Is online identity theft real?

I find it ironic how some security firms like to dismiss online identity theft based upon the FBI/CSI study especially since 56% of all breaches were classified as “Don’t know how information was taken”. How is that possible?

If a legitimate user name and password is used to access a computer, it is not flagged as a breach. Data thieves want to be able to access data and remain invisible for as long as they can. That is why there are groups out there that will pay for user names and passwords. We have seen dishonest employees, outside service personnel, visitors and anyone else who may have access to a company been responsible for copying passwords. Recently some ex-directors of a company paid current employees for passwords to their old company’s network.

Just by the way employees manage their passwords makes it so easy for people to steal and sell passwords. Post-it Notes with passwords are copied using a cell phone camera. Phishing emails requesting information. People assign weak passwords that can be broken quickly. No matter how it is done, the point is that people are the weakest link to their own security.

So yes, online identity theft is real but often unrealized and undetected for a long time.

Solution: A password security management solutions. There are many different solutions out there: Software, tokens, biometrics, and smartcards. As the CEO of a company that offers a smartcard based, password managers I do have a bias. And while I believe some solutions are far better and securer than others, I still would rather have people use something then nothing at all. Companies or technology cannot stop data breaches, but the goal has to be to make it so difficult for the thieves, yet easy for the employee, that they look for easier prey.