Friday, July 25, 2008

You want my what? Really.

They say that identity theft is a larger and more profitable business than drug trafficking.

I wonder why.

Hmmm, I don't know, maybe because EVERYONE HAS MY PERSONAL INFORMATION.

Help desk analyst I talked to recently:

"In order for me to help you, I'll need your Social Security Number."

My response: Really?

Person from certification body auditing my credentials:

"If you'll give me your Social Security Number, I might be able to save some time in collecting the information I need."

My response: Really?

Nurse at doctor's office that I spent all of 6 minutes at:

"I'll need all of your information filled out on this form, including your Social Security Number."

My response: Really.

Enough is enough. In the past 3 weeks, I've been asked for my Social Security Number by 7 people that I didn't know or inherently trust. Some of these people had legitimate reasons for asking for my info, but for others it was simply them wanting to "save some time".

As security professionals and evaluators of controls and procedures, we should be first to say, "Hey, how about we NOT ask for their SSN and maybe use other sources of info to verify their identity?"

I know what you're thinking.Wait, let ME say it. Social Security Numbers are one of the few reliable sources of personally identifiable information out there. I understand this. I just wonder why organizations worldwide use them so publicly and openly.

Bottom line: our Social Security Numbers shouldn't be the one and only source of information that we use to identify the people that interact with us. Organizations all over the world should be a little more creative with this process.

And to the people that GIVE this information so freely to the people that request it, all you need to do is say one word: "Why?" The organization or person should be able to answer this. If the response you're given makes your stomach hurt, just say: "Is there another piece of information that I can give you to identify me?" Most of the time there will be, and asking simple questions helps to limit the exposure in a number of ways.

Let me wait, there is too much, let me sum up:
  • If you're in a crowded area, and someone asked you to verbally give them your credit card number, would you do it? I hope not. Granted, the number of people that can memorize 12 to 16 digits after hearing them once is pretty limited, but you get my point.
  • The majority of the time, call center operators that ask for anything related to your Social Security Number are only asking for the last 4 digits. Most of the time this is all that's visible to them on the monitor in front of them. If someone is asking for the full meal deal, take caution and again ask, "Why?".
  • Stay on the side of caution when ANYONE asks for your SSN. Be cautious. Once you give it up, that's it. It's not like you can call American Express and ask them to issue you a new one.
All in all, let's work a little harder in keeping private information just that: PRIVATE. Organizations that need to identify us as consumers can do a better job of storing information about us that don't require something so personal, and we as customers and affiliates can do our part by questioning and limiting the use of our individual so-called secret number.

No comments: