Thursday, May 22, 2025

Increase in Identity Fraud

A recent report from TransUnion (https://tinyurl.com/TransunionFraudReport) suggests a disturbing increase in credit fraud using both synthetic and stolen identities. Here are my thoughts.

There is no more important rule in banking than "know your customer."  Unfortunately, this works against the pressure for new accounts.  Every banker must learn to balance these.  

My credentials folder begins with my birth certificate and my Social Security card, but also contains my high school diploma, my military discharge, my college degree, my passport, my RealID driver's license, my Global Entry card, my health insurance card and Medicare card, my certificate of retirement from IBM, my Naval Postgraduate School identity card, my professional certification, and two club identity cards. There is a spreadsheet listing all the credentials with their issue dates and the name and address of the issuing authority.

Any and all of these documents are available to support any application that I might make. While any one of them might be forged, the chances that the whole collection is forged are vanishingly small. While few people have all these documents, most have some of them.

Most of the issuing authorities can be queried to test the accuracy and authenticity of the document.  While some of the documents were issued in the analog age, most of the issuers now use digital systems and records.  They could all offer an online verification capability at low cost or even at a profit like the credit bureaus.  While it is unlikely that all issuing authorities will ever offer such a service, the numbers will increase as costs go down and value increases.  

These documents speak only to my identity and existence, not to my character, capacity, and collateral.  For those one must look to the plethora of data about me held by the commercial, financial, and other institutions with which I do business and can use as references.  Many, not to say most, of these are customers of and contributors to the credit bureaus that record and sell my credit history.

In short, there is a plethora of evidence that lenders can rely upon to know their customers.  There will always be some bad lending decisions, some the result of fraud.  Tolerating a small amount will always be more efficient than eliminating it all, but striking the balance is what bankers are paid to do.

Friday, May 16, 2025

Insider Risk (not Threat)

Over the last decade the media has been full of "threat," almost to the exclusion of "risk." It should not surprise anyone that insider risk has been written of as "insider threat." It is true that there is a small threat from insiders, but it has a very low rate of occurrence. The real concern about insiders arises from consequences, not threat. The high-rate threat comes from outside, not inside. Outsiders damage the brand; insiders bring down the business. The threat is from the outside, the risk from the inside.

Most of our employees really do want to do their jobs. In the rare cases where they fail, it is more likely to be accidental than malicious. "The dummies have it, hands down, now and forever." No matter how damaging, mistakes tend to be overlooked, accepted as normal and unavoidable, and forgiven. Even malice is more likely to result from a management failure to train, supervise, and reward than from a failure of motive on the part of the employees.

Conrad Hilton, the founder of Hilton Hotels, used to display in his guest rooms what he called the Eleventh Commandment, "Thou shalt not tempt." My favorite ethical test is, "Nice people do not do that." I learned my second favorite ethical test at Nortel in Canada. When I asked my client to describe Nortel's ethical culture he said, "Behave as though your mother were watching." Good managers watch like "Mother."

Malicious insiders may be needy, greedy, or disgruntled. The needy or greedy resort to fraud and embezzlement, while the disgruntled lean toward destruction. Even the fraud may be rooted in part in a failure of management to properly address error. The employee makes a mistake; no one notices. He repeats it and again no one notices. He begins to think that a deliberate act, one in the direction of his own benefit, may similarly go unnoticed.

Watch for good numbers.  If the numbers are too good to be true, they are not true.  

The disgruntled employee is most likely upset because he believes that his worth and his contribution to the enterprise have not been properly recognized and rewarded. However, that feeling did not occur suddenly. He did not go home happy on Tuesday night and come in and take the place apart on Wednesday morning. The disaffection grew slowly over time. It likely did not go unnoticed. His managers likely knew that he was not happy but had delayed taking action until it was too late. Perhaps please, thank you, and attaboys are the most efficient controls. While not a substitute for proper compensation, they do not cost much.

Speaking of proper compensation, the higher up the management chain, the more important it becomes.  It must take into account the economic contribution of the scope managed.  It must also take into account the economic discretion that the officer exercises.  One of the reasons that we see corruption in government is that officials are not compensated in proportion to the power and influence that they exercise.  While such compensation may be hard to justify politically, it does work to limit corruption.

While management tends to worry about IT, and IT failures get the media attention, most fraud takes place in business applications.  Workers steal where they work, e.g., accounts payable and receivable, payroll, goods, inventory, credit.  IT people are more likely to convert capacity than to manipulate business applications.  

While management tends to focus on those engaged in low level routine, think clerks and tellers, the real damage comes from officers and professionals.  Tellers steal small and are caught early.  Officers steal big and may not be caught for years.  However, one must take into account the power and fragility of IT, when managing employee satisfaction and morale.  

Few embezzlers started out to steal big.  They started small but it was not detected: temptation. It became habitual and grew in magnitude over time.  Early detection and correction is essential.  

One last thought before we go.  The most effective control over insider risk is management supervision.  Everyone deserves to be supervised by someone who knows enough to understand and appreciate what they do.  On the other hand, automated controls and procedures are often more efficient than expensive supervision.  While we use them because they are efficient, they are effective only in the presence of good management.  They are hardly ever effective in controlling managers and executives.  

In summary, think risk not threat, error before malice, business before IT, managers and executives before tellers and clerks, supervision before automation.

Wednesday, April 30, 2025

Where to Spend your Next Security Dollar


Strong Authentication

At least two kinds of evidence, at least one of which is resistant to replay.  Mandatory for all but the most trivial systems and applications.
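As an added illustration of the replay criterion above (not the author's code; the user record, password and device key are constructed placeholders), a two-factor check in which the password alone would replay but the possession factor, proven against a single-use server challenge, does not:

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo record: a knowledge factor (password hash) and a
# possession factor (a per-device secret key). Names are placeholders.
USERS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
                   "device_key": b"\x01" * 32}}


class TwoFactorVerifier:
    """Password (replayable) plus challenge-response (replay-resistant)."""

    def __init__(self, users, ttl=60, now=time.time):
        self._users, self._ttl, self._now = users, ttl, now
        self._pending = {}  # nonce -> (user, expiry); each nonce is single use

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (user, self._now() + self._ttl)
        return nonce

    def login(self, user, password, nonce, response):
        rec = self._users.get(user)
        if rec is None:
            return False
        # Factor 1: something known. A recording of this value replays fine.
        pw_ok = hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), rec["pw_hash"])
        # Factor 2: something possessed, proven against a fresh nonce.
        entry = self._pending.pop(nonce, None)  # consumed: a second use fails
        if entry is None:
            return False
        owner, expiry = entry
        if owner != user or self._now() > expiry:
            return False
        expected = hmac.new(rec["device_key"], nonce.encode(),
                            hashlib.sha256).hexdigest()
        return pw_ok and hmac.compare_digest(expected, response)


def device_response(key, nonce):
    """What the user's device computes from the server's challenge."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    """Returns (first login, replay of the same captured values)."""
    v = TwoFactorVerifier(USERS)
    nonce = v.challenge("alice")
    resp = device_response(USERS["alice"]["device_key"], nonce)
    first = v.login("alice", "correct horse", nonce, resp)
    replay = v.login("alice", "correct horse", nonce, resp)  # eavesdropper
    return first, replay
```

The second login uses exactly the values an eavesdropper could have captured, and fails only because the nonce was consumed; an expired challenge is rejected the same way.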


Privileged Access Management

Limited number of uniquely identified, authenticated, accountable, and supervised privileged users (no sharing of IDs or passwords).  Mandatory for all large enterprises, recommended wherever there must be more than one privileged user.


Document Management System

A system, process, or database to capture, track, and store electronic documents such as PDFs, word processing objects, and digital images of paper-based content, providing accountability for all content, changes, and access or use. Mandatory for intellectual assets (IP), personally identifiable information (PII), client, customer, and employee relations, or financial records; recommended for all confidential or sensitive information.


Structured Network

Layering of your network such that user-to-application, application-to-application, server-to-server, and server-to-file-and-storage-system communications are isolated from one another, such that any layer-to-layer communication requires additional authentication and privileges or capabilities. This can be implemented using wiring and "firewalls," or cryptography (e.g., VPNs, software-defined networks (SDNs)). Recommended for all large enterprises.

Friday, April 18, 2025

Travel Guidance

Canada, France, Germany, Denmark, and Ireland are issuing new guidance to their citizens traveling to the United States.

https://www.travelandtourworld.com/news/article/france-denmark-germany-and-ireland-join-canada-in-urging-travelers-to-use-burner-phones-at-us-borders-amid-digital-surveillance-and-detention-fears-new-update-you-need-to-know/

I have always cautioned business executives to use "disposable" devices when traveling abroad or crossing into the US: no data, just clients for accessing business e-mail, data, and applications in the enterprise or cloud. This is because customs agents have extraordinary power to search and seize without cause or warrant. There have been abuses, but mostly by over-zealous agents, with no discernible pattern. I do not think that there is a policy, but DHS has consistently refused to disclose whether or not they have given instructions to the agents.

All that said, if surveillance, seizures, and detentions have increased under the new administration, I have not seen any reports. This new guidance from these countries may result from nothing more than uncertainty, or it may even be political. Nonetheless, if there is a problem, I plan to alert and advise you. Watch this space.

I am leaving the country in May and returning in June. All of my data is already in the cloud, mostly for device independence. Just before returning, I plan to erase the clients from my phone and tablet. It will be simple enough to reinstall them from the app store after I clear customs.


Monday, March 31, 2025

Signal Gate

I find that if one Googles SECOPS, the "meaning" includes information technology. I confess that in my course on information security management at the Naval Postgraduate School, taught to O-3s and O-4s, I did teach SECOPS. However, the concept dates from when the only information technologies of interest were paper, telegraphy, telephone, and radio, long before we had invented the term "information technology."

In the first armed conflict of my life, known colloquially as WWII, we taught "Loose lips sink ships."  One does not repeat many things that one learns in the course of one's job.  

We taught not media but content. What information did we want to keep secret? Media was hardly even thought of. Even as I taught it, it was about what those who were to carry out the "operation" had to know about it and the potential for them to leak it. At the O-4 level, it hardly occurred to us that the Secretary of Defense and his peers and colleagues were part of the operation and a potential source of a leak.

The association with IT deals with the porous nature of IT and the potential for adversaries to learn the content from our leaky media.  

Let us start from the non-IT meaning of SECOPS: any "information about a military operation is born classified as SECRET, regardless of whether or not it is ever recorded or shared." At the "operational" level, O-3 and O-4, your life may depend upon the continued secrecy of what you must know to carry out your mission. Therefore, such information is born SECRET; one must share that information, by whatever means, only on a "need to know" basis. Said another way, if the sharing is not essential to the success of the mission, then do not share.

Add modern recording and sharing technology to the equation; just think "chat" in its many forms. Many implementations of chat, including iMessage, Signal, WhatsApp, and, more recently, RCS, provide device-to-device encryption. In the network, the traffic is encrypted. However, it is in "clear text" on every device in the group. The more participants, the greater the probability that the content will leak, or even that one or more of the devices in the group has been compromised.

Most implementations of multi-party chat, like Signal, will enable any member of the group to see the identifier of the sender of any message. However, the larger the group, the less likely that every member will know, or even recognize, every other member (Oh! That Jeffrey Archer). Moreover, because of the limits of the screen, they may see the identities of all the members of the group only upon request rather than by default. We call silent members lurkers.

Said another way, multi-party chat is not considered to be sufficiently secure for SECRET data.

In the Second World War, the British were reluctant to share intelligence with us because they feared that we might leak. Our WAVES Bombe operators, who never told anyone what they had done during the war, were shocked when, after forty years, the Brits began to talk about ULTRA. 9/11 happened in part because the CIA and the FBI did not trust each other's security. The consequences of Signal Gate will include a loss of trust and a reluctance to share vital intelligence.

Most of those with any knowledge of a military mission will have been indoctrinated in operational security, both in training and by experience. Here we had a case of novices, those who did not have the experience, who had not grown up in the tradition of SECOPS.

Monday, August 26, 2024

Recent Massive Data Breaches

Given the recent breach of a data broker, the credit bureaus, and the Dark Web, everyone's personal data is available for a rapidly declining price. We are all vulnerable, but the bad guys cannot get to us all. That said, the prudent will freeze their credit reports, use strong authentication, and maintain a vigilant posture.

I am not a big fan of data monitoring services; they are targets and increase one's personal attack surface.  However, we really need to monitor the social security numbers of children.  They are often used in synthetic identity applications.

Business should rely on full name and address, or name and place and date of birth, not SSNs, as identifiers; no one else with my name lives where I live or was born at the same place and time. SSNs were necessary when storage (in 80-column cards) was dear. They are not even necessary in modern databases with cheap storage. The last four or five digits of the SSN may be used for verification and as tie-breakers in some applications.

Monday, May 20, 2024

"Securable" by Design

"Secure by Design" suggests that one can design an airplane that cannot run out of fuel or collide with terrain or another aircraft. Rather, the goals should be "Securable by Design" and "Safe Out of the Box." Such a design should begin with a statement of ranked requirements in which security requirements are included with all others. For example, things that the product must not do should be ranked with things that it must do. Failure modes must be explicitly identified along with the indicators of failure and the indicated corrective action. Engineers have been doing this with hardware for millennia.


Complete requirements describe:

• The environment in which the system must operate (including natural and artificial hazards and threats)

• The market or market conditions

• The results that the system must produce (e.g., move passengers and freight, computing application, user programming)

• Performance (e.g., passenger load, range, speed, users, standard operations per unit time)

• How it must function

• Required/forbidden controls (e.g., over-ride of automated controls)

• The granularity of the controls (maximum rate of climb, number of named users or resources; controls must be sufficiently granular that one can implement the rule of least privilege.)

• Things that it must not do (e.g., stall near cruise speed, leak information between users or compartments)

• Specific threats that it must resist (e.g., lightning, easily anticipated abuse and misuse, hostile use of controls)

• Cost for overcoming resistance (e.g., cost of attack)

• Impermissible failure modes and their alternatives (e.g., halt before leaking)

• Reliability

• The availability of the system (mean-time before failure, mean-time to recovery)

• Efficiency

• Maintainability (“Function may not trump maintainability and reliability.”)

• Compatibility

• How it is to be demonstrated (e.g., testing, third-party evaluation)

• Other


Complete Specification

By habit and culture, engineers use a complete specification for a system. By contrast, IT developers often work from a specification that is less than complete. A complete specification includes an expression or description of:

• How the system is to achieve the requirements

• What functions it will perform

• What it will look like

• What materials it will be built from

• What controls and interfaces it will present

• How it will fail (failure modes)

• Indications or evidence of failure

• A model or prototype

• Users or operators manual

• Assembly processes

• Testing or demonstration procedures

• Other