E-TERRORISM, PRIVACY & TRADE, WHAT DO
THEY HAVE IN COMMON?
June 27, 2002
by Catherine Johnston, President & CEO,
The Advanced Card Technology Association
of Canada
It is a pleasure to be here today. I would
like to thank Vida and Michael for this opportunity
and thank all of you for being here. Today's
topic is e-terrorism, privacy and trade,
what do they have in common? We are going
to look at:
Electronic terrorism, what is it?
How big is the threat?
How does it impact trade?
What does privacy have to do with it?
What is the bottom line?
How do cards factor in?
I have 40 minutes today and I need to do
a lot of things. First I'm going to scare
you, both on a professional and personal
basis by telling you the risks you are facing.
Then I hope to make you feel a lot better
by telling you how you can minimize those
risks… and then…I'm going to tell you what
you have to do to protect yourself, while
your governments and banks study their next
steps.
What is e-terrorism? Think back to the early
eighties, at least those of you who, like
me are old enough to remember that time.
We had big corporate mainframes and you really
never heard about people breaking into them.
Then PCs came along and again, there weren't
really security issues. It's 20 years later
and all that has changed. Computer security
has become a big issue. That PC no longer
sits isolated on your desk. Today it is linked
to millions of other computers via the Internet.
It is no longer just a word processor or
database, but a communication, marketing
and sales tool. PCs and mainframes are an
integral part of our daily lives. Without
them our financial services, telecommunications,
energy and utilities, transportation, emergency
services, medical and countless other functions
wouldn't work. Let's make this a little more
personal.
How many of you use email?
How many of you work for companies that use
a web site as a marketing tool or actually
support online sales?
And one last question…
How many of you believe that e-commerce has
lived up to its potential?
Let's go back to the question: what is e-terrorism?
In the early days there were hackers. More
recently we have seen activities from hacktivists,
and governments are now warning of e-terrorists.
OCIPEP, the government of Canada's Office
for Critical Infrastructure Protection and
Emergency Preparedness has provided these
definitions.
Hacker
-Punks in cyberspace - want the glory of
the break and to be infamous amongst their
peers.
-Motivated by power and money.
Hacktivist
-Protesters in cyberspace - have deviating
ideology from that of society's majority
with regard to political and social issues.
e-Terrorist
-Terrorist in cyberspace - wants to instill
fear by making a statement that is seen,
felt and remembered.
As we lunch today, a web site called ruckus.org
is holding a "Tech Toolbox Action Camp"
June 24 to July 2. They have six technology
tracks including secure communications, electronic
intelligence, counter-surveillance, and cyber
civil disobedience.
Session highlights include:
- Internet Activism and the Law: What Works,
What Doesn't and What Will Get You Arrested
- Beat the Heat: What to do when the cops
burst open the door and yell, "Don't
touch that keyboard!"
These are the electronic counterparts of
the activists in Kananaskis who want to disrupt
business and governments. Along with hackers
they can successfully do that with the help
of email and the Internet. In the second
half of 2001, attacks increased by 79%. High
tech, financial sector, media/entertainment,
and energy sectors showed highest number
of attacks.
39% of attacks appear to have deliberately
selected the target.
What impact does this have on trade? If you
are using the web for e-commerce, either
through marketing or online sales, you are
dependent on your site being available to
viewers. With email brochures, you need access
to delivery lines. Your computers must be
functional to handle order processing, billing
and other business functions. All this provides
an attractive target for hackers and hacktivists.
Most of the attacks over the past years have
been in the form of mail bombs or floods.
A worm or virus is sent to you and uses your
email addresses to send messages to all your
contacts. Sometimes it seems harmless, because
it doesn't damage your data, but think of
the internet as a big phone line. It is one
thing if you phone me and my line is busy,
but if tens of thousands of you try to call
numbers within my exchange it won't matter
if my line isn't in use, you won't get that
far because you will encounter a no circuit
condition. The internet certainly has huge
capacity, but by flooding domain name servers
with email generated by viruses, you can
severely disrupt internet service. Perhaps
the most well known attack of last year was
Code Red. Were any of you hit by it? Well,
if you haven't been yet, you might still
be as there are an estimated 18,000 computers
still infected, still propagating that virus.
Microsoft says that viruses cost us 13.2
billion dollars last year; I'm assuming that
is US. It is an interesting figure but I
don't think it is anywhere near the actual
cost. It also does not factor in two key
components related to trade; that is the
impact of 7/11 in terms of cross border delays
in the movement of goods and the dramatic
drop in business as we all focussed on our
TVs for days and even weeks.
That leads us to our third group, the one
called e-terrorists. Ironically, Hollywood
was the first to identify this potential,
with movies like Die-Hard, the one where
terrorists took control of air traffic control
and flew a plane into the ground. The CIA
recently stated that they believe the US
will be cyber-attacked by China, who of course
denies it, but it is sadly inevitable that
e-terrorism will become the new war front.
We must find ways to fortify our data networks
to protect business and critical infrastructure.
In a few minutes I will outline how we do
that.
I said there were two key components related
to trade, the first being a disruption of
business. The second is business that doesn't
happen because people are afraid of using
the Internet for e-commerce. Either they
worry about fraud, or a loss of privacy.
This is a major part of why the e-commerce
market has not lived up to its potential.
There is a growing feeling that too many
people or companies are tracking us through
the web. The term cookie has taken on a sinister
meaning. Perhaps Sesame Street was ahead
of all of us when they identified the cookie
monster. More and more people lie about themselves
when asked to fill out online questionnaires.
It isn't that we've become more paranoid,
but we are tired of people who call us at
mealtime or flood our e-mail with unsolicited
offers. We are becoming more protective of
our private information.
Data, both corporate and personal is a new
currency and it must be protected. We can
only guess the cost to us of an unfulfilled
e-commerce market, but we are beginning to
understand the value of our personal data.
One of the fastest growing crimes of the
past ten years is identity theft. The harm
to a consumer's credit and daily life can
be devastating. Victims of ID theft often
have trouble getting new credit cards or
loans because of the damage to their credit
ratings.
How can someone steal your identity? By co-opting
your name, Social Insurance number, driver's
license, health card, birth certificate,
credit card number, or some other piece of
your personal information for their own use.
In short, identity theft occurs when someone
appropriates your personal information without
your knowledge.
Here are some ways that identity thieves
work:
- They open a new credit card account, using
your name, date of birth, and Social Insurance
number. When they use the credit card and
don't pay the bills, the delinquent account
is reported on your credit report.
- They call your credit card issuer and, pretending
to be you, change the mailing address on
your credit card account. Then, your imposter
runs up charges on your account. Because
your bills are being sent to the new address,
you may not immediately realize there's a
problem.
- They establish cellular phone service in
your name.
- They open a bank account in your name and
write bad checks on that account.
Let me warn you about a new scam. If you
receive an e-mail request that appears to
be from your Internet Service Provider (ISP)
stating that your "account information
needs to be updated" or that "the
credit card you signed up with is invalid
or expired and the information needs to be
reentered to keep your account active,"
do not respond without checking with your
ISP first. According to information received
by the FTC, THIS MAY BE A SCAM.
An alarming trend we are seeing targets senior
citizens who own their homes. Identity thieves
are successfully taking out mortgages against
those homes and of course are defaulting on
the payments.
You have to wonder how someone can get enough
information to be able to impersonate you.
Start by looking at your wallet. Virtually
every piece of personal information is printed
on the face of the card for everyone to see…your
address, credit card numbers and expiry date,
driver's, OHIP and social insurance numbers.
Your place of birth, car license plate, vehicle
identification and insurance information
are all there. And as a bonus to anyone finding
or stealing your wallet, they get your picture
and signature from your driver's license!
If they don't get all your ID, but only one
piece, they will use it to get more. For
example, your driver's license will help
them get your birth certificate and social
insurance number card. These in turn will
be used to get a passport in your name.
Everyone is a potential target. Oprah, Ted
Rogers and Tiger Woods have been hit. If
this doesn't worry you, let me point out
that as of March this year, an identity was
stolen every 60 seconds in North America.
That was in March. Now it is every thirty
seconds. You are a target and you won't know
you've been hit until the damage is done.
It normally takes thirteen months from the
time your identity has been compromised until
you know you've been hit.
This crime is devastating because it will
be harder for you to prove you didn't commit
these acts than it was for someone else to
impersonate you. Above and beyond the personal
aspect, this crime has an effect on the economy
and trade. The cost of this fraud is borne
by everyone.
If someone runs up credit card bills in your
name, you are only liable for $50.00 in this
country, but it would be wrong to assume
that the issuing bank covers all the cost
of the fraud. Earlier this year, when pushed
by the government to explain why credit card
interest rates still go as high as 28% when
we had the lowest prime rate in 40 years,
bankers listed the cost of fraud as one of
the reasons, so if you don't pay off your
balance every month, you are absorbing a
part of that cost. If you are a merchant,
you already know you pay and if you are an
internet merchant you wince at the mere thought
of the cost to you. By the way, approximately
45% of credit card fraud losses come from
counterfeit cards.
If someone counterfeits your OHIP card, you'll
be affected in many ways. It has been estimated
that there are as many as 18 million OHIP
cards in the province, but we only have 12
million citizens. How much of our health
care budget is spent on services provided
to people with counterfeit cards? The budget
this year is $25.5 billion dollars, a 7.3%
increase over last year. It is 38% of the
provincial budget, not counting capital and
debt servicing expenditures. We know what
the losses are from counterfeit credit cards
and they use exactly the same technology
platform as our OHIP cards.
We know who counterfeits them, because when
law enforcement conduct raids and seize counterfeit
credit cards, they inevitably find OHIP or
other provincial health cards, driver's licences
and Canadian social insurance cards. We know
from the RCMP and OPP that you can buy counterfeit
OHIP cards from organized crime for about
$1000 apiece in Toronto, or for more if you
are buying them in the US. We can easily
imagine what organized crime is doing with
that money and how it comes back into our
neighbourhoods in ways that cause us more
harm.
The thing I don't know is why the government
of Ontario and the Ministry of Health say
they can't calculate the fraud, but feel
it is marginal.
So what is the bottom line? We no longer
live in a world where we personally know
the people we do business with. They aren't
our neighbours any more, they are more likely
to be hundreds or thousands of miles away
and we must find a way of identifying and
authenticating them.
Who should have access to our computers and
networks? How do we stop people from impersonating
us? How do we take control of our personal
and private data? How do we cut credit and
debit fraud? How do we build confidence in
e-commerce?
I'm not going to solve the entire problem,
but I am going to tell you where we need
to start.
We know that we must give consumers, employees
and citizens a method to identify themselves
and we need to make that identification as
counterfeit resistant as possible. We need
to be able to grant them certain rights and
privileges such as the right to government
paid health services or the right to access
data and entry to secure areas and that must
be as tamper resistant as possible.
Today's magnetic stripe technology that we
use in our bank and government cards was
not designed to provide that level of security
and can no longer be used for these purposes.
Advanced card technologies, however, can
provide the necessary security to reduce
fraud and in turn, enhance privacy and business.
Smart cards, which place a computer chip
on a card, are used by many countries for
security and business applications. Optical
cards use a CD-ROM-like surface to provide
mass data storage capability on a card, and
hybrids, like smart-CDs, combine these to
give you the benefits of both.
We have been resistant to moving to this
technology in North America because of the
extensive mag stripe infrastructure in place
today. Banks have talked about the cost of
replacing millions of readers around the
world, but this is already happening in countries
where the financial institutions are working
to reduce fraud. Governments are beginning
to invest in these platforms to support better
identification for their citizens to reduce
the appalling risk to life and property.
I'd like to ask you a few more questions.
How many of you have been a victim of credit
card fraud? How many of you have been or
know someone who has been a victim of debit
card fraud? How many of you know of someone
who has had his or her identity stolen?
One of these, or all of them will happen
to someone in your family based on the current
growth statistics. If you don't want that
to happen, you should actively urge your
banks and governments to move to smart and
other advanced cards.
What makes them so secure? I won't go into
many of the proprietary methods companies
use to secure their card products, but I
will point out that cards have a very rich
tool box of security features. You can employ
hardware, firmware and software security.
Biometrics, PKI certificates, encryption
algorithms, PINs, challenge and response
logons can all be used. In fact, they can
be layered to provide whatever level of security
your applications need.
Smart cards are also counterfeit and tamper
resistant. This is critically important,
as counterfeit cards are now a serious and
very costly problem.
But there are other reasons for moving to
smart cards. These miniature PCs will allow
you to combine the functions of several of
your existing cards, allowing you to streamline
your wallet. Some smart card applications
turn PCs and cell phones into personal ATMs.
That would be the most exciting breakthrough
since the initial introduction of ATMs in
the seventies.
The card provides security for applications
that would promote consumer confidence in
e-commerce, helping that market to develop
profitably. Governments can use smart card
applications to cut down on fraud in our
social system. The money that is saved could
be re-invested in services for Canadians.
Bruce Phillips, the former Privacy Commissioner
of Canada, recently told an audience that
this technology can be used to enhance our
privacy, when applications are developed
with proper privacy protection designs.
The magnetic stripe technology we have used
for the past forty years brought many conveniences
to our lives. We wouldn't go back to a time
where ATMs and credit cards didn't exist.
Now we need to advance, protecting our existing
conveniences and opening the door for many
more.
At ACT Canada, our role since 1989 has been
to inform, educate and advocate on behalf
of advanced card technologies and our members.
We are working to reduce fraud and protect
people and are an advocate for more security,
products and convenience for all Canadians.
Thank you.
Catherine Johnston
President & CEO
Advanced Card Technology Association of Canada
905 426-6360
ACT Canada is an international non-profit
association for the advancement of card technologies.
We work on behalf of our members to promote
the awareness, understanding and use of all
advanced card technologies; including optical,
smart, capacitive and emerging technologies.