Banks 'must try harder' on ID theft
Published: 05 Jul 2005 11:40 BST
Identity theft has been in the headlines again in recent weeks in both the US and the UK, where an undercover reporter from one tabloid newspaper, The Sun, was promised the details of thousands of bank accounts by a computer engineer in an Indian call centre. It led to a police investigation and left a series of banks — including Lloyds TSB, Barclays, Woolwich, and HSBC — with a PR nightmare on their hands.
The British consumer watchdog Which? earlier reported that a quarter of UK adults have had their identity stolen or know somebody who has been a victim of ID fraud. It is costing the country an estimated £1.3bn a year.
In the US, the FBI was recently contacted after hackers were rumoured to have broken into more than 40 million credit card accounts. MasterCard International confirmed a breach traced to a transaction processing company in Atlanta.
"Close to 60 percent of US consumers sampled in January 2005 expressed that they were worried about identity theft, and close to 6 percent admitted to switching banks to reduce their risk of becoming a victim of identity theft," says Sophie Louvel, a research analyst with Financial Insights' Consumer Banking practice. "Identity theft incidents have been taking their toll on banks and their customer relationships. Recent high-profile incidents of customer data theft at Bank of America, ChoicePoint, and LexisNexis will drive bank customers to worry further about the possibility of experiencing identity theft. But our survey results show that not all consumers worry about identity theft equally, and the crime does not impact all consumers across the US at the same rate."
Having said that, what is required is a strategy for dealing with ID theft. Paul Henry, an IT security industry expert with CyberGuard Corporation, has a list of recommendations for enterprises to ensure that their customer data is not compromised.
"A strong security policy must be put in place and followed vigorously," he says. "Then you must be extremely careful to ensure that the companies you outsource data to fully support the policies, procedures, and technical safeguards you have put in place to protect your client's personal information." His point is that a chain is only as strong as its weakest link: banks must not let their outsourcing partners become that weak link. This goes beyond perimeter security to include physical security, as well as both access and application controls. "We are starting to see this problem in India, and unless enterprises are diligent about protecting their data, it will explode out of control like identity theft," he believes.
Henry has two tips in particular:
- Firms that outsource their data to call centres should ensure that the security policy, procedures, and technical safeguards utilised by the outsourcing partner are equal to or better than their own.
- Both regular and random risk assessments should be carried out at any outsourcing centre, especially if it is located in an area of high commercial risk, where bribery and corruption are endemic. Risk assessments should cover all domains of network security and should not be limited to gateway security.
Louvel believes that a security strategy must go even further than that. Recent data theft incidents prove that not only must financial organisations and other businesses enhance security around data access, they must also look at mitigating the consequences of theft once it happens. "While security must be improved, it will never be so strong that data theft becomes impossible," she warns. "Just as important is ensuring that when data is stolen it is not used to commit fraud. Effectively preventing criminals from using identity information requires a technology and organisational infrastructure for cooperation and data-sharing between creditors across industries, data brokers, and law enforcement agencies." Moves in this direction are being made in the US with new bills being proposed, including a bipartisan bill that would make business leaders responsible for data leaks from their companies and rules set by regulating agencies, such as the Federal Trade Commission.












