One of the downsides of being a security consultant is that I can never stop noticing (and subconsciously assessing) the risks that people inadvertently expose themselves to as they go about their normal lives.
Here are some examples, from just the last few months:
I was at my financial institution, waiting in line. A few feet away a bank employee and a customer were jointly filling out some sort of query on a credit card transaction. I heard the customer’s first and last names, contact phone numbers, credit card type and number and a raft of other bits and pieces that put together would allow me to search for additional details from well-known sources, thereby allowing me to put together a complete profile of this person. Did the customer recognize this? Probably not! Should the bank employee have been a bit more sensitive to the issue and suggested a less public spot? Definitely, but that would need the bank employee to be aware of the potential issue.
At the gas station I regularly see receipts from previous purchases stuck in the machine’s receipt collector or floating on the ground. While there are more sophisticated scams and easier methods to collate personal information, carelessly leaving receipts around is not a good practice.
On a long transatlantic flight very recently I had a ringside view of a passenger logging in to various secure sites using credentials he was reading off a file he had open on his laptop. For ease of reading he had the font size on the file ramped up, so with very little effort it was possible to pick up the site name, his user id for that site and his password. Despite not really focusing on what he was doing, I noticed that he was reviewing a bunch of documents that were clearly marked “Confidential”; presumably containing information not meant for curious co-passengers.
On the positive side, it seems to me that there is a vast improvement in awareness of all things security-related and of the importance of identity protection. However, the issue is whether this awareness translates into people recognizing the problem holistically and limiting the risks they take with their actions, or merely doing a few things here and there that in themselves are incomplete.
To illustrate my point:
I know someone who owns a shredder and assiduously shreds all junk mail or papers with her name and address. This, she told me, keeps anyone going through her trash from picking up personal data. But she is also an inveterate online shopper, loves the convenience it offers and blithely ignores all security warnings when accessing content on online websites. Her rationale is that she needs to see everything displayed on a web page before making a purchase! She politely heard me out as I talked of malware and Trojans, but I doubt anything changed with that conversation.
Another acquaintance told me he never uses his Facebook or other social media credentials when logging into websites, for fear his password will be stolen. Even after I explained to him that social media logins do not provide passwords to the sites using them for authentication, he appeared unconvinced. And yet this same individual has his passport number, date of issue, date of expiry and a few other choice bits and pieces, from an identity perspective, stored on his phone, and only at my insistence did he finally put a password on it.
And there are countless more stories I could tell you…
What we are talking about is synonymous with the homeowner who leaves doors and windows open, with valuables in full view, and then laments their loss. Identities have value and we need to secure them, even if it means sacrificing convenience. Every one of us is ultimately the owner of our identity and personal information. Identity thieves and hackers get hold of this information only when we leave it lying around, inadvertently share it in public places or entrust it to organizations that do not merit this responsibility. We need to take this responsibility seriously and, even if it introduces an overhead, recognize that it is in our best interest to safeguard our identity. When it comes to organizations that store our data, we need to petition and raise our concerns within our communities and in our government to put in place standards and controls that protect personal information. It’s no longer something we can glance at in the news or something that happens to others; the threat is now in our own backyard, and we need to mitigate the risks or pay the price.