Every time I see a new data loss story and the criticism of the organization or person who loses the data I am compelled to question whether we are thinking about identity theft correctly. As individuals of course we should protect our identity and avoid handing our credit card or account info to random websites or sales people over the phone.
- Never make a purchase or reveal personal information over the phone if you did not initiate the call.
- Never follow a link in an email to your bank, eBay, PayPal, or stock trading account. Never.
- Check your monthly statements for unusual activity.
- Get a credit alerting service to monitor changes to your credit card accounts.
But the real responsibility for identity defense lies with the banks, eBay, and PayPal. When financial institutions rolled out online services they assumed the liability for breached accounts. Their risk calculations were based on the expected incidents of spouses and roommates, who were privy to usernames and passwords, stealing from each other. Even now, most banks will cover your losses if your account is breached. But by being so careless banks are fueling the rise of cybercrime. I believe it is irresponsible.
Anyone savvy enough to be reading a blog right now is probably perplexed at the continued existence of spam. Have you ever bought Hoodia or Cialis from an email advertisement? Well, obviously, enough people do to make it an enticing business for spammers. But just as you cannot educate the masses to stop funneling money to the spammers, any approach to counter phishing cannot rely on end user actions. They must be countered by the banks.
If I were the brand manager at Bank of America, Wells Fargo, or Citi Group I would be mortified every time I saw a phishing email for my bank. Every single recipient, and there are millions of them, gets a strong message:
This bank is prone to phishing attacks. It does not care enough about its customers to defend their accounts. It does not understand technology. It is feeding the rise of cyber crime. This is one bank I will never do business with.
So, the next time you hear some pundit talk about the negligence of an auditor, or a government contractor who let their laptop or even a CD get lost or stolen, think about the negligence of the banks and institutions that, through their inaction, support a thriving economy of identity theft.
Here is one cool company just coming out of development that has what I think is a workable approach to account protection. Grid Data Security is headed up by serial entrepreneur Paul Sitar. They sell an appliance that manages their system of One Time Passwords. What is great is that it leverages a user’s familiarity with passwords and usernames and it does not require a token (although there are ways to incorporate those as well). The user picks their own password and can change it anytime. But when they go to login they are presented with a grid like the one pictured here.
(Click here for a full-size screenshot. Try to guess what my password really is!)
Instead of typing in their password, they type in the number shown in one corner of each of the characters in their password. They choose which corner when they pick their password. So, if my password were m0ney7 and I had picked the “Lower Left” corner, I would type in 697561, the corresponding random numbers in the grid squares. The numbers change with every login, so what is typed is a one-time code, while the password itself never crosses the wire.
You get pretty fast at finding your numbers after about three times logging in.
Now, this is not perfect security. I can imagine an attack that captured screenshots over a period of several weeks to get enough data to figure out your password. And, just like tokens, it is susceptible to a man-in-the-middle attack where the phisher lets you log in for them. But it would significantly raise the bar for phishers and keystroke loggers.
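To make the mechanism concrete, here is an added simulation of the grid login described above together with a measurement of the weakness mentioned in the previous paragraph. It is my own example code, not Grid Data Security's product or anything from the post; the 36-character alphabet, the four corner names and the per-login random digits are assumptions about how such a grid would be built. The `candidate_sets` function quantifies the risk from repeated observation: it counts how many characters remain possible at each password position after an observer has seen several (grid, typed digits) pairs, assuming the chosen corner is known (the worst case for the user).

```python
import hmac
import random
import string

# Assumed character set shown on the grid; passwords draw from the same set.
ALPHABET = string.ascii_lowercase + string.digits
# Assumed corner names; the user picks one at enrollment and never types it.
CORNERS = ("upper_left", "upper_right", "lower_left", "lower_right")


def make_grid(rng=None):
    """Build one login grid: every character gets four fresh random digits,
    one per corner. A new grid is issued for every login attempt, so the
    digits a user types are a one-time code rather than the password."""
    rng = rng if rng is not None else random.SystemRandom()
    return {ch: {corner: rng.randrange(10) for corner in CORNERS} for ch in ALPHABET}


def expected_response(grid, password, corner):
    """The digits a user should type: the chosen corner of each password character."""
    return "".join(str(grid[ch][corner]) for ch in password)


def verify(grid, password, corner, typed):
    """Server-side check against the grid issued for this attempt. The grid
    must be discarded after one use, whether the check passes or fails.
    Constant-time comparison avoids leaking how many digits matched."""
    return hmac.compare_digest(expected_response(grid, password, corner), typed)


def candidate_sets(observations, corner, length):
    """Risk measurement, not part of the login flow: given observed pairs of
    (grid, typed digits), return the set of characters still possible at each
    password position. Each observation keeps only the characters whose digit
    at the given corner equals the digit typed at that position, so every
    observation removes roughly nine tenths of the remaining candidates."""
    candidates = [set(ALPHABET) for _ in range(length)]
    for grid, typed in observations:
        for pos, digit in enumerate(typed):
            candidates[pos] = {ch for ch in candidates[pos]
                               if grid[ch][corner] == int(digit)}
    return candidates


if __name__ == "__main__":
    # Constructed demo with a seeded generator so the run is reproducible.
    rng = random.Random(2007)
    password, corner = "m0ney7", "lower_left"
    grid = make_grid(rng)
    code = expected_response(grid, password, corner)
    print("one-time code for this grid:", code)
    print("accepted:", verify(grid, password, corner, code))
    print("replay on a fresh grid accepted:", verify(make_grid(rng), password, corner, code))

    # How fast repeated observation narrows each position of the password.
    observed = []
    for n in range(1, 5):
        g = make_grid(rng)
        observed.append((g, expected_response(g, password, corner)))
        sizes = [len(s) for s in candidate_sets(observed, corner, len(password))]
        print(f"after {n} observation(s), candidates per position: {sizes}")
```

Running the demo shows a code that is accepted once and rejected when replayed against the next grid, which is the property that defeats a simple keystroke logger. The candidate counts fall from 36 per position toward 1 after only a few observed logins, which is why the post's point about screenshot capture matters and why the access log described next is a useful second line of defense.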
The other feature is that after you log in you can view a log of account access data which is the simplest but most effective way to alert you to the fact that something phishy is going on.
If my bank had Grid’s solution I would be able to check my account from the road with no qualms. If your bank had this it would make you feel better right? It is time for banks to start taking responsibility for cybercrime.