Shostack + Friends Blog Archive


Clueless about ID Theft

I’m not sure if Jon Ostik’s column “Want to prevent ID theft? Get back to basics” is a brilliant April Fool’s Day joke, or, an example of, as the Identity Theft blog claims, “Many “security professionals” are clueless about identity theft.”

Before anyone panics, the logical first step in any security process is an audit. No sexy technology here, just smart security professionals looking for weaknesses in every component of a technology system and every step of a process.

In an entire 850 word column, Ostik fails to mention minimizing data collection or storage. He talks about getting back to the basics where the basics don’t work. An audit of vulnerabilities isn’t what’s needed; an audit of requirements and use is. Why does your company have social security numbers? Could you get rid of them? Could you not use them for a credit check and throw them away?

He comes so close to asking the right questions, and offering the right advice. But then he doesn’t. So allow me.

Stop asking for social security numbers. If you can’t stop asking, stop storing them. If you can’t stop storing them, store them on an isolated database with tightly restricted access. Customers are becoming increasingly concerned with id theft. Offer them the option of a deposit or credit card payment as an alternative to offering credit yourself. Get back to basics, and ask how your organization can respect your customers, rather than putting them at risk.

One comment on "Clueless about ID Theft"

  • Cypherpunk says:

    Too much focus on SSNs. SSNs are just a symptom of the problem. The problem isn’t that Blockbuster Video knows my SSN; the problem is that Citibank will make a loan to someone who knows my SSN and assume that it’s me! Citibank is at fault, not Blockbuster. Banks have to stop making loans based on information that is public knowledge. The SSN cat is out of the bag, it’s too late to try to pretend that it’s some big secret that no one should know.

Comments are closed.