Friday, November 11, 2005
With news reports of industry facing more and more scrutiny over identity theft, fundamental change in protection from this crime may be on the horizon. The development is welcome, but the temptation to let others handle a seemingly intractable problem is strong and plays into thieves’ hands.
We hear about multifactor authentication technology and laws forcing companies to inform the public. These are not bad ideas, but the temptation is to view them as panaceas, which they are not. Nothing done from the top down will be a cure-all for identity theft. We must accept responsibility for our own identities.
I suggest the following for consumers wondering how to protect themselves against identity theft and other security threats of the high tech world:
1) Use a free e-mail address for transactions. This will make it a lot tougher for thieves to trace your name back to financial information. As a bonus, the practice provides added protection against online stalkers.
2) Track your identity before something goes awry. Tools are available. MyPublicInfo (MPI), for instance, provides the Public Information Profile (PIP), a tool that helps to trace the public "threads" that run through our lives. The PIP aggregates public information from disparate sources into a complete and legally conforming personal profile. Through my Web site, I provide a link to more information about the PIP.
3) Avoid following links or buying from e-mail spam, which could really be a message from phishers, those who send “spoof” e-mails that masquerade as legitimate messages.
4) Enter your personal information only at familiar Web sites. Charlatans known as pharmers can tamper with DNS so that a legitimate site’s name leads to a fake site designed to steal information. Exercise extra precaution by making sure the site’s address begins with https, not simply http.
5) Use a double-blind, untraceable 800-number if you date online or must post a phone number to the Web or to a classified ad. Thieves and online stalkers can find out where you live and just about anything else from a home phone number. Companies such as PrivateTel (www.privatetelsolutions.com), NetworkIP (www.networkip.net), and others provide applicable 800-number services.
6) Never provide your Social Security number. Most of the time, the information is unnecessary, making any request for it suspect. Exceptions include when you call your credit card company for information, and the organization asks for the final four digits of the number.
7) Beware social engineers, identity thieves who gain victims’ trust before stealing personal and financial information. Social engineers use psychological techniques to give themselves a veneer of legitimacy. For instance, they may claim to be collecting charitable donations. Typically, they solicit via phone.
8) Whenever possible, use a credit card instead of a check. Should thieves get hold of your credit card information, you will encounter far fewer obstacles as you rectify the situation. With your checking account information, thieves can get your money for good and leave you bereft of recourse.
9) Avoid the use of a cordless phone to communicate details of your personal and financial information. Thieves can easily intercept conversations from cordless phones, which are susceptible to widely available eavesdropping technology.
10) Vary the passwords you use. By having only one or two passwords for all your online access, you make the identity thief’s job easy.
BONUS TIP: One of the major ways identity thieves obtain your information is by infiltrating your computer with spyware and viruses that record keystrokes and lift data from your hard drive. Install at least one anti-spyware program and run a sweep once per week. Run an effective virus shield at all times, and use a reliable firewall.
By taking a number of simple steps, you can greatly reduce your risk of becoming a victim of identity theft. Nothing thwarts the identity thief like the well-informed, cautious consumer.
The online security most people know, username plus password, is one-factor authentication. It’s a combination that cannot withstand the threat of online identity thieves, who easily crack the one-factor system. Multifactor authentication does a much better job of counteracting the sophistication of identity theft. Reports indicate federal regulators have recognized multifactor authentication’s promise and have put the banking industry on notice to implement multifactor technologies. It’s a savvy move against a prolific crime.
Multifactor authentication is the best, most accessible weapon we have against identity thieves. The banking industry, and in fact any industry that conducts transactions online, owes the public the protection from identity theft that multifactor authentication provides.
Multifactor authentication calls for additional verification, beyond the security of a password, from the consumer. An Oct. 27 article in InformationWeek’s Wall Street & Technology reported that regulators from the Federal Reserve and Federal Deposit Insurance Corp. have given “banks until the end of 2006 to implement two-factor authentication.”
Consumers cannot give multifactor verification for their transactions unless the companies with which they transact make it possible. And for this, regulators are right to require two-factor authentication. Consumers can do a number of things to protect their identities online, but the onus of responsibility for stopping identity theft is with industry.
Two-factor and multifactor authentication have been gaining momentum for a while. The October 2005 issue of Banking Technology reported that the bank Lloyds TSB will be conducting a two-factor authentication trial with 30,000 of its 2 million customers.
The push for two-factor and multifactor authentication has been growing for a while, and with good reason. Studies will probably lend credence to multifactor authentication’s benefits.
We simply cannot fight identity thieves anymore with passwords and usernames. To try to do so is silly. Just like signatures, our antiquated system for authenticating off-line transactions, usernames and passwords are quaint ways to protect ourselves against criminals in today’s online environment.