CAT | Identity Theft
Irish Data Protection Commissioner Billy Hawkes has stepped in to have a database of civil registration records removed from the website IrishGenealogy.ie. The problem is that the database contains information on living persons which is often used for identity verification.
That would include things like mother’s maiden name and birth date. While these are public records, previously they had required payment of a fee, and it was not easily searchable on-line.
Of course, in the era of social media, these kinds of authenticators should have been disposed of long ago. Too many of them can be easily discovered by looking through Facebook accounts and the like.
This case also highlights the troubling nature of public records. In the past records were public in the sense that anyone could go to a government building and access the paper records. They could not be easily be searched as a whole, and the entirety of the records pulled into a private database. This is a kind of security by obscurity, but a useful one. With Internet records, many people are not comfortable with just how public much of this information is. The old inconvenience placed a low but real barrier to data access, effectively insuring that it was only done for specific people and for specific purposes. It is not at all clear how to get that without loosing all the advantages of Internet accessibility.
Brian Krebs has written an excellent discussion and analysis of credit monitoring / credit protection services, and some steps you need to take to protect yourself. You should read it.
Welcome to episode 13 of our podcast for September, 2013.
In this episode I will talk about:
A major security breach at Adobe
How airplane mode can make your iPhone vulnerable to theft
Russian plans to spy on visitors and athletes at the winter Olympics
Whether you should move your cloud storage to the EU to avoid surveillance
Identity thieves buying your personal information from information brokers and credit bureaus
How to stop google using your picture in its ads
Why carelessness lead to the capture of the operator of the Silk Road
And how Browser Fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.
Brian Krebs has an interesting blog post on how all of the credit card information was stolen by a hacker from a website that sells stolen credit cards.
This is in the “don’t know whether to laugh or cry” department.
This article discusses the risk from “deep packet inspection” by ISPs. The article states that at least 100,000 people in the US are being tracked with this technology right now. If true, the impact of this could be huge. Whereas a website can only track you when you are actually visiting that site, your ISP can see all of your activity on any website or other service you use. The idea is that the information collected could be sold to advertisers to better target marketing messages to you. If you had been looking at car sites, you might see more car ads next time you visit an advertising supported website like CNN.com.This is certainly not the realm of science fiction. The Chinese government is already using this technology on a massive scale as part of their national censorship infrastructure. They use it to detect forbidden words and phrases, “Tibet” being at the top of that list right now.Most of us assume that the bad guys are “out there” on the net, and assume that our ISPs are basically just passing our traffic along without looking at it. If they start this kind of inspection, it opens all kinds of additional risks. Once the equipment is there, a rogue sysadmin could tune it to watch for passwords, personal information, bank information, etc. It opens a whole new set of vulnerabilities.Anonymizer’s Total Net Shield, and Private Surfing (with full time SSL enabled) provide significant protection against this threat. Both allow you to tunnel your traffic to Anonymizer without the ISP being able to inspect it, other than to see that it is going to Anonymizer.It is shocking to me that this kind of thing should be possible without explicit user consent. Maybe we need a “truth in labeling” law for Internet service providers. A bottle of Napa Merlot can not be so labeled unless it is from Napa and made from merlot grapes. Similarly, it should not be called an “Internet Connection” if you can’t go everywhere (some ISPs are restricting certain perfectly legal protocols). If the ISP is going to spy on you, it should be in big red letters. Maybe I am OK with that, but I certainly have a right to know in advance.
As a followup to my discussion of risks of online tax filing, here is an article on security weaknesses at the IRS. Report: IRS bungles may imperil data
It does not appear that this is particularly connected to online filing, but rather an overall laxness in their security.
The Motley Fool has a nice blog post on issues involved in electronic filing of tax returns.
There are a couple of important points to be made here. First of all…
- The IRS has all your information and it will be in digital format (accessible by computer);
- You are exposed to some points of vulnerability when filing electronically, rather than on paper;
- The information on your PC is vulnerable to theft (whether you send it electronically or just use tax software);
- Your information is vulnerable on the Internet-accessible servers to which you upload your data; but
- On the flip side of the coin, paper returns are subject to loss, theft and mishandling as well, both in transit and within the IRS.
It is somewhat similar to using a credit card. You can risk online theft when conducting an e-commerce transaction, or real-world theft when handing over your card to a minimum wage worker over a store counter. Risks exist both ways.
At this time I think the jury is out on which is safer, but, for the record, I file electronically.