The long view of security strategies for your network.
In my last column, I introduced the federal government's Notice of Proposed Rulemaking to help protect customers of banks and other financial institutions against identity theft. The NPRM was published in July 2006 by a consortium of federal regulatory agencies. They issued a list of warning signs (“red flags”) of ID theft that financial institutions should act on to prevent ID theft.
The specific red flags are listed in Appendix J of the Notice of Proposed Rulemaking (NPRM). The 31 warning signs include the following highlights (I am summarizing):
Information from a consumer reporting agency
* Fraud alert
* Notice of address discrepancy
* Pattern of activity inconsistent with history and usual activity of applicant or customer
* Closure of an account for cause or abuse of privileges
Documentary identification inconsistencies (forgeries, bad photos, wrong information)
Personal information inconsistencies
* Addresses don’t match
* Inconsistent Social Security Number versus date range
* Correlation with known frauds
* Fictitious addresses or mail drops
* Bad phone numbers or answering services
* Incomplete applications
Address changes
* Immediate change of address after establishing account
* Undeliverable mail despite continued activity
Anomalous use of the account
* Bulk purchases of easily fenced goods (TVs, jewelry, etc.)
* Failure to make payments (or to pay after first payment)
* Changes in payment patterns
* Major change in spending patterns
* Sudden use of a formerly inactive account
Notice from customer or others
* Observed fraud
* Failure to receive statements
* Notification of successful phishing attacks
* E-mail from phishing attacks returned to actual institution
Other red flags
* “The name of an employee of the financial institution or creditor has been added as an authorized user on the account.”
* “An employee has accessed or downloaded an unusually large number of customer account records.”
* “The financial institution or creditor detects attempts to access a customer’s account by unauthorized persons.”
* “The financial institution or creditor detects or is informed of unauthorized access to a customer’s personal information.”
* “There are unusually frequent and large check orders.”
* “The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.”
These guidelines are useful not only for financial institutions: they also illustrate many principles of normal operations security. Being sensitive to anomalous behavior is important not only for security but also for resource management. Look for outliers in resource utilization, in the first derivative (growth rate) of that utilization, and in the second derivative (changes in slope) as well.
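A small illustration of that last point, added here and not taken from the column: it flags outliers in a constructed daily utilization series and in its first and second differences (growth rate and change of slope), scoring each signal with a median/MAD robust z-score so a single spike does not inflate the scale it is judged against. The sample figures, the 3.0 threshold and the function names are assumptions of this example.

```python
# Added illustration (not from the column): flag outliers in a utilization
# series and in its first and second differences, i.e. growth rate and change
# of slope. Robust z-scores (median / MAD) are used so that a single spike
# does not inflate the scale it is measured against. Sample data constructed.
from statistics import median, mean

MAD_SCALE = 1.4826      # makes MAD comparable to a standard deviation
MEANAD_SCALE = 1.2533   # same for mean absolute deviation (fallback)


def robust_z(values):
    """Return (x - median) / scaled MAD for each x; zeros if there is no spread."""
    med = median(values)
    deviations = [abs(v - med) for v in values]
    scale = MAD_SCALE * median(deviations)
    if scale == 0:                      # more than half the samples identical
        scale = MEANAD_SCALE * mean(deviations)
    if scale == 0:
        return [0.0] * len(values)
    return [(v - med) / scale for v in values]


def differences(values):
    """First difference: values[i] - values[i-1]."""
    return [b - a for a, b in zip(values, values[1:])]


def flag_outliers(series, threshold=3.0):
    """Map each signal name to a list of (series index, value, z) beyond the
    threshold. The index is the sample at which the anomaly is observed."""
    signals = {
        "level": series,                                   # utilization itself
        "growth": differences(series),                     # first derivative
        "acceleration": differences(differences(series)),  # second derivative
    }
    flags = {}
    for name, values in signals.items():
        offset = len(series) - len(values)   # diffs are shorter by 1 and 2
        z = robust_z(values)
        flags[name] = [(i + offset, values[i], round(z[i], 2))
                       for i in range(len(values)) if abs(z[i]) > threshold]
    return flags


# Constructed daily storage-utilization figures (GB): ~1.5 GB/day baseline,
# a 14 GB jump on day 11, then a sustained ~7.5 GB/day slope from day 20.
SAMPLE = [100, 101, 103, 104, 106, 107, 109, 110, 112, 113, 115, 129, 131,
          132, 134, 135, 137, 138, 140, 141, 149, 156, 164, 171, 179, 186]

if __name__ == "__main__":
    for name, hits in flag_outliers(SAMPLE).items():
        print(f"{name:13s} {hits}")
```

On the sample, the raw level flags nothing because the trend dominates, the growth signal flags day 11 and days 20 to 25, and the acceleration signal flags the start and end of the jump (days 11 and 12) and the onset of the steeper slope (day 20).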
In my third and last column on this topic, I’ll review some of the comments filed on this NPRM.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.