Protecting your Identity

August 1, 2010 at 12:23 am | Posted in Data Protection, Identity Theft | 7 Comments

A post on Twitter from @backupify the other day amused me …

“Google Apps has the same vulnerability as Microsoft products: Users”

They were making the point (explained further in their blog) that, according to a poll,  a significant number of administrators, if they were fired, would take with them business sensitive information.  Now, I’m not looking at those that take business sensitive information (customer databases, price lists, R&D files) as serious as that might be.  What interests me is that a significant number said they’d take a key set of credentials with them.  Yet another reminder of how vulnerable our online identity can be.

It also occurs to me that you can’t always expect to mitigate users’ behaviour with software-based controls, particularly when those users are members of the general public with, at best, a sketchy idea of what online security is all about.  Back in 2003, I was working as lead architect on an Identity Management solution for ABSA, South Africa’s biggest retail bank (and now part of the Barclays group).  3 customers had funds removed from their accounts through ABSA’s internet banking facilities, in what appeared to be the country’s first documented case of this type of crime.  It transpired that the 3 customers had picked up a keystroke logger, not having the necessary security software installed on their home PCs.  Nevertheless, it was their Bank that reaped the bad publicity.

Since then, banks around the world have done much to try to protect their customers, offering free or highly subsidised anti-virus software, offering various alternatives to the wholly inadequate use of passwords for authentication and even, in some cases, confirming transactions through an SMS message to your mobile phone.  My business bank account is protected by a token, which generates a one-time password (OTP), as well as a conventional password.  My Bank also supplies me with free anti-fraud software from Trusteer.  The Rapport browser plug-in protects session information stored in the browser and defends against man-in-the-middle attacks, trojans and phishing scams.  Most significantly for this discussion, it also monitors the user’s activity on the web and warns if the user attempts to use their Internet banking password in conjunction with another site.
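The password-reuse warning described above can be modelled in a few lines. The following is an added example, not code from this post and not Trusteer’s implementation (how Rapport does this internally is not described here); the `CredentialReuseMonitor` class and its method names are assumptions for illustration. The design point it shows is that a monitor can detect reuse without ever storing the banking password itself: it keeps only a salted PBKDF2 hash per protected origin and compares a submitted password against that hash when the destination origin differs.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit


class CredentialReuseMonitor:
    """Warn when a password registered for one site is submitted to a different site.

    Hypothetical, simplified model of the behaviour the post describes; it does not
    claim to reproduce any product's internals.  Only a salted PBKDF2 hash of each
    protected password is retained, never the password itself.
    """

    ITERATIONS = 100_000  # PBKDF2 work factor; raise in a real deployment

    def __init__(self):
        # origin -> (salt, derived key)
        self._protected = {}

    @staticmethod
    def _origin(url):
        # Compare on scheme + host[:port] so that every page of the bank's site
        # counts as the same site, while any other site is a different origin.
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}".lower()

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.ITERATIONS
        )

    def protect(self, url, password):
        """Register the password used on the given site (e.g. the bank's login page)."""
        salt = os.urandom(16)
        self._protected[self._origin(url)] = (salt, self._derive(password, salt))

    def check_submission(self, url, password):
        """Return the protected origins whose password is about to be sent elsewhere.

        An empty list means no reuse was detected; a non-empty list is the warning.
        """
        target = self._origin(url)
        warnings = []
        for origin, (salt, key) in self._protected.items():
            if origin == target:
                continue  # same site: legitimate use of its own password
            if hmac.compare_digest(self._derive(password, salt), key):
                warnings.append(origin)
        return warnings


if __name__ == "__main__":
    # Constructed sample: a banking password registered, then reused on a shop.
    monitor = CredentialReuseMonitor()
    monitor.protect("https://online.bank.example/login", "correct horse battery staple")
    print(monitor.check_submission("https://shop.example/account", "correct horse battery staple"))
```

A browser plug-in would hook the form-submission event and call `check_submission` with the page origin and the password field’s value before the request leaves the browser; the comparison uses `hmac.compare_digest` so that timing does not leak how close a candidate is to the stored hash.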

Still though, users will continue to fall victim to identity theft because of unwise behaviour online.  So, I was pleased to see McAfee launch a decent eGuide to Identity Theft on their website recently.  As well as the guide, McAfee provide an online self-assessment tool.  By answering a series of questions, you can build a picture of the risks you run of identity theft, based on your online behaviour.  The risk assessment tool generates a detailed report in PDF.

Working through the tool, I found that my risk is assessed as moderate.  I could guess as I carried out the assessment which answers were affecting the score, but I feel comfortable that I’m making informed decisions to accept some risks.  After all, you can’t remove all risks, only mitigate some and accept the rest.  In fact, for many years, Marcus Ranum, who is widely credited with designing the first ever commercial firewall, published a picture of a set of wire cutters, under the title “The Ultimate Firewall”.  This illustrates the basic dichotomy in computer security – that for total security you can’t have any connectivity.  All security is a compromise with usability.

The McAfee eGuide and risk assessment tool are welcome resources, provided that they’re brought to the attention of users.  Of course, their publication coincides with the launch of Identity Protection features into their flagship consumer packages.  These features prompt the user for permission before Personally Identifiable Information (PII) is sent to a web site.  This is the consumer equivalent of the Data Loss Prevention (DLP) solutions, which are beginning to be deployed by large organisations.  These packages aim to identify information assets (files to you and me) on computer systems that contain PII and apply policies to control what can be done with those files.  This in turn limits the dangers of accidental or malicious leakage of the PII through USB sticks, email attachments, printed copy and so on.  All these technologies will of course help, but ultimately, each of us is responsible for protecting our identity through responsible online behaviour.  At least for now, too many users are completely unaware of the risks in what they do online.  To find out more about the risks, try starting at the UK Information Commissioner’s website.
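To make the DLP idea concrete, here is an added example of the two halves the paragraph describes: discovering files that contain PII, and applying a policy to what may be done with them. It is not code from this post nor from McAfee’s or any vendor’s product; the sample files, the detector names (`ni_number`, `card_number`, `email`), the simplified UK National Insurance number pattern and the `POLICY` table are all constructed for illustration. Card-number candidates are confirmed with the Luhn check so that an arbitrary 16-digit order reference is not flagged as a card.

```python
import re

# Constructed sample documents standing in for files found on a workstation.
SAMPLE_FILES = {
    "hr/new-starter.txt": "Name: A. Person\nNI number: AB 12 34 56 C\nContact: a.person@example.com\n",
    "finance/expenses.csv": "date,amount,card\n2010-07-30,42.50,4111 1111 1111 1111\n",
    "notes/todo.txt": "Order 1234567890123456 of widgets; call 01234 567890.\n",
}


def luhn_valid(digits):
    """Luhn checksum (ISO/IEC 7812) used to confirm a digit run is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# (kind, pattern, validator) in the order findings are reported.
# The NI pattern is deliberately simplified; real prefixes have extra rules.
DETECTORS = [
    ("ni_number", re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"), lambda m: True),
    ("card_number", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda m: luhn_valid(re.sub(r"[ -]", "", m))),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
]


def scan_text(text):
    """Return [(kind, matched_text), ...] for every PII item found in the text."""
    findings = []
    for kind, pattern, validator in DETECTORS:
        for match in pattern.finditer(text):
            candidate = match.group(0)
            if validator(candidate):
                findings.append((kind, candidate))
    return findings


def scan_files(files):
    """Classify each file: path -> list of PII findings (empty list means no PII)."""
    return {path: scan_text(content) for path, content in files.items()}


# Policy applied to any file that contains PII; files without PII are always allowed.
POLICY = {
    "copy_to_usb": "block",
    "email_external": "block",
    "print": "allow_with_audit",
}


def decide(findings, action):
    """Return the policy decision for performing `action` on a file with these findings."""
    if not findings:
        return "allow"
    return POLICY.get(action, "block")  # unknown actions on PII files default to block


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, findings in results.items():
        print(path, findings, "copy_to_usb ->", decide(findings, "copy_to_usb"))
```

The classification step is where most real DLP effort goes: the patterns above catch structured identifiers, whereas free-text PII (names, addresses) needs dictionaries or context rules, and a policy that blocks too eagerly simply drives users to the unaudited workarounds the first comment below alludes to.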


7 Comments »


  1. The irony with the wirecutters is that by introducing “airgap” firewalls you often increase vulnerabilities, as data goes by unaudited/untraceable sneakernet.

    On the plus side, users can also be the biggest benefit to security if educated well. I’ve seen several cases where a suspicious user or sysadmin has raised the alarm when all the automated security systems were sitting around fat dumb and happy.

    Must catch up for coffee soon, I can tell you about my cunning plan that will upset a lot of DLP vendors if I get it working 🙂

    • Good point Nik. I’m currently working on a project where security awareness training for the project team is happily one of our FIRST priorities. Unusual but no less welcome.

      • Yep, “patching the human” is an important and tricky process. You might find http://www.social-engineer.org of some interest…

  2. Just had a quick play with the McAfee tool; it’s a reasonable dipstick but has a few issues:

    – US centric; Social Security Number in the US is vastly more useful than a UK NI number for fraud
    – Simplistic questions; for example “Do you use wifi”, with no caveat about encryption
    – Failure to take into account physical threats, e.g. do you lock up or hide sensitive documents stored in the house

    Still as it is primarily a marketing tool I guess they don’t want anyone to score too highly 🙂

    • …and if you rely on physical security measures in your staff’s homes, do you have any right to audit?

      • Sod them, I’m thinking of my personal data 🙂 But on a more serious note I would expect to; it’s a major and often overlooked vulnerability to corporate data. Whether you have the right or not is probably an issue for terms of employment and/or release of information, e.g. “If you want to take information home, you must allow periodic inspection” etc.

  3. […] be used elsewhere.  In a previous post, I described how my bank allows me to be warned if I try to re-use internet banking credentials on another site, by providing me with a free copy of Trusteer Rapport.  This protection can be easily extended to […]

