An unprecedented theft of personal identification numbers from thousands of consumers across the country is calling into question the basic safety of paying with debit cards. The debit card breach, which the trade publication American Banker says could have allowed thieves to gain access to as many as 600,000 bank accounts, has raised larger questions about whether merchants are improperly storing customers' personal data.In other news:Study: Cell phones a hazard on flights Russian phone Trojan tries to ring up chargesThe problem, according to security experts, is the storage of PINs attached to debit cards.

The compromise of so many PINs suggests that a national retailer stockpiled customer information even though such a practice is against rules set down by the major credit card companies. What the breach has revealed, say security analysts, is that safety measures around these numbers could represent an Achilles heel for debit cards. "The process of authentication for PIN numbers has been perceived for a long time to be very secure," said Edward Kountz, a financial services analyst at Jupiter Research. "These thefts call into question how secure they really are." The recent debit card crime spree stretched from Seattle to North Carolina.

And for the past month, most of the media attention has focused on which company suffered the security breach. Many of the victims shop at OfficeMax, an office- supply chain headquartered in Itasca, Ill., according to law enforcement officials. The company has denied suffering a breach and said a third-party audit found no problems (though the company is still working with authorities investigating the case). Law enforcement officials in New Jersey have arrested 14 people in connection with the case. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards. These were used to make fraudulent purchases and withdrawals from cardholder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

But as FBI and Secret Service agents continue to investigate, security experts are beginning to worry less about where it happened and are turning their attention to whether a similar crime could happen again. Indeed, the robbery could mark the dawning of a new age in computer crime, said Gartner security analyst Avivah Litan. "The moral of the story is there must be hundreds of companies that store PIN data," Litan said. Litan pointed out that most retailers use the same technology and follow many of the same procedures. At most retail stores, registers feed information into a "terminal controller," which acts as a master computer server, Litan said. The terminal controller encrypts the data at each register. At some stores, an encryption "key" is also kept at the terminal controller. This would make it very convenient for electronic intruders who managed to break into the controller. They could slip away with the data as well as the key to unlock the encryption. Storing encryption keys and customer data is prohibited in section 3.2.3 of the Payment Card Industry data security standard, a set of requirements created by Visa and adopted by other big card issuers. Companies can be fined if found violating the rule.

But it is possible to acquire and save customer data by mistake. "(It's possible) that a manager of a store has no clue they are doing it," Litan said. "The information can be buried in old software." Quoting unnamed sources, American Banker reported that the leading theory among experts is that hackers likely breached the computer systems of an unknown retailer at possibly 30 U.S. store locations, mainly on the West Coast and Southeast. The thieves made off with the cards' magnetic stripes, PINs and PIN keys. Still, one theft of PIN codes, even if it involved hundreds of thousands of customers, doesn't mean the current system is broken, said Mike Urban, a fraud technology operations director at Fair Isaac, which monitors ATM networks for counterfeit transactions. "I'm not sure that this problem is all that widespread," Urban said. "In this business, it's all about following procedures and implementing the correct systems. It's certainly possible that this could happen again. All I'm saying is that it's not something that we've heard much about until now."

We have established that passwords, for all their widespread use, have two fundamental problems: They can be shared, and they can be stolen. Most important, perhaps, is that when a password is compromised, the password holder is generally unaware.

Industry has given us two solutions to these password problems. The first is token-based authentication; the second is biometrics. Both systems have profound problems and clear advantages, depending on your needs. As CSOs know, the fundamental motivation behind using both tokens and biometrics is to replace easily compromised passwords. Because neither system uses the same password every time you log in, they are not susceptible to keyboard sniffers, shoulder surfing or many socially engineered attacks. But what CSOs need to remember is that both of these so-called strong authentication systems are far from perfect.

Our recommendation to CSOs is to deploy token-based systems for knowledge-based employees, especially those who need remote access. Use biometrics in workplaces requiring physical access control and in environments, such as retail, that experience high employee turnover and where employees have an incentive to cheat the system (for example, with time cards). Token-based Authentication For authenticating to remote systems and servers, token-based authentication is the clear winner today. It can be used with the widest variety of systems and is the easiest to deploy. Costs increase with the number of users, rather than the number of locations where users need to authenticate.

Token-based systems require the least amount of training. And it is readily obvious to users when their tokens are lost or stolen. The salient feature of most token-based systems is the token itself. These are typically small, handheld devices that either have a little screen with numbers or a plug you can insert into the USB port of a typical computer. Each token has a unique serial number and some kind of hidden secret. When the user tries to log in, the token uses that secret to prove that it-and presumably the user-is legitimate. Once this proof is performed, the system lets the user log in. Probably the best-known token is RSA Security's SecurID. This token has a small LCD screen displaying eight digits, which change every minute. To log in to a remote computer, you type your user name, a password, and the digits that the token displays. The remote computer takes this information and sends it to the authentication server, which looks up your name and verifies the password, then performs some tricky math to see if the number you typed is the number your token should have displayed. If this calculated number matches the number you typed, permission is granted.

Although SecurID has been on the market for more than a decade, it has recently come into public view as phishing, pharming and Trojan horses have become a widespread problem. Last year, for instance, both AOL and E-Trade Securities announced they would make the SecurID token available to any users who requested it. More and more, I'm seeing the ubiquitous SecurID token at conferences when attendees want to access their corporate e-mail. Of course, there's a downside: Leave your token at home and you can't log in. Also, if you have five websites that all use token-based authentication, you'll need to carry around five tokens. This isn't a major inconvenience for people who do Web banking at home once a week, but it is a hassle for people who need to routinely use a variety of token-protected services. Note that the SecurID doesn't eliminate passwords: It just gives every user a second password-one that changes every minute. This means that users can still forget their passwords, which can create headaches for help desks.

Cryptograhic Tokens Cryptographic tokens are based on public-key cryptography. The token creates a key pair consisting of a public and a private key. The public key is then certified-that is, it is signed with the organization's private key-and the certificate is also stored on the token. To prove your identity to a remote service, you plug the token into a USB port. Your token then engages in a challenge-response protocol with the remote service that proves the token has the private key. The certificate proves that the key is authorized. The security of this approach comes from the fact that the private key never leaves the token: Unplug the token from the USB port and there is little chance that somebody can pretend to be you. Most cryptographic tokens further lock the private key with a PIN or password. In theory, this prevents unauthorized use in the event that the token is lost or stolen.

Alas, research by Ross Anderson at the University of Cambridge in England has shown that it is remarkably hard to build a token that can really make good on these guarantees when it's being tested by a determined and reasonably well-funded adversary. Nevertheless, cryptographic tokens still provide dramatically more security than passwords alone. But despite their added security, tokens are not foolproof. A person in the office can borrow or steal your token, just as he might borrow or steal your password. Biometric Authentication Biometric-based systems work best in environments that require physical access control. This is because the cost is at the authentication point, rather than with the individual being authenticated. Although biometrics generally require more training, most employees will find them easier to use.

But there is a big caveat here: Some employees will not be able to enroll in a biometric system and will need to have a backup system. Biometric authentication systems, such as fingerprint or iris readers, are becoming increasingly popular in applications that are especially vulnerable to fraud or abuse; after all, there's no way to share your fingerprint. But biometrics are not foolproof. They don't offer the mathematical precision that comes with cryptographic keys or passwords. Just as each photograph you take of my face might be a little different, so is every scan of my fingerprint. As a result, biometric systems have complicated algorithms that take two measurements, and then try to determine whether the match is close enough. Unfortunately, there's no right answer. Biometric systems are plagued by errors. Make the system accepting of fuzzy matches so that it can tolerate people who have dirty hands from time to time, and you increase the chance of an accidental mismatch, something called the false acceptance rate (FAR). Make the system more picky, and you decrease the FAR, but simultaneously increase the false rejection rate (FRR).  

Biometrics are undemocratic: Some people can use them with ease, while others use them only with great difficulty, or sometimes not at all. Children, Asian women, and the elderly sometimes have problems with fingerprint readers because their fingerprints are too small or too fine. Some people lack hands altogether. These kinds of incidents contribute to the system's failure to enroll (FTE) rate. Other people can enroll in the system, but for whatever reason cannot get the system to verify their identity once it is on file. This is known as a failure to verify (FTV). Biometrics is a young field with a profound lack of standardization-new and sometimes better biometrics are being developed every year.

As a result, a CSO must evaluate the FAR, FRR and FTE and FTV rates of any proposed biometric system to see if the reliability of the system is adequate for the proposed application. A system that has an FTE rate of 1 percent might be fine in an office with 500 people: The five individuals who can't enroll with the system could be given USB security tokens. But the same system would be inappropriate as the basis of a national identification system designed to certify the identities of 100 million people. Biometrics Aren't Foolproof Biometrics are also susceptible to replay attacks. The simplest is to replay the biometric itself: A friend of mine once fooled a voiceprint lock into opening because he and his brother, the lock's authorized user, sounded so much alike.

Researchers in Japan demonstrated how to use gelatin to make a gummy finger with a lifted print: In tests both there and at MIT, the lifted print could fool commercial fingerprint readers. Face recognition systems have been fooled by a photograph of the person to be identified being held up to the camera. But while these attacks are fun to perpetrate, they aren't practical if you are sick in bed and need to let your assistant log in to your desktop so that you can get a printout of your e-mail. Although it is possible to set up some kind of delegation with biometrics, in practice such systems are rarely set up before they are needed. Thus, biometrics can create problems for authorized users because the people who install them usually don't anticipate the messiness of day-to-day operations.

Although we're likely to see more and more biometrics in the coming years, to date these systems have been most successful when they are deployed to limited user communities that can afford the installation costs, training and inevitable hand-holding. For applications where the users themselves have an incentive to bypass the authentication technology, biometrics are a good alternative to passwords. But for many applications, tokens can be both simpler and more democratic.

A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers. A Visa representative confirmed that the warning was sent. Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed.

Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months and have told customers that thieves obtained vital debit-card information as a result of a security breach at a large merchant.

One commonality among the fraud victims, according to law enforcement and banking officials, is that most had shopped at one of Fujitsu's clients: OfficeMax. The office-supply retailer has said that it has found no indication that it suffered an illegal intrusion. Fujitsu, which did not return repeated phone calls from CNET News.com on Friday, denied that its software has had anything to do with any alleged security breach. A representative for the company told the Journal that customer data, such as PIN codes, could not be stored using just its software. Other software tools would have to be added. Major credit-card companies have banned the storing of customer data and can fine merchants who do store such data. The fear is that customer information may be a sitting duck for hackers should it be left in a company's computer system.

What may be more worrisome for consumers is that it's not uncommon for merchants to accidentally stockpile their customers' data, says Branden Williams, a principal consultant at computer-infrastructure firm VeriSign. One of VeriSign's offerings is that it will assess a company's computer systems to ensure they meet security standards required by the big credit-card firms. During his white-glove inspections, Williams said, he has often found software that would trap customer data, including PIN information, without the retailer's knowledge. Big companies working with complex systems are more prone to such slipups he said. "You could totally understand how they could forget to turn off some switch," he said.

But Williams said there's no reason for the problem to go unchecked. Not only are there companies like VeriSign that will monitor system security, but Visa also offers a list of software products proven not to store data. Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.

"It's really the responsibility of a company doing business to protect their customers," said Williams. "Especially when you consider what's at stake: identity theft, bad public relations and potential fines. Software vendors should also have their applications checked for any vulnerabilities that could lead to a security breach."

By Greg Sandoval Staff Writer, CNET News.com

A Web start-up hopes to give consumers an easier way to protect themselves from identity theft, but the company may get the cold shoulder from credit-reporting agencies.

Omar Ahmad never shies from a fight. He was a vice president at Napster back when the company was staging a bold frontal assault on the music industry. After the September 11 attacks, the Florida-born pilot, a Muslim, was questioned by the FBI, and he shares his anger and confusion over that experience.

But now the brazen, outspoken entrepreneur has a new target: the three credit-reporting agencies, TransUnion, Equifax and Experian. The giant financial firms maintain files on the credit health of more than 150 million Americans. Retailers go to them when customers open up new lines of credit, and consumers contact them to check on their own credit histories-and in case of ID theft, to put fraud alerts or freezes besides their names, to make it more difficult for criminals to open up new bogus accounts.

But if you ask anyone who has dealt with the credit-reporting agencies for an opinion on their sensitivity to consumer concerns, you likely won't get a very polite answer. As an ID theft victim myself, I'm painfully familiar with the usual complaints. The companies are notoriously unresponsive, shuffling callers into voice-mail hell and corresponding with incomprehensibly bureaucratic letters. So it's no surprise that Ahmad reserves some of his characteristic vitriol for the three agencies: "Tell me why execs at the credit-reporting agencies are not taken out like Enron execs in leg irons," he said over lunch last month in Silicon Valley. He's not really serious, just making a point about his new mission-to mitigate the horrors faced by Americans trying to wrestle back control over their own credit.

One of the toughest challenges for ID theft victims is trying to prevent the crime from happening all over again. But freezing your credit (a way of requiring that merchants and banks seek your verbal permission to open new credit in your name) is an arduous process involving sending registered mail to each of the three agencies. Currently 12 states have different credit freeze laws on the book, and each law is, naturally, a little bit different. Congress is considering a federal law that would impose a uniform right for all Americans to a credit freeze; a half dozen committees in the House and Senate are now considering multiple ID theft bills, and wrangling could continue into next year.

Ahmad's new Silicon Valley company, TrustedID, wants to act as a single "on-off switch" for consumers, allowing them to freeze their accounts with all three credit bureaus at once, from the Web. The company's Web site, TrustedID.com, opened this week and will serve as that switch. After a 30-day free trial, customers will pay $8 a month and give power of attorney to the company, which will handle all the paperwork. That sounds expensive, but keep in mind that millions of Americans already sign up for costly credit-monitoring services that watch for suspicious activity. Placing a freeze on your account is more proactive, and probably more effective.

Over the long term, Ahmad and his partner, financial industry veteran Scott Mitic, hope to convince the three credit-reporting agencies to make the process electronic, which will drive down the cost. But for now, the business "is as ugly as you can possibly imagine," Ahmad says. TrustedID employees are shuttling back and forth to the post office, while the credit agencies are swamping the start-up with letters questioning its legal status. The company has raised $5 million in seed funding from venture capital firm Draper Fisher Jurvetson, which also backed Internet telephone start-up Skype.

Mitic and Ahmad say they are spending much of their time visiting the credit agencies and trying to solicit cooperation-with mixed results so far. "I would rather deal with Tony Soprano," Ahmad says of the companies. "At least you would have a nice Italian meal and get something done." I got a sense of the challenge facing TrustedID after trying to elicit comment from the reporting agencies for this story. The companies themselves referred me to their industry organization, the Consumer Data Industry Association. Its spokesman, Norm Magnuson, left me a message saying the group was only now becoming familiar with TrustedID and to his knowledge, "We don't have any problem with it." Then he didn't return several subsequent messages requesting further comment.

It's not surprising that the credit-reporting agencies might be dragging their feet. They are not legally required to honor consumer credit freeze requests in 38 states. And the three companies have woken up to the opportunities of selling services to consumers, and probably want to offer their own credit freeze option directly to consumers-for a fee. Of course, it benefits consumers to be able to go to a single source like TrustedID, who can manage a credit freeze with all three bureaus.

But to make that happen, Ahmad and TrustedID will have to convince TransUnion, Experian and Equifax to cooperate. TrustedID is already exploring alternative ways to force their hand. It has hired a lobbyist in Washington to push for a federal credit freeze bill and to press for legal protection for third-party players. The company can also consider litigation, and has talked to former FTC commissioner Christine Varney about representing it. Sounds like David picking a fight with Goliath. For Omar Ahmad, that's right up his alley.

By Brent MacLean

You can't protect your identity if you don't know what represents your identity. Identity is more than a few plastic laminated cards with your name and bunch of numbers. Identity is what you are, what you know, in addition to what you have. Other people keep records of your identity too. That means you don't have full control over the personal information that represents your identity. You can't lock down every piece of information. Even though you don't have full control, the chance of becoming an identity theft victim increases when you or other people unnecessarily hand out your personal information. More important than reducing the chances of losing ID you control, protecting yourself from identity theft starts when you know which personal information needs to be kept private, and which can be exposed no matter what you do.

WHY IS MY IDENTITY IMPORTANT TO ME?

Your identity is vital to your survival or growth in today's society. You won't get far without it. To get anything of value in modern society - be it getting paid, saving money, owning property, running a business, or even having basic freedom - you must prove who you say you are - with identity. Given this, you're held accountable to what you do with your identity. From this perspective, your identity can be an asset or a liability. It's an asset when it allows you to make a living and save money. It's a liability when someone else uses it to commit fraud. So identity theft comes down to liability - your liability. In a perfect world, identity theft wouldn't concern you if you're never held responsible if someone else fraudulently uses your identity. Unfortunately that's not the case.

SO WHAT'S AN IDENTITY?

Identity is who you are, what you know and what you have. You identifications are characteristics by which you are recognized or known. Personal information or materials (such as ID documents) represent those characteristics. Other can then tell who you are by those representations. Everywhere you go, you leave a trail of information about you. These identity footprints follow you from the day you were born to far into the future. Some examples of personal information include:

* Your full name

* Your former names

* Your handwritten signature

* Your home address

* You past home addresses

* Date of birth

* Social Security Number

* Mother's maiden name

* Past and present employer

* Credit card numbers

* Bank account numbers

* Account login information

Plastic ID cards and account numbers also represent your identity. A copy of your fingerprint, photo of your face, or sample of your DNA might someday serve as identification too. Identity is limited to personal information and ID documents in this identity theft mini-course. Future coaching update letters will look at the bigger identity picture. When you're uncertain whether you have identification in your hand, simply ask if yourself if you can be held accountable with that material or information. If the information proves who you say you are, and binds you to a contractual agreement, it's identity. It's important to know that identity can't be stolen. Your identity stays the same even when someone else uses it to commit fraud. Identity like your birthday, place of birth, eye color, or mother's maiden name won't change because of identity theft. Second, other people issue information that represent your identity. For example, financial institutions issue your bank account and credit card numbers; the government issues your SIN, driver's license and passport. They can change, cancel or reassign those identifications; however, the liability they accept for fraud damages from the use of identification they issue varies. Third, other people have your personal information. More on this will be discussed under where your personal info is kept. Last, It's easier for someone to impersonate you with more personal info. The walls of financial security don't crumble down just because you lose one piece of personal info. Identity theft usually requires several pieces of personal info. For instance, it's hard for someone to commit fraud with just your name and work telephone number. On the other hand, that person will find it much easier to get a loan in your name with your date of birth, SIN, employment history, past and present addresses, and bank account numbers. With that, personal information increases in value when more available pieces connect. The key point here is you reduce getting hit with identity theft by keeping valuable personal info out of the wrong hands.

WHERE IS THIS PERSONAL INFORMATION KEPT?

Identity is something you are, know, and have. For your identity to be any value, other people must recognize it too. This means other people must have your personal information. This information doesn't only sit in your wallet, at home and in your workplace. Other organizations keep it in storage like warehouses, libraries, filing cabinets, paper piles, desks, tapes, discs, computers hard drives and databases. Other people keep your personal info in their heads too. What this means is you don't fully control your personal info. You can lock away your personal info, but an a bad employee of an organization that also has the same info can sell it out the back door. Identity theft prevention deals with personal info within your control. You reduce getting hit with identity theft by minimizing how much personal info you give out. Personal info also moves around. It moves through the air, over wire, by light, and in shipping envelopes. Your personal info can be exposed while changing hands, but that likelihood is normally low. This is just something you should be aware of. Last, public and private information forms your identity. Private personal info should be restricted to only you and those with permission. Anyone can look up your publicly available personal information. Just keep in mind that it doesn't make sense to put a costly amount of effort into securing personal information that's already publicly available. There are ways to minimize how much personal information is public, but that is covered another time in bimonthly coaching update letters.

SOME PERSONAL INFORMATION IS MORE IMPORTANT THAN OTHERS

Each piece of personal information has different importance. For instance, keeping a magazine web site login ID probably isn't as important as a credit card number. And a credit card number might not be worth as much as your SIN. This is because each piece of information gains something different. From an identity theft standpoint, liability stemming from fraud sets the importance of each piece of personal info. The value you place on each piece of personal information depends on your unique situation and what's important to you. You'll get more from your time, money and energy by dealing with the high value personal information first. Personal information can be valued by what you can acquire with it. It can also be valued by how much time and money you must spend to clean up identity theft liability.

WHAT'S MY IDENTITY WORTH?

Everyone values personal information differently. This mini-course concentrates on what your personal info is worth to you. By worth, personal info can get you tangible things, which you can value in terms of time, money and effort. Personal info can be used to get a home, loan, car, job, furnishings, boat, recognition, guns, and much more. Identity information can also be valued in terms of time, money and effort to clear liability - both civil and criminal. If someone else uses your ID to commit a crime for example, you'll have toprove your innocence. This battle takes time and money. Yourenergy and the emotional drain are not measurable but they'rereal costs.

By Brent MacLean,
CEO of J.B. MacLean Consulting Inc.and Wire Fraud Solutions Inc.

You need to know the different ways protect yourself against identity theft. The protection measures you should apply to each identity theft threat will vary.

By J.B. MacLean Consulting Inc.

PROTECTION MEASURES

First, what are the possible ways to deal the threat of identity theft? Your choices follow:

1. Awareness. Know your exposure to identity theft. Know how identity theft works, and be alert to those situations. Awareness helps keep you from falling into several identity theft traps. Even though awareness reduces your exposure to identity theft situations, you still need other protection measures.

2. Prevention. Prevention can be as simple as avoiding certain situation like unnecessarily giving out your personal information; or it can be as sophisticated as encrypting your personal identification numbers on computer discs. Other ways to prevent loss include carrying only the identification required by law and locking identification documents in a safe place. Prevention isn't bulletproof, so you must reinforce with other protection measures.

3. Detection. Detection deals with identity theft after it's happened. You minimize damage by detecting identity theft early. Detection only works when you respond with action.

4. Response. Have a response plan. Response allows you to take quick steps to minimize damage with the least confusion. A response plan tells you who to call and what to do after you've detected identity theft. There's nothing worse than losing a wallet full of identification and credit cards while on vacation in a remote place, and not knowing what to do.

5. Insurance. Insure against identity theft. Insurance or remediation can reduce some of the financial damage created by identity theft. You only benefit from insurance after identity theft has occurred. Insurance coverage varies, so you should first understand how much you get back against the impact of identity theft. Beware. The coverage often isn't worth what you pay for in insurance, or you might find the insurance won't cover your real losses.

6. Acceptance. You can also choose to do nothing if the outcomes don't mean much to you. Some identity theft threats have insignificant impact or low likelihood. Doing nothing within the context of protection measures means you understand and accept threat impact. This comes down to balancing your priorities against the cost to protect yourself. If credit card fraud insurance costs $100 a year for instance, it wouldn't make sense to buy it when your total liability cost against fraud is just $50. On the other hand, $100 credit card fraud insurance might make sense if you have $50 fraud liability on each of your ten credit cards, which you keep together in one place.

By Brent MacLean,
CEO of J.B. MacLean Consulting Inc.and Wire Fraud Solutions Inc.