Enterprises must secure networks, carefully screen employees and keep tight control of information they collect to avoid becoming pawns in identity theft schemes, experts said at a forum sponsored by New York-based American Express.
"We've seen a notable rise in phishing schemes and worm attacks designed to gather consumers' personal information," said Maxwell Marker, supervisory special agent with the FBI's Financial Institution Fraud Unit. "We've also seen many cases where people working for banks, car dealerships and credit card companies were recruited to steal information from within companies."
Panelists at last week's forum agreed that while it's up to consumers to carefully protect their information, enterprises must play an important role. This includes protecting electronic records with the proper security software and network management, carefully screening employees and adopting strict procedures for storing and handling customer information.
"I like to summarize best business practices as the three Ps: physical security, the need to secure paper and electronic records; personnel, companies carefully screening their employees; and procedures, not collecting information you don't need and shredding information you no longer need," said Ken Hunter, president and CEO for the Council of Better Business Bureaus. "Firewalls, antivirus protection and encryption are all necessary, and it's critical that companies only release the minimal information necessary to those who need it."
Though consumers are the biggest victims of identity theft, Hunter said enterprises pay a high price as well. "Businesses pay $48 billion a year to clean up after ID theft schemes," he said. "Businesses that are used are hurt by more than financial loss. Their reputations are also hurt."
He said enterprises doing business online must properly encrypt sensitive information sent over the Internet, and must constantly monitor online activity to see if someone's charging activity veers from the normal pattern.
Zyg Gorgol, senior vice president of American Express' Worldwide Fraud & Risk Capabilities division, discussed measures American Express takes to protect consumers. "We take the information of applicants and verify that information through third-party sources to confirm the names on the applications are the real people and that they did indeed apply," he said. "We have very strict access controls so people only get information they are authorized to have."
Gorgol used the forum to announce the results of a survey American Express commissioned indicating that consumers support companies that take tough measures to protect them.
Pennsylvania-based International Communications Research surveyed 1,024 consumers between Oct. 29 and Nov. 2 for American Express. Of those surveyed, 69% have noticed over the past year that merchants and credit card companies have stepped up identity verification when they make purchases. With identity theft reports on the rise, 68% said they like the stepped-up measures. Forty-three percent have been asked for zip code verification, followed by signature verification (36%), requests for additional personal identification (34%), and requests for additional security numbers (31%). Twenty-two percent have received a call from their credit card company to verify a purchase.
The survey showed more people are being asked for the information thieves want the most. More than half (56%) have been asked for their Social Security numbers over the phone or in written form as part of an application or an in-person or online transaction.
Many requests are legally required, with 41% being asked for a Social Security number in a credit or loan application and 30% being asked for that information on employment forms. Other requests may not be legally required. More than a third (35%) have been asked for their Social Security number on medical insurance forms, 16% on college and school forms, 12% as part of an online transaction and 6% when making a purchase.
Panelists agreed phishing schemes have become a common method for stealing personal information, and the study appeared to bolster that point. More than one in five respondents (22%) said they've received unsolicited e-mail from a bank, an online shopping service or online retailer requesting personal financial information over the past year.