Article printed from SiteProNews: http://www.sitepronews.com
  HTML version available at: http://www.sitepronews.com/archives.html

 
Identity Protection is Up to You
By Trevor Bauknight

Last week, Atlanta-based Choicepoint (http://www.choicepoint.com),
a giant consumer information clearinghouse revealed that some
of the massive amounts of personal data the company stores on
virtually every American citizen was compromised. We found out
about this because some 30,000 Californians received mail
warning them that the personal information in question may have
belonged to them. That was the tip of the iceberg.

Since the initial story broke, we have found out that the
compromised information was not restricted to Californians. Only
the notification was. Why? California is the only state where
the law requires such notification. The company says it sent out
an additional 110,000 letters when investigators told them that
people outside California may have been affected; but the Los
Angeles County Sheriff's office investigating the incident
suspects that the number of people affected may reach half a
million nationwide.

What is ChoicePoint?

ChoicePoint is a data broker holding some 19 billion records
obtained from government, insurance and business sources. The
Electronic Privacy Information Center (EPIC - http://www.epic.org)
describes the company this way: "According to a recent quarterly
statement filed at the Security and Exchange Commission,
ChoicePoint sells: 'claims history data, motor vehicle records,
police records, credit information and modeling services...
employment background screenings and drug testing administration
services, public record searches, vital record services,
credential verification, due diligence information, Uniform
Commercial Code searches and filings, DNA identification
services, authentication services and people and shareholder
locator information searches...print fulfillment, teleservices,
database and campaign management services...'".

Since its spinoff from Equifax in 1997, the company has built
its massive databases through the strategic acquisition of some
60 companies, among them: Pinkerton, Inc., a pre-employment
screening company; Bridger Systems, a USA Patriot Act compliance
company and Bode Technology Group, a DNA identification company.
According to EPIC: "At Privacy International's Big Brother Award
ceremony held in Cambridge, MA on March 7, 2001, ChoicePoint
received the 'Greatest Corporate Invader' award 'for massive
selling of records, accurate and inaccurate to cops, direct
marketers and election officials.'" Powerful stuff.

What Happened?

The ChoicePoint website points out (in boldface): "This
incident was not a breach of ChoicePoint´s network or a 'hacking'
incident, and did not involve any of ChoicePoint´s customer
information." They're right. The data wasn't stolen. It was
sold. And we can safely say that with a 22% growth on net sales
of $918 million and 4% year-over-year growth in net profit, the
company came out pretty well on the transactions.

Sometime last year, about 50 companies were set up for the
specific purpose of accessing ChoicePoint data and defrauding
private individuals, and these businesses became ChoicePoint
customers in their own right with working logins and passwords.
They proceeded to guzzle and exploit ChoicePoint data; and in
only a few months, at least 750 cases of actual identity theft
originated in the abuse of this data. Organized crime has taken
on new dimensions in the age of the Internet, and to say that
this was "not a breach of ChoicePoint's network", while
technically true, leaves the most important things unsaid.

As the infamous computer hacker Kevin Mitnick
(http://www.defensivethinking.com) points out in his book on
"social engineering" _The Art of Deception: Controlling the
Human Element of Security_, a determined criminal need not be
technologically-inclined to help herself to the data she wants.
ChoicePoint's failure was in doing the very thing it claims to
enable its customers to do -- verify that their customers are
who they say they are.

What Should You Do?

Everyone is potentially impacted by this incident. As private
individuals, you must be ever more vigilant of your personal
identity. Some of the best ways to do that are outlined at the
EPIC site above. Your credit report is usually the first
indicator that something has gone wrong, and checking it
rigorously and regularly for unusual queries, account activity,
etc. should be your first order of business. Mechanisms are
finally being put in place to allow you to do so free of charge,
and details are available at

http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm

When using the Internet, always be wary of phishing schemes
designed to lure you into supplying your personal information
to illegitimate businesses masquerading as banks, eBay or even
the IRS and FBI. Protecting your computer against spyware and
viruses is getting easier now that Microsoft is supplying free
software for doing so. But the key to computer security is
keeping yourself educated and paying attention to security
warnings, certificate verifications and unrequested changes to
your system configuration and preferences. At Cafe ID
(http://www.cafeid.com), a portion of our website and our time
is dedicated to keeping our customers up-to-date on the latest
information regarding these threats.

As business owners, you must be able to verify that the account
you're opening is really for Mrs. Elder and not for a 41-year
old Nigerian man. This is apparently so difficult that not even
ChoicePoint can manage it, and it has billions of records and
powerful databases at its disposal. Business owners must demand
more accountability from these private, profit-driven data
brokers, and that, too, is a tall order given that ChoicePoint
claims as customers at least 35 Federal government agencies and
numerous state and local agencies. The SBA (http://www.sba.gov)
and the FTC (http://www.ftc.gov) are excellent resources to help
you find out what you need to know and who you need to contact
with your concerns.

Establish policies governing interactions with potential
customers, and don't waver from them. Be suspicious of requests
to do things differently for people, even if they sound like
they know the jargon or things that maybe only the right people
should know. Such manipulation is at the heart of social
engineering. Do everything you can to establish your business
identity and secure it with digital certificates and strong
passwords. Your company website may be the most visible and the
most vulnerable aspect of your Online Identity, so make sure
you're dealing with reputable hosting companies. And don't
attempt to conduct official transactions via e-mail. Addresses
are easy to spoof, as the myriad phishing schemes illustrate.

If you think you already may be a victim of identity theft,
there are several steps you should take immediately. Write to
your creditors and inform them of what's going on, and use
registered mail. Keep paper records of everything. Law
enforcement is keenly aware of and interested in this problem,
and they should be among the first people to know if you feel
your identity has been stolen.

Those are great starting points, but the road is long and
winding. Failure to walk it, however, can be disastrous to you,
your family and your business.

================================================================
Trevor Bauknight is a web designer and writer with over 15 years
of experience on the Internet. He specializes in the creation
and maintenance of business and personal identity online and can
be reached at trevor@tryid.com. Stop by http://www.cafeid.com
for a free tryout of the revolutionary SiteBuildingSystem and
check out our Flash-based website and IMAP e-mail hosting
solutions, complete with live support.
================================================================

Copyright © 2005 Jayde Online, Inc.  All Rights Reserved.

SiteProNews is a registered service mark of Jayde Online, Inc.