"Catch Me If You Can" isn't just a hit movie. It's also the modus operandi for a growing band of street criminals and their hacker allies who trade in consumer credit card information, Social Security numbers and other personal and internal company data that wash across millions of Web sites every day with increasing velocity.

It's ironic that while some other types of crime are declining or have stabilized, identity theft is booming - doubling to roughly 162,000 cases last year. Identity theft is the leading consumer fraud, according to the Federal Trade Commission (FTC). The FTC reports as many as 700,000 consumers may be victims of identity theft this year, costing each person an average of $1,000.

While the search for causes and cures is endless, several key elements stand out.

First, more consumer and business data are online. For good reasons, organizations are automating the way they do business to cut costs, speed service and reach customers, suppliers and partners more easily.

Second, despite the costs of identity theft, the Web is still the best friend businesses and consumers ever had. People and organizations are not going to scrap the Internet because of identity theft, but everyone needs to get more serious about managing identity theft.

The sad realization: many organizations are still in the dark ages compared to the identity thieves they are up against. Today's identity thieves, often with inside experience, can outsmart businesses at nearly every turn.

It's not hard to figure out why.

Ask yourself who is more likely to succeed: a full-time hacker searching for a security hole into a company's systems, applications and data, or a developer with a thousand other things to do besides plugging every conceivable security hole?

Stretched Resources

It's not that we don't have the security tools and smarts to manage the problem.

The real issue is that most information technology (IT) departments are too stretched to devote the resources to keeping up with the thieves, let alone get ahead of them by designing systems that are so sophisticated the thieves can't get in. Still, the most effective deterrent to identity theft is making an organization's IT architecture so airtight that thieves decide it's not worth it.

After all, there is fundamentally nothing new about identity theft, which amounts to exploiting holes in existing technology. Instead of rifling trash bins for credit card receipts and wiretapping phones, today's thieves steal data using a mouse and keyboard, and sell their booty to the highest bidder on the street.

So it follows that organizations need to get more serious about fighting this growing menace. Most important, they need to replace the patchwork of security systems currently in place with an overall security architecture that plugs the holes inside and outside the enterprise, makes sure the right people have access to the systems, applications and data they need and keeps everybody else out.

Here is a plan of attack to get ahead of the identity thieves.

First, shut the door on former employees and temporary employees who maintain valid company IDs and passwords. With employee turnover running at 100 percent in industries like retail, it's not unusual for 20 percent of company accounts to belong to employees who haven't worked for the organization for five years or longer. These accounts never expire and allow former employees to roam freely inside the enterprise.
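One way to find the accounts described above is to reconcile a directory export against the HR roster. This is an added example, not part of the original article; the record layouts, logins and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data: an HR roster keyed by employee id, and a directory export.
HR_ROSTER = {
    "e100": {"status": "active", "type": "permanent", "end_date": None},
    "e101": {"status": "terminated", "type": "permanent", "end_date": date(1998, 3, 31)},
    "t200": {"status": "active", "type": "temporary", "end_date": date(2003, 6, 30)},
    "t201": {"status": "terminated", "type": "temporary", "end_date": date(2002, 12, 15)},
}
ACCOUNTS = [
    {"login": "asmith", "employee_id": "e100", "enabled": True, "expires": None},
    {"login": "bjones", "employee_id": "e101", "enabled": True, "expires": None},
    {"login": "temp07", "employee_id": "t200", "enabled": True, "expires": None},
    {"login": "temp09", "employee_id": "t201", "enabled": False, "expires": None},
    {"login": "svc_old", "employee_id": "e999", "enabled": True, "expires": None},
]

def audit_accounts(accounts, roster):
    """Return (login, finding) pairs for enabled accounts that should not be live."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to close
        person = roster.get(acct["employee_id"])
        if person is None:
            findings.append((acct["login"], "orphaned"))  # no HR record for the owner
        elif person["status"] == "terminated":
            findings.append((acct["login"], "owner_departed"))
        elif person["type"] == "temporary":
            end = person["end_date"]
            # A temp's account must expire no later than the contract does.
            if acct["expires"] is None or (end is not None and acct["expires"] > end):
                findings.append((acct["login"], "outlives_contract"))
    return findings

def stale_share(accounts, findings):
    """Fraction of enabled accounts that were flagged."""
    enabled = sum(1 for a in accounts if a["enabled"])
    return len(findings) / enabled if enabled else 0.0

if __name__ == "__main__":
    flagged = audit_accounts(ACCOUNTS, HR_ROSTER)
    for login, finding in flagged:
        print(f"{login}: {finding}")
    print(f"{stale_share(ACCOUNTS, flagged):.0%} of enabled accounts need action")
```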

Clean Up Permissions

An even bigger inside problem is current employees who have unrestricted access to company systems and data unrelated to their job responsibility. Security policy should restrict employee access to pertinent areas of the business. Why should a customer service rep be allowed to access company inventory data?

Moreover, if somebody is trying to gain access to areas unrelated to their job, the enterprise should be able to monitor this activity closely and take appropriate action.
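The restriction and monitoring described above can be sketched as a role-to-resource policy checked against an access log. This is an added example, not part of the original article; the roles, resource names, log format and alert threshold are all assumptions.

```python
from collections import Counter

# Hypothetical policy: each role may reach only the systems its job needs.
ROLE_SCOPE = {
    "customer_service": {"crm", "ticketing"},
    "warehouse": {"inventory", "shipping"},
}

# Constructed access log: timestamp, user, role, requested resource.
ACCESS_LOG = """\
2003-01-15T09:02:11 jdoe customer_service crm
2003-01-15T09:05:40 jdoe customer_service inventory
2003-01-15T09:06:02 jdoe customer_service inventory
2003-01-15T09:07:19 jdoe customer_service payroll
2003-01-15T09:10:00 mlee warehouse inventory
2003-01-15T09:12:30 mlee warehouse crm
"""

def evaluate(log_text, policy, alert_after=3):
    """Decide each request and alert on users who repeatedly reach outside their role."""
    decisions, out_of_scope = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        ts, user, role, resource = parts
        # Default deny: an unknown role has an empty scope.
        allowed = resource in policy.get(role, set())
        decisions.append((ts, user, resource, "allow" if allowed else "deny"))
        if not allowed:
            out_of_scope[user] += 1
    alerts = sorted(u for u, n in out_of_scope.items() if n >= alert_after)
    return decisions, dict(out_of_scope), alerts

if __name__ == "__main__":
    decisions, counts, alerts = evaluate(ACCESS_LOG, ROLE_SCOPE)
    for d in decisions:
        print(*d)
    print("out-of-scope attempts:", counts)
    print("review these users:", alerts)
```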

Second, recognize that today's homegrown security code is highly vulnerable to hacker attack. A hacker can access a public Web site linked to an internal distributed file system and gain access to company and customer files. For example, many organizations now put customer best practices online so that other customers can gain insights. As this happens, hackers are finding ways to access applications that provide information on other users, which they can use to steal their identities.

The fix is to replace patchwork security code with a sophisticated security architecture that closes the holes between different parts of the business and outsmarts the thieves at their own game.

Third, organizations need to randomize data to protect individual customer identity and privacy. While customization of individual data is clearly here to stay, this raw data must be kept under strict lock and key so that others cannot use it to invade individual privacy. For example, does the marketing department need access to everyone's name and address, or just access to macro trend data? Companies can extract macro data from individual customer information, which will protect privacy rights and yield nearly the same business benefit.
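The macro-data extraction described above, as an added example that is not part of the original article: customer records are reduced to per-region totals before anyone outside the data owner sees them. It goes one step beyond the text by suppressing groups below a minimum size, since a group of one is still an individual; the records and field names are constructed.

```python
from collections import defaultdict

# Constructed customer records; name and address never leave macro_view().
CUSTOMERS = [
    {"name": "A. Adams", "address": "1 Elm St", "region": "Northeast", "spend": 120.0},
    {"name": "B. Baker", "address": "2 Oak St", "region": "Northeast", "spend": 80.0},
    {"name": "C. Clark", "address": "3 Ash St", "region": "Northeast", "spend": 100.0},
    {"name": "D. Davis", "address": "4 Fir St", "region": "Midwest", "spend": 50.0},
    {"name": "E. Evans", "address": "5 Bay St", "region": "Midwest", "spend": 70.0},
    {"name": "F. Floyd", "address": "6 Ivy St", "region": "Midwest", "spend": 90.0},
    {"name": "G. Grant", "address": "7 Yew St", "region": "Midwest", "spend": 30.0},
    {"name": "H. Hayes", "address": "8 Box St", "region": "West", "spend": 900.0},
]

def macro_view(records, group_keys=("region",), min_group=3):
    """Aggregate spend per group; drop groups too small to hide an individual."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in group_keys)].append(rec["spend"])
    report, suppressed = {}, 0
    for key, spends in groups.items():
        if len(spends) < min_group:
            suppressed += len(spends)  # counted, but never reported per group
            continue
        report[key] = {
            "customers": len(spends),
            "avg_spend": round(sum(spends) / len(spends), 2),
        }
    return report, suppressed

if __name__ == "__main__":
    report, suppressed = macro_view(CUSTOMERS)
    for key, stats in sorted(report.items()):
        print(key, stats)
    print("customers in suppressed groups:", suppressed)
```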

The point: enhanced security doesn't have to be a business inhibitor. In fact, if implemented wisely, security is a business enabler. It's up to organizations to take preventive steps that will strengthen the business as well as defeat the bad guys.

SIDEBAR: Biometrics ID Solution

Better access controls into computers and networks are a strong strategy to fight identity theft. Biometrics is one way to provide higher-level access control. A measure of how much biometrics has grown comes from Secure-It Inc., the East Longmeadow, Mass., firm, best known for its computer lock-down gear. It now boasts national distribution of the U-Match MatchBook biometrics fingerprint device from BioLink Technologies International Inc.

The U-Match MatchBook is a stand-alone digital fingerprint reader that functions as a lock on a computer or a network that can only be accessed by authorized persons. It authenticates the end user in a local network or Internet environment. Most importantly, the user's fingerprint is never captured. Instead, the MatchBook creates a 500-byte secure template and scrambles the algorithm at the point of scan. The device connects via a USB connection and can use any finger for authorization.

Included with the MatchBook is authorization software called Authenteon Center 4.5. This software allows for user identification using a one-touch local or network login with multiple user support. AC 4.5 supports all Windows and Novell servers including XP Pro client and server applications. To eliminate password logins, there is an option to allow only the biometrics login.

Healthcare organizations also see biometrics as a way to protect privacy and minimize any potential of ID theft. One indication of growth in this area: Sentillion, Inc., a provider of authentication and single sign-on solutions for healthcare organizations, just received a major order from San Diego-based Sharp HealthCare to provide the largest network of biometrics authentication solutions ever installed in a healthcare environment. Sentillion will provide more than 7,000 fingerprint readers from Identix, Minnetonka, Minn., for Sharp's network of hospitals, medical centers and care facilities.