Category Archives: Identity Theft

Phishing by Rogers?

Is it phishing if an ISP does it?

We do apologize but we are unable to locate your account with the information provided. To answer your question more precisely please reply to this e-mail with your account/wireless number, date of birth and full billing address including the postal code. Please note if there is a password on your account you will need to provide it or we will not be able to access your account. Once we are able to locate and access your account, we will provide you with the information requested. We will reply within 24 hours.

Early morning kvetch, Paul Madsen, ConnectID, Thursday, September 06, 2007

Even if it’s not, it’s just asking for somebody to intercept it.

-jsq

Aged Old Code

Old wine or whisky can become more complex and interesting. Old code becomes insecure:

Or at least becomes more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages it becomes insecure.

Evolve or Die, by arthur, Emergent Chaos, August 29, 2007 at 7:47 AM

The state of the art in discovering vulnerabilities advances. I remember when nobody worried much about buffer overflows. Related to that, programs get used in environments they weren’t written for. Who really cared about buffer overflows on the early Internet when just getting it working for a few researchers was the goal? Also, the number of people motivated to break code keeps increasing, especially those with monetary motivation. With enough eyes all bugs are shallow also means with enough eyes all vulnerabilities become easy to find. Or, in this postmodern world, even computer programs are largely what people perceive them to be, and those perceptions change.

For example, Jeff Pulver perceives Facebook’s video messages as videophone. How long before somebody perceives it as a phishing method? Where there’s humans there’s humint.

-jsq

Publish All SSNs

567-68-0515

Richard Nixon’s SSN

This would solve the ongoing problem of everybody from credit card companies to telephone companies using social security numbers as authenticators:

Now is your chance for the best opportunity to reduce identity theft. Submit comments to the FTC here. I suggest saying something like this.

Publish All SSNs! by Pete Lindstrom, Spire Security Viewpoint, 31 July 2007

I know I already said this was a good idea, but now Pete’s proposing a practical venue to try to get it done.

Sure, the current political commissar at the FTC will never go for this, but such comments will remain on file, and someday a better FTC may act on them.

So follow Richard Nixon’s lead and publish all Social Security Numbers. Oh, he didn’t do that himself? Well, if it had been public, it wouldn’t have done anybody any harm when lots of other people did.

-jsq

Banks Passing the Buck

It’s good that banks are trying to fight identity theft and other online fraud, but:

Internet advocacy group InternetNZ and the NZ Consumers’ Institute have both come out swinging over the New Zealand Bankers Association’s (NZBA) decision to allow victims of Internet banking fraud to be potentially held liable for losses.

New Zealand: Consumer Advocates to Fight Banking Online Fraud Liability Code, Paul Ferguson, Fergie’s Tech Blog, Tuesday, July 24, 2007, quoting Brett Winterford on ZDNet Australia.

Hm, maybe passing the buck isn’t the best way for banks to do this.

-jsq

Identity Theft Prevention

Here’s a useful list of mobile computing security guidelines, plus some links to collections of information loss incidents:

http://attrition.org/dataloss/,
http://breachalerts.trustedid.com/,
http://doj.nh.gov/consumer/breaches.html,
http://www.privacyrights.org/ar/ChronDataBreaches.htm

Information Security Policy 101 – Mobile Computing Policy, by The Trusted Toolkit, The Trusted Toolkit Blog, 23 July 2007

-jsq

Negligence and Breaches

Banks, shops and government departments have exposed thousands in Britain to the risk of fraud through “horrifying” breaches of data protection laws, a watchdog said on Wednesday.

In his annual report, Information Commissioner Richard Thomas, whose office enforces the Data Protection Act, said firms must do more to secure people’s private details.

“The roll-call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,” he said in the report.

Privacy watchdog warns of “horrifying” breaches, The Scotsman, Reuters, 11 July 2007

He’s not talking terrorism, so we can hope this is not just more FUD.

Fidelity Horse Already Out of Barn

Maybe breach discovery is catching on:

“This significant security breach at a Fidelity National Information Services, Inc. subsidiary – compromising 2.3 million consumers – demands answers and actions to protect citizens from identity theft. My office is aggressively pursuing additional information from Fidelity, and will ensure the company adheres to Connecticut law requiring prompt notification to consumers whose personal private information may have been compromised.

“As a first step in our investigation, we are contacting the company to seek information, including the scope and magnitude of the security breach, consumer notification measures and remedies that may be implemented.”

Connecticut Attorney General’s Statement On Fidelity Security Breach Involving 2.3 Million Consumers, by admin, 4 July 2007

Amusingly enough, the CT Att. Gen.’s own web pages say: “The site is currently unavailable. Please visit us again later.”

Passport Friction

Ben Hyde has an interesting bunch of thoughts about verification friction:

We recently got new passports, a project that was at least a dozen times more expensive and tedious than doing my taxes. I once had a web product that failed big-time. A major contributor to that failure was the tedium of getting new users through the sign-up process. Each screen they had to step through triggered the loss of 10 to 20% of the users. Reducing the friction of that process was key to survival. It is a thousand times easier to get a cell phone or a credit card than it is to get a passport or a learner’s permit. That wasn’t the case two decades ago.

Friction, by Ben Hyde, Ascription is an Anathema to any Enthusiasm, 10 May 2007

He mentions some cases where friction may actually be socially useful, as in making it harder to get liquor and easier to get condoms, or some automobile traffic engineering. Then he gets to the especially interesting part.

REAL ID Blues

Fergie notes that apparently all those complaints to DHS had some effect:

Senate Judiciary Committee Chairman Patrick J. Leahy (D-Vt.), citing concerns about Americans’ privacy, signaled yesterday that he will push to repeal a provision of a 2005 law aimed at creating new government standards for driver’s licenses.

Leahy, who has co-sponsored bipartisan legislation to repeal the provision, spoke out as the debate intensified over the Real ID Act, which requires states to create new tamper-proof driver’s licenses in line with rules recently issued by the Department of Homeland Security. States must begin to comply by May 2008 but can request more time. After 2013, people whose IDs do not meet those standards will not be allowed to board planes or enter federal buildings.

A similar Democrat-backed bill to repeal the provision is pending in the House. At least seven states have passed laws or resolutions opposing implementation of Real ID. Fourteen states have legislation pending. By yesterday, the DHS had received more than 12,000 public comments in response to the rules.

Leahy, Others Speak Out Against New ID Standards, By Ellen Nakashima, Washington Post Staff Writer, Wednesday, May 9, 2007; Page D03

You may be wondering why you didn’t hear about this law in 2005, when it was passed.


Real ID? No, Say DHS’s Advisors

The U.S. Government is proposing to implement a national identification scheme, yet the department that is supposed to implement it can’t get its own advisors to agree:

The Department of Homeland Security’s outside privacy advisors explicitly refused to bless proposed federal rules to standardize states’ driver’s licenses Monday, saying the Department’s proposed rules for standardized driver’s licenses — known as Real IDs — do not adequately address concerns about privacy, price, information security, redress, “mission creep”, and national security protections.

Homeland Security’s Own Privacy Panel Declines to Endorse License Rules, Ryan Singel, Threat Level, Wired Blog Network, 7 May 2007

The committee says REAL ID is not “workable” or “appropriate”.

This doesn’t mean DHS won’t implement REAL ID, however, with its approx. $21 billion cost to taxpayers and greatly increased paperwork required of all citizens, increased likelihood of identity theft, not to mention the obvious surveillance state implications.

Today, 8 May 2007, until 5PM EST, is the last chance to comment to DHS about REAL ID.

-jsq