Clueless about ID Theft
I’m not sure whether Jon Ostik’s column “Want to prevent ID theft? Get back to basics” is a brilliant April Fool’s Day joke or an example of what the Identity Theft blog claims: “Many ‘security professionals’ are clueless about identity theft.”
From the column: “Before anyone panics, the logical first step in any security process is an audit. No sexy technology here, just smart security professionals looking for weaknesses in every component of a technology system and every step of a process.”
In an entire 850-word column, Ostik never mentions minimizing data collection or storage. He talks about getting back to basics, but the basics he describes don’t address the problem. An audit of vulnerabilities isn’t what’s needed; an audit of requirements and use is. Why does your company hold social security numbers at all? Could you get rid of them? Could you use them only for the credit check and then throw them away?
He comes so close to asking the right questions, and offering the right advice. But then he doesn’t. So allow me.
Stop asking for social security numbers. If you can’t stop asking, stop storing them. If you can’t stop storing them, store them in an isolated database with tightly restricted access, and delete them as soon as they have served their purpose. Customers are increasingly concerned about ID theft: offer them a deposit or credit card payment as an alternative to extending credit yourself. Get back to basics, and ask how your organization can respect its customers rather than putting them at risk.
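To make the “isolate and restrict” fallback concrete, here is an added illustration in PostgreSQL; it is not from Ostik’s column or from the original post. The table, schema and role names are hypothetical. The everyday customer record carries no SSN column; the number lives in a separate schema (a stand-in for a separate database) that the ordinary application role cannot read, with a purge date so it is deleted once the credit check is done.

```sql
-- Added example, not from the original post. Role, schema and table names
-- are hypothetical stand-ins.

-- Two roles: one that owns the sensitive schema, one service that performs
-- credit checks. The ordinary web application role gets neither.
CREATE ROLE credit_owner NOLOGIN;
CREATE ROLE credit_check_svc LOGIN;
CREATE ROLE web_app LOGIN;

-- Everyday customer data: deliberately no SSN column.
CREATE TABLE customers (
    customer_id  bigserial PRIMARY KEY,
    full_name    text NOT NULL,
    email        text NOT NULL
);
GRANT SELECT, INSERT, UPDATE ON customers TO web_app;
GRANT USAGE ON SEQUENCE customers_customer_id_seq TO web_app;

-- Sensitive data in its own schema, owned by a role nobody logs in as.
-- In production this would be a separate database on a separate host;
-- a separate schema approximates that here.
CREATE SCHEMA credit AUTHORIZATION credit_owner;

CREATE TABLE credit.ssn_vault (
    customer_id  bigint PRIMARY KEY REFERENCES customers(customer_id),
    ssn          text NOT NULL,
    collected_at timestamptz NOT NULL DEFAULT now(),
    -- Once the credit check is complete the number has no further use.
    purge_after  timestamptz NOT NULL
);
ALTER TABLE credit.ssn_vault OWNER TO credit_owner;

-- Nobody except the credit-check service reaches the schema at all.
REVOKE ALL ON SCHEMA credit FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA credit FROM PUBLIC;
GRANT USAGE ON SCHEMA credit TO credit_check_svc;

-- The service may write a number, read it back for the check, and delete it.
-- No UPDATE: there is no legitimate reason to edit a stored SSN in place.
GRANT INSERT, SELECT, DELETE ON credit.ssn_vault TO credit_check_svc;

-- Typical use by the credit-check service: keep the number only briefly.
INSERT INTO credit.ssn_vault (customer_id, ssn, purge_after)
VALUES (1, '000-00-0000', now() + interval '7 days');   -- constructed sample row

-- Scheduled purge of numbers that have served their purpose.
DELETE FROM credit.ssn_vault WHERE purge_after < now();
```

Because `web_app` has no `USAGE` on the `credit` schema, a SQL injection or a compromised application account in the customer-facing tier cannot reach the numbers at all; the attack surface shrinks to the credit-check service and its narrow grants, and the purge keeps the exposure window short.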