Chapter 8 Securing Information Systems 333
Identity theft has flourished on the Internet, with credit card files a major
target of Web site hackers. According to the Identity Fraud Report by Javelin
Strategy & Research, identity theft increased by 13 percent in 2011, with the total
number of victims increasing to 11.6 million adults. However, the total dollar
losses from identity theft have remained steady at about $18 billion (Javelin,
2012). Moreover, e-commerce sites are wonderful sources of customer personal
information—name, address, and phone number. Armed with this information,
criminals are able to assume new identities and establish new credit for their
own purposes.
One increasingly popular tactic is a form of spoofing called phishing.
Phishing involves setting up fake Web sites or sending e-mail messages that
look like those of legitimate businesses to ask users for confidential personal
data. The e-mail message instructs recipients to update or confirm records
by providing social security numbers, bank and credit card information, and
other confidential data either by responding to the e-mail message, by entering
the information at a bogus Web site, or by calling a telephone number. eBay,
PayPal, Amazon.com, Walmart, and a variety of banks are among the top
spoofed companies. In a more targeted form of phishing called spear phishing,
messages appear to come from a trusted source, such as an individual within
the recipient's own company or a friend.
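The lure described above (a message naming a trusted brand that points the reader to a bogus site) leaves traces a defender can check for. The following is an added example, not code from the textbook: it scans the HTML of an e-mail for links whose visible text or host name mentions one of the brands listed above while the actual target is some other domain, and for the "confirm/update your records" wording. The brand-to-domain table and the sample messages are constructed for the example; the registered-domain helper is a deliberate simplification (it ignores suffixes such as co.uk).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the text names as the most-spoofed, mapped to their legitimate domains (assumed list).
TRUSTED = {"ebay": "ebay.com", "paypal": "paypal.com",
           "amazon": "amazon.com", "walmart": "walmart.com"}
# Wording of the "update or confirm your records" lure.
LURE_WORDS = ("confirm", "update", "verify", "social security", "account")

class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Simplification: last two labels only (wrong for suffixes like co.uk).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(html):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registered_domain(host)
        # Brand named in the link text or host, but the link does not go to the brand's domain.
        for brand, real in TRUSTED.items():
            if brand in (text + host).lower() and dom != real:
                findings.append(f"lookalike: '{text}' -> {host} (expected {real})")
        # Visible text shows a URL whose domain differs from where the link really goes.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registered_domain(shown.group(1)) != dom:
            findings.append(f"mismatch: text shows {shown.group(1)} but links to {host}")
    body = re.sub(r"<[^>]+>", " ", html).lower()
    if findings and any(w in body for w in LURE_WORDS):
        findings.append("lure: asks recipient to confirm/update account data")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_PHISH = ('<p>Dear customer, please confirm your account details within 24 hours at '
                '<a href="http://paypal.secure-update.example.net/login">https://www.paypal.com/</a>.</p>')
SAMPLE_LEGIT = '<p>Your receipt is available in <a href="https://www.paypal.com/myaccount">PayPal</a>.</p>'

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH))
    print(phishing_indicators(SAMPLE_LEGIT))
```

Such a check is a triage aid for a mail gateway or awareness exercise, not a complete filter; a message that copies a brand's look without linking its name, or a pharming redirect that leaves the URL intact, will not be flagged by it.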
Phishing techniques called evil twins and pharming are harder to detect. Evil
twins are wireless networks that pretend to offer trustworthy Wi-Fi connections
to the Internet, such as those in airport lounges, hotels, or coffee shops. The
bogus network looks identical to a legitimate public network. Fraudsters try to
capture passwords or credit card numbers of unwitting users who log on to the
network.
Pharming redirects users to a bogus Web page, even when the individual
types the correct Web page address into his or her browser. This is possible if
pharming perpetrators gain access to the Internet address information stored
by Internet service providers to speed up Web browsing and the ISP companies
have flawed software on their servers that allows the fraudsters to hack in and
change those addresses.
According to the Ponemon Institute’s seventh annual U.S. Cost of a Data
Breach Study, data breach incidents cost U.S. companies $194 per compromised
customer record in 2011. The average total per-incident cost in 2011 was $5.5
million (Strom, 2012). Additionally, brand damage can be significant, albeit
hard to quantify. Table 8.3 describes the most expensive data breaches that
have occurred to date.
The U.S. Congress addressed the threat of computer crime in 1986 with the
Computer Fraud and Abuse Act, which makes it illegal to access a computer
system without authorization. Most states have similar laws, and nations in
Europe have comparable legislation. Congress passed the National Information
Infrastructure Protection Act in 1996 to make malware distribution and hacker
attacks to disable Web sites federal crimes.
U.S. legislation, such as the Wiretap Act, Wire Fraud Act, Economic Espionage
Act, Electronic Communications Privacy Act, E-Mail Threats and Harassment
Act, and Child Pornography Act, covers computer crimes involving intercepting
electronic communication, using electronic communication to defraud,
stealing trade secrets, illegally accessing stored electronic communications,
using e-mail for threats or harassment, and transmitting or possessing child
pornography. A proposed federal Data Security and Breach Notification Act
would mandate organizations that possess personal information to put in place
MIS_13_Ch_08 Global.indd 333 1/17/2013 3:10:20 PM