[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





                       FIGHTING FRAUD: IMPROVING

                          INFORMATION SECURITY

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

                                AND THE

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 3, 2003

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 108-19



89-407              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
DOUG BEREUTER, Nebraska              PAUL E. KANJORSKI, Pennsylvania
RICHARD H. BAKER, Louisiana          MAXINE WATERS, California
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York              NYDIA M. VELAZQUEZ, New York
EDWARD R. ROYCE, California          MELVIN L. WATT, North Carolina
FRANK D. LUCAS, Oklahoma             GARY L. ACKERMAN, New York
ROBERT W. NEY, Ohio                  DARLENE HOOLEY, Oregon
SUE W. KELLY, New York, Vice         JULIA CARSON, Indiana
    Chairman                         BRAD SHERMAN, California
RON PAUL, Texas                      GREGORY W. MEEKS, New York
PAUL E. GILLMOR, Ohio                BARBARA LEE, California
JIM RYUN, Kansas                     JAY INSLEE, Washington
STEVEN C. LaTOURETTE, Ohio           DENNIS MOORE, Kansas
DONALD A. MANZULLO, Illinois         CHARLES A. GONZALEZ, Texas
WALTER B. JONES, Jr., North          MICHAEL E. CAPUANO, Massachusetts
    Carolina                         HAROLD E. FORD, Jr., Tennessee
DOUG OSE, California                 RUBEN HINOJOSA, Texas
JUDY BIGGERT, Illinois               KEN LUCAS, Kentucky
MARK GREEN, Wisconsin                JOSEPH CROWLEY, New York
PATRICK J. TOOMEY, Pennsylvania      WM. LACY CLAY, Missouri
CHRISTOPHER SHAYS, Connecticut       STEVE ISRAEL, New York
JOHN B. SHADEGG, Arizona             MIKE ROSS, Arkansas
VITO FOSELLA, New York               CAROLYN McCARTHY, New York
GARY G. MILLER, California           JOE BACA, California
MELISSA A. HART, Pennsylvania        JIM MATHESON, Utah
SHELLEY MOORE CAPITO, West Virginia  STEPHEN F. LYNCH, Massachusetts
PATRICK J. TIBERI, Ohio              BRAD MILLER, North Carolina
MARK R. KENNEDY, Minnesota           RAHM EMANUEL, Illinois
TOM FEENEY, Florida                  DAVID SCOTT, Georgia
JEB HENSARLING, Texas                ARTUR DAVIS, Alabama
SCOTT GARRETT, New Jersey             
TIM MURPHY, Pennsylvania             BERNARD SANDERS, Vermont
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
KATHERINE HARRIS, Florida
RICK RENZI, Arizona

                 Robert U. Foster, III, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                   SPENCER BACHUS, Alabama, Chairman

STEVEN C. LaTOURETTE, Ohio,          BERNARD SANDERS, Vermont
Vice Chairman                        CAROLYN B. MALONEY, New York
DOUG BEREUTER, Nebraska              MELVIN L. WATT, North Carolina
RICHARD H. BAKER, Louisiana          GARY L. ACKERMAN, New York
MICHAEL N. CASTLE, Delaware          BRAD SHERMAN, California
EDWARD R. ROYCE, California          GREGORY W. MEEKS, New York
FRANK D. LUCAS, Oklahoma             LUIS V. GUTIERREZ, Illinois
SUE W. KELLY, New York               DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio                CHARLES A. GONZALEZ, Texas
JIM RYUN, Kansas                     PAUL E. KANJORSKI, Pennsylvania
WALTER B. JONES, Jr., North          MAXINE WATERS, California
    Carolina                         NYDIA M. VELAZQUEZ, New York
JUDY BIGGERT, Illinois               DARLENE HOOLEY, Oregon
PATRICK J. TOOMEY, Pennsylvania      JULIA CARSON, Indiana
VITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee
MELISSA A. HART, Pennsylvania        RUBEN HINOJOSA, Texas
SHELLEY MOORE CAPITO, West Virginia  KEN LUCAS, Kentucky
PATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York
MARK R. KENNEDY, Minnesota           STEVE ISRAEL, New York
TOM FEENEY, Florida                  MIKE ROSS, Arkansas
JEB HENSARLING, Texas                CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey            ARTUR DAVIS, Alabama
TIM MURPHY, Pennsylvania
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
RICK RENZI, Arizona

              Subcommittee on Oversight and Investigations

                     SUE W. KELLY, New York, Chair

RON PAUL, Texas, Vice Chairman       LUIS V. GUTIERREZ, Illinois
STEVEN C. LaTOURETTE, Ohio           JAY INSLEE, Washington
MARK GREEN, Wisconsin                DENNIS MOORE, Kansas
JOHN B. SHADEGG, Arizona             JOSEPH CROWLEY, New York
VITO FOSSELLA, New York              CAROLYN B. MALONEY, New York
JEB HENSARLING, Texas                CHARLES A. GONZALEZ, Texas
SCOTT GARRETT, New Jersey            RUBEN HINOJOSA, Texas
TIM MURPHY, Pennsylvania             JIM MATHESON, Utah
GINNY BROWN-WAITE, Florida           STEPHEN F. LYNCH, Massachusetts
J. GRESHAM BARRETT, South Carolina


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    April 3, 2003................................................     1

Appendix:
    April 3, 2003................................................    53

                               WITNESSES
                        Thursday, April 3, 2003

Beales, J. Howard III, Director, Bureau of Consumer Protection, 
  Federal Trade Commission.......................................    11
Brady, John J., Vice President, Merchant Fraud Control, 
  MasterCard International.......................................    33
Caddigan, Tim, Special Agent in Charge, Financial Crimes 
  Division, United States Secret Service, accompanied by Robert 
  Weaver, Deputy Special Agent in Charge, New York Field Office..     8
Farnan, James E., Deputy Assistant Director, Cyber Division, FBI.    10
Hendricks, Evan, Editor and Publisher, ``Privacy Times''.........    34
McIntyre, David J. Jr., President and CEO, TriWest Healthcare 
  Alliance.......................................................    25
Mitnick, Kevin D., President and Co-founder, Defensive Thinking..    27
Pratt, Stuart, President, Consumer Data Industry Association.....    31

                                APPENDIX

Prepared statements:
    Bachus, Hon. Spencer.........................................    54
    Kelly, Hon. Sue W............................................    56
    Oxley, Hon. Michael G........................................    58
    Gillmor, Hon. Paul E.........................................    60
    Hinojosa, Hon. Ruben.........................................    61
    Paul, Hon. Ron...............................................    63
    Shadegg, Hon. John B.........................................    65
    Beales, Howard...............................................    67
    Brady, John J................................................    86
    Caddigan, Timothy............................................    92
    Farnan, James E..............................................    98
    Hendricks, Evan..............................................   105
    McIntyre, David J. Jr........................................   114
    Mitnick, Kevin...............................................   124
    Pratt, Stuart K. (with attachments)..........................   130
    Weaver, Bob..................................................   141

              Additional Material Submitted for the Record

Assistant Secretary of Defense, William Winkenwerder, Jr., 
  prepared statement.............................................   145
Farnan, James E.:
    Written response to questions from Hon. Sue W. Kelly.........   150
Hendricks, Evan:
    Written response to questions from Hon. Sue W. Kelly.........   151
McIntyre, David J. Jr.:
    Written response to questions from Hon. Sue W. Kelly.........   153
Mitnick, Kevin:
    Written response to questions from Hon. Sue W. Kelly.........   156

 
                       FIGHTING FRAUD: IMPROVING
                          INFORMATION SECURITY

                              ----------                              


                        Thursday, April 3, 2003

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                     Joint with the Subcommittee on
                      Oversight and Investigations,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:07 a.m., in 
Room 2128, Rayburn House Office Building, Hon. Sue W. Kelly 
[chairwoman of the Subcommittee on Oversight and 
Investigations] presiding.
    Present: Representatives Bachus, Kelly, Shadegg, Fossella, 
Capito, Tiberi, Feeney, Hensarling, Murphy, Barrett, Renzi, 
Maloney, Gutierrez, Hooley, Carson, Sherman, Inslee, Moore, 
Ford, Lucas of Kentucky, McCarthy, and Matheson.
    Chairwoman Kelly.  The Committee on Oversight is pleased to 
be able to have this hearing today.
    Personal information has to be safeguarded throughout our 
national credit system. Just as consumers shred their unwanted 
mail and take care with their receipts, financial institutions 
have to develop and upgrade their information security 
procedures to protect consumers. Financial records such as 
credit card numbers are combined with other pieces of personal 
information, and they are the first targets of identity 
thieves. Years of work are often necessary for both consumer 
and business victims to correct damaged credit histories and 
restore access to credit.
    Today two subcommittees will hear from the witnesses on 
three specific case studies to review current industry 
practices and to ensure that proper security procedures and 
protocols are in place or are being implemented.
    Teledata Communications is a company in my home State of 
New York that enables businesses to access credit bureau 
information so they can grant credit to consumers. An employee 
inside the company allegedly stole and sold passwords and codes 
for accessing credit reports for thousands of people. According 
to law enforcement, his actions resulted in millions of dollars 
of financial theft.
    TriWest Healthcare, an important health care provider for 
our active duty military personnel, honored veterans and their 
dependents, suffered the physical theft of its computer 
hardware. The equipment stored personal information about many 
of our heroes now involved in the war to liberate Iraq, 
including the Chairman of the Joint Chiefs of Staff, General 
Richard Myers. Fortunately, quick action by the company and the 
credit bureaus appears thus far to have prevented misuse of the 
information.
    Another company, Data Processing International, in Nebraska 
saw its database of millions of credit card numbers hacked from 
the outside. It again appears that rapid action this time by 
the company and the credit card companies have prevented 
improper use of the numbers to date.
    Through the examination of these cases the subcommittee 
will review how credit issuers, third party vendors that 
process transactions, credit bureaus and law enforcement 
agencies coordinate efforts to limit harm to consumers when 
data security is breached. Among our witnesses are officials of 
the law enforcement and regulatory agencies involved with these 
and other such cases, representatives of the companies 
involved, one of the most notorious computer hackers in the 
world, who is now a consultant, I am happy to report, and an 
expert in privacy.
    I want to thank my distinguished colleague, Representative 
Spencer Bachus, the chairman of the Subcommittee on Financial 
Institutions and Consumer Credit, for joining us in holding 
this important hearing of our subcommittees. I also want to 
congratulate him for his leadership in the bipartisan passage 
of H.R. 522, the Federal Deposit Insurance Reform Act of 2003, 
by the full House yesterday.
    With that, I turn to Mr. Gutierrez.
    [The prepared statement of Hon. Sue W. Kelly can be found 
on page 56 in the appendix.]
    Mr. Gutierrez. Good morning, Chairs Kelly and Bachus, and 
members of the committee. Today more than ever identity theft 
takes myriad forms. Modern thieves are using massive digitized 
databases to access and steal consumers' personal information. 
As too many people are learning the hard way, identity thieves 
steal Social Security, bank account, and credit card numbers 
and use them to commit fraud, very often destroying the credit 
rating and financial future of their victims. Every year 
thousands of these victims are left financially ruined, often 
with severe credit problems and even false criminal records 
that they must spend years working to erase. Even in minor 
cases victims spend endless hours.
    So we are gathered here today to discuss ways to help 
consumers by increasing the security of data that contains our 
personal information and to understand some of the possible 
loopholes that have enabled these cases to occur in the first 
place, to hear about data security efforts undertaken by the 
companies that hold our private information, and look for ways 
to help consumers have quick and better access to their 
personal records when identity theft incidents occur. One of 
the most fundamental problems is consumers are often left out 
of the loop after their information has been stolen and this is 
unacceptable.
    In one of the cases that will be discussed today a former 
employee of Teledata is being charged with the biggest identity 
theft fraud in U.S. history. One of the most outrageous aspects 
of this specific case is that in March of 2000 the alleged 
perpetrator quit his job, but that didn't even slow down his 
scheme. He only worked there for 10 months but the scam 
continued for 3 years. The company security codes he allegedly 
stole still worked and were accessible right up to the moment 
of his arrest. In the meantime 30,000 people had their 
identities stolen and financial losses reached more than $2.7 
million.
    How could personal data be so easily accessible? What kinds 
of safeguards do companies have in place to deter these 
practices? I hope that this hearing will serve as an 
opportunity to answer these questions and others. I thank you 
for holding the hearing, and I look forward to the testimony, 
and I ask unanimous consent that my complete opening statement 
be submitted for the record.
    Chairwoman Kelly.  Thank you very much, Mr. Gutierrez. Mr. 
Bachus.
    Mr. Bachus. Thank you, Chairman Kelly, for telling me my 
mike wasn't on, that is very important, and also for convening 
this joint hearing of our two subcommittees to review issues 
relating to the security of personal information. This is an 
issue of critical importance to the financial service industry 
and I believe this hearing is a timely one, and it is actually 
one of a series of hearings that Chairwoman Kelly has been 
holding over the past year or two on this issue.
    This hearing, which is titled ``Fighting Fraud: Improving 
Information Security,'' is one of many hearings that will be 
held by the Subcommittee on Financial Institutions and Consumer 
Credit regarding the security of personal information. I expect 
that at some point our efforts will culminate in comprehensive 
legislation addressing the broad issue of how secure consumers 
feel with respect to their personal information.
    Today's hearing will focus on three cases where sensitive 
personal information was compromised through hacking or 
physical theft of computer databases. Each case that we will 
hear about today is illustrative of a different type of 
security breach: An outside computer hacker, employee 
misconduct, and a garden variety burglary. Using these cases, 
we will review how credit issuers, third party vendors that 
process transactions, credit bureaus, and law enforcement 
coordinate efforts to limit harm to consumers when data 
security is breached.
    Fighting fraud and protecting the security of personal 
information is a topic that unites financial institutions and 
consumers. Each group is harmed by the fraudulent use of 
personal information. Financial institutions are the victims of 
fraud because the financial institution is usually liable for 
any losses suffered as a result of that fraud. Consumers 
obviously suffer unnecessary inconvenience and insecurity as a 
result of fraud and they can be exposed to additional crimes 
such as identity theft. Furthermore, at least a portion of 
financial institutions' fraud losses can be expected to be 
passed on to consumers in the form of higher prices. There can 
be no doubt that when fraud is committed everyone loses.
    For obvious reasons financial institutions take precautions 
to prevent fraud, including precautions to protect the security 
of personal information. In addition to the self-interest 
financial institutions have in minimizing their fraud losses, 
Congress has required financial institutions to maintain 
appropriate standards relating to information security, 
including standards to protect against unauthorized access to a 
financial institution's customer records as part of the Gramm-
Leach-Bliley Act. The requirements as adopted by the Federal 
banking agencies also require financial institutions to oversee 
their relationship with third party service providers, 
including having the service providers agree by contract to 
implement a comparable information security program. It is my 
understanding that the Federal banking agencies have been 
examining financial institutions with respect to their 
compliance with these requirements.
    However, I remain interested in learning more about the 
role service providers play with respect to information 
practices and the ability to maintain appropriate information 
security programs. It is my understanding that the Bank Service 
Company Act gives the bank regulators broad authority to 
examine third party providers. Two of the cases today 
illustrate that greater oversight of these entities may be 
necessary.
    As part of Gramm-Leach-Bliley, Congress also enacted stiff 
prohibitions against a practice known as pretext calling, which 
is a fraudulent means of obtaining an individual's personal 
information. Pretext callers contact a financial institution's 
employees and attempt to obtain customer information usually 
while posing as a customer whose information they are trying to 
collect. This is a serious issue and one that both 
Subcommittees--actually the Oversight Committee has held 
several hearings previously. I am interested in learning more 
about efforts to enforce this prohibition and the Federal Trade 
Commission's advice on the amount of resources devoted to 
fighting this fraudulent practice.
    We will also hear this morning from Federal law enforcement 
agencies about their approach to countering those who would 
compromise the security of personal information. It has always 
been my experience that law enforcement and the financial 
services industry work well together with respect to pursuing 
those who attempt to commit crimes against consumers and 
financial institutions. I look forward to hearing about law 
enforcement's perspective on this important topic, especially 
with respect to representatives from the FBI, Secret Service 
and FTC.
    In short, financial institutions, Congress, the banking 
agencies, and law enforcement have been working to address 
information security and fraud prevention issues. Regardless of 
the great pains taken by all these parties to protect the 
security of personal information, the chance remains that a 
breach may occur. Therefore, Congress must remain vigilant to 
ensure that existing regulations are implemented appropriately 
and examine whether new safeguards are necessary. Furthermore, 
it is just as important for financial institutions to have 
mitigation plans in place in the event that their information 
security program is hacked or otherwise compromised.
    In conclusion, let me say I am pleased that we will hear 
from several witnesses today who will describe how various 
parties took action to address recent breaches and prevent 
subsequent fraud. Before we proceed I believe it is important 
to mention to the entire panel that although this hearing is a 
public forum, we should avoid discussing specific details which 
may give criminals ideas or even a road map for doing further 
harm.
    Let me close by thanking Chairman Oxley for recognizing the 
importance of improving the security of personal information 
and scheduling this hearing. We must continue to work to 
improve security and protect sensitive data to ensure the 
consumers continue to have confidence in our nationwide credit 
system as well as our financial services system in general. I 
look forward to working with the chairman, Mrs. Kelly, and 
other colleagues as we continue to examine this complicated 
issue.
    [The prepared statement of Hon. Spencer Bachus can be found 
on page 54 in the appendix.]
    Chairwoman Kelly.  Thank you. Mrs. McCarthy, do you have an 
opening statement?
    Mrs. McCarthy. Thank you. I will wait for the testimony.
    Chairwoman Kelly.  Mr. Moore.
    Mr. Moore. Thank you, Madam Chair and Congressman Bachus. I 
appreciate both of you convening this hearing. I appreciate the 
witnesses being present. I want to reiterate, I won't say it 
all, what Congressman Bachus and Congresswoman Kelly said 
before, and that is this is a very important area. As a 
district attorney for 12 years I worked closely with people in 
fraud cases and a lot of the things--this was back in the 1970s 
and 1980s, so a lot of the things we are talking about here 
today weren't relevant then, weren't even around then. As the 
Internet has expanded and accessibility of the Internet is used 
not only by individuals but by financial institutions and other 
organizations and private and important individual data is 
contained in databases, I think it is very, very important that 
we protect that information. I think individuals who have 
private important information stored in those databases have a 
right to expect that companies and institutions will take 
adequate measures to protect that information. Obviously, theft 
of that information, identity theft and theft of financial 
information about an individual can cause great harm to a 
person and to their family, and it ends up costing all the 
consumers I think a lot of extra money.
    So I am interested to hear what the witnesses have to say 
and very much appreciate you being here.
    Thank you.
    Chairwoman Kelly. Thank you very much.
    Mr. Shadegg.
    Mr. Shadegg. Thank you, Chairwoman Kelly. I want to begin 
by thanking you and Chairman Bachus for holding this important 
hearing on information security. I also want to begin by 
thanking one of my constituents, David McIntyre, president and 
CEO of TriWest Healthcare Alliance, for agreeing to be here and 
testify today.
    My personal interest in identity theft and information 
security began about 5 years ago when two of my constituents, 
Bob and Joanne Hartle of Phoenix, Arizona were victims of 
identity theft. My constituents, following their victimization, 
were instrumental in securing the passage of the first State 
law in the Nation criminalizing identity theft. Mr. and Mrs. 
Hartle suffered the devastation of identity theft when a 
convicted felon took Mr. Hartle's identity and made purchases 
totaling over $100,000. In addition, this individual purchased 
handguns using Mr. Hartle's clean record to get around the 
Brady law. Finally and shockingly in this day of terrorism, 
this individual also used Mr. Hartle's clean record and 
military record to obtain security clearance to secure areas of 
Phoenix Sky Harbor International Airport. As a result of this 
victimization at a time when there were no State laws and no 
Federal laws penalizing identity theft, Mr. and Mrs. Hartle 
were forced to spend more than 4 years of their life and more 
than $15,000 of their own money seeking to restore their 
credit.
    Their case led me to introduce legislation to criminalize 
identity theft at the Federal level. The Identity Theft and 
Assumption Deterrence Act of 1998 was signed into law by 
President Clinton on October 30th, 1998. It gives for the first 
time Federal law enforcement agencies, including those who are 
represented before us here today, the authority to investigate 
and prosecute identity theft.
    But following the passage of that law, I found there was 
more that needed to be done. We began to notice that the 
Federal agencies with this new authority were unfamiliar with 
it and did not have a habit of coordinating with local law 
enforcement on these issues. So we began a series of meetings 
that lasted over a year in Phoenix, Arizona between Federal law 
enforcement agencies, including the FBI and others here today 
and State and local law enforcement agencies, to try to resolve 
the tough issues of who should act and what they should do in 
the interplay between Federal and State laws and in the 
interplay of these crimes where someone is victimized in one 
place but lives many States away, thousands of miles away.
    Mr. and Mrs. Hartle also turned their unfortunate 
circumstance into something very positive. They established a 
nonprofit organization to assist other victims of identity 
theft. Their Web site, www.idfraud.net, is available to provide 
guidance to any identity theft victims across the Nation, and 
they have devoted themselves to this task.
    Identity theft ranges from individual instances like the 
Hartles involving small or large amounts to large organized 
professional crime rings. In fact TriWest Healthcare Alliance 
may well have been the victim of a professional identity theft 
operation. Like the Hartles, Mr. McIntyre, my constituent, and 
his company took an unfortunate circumstance, a burglary of 
their computer in which data was stolen, and turned it into a 
positive model for other companies to follow.
    Following the break-in of their Phoenix office and the 
theft of computer hard drives containing their clients' 
sensitive personally identifiable information, Mr. McIntyre and 
TriWest Healthcare Alliance embarked upon an aggressive effort 
to notify all 562,000 affected customers of the theft. The 
stolen data included personally identifiable information such 
as Social Security numbers, birth dates and addresses for 
military personnel, one quarter of whom were on active duty at 
the time, retirees and family members, all of whom are served by 
TriWest under a contract with the Department of Defense.
    TriWest immediately reported the theft to the police, 
notified the Department of Defense officials and launched a 30-
hour data run to determine what files were stolen. In addition, 
the company established a dedicated e-mail address and set up 
toll free telephone lines with a three-tier response network so 
that customers would not experience long delays in trying to 
find out information about the theft and about how it might 
affect them. TriWest mailed letters notifying victims of theft 
and provided guidance on steps they could take to protect their 
credit. TriWest also posted a $100,000 reward for information leading to 
the conviction of those responsible for the theft.
    In all, TriWest undertook great efforts to notify victims 
of the theft at great financial expense to the company. But due 
to their extraordinary efforts to date no information from the 
stolen computer files has yet led to a single instance of 
identity theft.
    The nature of identity theft has changed and the threat is 
more likely than ever to come from breaches of data security, 
which is why I think this hearing is most appropriate. 
According to an identity fraud manager at the Federal Trade 
Commission, there is a shift by identity thieves from going 
after single individuals to going after mass information. Law 
enforcement experts now estimate that half of all cases come 
from thefts of business data banks as more and more information 
is stored in databases which are vulnerable to attack from 
hackers.
    The Identity Theft and Assumption Deterrence Act of 1998 
was an important first step in the road to crack down on 
identity theft crimes. However, more legislation is needed to 
protect people from these thieves and from easily obtaining 
Social Security and credit card numbers, to provide better 
coordination between victims and credit reporting bureaus, to 
establish procedures for businesses to follow in the event of a 
data security breach like we will discuss today, and provide 
stiffer penalties for those who steal and use other persons' 
ID.
    I look forward to the testimony of the witnesses and help 
to identify areas in which a legislative response may be 
needed. I yield back.
    [The prepared statement of Hon. John B. Shadegg can be 
found on page 65 in the appendix.]
    Chairwoman Kelly. Ms. Hooley.
    Ms. Hooley. Thank you, Madam Chairwoman and Mr. Chairman. I 
appreciate the Chairs and ranking members of both subcommittees 
in putting together today's hearing and look forward to hearing 
more about our Nation's data protection. This is an important 
hearing and hopefully it will be the first of many hearings on 
the issue of identity theft. It is the fastest growing crime in 
the United States. I know through these and other hearings we 
will not only learn about the challenges in fighting identity 
theft, but also hear unique and effective suggestions on how we 
in Congress can better protect our consumers and financial 
institutions from this crime.
    I know I can speak for everyone on the Financial Services 
Subcommittee when I say we are here to listen with open minds 
and to put whatever work is necessary into solving this 
problem. This truly is a bipartisan issue, and in that regard I 
would like to thank Mr. LaTourette from Ohio for working so 
closely with me on legislation on identity theft that is nearly 
ready for induction. I would also like to thank Mr. Frank and 
all the members of the Democratic Task Force on Identity Theft 
for pledging to work together on this issue.
    In order to protect both consumers and industry, we all 
certainly have our work cut out for us. But if the cooperation 
and dedication of people like Mr. LaTourette and Mr. Frank and 
the members of both subcommittees are any indication, we on the 
Financial Services Committee are up to the challenge.
    Thank you again, and I look forward to today's proceedings 
and look forward to hearing from the panelists. Thank you.
    Chairwoman Kelly. Mr. Hensarling. Mrs. Maloney just left. 
Mr. Matheson. Mr. Barrett. Mr. Ford left. Mr. Lucas. Mr. 
Tiberi. Mr. Feeney.
    I will introduce our first panel: Mr. Tim Caddigan, the 
Special Agent in Charge of the Financial Crimes Division of the 
United States Secret Service, accompanied by Robert Weaver, 
Deputy Special Agent in Charge of the New York Field Office; 
James Farnan, Deputy Assistant Director of the Cyber Division 
in the FBI; and Mr. J. Howard Beales, III, Director of the 
Bureau of Consumer Protection in the Federal Trade Commission.
    We look forward to having you here today, and we look 
forward to your testimony. We will begin with you, Mr. 
Caddigan.

 STATEMENT OF TIM CADDIGAN, SPECIAL AGENT IN CHARGE, FINANCIAL 
 CRIMES DIVISION, UNITED STATES SECRET SERVICE, ACCOMPANIED BY 
 ROBERT WEAVER, DEPUTY SPECIAL AGENT IN CHARGE, NEW YORK FIELD 
                             OFFICE

    Mr. Caddigan. Thank you. Chairman Bachus, Chairwoman Kelly, 
Congressman Sanders, Congressman Gutierrez and members of both 
subcommittees, thank you for inviting me to be part of this 
distinguished panel and the opportunity to address the 
committee regarding the Secret Service efforts to protect our 
Nation's financial and critical infrastructures. Let me also 
take the opportunity to thank Chairman Oxley, Congressman Frank 
and all the members of the full committee for their long-
standing support of the Secret Service and the interest this 
committee has conveyed in our mission, our programs and our 
employees.
    With me today is Mr. Bob Weaver, Deputy Special Agent in 
Charge of the Secret Service's New York Field Office and head 
of the New York Electronic Crimes Task Force. I am also pleased 
to be here with my colleagues and partners in fighting identity 
crimes and related computer crimes from the Federal Trade 
Commission and the FBI.
    In my full statement for the record I provided an overview 
of the Secret Service's investigative mission and our historic 
responsibility for safeguarding our currency and financial 
infrastructure. The Secret Service has statutory jurisdiction 
to investigate a wide range of technology based crime, 
including credit and debit card fraud, identity theft, false 
identification fraud, counterfeit currency and checks, 
financial institution fraud and telecommunications fraud. These 
investigations are pursued through our 134 domestic offices 
with additional support from our 20 foreign offices.
    There is no shortage of information, testimony or anecdotal 
evidence, regarding the nature and variety of cyber based 
threats to our banking and financial sectors and the need to 
create effective solutions. There is, however, a scarcity of 
information regarding successful models to combat such crime in 
today's high tech environment. One such successful model is the 
New York Electronic Crime Task Force and the valuable formula 
this task force has developed and applied to the prevention and 
detection of computer based crimes.
    Our New York task force has brought together 50 different 
Federal, State and local law enforcement agencies as well as 
prosecutors, academic leaders and over 100 different private 
sector corporations. The task force investigates substantial 
electronic criminal activity involving e-commerce frauds, 
identity crimes, telecommunications fraud, and a variety of 
computer intrusion crimes which affect a number of 
infrastructures.
    Since 1995, the New York task force has charged over 1,000 
individuals with electronic crimes and the loss to Social 
Security exceeding $1 billion. It has trained over 60,000 law 
enforcement personnel, prosecutors and private industry 
representatives in the criminal abuses of technology and how to 
prevent them. The task force has identified tools and 
methodologies that can be employed by our partners to eliminate 
potential threats to their information systems.
    We consider the New York task force to be the 21st century 
law enforcement model that modernizes criminal justice and 
incorporates partnership and information sharing within its 
core competencies. Accordingly, Congress authorized the Secret 
Service in the U.S.A. PATRIOT Act of 2001 to expand our task 
force initiative to cities and regions across the country. We 
have since established electronic crimes task forces in Los 
Angeles, San Francisco, Chicago, Boston, Charlotte, Miami, Las 
Vegas and Washington, D.C.
    Our task force model stresses prevention through 
partnership. We focus on the mitigation of damage and the quick 
repair of any damage or destruction to get the system 
operational as soon as possible after an intrusion occurs.
    Let me mention one critical point about our partnerships 
with other law enforcement agencies, academia and private 
sector. Partnerships cannot be legislated, regulated nor 
stipulated. Partnerships are voluntarily built between people 
and organizations that raise the value in joint collaboration 
towards a common end. They are fragile entities which need to 
be established and maintained by all participants and built on 
a foundation of trust. I cannot overstate the significance of 
these trusted partnerships to the success of our task force 
model.
    Let me share with you some insights regarding a recent 
ongoing case which our Omaha office is investigating in 
conjunction with our Chicago, New York, and San Francisco task 
forces. The case which came to our attention early February 
through our contacts in the credit card industry involves an 
unlawful intrusion into the computer system of a third party 
credit card processor, the companies responsible for processing 
credit card transactions of companies such as Visa, Master 
Card, American Express and Discovery. We believe that multiple 
machines combined to attack this processor's computer system 
and unlawfully seized millions of credit card numbers along 
with expiration dates from the company's filings. Our 
investigation with the FBI determined that these multiple 
servers were located both within and outside the United States. 
The Secret Service is completing electronic forensic 
examinations and is working with foreign authorities in 
gathering further evidence concerning this attack.
    I want to conclude my statement by again thanking the 
members of both subcommittees and the full committee for their 
strong support of the Secret Service and our investigative 
mission.
    [The prepared statement of Tim Caddigan can be found on 
page 92 in the appendix.]
    Chairwoman Kelly. Thank you very much, Mr. Caddigan. Mr. 
Farnan.

  STATEMENT OF JAMES FARNAN, DEPUTY ASSISTANT DIRECTOR, CYBER 
                         DIVISION, FBI

    Mr. Farnan. Good morning. I would like to thank the Chairs 
of both subcommittees as well as the other members for their 
opportunity to testify today. Holding this hearing demonstrates 
your commitment to improving the security of our Nation's 
information systems and this committee's leadership on this 
issue.
    My testimony today will address the activities of the FBI's 
Cyber Division as they relate to a broad spectrum of cyber 
criminal acts.
    Last week a headline in the Atlanta Journal Constitution 
announced Hackers Strike Georgia Tech Computer, Gain Credit 
Card Data. The article goes on to discuss the information on 
57,000 people that was available to the hackers, including 
about 38,000 credit card numbers. The university had moved the 
database from one system to another but it failed to put up a 
firewall to protect the data.
    Incidents like this happen every week, even to 
organizations at technology's leading edge like Georgia Tech. 
American consumers and businesses are increasingly relying on 
the Internet. E-commerce is growing in all sectors of the U.S. 
economy. Although most e-commerce transactions are business to 
business, e-commerce retail sales in the United States reached 
$46 billion last year, up from $36 billion in 2001.
    When Internet users, be they businesses or consumers, are 
impacted by Internet crime, the viability of e-commerce is 
compromised. When a cyber crime is committed, the FBI is in a 
unique position to respond because it is the only Federal 
agency that has the statutory authority, expertise and ability 
to combine the counterterrorism, counterintelligence and 
criminal resources needed to effectively neutralize, mitigate 
and destruct illegal computer supported operations.
    The FBI's reorganization of the last 2 years included the 
goal of making our cyber investigative resources more 
effective. In 2002 the reorganization resulted in the creation 
of the Cyber Division where we have taken a two-tracked 
approach to the problem. One avenue is identified as 
traditional criminal activity that has migrated to the 
Internet, such as Internet fraud, online identity theft, 
Internet child pornography, theft of trade secrets and other 
similar crimes.
    The other nontraditional approach consists of Internet 
facilitated activity that did not exist prior to the 
establishment of computers, networks and the World Wide Web. 
This encompasses cyber terrorism, terrorist threats, foreign 
intelligence operations, and criminal activity precipitated by 
illegal computer intrusions into U.S. computer networks, 
including the disruption of computer supported operations and 
the theft of sensitive data by way of the Internet.
    The FBI assesses the cyber threat to be rapidly expanding 
as the number of actors with the ability to utilize computers 
for illegal, harmful and positively devastating purposes is on 
the rise. A typical case will come to the FBI through the 
Internet Fraud Complaint Center, which later this year will be 
renamed as the Internet Crime Complaint Center to more 
accurately reflect its mission. In its fourth year of operation 
the Center has proven to be a very successful clearinghouse, 
receiving over 75,000 complaints last year on crimes ranging 
from identity theft and computer intrusions to child 
pornography.
    If the Center, for example, received an intrusion report 
from a company in, say, Birmingham, Alabama, we would first 
attempt to locate where the intrusion took place. That same 
company may have its servers in Minneapolis while the intruder 
is routing through California and Europe. If the servers in 
Minneapolis were hacked, the Minneapolis Cyber Crime Task Force 
would be assigned to lead the case. The leads in California 
could end up in Eastern Europe, Nigeria or even back in 
Birmingham if an insider were involved. One of the FBI's 
response teams would be called upon to preserve evidence and 
that evidence would be forwarded to one of our new regional 
computer forensic laboratories now located in Chicago, Dallas, 
and San Diego. Simultaneously other FBI computer experts would 
determine the extent and duration of the intrusion and whether 
the attacker came from inside or outside the company. Depending 
on the sophistication of the intruder, the case may be solved 
in a few days or it may take years.
    Cases are routinely complex and often involve international 
connections. Cyber crime continues to grow at an alarming rate 
and security vulnerabilities contribute to the problem. We will 
soon begin staffing a public-private alliance unit within the 
FBI which will work with administrators and security 
professionals to reduce opportunities for criminals by 
employing best practices and patching vulnerabilities before 
they can be exploited. Through that unit's efforts combined 
with the efforts of those in this committee problems like the 
hacking experienced by Georgia Tech will happen much less 
frequently. The FBI will continue to pursue cyber criminals as 
we try to stay one step ahead of them in the cyber crime 
technology race.
    I thank you for your invitation to speak today. I on behalf 
of the FBI look forward to working with you on this very 
important topic.
    [The prepared statement of James E. Farnan can be found on 
page 98 in the appendix.]
    Chairwoman Kelly. Mr. Beales.

    STATEMENT OF J. HOWARD BEALES, III, DIRECTOR, BUREAU OF 
         CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

    Mr. Beales. Thank you, Chairman Kelly and members of the 
committee. I am Howard Beales, Director of the Federal Trade 
Commission's Bureau of Consumer Protection. I am pleased to 
present the views of the Commission this morning.
    The Federal Trade Commission works to prevent and protect 
information security on a number of fronts. We take law 
enforcement actions, we provide victim assistance when security 
breaches result in identity theft. We educate both consumers 
and business and we hold public workshops to examine emerging 
issues.
    In our traditional role as a law enforcement agency the FTC 
has brought civil actions to enforce privacy promises, 
including cases where companies failed to take adequate 
security precautions with consumers' personal information. When 
an information breach is reported, the FTC staff activates our 
protocol for triaging the breach. We evaluate the incident on a 
number of levels, including the extent of the breach and the 
type of information that was exposed. We also analyze any 
jurisdictional issues. We do not have jurisdiction over banks 
and common carriers, for example. In addition, we determine 
whether there is an ongoing criminal investigation, given that 
the breach may involve an underlying theft of information. We 
coordinate any FTC investigation with criminal authorities 
because we don't want to get in the way of an ongoing criminal 
investigation.
    When the Commission determines that law enforcement action 
is appropriate we have two valuable tools to work with. First, 
section 5 of the FTC Act, which prohibits unfair deceptive acts 
or practices such as misleading promises about information 
security; second, starting in May of this year, the Commission 
will enforce the Gramm-Leach-Bliley Act safeguards rule for the 
financial institutions within our jurisdiction.
    Last August the Commission announced a settlement with 
Microsoft regarding misleading claims about the information 
collected from consumers through its passport services. The 
Commission's complaint alleged that Microsoft misrepresented 
the privacy afforded by these services, including the extent to 
which Microsoft kept the information secure.
    Microsoft is an important case because it involved alleged 
misstatements about the security provided for millions of 
consumers' sensitive information. In addition, it held 
Microsoft to its security promises even in the absence of a 
known breach of the system. Thus, the Commission found even the 
potential for injury actionable when sensitive information and 
security promises were involved and when the potential for 
injury was significant.
    The Microsoft case was followed by the Commission's case 
against Eli Lilly. The Lilly case involved alleged 
misrepresentation regarding the security provided for important 
information. Like Microsoft, Lilly made claims that it had 
security measures in place to protect the information collected 
from consumers on its Web site. As in Microsoft, the Commission 
charged Lilly with failing to have reasonable measures in place 
to protect the information. The order in the Lilly case 
prohibits the misrepresentations and as in Microsoft it 
requires Lilly to implement a comprehensive information 
security program.
    It is important to note that the Commission is not simply 
saying gotcha for security breaches. Although a breach may 
indicate a problem with a company's security, breaches can 
happen even when a company takes all reasonable precautions. In 
such instances the breach does not violate the laws that the 
FTC enforces. Instead, the Commission recognizes that security 
is an ongoing process using reasonable and appropriate measures 
in light of the circumstances. That is the approach the Commission 
took in these cases and in its Gramm-Leach-Bliley Act 
safeguards rule, and it is the approach we will continue to 
take.
    As I mentioned earlier, in May the Commission's Gramm-
Leach-Bliley Act safeguards rule takes effect. The rule 
requires financial institutions under our jurisdiction to 
develop and implement appropriate physical and procedural 
safeguards to protect customer information. The rule takes a 
flexible approach, requiring greater security measures for the 
most sensitive consumer information. It requires companies to 
assess the risks they face, take reasonable and appropriate 
steps to reduce those risks. Companies must also monitor their 
security performance and adjust their programs as the risks 
they face change over time.
    The FTC also plays a role in improving information security 
and in reducing risks to personal information by fostering 
dialogue and educating the public on security issues. For 
example, the Commission held a workshop last May to examine the 
security of consumer information, both as maintained by 
consumers on their own computers and by businesses on their 
systems. In May and June of this year the Commission will host 
workshops that focus on the role of technology again for both 
consumers and businesses.
    The cases of TriWest and Teledata Communications Inc., in 
which massive numbers of individuals' personal information was 
taken are good examples of where the Commission carried out its 
traditional education and assistance role. The staff provided 
advice to those companies on how to notify the affected 
individuals and what steps those consumers should take to 
protect themselves.
    From these experiences and others the FTC has developed a 
response kit for businesses which have suffered information 
security breaches. The kit tells businesses what steps to take 
to respond to a breach and includes a form letter for notifying 
the individuals whose information has been taken. These kinds 
of information security breaches place substantial costs on 
individuals and businesses. The Commission is committed to 
reducing these breaches as much as possible through its civil 
law enforcement authority and its education and assistance 
programs.
    Thank you for holding this hearing, and I look forward to 
your questions.
    Chairwoman Kelly. Thank you, Mr. Beales. I also want to 
note that we invited Dr. William Winkenwerder, the Assistant 
Secretary of Defense for Health Affairs at the Defense 
Department to discuss the DOD's role in mitigating the impacts 
of a theft at TriWest. Unfortunately, he had already accepted 
an invitation to testify about this before the Senate Finance 
Committee right now and his deputy is on travel.
    Dr. Winkenwerder submitted a statement for the record and 
with the members' unanimous consent I want to enter it into the 
record at this time.
    [The prepared statement of William Winkenwerder can be 
found on page 145 in the appendix.]
    Chairwoman Kelly. We thank all of you and I would like to 
begin with you, Mr. Caddigan, asking you a couple of questions. 
We commend the entire Secret Service and especially the agents 
in the New York Field Office for your truly dedicated and 
outstanding service to this country. We in New York are 
understandably very proud of the tenacity of the New York Field 
Office as it recovered from the destruction of its offices at 7 
World Trade Center.
    I would like to ask if your task force and the stronger 
emphasis on information security since 9/11 has led to law 
enforcement successes?
    Mr. Caddigan. Madam Chairwoman, I think it is safe to say 
yes, the proactive approach that the task force model in New 
York takes with regard to partnering with businesses, it gets 
on the front end of an issue. We help establish self-assessment 
vulnerabilities in a particular entity. We can help mitigate 
those on the front end. We can help develop a response plan for 
that business should they be victimized. So do those actions 
prevent activity or help mitigate that in the long run? Yes, 
ma'am, I would say that it does.
    Chairwoman Kelly. That is very good to hear.
    Mr. Farnan, your testimony discusses two cases in which the 
hacker was arrested overseas. How often are hacking cases 
originated from an overseas point? Do you want to answer that?
    Mr. Farnan. Much more frequently than we might care to 
think about. What we have learned and the model we come from in 
law enforcement is to typically think along State jurisdiction 
lines and the FBI, of course we think when violations may cross 
State jurisdictional lines. With the advent of the Internet and 
the World Wide Web, we have to completely reevaluate those 
jurisdictional lines. We now have to think of the entire planet 
as a ground or platform from which perpetrators can act, and so 
we do see a lot of activity from persons based in overseas 
countries or outside the United States.
    Chairwoman Kelly. Mr. Caddigan, do you want to address 
that?
    Mr. Caddigan. I think crime has become global in nature, 
especially with the onset of the Internet and computer. What 
can take place in a criminal activity in California can almost 
instantaneously have the victim be victimized in Asia, for 
example. So we do look at things as a borderless society with 
regard to fighting crime. We do partner not only domestically 
with business and law enforcement, but I think it is also as 
critical to partner in the foreign arena with foreign 
businesses, foreign law enforcement and governments.
    Chairwoman Kelly. Mr. Farnan, is the FBI concerned that 
large scale hacks or the denial of service attacks might be an 
instrument of international terrorism?
    Mr. Farnan. We are definitely concerned about that. In the 
Cyber Division what we have done is aligned our priorities 
along with those of the FBI. So counterterrorism is our number 
one priority and our number one focus followed by 
counterintelligence matters and then criminal matters in terms 
of our third priority. So we are definitely concerned about 
that. And we have seen, for example, terrorists who are 
interested in communicating by way of the Internet, like in 
many cases we all are. So we pay special attention to that 
arena.
    There are two other sort of elements that help us focus on 
that. One is that in the international arena especially. We 
have our legal attache program that is located in about 46 
countries, I believe it is, and we are going to start in the 
Cyber Division an Internet, or we have started an international 
investigative support unit to work with our legal attaches to 
make sure that we are addressing that very issue.
    Chairwoman Kelly. Good. Thank you, Mr. Farnan.
    Mr. Beales, can you give me more details? You mentioned 
that you have taken some specific measures with the FTC to--
what measures, specifically, did you take with respect to the 
three cases to help the victims?
    Mr. Beales. Well, what we did was to discuss with the 
companies the kind of a letter they might send and make 
discussions about the letter. We have a booklet that is 
consumer information about identity theft that is called 
Identity Theft: When Bad Things Happen to Your Good Name. And 
we make that booklet available and encourage companies to 
provide that booklet to consumers in need of information about 
what they should do next.
    Chairwoman Kelly. Thank you. I am about out of time.
    Mr. Farnan and Mr. Caddigan, I want to be sure, we want to 
be sure, we need to be sure that there is no unnecessary 
overlap or redundancy between the two of your agencies. I 
wonder if you would be willing to clarify your authority over 
cyber intrusions.
    Mr. Farnan. Again we have our--well, the fact that Mr. 
Caddigan and I are sitting next to each other and Dennis Holly, 
who is sitting next to me is an agent actually assigned to FBI 
Headquarters, resources permitting, I want to assign an FBI 
agent to Secret Service Headquarters, I think we are working in 
an extremely cooperative and complementary fashion. There is 
enough crime, as I think you can sort of define from the 
testimony today, to go around. There is plenty of work to do. 
And with that, I think that our efforts complement each other. 
We have specific mechanisms in place to make sure that happens, 
including the sharing of personnel back and forth.
    When it comes to intrusions, the one unique thing that we 
may bring is the fact that if it is a State-sponsored or 
foreign government who is trying to break into or hack into a 
system in the U.S., it is one kind of unique area that the FBI 
may bring to that. What we have done successfully is work on a 
case-by-case basis at the field level all the way through the 
headquarters level to make sure we are not duplicating and 
complementing efforts.
    Chairwoman Kelly. Mr. Caddigan, are you satisfied with that 
answer?
    Mr. Caddigan. I would concur completely. We recognize that 
any single entity can't handle this problem alone. By working 
together, combining our resources, combining our approach 
methodologies, we do provide a better product to the public we 
serve.
    Chairwoman Kelly. So you feel that there is not a problem 
with overlap there?
    Mr. Caddigan. I think, as Mr. Farnan mentioned, we detailed 
an Assistant Section Chief to the Cyber Division in 
headquarters, so conflict is not an issue. We do coordinate at 
the local level with our task forces. The Bureau has 
representation and membership in each of our electronic crimes 
initiatives throughout the country and, conversely, in smaller 
environments where we are not present we have membership in 
their initiatives.
    So I would suggest to the panel that the cooperation does 
exist at the highest level and although there may be some 
appearance of overlap it does mesh well together.
    Chairwoman Kelly. Thank you. I am out of time. Mr. 
Gutierrez.
    Mr. Gutierrez. Thank you very much. First of all, I want to 
thank Mr. Weaver and Mr. Caddigan and Mr. Farnan and all of 
those that work with you at the FBI and Secret Service for the 
work that you do.
    I would like to ask Mr. Beales, I guess my concern is what 
are the responsibilities of financial institutions that suffer 
from intrusions to their client base in terms of information 
from them? Is there a 48-hour, 72-hour window, a week, 30 days? 
Is there something that says you must do this by the FBI's 
call, the Secret Service knows, they are investigating how long 
does it take and is there anything that says they have to do it 
in a specific amount of time?
    Mr. Beales. There is no specific requirement either to give 
notice or to give notice within a certain period of time. 
Notice is clearly appropriate in many circumstances and is 
clearly the best practice and was what we have generally seen 
in most cases that involve breaches. There are some cases 
though where notice may not be as useful. And I think in the 
case of the credit card hack that got the information about 
credit cards, providing that information to the financial 
institution so they could block fraudulent activity on those 
cards is a more effective way to address the problem and 
considerably reduces the need for notice to consumers.
    Mr. Gutierrez. So I guess then what you are saying is we 
have to rely on the credit card companies and the service that 
is provided to protect the consumer but we are not--we don't 
necessarily inform the consumer so that he can help protect 
himself and you think there might be just best practices where 
the consumer is left totally out of the picture and unaware? It 
seems to me the credit and the reputation belongs to the 
consumer and that credit and reputation is I trust--I entrust 
it to the financial institution, to my credit card company, my 
mortgage company and that they have a responsibility to me to 
alert me. I mean, if my bank didn't call me because somebody 
ripped off my money from my checking or bank account 
immediately, I think I would get pretty angry about it. I guess 
my question is don't you think there should be some best 
practices established so that consumers can help themselves?
    A booklet is nice and I am very happy that you issue that 
booklet, but at what point do we trust the consumer to engage 
and to cooperate with the Secret Service, with the FBI, with 
the District Attorney's office or whatever it is that is 
prosecuting the case. What do you think?
    Mr. Beales. I completely agree with you that consumers need 
to find out in most of these cases. And we have--in the 
particular cases that are at issue here we have strongly 
encouraged the companies to provide information to consumers 
and try to make it easier for them to do that. I think there is 
no question that is the best practice in most cases.
    Mr. Gutierrez. So the best practice is trust the companies 
to figure out when they should inform the consumer that their 
credit has been somehow hurt or compromised and that somebody 
has access to their information; we should just trust the 
companies to do this?
    Mr. Beales. We don't have regulatory authority.
    Mr. Gutierrez. Who does?
    Mr. Beales. I am not sure that there is any agency that has 
authority to.
    Mr. Gutierrez. So there is no authority that you understand 
that anyone has?
    Mr. Beales. There is authority and there are regulations 
both by us and the bank regulatory agencies that govern the 
front end, that require financial institutions to have in place 
measures to prevent breaches of information security and to 
take appropriate steps in order to keep that from happening in 
the first place.
    Mr. Gutierrez. I understand that. And I guess then that 
maybe we should look at how it is ultimately the House of 
Representatives or legislatively we deal with the issue given 
that it is your testimony that there is no best practice other 
than let the companies figure out how it is they should deal 
with the consumers, but there is no 72 hours, 48 hours. So we 
probably may need some best practices established to protect 
the consumer because in the end that is who we have to protect 
and that is who is most hurt in this situation.
    Again, I want to thank the members of the Secret Service 
and the FBI for their work because I know they have a lot of 
work, especially after September 11th. I want to thank them for 
all the hard work that they do. I want to thank folks at the 
Federal Trade Commission, too. You do a great job there, too.
    I wanted to see if we could figure out what we might need 
to do, this committee and other committees. Thank you all so 
much for your testimony this morning.
    Chairwoman Kelly. Thank you, Mr. Gutierrez.
    Mr. Bachus.
    Mr. Bachus. Thank you. Mr. Beales, will the FTC be taking a 
closer look at banks' third party providers with respect to the 
service providers information security programs?
    Mr. Beales. It is something that we are very interested in, 
in looking at security cases and information security cases in 
general. It is an area where the bank regulators also under 
their safeguards rules also have authority and it is a place 
where we would want to coordinate with the bank regulatory 
agency as to who was in the best position to address any 
particular case.
    Mr. Bachus. Are you already doing that? Are you already 
looking at these?
    Mr. Beales. We talk to the bank regulatory agencies on a 
very regular basis about a host of issues, including this.
    Mr. Bachus. How about the bank's third party providers? Are 
you all in contact with them or are you reviewing their 
information security programs?
    Mr. Beales. Well, we have--under the FTC rules we can't 
talk about particular investigations. They are not public.
    Mr. Bachus. I don't want specifics, but is it a part of 
your general procedure? Do you----
    Mr. Beales. Well, in our general procedures we are sort of 
looking for cases everywhere. They may come from reports in the 
media and they may come from complaints. They may come from 
referrals from other law enforcement agencies, and if they are 
in our jurisdiction and third party service providers, we would 
be very interested in pursuing.
    Mr. Bachus. Banks' third party service providers are within 
your jurisdiction, aren't they, as far as their information 
security?
    Mr. Beales. Yes, I believe they are. They are also subject 
to the bank's----
    Mr. Bachus. I understand that. But I am just talking about 
for a minute--without being specific, have you taken a closer 
look at any of their information security programs?
    Mr. Beales. We do not have any--we haven't done anything 
that was specifically targeted to bank third party.
    Mr. Bachus. I understand that. I am not talking about 
target. I am just saying are there instances when you have 
reviewed their information security programs?
    Mr. Beales. If we review information, it would be in the 
context of a particular investigation of a particular company.
    Mr. Bachus. I understand that. I am not talking about 
particulars, but have you done that? I know you have the right 
to do it, and you might do it, but have you done it?
    I am not going to ask specifics about companies, but I want 
to know if that is part of your jurisdiction?
    Mr. Beales. It is part of our jurisdiction.
    Mr. Bachus. My question is, are you all taking advantage 
of it? Are you all doing that? Are you reviewing or have you 
reviewed any?
    Mr. Beales. We have reviewed cases as they have come to our 
attention.
    Mr. Bachus. Banks, third-party providers?
    Mr. Beales. Yes, sir.
    Mr. Bachus. Okay. You know, on the DPI case, this 
information was looked at, but it wasn't actually taken, is my 
understanding.
    Mr. Beales. I am not--I don't know that for sure.
    Mr. Bachus. Okay. All right.
    Are you aware of any identity theft cases that resulted 
from the DPI hack?
    Mr. Beales. I am not.
    Mr. Bachus. How many personnel are dedicated to 
investigating pretext calls at your agency?
    Mr. Beales. There probably isn't anyone that is completely 
dedicated. We are a small agency and people multi-task, but 
there are--there are four or five staff members who have been 
involved in pre-texting investigations.
    Mr. Bachus. Let me ask the Secret Service, either one of 
you gentlemen, Mr. Weaver or Caddigan, in your experience how 
responsive have credit card issuers and processors been in 
notifying the Secret Service of data penetrations or other 
hacking events?
    Mr. Caddigan. I think, as a general statement, it is safe 
to say that they have been very responsive. We have ongoing and 
longstanding relationships with the credit card companies 
individually, the banks that they represent, and on occasion 
the third-party processors as it becomes important for us to 
deal with them.
    Mr. Bachus. You have been in a position to know whether 
they are cooperative, and they are?
    Mr. Caddigan. Yes, sir. They are very cooperative.
    Mr. Bachus. To Mr. Farnan, do you work closely with the 
private sector in monitoring data penetrations?
    Mr. Farnan. Well, one thing to keep in mind here is that 
what has happened at the FBI is the former National 
Infrastructure Protection Center has now migrated to the 
Department of Homeland Security.
    So what is happening is on the vulnerability side of the 
house, the Department of Homeland Security is really assuming 
that responsibility. And to focus our limited resources the 
best we can, we are focusing more on the threat side of the 
house. By that I mean, who is it out there that is causing the 
problem.
    So to answer your question, we are not directly monitoring.
    Mr. Bachus. You are focusing on the perpetrators?
    Mr. Farnan. Yes, sir.
    Mr. Bachus. In our second panel, we are going to talk about 
TriWest, what happened there. Now, you know, this hearing has 
sort of focused on penetrations of data systems, hacking, that 
nature. But in that case, someone either on the inside, it is 
an ongoing investigation, or on the outside just walked in and 
walked away with hard drives containing information on half a 
million people.
    Which obviously, if you had a preference for what you would 
do, is, you know, go in and try to grab stuff. If you could 
just walk in and take the hard drives out or the disk out, you 
know, that would be the preferred method I would think for 
thieves.
    I read the testimony of TriWest's CEO, and it was 2 days 
before they discovered this theft. From a law enforcement 
agency perspective, what do you advise corporations that have 
these large databases of how to protect them from a security 
standpoint? Not someone hacking, but someone walking in or 
somebody walking out, whether they walked in or not.
    Mr. Farnan. One of the things that we tend to see is 
sometimes we do tend to think of these cases as extremely 
complex, because once we get into the world of electrons 
and what is happening in cyberspace, things can get complicated 
pretty quickly. But in doing that, sometimes we forget the 
fundamentals, sometimes we forget to lock the door.
    So there are times when you have to look at, where does any 
company or university or institution keep its servers, where do 
they keep their mainframes, what kind of security, in terms of 
locked doors, places in the building that kind of equipment is 
kept. Is it kept on site in the same place as the corporate 
headquarters or is it secured in an alternate location.
    So sometimes even though we get into lots of victims 
involved in these crimes, and the crimes can be really 
worldwide in nature, sometimes we forget the very fundamentals. 
And that is really, probably, the place to start with security 
matters.
    Mr. Bachus. I totally agree with you. I would think 
fundamentally you worry about sophisticated--through the 
network, but you obviously shouldn't--you should just protect 
the front door.
    How about the Secret Service? Any comments you would make?
    Mr. Caddigan. I would concur.
    I think in a proactive approach to information assurance or 
information security, a company, an organization, an entity 
needs to be concerned dually, both physical and cyber.
    And when you look at vulnerability assessment, an 
organization can be guided to conduct their own self-
assessment, I think you do--those things rise right to the top. 
I don't know the particulars on this case, but as you describe 
them you would ask the simple questions on the front end, is 
there a lock on the door, is there protection on the hard 
drive, what schedule do you use in order to verify that 
information has not been compromised.
    And again, not having any knowledge of this case, 
protecting your cyber elements again is just as critical as 
your physical elements. So it is easy to critique on the back 
side, but the proactive approach I think might have determined 
that vulnerability on the front side.
    Mr. Bachus. Thank you.
    Chairwoman Kelly. Mr. Caddigan, I want to follow up.
    Just one quick question to Mr. Bachus's question, and that 
is, about the way that the computers contain the information. 
If people are lifting the hard drives, then it seems to me that 
containing information that separates numbers from names and 
Social Security numbers from addresses, things like that can be 
done. Are you overseeing things like that? Are you looking at 
things like that, or recommending things like that to 
companies?
    Mr. Caddigan. Yes, ma'am. Recommending would be the proper 
word. We do have issues with regard to--these companies are 
private sector. We can't mandate, we can't legislate, but we 
certainly can recommend security mindedness. Those would be 
exactly the type of things that we would ask you to consider in 
how you collect and keep your data.
    Chairwoman Kelly. Thank you. Ms. Hooley.
    Ms. Hooley. Thank you. I am going to direct most of my 
questions to Mr. Beales, but if any of you would like to jump 
in, please feel free to do so.
    I know you are to provide victims assistance and consumer 
education.
    Can you highlight, beyond your testimony specifically, 
specific steps the FTC has taken in regard to consumer 
education and victims assistance? Let me explain what I am 
looking for.
    I know in regard to victims assistance you have a 
centralized database to aid law enforcement. Are there any 
programs in place specifically to help victims of ID theft 
clean up their credit, which as many of you know can be a long 
and expensive process? And do you have any suggestions for new 
ways to help in this regard? That is the first part of my 
question.
    The second part is, you have to finalize rules which 
require financial institutions under FTC's jurisdiction to 
develop and implement appropriate physical, technical and 
procedural safeguards to protect consumer information.
    Can you tell me which financial institutions might be 
subject to this rule? Would the 400 companies which are 
sponsored by financial institutions to process credit card 
payments, such as DPI, be subject to the rule?
    Then the third part of my question is, I know your--you 
have been traveling around the country to educate local law 
enforcement. I would like to know how well that has gone.
    Can you tell us a little bit about the seminars, how many 
cities have you traveled to, how often are they held, and what 
might be coming next. And is there anything we can do to help 
you with that?
    I know I have used your brochures extensively for the 
education piece. Thanks.
    Mr. Beales. When consumers call our hotline for identity 
theft to report a problem, the phones are answered by trained 
counselors who will try to talk them through what they need to 
do next.
    Our role is to provide advice to consumers about the steps 
that they need to take. We do that to the best of our ability, 
but it is really up to consumers to do that.
    There are private programs that will help consumers 
individually on a one-on-one basis, go through the process of 
cleaning up their credit. It is not something that we do or 
would have the resources to do for the complaints we get. We 
get--last year we had approximately 161,000 victims who 
contacted our clearinghouse for information and assistance.
    Ms. Hooley. Let me ask you, are there any other things? I 
mean, I know what the directions are that you give victims, and 
it can take 3 or 4 years. I mean, I think the average time is 
an enormous amount of time to clear up their credit.
    Do you have suggestions or ideas, any of you, about how we 
can make that happen in a much quicker, less costly, less time 
consuming, less frustrating way?
    Mr. Beales. We are constantly looking for better ways to 
do it, to make it simpler. We have--I mean that led us last 
year to put out a uniform affidavit. So consumers could report 
the fraud on one form and then submit copies to different 
financial institutions, as one way to try to simplify the 
process.
    We are working--we have been working with the credit 
reporting agencies to initiate a pilot program that would let 
consumers just make one call to contact all three credit 
reporting agencies and establish a fraud alert. We expect that 
program to go into place later this month.
    We are continually looking as well for things that Congress 
might do to make this simpler. At this point we don't have any 
specific suggestions. But, it is something that we are very 
much alert to, and looking for ways that we or you or anyone 
else could make this process less of a hassle for the people 
who are victims.
    As to our Safeguards Rule, there are a wide variety of 
firms that you wouldn't think of as financial institutions that 
are or may be financial institutions under the Gramm-Leach-
Bliley Act rules that are subject to our jurisdiction and that 
would be subject to the Safeguards Rule.
    Accounting firms that do tax preparation and the like, for 
example, may well be subject to the rules. Auto companies that 
provide credit or dealers that provide credit or financial 
institutions are subject to the rules.
    The third parties that provide services, to banks or anyone 
else, that involve handling sensitive information would likely 
be financial institutions and subject to our rules.
    It is a hodgepodge of who it is, there is no easy way to 
describe the universe. But, our jurisdiction is basically any 
financial institution, except banks or financial institutions 
that are specifically regulated by some other regulator.
    As to the law enforcement training, I believe we did five----
    Ms. Hooley. Let me finish up that. The companies that are 
sponsored by financial institutions, like DPI, are they under 
your jurisdiction?
    Mr. Beales. I believe they are, yes.
    Ms. Hooley. Okay.
    Mr. Beales. As to the law enforcement training, I believe 
we did five cities last year. We did training programs in five 
cities last year. We thought it was successful and useful.
    We did those training programs in conjunction with the 
Justice Department and with the Secret Service and the Postal 
Inspection Service. We tried to bring in local officials, as 
well, in each one.
    This year we have five more planned in different cities 
around the country, and we are continuing to pursue that 
activity.
    Ms. Hooley. How can we help you in increasing those numbers 
for law enforcement, because I think that is a really important 
piece, the law enforcement piece of identity theft.
    Mr. Beales. Well, the--the piece that, I mean, the 
training piece I mean is simply limited by resources. It is--it 
is--it takes staff, time and effort. And we have tried very 
hard to work with the other law enforcement agencies involved 
to extend our resources and leverage them as much as possible.
    Ms. Hooley. Thank you.
    By the way, thank you for the booklets. We do send out a 
gazillion of them.
    Mr. Beales. I am glad to hear that.
    Chairwoman Kelly. Mr. Shadegg.
    Mr. Shadegg. I am going to pass.
    Chairwoman Kelly. Mr. Renzi.
    Mr. Renzi. Thank you, Madam Chairwoman.
    Just two real quick questions, so then we can go vote.
    I am really interested in the who behind all of this. You 
know, we have heard that there are hackers involved and 
terrorists involved, organized crime involved, and even 
insiders. And I know the FBI and the Secret Service have done 
wonderful job in foiling some attempts. What can you share with 
me as far as the who behind this.
    I've got a little follow-up question. Thank you.
    Mr. Farnan. First, our experience and our investigative 
activity to date suggests one thing that really kind of stands 
out. And that is, that the highest, the person that we are most 
concerned about is, in fact, the insider as opposed to an 
outsider. That person poses the most significant threat.
    Secondly, what we focused on and what we are concerned 
about are organized groups that may be attempting to obtain, 
penetrate machines and obtain large amounts of data. And we are 
very concerned, also, about the threats that are posed from 
foreign countries, frankly.
    But, one important point, I think, to emphasize is the fact 
that it is the insiders. It is the people who have access to 
the machines and to the data that really pose a significant 
threat, which raises the question, who watches the watchers?
    Mr. Renzi. Well said.
    Congressman Shadegg and I share a real concern living in 
Arizona with the border. We are reminded weekly of the threat, 
particularly as it relates to terrorism. We recently just had 
an Iraqi arrested down in the Tucson area. That goes to my 
follow-up question, which is the market, the black market.
    We have probably a sophisticated black market as it relates 
to credit cards, as it relates to Arizona, drivers' licenses, 
passports. Los Angeles has a whole market that is even bigger 
than ours, because of the immigrants that move through our area 
looking for identification and also the terrorists, I think, 
that are also looking for that new identity.
    Could you talk real quickly then about the driving force of 
once the insiders or whoever have stolen this information, who 
they are selling it to, where is the purchasing, the fencers, I 
guess, is what I am talking about?
    Mr. Caddigan. The insider threat is--the correlation of the 
insider is permeated through many of the cases that we have.
    The hacking community, the groups out there that do hacking 
for a pastime, we think they fall maybe into three categories.
    One is those doing it for the challenge. They want to show 
that they can tap into your vulnerability and exploit you.
    The second is political, which means they get into 
websites. They deface them. They put a statement, a logo, 
again, sometimes just for encouragement.
    The other is for profit. So they are the ones that I think 
we are all concerned about in law enforcement, those that are 
getting in there and stealing information. We find, in many 
cases, they make that information available in chat rooms on 
the webpage.
    They indiscriminately make it available to anyone willing 
to pay for it. Thus, it is hard to track where the sources are 
going to, because they are everything and anything.
    Mr. Renzi. Your answer leads me to believe that there is 
not an absolute purchaser. There is not an absolute market that 
you have been able to identify, indiscriminate purchasers?
    Mr. Caddigan. There is not an absolute market. I think that 
is safe to say.
    With regard to terrorism and the like, we do find--with 
illegal immigrants, terrorists, those that are truly trying to 
hide their identity, aren't using it to gain credit or to have 
purchasing power, they are using it to be able to live and 
exist with a different name that doesn't draw attention to 
them.
    Mr. Renzi. You are able to set up an electronic fencing 
operation, a pseudo fencing operation, where you look on the 
Internet and purchase that information and then go after that 
individual, just like you would----
    Mr. Caddigan. That does occur.
    We have always had sting operations with regard to, as your 
concern expressed, the immigrants. We have had some terrorism 
links to those that are just trying to have different breeder 
documents, and what they can get out of the breeder documents, 
meaning passports, driver's license and the like. It is just 
strictly to have a change of a named identity that they can use 
at will. So it does run the gamut in that regard.
    Mr. Renzi. Let me just thank all of you for your 
testimony today, and especially at this time in our Nation's 
history for the work you are doing.
    I know we are talking about incidents that have already 
occurred today. I can't imagine the amount of incidents that 
you have foiled. So thank you for that.
    Chairwoman Kelly. Thank you very much.
    We have just been called for two votes on the floor. So I 
will eventually deal with that, but I want to note that some of 
the Members may have additional questions for this panel, that 
they may wish to submit those questions in writing.
    So, without objection, the written hearing record will 
remain open for 30 days for members to submit written questions 
and to place responses in the record.
    This panel is excused with our great thanks. We appreciate 
the fact that you gave us so much of your time, and we look 
forward to being in continual contact with you, because this is 
quite a thorny issue. Thank you very much.
    In light of the vote, I am going to recess this committee 
for 20 minutes, and we will reconvene in 20 minutes for our 
second panel. Thank you very much, gentlemen.
    [Recess.]
    Chairwoman Kelly. As the second panel takes their seats at 
the witness table, and with the agreement of Members, I want to 
recognize the gentleman from Arizona, Mr. Shadegg, for the 
purpose of introducing our first witness before I proceed with 
the rest of the introductions.
    Mr. Shadegg. Thank you, Madam Chairwoman.
    As I mentioned in my opening statement, I have the 
privilege of having a constituent on this panel.
    Mr. David McIntyre is here to testify about the burglary of 
his company's office located in my Congressional district, the 
burglary that occurred on the morning of December 14th, 2002, 
and about the response by his company to that burglary.
    Mr. McIntyre is president and CEO of TriWest Healthcare 
Alliance, which is a private corporation that administers the 
Department of Defense's TRICARE Program in a 16-State region in 
the central United States. TriWest is the largest Department of 
Defense contractor in Arizona.
    Mr. McIntyre has more than 18 years of experience in 
healthcare and healthcare policy and in the healthcare 
business. He was previously Vice President of Blue Cross Blue 
Shield of Arizona, which is where I met him.
    For our purposes, Madam Chairman, he has 9 years of 
experience serving on the staff of Senator John McCain. So he 
is somewhat familiar with the hearing process.
    As I mentioned in my opening statement, in the wake of the 
burglary of TriWest's offices in Phoenix, Mr. McIntyre's 
company aggressively responded.
    Mr. McIntyre personally oversaw and took part in the plan 
to notify customers about the stolen information and personally 
telephoned a number of those whose credit card information was 
stolen.
    Mr. McIntyre has turned that negative experience, the 
burglary of his company's offices, into a positive model for 
other companies across the country who are victims of 
information theft.
    I appreciate him being here to testify, and I look forward, 
as I am sure the rest of the panel does to his testimony.
    Chairwoman Kelly. Thank you, Mr. Shadegg.
    Our remaining witnesses on the second panel are Mr. Kevin 
D. Mitnick, President and Co-founder of Defensive Thinking and 
a computer hacking expert. Stuart Pratt, President of the 
Consumer Data Industry Association. Mr. John Brady, Vice 
President for Merchant Fraud Control of MasterCard 
International, and Evan Hendricks, Editor and Publisher of 
Privacy Times. We welcome you all. We thank each of you for 
testifying here today.
    Without objection, your written statements will be made a 
part of the record. You will each be recognized for 5 minutes, 
and if you don't know the color codes on the lights in front of 
you, the green light is all go, and as soon as you see the 
yellow light it means it is time to sum up because the red 
light will come on. We all know what that means.
    With that we will start with you, with Mr. McIntyre.

STATEMENT OF DAVID J. MCINTYRE, JR., PRESIDENT AND CEO, TRIWEST 
                      HEALTHCARE ALLIANCE

    Mr. McIntyre. Chairwoman Kelly and distinguished members of 
the Financial Services Committee, thank you for the invitation 
to appear before you today to discuss the important topic of 
identity theft.
    Congressman Shadegg, thank you for your overly generous and 
very kind remarks, and I appreciate your long interest, 
dedication and effective leadership on this critical consumer 
issue. It, in fact, is an issue that affects every consumer in 
America, probably a very unique one at that.
    As Congressman Shadegg said, my name is Dave McIntyre. I am 
the president and CEO of TriWest Healthcare Alliance. We are a 
private corporation that delivers health care services to the 
Department of Defense and its beneficiaries in 16 states. We 
serve 1.1 million people.
    This was a very painful holiday period for me this last 
year, because like a number of organizations in this country, I 
have had the opportunity to learn firsthand about the 
information theft.
    What is most appalling to me, however, is that in many 
cases, it takes the individual who suffers the identity theft 
longer to clean up their credit report than is the jail term 
that is served by the criminal who actually perpetrated the 
act. As a consumer, as a business leader whose company suffered 
the theft of the personal information of its customers, I am 
grateful to you for your focus on this critical issue.
    On Saturday morning, December 14th, one of our offices was 
burglarized. Computer equipment and data files containing 
confidential and personal information of more than 570,000 
members of the military, their dependents and retirees were 
stolen.
    The information on the stolen hard drives included names, 
addresses and Social Security numbers, which we are required by 
the Federal Government to collect, along with other personal 
information. Fortunately, it only contained 23 credit card 
numbers.
    I was told by experts shortly after the theft that the most 
effective thing I could do was to get out in front of this 
issue and notify consumers as quickly as possible. So that is 
what we set out to do. We notified authorities on learning of 
the theft.
    Secondly, we contacted our DOD partners to jointly create 
and implement a comprehensive three-pronged action plan to 
protect our beneficiaries. We went to the media, because many 
of these people were away from home during the holidays 
visiting their families, and we wanted to make sure that we 
lost no time.
    The military worked through their chain of command and 
notified every installation worldwide, so that we would reach 
the leadership and all of the folks serving in the military.
    We sent the first of what will now be three letters to the 
individuals who were affected, to notify them of what had 
occurred, and give them advice based in part on the counsel of 
the FTC on what they could do to protect themselves.
    This has been a joint effort, working with Dr. 
Winkenwerder, the Assistant Secretary of Defense for Health 
Affairs, the Surgeon General of each service and all of the 
command structure in the military. It has been a fabulous 
partnership, albeit at a time when they didn't have time to 
spend on this issue.
    Third, we posted a $100,000 reward to aid law enforcement in 
their efforts to try to detect who had done this. As you can 
imagine we were devastated by this event. However, we focused 
all of our energy on trying to do what we would want to have 
done were we the consumer who was sitting on the other side.
    Given the burden on the individual of placing a fraud flag 
with three different credit bureaus, we worked with the credit 
bureaus to develop a plan that has allowed us to request on the 
behalf of our customers, not forcing them to do it, the actual 
request of a fraud flag.
    To date, more than 63,000 of the people on that list have 
chosen that option, and we have done that work on their behalf.
    Through this experience, I have learned a lot. I never 
planned to become an expert or even close to someone who knew a 
lot about the issue of information theft. I am pleased to be 
joined by a number of other people who obviously know a lot 
about this topic as well.
    I have come to believe that the work that was done by 
Congressman Shadegg needs to be built on in a couple of ways.
    First, I think that every leader of any organization, 
whether it is public or private, has an absolute obligation to 
their customers, that when that information is compromised, 
they have an obligation to inform their customer of the fact 
that has happened. It is painful. It is awkward. It is 
embarrassing. It is expensive. But you know what, it is not our 
information, and unless you arm the consumer with that 
information, they cannot protect themselves.
    Second, as a consumer, I have observed the inconsistencies 
in the last 4 months with how my credit card information is 
handled. Half of the receipts from restaurants have the full 
credit card number and authorization date or expiration date 
posted on it. That is all you need and a name to go to the 
Internet and buy something.
    In addition, I still belong to the Senate Credit Union. I 
went to the credit union to find out what comes on your 
statement. Social Security numbers are printed on those 
documents if you go and ask for the balance on your account 
today. Same is true in the House Credit Union.
    So we need to work to look at when is it necessary to have 
the full Social Security number printed on the document, when 
is it necessary to have the full credit card number printed.
    I also think that penalties in this area for those who 
perpetrate such crimes need to be looked at and significantly 
enhanced.
    Fourth, I believe that credit bureaus should allow 
organizations to act on behalf of their customers, and that 
they should establish consistent timelines for the updating of 
fraud flags.
    Thanks for the invitation to be before you today. I hope 
that this is the year that you are able to take the incidents 
that we have all faced and use them as leverage to further 
protect consumers in this country. I look forward to answering 
any questions you may have.
    Thank you, ma'am.
    Chairwoman Kelly. Thank you.
    [The prepared statement of David J. McIntyre can be found 
on page 114 in the appendix.]
    Chairwoman Kelly. Mr. Mitnick.

   STATEMENT OF KEVIN D. MITNICK, PRESIDENT AND CO-FOUNDER, 
                       DEFENSIVE THINKING

    Mr. Mitnick. Good morning, Chairwoman Kelly, Chairman 
Bachus and distinguished members of the committee.
    My name is Kevin Mitnick. I appear before you today to 
discuss your efforts to review current industry practices 
concerning security procedures for the prevention of electronic 
theft of credit card information and identity theft.
    I am primarily self-taught. My hobby as an adolescent 
consisted of studying methods, tactics and strategies for 
circumventing computer security, and for learning more about 
how computer systems and telecommunications systems work.
    I have 15 years experience circumventing information 
security measures, and I can report that I have successfully 
compromised all systems that I targeted for unauthorized access 
except one.
    I also have 2 years experience as a private investigator 
with responsibilities that included locating people and assets 
using social engineering techniques. Social engineering is the 
same thing as pre-texting that Mr. Bachus spoke to earlier.
    I have gained unauthorized access to computer systems at 
some of the largest corporations on the planet and have 
successfully penetrated some of the most resilient computer 
systems ever developed. I use both technical and nontechnical 
means to obtain source code to various operating systems and 
telecommunication devices to study their vulnerabilities and 
their inner workings.
    Currently, I am the Co-founder of Defensive Thinking, a Los 
Angeles based information security firm. I recently co-authored 
with William Simon a book titled the ``Art of Deception,'' 
published by John Wiley and Sons, which has become an 
international best seller. The book details nontechnical 
methods and tactics, in essence pre-texting, that computer 
intruders use to compromise valuable information assets, 
including credit card information.
    Social engineering is a method where the intruder deceives 
his target into complying with the request based on false 
pretenses and psychological manipulation.
    It is important to understand, and all companies and their 
employees need to realize, that the most insidious 
vulnerability to information security is the well-meaning, 
hard-working folks that use, operate and maintain information 
systems.
    The prevention and detection of social engineering attacks 
should not be ignored or underestimated. In fact, the majority 
of scams involving identity theft and credit card fraud include 
social engineering on some level.
    In an attempt to deter carding, many retailers are now 
requiring an on-line customer to provide the three-digit CVC 
number that card issuers have begun to use.
    But the thieves also obtain the CVC number. With it, they are 
able to use the information to commit fraud against 
unsuspecting cardholders and merchants. I understand that the 
subcommittee will be examining three recent cases involving 
large-scale thefts of nonpublic, personal identifying 
information and credit card details.
    A major part of the problem is that the criminals only need 
to obtain information that is stored or processed in thousands 
of computer systems around the world. In February of 2003, 
DPI, a credit card processing services company, reported that 
an unknown intruder had compromised their network and gained 
access to a database that held over 8 million credit card 
accounts.
    DPI did not release any details describing how the breach 
occurred, citing cooperation with Federal law enforcement 
officials. The DPI case was widely reported in the press 
because of the astounding number of credit cards potentially 
compromised.
    But when examined closer, you will realize that these types 
of attacks happen all the time. In my opinion, the committee 
should not overlook that many similar attacks on networks 
containing financial information are not detected by the owner 
or operators. It is important to realize that many of these 
security incidents remain undetected because of poor security 
and auditing practices.
    DPI has publicly claimed that the intrusion occurred from 
the outside of the organization. Although I do not like to 
hypothesize on the facts and circumstances of any attack without 
details, I would recommend that DPI consider the possibility 
that the attacker had assistance from the inside of the 
company.
    Every day the security community announces new 
vulnerabilities in operating systems and application software 
that have been identified. Vulnerabilities in software can be 
exploited to gain remote access to the target computer. Many 
system programs contain programming errors that enable the 
intruder to trick the software into behaving in a way other 
than that which is intended in order to gain unauthorized access 
rights, even when the application is part of the operating 
system of the computer.
    Once a new vulnerability is recognized, the software 
developer releases a patch, a modification to the software that 
might be installed by individual companies, a process that may 
be overlooked for days, weeks, months, even years. Meanwhile 
companies using that software remain vulnerable or are forced 
to disable or block access to the vulnerable service until the 
patch becomes available.
    Even then in many cases this is not enough. There are a 
number of sophisticated hackers who are able to discover 
previously unrecognized security vulnerabilities and then use 
them to compromise global computer systems and networks.
    I agree that it is essential to implement security 
strategies to prevent, detect and respond to security threats 
and attacks, but it is too easy to look in the wrong direction 
for an answer. In my view, attempting to solve the complex 
problem by micromanaging every on-line site that accepts credit 
card transactions would turn out to be wasteful, inefficient 
and not a very successful exercise.
    Instead, I recommend that the committee look into a 
different direction. I recommend that you explore mitigation 
strategies which focus on improving the authentication of the 
credit card user. In any on-line credit card transaction, 
identity and authorization are based on the information a 
consumer provides to the merchant. This is no better than a 
static password.
    There is an old saying among hackers. You never know if 
someone else has your password. The reality is that a password 
or its equivalent is too easy to steal. A first step towards a 
solution would be to strip away the identity value of all 
personal information.
    If knowledge of a credit card number, expiration date and 
the corresponding customer name and address is without value, 
stealing this information would be useless to an imposter.
    Unfortunately, authentication technology has not yet 
matured to the point of being able to provide an easy solution 
to the issue. If not being done already, I would recommend that 
the finance industry explore additional authentication methods 
that may include digital certificates, identification of the 
user's location based on IP address or telephone number, or 
verification of a PIN through a separate communications 
channel.
    For example, consider this scenario. You have just placed 
an Internet order for a new cell phone with a price tag of 
several hundred dollars, and placed an on-line order with your 
credit card information, but you were not required to give a 
PIN number. Instead, you next dial your credit card company, 
and when prompted you enter your card number. An automated 
system then reads off the details of the transaction. You are 
satisfied that the details are correct. The system tells you: 
To authorize this transaction, enter your PIN number.
    What would be the advantage of this approach? The thousands 
upon thousands of individual retailers would not have access to 
consumer PIN numbers. The fact that so many retailers store the 
credit card numbers of on-line customers gives rise to the kind 
of credit card theft that this hearing is addressing.
    If they also store the customer PINs, then there is no gain 
in security. The PIN becomes almost worthless as a security 
element. But under the approach I have suggested, only the bank 
would have access to the PIN number information. Under this 
arrangement, the theft of the card numbers would be of limited 
value.
    In another area, I would also recommend consumer-awareness 
training programs that educate people about the various scams 
being used to steal their credit card details and personal 
information, a practice that can prove highly valuable to 
effectively minimize identity theft and credit card fraud.
    I believe that all on-line retailers who accept credit 
cards should be encouraged or required to do the following:
    One, perform a regular, thorough risk assessment on their 
information assets, especially systems that process or store 
consumer financial and personal information.
    Two, implement policies, procedures, standards and 
guidelines as dictated by the results of the risk assessment.
    Three, create an audit and oversight program that measures 
compliance. The frequency of the audits ought to be determined 
consistent with the mission. The more valuable the data, the 
more frequent the audit process.
    Develop a process to ensure meaningful and effective patch 
management for all computer systems. Employ authentication 
methods that do not use nonpublic personal identification 
information, such as a mother's maiden name, birth date, birth 
place, driver's license number, address, phone number or Social 
Security number.
    Next, effective audit procedures implemented from the top 
down must be part of an appropriate system of rewards and 
consequences in order to motivate system administrators, 
personnel managers, and employees to maintain effective 
information security, consistent with the goals of this 
committee.
    Next, establish a security-awareness training program 
designed to educate their employees on the threats to 
information security and to change employee behavior to foster 
a secure environment. These would follow the security 
recommendations described in detail in my book, ``The Art of 
Deception.''
    In terms of legislation, I recommend that the subcommittee 
consider the following:
    One, legislation that prohibits merchants or credit card 
processors from electronically storing PINs or other types of 
verification credentials such as the CVC, unless it is 
essential to business needs.
    Two, the requiring of periodic security assessment and/or 
penetration testing to evaluate the security posture of any 
business that stores or processes credit card transactions, to 
be performed by an independent information security consulting 
firm.
    Three, require encryption of stored financial or personal 
information. If this was done by TriWest or by DPI, then the 
information would not be accessible to the hackers.
    Finally, I want to offer what I have deemed the most 
important factor in security, the human factor. This is 
essential, underlying all security issues, whether it is from 
deceptive credit card thieves or terrorist operatives to blend 
into our communities.
    I believe it is essential to consider regulations that 
mandate security awareness training as part of an overall 
security program as required by HIPAA and the GLBA.
    Thank you.
    Chairwoman Kelly. Thank you very much, Mr. Mitnick.
    [The prepared statement of Kevin D. Mitnick can be found on 
page 124 in the appendix.]
    Chairwoman Kelly. Mr. Pratt.

  STATEMENT OF STUART PRATT, PRESIDENT, CONSUMER DATA INDUSTRY 
                           ASSOCIATION

    Mr. Pratt. Chairwoman Kelly, Chairman Bachus, members of 
the committee, thank you for this opportunity to appear before 
you today.
    For the record, I am Stuart Pratt, president of the 
Consumer Data Industry Association, and we commend you for 
holding this hearing on the implications of breaches in 
information security in a number of different cases. In each of 
these cases, you have asked us to comment on the security 
breaches from the perspective of our members who operate as 
nationwide consumer reporting agencies.
    I will start with TCI Communications. Our members have no 
direct relationship with TCI Communications, and we learned--
our members report to us that they learned about access codes 
being compromised in particular through customer contacts with 
us.
    We work collaboratively with our customers. We worked 
collaboratively then with law enforcement to assist affected 
consumers. Let me just outline some of those steps.
    Consumers received notices from consumer reporting agencies 
as well as in partnership with our customers to make sure that 
they were aware of the breach that had occurred with regard to 
our information. Consumers' files were in some cases frozen 
temporarily while we could get those notices to them.
    Notification letters also then allowed consumers to take 
advantage of free file disclosures, free access to monitoring 
services that our members provide, as well as opting those 
consumers out of pre-screened offers of credit, and also adding 
fraud alerts to their files.
    Beyond the priority of assisting consumers, we also took 
proactive steps to ensure that the scope of the fraud was 
contained. We analyzed the patterns that we identified through 
the crime, and we then adjusted our pattern recognition tools 
and initiated reviews of all third-party access codes where 
we had similar third parties having access to those. We began 
rotating access codes more aggressively. Our customers are more 
accepting of the rotation of those access codes today.
    So we actually have a task force continuing to analyze yet 
additional steps we can take to further remove access codes 
from employees who might otherwise take advantage of the access 
that they have.
    We had no real involvement with DPI Merchant Services to 
the extent that we have been able to ask our members that 
question.
    I will move on to TriWest. With TriWest, TriWest is not a 
customer, it was not our information involved in this case. 
TriWest, as they reported themselves, took very quick action. 
On behalf of TriWest, many consumers then contacted consumer 
reporting agencies. We provided them voluntarily with free file 
disclosures. We also took them off of pre-screened offers of 
credit and, again, added security alerts to their files.
    These are just some of the various initiatives that we have 
for assisting potential victims or real victims of identity 
theft. A summary is included with our full comments here for 
the record.
    TriWest then proactively contacted our members and 
coordinated an additional plan of work that would allow their 
customers to have an easier time of adding additional 
information to their files.
    We learned a number of things through this experience. One, 
criminal behavior by employees, we will never be rid of that 
completely. But, of course, thanks to Mr. Shadegg, we have the 
Identity Theft Assumption and Deterrence Act of 1998.
    Those employees who had access to those systems, in fact, 
violated that very law that you created in the first place. 
They also violated the Counterfeit Access Device and Consumer 
Fraud and Abuse Act of 1984. They violated the Fair Credit 
Reporting Act, amended in 1996, which also prohibited access 
and escalated criminal penalties as well as civil fines for 
perpetrating this type of crime. So we do have a number of 
different laws on the books today.
    That being said, obviously everything that we can do to vet 
employees who have access to sensitive information is a 
critical element going forward. We must begin to learn to 
measure the relative risks of various breaches. One of our 
concerns from our members is that if we were to encourage the 
entire Nation with every security breach to contact consumer 
reporting agencies, this would not be hundreds of thousands, 
but literally millions of contacts per year.
    One of our member companies estimates that it was, in 
servicing TriWest customers, which was the right thing to do, 
it was the right time to do it, we have no question about doing 
it, it cost one of our member companies $1.5 million in order 
to accomplish that goal.
    We obviously need to work with the Congress and work with 
this issue to make sure that we are not on our own handling the 
totality of that kind of cost. It would change and radically 
alter how we do business today.
    All of that being said, coordinating assistance for 
consumers is important, and that is what our initiatives do for 
victims of identity theft. We look forward to working with you 
and this committee in this process, doing everything possible 
for those consumers.
    Thank you.
    Chairwoman Kelly. I thank you, Mr. Pratt.
    [The prepared statement of Stuart Pratt can be found on 
page 130 in the appendix.]
    Chairwoman Kelly. It gives me great pleasure to now call on 
Mr. John Brady, who is a constituent of mine. And I am very 
pleased to have him be here to testify from MasterCard today.
    Mr. Brady.

  STATEMENT OF JOHN J. BRADY, VICE PRESIDENT, MERCHANT FRAUD 
               CONTROL, MASTERCARD INTERNATIONAL

    Mr. Brady. Good afternoon, Chairwoman Kelly, Mr. Bachus, 
Mr. Sanders, Mr. Gutierrez, and members of the subcommittee.
    My name is John Brady. I am the Vice President for merchant 
fraud control for MasterCard International in Purchase, New 
York.
    It is my pleasure to appear before you this afternoon to 
discuss the important topic of fighting fraud and safeguarding 
financial information. MasterCard takes its obligations to 
safeguard financial information and protect consumers extremely 
seriously. This issue is top priority for MasterCard.
    We have a team of experts devoted to working with law 
enforcement and maintaining the integrity and security of our 
payment systems. Our success in protecting consumers and 
preventing fraud is due in part to the constant efforts we 
undertake to keep our network secure.
    The MasterCard Information Security Program is 
comprehensive, and we continually update it to ensure that it 
provides strong protections. Our member financial institutions 
also have information security protections in place, including 
those required under the applicable banking law.
    Also, MasterCard's bylaws and rules require each member and 
any third party acting on behalf of a member to safeguard the 
transaction and account information. Our bylaws and rules also 
require any merchant that accepts a MasterCard branded payment 
device to prevent unauthorized access to the information.
    In addition, MasterCard has a variety of consumer 
protections and antifraud tools. For example, MasterCard has 
voluntarily implemented a zero-liability policy with respect to 
unauthorized use of U.S. issued MasterCard consumer cards. 
Under this rule, a cardholder victimized by unauthorized use 
generally will not be liable for any loss at all.
    In addition, MasterCard has developed programs to protect 
against unauthorized use of the MasterCard payment cards. These 
include enhanced security features on the card, the MasterCard 
address verification system, and our proprietary fraud 
reporting system which helps identify fraud at merchant 
locations and allows us to better focus our global merchant 
auditing programs.
    We also offer a program to our issuers called Risk Finder, 
which assists issuers in proactively identifying fraud. These 
and other MasterCard tools have proven extremely effective in 
protecting cardholders and the security of our systems.
    I would now like to discuss a recent example of how we 
addressed a problem when it occurred. There was a recent 
incident involving a data processor called DPI, Data Processing 
International, who was acting as a service provider to a 
MasterCard member bank in Ohio, which, in turn, was providing 
bank card processing services for merchants.
    Earlier this year DPI detected that someone had obtained 
unauthorized access to its system. Although it is not clear at 
this point how much data the hacker successfully exported from 
DPI's system, we do know the hacker potentially had access to 
approximately 10 million Visa, Discover, American Express and 
MasterCard payment card account numbers.
    Once DPI detected the problem, they took action, and 
quickly notified the Secret Service and FBI as well as affected 
payment card companies. MasterCard immediately took decisive 
action to protect its systems, its members, and most 
importantly MasterCard cardholders from fraudulent activity 
related to this breach.
    MasterCard interviewed the appropriate people at DPI in 
order to determine the nature and scope of the breach. 
MasterCard gathered the payment card account numbers and 
forwarded them to the appropriate issuers via our MasterCard 
alert system.
    MasterCard hired a third-party forensic firm to act on 
MasterCard's behalf during the investigation. MasterCard 
remains in ongoing contact with issuers of the card numbers 
that were involved. I am pleased to say that it does not appear 
that these numbers have been involved with unusual activity as 
a result of the DPI breach.
    As a final point, I would like to note that law enforcement 
agencies have done a commendable job in investigating this 
breach. MasterCard works closely with these organizations and 
greatly appreciates their efforts to resolve this issue.
    MasterCard continually strives to provide its members and 
MasterCard cardholders with strong protections. And we will 
continue to develop new strategies and tools to prevent those 
who seek to do harm from succeeding.
    I would like to thank the subcommittee for inviting me to 
discuss these issues, and I would be pleased to answer any 
questions you may have.
    Chairwoman Kelly. Thank you, Mr. Brady.
    [The prepared statement of John J. Brady can be found on 
page 86 in the appendix.]
    Chairwoman Kelly. Mr. Hendricks.

 STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, ``PRIVACY 
                            TIMES''

    Mr. Hendricks. Thank you, Madam Chairwoman and Mr. 
Chairman.
    A lot of times in the privacy community, we like to talk 
about Supreme Court Justice Louis Brandeis, who wrote 
eloquently about the importance of privacy in a civilized 
society. But, he is also the one who wrote that sunshine is the 
best disinfectant, and one of the themes throughout my brief 
talk today is the importance of sunshine, that to improve 
privacy you need sunshine and transparency. Just by having this 
hearing today, you are bringing sunshine to a very important 
issue, and providing a vital public service. I really commend 
you for that. And again, thanks for the opportunity.
    A few fundamental observations. The problem that we are 
discussing today, of hacker access to sensitive data, data 
leakages and identity theft in general, is going to get worse 
before it gets better.
    There are several reasons. One is that we have now in our 
society many databases filled with personal data, and they, 
to me, are the electronic equivalent of swimming pools without 
fences around them. They are attractive nuisances.
    The reason they are attractive is because our personal data 
is worth a tremendous amount of money to many organizations, 
and the criminals have figured this out.
    The other thing is that identity theft losses are still a 
fraction of the overall revenue generated by the credit 
industry. So to this point, the Tower Group has just released a 
report saying that they don't expect any major changes in the 
practices of financial institutions because it can still be 
written off as a cost of doing business.
    I don't know if that is going to be very helpful to the 
people who would be the victims of identity theft, though. In 
addressing these problems, as I mentioned the lack of 
transparency is a major issue that comes from all of those 
cases. Thousands upon thousands of entities, large and small, 
have instant electronic access to very sensitive data on over 
200 million Americans.
    Consumers generally don't enjoy that same kind of instant 
electronic access to their own data. We must move toward a 
society in which they do, and I will explain why and how.
    Also, there is a lack of sunshine when things go wrong, and 
that is the issue of, are people going to be notified when 
their security is compromised. Currently there is not a 
requirement of that.
    I will talk about the culture of security that is really 
needed, and we must develop and advance. Also another problem 
that comes from all of these cases is the over reliance on the 
Social Security number.
    Now, in the Teledata Communications case, which I think is 
one of the more important cases we are discussing this morning, 
you see access as a vital part of the problem and the solution. 
If those 30,000 victims would have had instant electronic 
access or alert providing them that there had been activity on 
their credit report, and one of your constituents from New York 
or Alabama or Arizona saw there was an inquiry on their credit 
report from Texas Energy Supply, which is one of the 
institutions used for fraudulent access, then they would have 
known something was wrong.
    In fact, the credit bureaus have already started offering 
this service, and they have discovered it is a very good 
revenue stream. The problem is, they are charging as high as 
$79 per credit bureau to get a credit monitoring service. If 
you multiply that by all three credit bureaus, that can run 
over $200.
    It is a good business, if you can collect people's data and 
sell it back to them at that price. But we should remember that 
the Fair Credit Reporting Act gives you a right of access to 
your credit report, and caps how much they can charge for it. 
Yet there is no cap for these sorts of monitoring services. I 
see moving toward a system where we are plugged into our 
personal data as being an important part of the solution.
    So we should encourage that and see the economies of scale 
and can make it a win-win for everyone. This is also a model 
for the financial world. There are going to be databases of 
sensitive financial information kept by financial institutions 
that could fall outside the Fair Credit Reporting Act. I think 
that access is going to be a very important issue to address 
those problems as well.
    Also, I was concerned in this case with the lack of 
security in the TCI case. Because most of the credit card 
companies, and Mr. Brady can probably speak a lot about this, 
have software that monitors our purchases and activities, so 
they can spot suspicious patterns of activities.
    To my experience, I have not seen evidence that the credit 
bureaus are using this, even though this was a case where there 
was suspicious activity over and over again.
    In the TriWest case, I think one of the most important 
lessons emerging is the fact that the Social Security number 
should not be used as an identifier, and really this is a 
societal problem and a Defense Department problem, that they 
require that the Social Security number as an identifier, and 
just proposed a new rule to make it the health identifier for 
soldiers.
    I really fear that we will have soldiers returning from the 
Gulf War to find that they are victims of identity theft, 
because of over reliance on the Social Security number. We can 
explore more of this later in questions if you like.
    In the DPI merchant services cases, I think what was most 
troubling was the secrecy that surrounded the problem. At first 
they only revealed that there was a hit of credit cards. They 
wouldn't disclose who--that DPI merchant services was the 
credit card processor. Then they disclosed that.
    DPI told the Detroit News that consumers who were concerned 
about this should contact their issuing banks. Yet then they 
declined to name which of the issuing banks were hit. There was 
no systematic way. Then Visa levied substantial fines in the 
matter, but wouldn't say who they levied the fines on or for 
what amount or for what purpose.
    So basically, this sort of secret society was saying, ``we 
will make sure that your personal information is corrected, but 
don't you worry your pretty little head about it.''
    I think the model for addressing this is California, which 
has passed a new statute, which takes effect July 1, which 
basically requires notification of individuals when their 
information is compromised in these sort of breaches.
    What I like about the law is the flexibility it includes, 
and I mentioned this in my testimony. The notice can be in 
writing, electronically, in accordance with the Federal 
E-signature law.
    Mr. Hendricks. If the cost of notice were to exceed 
$250,000 or were over 500,000 people, you could do it through a 
combination of different ways and they list some of the ways 
you could do it. Whenever you have a privacy problem, 
reasonableness is the standard for the solution. Any solutions 
have to be reasonable given the context. It is really case-by-
case.
    The final thing is that when we have the issues of identity 
theft, as some of your witnesses have said, the main problem is 
the problem of cleaning up the polluted credit history. It is 
time-consuming, energy-consuming and very emotional and 
distressful. So the idea of having us plug into our credit 
reports and having a more instant means of communicating with 
our own data is an important part of the solution.
    Thanks.
    [The prepared statement of Evan Hendricks can be found on 
page 105 in the appendix.]
    Chairwoman Kelly. Thank you, Mr. Hendricks. I am going to 
ask you, Mr. Hendricks, a couple of things. Having had my 
credit card number stolen, my 95-year-old mother-in-law had her 
credit cards stolen last week, and she has called me and said I 
still have my credit card but the bank just called me and said 
that my credit card number has been stolen and they are going 
to give me a new credit card. She didn't really understand it. 
My point is MasterCard called me when my number was stolen. The 
issuing card company called my mother-in-law, the bank called 
my mother-in-law. Since this is already being done, I wonder if 
you have ever estimated the cost of what it would be for banks, 
people, anybody to have to notify their customers, since there 
are millions of us.
    And after you answer that question I am going to go to Mr. 
McIntyre and talk to him about his cost. So what do you think 
that cost is going to be?
    Mr. Hendricks. I don't know. I have not calculated the 
cost. I would love to raise the money to do a really 
authoritative study on that, because I think it is important. 
But that is why I agree that there are cases where you have--
your solution has to be reasonable to the problem. And if you 
don't see evidence of crime happening then you can find more 
general ways to try and issue notice. What I don't think is 
acceptable is that if you have a system where you know there 
has been a hit of 10 million numbers, if you simply can't even 
find out which banks--if you are trying to find out if my bank 
has been hit, you can't find that out, that is a lack of notice 
I think that is unacceptable.
    Chairwoman Kelly. Given the free market one would hope that 
the banks themselves would do some notification and do that 
pretty quickly. But you sat there and testified that you felt 
that the DOD should no longer use Social Security numbers as 
identifiers. I am wondering--what clicked immediately in my 
mind is how much is that going to cost?
    Mr. Hendricks. DOD, I am told by a fairly authoritative 
source, has a system--because a lot of soldiers do not have 
Social Security numbers or their dependents in the health care 
arena might not have Social Security numbers. So they already 
have a mechanism for generating another random number that can 
serve that identification purpose. We see this in a lot of 
other places. You go out there in the Department of Motor 
Vehicles in the District of Columbia and because of problems 
they had with Social Security numbers being compromised now for 
the last few years they will give you a randomly generated 
number for a driver's license number. If you want your Social 
Security number to be a driver's license number you have to 
request it.
    So I don't think there is a tremendous amount--in this case 
the benefits far outweigh the cost, considering how we are 
seeing these leakages and the rise in identity theft.
    Chairwoman Kelly. Well, as a Congressperson we have to be 
responsible for the way we spend the money. So we need to get 
some kind of cost estimate.
    Mr. McIntyre, I now would like to ask you a question about 
how much it cost your firm to do the notification that you did. 
You certainly acted responsively. I think you were a model in 
the industry to show how rapidly and how proficiently people 
could access the fact that their information had been stolen. 
You did a number of things that had to have a bottom line cost. 
What did it cost?
    Mr. McIntyre. We had a lot of people cooperating and 
helping us in that process and we are grateful to all of them, 
including our colleagues in the Department of Defense. We have 
spent about a million dollars to date. That is the real hard 
cost. That is not the cost of having people work around the 
clock in our company, which we did from the 23rd of December 
all the way through the 3rd of January. And their impacts to 
the individuals who were involved in the Defense Department as 
well. So our real actual financial out-of-pocket cost is now 
about a million. We are not done with this issue. We cannot 
take our eyes off this issue nor in my opinion should we take 
our eyes off this issue until either the perpetrator is caught 
or we and the Defense Department are collectively convinced 
that there is no more risk to the consumer from this information 
being potentially in someone's hands.
    Chairwoman Kelly. Mr. Mitnick, what is the single most 
important step that financial services companies can take to 
protect large consumer databases? Is there any one thing that 
you would point out?
    Mr. Mitnick. I wouldn't say there is one thing. It is 
really a mixture of people, security processes and technology, 
and developing an information security program, because the 
attacker or the bad guys are going to look for the weakest link 
in the security chain. If they can exploit physical security 
weaknesses like with TriWest or potentially technical 
weaknesses like DPI, the bad guys are going to get the 
information. And again, I look at the information that is out 
there like the Social Security number. Anybody with a credit 
card and access to the Internet can access a variety of online 
information broker Web sites and obtain anybody's Social 
Security number. It is out there for sale. So it is really a 
difficult issue when this information is readily available and 
this information could be used to apply for extensions of 
credit.
    Chairwoman Kelly. Thank you.
    Mr. Brady, I want to know what action you can take against 
a member bank that violates your safeguards. Have you ever 
taken action against--well, let me put it this way: Have you 
taken action against the member bank with regard to the DPI 
case?
    Mr. Brady. I would be happy to talk to you about the DPI 
case. I think the DPI case is an illustration of how the system 
works, how the rules work in this case, such as the immediate 
notification to us and our ability to protect the consumers by 
getting the card numbers out there. And I can tell you this: 
the DPI case with my input is being reviewed by senior 
management. What I can further tell you is we have some 
seriously big sticks that we can apply in this case. I think 
you will see something probably in the next couple of weeks in 
the public domain with exactly what our position is in the DPI 
case, what specifics. So I have input into it, but I don't want 
to go into great detail about it today other than to just let 
you know that it is being looked at, it has reached the most 
senior part of MasterCard and that we have definitive rules 
that can be applied in this case and will be applied.
    Chairwoman Kelly. Thank you. My time is up. Mr. Bachus.
    Mr. Bachus. Mr. McIntyre, you mentioned the truncating 
problem with merchants, people picking up the Social Security 
number and using that. And just on reading the paper, at least 
my impression is that a lot of identity theft and people using 
people's credit cards is someone at the merchants getting that 
information off the receipt. And Mr. Mitnick mentioned the fact 
if you truncate the credit card, you mentioned that too. And 
first of all, and I am sure--Mr. Brady, could you comment on 
this--it is my understanding that credit card companies are 
going to start requiring their merchants to do that in the very 
near future anyway. So I think that problem will be----
    Mr. Brady. If I could. That is absolutely true. That has 
been a practice with ATM receipts and receipts when you go to a 
gas station, truncation for years. But both card associations 
are moving to that. That will be happening within the next 2 
years, so you are absolutely correct. That has already been 
addressed.
    Mr. Bachus. Can you give us a target date on when that 
might happen?
    Mr. Brady. I can't give you the exact target date, but I 
believe it is 2005. But I will confirm that and get back to you 
on that.
    Mr. Bachus. See if it could be speeded along. Mr. McIntyre, 
you are talking about truncating and in the situation of a 
merchant, but let's go back to your situation. Did you truncate 
the Social Security numbers?
    Mr. McIntyre. No, sir. Currently we are required to use the 
Social Security number in its full breadth when we communicate 
certain information. That is a topic that is under discussion, 
and I will be making some recommendations to the Department of 
Defense for the health care system in that area. The important 
thing to understand, though, is we didn't e-mail the numbers 
out. They didn't get released on a paper. Someone stole the 
hard drives. And in doing it in the configuration that they 
were in at that time it was a database that allowed them to 
have access to the full Social Security number.
    Mr. Bachus. Aren't there programs where even when they go 
into your database it can be programmed to where they can't 
pull that out?
    Mr. McIntyre. There is some amazing technology available in 
the marketplace that I have actually put in place in our 
organization over the last several months. The fact of the 
matter is, though, if you go to today's standard it is not good 
enough 6 months from now. And the challenge in this area is 
there is so much growth in technology and it is changing so 
rapidly. Those little Blackberries that we all carry, those 
weren't available a year ago. It is changing so rapidly that we 
have got--this is something that you constantly have to stay on 
top of.
    Mr. Bachus. Let me ask you this. The cost has been 
mentioned. You spent a million dollars but actually the credit 
bureaus--Mr. Pratt, I think he represents those companies--
didn't they spend about a million and a half apiece? Did you 
testify to that on TriWest's case?
    Mr. Pratt. One of our member companies did run the numbers 
and spent about a million five.
    Mr. Bachus. Who pays for that if we were to design 
something and requiring someone to?
    Mr. McIntyre. I pay for my own cost, which I assume is what 
that organization is going to do. One of the reasons why they 
were willing to move to a process by which we could assist them 
in filing the fraud flag is to reduce that expense. So we took 
on that burden, which we willingly do. I don't have any problem 
with the million dollars I spent. I want to state that very 
clearly.
    Mr. Bachus. What I am saying, Mr. McIntyre, information was 
stolen from TriWest but it resulted in a million and a half to 
one of the credit bureaus.
    Mr. McIntyre. Actually the way it works, sir, when the 
information is compromised the most effective things the 
experts tell you that you can do if you have lost the type of 
information that was stolen from our organization is to get out 
in front of the issue as a consumer and file----
    Mr. Bachus. I am not arguing with the fact it was done. I 
am just pointing out----
    Mr. McIntyre. The only place you can go is to those credit 
bureaus.
    Mr. Bachus. It was great that they did it. I am just saying 
other people, as a result of that theft at TriWest, there were 
other companies that incurred expenses of--actually greater 
expenses than TriWest or comparable expenses.
    Mr. McIntyre. No question about that. That is why hopefully 
when they catch the person we can figure out how to be more 
creative than just use the maximum 5 years, $250,000 penalty.
    Mr. Bachus. Mr. Hendricks mentioned this. You know, as far 
as notice in all cases, when you say notice in all cases what 
if it interferes with a law enforcement investigation? What if 
the information that you get is not usable? I mean, I guess I 
am saying when you say notice in all cases, would you like to 
qualify that?
    Mr. McIntyre. One has to be very careful about under what 
situations you are deciding to provide notice. Where you end up 
in a case where the experts would tell you there is sufficient 
information to misuse it and obtain credit, that certainly is 
an area where you need to do notice. That is what happened in 
our case and what has happened in a series of cases.
    Mr. Bachus. I understand that. So actually notice in all 
cases really is notice in all cases where it would be 
reasonable to assume?
    Mr. McIntyre. Absolutely.
    Mr. Bachus. Not actually in a case where the information 
wasn't usable or there wouldn't be any reason to notify?
    Mr. McIntyre. And I think that California's standard is one 
that is worthy of looking at. They do talk about reasonable 
notice, reasonable timeliness under reasonable circumstances.
    Mr. Bachus. That is what--and rush to notify in all cases. 
I think, you know, there are times when it is not reasonable.
    Mr. McIntyre. Agreed.
    Mr. Hendricks. May I comment on that? First, you have a 
reasonableness standard. I think my point is that the default 
should be that there should be notice. The general rule should 
be the notice and you have to justify when and why there will 
not be a notice. What is also important here as we talk about 
costs is look at the costs we have identified already just from 
the lax security procedures, what the credit bureaus had to 
spend to give people this rush of access to their credit 
reports, to the notice that TriWest had to do to notify a 
million people. Please don't forget the cost to the individuals 
that then have to spend time and emotional energy working on 
that. These are very costly matters if we don't get them right.
    Mr. Bachus. If you all would like to respond. Do you have 
any comment on that?
    Mr. Pratt. Well, in terms of the broader discussion, we 
agree that, first of all, not every security breach ends up in 
large scale, for example, identity theft. Doesn't mean that 
some don't. An example is in California 200,000 state 
employees' records were ostensibly or allegedly stolen. Our 
member companies cooperated with that breach as well. So there 
are 200,000, there is 562,000 and the risk potentially of 10 
million over here. So you can see where the concern rests.
    We have tracked the 200,000 out of California and have not 
had a single incidence of identity theft related to that. Now 
does that mean we should do nothing? Of course not. But there 
is a lot of qualification that has to be gone through and 
deliberative process that we have to work our way through to 
make sure we are doing the right decision at the right time. In 
all of this obviously our members believe that if we have had 
our information breached it is a responsibility we have to take 
seriously, not just under fair credit but it is the right steps 
at the right time for the consumer, and, no differently than 
any other industry represented here at the table, we are going 
to take the right steps for the consumer.
    Mr. Bachus. I think you are in the better position in most 
cases than people who don't have all the facts.
    Mr. Brady, would you like to respond?
    Mr. Brady. I guess I would like to respond specifically to 
DPI and how it relates to this, because I think what you have 
to understand in the DPI case is that there has not been fraud 
on those accounts. And we notified the issuing banks promptly 
of the issue and the issuing banks in turn may notify their 
cardholders; in some cases they notified their cardholders. But 
the message I want to send here is one of let's not create 
panic here. You will read the headlines that something bad 
happened but the by-line on page 6 is that something good 
happened. And yes, something bad happened at DPI. But the 
message is that a lot of good things happen. There are a lot of 
people behind the scenes protecting the integrity of the 
process.
    Mr. Bachus. I think by talking about them to a certain 
extent allows people to--you know, Mr. McIntyre was telling me 
that happened to him, actually happened. There was a bank that 
had something very similar. Had he had notice of that, he 
probably could have avoided this entire incident. So I believe 
by highlighting this and taking steps that we are already 
preventing a lot of that and some of the proposals on the 
table.
    Mr. Mitnick. I have to ask a question of why would these 
companies not encrypt the credit card and financial information 
that is in their databases. Because if the bad guys are able to 
break into these systems the information is unintelligible. So 
maybe that is a standard that should be considered in the 
industry.
    Mr. Bachus. Certainly if that happens notifying people 
would actually--I think that would be a downside. That would be 
something you wouldn't want to do.
    Chairwoman Kelly. Mr. Mitnick, what would that cost?
    Mr. Mitnick. What would the notification cost or the 
encryption? Well, there are different cost factors. If you 
encrypt stored information it is relatively inexpensive. If you 
are encrypting data in real time it is expensive. The actual 
dollars and cents I don't have at my fingertips at the moment.
    Mr. Pratt. I can attest to that. We operate as an 
association information exchange at financial institutions. 
When we have to hire three different terms to management in 
description process and testing on a monthly basis for 
penetration, it is staff, it is outside resources, it is 
internalized resources, it is software programs. I think Mr. 
McIntyre said it just right in every 6 months you have to 
change everything because you have to ramp up to a whole new 
standard because the criminals are moving almost with you and 
keeping pace in a lot of cases.
    Mr. Mitnick. Not necessarily with the encryption as long as 
you are using an algorithm that has been widely accepted and 
you are changing keys on a frequent basis. So that is my 
comment for now. I had something, but it slipped my mind, that 
I was going to say.
    Chairwoman Kelly. Mr. Shadegg.
    Mr. Shadegg. Thank you. Let me begin, Mr. McIntyre, with 
you. Your testimony doesn't go into great detail about the 
break-in. I think it might be helpful if we heard a little bit 
more about how it was accomplished, how you discovered it.
    Mr. McIntyre. Yes, sir. I will be as detailed as I can be 
given the fact that it is still under Federal investigation 
with the FBI, the Defense Criminal Investigative Service, and a 
number of other entities, and hopefully they will crack it 
soon. But we suffered a theft following another theft, and what 
happened on this particular Saturday at a building where we 
have no signage on the doors on the building that we are there 
is that someone broke into the property management office for 
that site and stole the master electronic key in order to enter 
our suite. Totally undetected. Many of the offices around here 
have those proxy cards. It allows you to know who is going in 
and who is going out, what time they go in, what time they go 
out, and their identity. And so it was a fairly sophisticated 
job. Was it an insider job? We don't know. The authorities 
don't know. They visited with 150 different people. They 
polygraphed a lot of folks. They have caught other people who 
have been engaged in other similar crimes, but not ours in the 
process of this investigation. And we have a very serious 
problem in Arizona as it relates to this issue, as you well 
know.
    Mr. Shadegg. It has already been brought out in your 
initial testimony and questioning that you were required to 
maintain Social Security number information for these 
customers.
    Mr. McIntyre. Correct.
    Mr. Shadegg. It seems to me and, as you know, I have put a 
lot of time into the health care industry, are we 
disadvantaged, are we doing ourselves a disservice to require a 
single number like that and to have--and to, for example, 
require you to use it? I take it you use the Social Security 
number because of a DOD reg and DOD is using Social Security 
numbers by choice, presumably not by statute?
    Mr. McIntyre. Forty years ago they used to use an ID number 
and they switched to Social Security numbers. I am not an 
expert in why they switched and what the complications were 
that led to that. Probably somewhat trying to remember what all 
your different numbers are because I can't remember my PIN 
number if I have been up all night. So there are different 
issues that would lead one to do that. My Blue Cross/Blue 
Shield card that I carry in my wallet has my Social Security 
number on it. So this is something that we all--I think you all 
need to take a look at. Where is that really necessary and what 
are the complications if you are going to move away from that? 
We are required to use them in our current contract.
    Mr. Shadegg. To that point I would like to ask any member 
of the panel that wants to make a comment. Do you think numbers 
should be further restricted, the use of Social Security 
numbers, and should the DOD be using a different number than 
their Social Security? When I was on active duty in the 
military they used four digits of my Social Security number and 
it seems to me it is too broadly used. Anybody have a comment?
    Mr. Hendricks. I would like to comment on that because I 
think, yes, pending a study of the costs, the actual real 
costs, they won't be hard to calculate, I think we should 
basically place a moratorium on further use of Social Security 
numbers. It is already required by banks and employers and we 
have passed laws and we have this. But it is such an instrument 
of choice by identity thieves and it increases the value of 
information and the incentive for stealing it. So I think that 
we should look toward having--especially in the health care 
field it is very problematic that the Social Security number is 
used.
    The last thing you should remember is you didn't have time 
to fit the most recent case onto your agenda. That is the 
University of Texas, who got hit by an outside hacker. He was 
hitting their system with random Social Security numbers and 
once he found one it would suck it out of the system and was 
able to get thousands and thousands of Social Security numbers 
through this program. The University of Texas official said 
this was a mistake. We should not have used the Social Security 
number. We are changing. So I think we should do this more 
systematically instead of lost and found, by trial and error.
    Mr. Shadegg. You said pending a study of cost. It looks to 
me there are costs everywhere here. We will have cost to notify 
everybody. Mr. McIntyre recommended that there should be an 
obligation to notify everybody. I think that ought to be 
universally true. But that is expensive. Mr. Mitnick commented 
about encryption and then we discovered you can encrypt stored 
data but not current data. It is the current data that is at 
least viable. So it seems to me we are going to face costs to 
secure these systems no matter what. Go ahead.
    Mr. Pratt. I thought I would set this into context a little 
bit. We do have a difficult time in our society today with 40 
million consumers moving every year, 3 million last names 
change due to marriage and divorce, about 6 million or 7 
million second homes in this country with a lot of folks who 
move in between those two homes. There is a lot of flux in the 
ways we think about identifying ourselves. When you and I think 
about ourselves and we look at our own mail coming in the door, 
we go I know who I am and I know what my information is. For a 
database like a consumer credit reporting database which must 
have reasonable procedures to assure maximum possible accuracy 
of the information in the file, that is what the Fair Credit 
Reporting Act tells us, it would be very hard for us to build 
an accurate database if we did not have the Social Security 
number at least for those internal accuracy purposes.
    I think one of the issues that we haven't framed the 
question quite this way is access by the general public to 
Social Security numbers different than the use of the Social 
Security number in certain matching processes internalized, 
which allows us to build more accurate databases.
    Mr. Shadegg. Mr. Mitnick.
    Mr. Mitnick. It is fine to use a Social Security number, 
but not to authenticate the person's identity. I think that is 
where the mistake is being made. I know it is a very expensive 
proposition, but the problem is people's Social Security 
numbers are readily available. There is--for example, the U.S. 
courts have PACER, public access court electronic records, and 
anybody that has had a bankruptcy, anyone could subscribe to 
the service and look at the party's Social Security numbers. 
They are there for anybody's viewing. Social Security numbers 
are easily obtainable and to use them as a means of 
identification I think is a mistake.
    Mr. Shadegg. Speaking of the government's complicity in 
this, Mr. McIntyre, isn't one of the cases that you have in 
this summary the result of the United States Senate publishing 
Social Security numbers?
    Mr. McIntyre. Yes, sir. I learned from a number of our 
Nation's distinguished general officers that they received 
training when they become a general officer on identity theft, 
and they receive that because there was a practice up until the 
late 1990s when on their confirmation in the Congressional 
Record their Social Security number and name was printed. 
Someone went out, published that on the Internet, it was taken, 
they ordered credit and abused the credit of those general 
officers. The striking thing to me was that criminal got only 2 
years and 9 months for that crime. And it takes longer for 
those people to clean up their credit records than it did for 
the penalty that the criminal got.
    Mr. Mitnick. One other case, I believe it was a New York 
busboy had obtained the personal identifying information of 
celebrities that were like the top 100 and started obtaining 
their identity credentials and applying for credit. That was a 
huge case out of New York that you might not be aware of.
    Mr. Pratt. If I could add one point, I have heard Mr. 
McIntyre say several times it takes longer for people to clear 
up their credit history than it does for the perpetrator to 
remain in jail. I appreciate his enthusiasm for quoting some of 
the consumer groups in terms of that statistic. We are 
processing consumers every day successfully through consumer 
dispute processes. We recently looked at 5,000 credit reports 
where security alerts have been added to see if additional 
activity occurred in those files. In one-half of 1 percent of 
the cases was there ever even a subsequent dispute relative to 
that set of 5,000 cases where we had added security alerts to 
the files.
    I have to resist the characterization of our entire 
industry of being slipshod and unable to keep information out 
of the file and unable to be responsive. What is happening, and 
this is why in our initiatives that you will see in our 
testimony, it is a longitudinal crime. It isn't like burglary. 
It is over a period of time. So in some cases we are able to 
correct the initial information in the file but there is still 
crime occurring or there is still more bad information on its 
way to the credit bureau file.
    So understandably from the consumer's perspective, that is 
all the same thing to me. But from our perspective we are 
wrestling with trying to keep the right information in the file 
for safety and soundness purposes, which is of course important 
to this committee, and at the same time to keep the fraudulent 
information out of the file, which is something that we believe 
is a top priority job, one for us just as it would be for 
anybody else.
    Mr. Shadegg. In defense of Mr. McIntyre and those consumer 
groups, I can tell you that my constituents who brought the 
first legislation to me they spent far longer than 2 years and 
9 months trying to clean their record up, indeed probably four 
or five times that length of time.
    I guess the problem I have is the reality that both 
summaries are wrong and really the real problem is how long it 
takes to apprehend them, because in most cases they are not 
apprehended at all.
    Before the earlier act passed the response of law 
enforcement--and I know this is not your responsibility--the 
response of law enforcement was to say this isn't a crime. They 
may have stolen your identity but until they use the credit and 
you can show me the credit then I have a credit card fraud 
case. And, by the way, I am only interested in that credit 
fraud case if you live here and the credit card was used here. 
If the credit card was used in Pennsylvania and you live in 
Phoenix, Arizona, I don't care. So we have a serious problem we 
have to address here.
    I want to conclude by asking Mr. McIntyre if you would 
describe how the fraud alert security mechanism works and what 
changes or improvements would you suggest making to it?
    Mr. McIntyre. I am very grateful to the credit bureau 
industry for what they have done. I am sorry that my remarks 
were misinterpreted, because I actually think that the Federal 
laws need to be enhanced and the penalties. I think the bureaus 
have done a good job of helping protect consumers wherein they 
have been notified and they are aware they can get that 
protection.
    What I was advised to do was to contact the consumers, let 
them know this had happened. Because the most effective thing 
you can do when this occurs and you have information in the 
public domain that could potentially be used to create credit 
and misuse it is to put a fraud flag on your file. What that 
does is it notifies those that may be interested in granting 
you credit or may be contacted to grant you credit that they 
need to verify you are who you say you are so your identity 
isn't misused and you end up with a subsequent problem. That is 
why we took that action. We were advised by the bureaus and the 
FTC that was the best thing to do in this case.
    What I have discovered, together with the bureaus, is that 
we do need a process by which corporations that are willing to 
do this on behalf of their customers can do it. It helps the 
bureaus reduce cost and it helps the customer reduce the 
hassle, because it was on average taking 3 hours for people to 
go through this process just because of the sheer weight of the 
volume that had been put onto the back of the credit bureaus.
    The second thing I discovered is that in order to keep 
people protected I now have to notify people every 90 days that 
they have to go out and update their fraud flag because each of 
the credit bureaus is on a different cycle. One of the credit 
bureaus requires an update every 90 days. One of the credit 
bureaus requires an update every 6 months. One of the credit 
bureaus requires an update every 12 months. I think it 
would be helpful for them and for us and for the customers to 
have that in alignment.
    The issue I face now is when I update people in the next 4 
weeks that unless the crime has been solved, and I will update 
them about that, but their information is potentially still at 
risk. Guess what, some of my customers are now deployed. Their 
fraud flags could drop if I don't make sure and the credit 
bureaus together with me don't make sure that stuff stays. So 
we are talking to the credit bureaus now and we are going to 
talk to the Defense Department and the lawyers to figure out 
how do we get around that problem.
    Mr. Pratt. In fact, every one of those consumers when they 
contacted the credit bureau can add a 7-year alert to their 
file. So that once you contact the bureau what we are talking 
about is two different things. The temporary alert is added by 
the credit bureau without a question. In other words, the 
consumer said I want you to believe me at least to a certain 
extent, I don't have to go through a bureaucracy just to get a 
fraud flag on the file. The key here is once the consumer 
receives his or her file disclosure and goes over the report at 
that time a 7-year alert can be added to the file and our 
member companies are consistent across the board in adding 7-
year alerts. So I think there is a difference in practice, or 
at least we need to clarify the practice here.
    Mr. McIntyre. I would suggest in cases where the crime may 
actually be solved because there is lots of focus of law 
enforcement on it that the hassle of having a long-term alert 
may not necessarily be the right action. But I am not an expert 
in this area.
    Mr. Pratt. Of course after a consumer discovers that he or 
she is safe we will voluntarily remove that alert any time 
during the 7-year period.
    Mr. Shadegg. I know I have more questions, but my time has 
long since expired. I will yield back. If there is a second 
round, I will take advantage of it.
    Chairwoman Kelly. Mr. Renzi.
    Mr. Renzi. Thank you, Madam Chair. Appreciate your 
testimony and traveling all the way out here, especially from 
Arizona, and sharing with us the sophistication behind the 
theft operation and particularly that struck TriWest. Many of 
you know, particularly my friend from Arizona, I am the father 
of 12 children, 7 boys and 5 girls. I am particularly concerned 
about the niche as it relates to how we take care of the 
children's identity that has been stolen. If the identity of 
the parents had been stolen, name, address, phone numbers, 
everything, then obviously also the child's address. We go back 
to the days of those spy movies where they would take identity 
theft out of the obituaries. We now move forward into 
electronic theft, full and complete information provided not 
just on adults but on children. You can imagine a child of 5 or 
6, 7 years old having their identity stolen from them and then 
yet no flags go up until they are about 18 years old, 16 years 
old and all of a sudden for the last 10 years their identity 
has been stolen, their identity has been used.
    So I would ask what kind of remedies, and I know there is 
some talk in this area, what kind of remedies are you looking 
at, what kind of means are we putting together to help protect 
our children?
    Mr. McIntyre. I can't respond to that part of the question, 
but what I can tell you is we did many responses to that issue. 
We looked at that. We were concerned about that issue. I have 
three young kids, so it is the question of what impact is this 
going to have on them. The fact of the matter is that in our 
case all of the information, the breadth of it, on the people 
over 18 was not also on the database for the people under 18. 
In some cases it was just their name. In other cases there 
wasn't any information because they were--the primary sponsor 
was the one who was actually on the database.
    What we did was we talked to the FTC, we talked to the 
credit bureaus, we talked to others who were experts in the 
industry what do you do, how do you deal with this issue? What 
we did was set up a database. The database can be reviewed by 
the primary sponsor to determine what information was on the 
stolen hard drives to determine what secondary impact it may 
have on them or their families and then to advise them of the 
risks if you add a fraud flag for kids under 18 who have no 
credit record, and then how you would go about doing that so 
that they could make an informed decision on their own, and 
then we have offered to assist them in that way.
    Mr. Hendricks. I would like to respond to that because I am 
working with some folks on a case right now where a young man 
from Alabama was mixed up with an older person from Arizona 
actually. Just an old-fashioned mixed file case based on a 
similarity in Social Security numbers. They weren't the same 
but because the algorithms, if they are just one or two digits 
different they will merge the files. What is troubling in the 
case is the young man from Alabama is basically being assigned 
unpaid debts from when he was like 12, 13 and 14 years old. So 
you would think the system would identify that at his age he 
wouldn't have been able to incur those debts. But they don't 
seem to have a system in place. He has had a terrible time 
getting his files unmixed. His mother has gotten involved. So 
when he became of age and his rite of passage, when he got to 
apply for credit he was rejected. So there are some very old-
fashioned problems in this system.
    Mr. Mitnick. In certain States like California, Texas and 
Kentucky birth records are public record. You can go onto the 
Internet and look up anyone's birth record which gives 
criminals the ability to apply for that person's birth record 
because all they need to do is send a letter to the Department 
of Vital Statistics, give them the information on the birth 
certificate, they get a certified copy of the birth certificate 
back, and they become that child. They can get extensions of 
credit set up and the account at the credit bureau. So that is 
a problem that certain States have, birth records in the public 
domain.
    Mr. Renzi. Thank you. One of the things I know that is 
being kicked around as a remedy is the idea--Mr. McIntyre, I 
appreciate you mentioning it--is that those children who have 
had their identities stolen from them would have an alert or 
flag put on their credit. So that if anyone was checking their 
credit, if anyone was using their credit, even when that credit 
was being checked it would warn the person checking the credit 
that, hey, this is a stolen identity. Let's say a child goes 
through 10 years of that and then all of a sudden it is time 
for them to use their credit. What I worry about on the alert 
system is how do you then take it off? What detail is provided 
to show that child was innocent? So as we look at remedies we 
also not only impose the remedy to protect the child but then 
the release in order to have the child given back.
    Mr. McIntyre.
    Mr. McIntyre. That is exactly why I felt uncomfortable 
making the decision to advise people on what they ought to do 
and that it made more sense to lay out the facts so that every 
parent who might otherwise have someone on that list could look 
at the information that was there and make an informed decision 
on their own, and each parent needs to do that.
    Mr. Hendricks. I agree this fraud alert is kind of a 
sledgehammer. It is sort of all or nothing. And I think what is 
common if you have a problem, you say we don't want my 
information used for pre-screened offers, too. So you wipe 
yourself from all those. Obviously we need a finer tuned system 
so you can really sort of go in with the scalpel and fix 
problems. But that is what we have now. To me that is why it is 
very important to have instant access to your credit report so 
you can see what is on it and what activity has there been on 
it. That is the best way you can keep it accurate.
    Mr. Mitnick. How about developing a partnership with the 
Social Security Administration so these companies could 
determine the age of the person requesting the extension of 
credit, verify that the name really did match the Social 
Security number, because it would be kind of strange for a 16-
year-old to be applying for a MasterCard.
    Mr. Renzi. Well said. Creative idea. I serve on the 
Veterans' Affairs Committee. At this point in our Nation's 
history we have got women with children, men with children in 
America who are being kicked out of their homes because the 
checks, their military pay doesn't get home in time. And we are 
looking at legislation that is going to protect our veterans 
and servicemen and women so that you can't move them out of 
their dwellings, you can't take away their cars if they are 
late on a payment. I am thinking how this might tie in this 
piece of legislation that we are working on in that if a 
serviceman or woman was to have their identity stolen, and 
since we are barely paying them enough anyway, the cost for 
them to get their identification back is going to be enormous. 
And that cost or that loss of revenues could then impact their 
ability to house their family, to provide decent 
transportation.
    Is there an ability or would you be in agreement, 
particularly Mr. McIntyre given the fact that you helped the 
TRICARE portion and how it affects our servicemen and women, 
would there be an ability to protect our servicemen and women 
as it relates to identity theft?
    Mr. McIntyre. I would be more than willing to look at that 
with you. You have described exactly why I have no qualms nor 
does my board to spend the kind of money and effort that we 
have had to spend. The thing that concerned me greatly about 
the case that involves us and the theft that was perpetrated 
against us and the information involved is because we are 
talking about people who serve all of us who do not make a lot 
of money and a blight on their credit report can be the 
difference between having a car, renting an apartment or buying 
a house. And so we felt an absolute obligation to do what we 
did. But I would be glad to work with you, sir, in that area.
    Chairwoman Kelly. Thank you very much. We have just been 
called for another vote. In the interest of time I am going to 
call on Mr. Moore and I am going to call on Mr. Fossella. I 
would like everybody to keep their questions and answers within 
the 5-minute period, please.
    Mr. Moore. Thank you, Madam Chairman. I wanted to just ask 
you a couple of questions, Mr. McIntyre. We have talked before 
and I appreciate the actions that your company has taken since 
the theft, the burglary and the theft to try to--and your 
personal call to the people but I wanted to ask, obviously I 
think it is in everybody's best interest that not only do we 
punish somebody who has committed a crime like this but we try 
to prevent it in the future and that is the best way to protect 
people, I think. I was concerned in reading some of the 
materials, I think in your State, that I think it was 2 days 
after the incident until you even learned that there had been a 
theft.
    What kind of security precautions did you have or security 
systems did you have in place on the day of the incident? And 
apparently they failed.
    Mr. McIntyre. I have been asked by authorities not to 
address all the details of the security systems and the like 
because they are still attempting to catch who did it, and FBI 
agents have interviewed over 150 folks and polygraphed a number 
in this area. What I can tell you is that we were the subject 
of a secondary theft. Whoever was responsible for this broke 
into the property management office, the place where we had 
this secondary office. They then stole the electronic master 
key which allows you to get into a locked door undetected, 
although it would read as though you were the property manager, 
and enter our suite. And that is how the theft occurred. Thus 
we weren't aware--it happened on a Saturday. We didn't learn 
about it until first thing Monday morning when our folks went 
in to turn on the computer and found out that the computer 
system did not work.
    Mr. Moore. Obviously there are video monitor systems and 
security systems and other precautions that can be taken to 
notify somebody if there has been an entry even if it appears 
to be an authorized entry, because at some point they had to 
steal the electronic key, isn't that correct?
    Mr. McIntyre. Correct.
    Mr. Moore. From your materials in your statement it appears 
that you have and I hope that you are taking substantial 
strides in trying to correct the system so something like that 
doesn't happen again. If there is an unauthorized entry, you or 
somebody would be notified immediately.
    Mr. McIntyre. I will tell you that we have brought in 
security experts, we have partnered with the Department of 
Defense. They are now looking at their entire system worldwide. 
They found deficiencies in their areas. But you know what is 
interesting to me about this is that in Arizona 6 months prior 
to the theft in our building, five financial institutions were 
hit with a very similar crime. A bank in Tucson was hit 6 
months prior after hours. Penetrated all the security systems, 
got through, stole the hard drives, left the bank with that 
information. And so this is something that unfortunately, given 
the rise of the prevalence of information and the like, that we 
have a real serious problem with in this country. That is why I 
think when it does happen, even if they are able to get beyond 
the safeguards, that is when we have to look at where are the 
responsibilities for notification.
    Mr. Moore. Absolutely. How long after the incident was it 
that you notified the Department of Defense?
    Mr. McIntyre. I notified the Department of Defense 
immediately when I discovered there was a problem. They then 
ran the database and we contacted the senior management in the 
Department of Defense, not the operations people who we had 
contacted the first day that we discovered it. We contacted 
them once we had the database fully run and knew what the 
extent of the problem was.
    Mr. Moore. Thank you. I will conclude by saying when these 
large databases exist and if in fact hard drives are stolen, 
not just data or information from a computer system but hard 
drives and there has to be a physical entry and I hope that you 
have told me and I trust what you have said that your company 
is looking at this very seriously and making sure this doesn't 
happen in the future. I think financial institutions, anybody 
else who has databases like this needs to take similar 
precautions.
    Chairwoman Kelly. Mr. Fossella.
    Mr. Fossella. Thank you. I will just throw out two 
questions and the second is sort of two parts and allow you to 
answer in light of the time here.
    First, Mr. Brady, in light of your efforts at MasterCard I 
am sure you are doing what you think is providing the highest 
level of security on the network. In your mind--if it has been 
asked before I apologize--in your opinion what would be the 
best thing that could be done to provide incentives perhaps for 
other companies to do as you are doing and in providing the 
highest level of security? And secondly, I will throw this out 
to all of you. If you can answer me, great.
    Earlier the Secret Service testified and argued, it seems, 
for a better working relationship or continued working 
relationship among different agencies and academic institutions 
to prevent what has been alluded to a number of times here. In 
your experiences how have those relationships been working and 
what, if any, ways can those be improved? And the second part 
of that question is the cost of prosecution and whether local 
or State or Federal prosecutors are doing what they can given 
the resources they have.
    I will give you an example. It has been argued that perhaps 
a local district attorney, given the nature of this type of 
crime, will say, hey, I have a limited budget here; in my view, 
the cost of following through on prosecution to indict with a 
conviction is going to cost me X amount of dollars, which could 
be, you know, such a disproportionate share of my budget that I 
don't have those resources to follow through. So are there any 
ways to, A, if in your experience that is true, and, B, if so, 
are there any ways in which those situations could be addressed 
in order to prosecute those crimes as efficiently and as 
swiftly as possible?
    Mr. Brady. Yes. I would like briefly to talk on your point 
of security. MasterCard, without getting into too much data on 
our security network, has a very robust network. We do outside 
penetration testing on networks to ensure they are secure and 
they are. One of the things that I really want today to bring 
out here, and I alluded to it before, was there is no need for 
hysteria because MasterCard is vigilant behind the scenes. When 
there is a compromise and the DPI hack is one of those 
examples, we notify the issuers, we follow the protocol, we not 
only follow the protocol of MasterCard and working with law 
enforcement, but the entity that was breached follows the 
MasterCard protocol in place, the timely notification to us and 
also the timely notification to law enforcement. We have 
sufficient penalties in place so that if that didn't happen 
that they could be fined on a per day basis, a draconian amount 
of money.
    So I think the law enforcement gentleman brought up that 
these companies are coming forward, and part of that is because 
there are effective rules in place to bring them forward when 
something does happen. And the good news again with the DPI 
hack is we are not seeing general fraud. But everybody is being 
vigilant, looking at the account numbers, and monitoring the 
account numbers on a daily basis.
    And MasterCard has a wide array of fraud controls in place, 
I know we are short on time, but we have controls in place for 
auditing merchants, controlling fraud, and we have penalties 
and policies in place for the bad actors that are in the 
system.
    So your second point was on law enforcement and our 
relationships, and from where I sit we greatly value those 
relationships. The gentlemen from the Secret Service who were 
here this morning, the electronic crimes task forces that 
have been put together over the past several years, the effort 
is tremendous and it really fits a need out there. And I would 
just like to say that one thing that was brought up this 
morning about these hacks and what we find out from the hacks 
is that there is little fraud on the hacks. When you see 
account numbers that are being hacked we track it. There is 
little fraud on it. And you know what it is? A lot of them that 
are out there that are joy riding, that are stealing numbers, 
that are causing harm. And the question is what do we and the 
prosecutors that are out there, do with them not only in the 
Federal level but the State levels. I will wrap up. Sorry. And 
I think tougher penalties are important here because even 
though there is not fraud there is a lot of costs when these 
things happen.
    Chairwoman Kelly. Thank you very much. The Chair notes that 
some members may have additional questions for the panel. They 
may wish to submit those in writing. Without objection, the 
hearing record will remain open for 30 days for members to 
submit written questions to the witnesses.
    The second panel is excused with the committee's great 
appreciation for your time. Thank you. I want to thank all the 
members and staff for their assistance in making the hearing 
possible.
    This hearing is adjourned.
    [Whereupon, at 1:25 p.m., the joint subcommittee was 
adjourned.]


                            A P P E N D I X



                             April 3, 2003


[GRAPHIC] [TIFF OMITTED] T9407.001 through T9407.105