CAT | Identity Theft
Irish Data Protection Commissioner Billy Hawkes has stepped in to have a database of civil registration records removed from the website IrishGenealogy.ie. The problem is that the database contains information on living persons which is often used for identity verification.
That would include things like mother’s maiden name and birth date. While these are public records, previously they had required payment of a fee, and it was not easily searchable on-line.
Of course, in the era of social media, these kinds of authenticators should have been disposed of long ago. Too many of them can be easily discovered by looking through Facebook accounts and the like.
This case also highlights the troubling nature of public records. In the past records were public in the sense that anyone could go to a government building and access the paper records. They could not be easily be searched as a whole, and the entirety of the records pulled into a private database. This is a kind of security by obscurity, but a useful one. With Internet records, many people are not comfortable with just how public much of this information is. The old inconvenience placed a low but real barrier to data access, effectively insuring that it was only done for specific people and for specific purposes. It is not at all clear how to get that without loosing all the advantages of Internet accessibility.
Brian Krebs has written an excellent discussion and analysis of credit monitoring / credit protection services, and some steps you need to take to protect yourself. You should read it.
Welcome to episode 13 of our podcast for September, 2013.
In this episode I will talk about:
A major security breach at Adobe
How airplane mode can make your iPhone vulnerable to theft
Russian plans to spy on visitors and athletes at the winter Olympics
Whether you should move your cloud storage to the EU to avoid surveillance
Identity thieves buying your personal information from information brokers and credit bureaus
How to stop google using your picture in its ads
Why carelessness lead to the capture of the operator of the Silk Road
And how Browser Fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.
Brian Krebs has an interesting blog post on how all of the credit card information was stolen by a hacker from a website that sells stolen credit cards.
This is in the “don’t know whether to laugh or cry” department.
This article discusses the risk from “deep packet inspection” by ISPs. The article states that at least 100,000 people in the US are being tracked with this technology right now. If true, the impact of this could be huge. Whereas a website can only track you when you are actually visiting that site, your ISP can see all of your activity on any website or other service you use. The idea is that the information collected could be sold to advertisers to better target marketing messages to you. If you had been looking at car sites, you might see more car ads next time you visit an advertising supported website like CNN.com.This is certainly not the realm of science fiction. The Chinese government is already using this technology on a massive scale as part of their national censorship infrastructure. They use it to detect forbidden words and phrases, “Tibet” being at the top of that list right now.Most of us assume that the bad guys are “out there” on the net, and assume that our ISPs are basically just passing our traffic along without looking at it. If they start this kind of inspection, it opens all kinds of additional risks. Once the equipment is there, a rogue sysadmin could tune it to watch for passwords, personal information, bank information, etc. It opens a whole new set of vulnerabilities.Anonymizer’s Total Net Shield, and Private Surfing (with full time SSL enabled) provide significant protection against this threat. Both allow you to tunnel your traffic to Anonymizer without the ISP being able to inspect it, other than to see that it is going to Anonymizer.It is shocking to me that this kind of thing should be possible without explicit user consent. Maybe we need a “truth in labeling” law for Internet service providers. A bottle of Napa Merlot can not be so labeled unless it is from Napa and made from merlot grapes. Similarly, it should not be called an “Internet Connection” if you can’t go everywhere (some ISPs are restricting certain perfectly legal protocols). If the ISP is going to spy on you, it should be in big red letters. Maybe I am OK with that, but I certainly have a right to know in advance.