So for those of you not playing along in the home game, ChoicePoint is a consumer credit & background information aggregator. This means that they accumulate information about credit histories, insurance claims, financial data and pretty much any other Personal Data they can get their hands on, then sell access to it.
Unfortunately, poor process security has led to the compromise of over 145,000 people’s identifying information and over 700 known cases of Identity Theft:
The perpetrators were able to dupe the company, which provides consumer data services to insurance companies, other businesses and government agencies, by passing themselves off as legitimate customers.
So just to recap:
1) A company which claims to be in the business of aggregating and analyzing data was repeatedly conned by people with fraudulent data
2) A company which claims to have processes in place to identify and prevent abuses by their customers didn’t find out that they were being scammed until the police came and told them
3) They keep revising the number of affected accounts upward, which says to me that they’re still uncovering more abuse, either by the same group or other groups running the same scam against them.
Of my list above, #3 definitely worries me the most. Organized fraud gangs trade information about exploits just like they trade the information that those exploits produce. The breakdowns occurred at the process level–they used front companies to bypass whatever security processes ChoicePoint thought they had in place to mount their attack.
ChoicePoint say that they’re instituting new and expensive security procedures to prevent this sort of attack in the future. I wish them luck, since when they sneeze, I catch cold. But I’ll also be surprised if this does anything more than buy them some time until this incident either blows over or the Bad Guys come up with a new and improved process attack.
What we need is an acknowledgement that as the number of places this information is aggregated continues to grow, these sorts of incidents will become increasingly common. Thus, prevention alone is a lost cause. It’s time to accept this fact and begin to turn our attention toward improving mechanisms not just for preventing but also detecting and recovering from identity theft.
As an aside…
The way the attack probably worked is really very simple. They tried to set up a front company the first time and got turned down, so they tweaked the application and tried again. Maybe this time, they got to step two in the process, maybe not. In any case, the attackers keep changing variables in their approach until they finally determine the correct answer to each question along the way. If they are persistent enough, they will eventually breach the process and be able to act with impunity.
Process-level attacks like this are fairly common in the Private Banking world, which is where I first learned about them. The only response is a combination of constant refinement of your vetting processes and a consistent refusal to provide feedback to those you deny. In some cases, people would be escorted out of the Private Bank’s offices before they could even wipe their shoes on the mat. The risk of a lawsuit was less than the risk of a very expensive and potentially embarrassing incident.
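To make that response concrete, here is an added sketch (not from the original post, and not anything ChoicePoint or a bank is known to run) of a vetting check that links a new application to previously denied ones and gives every rejected applicant the same answer. The field names, the two-field threshold and the sample applications are all assumptions made up for illustration.

```python
from dataclasses import dataclass

# Hypothetical attributes that are costly for a front company to change all at once.
LINK_FIELDS = ("phone", "address", "tax_id", "contact_name", "bank_account")
# One fixed message for every denial, so a rejection reveals nothing about its cause.
UNIFORM_DENIAL = "We are unable to open an account at this time."

@dataclass(frozen=True)
class Application:
    app_id: str
    company: str
    phone: str
    address: str
    tax_id: str
    contact_name: str
    bank_account: str

def _norm(value: str) -> str:
    """Lower-case and strip punctuation/spacing so cosmetic edits still match."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def shared_fields(a: Application, b: Application) -> list[str]:
    """Names of non-empty link fields whose normalized values are identical."""
    return [f for f in LINK_FIELDS
            if _norm(getattr(a, f)) and _norm(getattr(a, f)) == _norm(getattr(b, f))]

def review(new: Application, denied: list[Application], threshold: int = 2):
    """Return (decision, internal_links, message_to_applicant)."""
    links = [(old.app_id, shared_fields(new, old)) for old in denied]
    links = [(app_id, common) for app_id, common in links if len(common) >= threshold]
    if links:
        # Link details go to the fraud team only; the applicant gets the fixed text.
        return "deny", links, UNIFORM_DENIAL
    return "manual_vetting", [], None

# Constructed sample data: A-2 is A-1 resubmitted under a new name and address.
FIRST = Application("A-1", "Acme Collections LLC", "(555) 010-0199",
                    "12 Main St, Suite 4", "00-0000001", "J. Doe", "ACCT-1111")
RETRY = Application("A-2", "Apex Recovery Inc", "555-010-0199",
                    "98 Oak Ave", "00-0000002", "John Doe", "acct 1111")
OTHER = Application("A-3", "Northside Insurance", "555-010-0142",
                    "40 Elm Rd", "00-0000003", "R. Roe", "ACCT-2222")

if __name__ == "__main__":
    for app in (RETRY, OTHER):
        print(app.app_id, review(app, [FIRST]))
```

The resubmission is caught on the phone number and bank account it reuses, while the message returned to the applicant is identical for any denial, so a retry teaches them nothing about which variable gave them away.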