Security measures, such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a report from research firm Gartner Inc. warns.
Increasingly, such measures are overwhelmed by online criminals looking to pillage bank accounts using valid login credentials stolen from customers, the report says.
Going forward, banks need to quickly implement additional layers of security to protect their customers from falling victim to online fraud, says Avivah Litan, Gartner analyst and the report’s author.
Whether it’s online banking or healthcare privacy, school ID badging or casino floor identification needs, technology continues its race to keep ahead of the crooks, frauds and protection challenges.
Gartner’s warning, for example, comes amid a sharp uptick in fraud involving the exploitation of valid online banking credentials. Last August, NACHA, the Electronics Payments Association, issued an alert warning members about attacks involving the theft of online banking credentials, such as usernames and passwords mostly from small- and medium-size businesses. Cybercriminals used the stolen credentials to take over corporate accounts and initiate unauthorized transfers of funds via electronic payment networks, NACHA says in its warning. NACHA, with more than 11,000 financial institutions as members, oversees the Automated Clearing House (ACH) electronic payments network.
Here are five ways that identification is being improved in healthcare, casinos, education, city government and through a controversial national ID card program.
Show Your ID, Then Your TemperatureIf you have the flu and are going to the doctor’s office, you better have your photo ID ready.
An increase in identity theft across the country, including in the healthcare industry, has prompted the adoption of a federal law – the Red Flags Rule – designed to prevent patients’ insurance information and other personal details from being stolen.
The law, to be enforced by the Federal Trade Commission, requires healthcare providers, along with other businesses and organizations, to have policies and programs in place to prevent identity theft. They must be able to spot the “red flags” to stop a crime from occurring, according to the FTC.
One way to do this is by requiring all patients to present photo IDs when they visit a hospital or doctor’s office.
Although the law’s implementation has been delayed several times and it’s not expected to take effect until June, some local hospitals have decided to go ahead with their new policies anyway.
Lawrence General Hospital in Massachusetts had already begun its public awareness campaign to prepare patients for the transition, according to hospital spokeswoman Barbara Keller.
“We are happy to start it early because it gives our patients time to prepare, bring their identification, and understand what it is all about,” she says. “Even though it is not required until June, we think the advance period of preparation is a good thing.”
Posters and brochures have been placed around Lawrence General letting patients know it will no longer be sufficient enough to just give their names when walking into the hospital as they have done for years.
Three hospitals in Haverhill, Bradford and Westborough are putting a compliance officer at each facility, according to spokesman Alfred Arcidi.
While many local healthcare facilities are just now adopting photo ID policies, Parkland Medical Center in Derry, part of the Hospital Corporation of America chain, has required them for many years along with other forms of identification, according to spokeswoman Angela Dickens.
In yet another solution for healthcare, Baptist Health South Florida (BHSF), a not-for-profit healthcare organization in South Florida, is using Fast-Pass identity management technology in its hospitals, including Baptist Hospital, Baptist Children’s Hospital, Doctors Hospital, Homestead Hospital, Mariners Hospital and South Miami Hospital.
“We wanted a product that could be used in several hospital settings to protect the security of our patients and staff,” says Mike Durr, vice president of Baptist Health.
The system identifies, captures and logs visitors, volunteers, employees and vendors who enter the facilities. The system can perform cross checks for criminals, sex offenders and other internal watch lists. It also will provide an electronic audit trail of all activity that can be printed, e-mailed or stored.
The Look of IdentityIn a casino, security is all about being able to make quick and easy identifications. The Choctaw Nation of Oklahoma has deployed or plans to deploy approximately 1,200 IQeye HD megapixel cameras for surveillance of high-value areas at four of its casinos, including gaming floors and tables, cashier windows and cash counting rooms, entryways, main choke points and parking lots.
Brett Green, integrations managers for Choctaw Nation, says that the technology is assisting the security team meet surveillance objectives, “The high level of image detail aids us in combating slot ticket scammers and also in disproving slip and fall claims,” he says. It definitely has a deterrent effect on our staff; we’ve seen no inside jobs in terms of cheating.”
The cameras, from IQInVision, provide forensic-level images of the gaming floors and slots and some key locations in the back of the house – vault, safe areas – delivering the clarity the security team demands so that it can protect its assets and its customers.
Employee theft can seriously impact the bottom line, and soon after system deployment, Green says that casino security directors were able to go back to their Governing Councils to show measurable return on investment.
Special School ID NeedsTo protect its students and to help it comply with the Jessica Lunsford Act, Broward County Public Schools in Florida installed a security solution from Johnson Controls. The act, which took effect in September 2005, set requirements to prevent sexual offenders or predators from having access to Florida public school district campuses.
Dr. Joseph Melita, executive director, Special Investigative Unit and Professional Standards, Broward County School District, says the system provides the District with an electronic method of identifying anyone who enters the school buildings and grounds.
Using Security Identification Systems Corp.’s (SISCO) Fast-Pass system, the system provides a standard method to document and track visitors as they enter and exit school sites. It offers high-speed level 1 checks against local, state and national sexual offender databases and level 2 checks against FBI and state and local law enforcement databases. The system will also be used to confirm authorization for student pick-ups. Furthermore, the project involves streamlining the volunteer program with an online application process.
A unique feature of the system is its network-wide connectivity. If a visitor moves from building to building, each attempt to gain access will be reflected in real-time throughout the district. The system can also work as a district-wide messaging center. For example, an Amber Alert, hurricane warning or other emergency could be communicated instantly to every workstation in the network.
Common ID, Uncommon AdministrationFor Oklahoma City, it took one day to change the way city officials viewed their security. That day was Sept. 11, 2001. After that day, the U.S. government issued Homeland Security Presidential Directive (HSPD)-12, requiring “a common identification standard for federal employees and contractors.” For Oklahoma City, that meant creating a new system for issuing ID cards to city employees, vendors and contractors.
Unfortunately, Oklahoma City was no stranger to emergencies. It ramped up its security program after the Murrah Federal Building bombing in 1995, but it still issued a variety of ID cards. After 9/11 and HSPD-12, it coordinated the look and feel of its ID cards, enhancing its security system at the same time.
“Governments often face emergency situations and need a uniform badge,” says Aaron Hallmark of Dowley, Inc., a security systems integration company working with the city. “They want the ability to verify authenticity at a glance.”
City officials implemented the use of two Fargo printers, both of which reside in the Police Department’s Permits and ID section, to print police and vendor ID cards and the city’s ID cards.
On the cards, the photo is the predominant feature. The proximity cards are sequenced so when a user is assigned a card, the number is registered, and the user’s access to the system is tracked. City officials can control exactly who has access to what areas in the city facilities. The cards also are used as identification when an official enforces city codes and ordinances, such as keeping property free of dilapidated buildings. If someone has to take action on behalf of the city for violations, he or she has verifiable identification. Two years ago, the city added a holographic overlay to its cards.
Today, the city uses about 4,000 cards, laminated with a special holographic film created with the seal of Oklahoma City. An unusual aspect of the city’s ID card program is that there are multiple administrators. Access control is administered by managers who can add or delete access rights for their areas. The process is automatic through an interface between AMAG Technology for access control and PeopleSoft Enterprise software.
“Each department within the city is like its own company,” adds Hallmark, “and it can assign people access control through a central database. This is a little unusual. In most applications there is one administrator. In the City of Oklahoma City, there are several. Cards are associated with a department, but the database is visible to everyone.” Some departments have touch ID controls that allow access with a thumbprint or computer sign-in capabilities, but all also have readers to record employee time and attendance.
Today, Oklahoma City uses ID cards extensively for visual identification and access control, printing cards for both purposes in-house. A photo ID card is used for visual security, and a proximity card with a bar code is used for building and department access. Even street entertainers and ice cream vendors wear an official city ID card.
The city’s new ID card system has gone a long way toward helping with security, controlling who has access to what areas and tracking that access, according to Hallmark. If there’s a question of who was in a particular location and for how long, the administrator of the system can track that information.
National ID and ControversiesNo doubt, there are millions of ID cards for identification of city workers, hospital employees, students, casino workers and game players. But there are multi-millions of IDs – more than 201 million license holders out of 308 million people – when it comes to state driver’s licenses, the most held personal identification in the United States.
Unlike many other countries, America has no national ID. States and various federal agencies issue driver’s licenses, which are considered the nation’s de facto identity card and a common document in most enterprise hiring processes. However, and similar to the rollout of various types of security technology, the tragedy of 9/11 encouraged the federal government to strive for more secure identification of people. That mission led to passage of the REAL ID Act of 2005 (Rearing and
Empowering America for Longevity against acts of International Destruction), a U.S. federal law that imposes certain security, authentication, and issuance procedures standards for the state driver’s licenses and state ID cards, for them to be accepted by the federal government for “official purposes” as defined by the Secretary of the Department of Homeland Security (DHS). It has defined “official purposes” as presenting state driver’s licenses and identification cards for boarding commercially operated airline flights and entering federal buildings and nuclear power plants.
Each card must include, at a minimum, the person’s full legal name, signature, date of birth, gender, driver’s license or identification card number. It also includes a photograph of the person’s face and the address of principal residence. It is required to have physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes. It will use common machine-readable technology, with defined minimum data elements, the details of which are not spelled out, but left to DHS in consultation with the Department of Transportation.
For the states, May 10, 2011 remains the deadline for full compliance with the REAL ID Act. People born on or after Dec. 1, 1964, will have to obtain a REAL ID by Dec. 1, 2014. Those born before that will have until Dec. 1, 2017 to obtain one.
The act is somewhat controversial. Some critics see it as a slippery slope to a national ID card while others, often the states and their driver’s license issuing departments, believe it is an unfunded mandate that demands millions of scarce dollars, slow processing, and an iffy security outcome.
In fact, all 50 states have either applied for extensions of the original May 11, 2008 compliance deadline or received unsolicited extensions. By last October, 25 states approved either resolutions or binding legislation not to participate in the program.
And, just before the end of 2009, the DHS Secretary automatically extended some REAL ID deadlines for most states.
Extensions and Alternatives“When we requested the extension, we told Homeland Security staff that we are not committing the commonwealth to comply with the REAL ID Act,” says Kurt Myers, Pennsylvania Department of Transportation’s deputy secretary for safety administration. “We have been clear from the beginning that unless the federal government fully funds REAL ID, Pennsylvania does not intend to participate.”
That state’s stand is telling. Pennsylvania has long been and continues to be a leader among states in the security of its driver’s license products, processes, systems and facilities.
In addition, with President Obama’s selection of Janet Napolitano, a critic of the program, to head DHS, the future of the original law remains uncertain, and bills have been introduced into Congress to amend or repeal it. The most recent, called PASS ID, would kill many of the more burdensome technological requirements but still require states to meet federal standards in order to have their ID cards accepted by federal agencies.
PASS ID would eliminate REAL ID requirements that are considered excessive, such as the obligation to verify birth certificates with the issuing department, and shared national databases. However, critics charge PASS ID will still require the storage of digital records of documents proving citizenship, such as birth certificates. It may also allow less secure technology like radio frequency identification to be incorporated into drivers’ licenses.
Whether it is REAL or PASS ID, identity technology rumbles forward. For example, in early January at the
International Consumer Electronics Show, Samsung Mobile Devices displayed an electronic ID card prototype featuring a new chip that stores personal information like an identification number. Its RF-powered AMOLED (Active Matrix Organic Light-Emitting Diode) technology for enhanced electronic ID cards can securely store biographical information and digital imagery in the card.
Then more secure was the aim of February’s Winter Olympics in Vancouver, Canada. The games will boast a multi-million dollar security arsenal including security video, satellite monitoring, cellular telephone monitoring, computerized background checks, biometric identification cards, toxic material scanners and detectors, traveler profiles and overhead communications/monitoring blimps, among other technologies.
Still it is easier to identify hundreds of hospital workers, thousands of college students and Olympics athletes than it is to verify and identify multi-millions of U.S. drivers, both technically and politically.