Tuesday, September 30, 2008

Warning signs that a consumer's identity is compromised

AOL carries a story from “Walletpop” this morning (Sept 30) listing four signs that your identity could be compromised.

(1) You don’t get credit card bills when you expect them. That’s a sign that a thief could be using your account. One antidote is to monitor your credit card accounts online.

(2) You get credit cards you didn’t apply for. Normally, this could mean a thief has tried to emulate you but has been sloppy, so you get the mailing. My own plan on this website would force institutions to notify you at a “preferred address” when an account is opened in your name, but it can happen accidentally now.

(3) You are denied credit despite the fact that you think you have a good history. Check your own credit reports once a year (free) at "Annual Credit Report" with Trans Union, Experian and Equifax. The last of these companies will expect you to wait a full year before giving you the free report again.

(4) You get calls from collectors (either first-party collectors from vendors, or third-party collection agencies) for purchases you did not make. Under the Fair Debt Collection Practices Act (FDCPA) you have certain rights, and can dispute the call immediately if it is not valid. Don’t allow a collector to threaten to sue you; that’s illegal. You definitely have rights under this law.

Monday, September 22, 2008

Even a Photo CD could leak consumer information if misprocessed (getting someone else's photos as well as yours)

There is a possibility that your information can leak even when you turn in a single-use camera for prints and a Picture CD. I had turned in a color (CVS) camera and a black-and-white (Kodak), even carrying 27 prints, to a CVS store for CDs.

I was told that they could currently produce only the Kodak-formatted CDs. But for the black-and-white camera, I got back a CD with two pictures from the color camera, and then about 200 pictures taken by another family. The CD went into a loop and I had to reboot the computer.

For the color camera, I got back a Kodak CD. It processed OK and had all the prints, but it also had pretty much the same 200 extra prints belonging to the other family.

The pictures were those of a family’s visit to the DC zoo, which I recognized. They were harmless. But what if the pictures had been pornographic? What if they had been illegal for me to even possess? Or, what if they somehow had contained sensitive information?

The problem seemed to have to do with processing on the Kodak machine in the store. It may have become corrupted, or it may have been improperly used. (It should not have created a CD that could not be closed from memory without rebooting.)

So, even something as innocuous as picture CDs could pose security issues, or leak information in photos to other parties.

One problem is that both Kodak and CVS load additional software which is unnecessary for a user who only wants to copy the pictures to his hard drive and manipulate them himself.

In fact, a Ctrl-Alt-Del in XP shows that the Kodak Software Updater Agent is always running, unnecessarily, after boot, unless it is closed manually.

Monday, September 08, 2008

Should companies vet individual employees for political or social conflicts as part of data security policy?

Could the current concern over consumer data security lead employers to screen job applicants for “hostile” political or social views that might pose a risk for customers?

Consider the concept of a “fraternal company” where the point of the company is to serve customers in a particular identifiable class. The class of customers could be any potential “controversial” group, ranging from LGBT people to members of evangelical denominations. Should an employer be concerned if it performs a “search engine reputation check” and finds political activity that would be inimical to the group?

I once worked for a company that specialized in selling life insurance to military officers. I became publicly involved in opposing “don’t ask don’t tell” in 1993 and later. When the company was purchased by a larger company, I transferred in order to reduce the appearance of “conflict of interest” as I saw it. There never was any misuse of data, but I was concerned about “appearance” and there was arguably less “exposure” (especially to hardcopy data) at the new location.

Of course, companies merge, and often turn their operations over to outside vendors so that the data for various "fraternal groups" is consolidated and outside the scope of normal concern.

It’s also true that ten years ago and more, there was much less concern that consumer data could be stolen and misused if left lying around. It was acceptable then for companies to keep less secured copies of consumer data (especially in print), and this belief continued through all the data collection activities associated with Y2K. After 2001 or so, concern about consumer security grew very rapidly, and companies had to become much stricter about how their data was kept and who accessed it.

Wednesday, September 03, 2008

A new NCOA-based system should allow consumers to keep unlisted information from "public" data brokers

I want to remind the visitor that the September 25, 2006 posting on this blog gives my “project proposal” on how a system to protect consumer identity security would work. In short, it would be centered on a “preferred contact address” equivalent to the NCOA (National Change of Address) as managed by the United States Postal Service (and various contractors). In various circumstances, financial and lending institutions would be required to check this address as part of “due diligence” to prevent parties from copying existing persons and creating duplicate identities of these individuals for the purposes of fraud.

One requirement for such a (“new”) system (on a go-forward basis) ought to be that a consumer has the right to prevent this “preferred address” (or any preferred contact point, email, or cell phone) from being sold to data brokers for reverse lookup of essentially “unlisted” information (including family, real estate and income level information). Many companies (I won’t list them here) make this information available to the public for a very small purchase price per item. The potential for misuse of such information (which is often incorrect anyway) has been a plot point in more than one soap opera recently—and that’s just “make believe”. These lookups are part of the “deeper Internet” (beyond normal search engines) that some reputation defense companies say they can check for clients, and say that employers could check (and they indeed could). My own Congressman (a “moderate” Democrat) says that the practice of “for sale” data brokering operates barely within the parameters of what is “legally permissible” and presents troubling potential security (maybe even national security) issues.

Even so, I remember that back in the 1980s, even in an older mainframe and large-business-driven world, “promos” (identification information sold to target marketers) were a larger source of revenue for Chilton, a credit reporting company, than were legitimate credit reports themselves. I noticed this then because I maintained their billing systems.