Today the Washington Post hosted a live call-in show with Joel Winston, Associate Director for the FTC’s Division of Privacy and Identity Protection. He fielded questions about how individuals can avoid being victims of identity thieves. The Washington Post published an edited copy of the transcript of the show. I tried to find a copy on the FTC site, but then noticed all editorial rights were reserved.
Some interesting discussions occurred during the show…
He reminded listeners that now everyone has a legal right to request one free credit report each year. I encourage everyone to do so; you can find some significant, as well as many small, errors. These reports certainly are an interesting trip down memory lane. And when requesting them, it is VERY interesting the way the major credit reporting agencies (Equifax, Experian and TransUnion) use some of the most nondescript information from your credit report to verify your identity. It would be even better if you could get one free report from EACH of the major agencies since one may have different information from the other.
Some interesting portions of the show:
- “A Social Security number without a name can lead to identity theft, because the thief often can “reverse engineer” the name using public data services and online search engines. Truncated numbers are far safer, but not foolproof.”
Unfortunately many organizations believe that it is okay to use the SSN if no other types of personally identifiable information (PII) are used at the same time. This is a good reminder from the FTC…the agency that *WILL* and *HAS* applied severe penalties against companies…that using an SSN even on its own, and subsequently having an incident occur, could lead to some significant negative business impact.
- “Arlington, Va.: My cell phone was stolen and used by the thief to call other people. I reported this to the police but they refused to help me retrieve it and said it is not worth their time. I really want my phone back because it has lots of data. What can I do if the police refuse to help?
Joel Winston: I’m not sure what you can do if the police won’t conduct an investigation. You should, of course, contact your telephone carrier, which I assume you’ve done.”
There is so much information…so much PII…stored on most people’s cell phones. Not only their personal phones, but also on the phones they use for business.
I encourage companies to establish policies and procedures for their personnel to put passwords on their cell phones; not necessarily to be able to answer the phone (although that may be appropriate for certain people), but definitely to get to the phone book, incoming and outgoing phone logs, text messages, photos, website activity logs and so on. If they do not, they are putting everyone in their phone book’s information at risk. Recall the Paris Hilton cell phone debacle and how upset all the folks in her phone book were for being exposed by her lack of security sense?
I have been impacted by someone else’s cell phone being stolen. One of my business colleagues and friends in California had his cell phone either lost or stolen, he thinks while at a restaurant. He did not notice it until his friends and business associates started calling his office phone the next day to ask him if he knew where his cell phone was…I was one of the people who called him. He did not have any security on his cell phone…a big embarrassment to a security guru such as he is. I was working late one night and my cell phone rang; I saw who it was from by the number on the display and thought it odd he would be calling me late at night. When I answered I knew right away it actually was not my friend, but a sicko who was going through all the phone book numbers…which also had everyone’s full name listed…and was calling those he wanted to “get to know”…ick…I had to get a Q-Tip after that call and clean out my ear. Fortunately nothing worse than a few more calls (which I did not answer) from the phone criminal occurred before my friend had his phone number cancelled. However, it could have been worse if my friend had stored even more information, including about himself, on the phone.
Put passwords on your cell phone! You’ll not only be protecting your own privacy, but the privacy of the others whose numbers are in your phone book or in your calling logs.
- “Technically, federal law defines “identity theft” to include credit card fraud. But, the far more damaging problem is when a thief gets your Social Security number and opens new accounts in your name. If they only steal your credit card number and make unauthorized charges, typically you won’t have to pay for them. The law limits your liability to $50 and most credit card companies waive even that.”
Identity theft is a darling phrase used most commonly in the media. However, many, many types of crime can be committed through the use of a wide range and combination of PII items.