Wednesday, April 13, 2005


First ChoicePoint, Now Lexis-Nexis - Your Identity Is For Sale

A few weeks ago when news of the ChoicePoint data-warehouse compromise broke, I wrote an article called "Identity Protection Is Up To You" (http://www.cafeid.com/art-choice.shtml). I suggested that the story that emerged was misleading in the way the central problem was framed to deflect criticism away from ChoicePoint and onto some shadowy group of people taking advantage of the gee-whiz high-tech Internet to defraud an upstanding corporate citizen and the people that corporation "serves". But the problem seems to be that your personal identity is for sale, and the problem is that you have no idea who's buying.

This week, it's information giant Lexis-Nexis, a division of an Anglo-Dutch publishing concern called Reed Elsevier, increasing its estimate of the number of potential victims (ten-fold, from 32,000 to 310,000). Once again, the security breach that led to the "misappropriation" of customers' names, addresses, Social Security numbers and driver's license information was human, rather than technical in nature. CNN reported that the thieves were able to fool the company into giving them working passwords on 59 occasions. This is "social engineering" at its finest, and it shows that it doesn't matter how much a company spends securing its network when its employees are able to be cajoled into giving out the passwords.

What's going on here?

ChoicePoint and Lexis-Nexis have several things in common: Both companies purchased existing companies that experienced these security breaches prior to their purchase. Both security breaches were the result of social engineering rather than computer hacking. Both companies were performing well financially dealing in the lucrative sale of this data. And, perhaps most interestingly, both of the companies that were purchased were previously founded by the same man, Hank Asher, a wealthy Boca Raton, FL business man and technophile who also became a government informant after being identified as an unindicted co-conspirator in a cocaine smuggling scheme.

One company he founded, DBT Online, Inc., the subsidiary of ChoicePoint whose data was compromised, was also the company hired to purge Florida's voter rolls of "ineligible" voters prior to the infamous 2000 election. The other, Seisint (the one purchased recently by Lexis-Nexis) was the company hired to architect the incredibly-named MATRIX (the Multi-State Anti-Terrorism Information Exchange), a secretive project funded largely by the federal government to do data mining in the name of national security. Seisint was the victim of the most recent massive database-compromise scandal. Check this link for more information on this project: http://www.aclu.org/Privacy/Privacy.cfm?ID=14894&c=130

This should give you pause even without taking the conspiracy theories into account (and there are some wild ones out there). This is far-reaching information and these companies are trusted by our government, by us, to get it right; and confidence men are able to get at this information out the back door while computer experts are busy boarding up the front to keep out the very people whose lives' details fill these databases.

What should you do?

With each of these news stories that breaks, it's becoming more evident that there's little you can do to protect your data. You no longer own it once it's in the databases of these companies, and you're dependent upon human beings to guard it, or at the very least not give out the passwords. There weren't that many points of vulnerability. Only a handful of Seisint employees, as few as 15, overseen by Florida state police, were responsible for maintaining records in the company's database.

The first thing you should do is write your representatives in government to demand oversight and accountability of these private concerns in whom so much trust is place. Write a real letter, on paper, seal it in an envelope and put it in the mail to your state and Federal representatives. Go to http://www.vote-smart.org and type your 9-digit ZIP code into the search box on the left in order to find detailed information, including contact addresses, for all your representatives. If you don't know your 9-digit ZIP code, you can find it by entering your address at http://www.usps.com/zip4

The next thing you should do is determine a way to keep an eye on your credit reports, since these are usually the first indicators of identity theft. New laws have been passed requiring each of the three major credit reporting agencies to provide you with a free copy of your report each year. This is only possible through a single website - http://www.annualcreditreport.com or by calling 877-322-8228 or writing Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You'll need to supply your name, address, Social Security number and date of birth, and if you've moved recently, a previous address.

The law requiring this service allows you to request your reports all at once or to stagger them, ordering one at a time throughout the year. We recommend this course, as it will allow you to view activity every four months and locate potential trouble sooner. This is all detailed at the Federal Trade Commission website at http://www.ftc.gov. The Electronic Privacy Information Center also maintains a valuable resource at http://www.epic.org.

Your Social Security number is a powerful entity, and you should take care to protect it. It has become a de facto universal identification number, used by financial and educational institutions among others on whom the idea that the number is not meant to be used as identification is lost. When asked to provide the number, always ask if the number is really required and when the eyes of the person you're asking glaze over, if there is an alternative number you can use.

Most people feel compelled to provide accurate information when filling out forms requesting personal information; but unless the information is truly required (i.e. they need a real address to deliver your order or your street address needs to match your file to make a credit card purchase) there's no real need to feed the beast.

In general, if you're receiving something for money, you should fill out the information accurately because there may be legal issues involved. For example, if you were registering your domain name at our website at cafeid.com, your contact information needs to be correct by law; but, on the other hand, there's no need to give out your real address to sign up to read an online newspaper article (at least one website, http://www.bugmenot.com, even makes it easy to use phony information!) The idea is that you should know who is asking for your personal information and why they need it before you hand it over.

Therein lies the biggest problem with these private information clearinghouses, and the one thing that will eventually bring about reform. The fact is that you cannot know what the company knows about you without becoming a customer (if that's even possible or affordable), but a skillful social engineer could pay Seisint a quarter ($0.25) for a basic report once they've finagled a password out of a gullible employee.

The credit reporting agencies played this game as long as they could and had to be forced to provide you with your credit information for free. You still have to pay if you're in the East or South! But the only solution to this ongoing and growing problem is a complete overhaul in the laws that allow these companies to collect and sell your personal information without protecting and informing you in the process. Millions of government dollars and reliance upon this information by the government itself is a good deal of inertia to overcome; but it has to start somewhere. Grab a pen.

-----

About the Author

Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.


Save To Del.icio.us    Digg! Digg This!
posted by RealitySEO at 7:07 PM

0 Comments:

Post a Comment

<< Home