
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Analysis

Who's the biggest threat to your identity? You.

Posted on 18 Apr 2007 at 11:05

Information intelligence is at the heart of what Detica does, and its senior fraud expert David Porter sees the irony in criminals exploiting the same data-mining techniques that are used by banks and governments to spot fraud. "These techniques range from very fast searching and fuzzy matching algorithms, through to unsupervised neural networks and clustering algorithms," he claims. This process can be fully automated - in the Black Hat world, the people who handle such tasks are known as Data Doggs. John Madelin, the head of UK practice for business continuity, security and governance with BT Global Services, has seen it all before and reveals that "for a small fee, $50 or thereabouts, they'd gather all data on you and prepare a three- to five-page detailed report. The fee implies this exercise probably took less than an hour thanks to the crawling tools used."

Privacy vs participation

This leaves us asking the difficult question of whether it's even possible to participate within social networking communities and blogs, both of which have become de facto components of modern online life, and still maintain a degree of privacy. Mike Greene, vice president of product strategy at security software company PC Tools, is convinced that total privacy is only an option if you don't tell the truth, and blames the dangerous growth of Web 2.0 data distribution on ego. "It's the virtual celebrity culture, where people want to talk about themselves and hope someone is listening," he insists. "If you want privacy, make up a name or leave social networking well alone."

Critics argue that social networking and blogging sites encourage people to divulge unsafe levels of personal information and don't do enough to police their content. However, it's always going to be difficult to control what people choose to publish about themselves. The problem is the internet is dominated by unstructured data - words, images, music - that's trickier to nail down and control than typical structured database data. "Websites need to be unequivocal when warning users of the potential danger of divulging personal data online," says Porter. But unless forced to do so by legislation, and to the best of our knowledge this isn't something that's even on the table, that simply isn't going to happen. So what's the answer to the participation and privacy conundrum?

Protect yourself

The best solution is to fib. Use different pseudonyms for each service, use different disposable email accounts, don't reveal intimate information. "You can control the use of the data to some extent by recommending participants only release fuzzy generalisations of their details," advises Navarro. "Not date of birth, but year of birth; not village of birth, country of birth and so on." The first thing you should do is set clear limits about what's acceptable to you personally and what isn't. Decide what information you want to be in the public domain (where anyone can access it), what should be for limited distribution (where only those you trust can access it) and, perhaps most importantly of all, what shouldn't be online at all. "Think about the answers you've given to security questions," suggests Cox. "Perhaps consider some false answers, such as adding a month to your birthday."

Don't think that this advice applies only to MySpace and its ilk; the truth is, anywhere that people gather to openly divulge information about themselves is like jam to wasps. At the Helsinki threat research labs of security specialist F-Secure, chief security officer Mikko Hypponen takes a keen interest in tracking just this kind of activity and has noticed that a general formula of "the smaller the website, the greater the risk" can often be applied. Many smaller online sites simply don't have the budget for the same robust security measures as their larger equivalents. "However, they do still store lots of juicy data, such as customer databases and credit card information," Hypponen warns. "It's the perfect place for a criminal to source information, and stolen admin accounts from such shops are being traded online. Referred to as 'shopadmins' by the criminals, five of these can retail for around $1,000."
