November 30, 2008

The Survey Says... Identity Theft

A recent survey regarding identity theft, fraud and other financial crimes shows what institutions are doing . . . now that we have heard from the "experts" let's hear from our experts at home . . . what are you doing to protect yourself from identity theft?

A new survey conducted by risk and compliance specialist Fortent shows that identity theft presents "the greatest emerging threat" to financial institutions. Fortent surveyed anti-money laundering compliance officers in both North America and Europe and found that new types of payment methods including pre-paid cards, mobile banking and "virtual world" transactions are expected to be hot topics requiring regulatory interest.

In the midst of the banking crisis, housing market crisis and recession, banks and customers are already stressed and these new methods of payment offer convenient options but also more risk for identity theft, fraud and other financial crimes.

Ed Baum, Fortent's Chief Marketing Officer explains that, "The expansion of payment platforms, while good for business, poses new risks on both the regulatory and security fronts. Our survey reveals that financial institutions are acutely aware that they must respond to these emerging threats."

Baum adds that "Financial institutions are finalizing their budgets now for next year, and the question on everyone's mind is how they are going to tackle these new threats when staff, technology, and training resources are already stretched."

Key Findings of Fortent's Survey About Financial Crime Threats include:

* Identity theft was cited most often (52%) as the greatest emerging threat.

* Virtual world, or on line, payment systems were cited by 44% of respondents.

* Electronic checking was third with 40%.

* Employee fraud was cited by 32%.

* Stored value or gift cards concerned 28%.

Retail banking continues to top the compliance officers' list of money laundering concerns at 77%. One respondent explained that branch personnel are under pressure "to open accounts in volume to meet their goals, but fail to conduct the proper due diligence required."

The survey by Fortent also looked at threats by geographic regions. Eastern Europe, excluding Russia, leads the world in suspicious activity related to financial crimes. Russia, the Middle East/North Africa and then the rest of Africa followed as regions of great concern. While the United States may not have been on the top of this regional list, remember that every 19 seconds there is a new victim of identity theft in the U.S. For more information on identity theft concerns and reactions globally, read "Identity Theft Around the World."

Who are these people?

The Surveyors:

Fortent is in the business of providing risk and compliance solutions to financial institutions, government agencies, and individuals in more than 100 countries, including 26 of the world's 30 largest financial institutions.

The Respondents:

Those surveyed included executives from 30 global, regional and national financial institutions, including banks based in the United States as well as overseas. Survey respondents held positions such as SVP Regulatory Risk Management, AML Program Deputy Director and Compliance Director, along with other senior-level compliance roles.

We'd like to do our own survey about what concerns consumers most in the areas of financial crimes.

What tops your list of concerns?

* Identity theft?

* On line payments?

* On line checking?

* Phishing?

* E-mail scams?

* Employee fraud?

(Remember our story on the Pizza Hut employee who helped herself to merchandise ordered with customers' debit and credit card numbers?) -- Read "Identity Theft: Employers Beware"

Please share your thoughts in our comments section.

While this survey looked toward regulatory solutions, we'd like to know what you're doing at home and at work to prevent identity theft and financial crimes.

Are you:

* Shredding documents?

* Using anti-spyware programs?

* Using anti-phishing programs?

We've heard from the experts in the field of financial crimes; now we want to hear from the experts at home: you! Please share your concerns and what you're doing at home to protect yourself from identity theft and financial crimes.

November 27, 2008

Safer Shopping On Line - Tips Just in Time for Our Holiday Shopping

The holidays are approaching, and with them the busiest time of the year for families, people and businesses. How can you get all your shopping done in time for the holidays? By shopping on-line! But how can you stay safe while getting more accomplished faster? Check out these tips and ask these questions before you buy.

Google and AARP have joined together in an effort to provide information on a number of important topics, including identity theft. One video that can help you this holiday season is "Safer Shopping On-Line." In this video, Google Systems Engineer Maile Ohye provides:

* information on trusting your on-line shopping experience and organizations
* four questions you should ask before you buy on-line
* how to tell if your on-line shopping site is secure, and what they can and may do with your information once you provide it.

This engineer advocates not using public computers for shopping and banking on-line as they may not be safe. See our article 7 Steps to Protect Yourself with Shared Computers on ways to use a public computer to have a safer shopping experience.

Source: Google and AARP.org Online Safety

November 22, 2008

Even the Dead Aren't Safe from this Crime: The UK Tries to Crack Down on Identity Theft

Identity Theft is the fastest growing crime worldwide and recently the UK identified Impersonation of the Dead or IOD as the fastest growing form of identity theft. It is estimated that over 100,000 cases of IOD fraud have occurred and that identity theft costs UK citizens over 1.5 billion pounds per year. What is being done about it and does it happen in the United States?

What The UK is Trying to do to Prevent Impersonation of the Dead

Records of the recently deceased are going to be shared with law enforcement and credit reporting agencies in a joint effort between the Registrars General for England and Wales, Scotland and Ireland. The credit reference agencies of Experian, Tracesmart Ltd. and Faraday Tracing Bureau have been the first to be approved to receive the list. Any organization can apply to receive the information on recent deaths but agencies will have to go through a strict application process and agree to operate within a strict licensing agreement. It is expected that an average of 12,000 deaths will be reported weekly.

In the past, death records were made public, but there was no organized way for law enforcement and credit agencies to easily access this information to prevent identity theft. Many identity theft crimes were committed by people who collected death information from obituaries and impersonated the deceased to obtain new credit or take over existing bank accounts.

"I welcome the release of death records which will not only help to combat identity fraud but will also reduce the impact on relatives of the deceased forced to deal with the consequence of their loved ones' identities being stolen," said Home Office Minister Meg Hillier who praises the initiative. The initiative will be reviewed in 2009 to verify that it has lowered the number of identity theft crimes from Impersonation of the Dead.

It Happens in the US Too

One of the most infamous instances of identity theft of the dead in the U.S. involves California resident, Tracy June Kirkland who was charged by federal prosecutors with aggravated identity theft and other crimes. Kirkland went beyond obituaries and did her identity theft research on a popular genealogy web site Rootsweb.com. With names, social security numbers and birthdates in hand, Kirkland would randomly call credit card companies to find out if the deceased person had an account. If she confirmed an account, she would change the address to one of her many rental mailboxes. Accounts she swindled included Macy's, GE Money Bank and Nordstrom Federal Saving Bank. Her three-year crime spree included various purchases and cash advances and used the personal information of over 100 deceased persons.

One of the resources offered by Rootsweb is free and up-to-date access to the Social Security Administration's Death Index.

What is the US Death Index?

The Death Index is a list of people who have died that includes their birth dates and Social Security numbers. It was originally produced for banks and lenders to ensure that people did not exploit the deceased's personal information. The Death Index is updated monthly and made public by the Department of Commerce under the Freedom of Information Act.

Kirkland took advantage of the Death Index by exploiting a loophole and taking over accounts that were already open.

"The reason the Social Security Administration has it out there is to prevent fraud, and when it's used to perpetrate fraud it's because not all the checks and balances were in place on the financial institution's end," says Mike Ward a spokesman for Rootsweb.

Dorothy Clark, spokeswoman for the Social Security Administration, says she's not aware of any prior cases of the index being used to perpetrate fraud rather than prevent it. "None that I can attest to," she says. "Nothing that I can say concrete." (Hhhhmmm.) Makes you wonder if the US will pour "concrete" to close this "hole?"

It will be interesting to see the impact of the UK initiative on preventing identity theft and the US response to the uncovering of the obvious loophole in their Death Index initiative.

November 18, 2008

Virtual You-Virtual Me: Holograms

CNN used a hologram to "whisk" correspondent Jessica Yellin from Chicago to New York during election night reporting. What is in store for the future of holograms? And how could it affect your identity?

The election year of 2008 brought with it many surprising uses of technology, and new technologies. For years political parties and lobbyists have been able to use e-mail to reach large audiences, but this year we saw more: it began with "text messages" from President-Elect Barack Obama announcing his Vice Presidential candidate, continued with entire cable channels purchased for a candidate's platform, and ended with the introduction of holographic news anchors to walk the United States through election night.

Holographic news anchor? Yes, it's true. During CNN's election night reporting a holographic 3D, 360-degree image of reporter Jessica Yellin in Chicago was "transmitted" to CNN's election center in New York. During election night coverage, it appeared as if she was a "real" part of the news coverage from New York. How was this done?

CNN's virtual correspondent required 35 HD cameras, different shots at different angles, synchronization with the cameras in New York, 20 computers processing the data and 2 camera feeds at CNN headquarters. That's all. There is more to it than this, but most of it I think you have to be a computer engineer to understand.

When I first learned of the use of this technology, I thought, "Wow, straight out of Star Trek." I am not the only one. John Chambers (of Cisco Systems) explained that he wanted technology straight out of Star Trek, and the Emerging Technology Group and Marthin De Beer made it happen. During a presentation by John Chambers discussing this innovative technology, he and De Beer give a "virtual" presentation, with a presenter on one continent and one on another.

What are some possible uses for virtual presentation or holographic imagery?
- Education: Could professors perform lectures from the comfort of their offices? Or possibly students attend classes from the comfort of their homes?
- Business Travel: Could holograms be the next alternative to business travel, meetings, presentations and conferences? We already have web conferencing tools available, just think how much more effective it could be with face to virtual face contact - and how much more efficient.
- Counseling or Medical Services: Instead of calling your therapist, counselor or other medical professional could you have a virtual consultation? What happens to the office visit co-pay then?
- Recreation: Is this the next step in recreation? Could people actually use this for recreational travel? Or could it be the next new technology for video games, taking the "Wii" system several steps into the future?
- Virtual Shopping: Can holographic imagery give virtual shopping a whole new meaning? Would we move beyond the express lane and self service lanes, to virtual checkouts?
- Virtual Banking: Can I save myself a trip to the bank and complete basic services as well as loan and credit applications as a hologram?

With all these possibilities there are also a number of concerns that the technology of a virtual presence or holographic image creates. For example, who owns the image or hologram? What happens when enterprising individuals learn less expensive and less complicated ways of creating a holographic image? Could it be possible to capture my image and use it for identification, shopping or even medical services, just to name a few? Could holographic images be the next new technology in identity theft, fraud or other financial crimes?

The law rarely keeps up with technology. As a result, with every emerging technology as useful as holographic imagery, there is a need to look not only at its future uses but also at the future threats to our safety and identity that these types of new technology bring. After all, spam and phishing all started with a simple e-mail.

November 14, 2008

Identity Theft Awareness Month in New York

New York designates November 2008 as "Identity Theft Awareness Month in New York." What does this month offer consumers regarding protection and information from identity theft?

New York is focusing on their fastest growing crime in November. The New York State Assembly has recognized the pervasiveness of identity theft crimes in their state and confirmed a resolution that designates November 2008 as "Identity Theft Awareness Month in New York."

Identity Theft Statistics (2006)

* 8.3 million Americans were victims of identity theft

* Over 16,000 New Yorkers were victims of identity theft

* New York ranks 8th per capita in identity theft crimes.

* 33 billion dollars were stolen through identity theft.

* On average an identity theft crime robs victims of over $6,000, and they incur an additional $1,200 in out-of-pocket expenses.

* It takes an average of 55 hours of personal time to rectify the consequences of identity theft.

New York also recently passed a state law requiring law enforcement to take full information in identity theft cases. However, it is estimated that a full two thirds of identity theft victims do not contact the police. New York hopes to change those statistics with awareness and prevention through the Identity Theft Awareness Campaign. Assemblywoman Audrey I. Pheffer, who introduced the resolution stated, "Identity theft is an extremely important consumer fraud concern and a serious financial crime. Working with the New York Credit Union Foundation and the Credit Union Association of New York to proclaim November 2008 'Identity Theft Awareness Month,' I believe, will educate the consumer and help prevent this crime." New York has also confirmed a resolution to support a public service campaign sponsored by the New York Credit Union Foundation and the Credit Union Associations of New York.

New York's recent program "Who Are You? Identity Thieves Really Want to Know" will focus on educating New Yorkers on how to avoid being an identity theft victim. The campaign includes five video public service messages that feature Assemblyman Peter M. Rivera and Assembly Minority Leader James N. Tedisco. There is also a series of longer videos featuring Mindy A. Bockstein from the New York State Consumer Protection Board. All videos are being produced in English and Spanish.

When James Tedisco speaks during the campaign, he speaks from experience. Tedisco was a victim of identity theft years ago. In 2006 an identity thief from Long Island, New York ran up $15,000 in under 24 hours using stolen credit cards. Tedisco was one of the two victims in this case. Interestingly, identity theft had only been on the books as a felony in New York since 2002.

The New York Credit Union Foundation and the Credit Union Association of New York's identity theft campaign comes right on the heels of a new awareness campaign launched by AARP and Google.

Will the identity theft awareness campaigns help?

Here's what Assemblyman Tedisco has to say: "Several years ago, I was the victim of identity theft. I know first-hand the stress and suffering it can cause. If this educational campaign helps even one person avoid the devastation of identity theft it is worth the effort."

While New York has officially dedicated the month of November as Identity Theft Awareness Month, all citizens should take heed and be aware, safe and secure. As the holidays approach, consumers will be shopping on line, in stores and by phone in record numbers. Taking the time to prevent identity theft can protect you from becoming not just an identity theft statistic, but a real victim, and that's something we can all be thankful for this November and in the months to come.

November 10, 2008

AARP & Google Team Up to Offer Identity Theft Tips

AARP and Google have teamed up to create 6 videos to help consumers protect themselves from identity theft risks on line. And, you don't even have to be an AARP member to take advantage of these tips!

Why are these two brands joining hands to offer identity theft protection tips? Each year over 10 million Americans become victims of identity theft. That equates to a new identity theft victim every 19 minutes. In fact, identity theft is the number one consumer complaint in America.

AARP is a non-profit membership organization with a mission of helping people over the age of 50 to maintain independence, choice and control in their lives with options that are beneficial and affordable. As more and more people over the age of 50 are using the internet, identity theft is a great concern for this age group, and AARP wants to help its members protect themselves from this devastating crime.

Google, of course, is the innovative internet search technology that every day connects millions around the world with just the information they are searching for on line. Google's Business Product Manager for Trust and Safety, Shuman Ghosemajumder, shares Google's motivation for joining AARP to create these videos.

"Record numbers of older Americans are going online to surf the web, connect with family and friends, share photos, and run online businesses. We hope the Online Safety video series will help AARP members keep their online information safe, private, and under their control," said Ghosemajumder.

Before you can make sure your online activity is safe, first you must secure your computer. The AARP offers these tips:

* Use a firewall and make sure it is turned on. (The video will even show you how.)
* Use antivirus software
* Use antispyware programs

Topics Covered In the AARP & Google Online Safety & Privacy Videos

* setting privacy controls in on line photo sharing sites
* configuring firewalls
* selecting safe and secure passwords
* shopping safely on line
* avoiding phishing scams

Where can you find these videos?

About 20,000 AARP members watched the debut of the video series on internet safety and online privacy at the association's annual member event. Anyone can now view these videos at one of two places: either the AARP web site at www.AARP.org/onlinesafety or the Google Privacy Channel on YouTube at www.youtube.com/googleprivacy.

Both sites offer information on privacy and protection beyond the new 6-part video series. On the Google Privacy Channel page there are also videos on:

* what information Google collects when you use their search engine and how they protect it

* why Google keeps logs and what information they record

* steps you can take to increase your privacy when searching on line

* information about privacy settings, and questions and answers on how products work from the engineers and product managers who designed them

In addition to the 6-part series on on line safety, the AARP web site also offers more articles and videos on identity theft risks such as pop-ups, e-mail scams and on line bidding sites.

While many people who use the internet are aware of YouTube videos, many consumers probably were not aware of the Google Privacy Channel. At the same time, AARP has 40 million members and 33 million readers of their magazine, the AARP Bulletin, but many members may not have taken advantage of their AARP website. This joint venture puts information about on line safety and privacy and identity theft protection right on line where many people work, shop, play and research and presents it in an easy video format that many consumers are already comfortable with.

Many of the risks for identity theft come from on line activity. AARP and Google are offering identity theft protection tips that can be accessed right from your computer, where the risks begin, so that you can put the information to work for you right away.

November 07, 2008

Don't Go Surfing, If You Haven't Checked the Tank First

Don't let the phish in your email "tank" become sharks. Find out what you can do about them and about this important service that stops phishing scams.

That's PhishTank, not fish tank. There are no swishing goldfish or dancing bettas here, and rather than a tank that needs to be cleaned, PhishTank.com means to clean up the tank. The tank they want to clean up is the internet. PhishTank.com is a web site that acts as a collaborative clearinghouse for data and information on phishing on the internet.

What is phishing?

The name PhishTank refers to phishing, the type of scams that the site tracks. Phishing is any scam initiated in order to steal your personal information. The purpose of stealing your personal information of course is to steal your identity and commit financial fraud.

The most common form of phishing is through e-mails. Phishing e-mails usually appear to come from an organization that is well known and the e-mails often look and sound official. The e-mails are an attempt to collect your personal information such as social security numbers, credit card numbers, user names and passwords. In recent years, phishing scams have targeted victims by imitating PayPal, banks, the Better Business Bureau and even the IRS.

Phishing e-mails will attempt to get you to click on a link that takes you to an unsafe site in order to "phish" for your personal information.

How does PhishTank.com work to protect consumers from phishing attacks?

PhishTank collects and shares statistics and information about phishing scams on the internet. PhishTank also provides an open API for developers and researchers to integrate anti-phishing data into their applications free of charge.

PhishTank registrants are invited to submit suspected phishing sites, track the status of their submissions, and help verify whether or not their own or others' submissions are phishing scams.

PhishTank Success

PhishTank just celebrated its second anniversary. In that time over 1 million phishing scams have been reported. Earlier this year PC World honored PhishTank with its Top Product of 2008 award.

There are over 29,000 registered users of PhishTank. This means a large amount of shared information, which allows PhishTank to educate consumers on the latest scams and help them protect themselves from identity theft.

Tips for Recognizing Phishing E-Mails

PhishTank offers the following tips for avoiding being "caught" as the victim of a phishing scam.

* A generic greeting.

Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like "First Generic Bank Customer" so they don't have to type all recipients' names out and send emails one-by-one. If you don't see your name, be suspicious.

* A forged link.

Even if a link has a name you recognize somewhere in it, it doesn't mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don't click on the link. Also, websites where it is safe to enter personal information begin with "https" -- the "s" stands for secure. If you don't see "https" do not proceed.

* Requests personal information.

The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.

* A sense of urgency.

Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.
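As an added illustration of the forged-link and "https" tips above (example code written for this page, not PhishTank's own tooling), the following Python script assumes a constructed sample e-mail and flags anchors whose visible text names a different host than the link actually points to, or whose link is not https. Note the caveat in the comments: https alone proves only that the connection is encrypted, not that the site is the organization it claims to be.

```python
"""Flag anchors in an HTML e-mail whose visible text disagrees with the link target.

Defensive check built for this article; the sample e-mail below is constructed
(192.0.2.10 and example-bank.com are documentation/placeholder values).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a generic greeting, one forged link, one honest https
# link and one plain-http link with non-URL anchor text.
SAMPLE_EMAIL_HTML = """
<p>Dear First Generic Bank Customer,</p>
<p>Please visit <a href="http://192.0.2.10/login">https://www.example-bank.com/secure</a> now.</p>
<p>Help is at <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>.</p>
<p>Or <a href="http://www.example-bank.com/update">update your details</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' style text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """True when the anchor's visible text itself reads as a web address."""
    return "://" in text or text.startswith("www.")


def check_link(href, text):
    """Return the list of warnings for one anchor (empty list means nothing found).

    The first check is the 'roll your mouse over the link' tip in code form:
    if the text shows one host but the href goes to another, warn.
    The second check is the 'https' tip. Note that https is necessary but
    not sufficient: a phishing site can be served over TLS as well, so a
    passing https check is not proof that the site is legitimate.
    """
    warnings = []
    href_host = host_of(href)
    if looks_like_url(text) and host_of(text) != href_host:
        warnings.append(
            f"visible text shows host {host_of(text)!r} but link goes to {href_host!r}"
        )
    if urlparse(href).scheme.lower() != "https":
        warnings.append("link is not https")
    return warnings


def analyze_email(html):
    """Return [(href, visible_text, warnings)] for every anchor in the e-mail."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, warnings in analyze_email(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if warnings else "ok"
        print(f"{status}: {text!r} -> {href}")
        for w in warnings:
            print(f"    - {w}")
```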

What's involved in registering to join and participate in PhishTank.com?

PhishTank.com is very user friendly. All it takes to join in the fight against phishing is to type in a username (one that will be displayed and identify you on the site), an e-mail address, a password you create and a verification code. It's really that simple.

Consumer education is one of the largest nets in fighting identity theft. PhishTank.com has the latest hooks on how to avoid taking the bait for identity theft.

November 05, 2008

Web Applications And Security: How To Secure Custom Web Applications

Web Application Security
Whether you're building a custom web application or using one of the off-the-shelf/open source web applications for things like photos, monitoring, or any other PHP, ASP, Perl, AJAX or other language web app, one thing you MUST think about is the security associated with it.

In this interview with Paul Herbka from South Seas Corporation (a development and training company based out of Colorado), we go in depth into a discussion of web applications, security, and why it's important for any individual or business to seriously consider what their policy is for the security associated with any web-based applications they may deploy online.

Mr Herbka also goes into reviewing some great security platforms for protection of any web-based application.

You can listen to the interview, and/or read the transcript below, for free.
(Paul even offers you a discount if you mention this interview when you call him.)

The following is a presentation of IdentityTheftSecrets.com.

Identity Theft Secrets: This is Jonathan Kraft with Identity Theft Secrets and I'm here again today with Paul Herbka. Today we're going to be talking about Web Application Security which doesn't sound like that exciting of a topic, but it's pretty amazing what can happen when you have a website or web application that gets hacked and all of your information for all of your customers is stolen and what do you do about that? So Paul's going to talk with us a little about that today.

Paul Herbka is actually the President of The Information Systems Security Association in Denver. He's the Vice President for South Seas Corporation which is headquartered in Littleton, Colorado and he's also a Certified Identity Theft Risk Management Specialist and has spoken at numerous conferences and I know you just have a wealth of knowledge here. So thank you very much Paul for taking a few minutes with us today.

Paul (web application expert): Absolutely - I appreciate the time to be with you and just share some information. Really I'm hearing a lot of buzz about Web Application Security. It's really become an age where if a company has a website, then they're legitimized and people feel they're a real company and "ok, I can do business with them, because they must be a real one if they have a website."

Identity Theft Secrets: You know what's funny about that - can I interject there real quick? I actually used to work at when it was US West/Dex, you know the yellow pages and I used to sell internet advertising back in 1999, I was a phone sales rep for internet advertising. I would call these businesses in like Pine Junction, Arizona and I'd say, "hey, we'd like to talk with you about getting your website set up on the internet." And seriously, people would go, "inter- what?!" And it's so funny to have gone from that in 1999 to today where having a website is being a "real business." Anyway, I just thought I would interject that there.

Paul (web application expert): No, that is funny and it's so true. It's funny - I was just talking to another gentleman and he wants to setup a website; he's like, "well, people keep asking me, what's your website?" As if, as long as they have a website, then he's legitimate. It used to be if you had a business card, you were legitimate and I think some people still do that. But now a lot of people printed up mass, different business cards - so now it's "ok, do you also have a website? - then you must be real!" So it's interesting to see that trend.

Well, along with that trend a lot of people are serving up applications, and a lot of even government entities are going to where, "hey, now you can do everything online" -- and it's a mixed review, right? Some people say "great! Now I don't have to leave home - I can just do that, I can do it online; I can do it while I'm traveling." Other people say "hey, this is scary, because now all of my information is 'out there.'"

The reality is that with a lot of different government entities, job applications, etc., are all being done over the web, which now means people are putting in their social security numbers, their date of birth, their address, their home numbers, etc., and all that information is traveling. So obviously, security becomes a big issue in that as people are becoming very aware of the cost-savings by having a website. And not only that, but the ability to maybe be in one town or one country, but now offer things to the world, right? We saw those commercials a while back where they say, "hey, you might be a small business here but now you can do business worldwide by having a website." And you look at the people selling stuff on eBay and now all this stuff is out there.

Now one of the root issues is, is that stuff secure and is your web application secure? So there's actually a coalition out there called OWASP - I don't know if you've heard of them, but they have the OWASP "Top Ten" and what that is, is it's a list of the Top Ten issues or vulnerabilities that they are seeing in web applications. And I won't read through all of them, but the top ones are Cross Site Scripting, Injection Flaws, Malicious File Execution, Insecure Direct Object References, etc. So basically, it's the ability for me to hack that website remotely and now it doesn't matter where I am, I can be in Russia, or China or wherever and hack into these websites and now I no longer have to worry about getting onto the network, right? I don't have to worry about getting into the physical building - they've given me access out on the Worldwide Web and opened it up for me to get in!

The interesting part of that is when people are developing those applications, all the programmers went through school - but in school, they never worried about security. They were worried about efficiency, right? Write better code, more efficient code, less code, the more it can do with less lines -the more efficient it is; the faster it runs, happier everyone is. So they worried less about security, or even not at all about security, and just worried about the efficiency of the code. Well now, what they're finding out is, this code is efficient, but it's very easy to fake or to hack and take advantage of these vulnerabilities that just aren't secure just because of the way it was written. Now when they look at these applications that have grown over the years, that are now thousands and thousands of lines of code, they either need to go back in and do code review or they need to find some other way to secure it.

So that's really become a key issue in web application and web application security. In fact one of the biggest things now that people are looking at are web application firewalls that are purpose-built firewalls specifically just for web applications.

Identity Theft Secrets: Can you explain more what that means?

Paul (web application expert): Sure! So web application is really focused on all the different things like SQL Injection, Cross-Site Scripting and Cookie Poisoning. Just a simple example of that, is like if you've ever done an order online and you see there's a large string at the top and then the last part is your order number? Well, if you go up and change that order number -- and it's not a secure website -- then you'll actually pull up someone else's order. Now that's interesting, but it's now a security risk if that order had their name, information, credit card number, address, etc., not to mention their order, which they may be ordering something that they may not want the world to see - depending on who they are and what they're buying or where they're buying it from.

Identity Theft Secrets: And may also include their credit card information in that order.

Paul (web application expert): Absolutely! Credit card information, the CVV code off their credit card, any of that stuff. And depending on again what they're doing it may also include - let's say you're doing a job application and you change that code, now you may be seeing someone else's job application; now it also has their social security number, their date of birth, their home address. As far as an identity thief, they're going, "hey, that's great! Game over! I've got all the information I need. This is fun." Of course the more sophisticated ones are saying, that's only the one-sies and two-sies; I'm going to go after the thousands and the tens of thousands or millions. For the hacker that wants to set up a script to just keep doing that - running through all the orders, that's an easy way to glean information without having to do much hacking.

Identity Theft Secrets: Right, the machine is doing all the hacking for them at that point. Gleaning some random order numbers over and over and over and over and over until it finds one and then it's grabbing all that information and then putting it into an Excel sheet or something and somebody can open that from wherever.

Paul (web application expert): Exactly and so we're finding that, more and more, people are going "ohhh, ok, we didn't realize!" They're starting to realize the implications of "yes, it was nice that you put this stuff out there; but now, what are the issues?"

So just as an example of what a web application firewall does is, if there are Web worms - so worms written specifically for the web. A regular firewall only has limited access to stopping that. But a web application firewall is built specifically to. Another example would be web vulnerabilities like Cross-Site Scripting, etc. A web application firewall knows about those -- a regular firewall has no clue. So that's something that's there. The other thing would be directory files or directory structures, brute force attacks, which is where they're basically just guessing passwords or guessing random numbers or guessing strings. Changing the cookies -- most people are familiar with what a cookie is on a website, but a cookie is basically something that says, "I've initiated, I've authenticated this transaction; whether it's a purchase or an inquiry or whatever for maybe my bank statements or maybe my access to my records, for medical or whatever." "I've done the authentication," so then it assigns a cookie to that session or to me so that when I do another request, it says, "oh, ok. I know who you are and I remember who you are." So if I can find a way to adjust that cookie or tamper with that cookie, called Cookie Poisoning, then I can now take that and get other people's information the same way. So that's one example. Brute force attacks are another example where a regular firewall doesn't know how to handle that; but a web application firewall is built specifically to help with that. So it doesn't matter if it's SQL or OS Injection, Cookie Poisoning, Hidden File Manipulation, Parameter Tampering and the list goes on. But there's a bunch of things -- SSL Flooding, a lot of people say, "well, I'm secure, I'm ok, no one can hack in because I'm using SSL VPN or I'm using SSL sessions, HTTPS -- so I'm good." Well, you can do something called SSL Flooding and again a regular firewall isn't going to know what to do about that; whereas a web application firewall can.

One of the best web application firewalls out there is an F5 Product and they call it ASM Application Security Manager. But it's basically specifically built to help with that and their whole company policy is to deliver applications that make them secure, but make them available all the time. They also do "load balancing" to make sure that it's got high availability.

So when we talk about web application security, really the two options are either, review all of your code and make sure it's secure which is kind of a nebulous thing to start off with anyway; not to mention a painstaking, time ...

Identity Theft Secrets: No kidding, hunting through lines of code trying to find vulnerabilities.

Paul (web application expert): Exactly and thousands and thousands of lines of code which now are causing other things. You need to know not only that, but you need to follow the whole thought process of what's being passed, what should be passed, what are the legal ranges for the items being passed - do we have a way of checking for those legal ranges, testing if they are or aren't legal, etc. And then what happens, how do we handle the exceptions when it's a typo versus it's a hacker trying to get in? So we don't want to cut all sessions that don't have the right information, but we don't want to allow them either. So there's different issues there.

So those are the types of issues that people are facing and I think it's interesting that there are some people that say, "oh, well I'm not worried about that." Well, if that application is tied to a database or tied to your network which now has a database that has any information, again, people's names, social security numbers, their identity, you should be worried about securing that - otherwise you're going to have a breach and you're going to be in the newspaper, you're going to be on the "bad list" of companies to deal with because you don't secure their information correctly.

Identity Theft Secrets: Let's say I'm either government institution or a large business. Or even -- I work a lot with internet marketing people - those are some of the people I know just selling odds and ends of little products online. But they're storing credit card information, at least temporarily. If any of those people have issues, what are some good, just everyday resources for people to find details about what they need to do to secure web applications?

Paul (web application expert): Wow, great question! One is, I would say definitely; find yourself a good security consultant, right? Not just a computer reseller, firewall reseller, but find a security consulting company that focuses on that and there's several things they should do. One is they should be able to do assessments and penetration tests and web assessments to go and find out what are the issues on your website? Is it vulnerable to all those things we just discussed? And then two is, after they do that, they should give you a detailed report that not only says, "here are all the issues we found," but ranks them in the order of priority - here are the issues that are most important; like a high-red - oops, you've got to get this fixed right away. That way you know what your priority list is because no one has unlimited time, unlimited resources and unlimited money to go and just fix all them. You want to figure out what are the big holes that are serious violations or vulnerabilities that I need to plug up now!

Quite honestly, bang for the buck - I would recommend a web application firewall because that's going to stop - with all of your applications, the old ones, new ones, etc., long-term, the whole OWASP mentality is we'll learn how to program better and code better and make that a part of your whole development lifecycle and that's great. It's a great goal, but it's not going to get there quick enough. It's kind of like saying, ok, our car should be energy-efficient. Well that's not just going to work overnight - it's a good goal, but if you're driving an 8-cylinder SUV, it's not going to become energy-efficient overnight. So those are things you can add to that so that's it's protected and it's secure to give you time to fix the process behind and work with that.

The other thing is it's constantly getting updated as well from that vendor so that as new vulnerabilities are found, it's keeping up with that and you don't have to worry about it. Because people will just say, "well I'll just work it into my development lifecycle." Even if all their coders were of that same mentality -- which just being real -- they're not, is what about when a new thing comes out are you really going to stop production and coding to go tell everyone about this new thing - here you have to worry about coding it this way or are you just going to say, "well, we'll fix it up in the next version." If that's the case, you're still open to vulnerabilities and you're open to being breached and then you again have that high expense of being reactive to a breach; versus proactive on the front-end.

Identity Theft Secrets: Sure and what you've said before is that it's always - and I think "always" and "never" are two words you should always remember never to use - but, you've said it's always cheaper to be proactive than to deal with it on the back-end.

Paul (web application expert): Absolutely, absolutely! In fact, I want to say it's under 10% -- normally the cost for breaches is usually under 10% to deal with it proactively before it happens versus after the breach occurred because you've got all these fines and notifications and fees and things you've got to do. Not to mention all the hidden costs; customers don't trust you now so you lose business, the goodwill, things you're trying to do then to overcome that goodwill. So yes, if you look at the overall costs, always, always, always - which you should never use - (laughs) it's always more effective to be preventative - at least cost-effective to be preventative - unless you're just one of those gamblers who says, "I'm going to gamble and hope I don't have a breach before I go out of business." But hopefully most people are deciding they want to be in business a long time and therefore that's not a good policy because the chance of time is against you.

Identity Theft Secrets: Sure. If I'm looking for a solution, what types of solutions are available?

Paul (web application expert): Wow, there's low-end web application firewalls, there's "do-everything-in-one-box" type of UTM, Unified Threat Management box and the good thing about that is that they do everything. The bad news about them is that they are a "Jack-of-all-Trades, Master of None." So, they're going to be ok at just about everything, but they're not going to be great at anything. So I really recommend getting a purpose-built box specifically for something as high-volume, high-traffic as a web application where you need that delivery not to be slowed down, but you need it to be looking at everything and securing everything. So I would look at things like that; I would look at again, the F5 product which is really recommended which has great success. It works well, you plug it in and it works; it's what makes it a great solution and they are constantly increasing it and developing it to make sure it's always secure and it's always working to help you.

Then also look at the Data leakage-type products, like the Vontu product from Symantec that really helps you do that. Another thing that people don't realize when they're looking at the costs are just all the different fines. In fact, even the payment card industry has figured out this web application stuff is serious. In their new version, PCI DSS, Version 6.6, they've said, "you've got to have" it's no longer it's "nice to have" - they're saying now "you've got to have either code review, which means going through all those lines of code or you have to have a web application firewall." So they've now admitted to themselves and to their community, hey, if you're taking credit cards, if you're storing credit cards, no matter how temporary that might be, you need to have a web application firewall or you need to show improved and do the constant code reviews to make sure your code is always secure.

Of the two, the least expensive is going to be the web application firewall. Unless again, you only have one program and it's only a couple hundred lines long, then yes, do a code review. But if it's hundreds of thousands or millions of lines of code, a web application firewall is going to be less expensive and it's going to be easier to implement.

Identity Theft Secrets: You just mentioned too that there was some law or some rule that required people to have things set up. What other kinds of compliance changes or government issues - is the government getting involved as they do in lots of different arenas, so that ideally they'll protect and help people; but what kinds of compliance issues are people facing now when it comes to web application security outside of the one you just mentioned?

Paul (web application expert): I'm glad you asked that - in fact, it reminds me of a local news story here in Denver where the District Attorney for Denver has just published and said to all the different public websites, so any of the cities or counties or what not, "hey, this is serious and you should not be having people's social security number or private information out on public websites." And while that was a general rule that everyone thought they were following, everyone forgot and again it becomes more of the business process in the paper world that then got changed into the web world and people forgot how that became a security risk.

An example is now, public records for a house; who purchased the house and who's the lien against the house. Wedding information, all that stuff is now filed online and you can look it up online. Well because of that now, people worldwide have access to that, can go in there and get that and they're saying, "hey, we've got to take that off." If you've got a lien record, you're supposed to be taking the social security numbers off, you're supposed to be taking the private information off. So now that's something that's been kind of declared as an internal or external rule, depending on how you look at it, that says, "hey, we need to be doing this!"

Again, it's not something where people were doing maliciously posting information; they were just taking what they did in the paper world and automating it to the web world to make things easier for people. But in our "lust" for making things easier, we forgot about security and now we've opened people up to the possibility of having identity thieves get their information and use it maliciously.

Identity Theft Secrets: So as far as compliance issues, there's nothing specific necessarily that requires them to be compliant?

Paul (web application expert): Well, that's where it's interesting. There was no specific solution mentioned, but it basically said, "go through all of your web information, whether it's millions or thousands of pages of stuff you can get off the web and make sure that none of it contains social security numbers, credit card numbers, personal information."

So now there's a huge market out there for programs that can go out and search for that stuff automatically, right? Using the technology to go through and scan your whole farm of web pages and say, ok, where does that apply? And then, either wipe it clean or take those off and find a way to keep that information off of it - and that's important. So now there are programs and one of the things that the F5 product can do and that people are using, is the ability of the F5 product to say, "oops, you're sending out this webpage, but it contains social security numbers. I should change that so that now it's generic, right? And I just put X's instead of the actual number." So that people see, yes, there is a social security number on this file, but they don't know what it is. So that's something that people are doing to automate that. Quite honestly, the payment card industry has said, if you aren't doing that, you're in trouble. Now the Denver District Attorney has said, yes, I want all the state's entities to do that; so it's becoming more and more and I don't think that's a rare thing, I think you're going to see that more and more and more whether you're a small business or government entity falling under the SEC or falling under PCI or SOX or HIPAA. Now all the members saying yes, we need to start securing our data because they're realizing that Identity Theft is a big issue.

So where can you go? Again I would go to ... by all means, you can get in touch with us and we can help you with a solution; we can help figure out what's the best solution. Is it easier to scan through your data, re-clean up your data or just filter it on the way out and change it all out? Or just not allow it? You know there are a lot of different solutions there, but I would say, start working on that and making it a priority. Otherwise you'll end up paying fines or breach costs, one way or another.

Identity Theft Secrets: I know that South Seas Corp offers people a lot of solutions, as we've talked about before, for dealing with web application security and a whole other variety of things. If people want to get in touch with you, how do they do that?

Paul (web application expert): Well, the best way is either email or phone. Our 800 number is 1-866-794-1655. Again, toll-free is 1-866-794-1655 or they can call me directly at 303-798-7588. Or they can email me, my email address is pherbka@SouthSeasCorp.com.

One thing I'd like to offer is that anyone who mentions that they heard it here, we will go ahead and give them a discount and we will give them a 2% discount on any web application firewall they buy from us or any services specifically for security by mentioning this ad. As long as two things: one is they are not an already pre-existing customer and it's on something they've already been quoted or already bought and two is that it's not on a government contract, because on government contracts I can't adjust the pricing that way.

Identity Theft Secrets: Well thank you very much for taking a few minutes with us to talk about web application security. I hope people are more informed about - if they have any sort of web application, they need to be looking at creating some security specifically around that web application.

I appreciate you taking a few minutes to share your expertise with us today.

Paul (web application expert): Absolutely and one other thing I forgot to mention is another resource they may want to go look at is the OWASP Top Ten. If you just Google OWASP Top Ten, it will give you the Top Ten List and you can drill down in that - here's all the things and here's what it means, here's how to do it, here's how to do the code review, here's some of the products that work against it. So that's a good resource as well -- so I neglected to mention that earlier. If you're in a web application environment, that's hopefully something you already know about but if not, that definitely would be a good place to go to.

There are also local chapters of the OWASP that have different meetings. I know there's a Denver Chapter, there's a Boulder Chapter - they're nationwide. I think they're worldwide, but they're at least nationwide and so you may want to look at if there's an OWASP Chapter in your area and get plugged into that because that's a good way to network with other peers that are concerned about security for web applications as well.

Identity Theft Secrets: Awesome! Well, thanks so much for taking the time with us today and we'll look forward to talking with you again soon!

Paul (web application expert): Sounds good, thanks so much for having me!
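The order-number tampering Paul describes in the interview (what the OWASP list calls an insecure direct object reference) is easy to see in code. The following is an added Python example, not code from the interview, from South Seas Corp or from any product mentioned above; the order records, the user names and the failure threshold are constructed for illustration. It goes a little beyond the interview's case: it shows the broken lookup beside a lookup that checks ownership from the session, hands clients an unguessable reference instead of the sequence number, and counts failed lookups so that the "script that runs through all the orders" pattern gets flagged.

```python
from __future__ import annotations

import secrets
from collections import defaultdict

# Constructed sample data (no real customers): order number -> record.
ORDERS = {
    1001: {"owner": "alice", "item": "Book", "card_last4": "4242"},
    1002: {"owner": "bob", "item": "Laptop", "card_last4": "1111"},
    1003: {"owner": "alice", "item": "Headphones", "card_last4": "4242"},
}


class NotFound(Exception):
    """Raised for both 'no such order' and 'not your order' in the hardened path."""


def lookup_order_vulnerable(session_user: str, order_id: int) -> dict:
    """The defect from the interview, kept deliberately: the order number in the
    URL is trusted as-is, so any logged-in user who edits it reads someone
    else's order. The session is never consulted."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def lookup_order_hardened(session_user: str, order_id: int) -> dict:
    """Authorization is decided server-side from the session, never from the
    identifier the client supplied."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        # Same error for "missing" and "not yours", so the ID space can't be probed.
        raise NotFound(order_id)
    return order


# Second layer: give clients an unguessable reference instead of the sequence
# number, so counting upwards finds nothing even before the ownership check.
_TOKEN_TO_ORDER: dict[str, int] = {}


def issue_order_token(order_id: int) -> str:
    """Mint a 128-bit random reference for an order (hypothetical helper)."""
    token = secrets.token_urlsafe(16)
    _TOKEN_TO_ORDER[token] = order_id
    return token


def lookup_order_by_token(session_user: str, token: str) -> dict:
    """Resolve the opaque reference, then still enforce ownership."""
    order_id = _TOKEN_TO_ORDER.get(token)
    if order_id is None:
        raise NotFound(token)
    return lookup_order_hardened(session_user, order_id)


class EnumerationDetector:
    """Detection side: a burst of failed lookups from one session is the
    signature of an ID-walking script. Threshold is an assumed value."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures: dict[str, int] = defaultdict(int)

    def record_failure(self, session_user: str) -> bool:
        """Return True once a session has reached the failure threshold."""
        self.failures[session_user] += 1
        return self.failures[session_user] >= self.threshold


def simulate_enumeration(lookup, session_user: str, id_range: range,
                         detector: EnumerationDetector) -> tuple[int, bool]:
    """Walk an ID range the way a naive script would.
    Returns (orders successfully read, whether the detector flagged the session)."""
    read, flagged = 0, False
    for oid in id_range:
        try:
            lookup(session_user, oid)
            read += 1
        except NotFound:
            flagged = detector.record_failure(session_user) or flagged
    return read, flagged


def denied(lookup, session_user: str, ref) -> bool:
    """True when the lookup refuses the request (raises NotFound)."""
    try:
        lookup(session_user, ref)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # bob walks ten order numbers against each lookup; only the vulnerable one leaks.
    for name, fn in (("vulnerable", lookup_order_vulnerable), ("hardened", lookup_order_hardened)):
        print(name, simulate_enumeration(fn, "bob", range(1000, 1010), EnumerationDetector()))
```

With the constructed data, walking order numbers 1000 through 1009 as bob reads three orders through the vulnerable lookup but only bob's own order through the hardened one; in both cases the detector flags the session after the fifth miss, which is the log signal a defender should alert on. Both layers are worth having: the ownership check is the actual fix, the opaque reference merely removes the cheap enumeration path.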

November 03, 2008

Interview - Searching for Email Security: Review And Policy Surrounding What Is Email Security?

Email Security
Should you, as an individual, have a policy around email security? What is email security anyway??

In this interview with Paul Herbka from South Seas Corporation (policy and email security solutions review company based out of Colorado), we go in depth in a discussion of email security, and why it's important for any individual or business to seriously consider what their policy is for email security.

He also goes into a review of email security products and services.

You can listen to the interview, and/or read the transcript below, for free. (Paul even offers you a discount if you mention this interview when you call him.)

Download the interview about what Email Security is in MP3 Format

The following is a presentation of IdentityTheftSecrets.com.

Identity Theft Secrets: This is Jonathan Kraft and welcome back to Identity Theft Secrets. I'm here again today with Paul Herbka who does a whole bunch of things in the security protection industry. Works with a company, out of Colorado, called South Seas Corporation that does a bunch of different compliance issues and helps companies with their security issues. He's also the President of the Information Systems Security Association, the Denver chapter; Vice President of South Seas Corporation; is a Certified Identity Theft Risk Management Specialist (CITRMS) and he has a whole other bunch of things that he's done in this arena. He's spoken at a few different conferences. Paul, how are you doing today?

Paul (email security expert): I'm doing well thanks. How are you today?

Identity Theft Secrets: I'm doing awesome! Thank you for taking a few more minutes with us today to talk about email security. I think what's interesting -- people have heard a lot about worms and viruses and trojans and malware and all this stuff and most people don't even know what it is that is coming at their computer through their email. But most people now today also have installed some sort of protection, or they think they've installed some sort of protection, on their computer. Why should people still be concerned about email security?

Paul (email security expert): Well, there are really lots of reasons but probably the top two reasons would be; because on the inbound traffic, you can get all those bad viruses from the trojans and other things that then let people "own" your machine and then get your information out of it. The second reason would be because people can accidentally send stuff out not knowing it's confidential or that it's proprietary information or maybe they think it's ok with who they're sending it to and don't realize that other people can find that information out on email, that it's not secure, depending on how you have your email set up. So probably those would be the two biggest reasons - you can boil it down to: you can lose information whether it's on the inbound, people getting access or control. Or on the outbound, people getting information because it's being sent, whether it's accidentally or on purpose, or just they didn't realize that email wasn't secure.

I know I've had conversations with people and they'd say, "well, I sent that to my friends over email - but no one can see that right?" (Laughs) For you and I, people that are in the world of security -- we laugh. But of course, that's open to the world! Anyone can see it, anywhere in the world -- it's on the worldwide web. That's the stream that it follows! So, depending on how they have their email set up; if people are using Yahoo or Hotmail or whatever. So then that's an interesting question; but yes, the biggest reason is because you're responsible for your people's information, whether it's your customers or your employees, or both. And that's an easy way, a door that just opens and swinging all day long, so it's an easy way to lose information.

Identity Theft Secrets: Sure, that definitely makes sense. Well and you're talking about from a company perspective, like if you have employees or something, and they're sending out your customer information or your employee information, that could be a pretty serious security threat to your company on an ongoing basis, right?

Paul (email security expert): Absolutely and in fact there are a ton of compliance laws that now make it more than just a security issue and make it more of a business issue - a business risk; because there are now fines and notification laws and other actions and responsibilities that you have to do if that information gets out. So say for example, if someone emails a spreadsheet -- they were supposed to send some information on a customer to someone and they just send the whole spreadsheet. Well now, that information can be out there and even if that other person on the other end didn't get it, someone may have caught it on the interim and it can be a problem.

The other thing is that the FBI has done a lot of studies and they find that over 70% of breaches are actually internal jobs. And they split it out into different percentages; some of them are malicious, some are just people didn't realize what they were sending and other times people just didn't realize they were sending this stuff to someone who didn't have an official obligation or an official capacity to have that information and they just sent it, not knowing -- just thinking they were being a good citizen or doing their job as a corporate employee. So you see a lot of that and really email seems to be one of the easiest ways - and again it happens both the inbound and outbound but it's different.

So I thought I'd take just a minute and talk about some of the inbound issues versus the outbound and then go from there. Is that ok?

Identity Theft Secrets: Sure! What are the top issues that people in this arena are facing? If I own the company, or even if I'm just at my home computer, what are the top issues that I should be aware of?

Paul (email security expert): Sure! So the first one is - everybody is deciding if they want to go green and they want to spend less on gas and so what they're doing is they are saying, "hey, let's do webinars and let's do this free web conferencing and web access and a whole bunch of different company products where they're doing webinars or web information and that's great! And you say, well, what does that have to do with email? Well, when you set those up, most of those say "open up ActiveX, install ActiveX" and you do that. Also for emails, a lot of people like the color and interactive emails that are more flashy and more fun to read and cooler to print out, less DOS looking, so they want the XML, HTML etc. Well, by adding all those things to the computer, now when I read email, I can open up an attachment and it may just be a simple picture but there may be some malware attached to that picture, whether it's a virus or a trojan or something that's going to be used to either do a rootkit or take over that computer, make it part of a botnet. So there's a lot more things that it can do and now, because of the cool abilities within ActiveX and Java and all these other new technologies - now you don't even need as much work being done from the end-user - they don't have to open something and run an application - they just have to open the email and look at the picture. In some cases, they just have to open the email and then it runs it for them. In other cases, depending on what ActiveX or what not you have in place, you just need to get the email and then depending on how you're doing your email reading, it could actually activate some of those ActiveX or different controls and run malware as well. So it's become a world where everything is more powerful and does things behind the scenes -- which is great -- until you put it in the wrong hands and now it becomes an easier tool to hack into your company. So that's on the inbound side.

On the outbound side, it's really a lot of people not realizing, "oops, this is confidential information," because they deal with it all day long. So people become desensitized to "This is Confidential" or "This is Proprietary Information," etc., and as much as you tell them about it and talk about it and put it on there, if you put it on all your documents, eventually they say, "oh that's on everything, I'm just going to send it anyway." They're just trying to help speed up the process and make more business and make things happen quicker. So they think they're doing something good, but they're actually giving away something that they shouldn't.

Identity Theft Secrets: Right - so how do you fix that?

Paul (email security expert): Well, one of the easiest fixes, which is unpopular with the end-users, but popular in the tech field, is just to turn off all those cool applications and applets and things, such as ActiveX and Java and HTML email and things like that. Unfortunately, many times the owners of the company are the end-user that likes the "pretty," that likes the other stuff and says, "no, we're going to enable that because I like getting my emails with all the pretty pictures and who it's from and the logos and all that. I don't want to just look at boring black and white." So that's one challenge to that solution.

So some other solutions that are out there are solutions that will actually filter email and filter out attachments, filter out web content that they're looking at and really help with that. The other option is to get some kind of a solution that actually does encryption so that as you're doing things, it's encrypted and you're only working with secure people. Now the challenges, that's only if you're in a world where you're not getting emails from a lot of unknown people, that you have known people that you're going to work with and you can kind of set up that encryption. Or number two, it's really good for outbound stuff but it's very hard for the inbound stuff. So typically what we find is that you need to find something that does filtering on the inbound stuff -- that looks at the email and will cut up/strip-off all the negative applications and there are some that actually bring them in and run them in a virtual world - like a little VPN environment and see if it has that code in it and if it does, it doesn't allow it in and if it doesn't, then they allow it through.

So those are the types of solutions that I think people are going to start moving to because they allow the end-user to have the pretty, cool-looking applications that are self-automated while still getting the security for the corporation. So that's the trend I see happening really in the inbound email protection or email scanning. And most of the top competitors are adding those things, they've got the anti-virus, anti-spyware, anti-spamware, you name it and anti-this, that and the other thing and they're adding the suites, but they keep finding that their solution still isn't complete enough because the bad guys find one other way to attach it or sneak it in or hide it under the radar. So I think we'll continue to see those being developed.

On the outbound, there are several things you can do and there's a number of products are probably smaller as far as what can fix things on the outbound and what can really scan for that. In particular, there's a product out there called Vontu DLP8 and what it does, Vontu was actually bought a little while ago by Symantec, so most people have heard of Symantec, and what it does is it actually does scanning and it's pretty cool because it will do, really it works with data at rest, it works with endpoint protection, it works with network data and it actually does a full enforcement so that it will actually look at things going out anywhere from email, instant messaging, web traffic, secure web traffic, HTTPS, etc., and it will actually look for that and stop things. One of the neat things that it does - especially in today's world of compliance, is that it will look specifically for things such as social security numbers or credit card numbers or whatever specific things that you put together. It actually does something called a "fingerprint" of that information. So let's say that you have internal documents that are Confidential or Proprietary Information, it will say, "hey, anytime this document is trying to be sent out, don't let it." And the cool thing is you can actually set it for your own policies, so you can say, "hey, let it, but make the end-user pick, here's why I can let it out, here's the justification, I'm sending it to a business partner under an NDA or I'm sending it to a customer and it's their own information or I'm sending it to an approved partner or whatever." That's one option.

Identity Theft Secrets: Can I ask you a quick question about that?

Paul (email security expert): Oh absolutely!

Identity Theft Secrets: How much time do you figure that adds in for the end-user, I mean for the company? Because obviously, if every email you're sending or every third email you're sending has a little box that pops up and says, "this is potentially a harmful email to send, why can you send this?" And obviously they check that box - it's fine, it's good. But that adds time into the workday, which ends up costing an employer more. How much time do you figure that adds in and how do you factor in that added cost?

Paul (email security expert): That's a great question, great question! So, first and foremost, it only does that, it only has that pop-up for things that contain the credit cards or social security numbers, etc. So, hopefully, the number of emails that have that stuff in them are few and far between. Unless you're with a credit processing company and then you may say, "I'm going to turn that rule off and I'm just going to log everything. So I won't ask, I'll just notify and log or I'll just log it, but I'll go ahead and send it anyway." Or, depending, if that's not the type of information that normally should be going out, maybe you just have them block it no matter what and then the pop-up comes and says, "hey, you're trying to send out information you shouldn't be," and that works.

So yes, that's a great question - you really need to justify, do I have that on for everyone or do I not have it on? So it depends upon how much of that type of information you're sending out. Now if you're the approver for home loans and you're always sending that information out, then clearly you're not going to want to pick the option where they have to justify live, unless you need that for auditing and logging, and then you may want it because it makes them more aware - they've got to say exactly why they're sending it and think about, is this only for the customer that I'm sending it to or is this a partner that is truly under an NDA. So while I say it could add to the cost, the other calculation you need to see is how many millions of dollars are we going to lose in business, in customer name, or name recognition or brand quality and/or in fines and notification fees if we do have a breach. So there's always two sides to the coin; one is what is it going to cost us proactively and then what is it going to cost us reactively? And the proactive costs are always less expensive than the reactive costs.

Identity Theft Secrets: Sure, that makes sense.

Paul (email security expert): So that would be how I look at that and justify that and figure out which solution works there. It's funny because you're seeing now, at least I'm seeing the trend of many DLP products; whether it's data leakage prevention, or data loss prevention products out there and they all do different levels of things. And really I think the best one that I've seen is Vontu, it's the most complete, it's the most granular and yet it's very flexible in that you can set it to be granular or not based on your needs for those departments or those people.

Identity Theft Secrets: When you say "granular" - what do you mean?

Paul (email security expert): When I say granular I mean I can actually say, "look for any numbers, 'x' number of digits, dash, 'x' number of digits, dash, 'x' number of digits, or any strings of nine digits." I can look for any variance; I can get as granular as I want to look for ....

Identity Theft Secrets: So you just mean really detailed, that it can get ...

Paul (email security expert): Yes, very detailed exactly. Very granular in what it can filter and what it can look for and then also granular or detailed in the actions I can do. So the other really cool action that is important about that product is that it allows you to do logging, right? So it's one thing to be able to say, look this employee was sending out bad information and it's another thing to be able to log it so that either when you fire them or when you sue them for sending out all your information, or you get sued for that breach, that you can then turn it around and point it to that person because you have the data and the logging of that data to show where the breach happened and it wasn't your company being lackadaisical about security, it was just a bad employee.

Identity Theft Secrets: So basically this is all about CYA.

Paul (email security expert): Oh, one hundred percent! In the business world, unfortunately, I think most security comes down to CYA. First and foremost, hopefully it comes down to - this is the right thing to do to protect our data, our customers' data and our own employees' data. But on the business level, it's definitely a CYA and an insurance policy against if it does happen, how do we minimize our risk, our exposure and our fines?

Identity Theft Secrets: So talking about fines - I know that government likes to get involved in all of this to try and regulate it, to try and help people and a lot of times in the process, they create rules which penalize the people who are being most penalized anyway, a lot of times that comes back to the business owner or the individual. Are there any recent compliance changes in this arena as far as email security is concerned that people need to be aware of?

Paul (email security expert): Well, I think the biggest one is that they're now starting to say, "it doesn't matter what size of business you are, we're going to come after you if you lose your customers' data; and we don't care if it's a thousand names or a hundred names of customers from a small Mom and Pop shop or it's a hundred names or a thousand names from a large IBM-type company." They're really trying to crack down and make the businesses pay, and so a lot of the issues out there come down to that.

The other thing is in the payment card industry arena, they've added some more information and laws that say, "hey, we're going to track this and we're going to make sure that you're compliant. And not only are you compliant but now all of the business partners or sub-contractors you use have to be compliant as well." So that trend is now waning and the ripple effect is now coming down to the small Mom and Pop shops, the small one-man contractors, five-person contractor shops. Whereas before, they didn't have to be compliant, but the big company that they were a sub-contractor to did. Well now, they're coming down to the rules saying, "Nope, everyone along the chain has to be compliant and therefore we're going to make you do audits as well. We're going to make sure you prove your compliance." And email is one of the easiest links to show that someone is not compliant on and is one of the most widely used. I don't know anyone who doesn't use email. I take that back, I know one person who doesn't use email, but that person is retired and is happy ...

Identity Theft Secrets: Living in Fiji!

Paul (email security expert): ...and is happy not to be using it. For the majority of us out there, email is a way of life and it's a requirement and so you just need to make sure that it's secure.

Identity Theft Secrets: Obviously you guys offer some solutions, or as a company, you come in and do offer some solutions to people as well. I know you partner with a lot of people; you've mentioned Vontu a couple of times here in the conversation. If people wanted to get a hold of you for help with their email security, what would be the best way for them to go about doing that?

Paul (email security expert): I think the best way to do that is if they send a gold bullion cube to me directly and then I will be very responsive on the help and support for them.

Identity Theft Secrets: Gold bullion cube?! How much gold is in a gold bullion cube?

Paul (email security expert): Well, it depends, if it's a one-ounce one or a hundred-ounce one ...

Identity Theft Secrets: Right! A hundred ounces will get you quicker results!

Paul (email security expert): That's right, that's right! No, to be serious though, customer service is very important; we don't care if you're a large customer or a small customer, our business is built on references and it's built on good customer service and a good reputation. So you don't have to send the gold; if you do, I'll keep it and will cheerfully accept it!

But the easiest way would probably be through our 800 number, that number is 1-866-794-1655, 1-866-794-1655, or they can call me directly at 303-798-7588, or even easier, they can use email, which we just discussed everyone uses, most everyone uses. My email address is pherbka@SouthSeasCorp.com.

Identity Theft Secrets: And you mentioned in a previous interview, I'm sorry to interrupt you there, but you mentioned in a previous interview we did actually, that if people mentioned, when they are a new customer of yours, that you would give them a discount if they heard about it through this interview.

Paul (email security expert): Absolutely, and we will give them a discount - it will be somewhere between 2 and 5% depending on the product or the solution that they pick. But I'll guarantee them a 2% discount and up to a 5% discount on any of the solutions they have just for mentioning that they saw it here on your network.

Identity Theft Secrets: Great! Well, thank you very much, and obviously you are a wealth of knowledge - appreciate you taking a few minutes to talk with us today about email security.

Paul (email security expert): Thank you and have a great day!
