In December many of my press contacts were working on their 2009-in-review and 2010-prediction stories, providing me with a rare opportunity to reflect on the past year. Ordinarily when blogging we tend to focus on a hot topic or breaking story, and don't always take time to point out the trends (which can be difficult to spot). Today I want to share with you why our privacy is so important, how social media is changing what we think of as private, and how criminals are using this shift to steal our money and data.
When Facebook changed their privacy policies last month and portrayed the changes as giving users more control, there was a lot of discussion in the security community on what controls we were, in fact, losing. The user community, on the other hand, seems to have mostly shrugged at us for making such a fuss over what they perceived as the trivial things listed in their public profiles.
Facebook isn't solely to blame, even if their new policy does make it easier for thieves, stalkers and creeps to discover personal information. As users, we don't often consider how hard it used to be to gather seemingly trivial information about us like our birthdate, mother's maiden name, hobbies, and alma maters.
This topic came up last week at lunch with a former colleague. I asked my friend if he posted personal information on his Facebook profile. He said, "No, nothing important." I asked, "Not even your birth date?" He replied, "Well, the month and day, but not the year..." Accessing his public profile was enough for me to easily figure out his birth year, which in theory is enough to impersonate his identity.
In their most recent Data Breach Investigations Supplemental Report, Verizon describes an incident at a Canadian annuities firm. Through social engineering, the attacker was able to call the help desk and convince its personnel to provide him with account holders' credentials, allowing him to transfer money from seven accounts to overseas accounts and make off with the victims' investments. In the brick-and-mortar world, we often confirm identities over the phone with information as basic as a birth date, where you went to high school, or the last four digits of your Social Security Number.
In 2008 it was big news when Sarah Palin's email account was hacked. How did they do it? Her birthdate, zip code, and where she met her husband were the answers to her password-reset security questions. This information is all pretty trivial to acquire. When stories like hers make the press, we should all take note and think about how this might happen to us.
It's unfortunate that "meat space" has yet to catch up with cyberspace. I should not be able to access your bank account by simply knowing your birth date or postal code, but most traditional institutions take a very long time to adapt to change.
We need to determine when and where it is safe to disclose these details, and apply pressure to our banks, credit card issuers, phone companies, etc. to impose real security that actually confirms identity rather than relying on facts anyone can look up. Using tools like Facebook, LinkedIn, and Twitter is fun and creates incredible new ways of making and maintaining friendships and staying in contact with far-away family members.
To this end our team has assembled a guide to help you understand Facebook's new controls. It includes advice on setting your privacy settings to avoid risk. I hope that those of you who are IT savvy will share this with your friends and family to make the task of changing these settings a little less daunting.
This is also an excellent time to review the other social and web 2.0 tools like LinkedIn, Monster.com, Dice.com and the many others where we provide personal and private details. I have seen many a resume on LinkedIn that would easily allow me to compromise the person's identity. Some of us have not considered that the information we provide to business tools presents the same risk to us as the data we submit to social tools.
Tony Ross, one of our global sales trainers, shared a great piece of advice with me this evening. He said that when he calls an organization to deal with one of his accounts, if they ask him for something that is in his wallet, he refuses. He asks them to please verify his identity using something that could not be found if he were the victim of a pickpocket. I take this advice to heart and encourage you to ask your providers to use more secure methods of verifying your identity.
Next year when I am asked to look back and reflect on what the security landscape looked like in 2010, I hope I can faithfully declare 2010 the year that internet users took back their privacy. That, however, will be up to you to decide.
Creative Commons image of Private Area courtesy of splorp's Flickr photostream.