Junk Mail and Identity Theft

Every year up to 3 million Americans find out that credit accounts have been opened under their name without their permission. About 400,000 of these cases are due to stolen mail. The stolen items are usually mailings from various companies that you would most often ignore. The best way to prevent them from being stolen is to prevent them from arriving in the first place. Here are a few things you can do to stop junk mail from ever getting to your mailbox.

Contact the Credit Bureaus' opt-out line. You may reach them at 888-567-8688 (888-5-OPT-OUT). You can tell them that you opt out of pre-approved insurance and credit card offers. These offers may be stolen from your mail and activated, giving an identity thief access to an account without your knowledge; he may use it and you will be billed for his purchases.

Register with the National Do Not Call Registry. If you still haven’t done this, make sure you do it as soon as possible. You can do this by visiting their website or by dialing the toll-free number 888-382-1222. This database is maintained by the Federal Trade Commission. Having your number listed here prevents most telemarketers from contacting you with promos or offers. It also tells you not to entertain telemarketers, since you know you opted never to be contacted. Be very wary of telemarketers asking for your personal information. Registering also prevents their company, or the company they represent, from sending you anything via the mail.

Contact List Brokers. List brokers are entities that pool information from phonebooks, public records, etc. These companies use this information to prepare mailing lists and phone lists for companies and businesses. You can ask them to remove you from their lists, but you will have to contact each broker individually.

Get in touch with the DMA, or Direct Marketing Association. This is a trade group with 5200 member businesses. These businesses use direct mail, phone calls, or the internet to pitch their products directly to consumers. By bypassing the traditional store they save on costs, which allows them to sell products at a lower price. You may ask the DMA to provide you with a list of its members so you can limit your interaction to businesses that are DMA members in good standing. Or you may ask the DMA for ways to opt out of its members’ services.

These are just 4 relatively simple ways to prevent receiving junk mail and ultimately prevent it from being stolen. Do not forget that identity theft can only be avoided through diligence and caution.

Identity & Access Management in the Cloud

Last week I was asked to give a presentation at the IBM Tivoli User Group on Identity & Access Management In The Cloud to IBM employees, IBM Business Partners and customers of IBM Tivoli Security products. I soon realised that my first problem was going to be defining The Cloud. Not everyone I spoke to in advance of the presentation knew what The Cloud was!

So What Is The Cloud?
The Cloud seems to be a term bandied about all too readily these days and for many people it merely represents everything that happens on the Internet. Others, however, are a little more strict with their definition:

“For me, cloud computing is a commercial extension of utility computing that enables scalable, elastic, highly available deployment of software applications while minimizing the level of detailed interaction with the underlying technology stack itself.”

“Computing on tap – you get what you want literally from a socket in the wall.”

“Cloud computing is just a virtual datacenter.”

Wikipedia, naturally, has its own definition.

Cloud computing is Internet based development and use of computer technology. In concept, it is a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them.

Of course, there are different levels of computing that a provider in the Cloud can offer. The usage of a particular software application (e.g. Google Docs) is just one such offering. Another would be akin to a software development platform (think Google App Engine, Microsoft Azure and Salesforce’s force.com). Then, of course, there are the raw infrastructure services – servers provisioned “on-tap” for end-user usage (e.g. Amazon EC2).

We are probably all users of Cloud services if we think about it. A quick look inside my Password Safe vault reveals almost 300 different User ID & Password combinations for services on the net including:

  • Blogger
  • Twitter
  • Facebook
  • LinkedIn
  • Google Docs
  • Gmail
  • Screenr
  • ChartGo

The Enterprise Model
While it is easy to see how personal usage of Cloud applications has grown over recent years, it may come as more of a surprise to learn how the Enterprise is adopting Cloud usage.

According to EDL Consulting, 38% of enterprises will be using a SaaS based eMail service by December 2010. Incisive Media report that 12% of Financial Services firms have already adopted SaaS, mainly in the CRM, ERP & HR fields. And our friends at Gartner reckon that one-third of ALL new software will be delivered via the SaaS model by 2010.

My guess? SaaS is already happening in the enterprise. It is here and it is here to stay.

With any change to the enterprise operating model there will be implications – some real and, just as critical, some perceived.

In the Perceived Risks category, I’d place risks such as loss of control; storing business critical data in the Cloud; reliability of the Cloud provider; longevity of the Cloud provider. Of course, these are only perceived risks. Who is to say that storing business critical data in the Cloud is any less risky than storing it in the enterprise’s own data centre? There may be different attack vectors that need to be mitigated against, but that doesn’t mean the data is any less secure, does it? And who says the enterprise has to lose control!

Real risks, however, would include things like the proliferation of employee identities across multiple providers; compliance to company policies; the new attack vectors (already described); privacy management; the legislative impact of data storage locations; and, of course, user management!

Cloud Standards
As with any new IT delivery methodology, a raft of “standards” seems to appear. This is great as long as there is wide-spread adoption of the standards and the big suppliers can settle on a specific standard. Thank goodness for:

These guys, at least, are attempting to address the standards issue and I am particularly pleased to see CSA’s Domain 13 on Identity & Access Management insisting on the use of SAML, WS-Federation and Liberty ID-FF.

Access Control
And on that point, the various Cloud providers should be congratulated on their adoption of security federation. Security Assertion Markup Language (SAML) has been around for over 6 years now and is an excellent way of providing a Single Sign On solution across the enterprise firewall. OpenID, according to Kim Cameron, is now supported by 50,000 sites and 500 million people have an OpenID (even if the majority don’t realise it!).

The problem, historically, has been one of identity ownership. All major providers wanted to be the Identity Provider in the “federation” and Relying Parties were few and far between. Thankfully, there has been a marked shift in this stance over the last 12 months (as Kim Cameron’s figures support).

Then there are the “brokers”. Those companies designed to make the “federation” process a lot less painful. The idea is that a single-authentication to the broker will allow wider access to the SaaS community.

Symplified and Ping Identity seem to be the thought leaders in this space and their marketing blurb comes across as comprehensive and impressive. They certainly tick the boxes marked “Speed To Market” and “Usability” but again those perceived risks may be troublesome for the wary enterprise. The “Keys To The Kingdom” issue rears its ugly head once more!

Identity Management
SPML is to identity management as SAML is to access management. Right? Well, almost. Service Provisioning Markup Language (SPML) was first ratified in October 2003 with v2.0 ratified in April 2006. My guess? We need another round of ratification! Let’s examine the evidence. Who is currently using it? A Google search returns precious little. Google Apps uses proprietary APIs. Salesforce uses proprietary APIs. Zoho uses proprietary APIs. What is the point of a standard if nobody uses it?

Compliance & Audit
Apparently, forty times more information will be generated during 2009 than during 2008 AND the “digital universe” will be ten times bigger in 2011 than it was in 2006! Those are staggering figures, aren’t they? And the bulk of that data will be quite unstructured – like this blog or my tweets!

The need for auditing the information we put out into the digital universe is greater than ever but there is no standards based approach to Compliance & Audit in the Cloud!

Service Providers are the current custodians of the Compliance & Audit process and will likely remain so for the time being. Actually, the Service Providers are quite good at this, as they already have to comply with many different regulations across many different legislative jurisdictions. Typically, however, they present Compliance & Audit dashboards tailored to vertical markets only.

It’s understandable, I guess, that for a multi-tenancy service there will be complications separating out relevant data for the enterprise compliance check.

Moving To The Cloud
There are providers out there who claim to be capable of providing Identity Management as a Service (IDaaS), which sounds great, doesn’t it? Take away all that pain of delivering an enterprise-robust IdM solution? In practice, however, it works well only for enterprises who operate purely in the Cloud. These solutions already understand the provisioning requirements of the big SaaS operators. What they can’t do quite as well, though, is the provisioning back into our enterprise systems! It’s not enough to assume that an enterprise runs everything from its Active Directory instance, after all. Also, we have to remember that using an IDaaS is akin to giving away the “Keys To The Kingdom”. Remember our perceived risks?

An alternative is to move the enterprise IdM solution into the Cloud. Existing installations of IBM Tivoli Identity Manager or Sun Identity Manager or {insert your favourite vendor here} Identity Manager could be moved to the cloud using the IaaS model – Amazon EC2. The investment in existing solutions would be retained with the added benefit of scalability, flexibility and cost-reduction. Is this a model that can be adopted easily? Most certainly, as long as the enterprise in question can get its head around the notion of moving the “Keys To The Kingdom” beyond its firewall.

Conclusion
The next generation of user is already web-aware – SaaS is here to stay – and SSO is finally within our grasp with only a handful of big players dragging their heels when it comes to implementing standards such as SAML v2.0. It was also intriguing to play with Chrome OS last week (albeit an early prototype version). Integrating desktop sign on with the web just tightens things that bit further (in a Google way, of course).

Provisioning (whether it is Just-In-Time or Pre-Populated) is still the pain-point. Nobody seems to be using SPML and proprietary APIs abound. Nailing this is going to be critical for mass adoption of SaaS solutions.

While Provisioning is the current pain-point, however, Governance, Risk & Compliance will be the next big-ticket agenda item. The lack of standards and proliferation of point solutions will surely start to hurt. Here, though, I run out of ideas…. for now. Seems to me that there is an opportunity for a thought leader in this space!

How to Protect Yourself Against, and Mitigate Damages From, Identity Theft

We’ve all heard of it. But we all think that we’re invincible to it. Identity Theft!

What is it? It refers to the preparatory stage of acquiring and collecting someone else’s personal information for criminal purposes.

Identity theft techniques can range from unsophisticated, such as dumpster diving and mail theft, to more elaborate schemes.

If your identity is stolen, do you have a plan in place to mitigate the damages? If not, you should at least bookmark this, just in case you need it in the future.

Identity thieves are looking for the following information:
• full name
• date of birth
• Social Insurance Numbers
• full address
• mother’s maiden name
• username and password for online services
• driver’s license number
• personal identification numbers (PIN)
• credit card information (numbers, expiry dates and the last three digits printed on the signature panel)
• bank account numbers
• signature
• passport number

There are things that you can do to protect yourself from identity theft, and there are steps that you can take to minimize the damage and help bring the thief to justice.

Here are 5 things that you can do right now to protect yourself:
1. Do not sign the back of your credit cards. Instead, put ‘PHOTO ID REQUIRED.’
2. When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the ‘For’ line. Instead, just put the last four numbers. The credit card company knows the rest of the number, and anyone who might be handling your cheque as it passes through all the cheque processing channels won’t have access to it.
3. Put your work phone number on your cheques instead of your home phone. If you have a PO Box, use that instead of your home address. If you do not have a PO Box, use your work address. Never have your SIN printed on your cheques. (DUH!) You can add it if it is necessary. But if you have it printed, anyone can get it.
4. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place.
5. When you travel abroad, carry a photocopy of your passport. We’ve all heard horror stories about fraud committed against us through the theft of a name, address, Social Insurance number, credit cards, etc.

If your identity does get stolen, what kind of things can you expect to have happen?

Here are just some of the things they can do:
1. Access your bank accounts
2. Open new bank accounts
3. Transfer bank balances
4. Apply for loans, credit cards
5. Make purchases
6. Buy cell phone packages
7. Get a credit line approved by retail stores
8. Access your driving record, and change your information online

If you are a victim, here’s some critical information to act on immediately:
1. Cancel your credit cards immediately. But the key is having the toll-free numbers and your card numbers handy so you know whom to call. Keep those where you can find them. This is why we photocopy them (see above). Call your local bank/financial institution as well.
2. File a police report immediately in the jurisdiction where your credit cards, etc., were stolen. This proves to credit providers you were diligent, and this is a first step toward an investigation (if there ever is one).
But here’s what is perhaps most important of all:
3. Call the nationwide credit reporting companies immediately. Ask them to put a fraud alert on your name and credit report. The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit.

Here are the numbers for two national credit bureaus:
1.) Equifax: 1-800-465-7166
2.) TransUnion Canada: 1-877-525-3823
4. Order free copies of your credit report from each of the nationwide credit reporting companies.

Have you ever been a victim of identity theft? Tell us your story and maybe others can learn from what you did, or didn’t do.