Identity Theft and Your Personal Information
--------------------------------------------
Identity theft is apparently the in thing these days. By media accounts, hackers and evildoers lurk everywhere trying to steal your personal information. In the past few months, one company after another is being forced to admit customer data has been lost or stolen. In many cases, they have then come forth repeatedly over the next few weeks, or even months revising the estimated number of impacted customers. To date, I dont think any have ever lowered those numbers. Identity Theft and Respected Companies
--------------------------------------
Generally speaking, these arent fly-by-night organizations. These are respected companies who weve come to trust. In many instances, the loss wasnt even the work of a malicious hacker or other mystical force beyond their control; it was simple carelessness. The frequency of such reports of identity theft is making it difficult for consumers to feel confident in those with whom we do business. Customers are outraged that companies are not doing more to protect their information from the forces of evil. You and Your Personal Information
---------------------------------
What about you? How are you at keeping you personal information under wraps? Some of these high profile incidents were the result of a trivial mistake that could have happened to anyone, including you. Lets consider two events that didnt make the front page of C|Net or CNN. The Keys To The Castle
----------------------
I consult for a client who doesnt trust me. Its nothing personal, they dont trust anyone. Whenever I visit this site, I am forced to contact the client throughout the visit to have them type a credential, or password, to grant access to a server or router. Its really annoying. I really respect this client. They dont really know me; Im the consultant. Theyre taking the proper steps when dealing with a consultant, providing the absolute minimum amount of information required. They would never give me unsupervised access to the network, and certainly wouldnt consider giving me passwords to their servers or routers. Not on purpose anyway. Then there was the day I was working alongside the client and needed to reconfigure a router to complete a task. Its a long walk to the clients office to get the password for that particular router. Yes, this is a client who apparently has a unique password for every piece of equipment they own. Conveniently the client does keep a password protected file on a USB key that contained the needed information. The client was completely appropriate and even asked permission before using my laptop to fetch the file. I consented, and even made the gesture of turning away while he unlocked the file and retrieved the required password. Have you ever used Google Desktop Search? Its a very cool, and aptly named, program that is a Google for your PC. It will index your files and make them searchable through a fast, flexible, and easy to use interface. Itll even cache the contents of files so if you move it off your hard drive, youll still be able to see the contents of what was once there. Normally it does all this in the background when you computer is sitting idle. It also does it anytime you open a file. Your Personal Information Is The Prize
--------------------------------------
You guessed it. Logins, passwords, public and private IP addresses. You name it, I had it. The client who would never give me a single password had turned over all of them at once. What kind of wondrous data was now available? Personnel records, salary data, trade secrets? Maybe, if this was a corporate client. What about an academic, a University even? Student records, financial aid forms, and grant information. The possibilities were endless. I promptly deleted the cache. The customer didnt want me to have the information, nor did I. Would You Hand Your Credit Card To A Stranger?
----------------------------------------------
The previous example showed how simple it is to inadvertently reveal a large amount of data. Its funny how easily a person can dismiss this type of loss. After all, its not your data, right? So lets get a bit more personal. Convenience And Computer Security Are Rarely Compatible
-------------------------------------------------------
I have a good trust relationship with my next client. She is quite comfortable with me administering and securing the corporate network. When it comes to her personal credit card information however, well, not so much. Pretty much every web browser available these days has quite a few convenience features designed to make your day to day net experience simpler. One of these convenience features came into play in this example, specifically the Firefox browsers auto-completion feature. Not too long ago, I was tasked by this client to make arrangements for transfer of an internet domain to their ownership. Not a difficult task, she could have handled it herself. She was quite a capable computer user; she just didnt want to be bothered with the process. I set aside 20 minutes to go through her domain registrars step-by-step transfer wizard. I summoned the client to explain the details of the transfer displayed on my laptop screen. Facing the payment options screen the client asked if she could proceed. I relinquished control of my laptop and she entered the credit card information required to complete the transaction. Web Browsers Cache Your Personal Information
--------------------------------------------
Most modern web browsers, for convenience, will cache information entered into web forms. The intent is to be able to recall this information if its requested by another form. The following day, I was in the process of registering another domain with the same registrar and was surprised, for half a second, when the payment screen pre-populated using the same information used the day before. In addition to the credit card information I also had my clients personal home address, and telephone number. This was quite a bit of personal information the client never had any intention of giving me. So What's Your Point?
---------------------
These two examples are very different but do share two important attributes. First, data the client intended to keep private was revealed to me. Second, the reason for the compromise of the data was due to the victim working with said data on a computer they neither owned nor were familiar with. Under different circumstances, the end results could have been quite devastating. Conclusion
----------
When using a computer system you do not own, perhaps at a kiosk, or Internet Caf, be aware that the computer itself is going to remember a lot of what youve done as part of basic functionality. Additionally, most entities that are going to provide you with access to a computer, including your employer, probably have systems in place that could collect additional data you dont desire to share. Even WiFi hotspots that allow you to use your own notebook or PDA to surf the web while sipping coffee can be a potential information collector. The moral of the story is, when dealing with computer systems that arent your own, never handle data or documents that you wouldnt want left behind unprotected. In all odds, once you walk away from that computer, youve done just that. |
