Keeping a Computer’s Secrets : TRW Has Tightknit Security Blanket for Credit Histories : WILLIAM T. TENER
When a Corona del Mar woman recently applied for a small home equity loan from Bank of America, she was stunned to learn that details of her past were known by strangers. A mortgage company working for the bank sent her a computer printout of her credit report. The report included information dating back as far as gasoline purchases made in 1973.
“How is it these people can get this information?” she wanted to know.
Her experience was not unusual. Nowadays, it’s nearly impossible to escape the grasp of credit information companies. And the largest such service in the nation is TRW Inc.’s Information Services Division in Orange.
TRW maintains records on 143 million consumers in America. The job of making sure no one gains unauthorized access to the firm’s files falls on William T. Tener, director of operational and regulatory compliance at the Information Services Division.
Through its work with U.S. aerospace and defense agencies, TRW has developed the latest in computer security software devices. It can detect an unauthorized access of a computer system almost immediately, Tener said.
Together with its strong efforts to prosecute hackers and criminals alike and to help law enforcement officials capture them, TRW has learned by monitoring hacker “bulletin boards” that it has gained a tough image that has persuaded hackers and criminals to go elsewhere.
In an interview with Times staff writer James S. Granelli, Tener described the information that TRW accumulates, how it protects the information and what criminals are doing to exploit a society dominated by computerized credit.
Q. How can an average citizen be hurt by the information that is stored in the computers of government agencies, businesses or credit information compilers like TRW?
A. There are many different ways people can be hurt. In one case, a private investigator came into local police agencies during the day to use their computers to get DMV data so he could trace automobiles and repossess them. Criminals could get a driver’s license number and start to build a phony persona. If I wanted to be a crook, the first place I’d tackle is an insurance company to find out the names of people who had the most accidents. Then I’d sell phony insurance policies to them.
Crooks are a lot more creative. You don’t see someone sneaking into a room and pulling a file out of a cabinet, except on television.
Q. So the damage could vary greatly?
A. Yes. The people who break into computer systems could do it for solicitation of a product they want to sell. Or they could go into the computer to victimize an individual: get credit in that person’s name, try to get Social Security benefits, try to get an income tax refund. Or they could build a phony persona, or profile, to get loans or extensions of credit.
Q. What kind of information do credit information firms compile?
A. Well, I can only speak for what we compile. It’s accounts-receivable data--purchases, payments, non-payments--from the various banks, retailers and other businesses that subscribe to our consumer credit service. Once a month, we get an accounts-receivable file from our business subscribers on what their customers bought and what they paid or didn’t pay for. We also compile identifying information on those customers, such as names, addresses, year of birth, Social Security numbers and employer names. And we list public record data, like bankruptcies, tax liens and civil court credit judgments.
There is nothing about marriages or divorces or number of children in our files. We don’t carry salary. We don’t go out and interview neighbors on credit standing or anything like that.
There’s a second database that we have for business credit, and it’s maintained the same way. It carries strictly the names of the officers and accounts-receivable data.
Q. How frequent is computer crime?
A. That’s difficult to say. In the early 1960s, one consultant came out with a book claiming it was rampant, and another consultant said those figures were overinflated. In the subsequent years, everybody is stating they really don’t know how big it is.
The latest statistics coming out of the National Bureau of Standards (now called National Institute of Standards and Technology) claim that most of the problems in computer crimes--65% of the computer problems--are errors or omissions, meaning somebody made a mistake. Then there’s 6% where it’s a disgruntled employee operating internally. There’s another, I believe it’s 13% to 16%, where it’s an employee that was mischievous and wanted to go after something in the computer. And the rest is external fraud.
Q. Can’t the lack of hard information on how much computer crime exists be attributed to a reluctance by companies to reveal how often their computers are broken into?
A. Absolutely. We hear constantly that some company has had a computer crime but does not report it. Sometimes the company may not know the individual or be able to identify the individual or prove that a specific individual actually got in the computer. So even if it’s reported, the case would go nowhere.
And in credit fraud, you’re also confronted with some police departments that have a monetary limit on which cases they’re going to accept. They’ve got to work the murders, the burglaries and the rapes, and they can only put so many people on credit fraud.
Q. But the damage could be more extensive than out-of-pocket losses.
A. If a person is victimized, there are going to be quite a few problems. I’ve seen situations where individuals are victimized by criminals who use the information to flood the market with credit applications. It takes probably a month to straighten out the credit. And we have to go through the process of explaining to credit grantors why the credit granted isn’t legitimate. That’s hard for some credit grantors to understand, especially when they’re not aware of how credit fraud is perpetrated.
Q. What is computer crime costing us as citizens and consumers, including viruses, which are small programs inserted into a computer that can destroy or scramble data or replicate themselves quickly, taking up valuable computer storage space?
A. I don’t have any idea of that figure. In some cases you don’t really know how much has been caused. If you look at the recent electronic virus introduced by a Cornell graduate student, you had 60,000 computers that were played around with. It wasn’t deliberate that we can tell, but there is over a hundred man-years trying to reconcile the computers after that had been done. It’s an enormous cost.
Q. How frequent are such random computer viruses? A. It’s picked up quite a bit. This year, probably about 60 of these viruses have been introduced into computer systems around the country. The damage done by the student reached several universities, but it’s under control now. Most of these viruses are designed as non-malicious . . . but most have caused damage in terms of lost data or lost resources or lost utilization. IBM had a virus that forced them to shut down an internal message system for a few days to clean it up.
Q. What is the total monetary loss to consumers and credit agencies from computer thefts of credit information?
A. I don’t have any figures. It’s in the hundreds of millions of dollars, conceivably. Everybody says they have unreliable figures because not everyone reports them and no one ever seems to collect those numbers in the aggregate. For normal credit fraud, those are tracked fairly well by the Visas, the MasterCards and the individual banks. And that kind of fraud has been decreasing quite a bit in the last few years.
Q. Why is that?
A. There are more controls. When I initially got into security, which was the mid-1970s, you had people who would just submit any type of data to a credit bureau. The credit bureau would take that data, not knowing if it was legitimate or not, and just create a credit file. Also, credit defrauders would just submit applications that were totally false accounts--totally false persons--and people would grant credit on that. As a result, a lot of the banks put in expert systems and other ways to monitor accounts. Credit bureaus started truncating account numbers--displaying only partial account numbers on computers--so if somebody did get into the file through some means, he still wouldn’t have full account numbers and couldn’t use it on an application.
Q. How can individuals protect themselves against computer crime?
A. There are a couple of ways they can help themselves. One is to review the information in these databases. In our case, they can come through consumer relations and review their files. If they’ve been denied credit, they can do it within 30 days with no charge. Otherwise, it will cost $8 to review the file. Once they know what’s in there, they have the ability to monitor it and maintain that it’s correct. TRW also has various services to help consumers monitor and maintain correct information in the files.
Q. Would a credit information company such as TRW be the most likely target of computer crime?
A. I don’t think so. Government agencies are a prime target for hackers. There were hackers who were getting into TRW several years ago. We had a couple of accesses. We went on a program where we started monitoring the bulletin boards, tracking their activity and prosecuting them when we caught them.
Q. Credit information companies may be truncating credit card numbers, but burglars and robbers could get the numbers by stealing the cards.
A. Robberies almost always included the theft of credit cards. I’m not so sure that’s true anymore. The data that I see from Visa and MasterCard shows that thefts of credit cards have decreased significantly. And even the fees that the two companies were charging the banks have actually been reduced because they don’t have as great a problem with that anymore.
Q. Have credit cards become less useful to criminals?
A. I’m not sure they’ve become less useful. Basically what they’re doing is either creating their own personas or picking up numbers through bank or department store garbage, rather than ripping off somebody’s credit card.
Q. What are companies doing to protect against illegal access?
A. I’d say almost any responsible database maintainer would have computer security software systems on their computers at this point. Those security systems have been around for well over a decade, and everybody should be using them. There’s also the issue of somebody masquerading as a legitimate user or an internal employee getting into the database. To distinguish that type of activity, there has to be a more sophisticated manner of watching those individuals in that type of activity. So intrusion detection systems have been developed to look at the total operation of a computer and try to define things that are abnormal. Some of it is TRW’s Discovery security system. What these new systems do is look at all the activity a company runs on its computer.
Q. What are some of the sophisticated identification procedures used to make sure the person using a computer is authorized to do so?
A. You can start with a little credit card-type mechanism that has a password in it that has to match the password that’s on the computer. There’s also a key that you put into your microcomputer before you dial into a mainframe computer. There’s fingerprints. There’s voiceprints. There’s the rhythm in the keyboard as you’re hitting it. They’ve even got a new one that measures the sweat content of your forehead. There’s various biological mechanisms, even a retina scan: A person looks into a microscope-like object that scans the retina pattern in the person’s eye to identify the individual coming into the computer. When you get into a high-security application, that’s when you want to start using these types of devices.
Q. What kind of high-security applications would use those devices?
A. Government agencies. Anybody that has extremely critical applications, like the nuclear industry.
Q. TRW touts its Discovery software as the first to monitor access at the time it occurs and block abnormal requests. How does it work?
A. Discovery builds a pattern of every subscriber’s access into our system. It measures the type of data that they’re putting in their inquiries: Are they always using the Social Security number? Are they always using place of employment? We’re also looking at the error rate that they usually have, the time of day they call, the part of the nation they’re calling from and so forth. After we’ve built that pattern, every time an inquiry comes in from that subscriber on a daily basis, we match it to that pattern. We’re looking for any deviation in the way they’re accessing our system. We’ve even isolated employers or their employees, depending on who normally pulls reports.
Q. So the system monitors deviations by employees authorized by your bank or retailer subscribers to get information from TRW?
A. Yes. One woman who was working in an establishment was about to get married, and she wanted to find out how much money her boyfriend had as far as credit. Well, she dials this up as her normal mode of operation, except she doesn’t quite have the same amount of information or type of information that she would have off a her routine credit application. And she comes into our system. We were able to track the case and report it immediately.
Q. What happened to her?
A. I don’t know. We’re not the victim in that case, so we can’t prosecute. It’s up to the company. In most cases, it’s either a warning or termination based on whatever the company’s internal procedures are.
Q. TRW also touts the system’s ability to educate itself automatically.
A. Right. A company may change the data that it requests on an application. One of our subscribers may have a consumer who doesn’t want to give a Social Security number, thinks it’s an invasion of privacy. The system has to be able to tell from a false alarm. Every time we used to get one of these alarms, we’d have to call our subscriber and validate whether the inquiry was legitimate. Now, we’ve built into the system an education function that allows for some deviations within certain thresholds.
Q. You maintain files on 143 million consumers across the country. From whom do you collect credit information?
A. We collect it from banks, credit card companies, retail establishments, collection agencies, savings and loans, credit unions, doctors, dentists, sales finance companies, mortgage companies and so on.
Q. Do you just get debts that are due?
A. No. We want their total files on accounts receivables--the goods and bads. As a result, our files show predominantly good, positive credit information. An individual has 20 good accounts and one 30-day delinquency, we’re going to have all 20 open accounts and the 30-day delinquency.
Q. Are there people you don’t have information on, besides children or those who live in the woods?
A. I’d say that would be about it.
Q. What about somebody who rents, who does not and never has owned a credit card, who has always refused to give out a Social Security number as part of identification, has no loan history, never even applied for a loan or any kind of credit? Could that person still show up in your files?
A. He may have a tax lien or a judgment against him. And if he’s renting, we may have him from a tenant report, which is a service that looks for renters.
Q. It’s tough to avoid you guys, isn’t it?
A. I think in this day and age, it’s tough to avoid any computer.
