Security Watch

Hactivism Group Launches Anonymous Browser

Plus: Formation of an ID standards panel, update on the U.S. ID Theft Task Force and why banks might be an unsafe place for your money.

• By Russ Cooper
• 10/30/2006

From a corporate perspective, the bigger risk here is that the TOR network gets used to set up a server internal to your organization that’s participating in the TOR network. Such a server could be difficult to identify, given that the traffic to and from it is encrypted via SSL.

ID Theft Prevention, Management Standards Panel
Microsoft, Visa, Citi, AT&T, Dell, ChoicePoint and others have formed the Identity Theft Prevention and Identity Managements Standards Panel together with the American National Standards Institute (ANSI) and the Better Business Bureau (BBB). The panel hopes to quickly provide "solutions-oriented resources" to those affected by identity fraud. The group expects to produce a standard within 12-18 months, something they believe can be adopted by businesses and others dealing with identity information.

Like so many other panels, one hopes they achieve something substantial enough to affect the rise of identity fraud. The bigger question remains, however, whether what they produce becomes adopted – and, if so, how broadly?

ID Theft Task Force Makes Small Step In Right Direction
The U.S. Identity Theft Task Force, formed by the President Bush in May 2006, has submitted its recommendations. The Task Force is made up of 17 U.S. federal agencies and/or departments. Seven recommendations have been made.

None of the seven look stellar, but two stand out as long-overdue issues for the U.S. government: reducing the reliance on the Social Security number and finding alternative means of identifying individuals. While there will likely be heavy debate over any proposed alternative means of identification, the fact that the task force is even looking into alternatives is a step in the right direction. Another recommendation proposes to amend restitution statutes to allow identity theft victims to recover the costs they incur for time spent correcting problems, whether or not there was monetary harm. If this recommendation does nothing else, it will likely create a much stricter interpretation of "identity fraud."

We also can’t overlook the irony in the fact that you won’t be able to sue the government for loss of your private information -- due to sovereign immunity -- but you will be able to sue private enterprises.

HSBC Accuses Rivals of Security 'Arms Race'
A rather bizarre speech from the head of fraud detection in HSBC in the UK, Brendan Pickering, suggests that the fact that some banks have adopted two-factor authentication will make those banks with weaker security bigger targets for criminals.

Well, gee, what does he expect? His argument is that if your security is stronger than mine, I'll become the target. Without actually saying so, he seems to be suggesting that everyone should remain weak because that levels the playing field of potential targets.

Since it isn't April Fool's Day, we have to assume he's just unaware of the basics of security and risk management ... whoops, he’s Head of Fraud -- he should know this stuff. OK, then, I guess HSBC is just woefully ill-equipped for securing its customers and figures it can't afford better security measures.