Played by Leonardo DiCaprio in the Steven Spielberg-directed film Catch Me If You Can, one-time fraudster Frank Abagnale knows a thing or two about security systems.
During his time on the wrong side of the law, Abagnale posed as an airline pilot, a lawyer and a doctor. These days Abagnale is firmly on the right side of the law, and has worked with the FBI for over 30 years.
In a Q&A session before his keynote at the RSA Conference Europe 2007, Abagnale spoke to ZDNet.co.uk about security projects such as the UK ID scheme and explained how one weak link can compromise a whole organisation.
Q: You recently said that technology is making it easier to perpetrate fraud. Could you elaborate on that point?
A: Forty years ago I forged cheques on a Heidelberg printing press that filled the room, took three printers to operate, and I had to build scaffolding to get up to the top of the press itself. Today if you are forging cheques you can open your laptop and pick a graphic, and in 15 minutes have a beautiful four-colour cheque. Obviously there are no con-men any more — the victim never sees you and you never see the victim. Now you can do it by the internet, in your pyjamas.
How big an issue do you think identity theft really is?
Stealing identity is the simplest crime of all, as simple as counting "one, two, three". Individual identities have a high net worth, yet [some] mortgage companies throw out their records, and you can find them in a dumpster. The problem is, companies and governments need to ask themselves what they are doing to protect the identity of employees — most do nothing. They need to invest in identity management, and put authentication on laptops.
What are the factors that make identity theft easy?
Businesses can have details on 6,000 policy holders, and one employee who's on minimum wage can sell it. They [businesses] have nothing in place; this takes place every single day.
You go to the gym to work out, and they take a copy of your driver's licence and credit card details, and hold them in an unlocked filing cabinet. A person in the gym is on minimum wage, say $6 an hour, and you go to them and say "I'll give you $50,000 if you get me this information. I don't know you, you don't know me, just go and write these details down, then put everything back — don't take anything or remove anything". Selling information for profit is easy, if you don't get caught.
Aren't there technological ways to strengthen security, though?
Technology, and the use of technology to defeat criminals, is improving. However, there is no foolproof system, and whoever says there is fails to take fools into consideration.
What are your views on biometrics to strengthen security?
The most important thing for humans is privacy. I wouldn't want to supply my biometrics for transactions. I support biometrics for access to buildings and computers, but do you trust Visa with your DNA? I wouldn't. Once you lose your DNA you've lost your identity forever. As long as information is stored somewhere there's going to be breaches.
The UK government seems to claim that the National Identity Register won't be breached. Are you in favour of identity cards?
I'm not big on ID cards — you're giving the government information that someone else can access. ID cards make it 100 times easier to steal that information, because it's concentrated in one place.
That the ID Cards scheme was passed into law was not a good idea. Nothing is really secure; if the money is right, you can forge a passport to back fraudulent activities — you can forge ID cards. You can replicate holograms, dyes in paper, and give terrorists access to Britain.
With the ID cards scheme, all it takes is one weak civil servant to be bought off, and one weak link can [compromise the system].
So how concerned should businesses be about their employees?
Businesses should be very concerned about their employees. Most don't do background checks, because an employee started out as a receptionist. But now, guess what? They're an accounts executive, with access to [sensitive] information.
Companies should do background checks before they employ someone, and continue to do background checks, every 90 days.
But wouldn't that infringe on someone's privacy?
Basically the employee would grant permission to do background checks, as a condition of employment. It's a right of the company to do background checks on employees, to make sure information stays within the company. You can't just keep hiring people, because one weak link breaks the chain.
What's your opinion on a data-breach notification law for the UK?
In the US, every time there's a breach, you get a letter. Absolutely I'm in favour of data-breach laws — if someone gets into a company's systems, or there's a breach, by law companies have to send their customers notification within 24 hours. It lets the person take action themselves.
People have a right to know if their information has been breached.