Friday, April 25, 2008

Loose Wi-Fi offiice networks can be an issue for medical, financial, legal consumers

On April 25 (tonight), WJLA (ABC) in Washington DC presented a story of the risk of consumer identification information (or medical, legal, or especially financial information) when given to businesses with office wireless networks that have not been properly secured. “Wireless dumpster divers” can often fish for consumer information. In some cases, security switches on wireless routers have been left on.

The story appears as part of “7 On Your Side: Wi-Fi Dangers” where investigator Aaron Titus demonstrated how easily information could be gleaned from an office, to the anger of at least one law office. The link is here.

The report suggests that consumers who use such services check their names out at SSNBreach. SSNBreach is part of the Liberty Coalition.

Medical information must be secured, when transmitted or exposed, according to HIPAA (Health Insurance Portability and Accountability Act) requirements. Normally medical applications would need extra security that should protect information even if a hacker got access. It would be surprising if personal information from medical offices was captured in an exercise like this. In 2002, I had a phone interview for a mainframe job motivated by complying with HIPAA privacy requirements.

This problem would seem to be related to a larger issue of wireless security in general, especially for people who travel with work. Although most large companies would arrange proper security for traveling employees, large breaches or leaks from major corporations have occurred numerous times, as well documented in news reports (partly just through laptop or diskette theft as well as access compromise). A different problem could occur as people travel on personal business and take laptops and depend on motel or cafĂ© wireless access. I’ll probably write more about this later. But a good article, "Security issues when using outside networks," by Edward K. Zollars on the Tax Adviser explains why wireless and even broadband security can get out of hand: Ethernet was designed when computers were large, expensive and stationary, and physical mobility of machines was not a consideration. The link is here.

A couple of other important articles: Barb Bomman: WPA Wireless Security for Home Networks: link (on Microsoft). She also has an article about airports and motels "On the Road Again" here.
and "Understanding the Wireless Network Connection Dialog Box in XP" link here.

Monday, April 21, 2008

What would REAL ID really do?

The Washington Times has an important editorial on Monday April 21, 2008, “Real facts on REAL ID,” on p A16, here.

The Times takes the position that REAL ID would have prevented the acts of Timothy McVeigh and most of the 9/11 hijackers. It recognizes that some people view the proposed act as a threat to privacy and civil liberties.

The Times points out that the law would not take over production of driver’s licenses or DPS ID’s from states. It does prepare for sharing of specific fields of information among the states and with the federal government. On its face, it would not give information to private companies.

It seems productive to imagine a program where consumers could opt in to its use to identify them for loans and mortgages. In some situations, if used that way, it could lead to much more ready apprehension of anyone who purported to be that person, and provide a deterrent to ID theft. It might even prevent other scenarios where someone could be framed for a crime.

Friday, April 11, 2008

RealID - could it be a boon for consumer identity security?

Today the ACLU sent out an email to its supporters to contact their Representatives to block bills that would enable states to fund their compliance with the RealID Act, which was passed in 2005 as a rider to the Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005.

The original law was HR 418 with the govtrack link here.

RealId is said to be the federal effort to implement at national identity card.

Of course, I understand the civil liberties-based concerns about this bill. I’m also concerned, however, about political action that consists of mailing form-generated emails to politicians that are one-sided and essentially emergency, knee-jerk reactions.

Some form of a “RealID” concept, possibly connected to NCOA, could become a foundation for stopping consumer fraud and identity theft, if addition systems were developed and if lenders were required to use such systems as part of due diligence in granting loans.

Isn’t it silly that we find ourselves manually shredding paper documents (or driving them to community shreds such as those sponsored periodically by NBC4 in Washington) because we can’t make banks and other lenders be more careful about whom they are lending to?

Of course, it’s tough. “Know thy customer” rules could have a deleterious effect on some kinds of small business, and could lead to more Internet regulation.

Monday, April 07, 2008

Mortgage brokers and lenders were reckless; this undermines consumer identity protection

An article by Gretchen Morgensen on the Business Page of the Sunday April 6 New York Times “A Road Not Taken By Lenders,” link here illustrates another flaw in our approach to consumer identity protection.

She points out that mortgage applicants have to supply and sign documents verifying income and allowing lenders to check incomes with the IRS. Yet, many lenders didn’t bother to check. Most had systems of sales quotas that encouraged looking the other way. Not only did they make loans to people who could not pay soon, they could have been encouraging security problems for some communities.

The point of the story is that there is a lot more due diligence that lenders can do to verify applicants, and this story (also available by Podcast on the New York Times website) does give some examples. They don’t do it because of the pressures of “extreme capitalism,” as professor David Callahan wrote in his 2004 book “The Cheating Culture.” It’s odd, when you hear so much about tenant checks and the qualifications to rent an apartment, in a society so biased toward “home ownership.”

Friday, April 04, 2008

"Ordinary" workplace security problems expose consumers

More incidents or corporate and government breaches seem to come in.

Advance Auto in Roanoke, VA admitted around April1 that information on about 56000 customers was stolen by a hacker. The story appeared on Knoxville TN station WBIR, here.

At NIH, a laptop with the names of patients was stolen from an employee’s car. Senator Norm Coleman (R-MN) has audited government agencies and found that few are following required encryption standards yet. AP story is “Patients' Names on Stolen NIH Laptop,” March 24, 2008, link here.
Physical security is becoming increasingly important in workplaces as more people work from home and take work home on laptops.

And on April 2 AP Business Writer Mark Jewell reported that TJX could pay $24 million to Master Card for a security breach, story here.

Workplace security, for both IT professionals and customer service workers, is becoming a real issue.

Wednesday, April 02, 2008

Data brokers and state fusion centers: could they help identify consumers getting credits?

State governments have formed “intelligence fusion centers” to share information about possible threats, including (particularly with New York State) identity theft, particularly inasmuch as impersonation represents secondary security threats. A huge variety of sources is included, even car rental records (from tourists).

The Washington Post has a story by Robert O’Harrow Jr. on the front page of April 2, 2008, “Centers Tap into Personal Databases: State Groups Were Formed after 9/11,” link here.

One particularly obscure data broker, Entersect, was discussed. The company is so obscure as not to have a usable home page on the Internet now. The name reminds me of the IMS database concept “Intersection data.”

The question remains, could a system be designed to check across many of these databases so that lenders (mortgages, car dealers, banks with business loans) could more reliably identify applicants?