When my team and I find mismanaged confidential information in a security audit we launch
an awareness campaign around trash, recycling, and shredders. Not surprisingly, recycling bins, like
dumpsters, are repositories for plenty of corporate secrets.
But bank dumpsters are the worst (or best, if you’re a bad
guy). The large bank branches in wealthy
neighborhoods attract the most valuable dumpster data of all: personal
financial statements of millionaires. You heard right. Dive a dumpster
in Lake Forest or Bal Harbour and commandeer the bank accounts of the very rich.
I’ve noticed that ABN Amro and Chase Bank are particularly
lax in shredder placement. Private
bankers, every night, throw out reams of paper with names, addresses, bank
account details, social security numbers, and dates of birth. Even mother’s maiden
names are included on documents thrown out in ABN and Chase dumpsters around the US.
Climbing through these dumpsters is usually a crime (if not
performed as part of an authorized security audit, of course), since they sit
on private property – behind that crooked wooden gate in the parking lot. But I know of more than one Chase Bank branch in
wealthy neighborhoods with dumpsters in the alley – that is, in the public
Some communities have laws that inhibit trash picking, but
in general, the U.S. Supreme Court protects dumpster diving and trash picking
on public property, ostensibly to permit law enforcement to gather evidence
without a warrant. You don’t have to be
a freegan [a person who chooses to live off food and property retrieved from
trash] to see the value of that kind of accessibility. Identity thieves and all-around scum bags can
The personal financial statements of the very wealthy that I
mentioned are the documents used to "apply" for high-end personal and
business loans and usually have all the info needed to set up bank-by-phone and
an Internet account. After all, the very
rich don’t usually do their own banking. Their accountants do it for them the old-fashioned way, by balancing
ledgers against monthly statements. Enough time for a bad guy to set up wire transfers, print checks, and
connect to a Paypal account.
You bankers out there may want to have your dumpsters inspected and your "shredder culture" assessed before the bad guys do it for you.
Monster.com, the job hunters’ website, has posted a web page and sent a massive email campaign to inform its users of the fraud and other malicious activity occurring on the site. Monster seems to be the fashionable new phishing target, so it posted this page to teach folks how to recognize, and not fall prey to, a phishing attack.
Last year we were all concerned about Sarbanes Oxley. This year it’s PCI. PCI is shorthand for the Payment Card Industry security standards that apply to any company engaged in processing credit card information. The VISA Cardholder Information Security Program (CISP) is one specific standard in this category. Compliance to these PCI standards is driving all manner of corporate risk management in tens of thousands of US businesses – from online customer-based transactions, to data storage, to document retention.
My buddy, Ben Rothke, just wrote a very intelligent article on the topic in CIO Magazine. The only thing I’d add is that PCI is commonly thought of as an "information" security problem when in fact it has a heavy physical security slant.
There are over twenty specific statements in the PCI requirements that pertain to physical security. For example, you should have video surveillance around sensitive systems and areas where credit card data is handled, physically restrict access to those areas, escort visitors and require rigorous access control, shred hard copies of documents with that data and protect against dumpster diving, etc.
A security executive from a Fortune 1000 company and another from a Fortune 100 each told me recently, over separate lunches, that PCI is touching every aspect of their respective security operations – IT security, physical security, privacy, and business continuity. Both executives have found that promoting collaboration between those groups has been the key to meeting PCI requirements. PCI is just one more reason to promote a collaborative convergence attitude in your organization’s security program.
Phishing is an art. Which means you can expect to see everything from masterpieces to
scribbles. This one lacks the elegance and
polish of most of the phishing mails I get and the subject header made me
The subject header, including typo, read:
Sing in reminder
The Body of the email simply suggested that you log in to
your Bank of America account, and provided a link to a website hosted by a guy
named Jose Alejandro Bonilla Jaramillo in Medellin, Colombia.
Be sure to sign in to your account regularly, otherwise it
may be suspended due to inactivity.
This message was sent to you on behalf of Bank of America.
Ce message a été vérifié par MailScanner
pour des virus ou des polluriels et rien de
suspect n’a été trouvé.
MailScanner remercie transtec pour son soutien.
The sad thing is, he probably hooked hundreds of bozos
typing in their credentials. Good work if
you can get it…
Holy cow, as I look deeper into the identity theft protection business it seems that LifeLock is pretty shady, both because the executives seem to be full of crap – if not outright criminals – and the service itself is wacky: pay us $10 a month for something that you could do for free in 12 minutes per year, and surrender your SSN and limited Power of Attorney to employees whose own backgrounds are not checked in the process. What are you…on drugs or something?? LifeLock is a Life Crock.
Check out this article and especially note the comments appended by readers.
What is it: A Web site service that
provides early warning detection to let you know if your identity has been
How does it do it:
According to the site, Identity Truth monitors many sources beyond simply
credit monitoring. They monitor public records plus public information floating
on the Internet. They claim to be able to do this without asking for your
social security number.
Status: Currently in beta.
Cost: The beta is free, with a limited invitation. $9.95 for a one-time search.
$9.99 per month for an ongoing service.
Early Review: IdentityTruth
first collects a bit of information about me, then plugs that data into a
powerful Web crawler-based Internet intelligence engine provided by
Cyveillance. The back end Cyveillance engine is impressive in many ways, especially
the fact that it can find things that not even Google can get its tentacles on,
like emails and chat room discussions—a popular forum where private rooms trade
credit card information.
I launched the service with
my cell phone as my primary number. Within minutes I began receiving text
messages to my phone and email detailing all the personal information that Identity
Truth found floating around “out there” about me. For example, it found every
place I’d lived since college, all my past phone numbers, and a few other
choice tidbits. The service determined that information from the Internet,
combined with information from my credit report (which it deduced somehow)
indicated a high likelihood that I was already a victim of cell phone fraud –
someone getting a cell phone in my name. I looked into it and found that all
the numbers were mine. But still – impressive.
Any time my personal information is out
there and potentially usable in a fraudulent way, Identity Truth calculates the
risk to me and notifies me, suggesting ways to remediate the problem.
The competition: I
like it much better than LifeLock, which seems never to notify me (only the
prospective creditor gets a message), or TrustedID which freezes my credit and
slows down transactions with lenders (overkill unless I know my identity has
Beta irritations: While
signing up was easy, the registration system questioned the veracity of the
password I chose. Now I know passwords. Passwords are in my blood!
So imagine my surprise when I entered one of my supremely excellent passwords
(easy to remember, hard to guess) and the IdentityTruth system plastered a
message across the screen declaring my password to be “Mediocre.”
My password certainly was not
mediocre. I imagine the system was looking for a random-looking long character
string – the sort of password one would have to write down and thereby make it
less secure. IdentityTruth needs to look at more factors than the length of a
password to determine its worth.
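A pattern-aware strength estimate of the kind the paragraph calls for, as an added Python example (not IdentityTruth’s own meter): it credits character-class variety and deducts for dictionary words, repeated characters and keyboard-style runs, then grades the result next to a length-only meter. The word list and the sample passwords are constructed for the demonstration.

```python
import math
import re

# Constructed stand-in for a real word list (assumption: a real meter loads thousands of words).
COMMON_WORDS = ("password", "letmein", "welcome", "qwerty", "summer")
CLASS_SIZES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def length_only_rating(pw: str) -> str:
    """The kind of meter the review complains about: character count is the only factor."""
    return "Strong" if len(pw) >= 14 else "Mediocre"

def collapse_patterns(pw: str) -> str:
    """Shrink each predictable pattern to a single symbol so it is credited only once."""
    s = pw
    for word in COMMON_WORDS:                      # dictionary words -> one symbol
        s = re.sub(re.escape(word), "*", s, flags=re.IGNORECASE)
    s = re.sub(r"(.)\1{2,}", r"\1", s)             # repeats such as "aaaa" -> "a"
    out, i = [], 0
    while i < len(s):                              # runs such as "abcd" or "4321" -> first char
        j = i + 1
        step = ord(s[j]) - ord(s[i]) if j < len(s) else 0
        if step in (1, -1):
            while j + 1 < len(s) and ord(s[j + 1]) - ord(s[j]) == step:
                j += 1
        out.append(s[i])
        i = j + 1 if j - i >= 2 else i + 1       # a run of 3+ characters counts as one
    return "".join(out)

def rate(pw: str) -> tuple[float, str]:
    """Estimate guessing entropy in bits from pool size and effective length, then grade it."""
    pool = sum(size for pattern, size in CLASS_SIZES if re.search(pattern, pw))
    if pool == 0:
        return 0.0, "Weak"
    bits = len(collapse_patterns(pw)) * math.log2(pool)
    for limit, label in ((28, "Weak"), (40, "Mediocre"), (60, "Good")):
        if bits < limit:
            return bits, label
    return bits, "Strong"

if __name__ == "__main__":
    # Constructed samples: a short mixed-class password, a doubled dictionary word, an alphabet run.
    for pw in ("R3dFox!jumps", "passwordpassword", "abcdefghijklmnop"):
        bits, label = rate(pw)
        print(f"{pw:18} length-only={length_only_rating(pw):8} pattern-aware={label} ({bits:.1f} bits)")
```

The short mixed-class password is graded Strong while the length-only meter calls it Mediocre; the two long but predictable strings come out Weak even though they pass the length test.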
Another annoyance is when trying to view
In summary: IdentityTruth
looks like an excellent balance between its two competitors (LifeLock and
TrustedID), and if it continues to do what it appears it can do, I’ll likely rely
on it for years.
I dumpster dived my own garbage can. I didn’t have the guts
to pick through my neighbor’s garbage, but I wanted to see if there were
treasures in there. What I found were
plenty of banking and financial docs properly shredded, along with utility
statements and insurance papers that weren’t. Combined with my name and address (posted on
my mailbox, of course) this data would make easy work for a social engineering identity
Ignorance is bliss
There is a new Identity Theft prevention service, Identity Truth.com, that extends far beyond PrivacyGuard and uses
the amazing intelligence collection capabilities of Cyveillance. It is still in beta but boasts
an “early warning system” whenever your personal information is “out there” and
about to wreak havoc with your credit. It
looks cool and at 10 bucks a month beats the hell out of the more expensive and
less thorough PrivacyGuard. The system
is only accepting a limited number of new subscribers during this beta stage,
and twice I’ve noticed the site was down.
I’ll sign up as soon as the site comes back online and will
write a review in a week or so. If any of you do the same, let me know your impressions.
In a recent post, Chance of Dying in Georgia Increased, one person left this comment:
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
— Benjamin Franklin
They that can give up essential privacy to obtain a little temporary convenience deserve neither privacy nor convenience.
— Dan Geer
Last time I picked up a biography on Ben Franklin it was clear that Ol’ Ben led anything but a private life. And have you Googled Dan Geer recently? His whole career is splashed across the Internet. Not exactly a fierce defender of his own privacy.
None of us are. We don’t live in the mountains and walk around with paper bags on our heads for anonymity. We are social creatures, seeking to connect and relate with other people. Whether we wake up in the morning intending to be social – or public – or not is not the issue. Our lives are public.
I’ve heard some privacy folks claim that our consensual surrender of privacy through the ages was acceptable and natural, but the growth of the Internet and the storage and archiving of personal data is unnatural, unacceptable, and degrades society. Why? Because of the magnitude I suppose. Personal information in the 1950’s or 1450’s had less commercial value than it does today.
But I think the condition is the same – the rules are just changed. Being private today, as in 1950, means being "relatively" private. In the 50’s it meant that everyone in my community, church, town, office knew just about all of my personal business. Today it means that some databases and a few interested individuals know some financial and personal matters about me – and some urban surveillance cameras may watch me drive to the post office or to the Greenpeace office or to the NRA meeting. How is that fundamentally different than the 1950’s? Heck, it actually sounds better! Gee whiz, in the 1950’s the entire nation was absorbed in the private lives of politicians, actors, poets and other suspected closet communists. Every age has shown that privacy and liberty are relative to the whims of society.
In 1999, Scott McNealy said "You have zero privacy anyway. Get over it."
But I say, you have all the privacy in the world.