Where should security be applied to prevent Identity theft?
By Mike Davies of VeriSign [sponsors of Compliance and Privacy]
What a wonderful place the internet is: only today I registered for free at 10 online sites.
I now have a new email address, will be alerted about the latest holidays, electrical goods or jobs that interest me, am a registered user at a major political party's website, have a brochure from a healthcare provider being posted to me, gained access to a computing magazine's website as well as a national newspaper, and will be attending a talk on aromatherapy.
The information I provided to register varied by site but included name, email and physical address, mother's maiden name, salary, political persuasion, preferred holiday dates (when my house will be empty), gender, date of birth, employer's name, mobile telephone number and job title.
At no point during any of the registrations was the personal data I entered secured. This worries me and it should worry you too.
Let us say that my name and address make up 10% of my identity, and that my mother's maiden name along with my employer represents another 10%. If you combine both sets, you may now have 30% of what is required to commit some form of ID fraud. In other words, the value builds as the data collected grows. It may only take a fraudster one socially engineered phone call to find out the missing pieces of information required to achieve their aim.
Internally at VeriSign we are calling this Synergistic Data Collation (SDC) but the principles behind it are not new.
Security forces around the world have for decades built up intelligence piece by piece, realising that even small amounts of data can be combined to create a larger picture.
But how do fraudsters get hold of this information?
The most obvious way is key logging, where a piece of malicious code sits on a PC and records all keystrokes made. Anti-virus suppliers work very hard to protect consumers against this threat.
Another way is known as "packet sniffing", where a malicious program is placed on a network, either by a fraudulent employee or via a Trojan. The "sniffer" will inspect packets of data, collecting specified data strings such as names and addresses. This is the main reason credit card numbers are always encrypted in transit, even within the banks' or retailers' own internal networks. It is perhaps surprising that identity data that can be used to apply for a credit card is not always protected to a similar level.
But ID theft is not the only consideration.
The Data Privacy laws in the UK are very clear that responsibility starts when a company receives private information from an individual. This was based on the postal model where the receiving company has no control of the delivery channel and it is up to the individual whether they trust their data to the Postal Supplier whose brand is on the postbox.
Online, the delivery channel is unbranded; in fact the brand the consumer sees, and is therefore trusting, is the domain name and branding of the website. Interesting word, domain. Dictionary.com defines it as "A territory over which rule or control is exercised." It is no wonder that consumers feel comfortable giving private data: they feel like they are already in the supplier's shop.
It is inexpensive and simple to set up a secure link when collecting consumer data, and by doing this we can help reduce ID theft, which is in the interests of all online service providers and, more importantly, the consumer.
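The sniffing risk described earlier and the "secure link" recommended here come down to one checkable property: does each registration form hand its fields to an HTTPS (SSL/TLS) endpoint, or does it post them in cleartext where anything on the path can read them? The script below is an added example, not code from the article or from VeriSign; it assumes that "secure link" means HTTPS in practice, and the page URL, HTML and list of sensitive field-name hints are constructed for the demonstration. It parses every form on a page, resolves the form action against the page URL (so relative and scheme-relative actions are handled), and reports any form that would submit over plain HTTP, listing which identity-type fields it would expose.

```python
"""Audit a page's registration forms for cleartext (non-HTTPS) submission.

Added example, not the article's or VeriSign's code. The sample page URL,
HTML and the SENSITIVE_FIELD_HINTS list below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field carries identity data of the kind the
# article lists. This list is an assumption for the example, not a standard.
SENSITIVE_FIELD_HINTS = ("name", "email", "address", "maiden", "dob", "birth",
                         "salary", "phone", "mobile", "employer", "password")


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "",
                             "method": (attrs.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form whose resolved action is not HTTPS.

    Each finding records the absolute submission URL, the HTTP method and
    the subset of field names that look like identity data.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # urljoin resolves relative ("/signup") and scheme-relative
        # ("//host/path") actions; an empty action posts back to the page URL.
        target = urljoin(page_url, form["action"])
        scheme = urlsplit(target).scheme.lower()
        sensitive = [f for f in form["fields"]
                     if any(hint in f.lower() for hint in SENSITIVE_FIELD_HINTS)]
        if scheme != "https":
            findings.append({"action": target,
                             "method": form["method"],
                             "sensitive_fields": sensitive})
    return findings


# Constructed sample: a registration page served over plain HTTP with three
# forms, one of which already posts to an HTTPS endpoint.
SAMPLE_PAGE_URL = "http://www.example-newsletter.test/register"
SAMPLE_HTML = """
<html><body>
<form action="/signup" method="post">
  <input name="full_name"><input name="email"><input name="mothers_maiden_name">
</form>
<form action="https://secure.example-newsletter.test/signup" method="post">
  <input name="full_name"><input name="date_of_birth">
</form>
<form action="//cdn.example-newsletter.test/search" method="get">
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"CLEARTEXT {finding['method'].upper()} to {finding['action']}; "
              f"identity fields exposed: {finding['sensitive_fields'] or 'none'}")
```

Run against the constructed sample it flags the relative-action form (which inherits the page's http scheme and carries name, email and mother's maiden name) and the scheme-relative search form, while the form that posts to the HTTPS endpoint passes. The same check, run against a site's real registration pages, is a cheap way to confirm the "secure link" the article asks for is actually in place before a form goes live.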
The internet is a wonderful place; we just need to make sure that private data is protected so that our own experience of it stays wonderful.