Organisations are increasingly threatened by the criminal abuse of identity. From buddy-clocking and payroll fraud through to cyber theft of corporate secrets and illicit financial transactions, no organisation is immune. With little privacy left in the global business arena, measures to control and monitor identity should be at the forefront of business agendas.
These were some of the issues discussed at the November 2011 Identity Indaba which exposed delegates to a minefield of cyber crime stats and identity fraud modus operandi. Sponsored by Ideco Biometric Security Solutions (Ideco) at The Forum in Bryanston, the event was packed with an impressive platform of speakers tasked with presenting a series of solutions to the growing crisis.
“Fingerprint technology is the de facto methodology for identity control in South Africa.” These words from Marius Coetzee, MD of Ideco, formed the crux of an address which examined the critical role that biometrics and identity management play in protecting businesses from the theft of time, assets, information and money.
Audit trails through biometrics
Coetzee explained how the expansive use of the Internet domain has pushed identity management to the forefront of security. With correct identity systems in place, he said, companies could keep accurate records and use the information as evidence in court – subject to the systems complying with standards.
Biometric fingerprint technology, he argued, ultimately closes down the vulnerabilities created by computer freedom in a company. PINs, cards and passwords are no longer a reliable means of certifying identity because outside parties can easily gain access to them. Biometric fingerprint technology provides a comprehensive audit trail and evidence that can be used successfully in court. “The transaction must ultimately match the identity of the person incriminated.”
Professor Anthony Minnaar
Introducing himself as “a criminologist specialising in security management,” Professor Anthony Minnaar from the University of South Africa shed light on the many forms of cybercrime, its various guises and the legal limitations associated with it.
Minnaar’s students comprise security managers and officers whose work requires them to learn not only how to protect data, secure laptops and perform their physical security duties, but also to understand the role of cybercrime and how to control it.
According to Minnaar, there is no legislated crime called cybercrime. It is considered a kind of fraud, and this, he said, is where the problem lies. Computing has escalated opportunities for crime, including theft of services, information piracy, electronic fraud, pornography, money laundering, marketing junk, abusive use of e-mail etc. These activities are a growing problem for legal practitioners looking for identity evidence.
Mark Eardley
SuperVision Biometric Systems’ Mark Eardley gave insight into the rise of corporate cybercrime, the exploitation of identities and the loss of control in IT security.
According to a February 2011 report by the UK Cabinet Office and information assurance firm Detica, £27 billion was lost to cybercrime in the UK in 2010. Almost 60% of these losses resulted from the cyber theft of corporate secrets. Companies need to do more to ensure that their competitive advantage is not under threat, because cyber theft has shifted from stealing customer records to stealing corporate secrets. They need to question what the value of their corporate data is to them. What would the consequences be if this data were stolen?
He agrees that the inside villain remains the biggest threat. A PWC report shows that 62% of SA businesses are hit by insider crime. The Mpumalanga Education Department, for example, saw R5,5 million stolen via insider password fraud in October 2009. Omnia Holdings saw an insider steal R23 million over an eight-year period up to 2009.
Today, the market for stolen card details is saturated. Secrets are now more valuable and more attractive. Accordingly, sophisticated, targeted attacks on identity details are rife. Companies have to reinforce their IT security regularly in order to stay a step ahead of the cyber villain.
Michael Lotter
Michael Lotter from Stanley Security Solutions explored why South Africa has become a world leader in biometric applications.
He says South Africa has led the biometrics market for many years, thanks to its socio-economic environment. Workers want to work less, yet still be paid, and they will find a way to do so. As a result, companies have had to protect their payrolls.
Many factors explain why companies have chosen to protect their payrolls with biometrics: the persistent use of buddy clocking, crime syndicates in operation behind the scenes, lack of successful prosecution, corruption and human error.
Citing the City of Cape Town as a biometrics success story, Lotter showed how installing biometrics to protect its payroll data saw huge results. “The R13 million they spent on the technology saw a payback within the first 3,7 months.”
He said moving away from manual to biometric clock-in systems will save a company substantially. This is particularly applicable to subcontractors. Rainbow Chickens, he said, used a lot of subcontractors who charged for a full day’s work regardless of whether these hours were worked. Biometric technology empowered the company to pay only for the hours worked.
Hennie Ras
Dr Hennie Ras from FACTT, a company involved in asset handling, configuration management and supply chain support, spoke about using biometrics as an enabler of the industrial fingerprint. He discussed authenticating items in the supply chain and tracking the movement of stock.
Accountability, said Ras, is one of the major pillars in designing and operating a tracking system. Companies must develop a chain of custody report.
Item level visibility
Barcodes or RFID tags on items and assets, together with the identification of product categories through the EAN and GS1 standards, enable item-level visibility in the supply chain, which in turn enables mass customisation. With these systems in place, accountability can be linked to a single item as opposed to an order or a consignment. The item-level code serves as the prime enabler of item-level operations control.
The industrial fingerprint
This methodology combines biometrics (fingerprints) and 2D barcodes to provide item level accountability, traceability and authentication. It has been developed and patented by FACTT to support forensically hardened traceability solutions. It is used in asset handling and configuration management applications.
Benefits of combining biometrics and barcodes
The combination of biometrics and barcodes provides a non-intrusive and non-obstructive way to link people to items and processes. Chain of custody reporting is preconfigured, providing a very accurate account of who handled an item or process, when and where.
Danny Myburgh
Danny Myburgh, MD of Cyanre, gave insight into the profile of IT-based forensic investigations.
Millions of transactions of legal relevance are being conducted electronically. The estimated number of Internet users worldwide has surpassed the 2 billion mark. In South Africa, a 2010 study revealed that the Internet user base had grown to 5,3 million.
Whether through spyware, hardware or software key logging, thumb-drive thugs, network/remote access or Internet servers, computer criminals will find a way to capture everything you put onto your server. In fact, Myburgh said his investigations have revealed that everything a company does electronically can be e-mailed out via criminal methods.
He revealed that investigations into well-known software products showed that not one picked up the advanced criminal spyware operating on company systems. “Such spyware reinstalls itself every three hours,” he explained. “Your virus protection libraries cannot keep up with the different naming conventions going through it.”
Myburgh also spoke about spoofed Websites (false Websites that look identical to the real Website). Banks, he said, are susceptible to this type of crime, hence the reason for once-off PIN numbers. He warned of cellphone Internet transactions being jammed mid-process, preventing the user from notifying the bank, thus allowing the hacker to gain access to private information.
Mike Henderson
Mike Henderson from XDS shed light on problems associated with identity control within the financial services industry.
No one steals an identity, Henderson warned, if they do not intend to use it for financial gain. “When it comes to identity fraud we are dealing with matters associated with credit applications and money, and this problem is very difficult to quantify.”
Identity fraud manifests itself in many guises. A customer is still able to fake a model identity scenario to a lending institution, get approved and disappear. Disappointingly, too many companies would rather put this kind of crime down to bad debt and move on, because it is so difficult to monitor.
Henderson warned of the frightening levels of fraud in South Africa. In one bank, he said, it was discovered that 70% of fraud involved its own staff. Vehicle finance cases face fraudulent ID problems, credit grantors face the issue of forged pay slips, cellular operators suffer huge losses to bad debt and syndicate fraud. Car insurance and medical fraud amount to billions per annum.
The only way ID movements can be effectively monitored is through facial and fingerprint recognition, said Henderson. In South Africa, fingerprint identity is catching on. Banks now have conditional access to biometric technology but, he warned, they need to tackle serious synchronisation issues before they are fully effective.
Julia Gilmour
Julia Gilmour, sales manager of the Kronos Division at Bytes Systems Integration, debated the question around labour management and biometrics – the perfect union.
Gilmour stated that companies can control where, when and how their labour moves around. Using biometrics, a blue-collar employee who is paid hourly will not be able to buddy clock. Moreover, 30% of company absences are not genuine, she said, stressing how absence in large organisations needs to be managed.
Gilmour said integrating access control in an array of areas within a large corporation is very effective. A system can be used across many sectors from manufacturing to the stores. The solution, she said, not only tracks time and attendance, but also elevates security.
Andrew Whittaker
Andrew Whittaker, senior consultant at Ubusha Technologies, discussed access governance assurance and explored best practices in services management and security, touching on legislative recommendations for good corporate governance.
The global financial crisis has forced shareholders to think twice about governance, risk and compliance. Employees have been given access to too much information in the past. Stressing his case for tighter access control in business domains, Whittaker explained that the recent stock market thefts that shook the world happened because traders had too much access to information through front office and back office capabilities.
Whittaker explored what needs to be addressed with regard to access fraud. Companies need to ask: Do we know who has access to what? How did they get this access? Has approval of this access been re-certified?
Whittaker explored several scenarios around good governance for logical access management. These included:
* Ensuring that formal access management policies and procedures are in place.
* Approval of all requests is recorded for auditing purposes.
* Access is revoked as soon as an individual leaves the organisation.
* Access rights are easily reviewed when an individual’s organisational role changes.
* An individual’s access rights are reviewed every three months using the automated attestation solution.
* Recertification has to be applied frequently.
Robert Cameron-Ellis
Robert Cameron-Ellis, director of ENS Forensics, discussed new thinking on fraud/risk identification. What motivates a person to commit fraud?
The profile
The average size of fraud has gone up from R350 000 to a recent crime level of R53 million stolen over a period of five years. So who commits these crimes?
Cameron-Ellis says a fraudster has to be a person capable of committing the crime: this person normally holds a powerful position, is competent, experienced, intelligent, creative, understands controls, has a Bachelor’s degree and an ego. A typical fraudster is aged between 36 and 45 years, is in senior management, probably in finance, and works in collusion with someone else.
A fraudster wants access to the key signatures that will entitle him to his loot. He will know how to buy a false ID, what story to tell the bank, how to gain access to passwords and PINs etc.
Cameron-Ellis stressed the importance of securing the following access points:
1. Do not use cheques, use EFTs.
2. Watch for collusion.
3. Get the database and bank accounts off the server.
4. Watch for chaos – it provides an opportunity for a fraudster to cover up.
5. Do not place too much trust in employees. The one you trust the most has the override to the system as well as your password and is often the perpetrator.
6. Create a segregation of duties. This makes committing fraud difficult because different access levels need to be bypassed.
7. Put tight controls in place.
Identify the plum targets in your organisation, concluded Cameron-Ellis, and do a fraud risk assessment.