
01Nov, 2018

Cybercrime

Identity Crime, Privacy and the Importance of PCI DSS Standards

Identity crime is a growing and critical security threat that has long-term financial, legal and psychological implications for both individuals and organisations.

The legal definition of identity crime used by law enforcement throughout Australia was developed by the Australian Transaction Reports and Analysis Centre’s Proof of Identity Steering Committee. It defines identity crime as a generic term for activities or offences in which a perpetrator uses a fabricated identity, a manipulated identity, or a stolen or assumed identity to facilitate the commission of a crime or crimes. This type of crime usually stems from identity theft, which describes the theft or assumption of a pre-existing identity (or a significant part thereof), with or without consent and, in the case of an individual, whether the person is living or deceased.

Identity crime is on the rise worldwide. In the US, the number of identity crime victims grew by 8 per cent in 2017 to 16.7 million, an increase of more than 1.3 million victims on the previous year [1]. The statistics in Australia are far more dramatic: Symantec’s Cyber Security Insights report shows that one in three Australian adults, or six million people, fell victim to identity theft or credit card fraud, or had their passwords compromised [2].

According to Australian Federal Police, “Recent estimates by the Attorney-General’s Department indicate that identity crime costs Australia upwards of $1.6 billion each year, with the majority (around $900m) lost by individuals through credit card fraud, identity theft and scams. More alarmingly, identity crime continues to be a key enabler of serious and organised crime which in turn costs Australia around $15 billion annually[3].”

Identity crime in financial services falls into two broad categories, ‘New Account Fraud’ and ‘Existing Account Fraud’. In New Account Fraud, a criminal opens new accounts, such as bank accounts, credit card accounts or even utility accounts, using stolen information such as credit card data, birthdates and driver’s licence details. In Existing Account Fraud, criminals take over someone else’s account and make transactions such as withdrawing money, taking out instant loans, changing passwords and locking the original owner out of the account.

How does identity crime happen?

There are a number of ways cybercriminals obtain personal data. A common cause is human error, with individuals falling victim to phishing attacks and card skimming. However, given the size of the identity crime business, organised cybercriminals are increasingly targeting organisations that hold a large number of customer identities, such as contact centres, banks, credit bureaus and other financial institutions that process and store sensitive data. A simple Google search will reveal how many large organisations have fallen victim to this kind of data theft.

[Figure omitted. Source: https://www.gao.gov/assets/690/683842.pdf]

The year-on-year growth in cybercrime has forced governments globally to implement legislation and regulatory compliance measures that impose fines for failing to keep data secure. These restrictions (and their associated fines) have now become law. Among them are Australia’s Notifiable Data Breach Scheme, which came into effect on 22 February 2018, and Europe’s General Data Protection Regulation (GDPR), which became effective in May 2018. Under the Notifiable Data Breach Scheme, companies that fail to comply can be fined up to 2.1 million dollars, while under GDPR, fines of up to 20 million pounds or 4% of turnover are possible if a company is found to be in breach.

The key to reducing the risk of data theft is not new. Complying with the PCI DSS guidelines is critical to securing and protecting credit card and other sensitive data from both malicious attacks and human error. While PCI DSS compliance focuses on cardholder data, it also helps protect all personally identifiable data, which is what the Notifiable Data Breach Scheme and GDPR require.

PCI also released an update to its guidelines in May 2018; the twelve requirements are:

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.
  • Requirement 7: Restrict access to cardholder data by business need to know.
  • Requirement 8: Identify and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.
  • Requirement 12: Maintain a policy that addresses information security for all personnel.

While all twelve requirements are needed to achieve PCI DSS compliance, many of them also help prevent identity crime. Specifically, we’ve highlighted requirements 3, 4, 5, 7, 9, 11 and 12, which help protect against identity crime and work in tandem to keep systems secure. These requirements serve two major functions:

  1. The prevention of a network breach.
  2. Ensuring that criminals are unable to decipher the data should a breach and data loss occur.

Preventing data breaches is a complex task. It usually involves a combination of:

  • Network and infrastructure security (firewalls, identity management and authentication)
  • Application security (secure coding, application firewalls, etc.)
  • Awareness and education (employees and customers)
  • Robust processes (secure coding)

Keeping data secure in spite of a data breach is a much harder task and involves:

  • Tokenisation of all critical data
  • Data masking at all touchpoints
  • Strong encryption

These data security measures also mitigate identity theft directly, since they greatly reduce the chance that criminals obtain usable data even when a breach occurs.
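The three measures listed above (tokenisation, masking and encryption) and the sensitive data scanning mentioned below are easier to reason about with a concrete instance. The following Python is an added illustration, not code from IPSI or from the PCI Council: it implements a Luhn check of the kind card data discovery tools use to separate real PANs from random digit runs, masking of a PAN to the first six and last four digits (the maximum PCI DSS Requirement 3 permits to be displayed), and a minimal token vault in which the token is a random value that carries no information about the PAN. The vault, the `find_pans` scanner and the sample text are all constructed for this example; the PANs are well-known test card numbers, and encrypting the vault’s contents at rest is assumed to be handled by the storage layer and is not shown here.

```python
import re
import secrets

# Constructed sample input for the scanner: one valid Visa test PAN, a 13-digit
# reference number that fails the Luhn check, and a phone number (too short).
SAMPLE_TEXT = (
    "order=42 pan=4111111111111111 ref=1234567890123 tel=0412345678 "
    "status=approved"
)


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; a PAN must be 13 to 19 digits and sum to 0 mod 10."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form for display: at most first six and last four digits visible."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy token vault (constructed for this example).

    A token is a random 128-bit value; given the token alone nothing about the
    PAN can be derived, so systems outside the vault can store the token freely.
    """

    def __init__(self) -> None:
        self._token_by_pan: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenise a value that is not a PAN")
        # Same PAN -> same token, so downstream systems can match repeat customers.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = secrets.token_hex(16)
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (Requirement 7: need-to-know) can map a token back."""
        return self._pan_by_token[token]


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Sensitive data scan: report every Luhn-valid digit run, already masked
    so the finding itself does not become a second copy of cardholder data."""
    return [mask_pan(m.group(0)) for m in _DIGIT_RUN.finditer(text)
            if luhn_valid(m.group(0))]


if __name__ == "__main__":
    print("findings:", find_pans(SAMPLE_TEXT))
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")
    print("token:", tok, "-> display:", mask_pan(vault.detokenize(tok)))
```

Running the module scans the constructed text and reports only the Visa test number, already masked as `411111******1111`; the 13-digit reference fails the Luhn check and the phone number is too short, which is the same filtering a real discovery tool performs to keep false positives down.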

IPSI are leaders in providing tools and services that reduce the risk of identity crime including sensitive data scanning and PCI DSS compliant payment processing. To discuss how we can help please contact us on 1300 975 630 or email us at assistance@ipsi.com.au.

References:

[1] Javelin Strategy & Research, “Identity Fraud Hits All Time High With 16.7 Million U.S. Victims in 2017, According to New Javelin Strategy & Research Study”, accessed 13 November 2018, https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin

[2] Norton, “2017 Norton Cyber Security Insights Report”, accessed 14 November 2018, https://au.norton.com/cyber-security-insights-2017

[3] Australian Federal Police, “Identity Crime”, accessed 13 November 2018, https://www.afp.gov.au/what-we-do/crime-types/fraud/identity-crime
