Jan 19 2008

I’m not the only one who sees the irony

Published by at 8:18 am under PCI, Privacy

Dan Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data.  And more importantly, he actually knows the names of the players, something I’m terrible at remembering.

NotEnough commented on my earlier post that GE Money is offering a year’s credit monitoring for those affected, which he says is not long enough. He’s specifically talking about SSNs, which don’t have an expiration date and can be set aside for a year or two and then used to commit identity fraud once no one’s actively looking for that data set anymore. This is part of why statistical correlation between a specific breach and identity theft is so hard. I’d like to see if anyone has done an academic survey of the difference in the level of identity theft between populations that have been victims of a breach and the general population, specifically over the long term.

It’s becoming more obvious to me that despite many companies’ best efforts, my data is going to be at risk at some point in my lifetime. That feels cynical, but as a security professional, I know it’s just realistic. There are too many places where my data is being stored, too many connections being made, too many possible points of failure in the systems. I’ve never been a big fan of paying a monthly fee to make sure my credit is safe, but given that my information may already be a commodity somewhere in cyberspace (or Russia), a small inconvenience and a few dollars a month might not be a bad price to pay for peace of mind. Corporate America obviously can’t keep my data and credit safe, so it’s up to me to take steps of my own.

Rich Mogull recently switched to Debix and I’ll get him to talk about why and what they offer on the next podcast. At this point, I’m not even sure what the proper questions are to ask when choosing a credit protection service, but I’m sure Rich’ll help me understand. I already know I’m not going to choose LifeLock, but I am interested in knowing what other solutions are out there. I want something I can live with long term, especially since the problem isn’t going to go away any time soon.


3 Responses to “I’m not the only one who sees the irony”

  1. Ed - Alternatives to LifeLock on 22 Jan 2008 at 1:25 pm

    The two main competitors to Lifelock are Trusted ID and the LoudSiren Debix team. If you choose the latter, sign up through LoudSiren and in addition to the $25,000 AIG insurance you will have a $1,000,000 Debix guarantee. The important questions to ask are: what does the insurance cover, or how strong is the guarantee? How do the fraud alert systems differ in terms of approving your credit or declining a thief? What is the price in year one and in subsequent years? LoudSiren is the best value but Trusted Id does have an extra option to freeze your accounts that may be a selling feature for some. They do charge extra though, $154.5 compared to $99. Prices are cheaper in the first year, $109.95 and $89 if you use an affiliate link such as the one at http://www.identitytheftlabs.com. Identity Theft Labs also has a good comparison chart and reviews. It is important to distinguish between sizzle and steak, cake and icing. All offerings have value added features.

    I have to agree with you one hundred percent. Our information is out there and is likely to be compromised. This is why identity insurance is a must. Fraud alerts are definitely the best protection available but not foolproof. Credit monitoring is not proactive and not a solution. It can mitigate the damage though. Freezes are another option but are best reserved for those who have experienced an attack. Hope this gives you some ideas about what to talk about.

  2. Mark T. Palmer on 25 Jan 2008 at 10:11 am

    So who’s watching (or regulating) the credit/identity monitoring companies? I’ve considered the possible value these services might have for me as well, but I can’t help thinking, “Who’s watching the watchers?” What happens when one of these companies loses a tape with thousands of SSNs, account info, etc…? Thanks for the link to identitytheftlabs.com, although why should I believe the information presented there when there is no way to identify who is operating the site? Who knows, maybe Gideon Yu and Launny Steffens own all three of these service/insurance providers.

    “Identity insurance”? Is that anything like “Alien Abduction Insurance”? No disrespect meant, but where does it end?

    I am not nay-saying the idea of proactively monitoring (being responsible?) for one’s own identity and information. Reality is that there will always be incidents like “lost tapes” that go unreported because someone thought, “It was just one tape. No big deal.”

    I enjoy your blog and look forward to continued discussions.

    Peace and Cheers,
    Mark T. Palmer

  3. Identity Theft Service Review on 03 Sep 2008 at 4:19 pm

    There are hundreds of companies that don’t properly secure their websites, leaving hackers easy access to your personal information. If a computer hacker can hack NASA, then more than likely any other business is vulnerable. That’s why keeping your identity safe is very important. Nice post, keep them coming.
