Identity Theft Can Have Catastrophic Consequences

I just finished reading a mystery novel that deals with identity theft and fraud.  It’s a great whodunit that’s set in New York City in 2060.  For all the changes in technology, it’s amazing how much is still the same in the future (I assume).

The premise of the story is that a CEO of a large and powerful company decides to steal the identities of many of his employees to perpetrate murders.  Since he is at the top of his company, he has access to credit card accounts, phone numbers, emails and other personal information of his employees – this is a problem, but I will get to that later.  He has a counterpart at another company, who is doing the same thing.  The twist is that each one commits crimes against the other’s victims.  Sound confusing?  It’s like Hitchcock’s Strangers on a Train.

Here’s how elaborate this fraud is.  The CEO of one company sends an email from his top security officer (CSO) to book a limousine to take him to an airport.  He uses the CSO’s corporate credit card to book the trip.  The CSO has used this service in the past, so is considered a somewhat regular customer.  The CEO reprograms his phone so that it appears to be the CSO’s phone and uses it to confirm the appointment.  The limo driver picks up the CEO (assuming it’s the CSO) at 10:00pm and takes him to the airport.  Since the CEO is similar in build to the CSO, and it’s dark, he can physically impersonate the CSO with a little bit of makeup and a wig; this is a mystery after all.  The limo driver confirms everything with his company by phone and the appropriate logs and records are updated.  Once the limo reaches its destination, the CEO commits his crime and casually walks away from the scene.

Farfetched in the real world?  Not at all.  Even though the book is fiction and set in 2060, all of the technologies and capabilities to do this exist today.  So let’s look at what made this identity theft and subsequent crime possible.

When the police investigate, of course all roads lead to the CSO.  Phone records, the limo company’s logs and credit card records implicate the CSO.  In this case he has an airtight alibi (of course) and he and the police assume it’s identity theft and fraud.  His first course of action is to shut down his phone and credit card and run a security check on all systems.  This is a smart thing to do even today.

Even though it appears this was a failure of technology, a failure of process is also to blame.  The CEO should not have access to the personal information of his employees.  He had not only the CSO’s credit card, but also the card’s security code.  The CEO should not be able to send email from his CSO’s email account.  Unfortunately, this is not something terribly hard to spoof today.  In each case, technology could help prevent the identity theft, but procedures outlining information access controls need to be there first.

Identity theft has become a huge business, whether people want to steal money or commit more heinous crimes.  Preventing it can be difficult because you need to rely on the security of the organization that has your information.  One would hope your own employer is taking the necessary steps to protect that data.

Here are a few questions to think about:

  1. Are paper documents with PII shredded once no longer needed?
  2. Is personal information stored in locked cabinets, if it’s on paper?
  3. Are electronic documents with PII encrypted and stored in a system with limited access?
  4. Do you give your user IDs and passwords to others inside or outside your organization?
  5. Do you lock your desktop or laptop when you leave it?

These are a few of the questions you can ask to see how good your organization is at preventing identity theft.  Remember that much of business is still done with paper, so assuming that you are protected because your computers are locked tight doesn’t guarantee anything.

Some of the deficiencies and remedies are policy and process, and some are technology.  Hopefully identity theft and fraud will be less prevalent in 2060, so start thinking about changing a few of your habits today.  A few simple changes will go a long way.

Photo credit Don Hankins

Comments 2

  1. That’s an interesting blog. Employees just assume their PI is protected by their employers. We need to ask our employers for a Privacy Policy on our own personal data and how it’s stored, online or paper folders, or both.
