IDSP Newsletter - March 2009
The IDSP newsletter provides information on news items
relating to identity theft, identity management, privacy, data
security and cyber security, either pulled from the headlines or
submitted by IDSP participants. If you have news that you would
like to share for a future issue, please send it to the IDSP
Program Administrator.
NEWS and INFORMATION
IDSP Convenes Third Plenary Meeting on Identity Theft and
Fraud
The American National Standards Institute (ANSI) will hold
the third plenary meeting of its Identity Theft Prevention and
Identity Management Standards Panel (IDSP) April 27-28, 2009, in
Arlington, Virginia. The IDSP is a cross-sector coordinating
body working to reduce identity theft and fraud by promoting the
development and use of voluntary consensus standards and best
practices. The April meeting will take a point-in-time look at
the state of identity theft prevention and identity management.
Panel discussions will consider progress made on a number of
fronts and look ahead at areas that still need attention and
that may be ripe for future IDSP work. Agenda topics will
include: measuring identity theft, regulatory developments
relating to customer authentication and the use of Social
Security numbers, the need for identity verification guidelines,
the commercial applications of identity management systems,
medical identity theft, and what's on the horizon over the next
year.
GAO Report on the Security of US Passport Issuance Process
Causes Alarm
U.S. Senators Dianne Feinstein (D-Calif.) and Jon Kyl (R-Ariz.)
are expressing concern over a Government Accountability Office
(GAO) report that found that potential terrorists or criminals
could steal an American's identity and create fraudulent
documents to obtain a genuine U.S. passport from the State
Department. GAO investigators conducted four tests simulating
this approach and were successful each time. The senators will
continue their oversight of this matter and are working on
legislation to address these security vulnerabilities.
First Comprehensive Bill of Rights for Victims of ID Theft
Now Available
The Santa Fe Group, a financial services consulting firm,
along with The Santa Fe Group Vendor Council, a consortium of
leading service providers to the financial services industry,
has released a Bill of Rights white paper for victims of
identity theft. The Bill of Rights calls for consistent
processes for handling identity crime incidents in addition to
amendments to privacy legislation and regulation so victims can
more easily access and correct their personal information
records.
The paper will be presented in a free 90-minute webinar on April
29, 2009.
Gartner Releases Report on Data Breaches and Consumer
Reactions
According to a survey by Gartner, Inc., approximately 7.5
percent of U.S. adults lost money as a result of some sort of
financial fraud in 2008, in large part because of data breaches.
Analysts said this is having an adverse effect on consumer
victims who are significantly changing their financial
transaction behaviors. Gartner found that payment card fraud
(credit, debit and ATM card fraud) was the method most actively
used by crooks to steal money, claiming 36 percent more victims
in 2008 than other types of fraud. New-account fraud, in which a
thief steals identity information to open a new account, occurs
less frequently than payment card fraud, although Gartner
estimates that up to half of all new-account frauds involve
synthetic identities, and therefore many cases go unreported.
CFA Releases Report on Identity Theft Services
The Consumer Federation of America (CFA) has released a new
report, "To Catch a Thief: Are Identity Theft Services Worth the
Cost?" that explores the types of services currently offered in
the identity protection marketplace. It covers the fees such
services charge, how they describe what they do, the claims they
make about the benefits of membership, and how what they do
compares with what consumers can do to protect themselves. To
address the concerns raised in the report, CFA recommends that
law enforcement take steps to stop misleading claims and
practices that harm consumers, such as preventing them from
obtaining their free annual credit reports, and look at the
security of sensitive personal data provided by consumers to
these companies.
ICFE note: Last fall, ICFE completed and issued a report
with similar objectives. ICFE's Report is
available online, plus versions for
Holders of Protected Information and for
Consumers. Especially for organizations with activities that
involve storage and transmission of consumer data, ICFE
recommends a careful review of both reports prior to making any
operational decisions.
Obama Orders Review of Cybersecurity
President Barack Obama has ordered a two-month review of the
government's cybersecurity efforts. Melissa Hathaway, a former
Bush administration aide, has been tasked with conducting this
review. Her focus will include taking ongoing cybersecurity
programs and developing recommendations for ensuring that they
are aligned with government and private-sector needs, according
to a statement released by the White House. The Administration
is asking for $355 million in next year's budget to fund the
Department of Homeland Security's (DHS) cybersecurity work. The
president's goal is to make sure the cybersecurity efforts
encompass the homeland security, intelligence, law enforcement,
military and diplomatic mission areas of the U.S. government,
according to the document.
Privacy, Identity, and the Use of RFID and RF-Enabled
Smart Card Technology
In this article, the Smart Card Alliance investigates
current concerns of state policy makers as they examine the use
of RFID technology in identity cards and the implications that
holds for protecting privacy and personal information in
identity applications and systems. The brief examines best
practices for privacy-secure identity systems from the point of
view of card technologies. It was prepared by the Identity
Council of the Smart Card Alliance, a non-profit public/private
partnership organization whose members include both government
users and card technology providers.
Using FIPS 201 and the PIV Card for the Corporate
Enterprise
Corporate enterprises have always required employees to
carry cards or badges that verify the employee's identity and
allow the employee to access enterprise resources. However,
changes in both the regulatory environment and the amount of
risk that enterprises face from unauthorized access are driving
executives to reevaluate their identity management practices.
This Smart Card Alliance article summarizes the benefits of
considering the FIPS 201 standard as a starting point for
achieving identity assurance and access control across the
corporate enterprise.
U.S. Leads JTC 1 Effort to Address Jurisdictional and
Societal Issues of Biometric Technology
Biometric technology is used in many applications worldwide,
allowing both public and private-sector entities to authenticate
an individual's identity, secure national borders, and restrict
access to certain physical and online settings. A new Technical
Report released by Joint Technical Committee (JTC) 1 of the
International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) provides
guidance and clarification on jurisdictional and societal issues
related to the use of biometrics for the identification of
people.
ISO Releases New Technical Specification on
Pseudonymization to Protect Privacy Information in Health
Informatics
A new ISO technical specification will help to reconcile the
increasing use in healthcare of electronic processing of patient
data with increasing patient expectations for privacy
protection. ISO/TS 25237:2008, Health informatics -
Pseudonymization, contains principles and requirements for
privacy protection using pseudonymization services for the
protection of personal health information in databases.
Pseudonymization allows for the removal of an association with a
data subject. It differs from anonymization in that it allows
for data to be linked to the same person across multiple data
records or information systems without revealing the identity of
the person.
New OECD Publication: Online Identity Theft
Using widely available Internet tools, internet thieves
trick unsuspecting computer users into providing personal data,
which they then use for illicit purposes, causing mistrust of
online payment and banking services. This book defines identity
theft and studies how it is perpetrated, outlines what is being
done to combat the major types of ID theft, and recommends
specific ways that ID theft can be addressed in an effective,
global manner.
Obama Administration: Constitution Does Not Protect
Cell-Site Records
The Obama administration says the Fourth Amendment
prohibition against unreasonable searches and seizures does not
apply to cell-site information mobile phone carriers retain on
their customers. Mobile phone providers keep such information
for up to eighteen months. Historical cell-site location
information includes the tower connected at the beginning of a
call and at the end of the call. The position is being staked
out in a case pending before the 3rd U.S. Circuit Court of
Appeals in Philadelphia. At issue is whether the government can
require federal judges to order mobile phone companies to
release historical cell-tower information of a phone number
without probable cause.
Privacy Group Asks FTC to Investigate Google
The Electronic Privacy Information Center has asked the
Federal Trade Commission to investigate the privacy and security
safeguards of Gmail, Google Docs and other cloud computing
services offered by Google to customers. The filing points to a
security breach that may have improperly exposed the files of
Google Docs users to others. The full filing is available
online.
RRS Settles with FTC Over ID Theft
Rental Research Services, Inc. (RRS) and Lee Mikkelson (vice
president and managing officer of RRS) have settled Federal
Trade Commission (FTC) charges that they failed to properly
screen potential customers, leading to the sale of at least 318
credit reports to identity thieves. RRS is an organization that
provides consumer information to individuals and business
clients, such as landlords seeking credit reports on potential
tenants. The settlement prescribes that RRS cease providing
information to anyone lacking a legitimate claim to it. It was
also ordered to implement a security procedure to protect data and
to submit to a third-party audit every other year for 20 years.
Spam Spreads Faster with Discovery of Automated Attacks
Cybercriminals are spreading infections far and wide across
the Internet by hammering hundreds of thousands of websites each
day with SQL injection attacks. SQL attacks take aim at the
database layer of websites. Initially they were manual attacks
designed to pilfer customer data from merchant websites. That
changed last June when someone figured out how to automate the
attacks, and use them to plant infections. An infected PC
thereafter gets put to work delivering spam and spreading more
infections. Any sensitive data, such as log-ons and account
numbers, gets stolen.
New Internet Fraud Scheme Uses Google Trends
Cyber attackers have discovered a new way to defraud
internet users. In this new scheme, attackers choose a popular
search term that they identify from Google Trends, which is
regularly updated with the top 100 most searched items. They
find a website that is already highly ranked for that particular
search term and then build a malicious site that contains the
same content as the legitimate site, enabling the bogus site to
rise to the top of the search rankings. Links deliver users to a
website where they are served a Trojan called FakeAlert.
Please check the IDSP Events Calendar for regularly updated
event information.
For further information on any of the items above, and
updates on the Panel, please visit the
IDSP website
About the ICFE:
The Institute of Consumer Financial Education (ICFE) was founded in 1982 by the
late Loren Dunton (creator of the “certified financial planner” (CFP)
designation) and is dedicated to helping consumers of all ages to improve
their spending, increase savings and use credit more wisely. The ICFE trains and
certifies Personal Finance Instructors for its own curriculum. It also trains
and certifies Credit Report Reviewers and Identity Theft Prevention Specialists.
The ICFE is an award winning, nonprofit, consumer education organization that
has helped millions of people through its education programs and resources. It
publishes the Do-It-Yourself Credit File correction Guide, now in its 16th
printing, and has distributed over one million “Credit/Debit Card Warning Labels”
and “Credit/Debit Card Sleeves” worldwide.
The ICFE became an official partner with the Department of Defense/Financial
Readiness Campaign in June of 2004.
The ICFE is also a partner in the national Jump$tart Coalition for Financial
Literacy and the California Jump$tart chapter. The ICFE staff is also active
with San Diego Saves, an offshoot of America Saves, and the California Student
Debt Resource Awareness Project (CASDRAP) (studentdebthelp.org).
The ICFE’s on-line help for consumers who spend too much was featured in PARADE
Magazine in the Intelligence Report section. The money helps and tips are from
“The Money Instruction Book,” a course in personal finance, positioned to become
among the premier programs in the new bankruptcy and debtor education
initiatives.
The ICFE Web site at http://www.icfe.info helps consumers with mending
spending, learning about
the proper use of credit, budget and expense guidelines, how to set up and
implement a spending-plan and also how to access financial education courses and
videos and how to teach children about money. Other ICFE services include a free
eNewsletter, and an online resource center of financial education learning
tools, including videos, books, software and personal finance courses.