Who am I? Who ARE You?
Privacy in the connected world
In new research released in October this year by Veda Advantage, it was found that more than 1.5 million Australians had credit cards illegally skimmed, 1.2 million had bank accounts illegally accessed, and almost 1.2 million (7%) had personal mail stolen. Veda Advantage’s research also shows that more than one in five Australians aged 16 years or older have had someone steal their identity or try to access their bank accounts, have had credit cards stolen or skimmed, or have suffered attempts to steal their bank account PIN (personal identification number).
The humble person on the street takes most of the blame for not being careful enough with their personal details, with Veda Advantage’s findings showing that almost 70% of Australians have failed to take even simple measures to protect their identity.
However, in the last few months I have seen three examples of large organisations operating as if it were 1999, not 2009, putting their clients’ and customers’ identities at immediate risk:
- Real-Estate Agency – A real estate agency, in a noble attempt to cut down its postage costs and to save the rain forests from destruction (a cause close to my heart), wanted to provide email invoices/receipts to its customers and charge $5.50 for paper copies. When questioned regarding the sensitivity of the data provided within the emails, they were totally blasé about their privacy requirements. Even the Government’s own privacy department showed little interest.
Email is one of the most insecure methods of transporting information. Standard email provides zero protection for the confidentiality and integrity of the data it carries. For example, if Joe Bloggs receives the real estate agency’s email while he is connected to a wireless hotspot, it is highly likely that a third party has captured it. The scariest part is that this requires next to no technical knowledge – my boss’s nine-year-old can do it. It is also perfectly possible for an attacker to strip out an attachment and replace it with one of their own, providing another avenue for phishing-style attacks.
So what could be the consequence of their actions? When you applied for your driver’s licence, or renewed it, what information did you have to provide? Tenancy agreements, tenancy receipts, utility bills? These are all vital parts of your identity. This information must be protected, not emailed around.
There are many alternative methods for the Real Estate Agency to securely provide the invoices to their clients – if only they would care enough to ask.
- My other example, which occurs all too often for me, is that my phone company wishes to contact me regarding their latest offers or to query my account. After answering the phone, I am asked by the caller to provide passwords and other identification details. When I refuse to hand these over, they just don’t understand. Guys – you rang me... you need to authenticate to me! I’m not going to give those details out to anyone who phones me. Judging by the confusion it causes the caller, I can only assume that most members of the general public provide their authentication details to anyone who calls.
One possible solution is very simple – the phone company should have me choose a pass phrase that is attached to my account. They can use that pass phrase to authenticate themselves to me, and then I can trust them enough to provide them with my authentication details. Personally, I would also change the pass phrase every time it is used.
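The scheme in the paragraph above, worked through as an added example that is not part of the original post: the company holds a pass phrase the customer chose, the caller must speak it before the customer reveals anything, and the phrase is retired after every use so an overheard one cannot be replayed. The account record, the word list and the sample customer are constructed for the example; the company's own customer-identity questions are left out.

```python
"""Mutual authentication on an inbound phone call using a one-time pass phrase.

Added example, not code from the original post. Models the proposal that the
company authenticates itself to the customer first, and that the pass phrase
is changed every time it is used. Names and sample data are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed word list: short, distinct words that are easy to say aloud.
WORDS = ["amber", "kettle", "harbour", "cricket", "lantern", "marble", "orchid", "pelican"]


@dataclass
class Account:
    customer: str
    # Current company-to-customer pass phrase. Unlike a customer password it
    # must be recoverable (an agent has to read it out), so it cannot be stored
    # as a hash; rotating it after every call limits what a leaked record buys.
    passphrase: str
    # Phrases already used on earlier calls, kept so a replay is recognised.
    retired: List[str] = field(default_factory=list)


def new_passphrase() -> str:
    """Three random words from WORDS, drawn from the OS CSPRNG."""
    rng = secrets.SystemRandom()
    return " ".join(rng.choice(WORDS) for _ in range(3))


def caller_is_genuine(account: Account, spoken: str) -> bool:
    """Customer-side check: does the caller know my current pass phrase?"""
    # Constant-time comparison so a wrong guess and a near miss look the same.
    return secrets.compare_digest(spoken.encode(), account.passphrase.encode())


def rotate(account: Account) -> str:
    """Company-side: retire the phrase just used and issue a fresh one.

    The new phrase is guaranteed to differ from every retired phrase, so an
    old phrase never becomes valid again by chance.
    """
    account.retired.append(account.passphrase)
    candidate = new_passphrase()
    while candidate in account.retired:
        candidate = new_passphrase()
    account.passphrase = candidate
    return candidate


def handle_call(account: Account, spoken_by_caller: str) -> Dict[str, object]:
    """One inbound call, seen from the customer's side.

    Returns whether the customer should go on to answer the company's own
    identity questions, and why. The company only earns that after it has
    authenticated to the customer; a retired phrase is flagged as a replay.
    """
    if spoken_by_caller in account.retired:
        return {"proceed": False, "reason": "replayed retired phrase"}
    if not caller_is_genuine(account, spoken_by_caller):
        return {"proceed": False, "reason": "caller failed to authenticate"}
    # Caller has proven it holds the account record. The customer may now
    # authenticate in turn (omitted here), and the phrase is retired so that
    # anyone who overheard this call learns nothing reusable.
    fresh = rotate(account)
    return {"proceed": True, "reason": "mutual authentication complete", "next_phrase": fresh}


if __name__ == "__main__":
    acct = Account(customer="Jane Citizen", passphrase="amber kettle harbour")
    print("Caller: 'Your pass phrase is... wrong phrase'")
    print("Customer:", handle_call(acct, "wrong phrase"))
    print("Caller: 'Your pass phrase is... amber kettle harbour'")
    print("Customer:", handle_call(acct, "amber kettle harbour"))
    print("Later caller repeats the old phrase:")
    print("Customer:", handle_call(acct, "amber kettle harbour"))
```

The design point is that the phrase only works in one direction and only once: it proves the caller holds the account record, it never stands in for the customer's own credentials, and after the call it is worthless to anyone who overheard it.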
- After reading the news this week, alarm bells should be ringing for night club customers in Brisbane. Certain night clubs in the Fortitude Valley entertainment district are implementing fingerprinting controls in an attempt to identify known troublemakers before they enter. I am very sceptical that a night club is able to maintain adequate physical and logical security of its computer systems. It is highly unlikely that they will be audited on the adequacy of the systems they use, or on whether the images taken are deleted after the biometric information has been collated and stored. Additionally, are the night club owners going to securely delete all information from the systems prior to disposal?
The consequences of a compromise of these systems could be devastating for your identity. The blasé attitude authorities and the general public have regarding biometrics is enough to keep me awake at night - unlike passwords or other authentication techniques, your biometric data cannot be changed. Once compromised, your fingerprints, facial features and retinas will forever remain the property of someone else.
While I totally agree with Veda Advantage’s findings, and in no way dispute that almost 70% of Australians have failed to take even simple measures to protect their identity, corporations are also failing to take identity theft of their clients seriously. It is up to responsible Australian businesses to start the shift in mentality and take control of the leakage of their clients’ identity information.
e-Sentinel is currently investigating security and privacy issues with biometric devices, and will publish findings in early 2010.
e-Sentinel is one of Australia’s most trusted, independent providers of information assurance and computer system validation solutions working with clients in passenger air transport, medical, pharmaceutical, manufacturing, critical infrastructure (airports), finance, banking and gaming.
Bill Robson is e-Sentinel’s lead Penetration Tester and over the past decade has assessed the security of some of the largest corporations in the UK and Australia. His passion for information security keeps him on the leading edge of security research and trends in the connected world.