August 26th, 2010

How Shared Secret Security Questions are Killing Customer Service…

By Jodi Florence

Let me share a story of frustration with you.

Back in July I visited the hospital for a routine test my doctor wanted me to have. I filled out several pages of personal information for insurance purposes, presented my ID and insurance card, made my co-payment and went on my merry way. A month later I received a letter informing me that my healthcare insurance company was more than 30 days behind on payment and that I should follow up with my provider.

The easiest and most efficient way for me to check on a claim is to log in to my account online. But seeing as I don’t have a need to log in often, I forgot my password. So I clicked that familiar “I forgot my password” link, which took me to a screen where one secret security question was presented: What is your favorite food?

Hmm, good question.  Did I set up the account when I was hungry?  Was I craving something specific right then that I used as the answer and just knew I would remember?  Was I on a diet and missing chocolate?

I proceeded to try several answers, none of which worked. I was then completely locked out of my account and forced to call customer service.

On the phone with customer service I still couldn’t remember the secret question answer, so the only solution was to delete my online account and have me go back online to re-register and set up a new one, with a new username, password and, of course, secret question.

Have you ever been through a similar experience?  What about your customers? Would they find this scenario familiar in dealing with your company?

Chances are high they would.  And more than likely it’s negatively impacting your customer satisfaction.

Think about how much easier it would be to dynamically generate a security question that the customer can actually remember; and how you could reduce password reset calls and improve your call center performance.

Now, do something about it.

August 24th, 2010

Identifying the Unbanked Market

By Jodi Florence

Last week the Wall Street Journal examined a new pilot program the FDIC approved that is designed to encourage banks to create simple, low-cost deposit accounts. They featured a great graphic showing the demographic breakout of U.S. households without a savings or checking account in 2009.

More than 70 million people live outside the credit and banking system in the United States. The global unbanked market size is estimated at 2 billion. In the identity verification market, the unbanked market is sometimes referred to as a “thin file” because only a little bit of information can be found on these people. Obviously, using credit data doesn’t work well because they don’t have a credit history with the credit bureaus.

Having a strategy to identify this market is important not just because of the level of risk involved but, more importantly, because of the opportunity. Wouldn’t you like 70 million or so more customers? Downloading our whitepaper “Turning Thin Files into Fat Profits” can help you understand how identity proofing technologies can help create more profit in your business.

August 17th, 2010

What Happened in the Identity Verification Market This Summer

By Jodi Florence

In Georgia, summer vacation is over. It’s already back to school for the majority of the state and all the “What I did this summer” essay reports are due. So, in keeping with the back-to-school spirit, this post is IDology’s official summer report on identity…

Ever gotten one of those notification letters that your personal information might have been compromised? If so, there is no need to panic. But you do need to take action to protect yourself.

The Atlanta Journal-Constitution covered this very topic Sunday and gave some great tips about how to minimize your exposure, especially if your information was part of a data breach. The first tip is related to passwords:

Using unique passwords for each website you visit, including shopping sites and online banking sites.  This limits any breach to just one website, should thieves obtain access to the password.

What a perfect segue to tell you about a new event that took place in the identity industry this summer. Last month I attended the Cloud Identity Summit hosted by Ping Identity, where the ultimate goal in the minds of the attendees, drawn from some of the most brilliant security-minded companies concerned with identity verification and identity management, was to eliminate passwords. The reason: they just aren’t secure, especially because in reality consumers don’t use unique passwords for every website they visit, and passwords are just too easy to phish, hack or guess.

There were lots of great speakers and plenty of interest in collaborating to solve Internet identity issues at the summit. Eric Sachs from Google clearly stated Google’s goal is to eliminate passwords. PayPal’s Andrew Nash talked about identity providers brokering trust between consumers and businesses. VeriSign’s Nico Popp discussed liability and the impact it has on identity trust. One new initiative I learned about is the work Eve Maler (also of PayPal and known by some as @xmlgrrl) is doing with the Kantara Initiative through the User-Managed Access (UMA) Work Group. As explained on the work group site, UMA involves:

For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a “personal data store” service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager).

The requesting party might be an e-commerce company whose site is acting on behalf of the user himself to assist him in arranging for shipping a purchased item, or it might be his friend who is using an online address book service to collect addresses, or it might be a survey company that uses an online service to compile population demographics.

UMA clearly has implications in the consumer identity market. Being more marketing-minded than technical, I found the use cases discussed here the most interesting because they show the benefits to consumers in scenarios that are easy to understand or imagine.

Looking at the regulatory side of identity, Congress is considering legislation that would create a federal notification act for data breaches. Bankinfosecurity reports:

One bill pending on the floor of the U.S. Senate is Senate Bill 139, sponsored by California Sen. Dianne Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personal identifiable information and make it mandatory that if a breach occurred, the victims would be informed.

This bill, along with the recently reintroduced Carper-Bennett legislation, is aimed to protect consumers and businesses from identity theft and account fraud. The Carper-Bennett legislation, entitled the Data Security Act of 2010, applies to financial institutions, retailers and government agencies, and would require these entities to: safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud.

The law is designed to address the under-reporting and hiding of data breaches. Four states (Alabama, Kentucky, New Mexico and South Dakota) still don’t have a security breach law, and a recent report by Verizon and the Secret Service examining data breach incidents showed that two-thirds of the data breaches covered had not yet been disclosed or never would be.

After hearing this, getting one of those notification letters should be looked at as a relief: you are being made aware of the risk and can be more vigilant in guarding your identity!

June 30th, 2010

Identity Blues for 70,000 People in Georgia

By Jodi Florence

If the heat wave hasn’t gotten my fellow Georgians singing the blues this summer, the largest health insurance company in the state might just do it. Blue Cross and Blue Shield of Georgia is warning 70,000 people that their personal medical information, Social Security numbers and credit card data might have been compromised because of a breach in web site security.

This news coincides with the latest statistics on security breaches, which rank healthcare as the #2 industry for data breaches. According to this article, Linda Foley of the Identity Theft Resource Center (ITRC), the organization that tracks data breaches, says there have been 325 reported data breaches (through June 25) in 2010. The top three industries are:

  • Business – 36 percent;
  • Healthcare – 29.2 percent;
  • Government, military – 16.9 percent.

The article also discusses the breaches this year and the rise in healthcare breach incidents:

Foley attributes the rise in percentages of healthcare incidents to the recent enactment of federally-mandated breach reporting requirements. Increasingly, breaches are caused by hacking, insider theft, and a great deal of accidental loss, she adds — especially in the healthcare industry, where missing laptops have increased in the first half 2010.

Larry Ponemon, president of Ponemon Research Institute, sees a continuing rise in healthcare breaches. Healthcare companies, including insurers, will see more data breaches because of new compliance requirements that demand greater vigilance and penalties for failing to properly notify breach victims, he says. “These new compliance requirements appear to have heightened privacy and data protection practices for healthcare providers and business associates.”

As Internet Security Month comes to a close, it seems fitting to use this time to introduce a new video segment we are doing at IDology called “Identity Street Beat.” As the name implies, we’ve hit the streets interviewing consumers on identity topics. This month we focused on Internet Security and consumer concerns. The episode is less than 3 minutes, so no need to bring popcorn.

Over the coming weeks, look for more episodes of IDentity Street Beat on a variety of identity topics such as privacy, payments, passwords, age verification, shared secrets and more. And if you have a question or topic you want to see addressed, let us know through the comments section and we’ll see about getting it covered.

June 23rd, 2010

Identity & Privacy: Can Privacy Concerns Lead to Big Business?

By John Dancu

With a background in investment banking, I’m always interested to see where venture capitalists are investing. According to a Wall Street Journal article I read earlier this week, privacy-related start-ups are the new favorite.

Consumer privacy, while not a new issue, is definitely a hot topic of late, thanks mostly to the Facebook controversy over the past few weeks. And it looks like the market is ripe, with three privacy-related companies recently closing a combined total of $35M in funding. But as analysts point out in the article, these companies still face the challenge of getting people to pay.

Here’s a list of a few of the privacy start-ups the article spotlights:

What do you think? As a consumer, would you pay a subscription rate for any of these services? And if so, how much?

June 10th, 2010

114,000 Apples Today for Hackers

By Jodi Florence

Are you an early adopter of the iPad? If so, beware. Your email information might have been compromised along with that of 114,000 other owners, and possibly every iPad 3G owner in the United States.

iOuch. But if you are a victim, you’re in good company. Along with several big wigs and celebrities, your risk of spam marketing and malicious hacking has increased. Valleywag reports:

The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised.

According to Valleywag and several other news articles, the data breach appears to be AT&T’s fault.

Exacerbating the situation is that AT&T has not yet notified customers of the breach, judging from the subscribers we and the security group contacted, despite being itself notified at least two days ago. It’s unclear if AT&T has notified Apple of the breach.

Timing of the breach couldn’t be worse. Rumors of AT&T and Apple’s relationship aside, it’s Internet Safety Month!

June 8th, 2010

5 Things A Business Should Do During Internet Safety Month

By Jodi Florence

June is National Internet Safety Month. Of course we should be mindful of Internet safety all year long, but this month was designated by the U.S. Senate three years ago to be the official awareness month (not to be confused with National Cyber Security Awareness Month, which is October).

A quick Google search for “internet safety month 2010” will lead to several initiatives aimed at consumers this year, all with very helpful reminders about protecting children and ourselves online. But what should businesses be doing? Here are 5 things a business can do this and every year during Internet Safety Month:

  1. Simplify Your Company Privacy Policy – When’s the last time you read your company privacy policy? Is it easy to read? How long is it? The purpose of a privacy policy is to communicate what type of information you’re gathering on your customers and how that information is being used. Having a simple, easy-to-understand policy fosters trust between you and your consumers. Be sure that your marketing and legal teams work together to prevent inaccuracies and that the most recent copy of the policy is easily accessible to your customers.
  2. Review Your Identity Theft Protection Plan – Yes, the deadline for the Red Flag Regulations was delayed for some until the end of 2010, but this shouldn’t prevent you from adopting an Identity Theft Protection Plan. Identity theft is still the fastest growing crime, and the intent of Red Flag is to help identify, prevent and mitigate instances of identity theft. Conducting an annual review of your Identity Theft Protection Plan ensures you’re meeting compliance requirements and also serves as a way to identify potential fraud risks to your business before becoming a victim.
  3. Assess How You Verify Online Consumers – How much personal information do you require from your customers? What’s your identity proofing process? How much manual review are you doing on suspicious activity? How do you authenticate returning customers? These questions are all components of your risk strategy, but more importantly they help define your overall growth potential. You should be using scalable technology that protects both your business and consumers without hindering the customer experience or hurting overall satisfaction.
  4. Hold a Safety Training for Employees – While some industries are required to hold regular training sessions addressing information security, it’s always a good idea to have an annual training with your employees to highlight important items. Even the most conscientious employees need a gentle reminder about best practices and standard procedures. (It’s probably also a good idea to serve bagels or doughnuts as extra incentive to attend.)
  5. Promote Internet Safety Month To Your Consumers – Follow the lead of YouTube, Sprint and Comcast and promote Internet Safety Month to your consumers. No matter what size your business is, your customers want to know what you’re doing to protect them. Create an email campaign, e-newsletter or blog post to tell them.

June is short, so you may not be able to finish all of these before the end of Internet Safety Month. But I know you can do it before National Cyber Security Awareness Month rolls around, when we’ll have a list of Cyber Security Tips for you!

May 24th, 2010

Cool Trick.ly for Protecting Internet Privacy

By Jodi Florence

Reading Seth Godin’s blog, his “Sort of private” post introduced me to a new service that helps provide a little privacy for things we want to share with people on the Internet.

Like bit.ly and tiny.url, Trick.ly is a new service that shortens a URL, but instead of the link being open to anyone, you can password protect it. People can only see where the link goes when they know how to answer your made-up (case sensitive) “secret” question/clue.

So for example, let’s say I only wanted my customers to access “Check out the new features in our latest product release… http://trick.ly/39D”. I would set up the password and clue to be something only my customers could answer. As a marketer, there are some interesting use cases, provided your audience enjoys riddles. But as a consumer, there are many good use cases for sharing information with groups while keeping unwanted eyes from it (think pictures of your kids… summer vacation… last weekend’s margarita party…).

A further look into Trick.ly shows the service launched earlier this month. The first blog post was on May 3 and discusses why the service came about:

Casual Privacy for the web.

How many times have you heard someone say “Hey, can I get a little privacy here???”

As funny as it may sound, often times that’s all we really want: “a little” privacy.  We don’t care if it’s secure enough to keep the NSA out, we just prefer that:

1. The stalkers move along.
2. Strangers can’t look at our analytics or “stumble on” it.

We wanted to create an easy-to-use security system for tribes.

No need to sign your whole friendlist up so they can view the link — for that matter, you don’t need to sign up either.

Of course, we all need to be careful not to confuse private with secure. While Trick.ly does help provide some privacy around access, you should always remember that whatever information you are sharing behind a Trick.ly URL is still on the Internet: the gate protects only the redirect, not the destination.
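To make the private-versus-secure distinction concrete, here is an added example (not Trick.ly’s code, and not from the original post) of the storage and checking logic a clue-gated shortener like the one described above would need: the answer is case sensitive, only a salted hash of it is kept, comparison is constant-time, and a per-link attempt limit is assumed so a guessable clue cannot be brute-forced indefinitely. The short-code format, the attempt limit and the sample link are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 5        # assumption: a link locks after this many wrong answers
PBKDF2_ROUNDS = 100_000  # slow hash so a leaked store cannot be cracked quickly


@dataclass
class GatedLink:
    target: str          # the real destination; this is all the gate protects
    clue: str            # shown to anyone who has the short link
    salt: bytes          # per-link salt so equal answers hash differently
    answer_hash: bytes   # PBKDF2 of the case-sensitive answer, never the answer
    failed_attempts: int = 0


class GatedLinkStore:
    """In-memory model of a clue-gated URL shortener (constructed for illustration)."""

    def __init__(self) -> None:
        self._links: Dict[str, GatedLink] = {}

    @staticmethod
    def _hash_answer(answer: str, salt: bytes) -> bytes:
        # No case folding: "Rocky" and "rocky" are different answers, as on the page.
        return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def create(self, target: str, clue: str, answer: str) -> str:
        """Register a destination behind a clue; returns the random short code."""
        code = secrets.token_urlsafe(4)
        salt = os.urandom(16)
        self._links[code] = GatedLink(target, clue, salt, self._hash_answer(answer, salt))
        return code

    def clue_for(self, code: str) -> Optional[str]:
        """The clue is public to anyone holding the link; the target is not."""
        link = self._links.get(code)
        return link.clue if link else None

    def resolve(self, code: str, answer: str) -> Optional[str]:
        """Return the destination only for a correct answer on an unlocked link."""
        link = self._links.get(code)
        if link is None or link.failed_attempts >= MAX_ATTEMPTS:
            return None
        candidate = self._hash_answer(answer, link.salt)
        if hmac.compare_digest(candidate, link.answer_hash):
            return link.target
        link.failed_attempts += 1
        return None


if __name__ == "__main__":
    store = GatedLinkStore()
    code = store.create("https://example.com/release-notes", "Our mascot's name", "Rocky")
    print(store.clue_for(code), store.resolve(code, "rocky"), store.resolve(code, "Rocky"))
```

Note that anyone who reaches the destination can still copy or re-share it, which is the point of the paragraph above: the clue gates the redirect, not the content.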

May 14th, 2010

Facebook Baby Stepping Toward Identity Verification

By John Dancu

Facebook announced it’s implementing new security tools (and procedures) intended to prevent unauthorized login to an account. It seems as if they are going to be using “shared secrets” to verify the person behind suspicious activity.

“When we see that someone is trying to access your account from an unusual device, we’ll ask the person to answer an additional verification question to prove his or her identity as the real account owner,” Popov wrote.

That might include asking you to provide your date of birth, identify a photo of a Facebook friend, or ask a previously supplied security question.

Popov said this process won’t happen often, only “on the rare occasion that we notice something different.”

I’m pleased Facebook is taking steps in the right direction, but I can’t help but remind them of the dangers involved in using static knowledge based authentication (i.e. shared secret questions) instead of a dynamic knowledge based authentication (KBA) solution. Remember Sarah Palin’s Yahoo account breach? The hacker was able to access her account because he could easily guess the answers to her secret questions.

The next step for Facebook in their embrace of identity authentication tools is to evolve their strategy and use a dynamic KBA solution. This takes away the danger of someone correctly “guessing” answers, and reduces the risk of a data breach, since they wouldn’t have to maintain a database of 400 million members’ secret questions and answers.

IDology has long blogged on the topic of shared secrets and dynamic KBA. Some related posts are:

“Secret Questions” Give Dynamic KBA a Bad Wrap

How Dynamic KBA Could Have Stopped Palin’s Email from being Hacked

May 13th, 2010

The Copier Stole My Identity – A New Fraud Prevention Strategy To Consider

By Jodi Florence

I recently read a news story on digital photocopiers, the data secrets they hold, and how this information can be accessed in photocopiers that are resold. CBS proves just how easy it is for companies (and governments) to unwittingly expose their employees and customers to identity theft.

Here’s a snippet of what happened and what was discovered:

Juntunen picked four machines based on price and the number of pages printed. In less than two hours his selections were packed and loaded onto a truck. The cost? About $300 each.

Until we unpacked and plugged them in, we had no idea where the copiers came from or what we’d find.

We didn’t even have to wait for the first one to warm up. One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division.

It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan – downloading tens of thousands of documents in less than 12 hours.

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company – that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

When one thinks about identity theft, it’s easy to overlook the copier as posing a risk. And you can pretty much bet that almost every single company has a copier or two in their offices. Seems like now would be a great time to incorporate the copier into your Red Flag identity theft prevention and overall data protection strategy!