Protecting your Identity
August 1, 2010 at 12:23 am | Posted in Data Protection, Identity Theft | 7 Comments
Tags: Data Loss Prevention, firewall, Identity Management, keystroke logging, McAfee, Marcus Ranum, Personally Identifiable Information, phishing attack
A post on Twitter from @backupify the other day amused me …
“Google Apps has the same vulnerability as Microsoft products: Users”
They were making the point (explained further in their blog) that, according to a poll, a significant number of administrators would, if they were fired, take business-sensitive information with them. Now, I’m not looking at those who would take business-sensitive information (customer databases, price lists, R&D files), serious as that might be. What interests me is that a significant number said they’d take a key set of credentials with them. Yet another reminder of how vulnerable our online identity can be.
It also occurs to me that you can’t always expect to mitigate users’ behaviour with software-based controls, particularly when those users are members of the general public with, at best, a sketchy idea of what online security is all about. Back in 2003, I was working as lead architect on an Identity Management solution for ABSA, South Africa’s biggest retail bank (and now part of the Barclays group). Three customers had funds removed from their accounts through ABSA’s internet banking facilities, in what appeared to be the country’s first documented case of this type of crime. It transpired that the three customers had picked up a keystroke logger, not having the necessary security software installed on their home PCs. Nevertheless, it was their bank that reaped the bad publicity.
Since then, banks around the world have done much to try to protect their customers: offering free or highly subsidised anti-virus software, offering various alternatives to the wholly inadequate use of passwords for authentication and even, in some cases, confirming transactions through SMS messages to your mobile phone. My business bank account is protected by a token, which generates a one-time password (OTP), as well as a conventional password. My bank also supplies me with free anti-fraud software from Trusteer. The Rapport browser plug-in protects session information stored in the browser and defends against man-in-the-middle attacks, trojans and phishing scams. Most significantly for this discussion, it also monitors the user’s activity on the web and warns if the user attempts to use their Internet banking password in conjunction with another site.
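To make the password-reuse warning concrete, here is an added example (my own illustration, not Trusteer’s code or anything from the Rapport product) of how such a monitor can work without ever storing the banking password itself: it keeps a salted PBKDF2 hash of the protected password together with the one hostname where that password belongs, and flags any form submission that carries the same password to a different host. The hostnames, events and thresholds are constructed for the example.

```python
"""Added example: a simplified credential-reuse monitor.

Only a salted hash of the protected password is kept, so the monitor can
recognise the password when it is submitted without being able to reveal it.
All hostnames and submission events below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

PBKDF2_ROUNDS = 100_000  # assumption: a modest work factor for the example


@dataclass
class ProtectedCredential:
    allowed_host: str   # the only hostname this password should be sent to
    salt: bytes
    digest: bytes


def protect(password: str, allowed_host: str, salt: Optional[bytes] = None) -> ProtectedCredential:
    """Register a password to watch, storing a salted hash rather than the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return ProtectedCredential(allowed_host, salt, digest)


def _matches(cred: ProtectedCredential, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), cred.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, cred.digest)


def check_submission(cred: ProtectedCredential, url: str, password: str) -> str:
    """Return 'warn' if the protected password is sent anywhere but its allowed host."""
    if not _matches(cred, password):
        return "ok"            # an unrelated password; nothing to do
    host = urlparse(url).hostname or ""
    if host == cred.allowed_host:
        return "ok"            # the genuine banking site
    return "warn"              # same password, different site (reuse or phishing)


# Constructed submission events: (destination URL, password typed into the form).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("https://www.mybank.example/login", "Tr0ub4dor&3"),                 # legitimate use
    ("https://webmail.example/login", "Tr0ub4dor&3"),                    # reused on webmail
    ("https://shop.example/checkout", "a-different-password"),           # unrelated password
    ("http://www.mybank.example.evil.example/login", "Tr0ub4dor&3"),     # look-alike host
]


def run_monitor(cred: ProtectedCredential, events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Evaluate every event and return (host, verdict) pairs."""
    return [(urlparse(url).hostname or "", check_submission(cred, url, pw)) for url, pw in events]


if __name__ == "__main__":
    banking = protect("Tr0ub4dor&3", "www.mybank.example")
    for host, verdict in run_monitor(banking, SAMPLE_EVENTS):
        print(f"{verdict:4}  {host}")
```

The look-alike host in the last event is the interesting case: a hostname comparison on the parsed URL, rather than a substring match on the whole address, is what keeps it from being accepted as the bank.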
Still though, users will continue to fall victim to identity theft because of unwise behaviour online. So, I was pleased to see McAfee launch a decent eGuide to Identity Theft on their website recently. As well as the guide, McAfee provide an online self-assessment tool. By answering a series of questions, you can build a picture of the risks you run of identity theft, based on your online behaviour. The risk assessment tool generates a detailed report in PDF.
Working through the tool, I found that my risk is assessed as moderate. I could guess as I carried out the assessment which answers were affecting the score, but I feel comfortable that I’m making informed decisions to accept some risks. After all, you can’t remove all risks, only mitigate some and accept the rest. In fact, for many years, Marcus Ranum, who is widely credited with designing the first ever commercial firewall, published a picture of a set of wire cutters, under the title “The Ultimate Firewall”. This illustrates the basic dichotomy in computer security – that for total security you can’t have any connectivity. All security is a compromise with usability.
The McAfee eGuide and risk assessment tool are welcome resources, provided that they’re brought to the attention of users. Of course, their publication coincides with the launch of Identity Protection features into their flagship consumer packages. These features prompt the user for permission before Personally Identifiable Information (PII) is sent to a web site. This is the consumer equivalent of the Data Loss Prevention (DLP) solutions which are beginning to be deployed by large organisations. These packages aim to identify information assets (files, to you and me) on computer systems that contain PII and apply policies to control what can be done with those files. This in turn limits the dangers of accidental or malicious leakage of the PII through USB sticks, email attachments, printed copy and so on. All these technologies will of course help, but ultimately, each of us is responsible for protecting our identity through responsible online behaviour. At least for now, too many users are completely unaware of the risks in what they do online. To find out more about the risks, try starting at the UK Information Commissioner’s website.