Wednesday, June 24, 2009

Teaching a Nation to be Scammed

Why we open ourselves up to identity theft

Why do people give out their social security number to phishers who call them? Why do they email mortgage applications to fraudulent companies? A few decades ago, we might have been able to explain the problem by a lack of education: they just didn’t know the dangers or the risks. Today, that is a weaker and weaker argument. Clients contact me all the time reporting that they knew something was strange, or they knew that they should never give information over the phone, but they ignored their inner voice and exposed the information anyway. Why?

In part, it is because all of our lives we have been taught how to be scammed. The very agencies that we trust to protect us have instilled habits and patterns that make it easier for criminals to manipulate us. From school to work, from local to federal government, we have unwittingly prepared ourselves psychologically to expose the deepest private details about ourselves. Before privacy and security in this country can undergo a real revolution, these practices must be changed.

I am not advocating mistrust of the government’s intentions with regard to any particular practice; this is not a conspiracy theory. I am advocating a healthy distrust of the humans who must handle that information. According to a recent article by Robert Siciliano, “As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks or government agencies, or simply someone who has an existing relationship with the victim.” The point of this article is not the intention of the legislation behind these practices, but rather the citizen training that occurs when procedures become habits.

First, we have been taught to trust authority figures from a very young age. We have not been taught how to verify them. This skill is absent in many people who panic when they receive a message from someone claiming to be their bank. Searching online, checking with the Better Business Bureau, or calling the number on their statement or the back of their card rarely occurs to these victims. Why isn’t their first reaction to verify any form of contact? They were never taught to do so. Did you ever verify your teachers? Even in college? Did you check what degree they held, or whether they had a criminal past? Has a police officer ever encouraged you to take their badge information and verify it with the local precinct? Unlikely. Children are taught “don’t talk to strangers,” but at the same time we instruct children how to identify a police officer in case they need help. This is similar to a credit card company telling consumers never to give their personal information out over the phone, and then calling a consumer to request that same information to verify transactions. Have you ever been given a list of the questions call center representatives should be asking you to verify your identity? Do you know whether it is against company policy for them to ask for your full social security number or only the last four digits? If you don’t, then you may be exposing your information to an insider threat at that organization, and you may never know.

In addition to trusting authority figures, we are often asked to repeat our social security numbers or use them as identifiers. Each time we say the number in response to a request, we have made it just a little easier to say it again the next time. The more we reveal the number, the less private we feel it is, and we tend to treat it as such. One of the clearest examples is the military’s use of SSNs as identifiers. Not only does it pose a greater risk to those who are protecting our country, but these individuals may be at a higher risk while deployed or on active duty: military personnel often do not have the time, access to resources, or ability to communicate with the credit bureaus. It isn’t just the military (although I expect more protection for the troops); it is also employers and professionals. All sorts of companies, from dental offices to video rental shops, have been using SSNs as account numbers or identifiers for decades. Not only does this expose your information to many more potential insider threats, but it also psychologically devalues the information for us. If I use my social security number at the rental store to pick up the newest DVD, it becomes far easier to hand it out to a solicitor offering to place my information in a prize drawing. The same goes for date of birth. I cringe every time I see a promotional offer come in the mail, usually a postcard that says “Happy Birthday! Good for One Free Meal on January 1st.” Nothing like a flyer announcing my birthday to leave a pit of worry in my stomach; there is no such thing as a free meal, right?

Usernames and passwords are also often overlooked. People seem to be aware of how important it is to keep these secure, yet most people (over 50%) use the same user names and passwords for everything. Remember what I said about the insider threat? How easy would it be to compromise every bank account and email address you have if just one insider decided to? If your email address and a single password are all you use, even better for them. Once they have access to your email account, all the accounts you have registered with that email become exposed, because their password resets arrive in that mailbox. Some of us may even be exposing our work email, and our companies, with this practice. Some may even be conversing with their doctor through websites using the same information. Although public backlash forced the city to rescind the request, Bozeman recently required that job applicants provide the usernames and passwords for their internet sites. The news spread quickly, I am sure catching the eye of many a potential hacker and insider threat alike. Many professionals use social networking sites such as Twitter or Facebook. Unfortunately, many of the applications for these sites are run by third parties who are not reviewed by the social networking site for privacy or security compliance. Almost universally, your username and password are requested. Again, these sites may do what they claim, but what else is happening with your information? Who else may be looking at it, unbeknownst to you or the third-party application?
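To make the cascade described above concrete, here is a small added example (my own illustration, not code from the original post) that models a person’s accounts and computes how far a single compromised account can spread through two channels: a reused password, and a password reset sent to an email account the insider already controls. The sites, logins and passwords are constructed sample data, not real credentials.

```python
from collections import defaultdict

# Constructed sample of one person's accounts (hypothetical sites, made-up credentials).
# reset_email is the mailbox that receives that account's password-reset links.
ACCOUNTS = [
    {"site": "bank.example",  "login": "alice@mail.example", "password": "Summer2009!",   "reset_email": "alice@mail.example"},
    {"site": "mail.example",  "login": "alice@mail.example", "password": "Summer2009!",   "reset_email": None},
    {"site": "shop.example",  "login": "alice",              "password": "Summer2009!",   "reset_email": "alice@mail.example"},
    {"site": "forum.example", "login": "alice",              "password": "c0rrect-h0rse", "reset_email": "alice@mail.example"},
    {"site": "work.example",  "login": "alice",              "password": "W0rkOnly#77",   "reset_email": "alice@work.example"},
]


def mailbox_site(email):
    """The site that hosts a mailbox, taken from the domain part of the address."""
    return email.split("@", 1)[1]


def reused_passwords(accounts):
    """Map each password that appears on more than one site to the sites that share it."""
    by_password = defaultdict(list)
    for account in accounts:
        by_password[account["password"]].append(account["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def blast_radius(accounts, compromised_site):
    """Sites an insider at `compromised_site` can take over, assuming they learn every
    password stored there and can read any mailbox hosted on a site already reached.
    Spread happens by (1) the same password being used on another site and
    (2) another site's password-reset email landing in a mailbox already reached.
    Iterates to a fixed point, so reset-email chains are followed transitively."""
    reached = {compromised_site}
    changed = True
    while changed:
        changed = False
        known_passwords = {a["password"] for a in accounts if a["site"] in reached}
        for account in accounts:
            if account["site"] in reached:
                continue
            reused = account["password"] in known_passwords
            reset_exposed = (account["reset_email"] is not None
                             and mailbox_site(account["reset_email"]) in reached)
            if reused or reset_exposed:
                reached.add(account["site"])
                changed = True
    return reached


def with_unique_passwords(accounts):
    """Same accounts, but every site gets its own placeholder password (the mitigation)."""
    return [dict(a, password=f"unique-{i}") for i, a in enumerate(accounts)]


if __name__ == "__main__":
    print("reused:", reused_passwords(ACCOUNTS))
    print("insider at shop.example reaches:", sorted(blast_radius(ACCOUNTS, "shop.example")))
    unique = with_unique_passwords(ACCOUNTS)
    print("with unique passwords, shop.example reaches:", sorted(blast_radius(unique, "shop.example")))
    print("with unique passwords, mail.example reaches:", sorted(blast_radius(unique, "mail.example")))
```

The interesting result is the last line: even after every password is made unique, an insider at the email provider still reaches every account whose reset link goes to that mailbox. Unique passwords close the first channel; only a separately protected mailbox (or a second factor on resets) closes the second.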

Finally, biometric data and DNA: while these are being touted as the crowning achievement in security and crime fighting, the dangers associated with their abuse are staggering. The Washington Post reported last year on the expansion of the US DNA database program. With this extension, “The U.S. government will soon begin collecting DNA samples from all citizens arrested in connection with any federal crime and from many immigrants detained by federal authorities, adding genetic identifiers from more than 1 million individuals a year to the swiftly growing federal law enforcement DNA database.” This includes those arrested and not convicted. I understand that when you commit a crime you lose some rights, including some rights to privacy. However, including this information from people who are not convicted is a dangerous precedent to set. Not only are you denying them the right to privacy, but you are denying them the right to control their DNA without any criminal charge. This implies that no one has the right to withhold their DNA. Although fingerprint databases are used as a comparison, it isn’t an accurate one. Fingerprints are just a recording of the lines in your fingers. Your DNA contains much more information about you and your family. If that DNA is “misplaced”, it is the equivalent of “misplacing” a whole finger, not your print records.

Just as your SSN can be used both to verify your identity and to fraudulently assume it, so can your biometric data and DNA. Think about the last time you submitted a urine analysis for a job application. Did you hand the cup directly to your manager? No, of course not. You, and the company that hired you, relied on the nurses, lab technicians, truck drivers and others to safely handle the sample and the information corresponding to it. An insider threat here can result in medical history becoming exposed or misrepresented. Still not convinced? Well, while the FBI tries to block attempts at searching for false matches, youth on social networking sites are posting their STD test results. This is the best evidence available to demonstrate the lack of understanding of privacy and security at all levels of society, which is a direct result of the pervading lack of education. I encourage privacy professionals to at least mention to their employer that they think UAs are an invasion of privacy, especially if you “have nothing to hide” from them. If we, in the industry, don’t set the example, there will be no one left to teach others. This is why the attitude of any administration occupying the White House is critical to the whole privacy structure. The only way to teach privacy and security is by example.

Although not the intention, these practices create a “habit” amongst citizens of treating your blood, saliva and urine as unimportant and not worth protecting. For those who claim that only those with “something to hide” should be concerned, let’s look at the lessons we can learn from other DNA databases. Last year, the Daily Telegraph reported that “Millions of profiles on the national DNA database have been handed over secretly to private companies without the consent of those involved”. If biometric information can be bought and sold as a commodity, the world becomes a dangerous place. Losing control over any information that is used to definitively identify you is dangerous, be it a social security number or a sample of blood. Information for background checks is another category of information we are trained to give without much thought. As an article published just today pointed out, most applicants are unaware of the "likelihood that much of the PII collected during a background check will travel far beyond the security of U.S. privacy laws to a foreign call center or data warehouse with little to no standards for privacy protection... rightful owner of the Personally Identifiable Information does not even have to be notified when it is sent outside of the country... providers continue 'offshoring' personal data to low-cost labor markets by using companies internationally to increase profits..." Further, "Employee personal data can also be 'repurposed' by background check companies and ATS/JBS providers to be used in another format or product, and also resold to skip tracers, lawyers, data aggregators, and marketing lists to be bought and sold again and again. The growing popularity of offshoring, repurposing, and reselling of PII data has led to identity theft and lost privacy."

Every time you walk a person through a process of providing private information, you are creating a habit. It makes it easier for them to provide it again. Regardless of the intended purpose, the insider threat of misuse is too great to be offset by the benefits these practices claim to deliver. Simple principles, taught early, can change the face of identity theft, fraud and scams from the ground up. While politicians and corporate executives fight round after round to hammer out better privacy and security policies that keep failing to catch up with technology, as consumers we can conduct our own privacy revolution by simply promoting privacy and security awareness in our communities and among our children. None of these practices provide an impenetrable shield, nor am I advocating outright refusal of all requests for information. I am simply advocating that we make it harder to invade our privacy, and that we understand exactly where and how our information is used and the potential for misuse.

*Ask current financial institutions, companies and associates how they handle and protect your information. Ask them how they might notify you of a potential breach, and what additional precautions they may have available. What are their record retention and disposal policies? How do they ensure proper disposal of e-waste?

*Ask your financial institutions and other companies what is required to access your information and account. Ask what is necessary to make changes. Some companies use the telephone number you are calling from as part of the identification process. Phone numbers can be easily spoofed, and old phone numbers never get corrected. You may wish to change the information they use to verify you.

*When dealing with a company that asks personal information to identify you, inquire about other methods of verification. Can you place a password instead? What happens if you claim to have forgotten the password, or your social security number? What is their security procedure? Be concerned if the customer service representative doesn’t seem to know. These are the people who handle your information, and if they don’t understand the verification system they can’t use it correctly.

*When you have the opportunity to raise concern about the use of private information- do. Companies respond to complaints- just look at Bozeman. In another state, a temp agency recently changed the appearance of their applications after receiving complaints regarding the use of the full SSN. Now they only ask for the last four until they place an individual in a job.

*Teach youth- who are at a higher risk for fraud and identity theft- the right habits to protect their privacy and the right questions to ask.

*Insist on authority verification- there are many consumer protection agencies at the local, state and federal level that can verify the legitimacy of a company. Always insist on initiating a phone call if private information is to be discussed, even if it means calling the same person right back.

*Insist on privacy where possible- especially if you have nothing to hide. Perhaps you have nothing to hide from your potential employer or government, but how can you trust the dozens- sometimes hundreds- of other people who have access?

*Never assume that information will be used only as intended. Assume insider threats and data compromises, and monitor your credit report and financial statements for fraud. You may use or call 877-322-8228 to obtain free copies of your report.

*Treat your information like currency. When I fill out a survey form in a department store to obtain a discount, I know that I’m exchanging my personal information for their use in marketing or advertising in exchange for the 10% off. Is it worth it? Is saving $3.50 on that blouse worth the risk of that information being exposed? If you’re not willing to have the information posted on a billboard for $3.50, chances are it is not worth the risk. Recently, when I have voiced this concern, I have found retailers accepting just my name and zip code in exchange for the discount. I turn in a mostly blank form, and they get a happy shopper.