Assessing the risks
Perhaps the biggest risk that accompanies the proliferation of personal information on the Web is the increased danger that the information will be used for identity fraud. Although overall identity fraud has trended down somewhat, 8.4 million people were victims of identity fraud last year, according to Javelin Strategy & Research , which publishes an annual survey report on the subject.
Of the information available about me on the Internet, the most troubling was my Social Security number, blatantly posted online by my own county government, for the convenience of lawyers, insurance agents -- and petty criminals interested in identity theft. Today, you need more than just a Social Security number to commit identity fraud, but a criminal who has that number is off to a great start.
"Various arrest records released by law enforcement have included criminals' confessions of using bulk scans of both paper and electronic records access," says Javelin president James Van Dyke.
While I was able to have my Social Security number redacted from the county Web site record by filling out a form with the Registry of Deeds, there's no telling if that information was already scraped by thieves. (On the plus side, the information from the county database didn't show up on Google or other search sites, probably because it resides in a database and must be queried rather than appearing on a Web page that is easily indexed by Web crawlers.)
Identity thieves can also cobble together Social Security numbers from different sources that publish different parts of the Social Security number as an identifier. For example, subscribers to LexisNexis can find the first five digits of a subject's nine-digit Social Security number, while Acxiom provides the last four digits in its reports (although that's harder to obtain, since Acxiom screens its customers). Federal tax liens use the full Social Security number, and state tax liens use the last four, says Ostergren. Both are publicly available on paper records, and in many cases the data is being republished on the Web.
Once a thief has the number, it can be used to unlock more data about you that can be used for identity theft.
The sheer breadth of information available about individuals online is also a concern. According to Rambam, having access to that much information makes it easier for criminals to obtain other identity authentication factors such as a mother's maiden name.
But others say that even having one or two authentication factors for an individual is no longer a guarantee of success in identity theft. Improved processes and consumer awareness are key reasons why new account fraud has remained flat in the past year, according to Javelin, and faster detection has caused account fraud losses to decrease by 21% from 2007 to 2008.
Barrett says that the number of authentication factors required is on the increase, and varies with the risk involved. Accessing an online subscription to the Wall Street Journal would require fewer authentication factors than would accessing a bank account. In fact, most financial institutions now require multiple authentication factors to open an account -- or even to process an address change. "If there's a high degree of risk it can be seven or eight or nine factors. If it's not it might be three or four. But it's not one or two."
As a test, I called my business credit card company and my bank. The credit card vendor asked for my account number and mother's birth date to access my account. To change my address, I also needed to provide my full name and the credit card's four-digit security code. That's four factors.
When I called my local bank with the same request, the representative asked for my name, middle initial, city of birth and mother's maiden name. (According to a security executive from the bank, representatives may also ask the branch location where you opened the account and how long you've had the account.) The representative did not ask for my account number, and she divulged my current address during our conversation.
But are four authentication factors today really more secure than two were 10 years ago? Four may be the new two. Because so much data about me is readily available online, right out of the gate I had found online two of the four factors needed to change the billing address for my credit card. But I still needed the physical card to determine the card number and security code.
More worrying was the fact that I had tracked down three of the four authentication factors needed to change my address with the bank (which is now reviewing its policies).
While both institutions require four authentication factors, the fact that the answers to some of those "authentication" questions about me are readily available online mitigates their value. In this case, an identity thief is two authentication factors away from cracking my credit card account and just one away from messing with my bank account data.
The banks might do well to increase the number of authentication factors in use -- even though it presents an inconvenience to customers. The challenge will be figuring out what questions to ask in a world where almost everything there is to know about you is publicly available online.
Privacy may be dead, as Rambam likes to say , but individuals can play a role in reducing their information footprint and shaping the information that is available about them. Keep reading our special report for steps you can take to control data about you.
This story, "What the Web Knows About You" was originally published by Computerworld.