Protecting Your HOA from Identity Theft ID, Please?

Protecting Your HOA from Identity Theft

According to recent surveys, there are approximately seven to 10 million victims of identity theft per year in the United States alone. Criminals use a variety of methods, including stealing Social Security numbers, driver's license numbers, credit card numbers, ATM card information, telephone calling cards, and even your date of birth to gain access to your personal and financial information. Once an identity is stolen, it can take years—and cost thousands—to get it back.

With the advent of the Internet and its proliferation throughout our society, more and more people have turned to Web technology as a medium to manage both their personal and business lives. Homeowner's associations, co-op boards and management companies have also turned to this technology for expedience. But with all the convenience and speed of the Internet, online security and privacy have become a huge question. How can you reap the benefits of the Web while maintaining your privacy and protecting your assets?

Who Should Be Concerned?

The new trend for many condo communities and homeowners associations is to provide their residents with websites featuring information that can be shared among members, like upcoming events, legislative issues, and the date of the next HOA social event. One important factor that too often gets glossed over in the rush to provide a popular amenity is what can be done to protect vital information from hackers who are after more than just board election dates and meeting minutes. The point of identity theft and Internet fraud is not just criminal mischief, but profit. ID thieves are after your money and your credit.

Given that simple fact, it's vitally important to understand what information should and should not be stored online—because everyone is at risk, explains Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse. "We get numerous complaints about information collection, and identity theft is the reason," says Givens. When it comes to any organization that is forming a membership, which requires personal information, Givens recommends a less-is-more policy. "Don't collect information if you don't need it—and any information that is collected should have limited access. Sometimes HOAs collect unnecessary information."

While it is common to collect mailing addresses, telephone numbers, and e-mail addresses, additional information—like social security and driver's license numbers—should not be required for management companies, condo associations or HOA websites. According to Chris E. McGoey, a nationwide loss prevention expert with McGoey Security Consulting, any personal information that is used should be heavily protected, and every person involved should be aware of what is and what is not appropriate to include on a website.

"Homeowner associations must use great care before publishing sensitive personal identification information on the Internet," says McGoey, who pioneered a national robbery-and loss-prevention program in the early 1980's for convenience store giant 7-Eleven Inc. and has authored a book on retail security. "Personal information should only be published on the Internet with the knowledge and permission of the individual."

Edward Frank, president of the River Vale-based Arthur Edwards, Inc, a management company representing approximately 1,800 owners and associations, says he has offered Web services to his clients for the past year and business has improved on many levels—mainly in the transfer of information and reduction of administrative tasks. But security has remained an extremely important issue. "The website is just a great concept; it has eliminated some costs and increased communication, but we have limited [the use of] any personal information."

Hard-nosed Software

The safest route on the Internet means having the best software and strong firewalls to act as barriers against identity thieves. Without these technological roadblocks, the security of information is questionable. Industry experts recommend never uploading sensitive information to a broadband connection because a weak firewall will not keep skilled hackers at bay. Instead, financial and personal information should be stored on a private computer that has restricted access and is not connected to the Internet.

"Security software will not only help, but is essential to protecting a computer or network from security threats," says Kelly Martin, senior product manager for Symantec Corp., the company that originated the Norton Antivirus software, one of the most-used anti-virus programs worldwide. "Anyone using the Internet for personal or work purposes needs to understand that they may be vulnerable to an attack by a blended threat," she adds.

A "blended threat," by technical definition, means the worst risk to computer security since the inception of computer viruses more than 20 years ago. Blended threats are effective, explains Martin, because they combine the most harmful characteristics of worms, viruses, so-called "Trojan horse" programs, and malicious code to exploit existing computer and Internet vulnerabilities. Through the use of multiple methods, hackers and ID thieves can quickly defeat computer systems that employ just one form of Internet security, allowing them to plant viruses, extract personal information, and cause widespread damage.

"When blended threats encounter a single roadblock, they simply avoid it by using a different means to compromise the system," Martin continues. "As a result, it is important that organizations use a layered approach to computer security by employing security products at all levels of the network, from the desktop to the servers to the Internet gateway."

McGoey says it's very important that common sense steps are taken when defining a website's security features. For example, if the name of the HOA is the Smith Association, obviously the password, or even the log-in name, should not be "smith." And McGoey agrees with Martin that the best protection comes from a keen awareness of the Web and its various facets—especially security.

"The weakest link is an unprotected Web page that is accessible by the general public over an unprotected broadband connection," says McGoey. "Second weakest is a poorly constructed Web page with exposed HTML code, or a page protected only by a simple password related to the organization's name. Third is an association database that is accessible by members, but not protected by a hardware firewall, network router, or by a user name and password encryption process."

Who is Responsible?

In most cases, management companies, senior financial consultants, accountants, lawyers and board members have access to restricted information. In situations like these, all information is viewed at another level of security. However, Frank explains that these professionals are limited to what information they are allowed to see and they can't alter any financial data or personal information.

"They are allowed to view some additional information, but they can only view it - not make any changes; the software prevents that," says Frank, who uses POPS software. Approximately one-third of Arthur Edwards' properties have opted for a website and split the cost of running the site, which is approximately $50 per month.

Martin says that updating software programs is essential to keeping systems continually secure. "This step should not be looked upon as a burden—it could end up making all the difference in the world. Computer users need to keep operating systems, applications and security products up-to-date with the latest security patches, which are available from the vendor. They should patch known holes in software to reduce the chances of a blended threat entering from Web pages or e-mail."

If theft of information is discovered linking back to a website, there is little that can be done for the individual whose information has been stolen. In these cases, the authorities are notified, and a full investigation is launched. This reality should be discussed with any individuals submitting personal information for membership.

"Associations should learn what the laws and regulations are concerning disclosure of sensitive information and provide the minimum required in a public forum," says McGoey. "Individuals should only provide the minimum information required and no personal identifiers," he continues. "If allowed, use only your first initial and last name. It is highly recommended that board members use private mail boxes for mailing address purposes."

Who Can Help?

The Internet Fraud Complaint Center (IFCC) was created in response to a growing number of related identity theft cases, and counts as partners the FBI and the National White Collar Crime Center (NW3C). The IFCC receives Internet related criminal complaints, conducts research, and develops and refers the criminal complaints to law enforcement agencies for any investigation deemed to be appropriate.

In 2002, The IFCC released its second Internet Fraud Report. From January 1, 2002 to December 31, 2002, for example, the IFCC received 75,063 complaints. This included many different types of complaints, such as auction fraud, credit/debit card fraud, computer intrusions and unsolicited e-mail, generally called SPAM.

According to the IFCC, e-mail and Web pages are the two primary mechanisms through which fraudulent contact takes place. In all, 66 percent of complaints dealt with e-mail and 18.5 percent with fraudulent Web pages.

Since ID theft is far reaching, necessary steps must be taken to insure security. This should involve protecting not only individual information but an association's general account information.

"The equity in a HOA is sometimes huge and can run into the millions of dollars," says Givens. Thus, it's particularly important to take appropriate measures against fraud. Members of an association should be vigilant and implore that their management companies and board members attend to proper security and enforcement measures.

"There is a minimum expectation of privacy and for the information to be withheld from public view or access," says McGoey. "Individuals and associations who have a line of credit should check their credit report at least once per year to see if there is any activity on it that is unknown. Be wary of credit inquiries when you haven't attempted to obtain credit, or changes in the address on the report."

In order for an HOA or condo board to be safe from Web-based threats, individual members, board members and management agencies must work together, says Givens. "There should be background checks and screening on all people that have access to important information and there should always be a good security strategy."

McGoey agrees, but says that when it comes to the Internet the best way to secure information is with powerful software. A program offering "128-bit encryption is very powerful and will stop virtually every attempt to successfully hack a database. Encryption, coupled with firewalls or network routers, will make most databases reasonably safe," he says.

No one denies the monumentally positive effect the Internet has had on the way we live today. Communication, business, creative endeavors, and entertainment have all been changed and advanced through online technology, and most would say that the world is a better place for all the increased convenience and speed that such a global information highway provides. Positive as it is, however, the Internet also plays host to a wide array of threats and risks to our safety and the safety of our assets. By taking responsibility for our own information and privacy, we can make the Internet that much safer and more useful.

W.B. King is a freelance writer and a frequent contributor to The New Jersey Cooperator.

Related Articles

Condos and private docs on a waterway in New Jersey

The Case of the Unwillingly Shared Walkway

NJ Condo Association Argues Against Public Access

 Video surveillance security cameras graphic icons pictograms set vector

Q&A: Legal Surveillance?

Q&A: Legal Surveillance?

Census 2020

Census 2020

Be Counted Safely During COVID-19