How Easy is it to Steal an Identity?
I was surfing the web tonight and I came across an article on Scientific American. The author asked some friends for permission to break into their bank accounts and then went to work trying to steal their identities. The ease with which he was able to do so is startling.
He first used a variety of techniques to gather information, including reading the target's blog and googling them, and then used that information to break into the target's email accounts via password resets. Once he had access to the target's email, he could receive password reset emails from their bank accounts and would then have access to their money.
All of this work could be accomplished in a few hours, and the entire security of the target's identity hinged on an email account that asked only for the user's birth date (which the author was able to figure out). In an age where there are countless tools to document your life, career and every waking moment online, this article is a great reminder to think before you post.
What can you do?
• Test the password reset functions on your email and bank accounts. How do they authenticate the request? Do they ask security questions? Can those questions be easily learned on the web?
• Google yourself. What can you learn?
• Do you blog? Are you on Facebook or another social networking site? What have you said about yourself?
• Does your family blog? If your brother's blog mentions that he had you over for your birthday, it could expose information that is useful to someone who has targeted you.
• In general, be aware of the trail of breadcrumbs you are leaving on the internet. Think twice before you post personal information on a blog or social networking site.
• When choosing security questions, choose obscure ones that nobody is likely to know or be able to figure out.
Disinformation can also be your friend. This strategy was used extensively (and with great success) by the Allies in World War II. The principle is that you deliberately publish false information. Maybe the birthday you post online is intentionally wrong. Anyone attacking your accounts will not have the real information to use against you.
Similarly, when I create an account online and have to select and answer security questions I will put answers that are technically incorrect but are likely to be the first thing I think of when I see the question.
There is a lesson to be learned here for online service providers as well. We need to be careful about what kind of information we disseminate when we assist users in resetting their passwords, and we need better ways to authenticate our users since we are living in a world where personal information is often trivial to find online.
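To make the service-provider lesson concrete, here is an added example (my own illustration, not code from the article or from any service it mentions). It puts the weak flow the article describes, a reset gated only on a birth date, beside a hardened flow that authenticates the request by possession of a random, single-use, expiring token delivered out of band, and that answers every reset request with the same message so the endpoint cannot be used to confirm which addresses have accounts. The user store, email addresses and passwords are constructed sample data; the token-delivery step is simulated by returning the token, which a real service would only ever email.

```python
import hashlib
import hmac
import secrets
import time


# Constructed sample data, not real accounts. Salted SHA-256 keeps the example
# short; a production service would use a slow password hash (argon2, scrypt, bcrypt).
def _hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


USERS = {
    "alice@example.test": {
        "birth_date": "1980-05-17",  # the kind of fact a family blog post gives away
        "salt": "s1",
        "password_hash": _hash_password("correct horse", "s1"),
    }
}


# --- Weak flow: knowledge-based reset, as in the article ---------------------
def weak_reset(users, email, birth_date, new_password):
    """Resets the password for anyone who knows the birth date.

    Two defects: the only authenticator is a fact that is often public, and the
    distinct error messages tell the caller whether the account exists."""
    acct = users.get(email)
    if acct is None:
        return "no account for that address"
    if acct["birth_date"] != birth_date:
        return "wrong birth date"
    acct["password_hash"] = _hash_password(new_password, acct["salt"])
    return "password changed"


# --- Hardened flow: possession of a random, single-use, expiring token --------
class PasswordResetService:
    GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."

    def __init__(self, users, ttl_seconds=900):
        self.users = users
        self.tokens = {}  # sha256(token) -> (email, expiry); raw tokens are never stored
        self.ttl = ttl_seconds

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email, now=None):
        """Step 1: issue a token. The reply is identical whether or not the
        address is registered. The token is returned here only to stand in
        for delivery to the user's mailbox; a real service never shows it
        to the caller of this endpoint."""
        now = time.time() if now is None else now
        token = None
        if email in self.users:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self.tokens[self._token_hash(token)] = (email, now + self.ttl)
        return self.GENERIC_REPLY, token

    def complete_reset(self, token, new_password, now=None):
        """Step 2: redeem the token. It is consumed on first use, must not be
        expired, and one refusal covers 'unknown', 'already used' and 'expired'."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(self._token_hash(token), None)
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        acct = self.users[email]
        acct["password_hash"] = _hash_password(new_password, acct["salt"])
        return True


def check_login(users, email, password) -> bool:
    """Constant-time comparison of the stored hash against the candidate."""
    acct = users.get(email)
    if acct is None:
        return False
    candidate = _hash_password(password, acct["salt"])
    return hmac.compare_digest(acct["password_hash"], candidate)


if __name__ == "__main__":
    svc = PasswordResetService(USERS)
    reply, token = svc.request_reset("alice@example.test")
    print(reply)
    print("reset accepted:", svc.complete_reset(token, "new passphrase"))
    print("replay accepted:", svc.complete_reset(token, "attacker choice"))
```

The two properties worth copying are that the service stores only a hash of the token (a leaked database does not hand out live reset links) and that `request_reset` returns the same text for every address, which is the "careful about what we disseminate" point above. Rate limiting and notifying the account owner on every reset are the usual companions to this flow and are left out here for brevity.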
Additional information and tips on protecting your identity can be found on the Norton Family Resource site.
Update: There's a great conference going on in Seattle, WA right now called Gnomedex. One of my colleagues is there and she's just let me know about a very relevant presentation delivered by search marketing pro Danny Sullivan entitled "Search Life Meets Real Life". In his presentation, Danny explores how search, the accessibility of web tools and all the bits of information we post online have the potential to collide with our real lives. He just posted his presentation to his blog; check it out here: www.daggle.com
Message Edited by Sondra_Magness on 01-19-2009 04:03 PM