Whilst some are putting a case for Identity becoming “the New Money”, ongoing cyber-attacks will challenge our thinking on whether we can place enough reliance on traditional analogue and digital Identities. One of the interesting consequences of recent cyber-attack is our society’s over reliance on traditional “analogue” Identity data in the digital age we live in. In the past, Identity data such as “mother’s maiden name”, our residential addresses or birth dates have been used as security identifiers to authenticate ourselves to our banks / telecoms providers / and other service companies. These credentials are used to prove that we are who we say we are when challenged over the phone ore remotely authenticated by a service provider. This method may have been valid in the past where such information was somewhat secret to the individual. However, it today’s world, such information is no longer completely private and is often accessible through a variety of online channels (some of which increasingly are being compromised). Companies are exploring and need to accelerate efforts to find alternative methods for identifying their customers through alternative means that are harder for fraudsters to guess or obtain through these types of attacks. These may include gathering information from smartphones, wearables, behaviours (voice, facial recognition) or other future technologies to support such efforts – for example checking which phone number the customer is calling from; recognising the customer’s voice; asking the customer to respond to an sms message or checking their location through their smartphone.
If we are able to de-value personal “analogue” Identity data, then the impact of breaches on consumers such as this would be far less. Additionally, if Identity data is de-valued, then such information would not be a target for cyber-criminals. Interestingly, healthcare records are estimated to be more valuable than credit card data which is often the focus of many breaches.
Whilst customers await changes from their service providers the following tips may be helpful, especially for those impacted by a data breach :
- Don’t panic. You are often one of several thousand if not million people that may be impacted by a breach.
- Confirm what information your provider has about you that may have been lost in the breach – e.g. which email, what identity data they relied upon (e.g. mothers maiden name or password), which credit card, what banking details? etc.
- Identify whether any personal information can be used by a fraudster on your behalf to approach your bank, service provider etc. For example, if your service password / mothers maiden name is used to authenticate you with your bank, you may wish to change this identify to something different in the future. This may apply to your mothers maiden name or even your birthdate if these are being used by your service provider to authenticate you – remember your service providers are often using this information soley for identification purposes and therefore such information does not need to be a true reflection of reality.
- Explore options for Identity protection and credit scoring services to keep updated on whether your identity / name is being used to open new bank accounts, credit cards or mortgages.
- If any passwords you have used are the same as other online services you have, it is strongly recommended to change them. Consider applying a random algorithm / pattern that generates passwords for different sites.
- Be wary of follow-on attacks which include unsolicited emails and phone calls that fraudsters may use to trap you into providing further information or offering you unauthorised services.
[su_box title=”About Protiviti” style=”noise” box_color=”#0e0d0d”]Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.