Category Archives: Identity Theft

More SSN Exposures

Well, and I just signed up for a federal tree planting program:

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

“I was bored, and typed the name of my farm into Google to see what was out there,” said Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill.

U.S. Database Exposes Social Security Numbers, by Ron Nixon, New York Times, April 20, 2007

And she found not only her own farm and Social Security number on the web, but also 30,000 others. The Agriculture Dept. says probably 100,000 to 150,000 people are at risk. Ah, I see they’ve narrowed it to 38,700 people.


Truth is a Property of Networks

Dave Weinberger types out of a drug- and fatigue-induced haze:

Truth is a property of networks.

I can only guess at what I mean, starting with the obvious: Rather than thinking that truth is a relationship between the propositions we believe and the way the world is, such that the propositions represent the world, in the networked world the truth is argued for and connected via links. For all but the most mundane of truths, the network of conversations gives us more shades, nuances, and reasons to believe. Which leads me to think that if truth isn’t an emergent property of networks, then understanding is.

Networked truth, Dave Weinberger, Joho the Blog, 13 April 2007

I think he’s right, except it’s not either/or: it’s both.


How Many is Two?

Oh, this is too precious. A bank thinks two-factor authentication means a username and a password. As Bruce Schneier clarifies:

Um, hello? Having a username and a password — even if they’re both secret — does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.

So how many is two? The bank’s interpretation is linguistically, syntactically, and semantically correct. However, their context is all wrong: two secrets of the same kind are still only one kind of factor.

Risk management requires context, not category error.

-jsq

Postmodern Identity

Gunnar Peterson compiles some realizations by several people that there is no such thing as a unique identity, and that people ought to get over that idea and think in terms of attributes. He concludes with:

Hunter S. Thompson said “buy the ticket, take the ride.” But don’t conflate yourself, the ticket, and the ride.

Openly IDentify your attributes with Open ID, 1 Raindrop, Gunnar Peterson, 15 March 2007

Don’t confuse the map for the territory; there may be multiple maps, and none of them completely describe the territory. Don’t confuse the sign with the signifier or the signified. Etc.

Information security needs to work itself forward historically from logical positivism at least to semiotics and postmodernism. Understanding what we don’t know and stopping pretending that there is such a thing as an absolute identifier would be good risk management.

-jsq

SSN: Identifier or Authenticator?

Spire Security Viewpoint lists some salient points about Social Security numbers (SSNs), among them this one:

There are over 150,000 people (my estimate) with “defendable” access to your SSN right now. They aren’t secret.

SSNs Re-Re-Re-Revisited, 8 March 2007

And you’re ten times more likely, he says, to be victimized with identity fraud by one of these authorized people than by somebody else. His main point is that the problem with SSNs is not their use as identifiers but their use as authenticators. After all, if everybody knew SSNs as readily as names, credit card companies and the like would have to stop using them as authenticators. Then they’d have to use something better for authentication. That would be better risk management.

-jsq
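As an added illustration (not code from any of the posts quoted above) of both points, the factor count in “How Many is Two?” and the SSN-as-identifier argument here, the following Python policy check counts distinct factor categories in a login attempt; the credential-kind names and the category mapping are my own constructed assumptions.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"

# Constructed mapping of credential kinds to factor categories (an assumption for this
# example). SSN and account number are deliberately listed as identifiers, not factors:
# many parties legitimately hold them, so presenting one proves nothing about the presenter.
CREDENTIAL_FACTORS = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "totp_code": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}
IDENTIFIERS = {"username", "email", "ssn", "account_number"}

def classify(credentials):
    """Split submitted credential kinds into (factor categories, ignored identifiers)."""
    categories, ignored = set(), []
    for kind in credentials:
        if kind in IDENTIFIERS:
            ignored.append(kind)          # says who is claiming to log in, not that it is them
            continue
        factor = CREDENTIAL_FACTORS.get(kind)
        if factor is None:
            raise ValueError(f"unknown credential kind: {kind}")
        categories.add(factor)
    return categories, ignored

def count_factors(credentials):
    """Number of distinct factor categories; two passwords still count as one."""
    return len(classify(credentials)[0])

def is_two_factor(credentials):
    return count_factors(credentials) >= 2

def explain(credentials):
    """Human-readable audit line for a login policy review."""
    categories, ignored = classify(credentials)
    names = sorted(f.value for f in categories)
    verdict = "two-factor" if len(categories) >= 2 else "single-factor"
    return f"{verdict}: {names}; identifiers ignored: {sorted(ignored)}"

if __name__ == "__main__":
    print(explain(["username", "password"]))
    print(explain(["ssn", "password", "security_question"]))
    print(explain(["username", "password", "totp_code"]))
```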

ID Theft Virus Map

Brian Krebs has used Google Maps to plot the locations of victims of identity theft:

I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.

Tracking the Password Thieves, Brian Krebs, Security Fix

He didn’t have to look up the locations of the victims to map them; the virus had already done that for him, sometimes accurately, sometimes not. The virus cared because banks flag transactions that come from unexpected geographical locations.

Phishing Report

Sure, phishing is bad, but how bad is it? The Anti-Phishing Working Group posts periodic reports, such as the one for December 2006. APWG received more than 20,000 phishing reports for at least as many phishing sites. While 146 brands were hijacked by phishers, 16 brands accounted for 80% of phishing campaigns that month. And the country doing the most phishing: the U.S.

-jsq

Known Identity Thieves?

Adam posts some interesting hypotheses about how much of identity theft is perpetrated by thieves known to the victims:

Now, if (1) is true, then for all ID theft victims, 40% should know the perpetrator. If (2) is true, then perhaps 11% of ID theft is committed by someone who the victim knows, and 90% of that is detected. Perhaps it’s 90% of ID theft is committed by someone who the victim knows, and that’s only detected 27% of the time.

Identity theft numbers: Javelin vs. FTC, Adam Shostack, 13 Feb 2007

Read his blog for the details. As he says, his hypotheses should be testable. And which (if either) hypothesis is correct should have some bearing on measures that will work to prevent identity theft.

-jsq

Reputation as Asset

Jon Harmon writes an interesting commentary about the HP pretexting scandal (I recommend reading his whole post), in which he recommends creating the post of Chief Reputational Officer (CRO):

Postscript: Mark my words. Five years from now, the office of CRO will be commonplace among global corporations. And ten years from now, the CRO will vie with the CFO as the most likely path to the office of CEO. Reputation is a corporation’s most valuable capital asset and those who manage it best will be rewarded handsomely.

Empty Seat at the Table Devastating in HP Debacle, Jon Harmon, Force for Good, 10 December 2006.

On the one hand, I have a reflex reaction to that suggestion: is this just more perception over content, of which we already have too much in the corporate world?