Saturday, November 18, 2006

Why Do We Keep Blaming Identity Theft Victims?

I just got done reading an article by Mark Seagraves (WTOP Radio) about 478 laptops that have been stolen from the IRS. Mark was able to obtain this information via the "Freedom of Information Act."

At first, I thought "here we go again," but in reality -- there are probably thousands of laptops that have disappeared in the private sector that were never made a public record via the "Freedom of Information Act."

In fact - in a lot of the data breaches observed - the breached organizations seem to disclose as little as possible. I wonder if we know about every data breach that might have occurred?

Articles about missing laptops compromising "millions" make good stories, but in reality, laptops are a desirable item and get stolen all the time. It's entirely possible they are bought and sold on the black market and even used by criminals, who are clueless of their "information value."

I predict that sometime in the near future we'll see a story about information being compromised by the theft of a smart phone. They're pretty easy to steal and desirable, too.

On the other hand - with chat forums selling personal information for a few dollars a pop - the amount of compromised information out there is potentially huge.

Recently, we saw stories where personal information was being harvested off hard drives that were thrown away, or given to charity. How many hard drives have been discarded without removing the information on them?

Again - with the amount of personal information being stolen and used in financial crimes - who knows? Some "expert" will argue that none of it has been used and the criminals using it are unlikely to comment.

No matter where it comes from, the astronomical increase in identity theft clearly indicates that a lot of information is being compromised - whether stolen from a laptop, a garbage can, or via malicious software, sometimes referred to as crimeware.

I had to chuckle recently when some "security experts" observed that in most identity theft cases, the information compromised came out of trash cans. Whether they are right, or wrong - the information sent in mass mailings starts in a database - sold for a profit and printed on a computer.

The only difference is the method of mail being used. Trust me, the Postal Inspection Service investigates a tremendous amount of fraud that is sent via snail mail and mail fraud is nothing new.

Yes - according to the experts - we are to blame and need to take action to ensure criminals don't compromise the sensitive information being sent to us in mass mailings. Is anyone paying us for our time to rectify a problem we didn't create? Has anyone ever considered that maybe we shouldn't be mailing this type of information and then making it too easy to obtain one financial instrument, or another?

We see technology fixes, which are highly publicized, but seem to have short lifetimes after "savvy" criminals defeat them. An example of this is the "chip and pin" technology - which seemed to be compromised in no time at all on older ATM machines.

There are still a lot of older ATM machines to be used.

I've also seen "experts" blame people for not keeping their virus protection up-to-date, or falling for social engineering schemes. Are they to blame for e-commerce sites that are easily faked and complete "do it yourself" scamming kits routinely available on the Internet?

An entire security industry has grown up around this problem and if you want protection - which doesn't always work - you need to line someone's pockets. In fact - in many instances - you not only have to line their pockets once, but you also have to pay for all the countermeasures that are developed when their measures are defeated.

Businesses love income streams.

Then there are the faux providers of protection, which can lead to more information being sifted from your computer if you happen to download their "fixes." It's very difficult for most consumers to determine - who is reputable and who is not - when their ads are right next to each other on the Internet.

Sadly enough - one of the solutions has been to offer "identity theft insurance," which means that people are being asked to finance their own protection. A lot of this is being sold by the same people, who are buying and selling all the information that caused the problem in the first place.

We need to address the real issue, which is that there is too much information out there that is "poorly protected" and easily accessed for "dubious purposes."

Please note that I'm not advocating that people don't need identity theft protection, or to protect their systems. Virus protection, firewalls and identity theft protection are probably good things to have in the current environment we are dealing with.

And I'm not saying all the "experts" are wrong. Trust me, a lot of them are hard-working, thoughtful and dedicated people trying to make a difference. The problem is that money can buy a lot of experts and those using and abusing people's personal information have plenty to spend.

We need to stop believing that technology can cure the problem and realize we are dealing with a social issue. The bottom line is that a lot of sensitive personal information is being poorly protected and too many people are being victimized by the use of it.

Since so much money is being made by making "sensitive information" too easy to access, the people making a lot of money are resistant to change. Until we make it less profitable for them to continue "enabling" the problem, the problem isn't going to disappear and is likely to grow.

If the people enabling the problem are "resistant to change," perhaps the answer is to create laws to protect the innocent and make it a little harder for the guilty to do business as usual!

Blaming victims for something they didn't cause is getting a little old!

2 comments:

Gary said...

Hi Ed.

I have a minor quibble with your comments about chip-and-PIN seemingly being compromised 'in no time at all'. That was indeed a fair reflection of the initial news stories at the time of the incidents, but in fact I understand it was the conventional old-fashioned magstripes that were compromised, not chip-and-PIN per se. I'm not saying chip-and-PIN is inherently uncompromisable, just that it *appears* to be secure at present.

Kind regards,
Gary

Ed Dickson said...

Gary,

Very good point - I added that the cards were compromised on older machines.

Thanks for the feedback.