No-Fail Identity Theft – Live and In Person
ancientribe writes "A researcher performing social-engineering exploits on behalf of several US banks and other firms in the past year has 'stolen' thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they've forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it."
The human element.
Defective Logic
I love the ad for LifeLock at the top of the page. Didn't the CEO just fall victim to identity theft?
Those who believe the Internet is private,
find their privates are on the Internet.
A wise man once told me, "There is no security patch for human stupidity." I guess he was right...
Internet theft: Wholesale
in-person theft: Retail
We make up the difference in volume!
I'm not worried about Retail level theft. It's the wholesale one that is more worrisome.
If Internet theft has a success rate of 1 in a thousand but puts millions of people at risk, it's more worrisome.
Some drink at the fountain of knowledge. Others just gargle.
People are the weakest link in any security system. Film at 11.
In Soviet Russia jokes are formulaic and decidedly non-humorous.
I don't know if you can say it's related to online identity theft though; this sort of social engineering predated that by decades, and it's always worked well.
So much of it is about knowing the right number to call, or the right person to approach.
People just need to be suspicious, but suspicious is massively unhelpful to people who legitimately need help. No one ever calls me for security credentials because I am the documentation gestapo; instead they approach one of the other people who can set them up, because they know that those people won't ask as many questions.
On the one hand, I know I don't need to be as thorough as I am, on the other hand I know that the one time I'm not, I'll give access to the wrong person.
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Let me be the first to say, "well duh!"
Why is this even news? This isn't social engineering, it's old-fashioned fraud, the kind that has existed for thousands of years. Talk slick and carry fake documents, and you can make your way into the heart of most businesses. Even banks.
Don't blame me, I didn't vote for either of them!
Step one, find a birth certificate for a person of the same gender as you, and around the same age.
Register at your local university and obtain a student card in the name of the person on the birth certificate, withdraw before you have to pay anything (this step may vary with your university; I know it is possible at the uni that I attended).
Obtain utility bills in the name of the person on the birth certificate.
There you go, 100 points of ID!
Use to obtain other forms of ID etc. (If you're in the USA finding the social security number would probably be useful too.)
If the person isn't dead (to create a "new" id, make sure that the birth certificate is for a person who died quite young), then you can have a field day getting access to whatever.
Enjoy.
I wank in the shower.
People are much too obsessed with the image of a diabolical Cheetos-eating hacker without any social skills. The most effective criminals in the world are friendly, well-dressed, and outgoing. And usually only technologically-competent enough to get the job done.
Ever heard of mustard squirters? They squirt your back with mustard, then inform you of the fact you have mustard on your back. They proceed—presumably generously—to wash it off for you: In doing so, they take your wallet. No technology. Tremendous success rate.
Come on. Some people out there need to read the works of Frank Abagnale, or at least Kevin Mitnick.
"Insanity in individuals is something rare - but in groups, parties, nations and epochs, it is the rule."
I think this story is a fake. The FDIC does not audit or insure credit unions, the NCUA does. So either the author of the article got the initials wrong or the whole story is social engineering.
When someone from some esteemed institution of higher learning discovers this, then maybe the "identity theft" groupthink will end.
#1. Banks make money when your identity is stolen. The profit comes in the form of transaction penalties when you start reversing the charges and possibly the bank's "identity theft services."
#2. No one seems to have any interest at all in shedding some light on the credit process. Why isn't it quite transparent to all consumers?
The entire "identity theft" scheme works overwhelmingly in favor of the banking industry, and it's no one's fault but ours.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Pretend to be a researcher. Approach bank president. "Hi, I'm Bob Researcher from State U. I'd like to test your bank's security for you." [insert fear mongering as necessary]
If successful, yay! Free identities!
If unsuccessful, meh. You're legit!
While it may have a higher success rate, the fact of the matter is that "in-person" identity theft poses a much higher risk ratio for the would-be criminal.
I'm sure if the researcher were really going to jail for his "crimes", he might not be so cavalier (and calm) when committing them, and this might affect the 100% success rate.
Epic NON-Fail
Gone are the days when IT security testing firms are looking for Unix expertise. Now they're looking for actors.
Posing as an official will get you inside. What next, they'll pose as cops? Next time, they should walk in with FBI badges and guns. Flash the badge and then have the FBI have a chat with them.
This "study" is so bogus. I hope the FDIC presses charges against these morons.
Who cares if you get my spoofed IP address, but what happens when you run into a real member of the FDIC or whatever agency you are pretending to be from. He plays along and has you arrested. Or even if you pull off the fraud and obtain their information they still know what you look like at the least and may get some DNA or fingerprints to put on record.
Not to mention the whole issue of hitting up 100 people in an hour is a bit hard to pull off.
But the pay sucks :(
This is how I used to get my furniture : put on a work uniform w/ a few friends doing the same, show up to a motel w/ a shipping/receiving invoice, get a desk clerk to sign it, and carry a couch or whatever out. Almost 100% success rate at chain motels.
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
I can't tell you the number of times I've had to call a client who has never heard my voice before and say "Hi, I'm the computer guy, I need you to let me do some stuff on your system" and have them volunteer their passwords. Um, HELLO? I could be an impostor.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Education and knowledge are the patch for human stupidity. The whole point of the article was that because people are so focused on online security threats, they are becoming lax with old-school threats.
If people just understood the "online" part of "online security threats" this would not be an issue. I am genuinely disappointed that your everyday American is so ignorant about what the internet actually DOES.
Make technology classes mandatory as part of literacy education.
A few caveats:
1. Sometimes, education as a "patch" takes years, but it does work.
2. Yes, education depends on the motivation of the learner, but if rewards (like having a job, pay, etc.) are tied to Internet literacy, then learners will be sufficiently motivated.
3. No exceptions... everyone, including John McCain, must learn the basics.
Thank you Dave Raggett
Folks forget that "hackers" include, oh say, Kevin Mitnick (not a code monkey but always up for a bit of SE),
and in the right outfit you could walk into most any business, park yourself in the lobby with an EEE PC with the BackTrack logo on the lid and then hack the place blind. Chances of getting caught? Near nil.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
You seriously think banks make money on identity theft? You're either deluded or confused, or perhaps, both.
#1. Banks make money when your identity is stolen. The profit comes in the form of transaction penalties when you start reversing the charges and possibly the bank's "identity theft services."
I haven't seen a major bank EVER charge "transaction penalties" when it comes to cleaning up after fraud. And I only say "major" banks because I haven't personally dealt with every little bank across the country. Even 10 years ago, before identity theft was even close to the problem it is today, the only cost incurred by consumers was typically the time to make the phone calls (and sometimes, write letters). Back then, many banks still had $50 fraud liability clauses, but even then they rarely enforced them. Today, it is quite common for banks to specifically advertise that they have $0 fraud liability. And those "identity theft services" are never compulsory, and almost always just amount to saving you the effort of all the phone calls and letters you would otherwise have to take care of yourself.
#2. No one seems to have any interest at all in shedding some light on the credit process. Why isn't it quite transparent to all consumers?
Really? Have you been living under a rock for the last 5 years? The credit process is easier and more transparent today than it has ever been. The only consumers that it is not transparent to are the ones who are too lazy to do something as simple as obtaining their own credit report.
The entire "identity theft" scheme works overwhelmingly in favor of the banking industry, and it's no one's fault but ours.
Never mind that fraud prevention and detection is the #1 security-related cost for any bank. I fail to see how a system where banks must spend millions of dollars a month and employ thousands of people favors those banks, when there is no back-end profit to make up for it.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
No one would do this because there are cameras all over the place. Why would anyone want to be recorded while stealing identities? It happens online because no one sees them. No risks.
None of that crap would pan out where I work.
Need help getting through a door? Sure, people will let you through a door if you're lugging a load. Then they'll see you don't have your badge on, offer to help you find the office and person you're looking for, and if you don't know what name or location to give, they'll stick right with you until you figure it out or security comes along to help.
Selling copiers? "Oh, man, dude, nobody on this floor has the authority to buy anything! Lemme walk you over to the facilities guy that you *must* have an appointment with. He'll get you a temp badge or an escort if you need to look around."
New hire? "Gee, ya know, I hate to be a pain about this but you really do have to keep your badge on in the building. Lemme hold your box while you find it."
Lost your badge? "Gee, ya know, you're gonna get hassled a bunch without it. Do you know where Kathy's office is? Let me show you; she can issue you a temp badge for the day."
Lugging in a server or anything that looks remotely computer-like? The security guard will have you sign in and call down someone from IT to escort you.
Visiting executive? Unless you're the commish, in which case you'll be covered by a phalanx of security, even the lowliest of the low in this place will give you a friendly wave, say hi, and offer you a lanyard for your badge while you're in the building. "Oh, that's OK, I can wait till you find your badge. Do you want me to show you where you're going/where to get a temp badge/to security?" In fact, this is one of the few times a data input operator can pull rank on the highest executive in the organization and you'd better believe that no office lacks for people who would relish the opportunity.
Bluff your way past security and take an elevator ride to an upper floor, looking for something? Big deal. All the doors are on card keys and if you knock, the person who answers is going to lead you right back through the "Gee, I hate to be a pain about this but you really have to wear your badge in the building" routine.
Walking around in the hall looking semi-lost because you got in but realize you can't get through any of the doors? You'll be directly challenged by someone who will walk you directly to your manager (if you can provide a name and location) or directly to security.
If by some total breakdown (say, you've got a decent fake badge and you piggyback on someone to get through a door) you get into the work area and plop down in a conference room, you're gonna get caught in short order. Plug in your laptop? If you haven't pre-reserved the room, you'll trip port security, that port on the router will shut down, the telecomm lady will get an automatic page and head up to that conference room to see who's screwing around by plugging in an unregistered MAC. Just turning on a laptop with wireless enabled chances setting off the scanner that's sometimes running in every building; in that case, you get a quick visit from scary men with badges and guns. You're a contractor on site and you plug in a wireless access point? See the sentences immediately previous, plus you get tossed out, fired if you're a sub, lose your individual security clearance, and the overall contract holder gets in seriously hot water. Just sit there and try to look important? The conference room reservations are controlled by the nearest secretary. As soon as s/he sees you in the room, you'll get asked to do a formal reservation. "If the room is free, you can have it, but I need your name and badge number for the log book. By the way, where's your badge?" In offices where the conference rooms aren't tightly controlled, people get used to dropping in so if you're sitting there without a badge, you're going to get questioned. If you don't know the right jargon, the right person to say you're working with, the right organizational attributes to assign to yourself, you're going to be questioned. Even the most tim
Second that. I've worked in the private sector, state government, and (currently) federal, and the federal government were the only ones that really paid attention to security.
Of course it took like three weeks between me getting hired and me getting a computer account due to all the background checks, but I know why they're there.
In the 1950s in the town I live in (Chenoa, IL), 2 "inspectors" came in to audit the books of the local bank. They stayed for 4 hours poring over the materials, and appeared knowledgeable and professional. They stayed through lunch, when the manager and several other bigwigs went out to get a bite; the "inspectors" walked out with the entire cash reserve (since the vault was unlocked to allow them access to the ledgers). Never caught.
meh
I come from a country with a very high criminality rate. As a result, every system I run across there is way more secure than the ones here in the US. People there simply don't trust each other, so every system (e.g., even checking a book back into the library) has plenty of checks along the way. People here in the US say that such a trend would hurt our economy by making it harder and slower to do certain things like getting credit. This is rubbish. Businesses don't want that to happen, so they will figure out ways to use technology to expedite such processes. This is what I see back home. A lot of technology is applied to make sure that people can perform any transaction safely and swiftly. Do you know those secure ID cards that have a digital display and generate a different token every so often? Banks are now offering them for free back home to validate any transaction you do on the web.
In short, solutions do exist. We just don't bother looking for them because the US is a safe enough place. If we were forced to (like we are back home), we would find them.
There are places with tight security like that, and I've been to some of them. The overhead is high. For bidding purposes at a major aerospace company, we used to estimate that running a project at SECRET doubled the bid, and running at TOP SECRET ran the price up by 4x or more. At the higher levels, computers are in metal rooms with welded seams raised off the floor (so Security can check underneath) and with RF-tight airlocks. Signing documents in and out of files takes a big chunk of staff resources and time. There's a big bureaucracy associated with accountability.
One of the serious side effects of running highly classified projects is that the people working on them become obsolete in place. They're so cut off from the outside world that they don't keep up, outside their very narrow area of expertise. That's why I left aerospace and went to the commercial world.
made purchases using debits
And the merchant is on the hook for those transactions. They paid penalties for taking the bad card, plus the balance, plus the lost merchandise.
Debit/credit is pretty much the same from the average retailer's perspective, just another cost of doing business.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Operations serious about security do a badge exchange when you enter the facility. You present your "outside" badge, which is validated at the security checkpoint, and exchange it for your "inside" badge, which never leaves the facility. This forces the security people to really check your outside badge, and makes the inside badges harder to copy, since they're not seen outside the facility. Information about what areas you're allowed to access appears only on inside badges. Outside badges won't open anything; inside badges may also be keys.
Learned about this in Psych 101; it's terrifying and good to be aware of.
Bystander Effect (Genovese Effect)
"The bystander effect (also known as bystander apathy, Genovese syndrome, diffused responsibility or bystander intervention) is a psychological phenomenon in which someone is less likely to intervene in an emergency situation when other people are present and able to help than when he or she is alone."
Maybe if we didn't have such a bloated Federal Government those bank employees would be more inclined to say, "I'm sorry, I didn't notice your search warrant."
I know, private insurance could never work, so we have to be content with raids on our banks. Damn that Hamilton.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Read as some wry humor:
Thanks for the list of challenge I have to overcome... I probably would have been caught on my first try, photographed, and my identity established and put on a no-entry list. Now I'll be able to plan for each situation.
Thanks to you I also know I have to copy a mac address - a crossover cable and a microcontroller with ethernet for an ARP request is all I need. Then I'll be able to collect the fractional pennies with the virus I upload.
You see sir, the human element is the weakness. Pride, and the seven deadly sins are the tools to exploit it.
(So I don't get a black helicopter hovering over my house: I was making a point and have no interest in the IRS other than that they get my 1040 processed every year.)
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
But orgs are not so focused on online ID theft that they're stopping it. So really they're unfocused on online ID theft, and even more unfocused on in-person ID theft.
Because they don't pay the costs. Any focus on ID theft is an extra cost that doesn't save them any money, because the theft doesn't cost them as much.
Make the orgs liable for mishandling the IDs. Make them indemnify all costs, including the victim's labor to recover and even just monitor for exploitation for years later.
And make them liable for copyright violations when they copy personal data without express permission for that transaction, and they won't be giving it away to risky people anymore, either.
Then you'll see them "focused" like a laser.
--
make install -not war
Bingo. I have a set of truly amazing skills that I will take into retirement this year. In the private sector, those skills are worth approximately ... nothing.
That doesn't bother me. I like my current job very much; my time here certainly hasn't been wasted. After I retire, I have a number of options unrelated to my current job. But it is definitely true that my IT experience here isn't something you'd call "portable" by any stretch of the imagination.
I used to be the sysadmin for a high school, and my ONLY serious student-related security breach was when I found a keylogger attached to my photo ID system. I locked the photo ID system in the server room and sawed the keylogger in half.
Faculty and staff breaches? Daily. Teachers gave passwords to coworkers, students, interns, and even their own children. Parents called me for students' online-grade-retrieval passwords, I'd refuse to issue them without ID, and they'd call a teacher and get them, no questions asked. The principal ordered me not to lock my office during the day. A janitor yelled at me when I asked him not to unlock the library to let a student use the circulation desk phone after hours. Janitors would open any door for anybody, no questions asked. I even saw the principal try to prevent district maintenance personnel from installing a burglar alarm.
My screensaver timeout was 5 minutes. Everyone else's was 20 minutes, and after an avalanche of complaints, I made it 1 hour--and one teacher complained persistently about this to the principal--I lied and said that I can't make individual exemptions to the policy, lest I be forced to do it.
Turns out I had a pointy-haired principal who wanted nothing more than to make all the teachers and staff "happy" at the expense of security. If a teacher didn't want to have to type their password every morning, they shouldn't have to.
I don't work there anymore, and am currently in a private-sector company where security is given proper respect.
I was watching a professional thief turned consultant on TV a few years ago describe his best and easiest scam. He would get a rent-a-cop uniform and stand outside a bank branch somewhere at the night depository. When people came to the bank to make their night deposits, he explained that it was broken and the bank had hired him to collect the bags. He claimed that most people actually gave him their night deposit bags!
No, definitely not airtight. I was only responding to the notion that you can bluff your way in, plop down in a conference room, hook up to the network, and do bad things. That's the scenario the GP was discussing and it can't happen here, or, if it can happen, it's unlikely to give anyone any better information than how poor is the quality of the carpet and furniture in our conference rooms.
You bring up good points. Let me take a stab at them.
The security on them is the picture that has to match the face. We're transitioning to HSPD-12 (RFID smart cards for ID and access) as quickly as we can. The point isn't that the ID badges are of much use in a technical sense. The point is that you must have one of ours. A badge from anyone outside isn't good enough. If you have an accurate-looking fake badge, you can defeat much of our first line of security.
You can't, however, get through any doors with your fake badge. We use separate access-control cards.
Yes to the first question, no to the second. If someone finds a USB stick, they're going to treat it like radioactive anthrax. A lost USB stick means that someone has lost a device that may contain taxpayer (sensitive but unclassified) data. If you possess SBU data you're not supposed to have, you get in big trouble. Nobody wants that. Also, it is almost universally true (though this was definitely not the case not so long ago) that no one will plug into an IRS computer anything that wasn't issued to them by the IRS.
If, OTOH, you're talking about putting malware of some sort on those USB sticks and hoping someone plugs just one of them in, you have a point. However, we run constant scans on the network looking for unapproved software. The last time a contractor in my building plugged in a personally-owned USB stick with various non-IRS-issued applications, his account was locked off the LAN within 5 minutes. Within 10 minutes, Security had concluded a stern talk with his supervisor. He was a good guy, just new to the place and not yet "in the groove" when it comes to security. He took his suspension and a couple of weeks later got back to work with a bit more appreciation for the fact that we mean it when we tell people not to plug anything into the network that wasn't issued to you by the IRS.
I've been around for 26 years. I know this has happened. And in every case I know of, the offender left the office in handcuffs. Slashdot actually had a story about these incidents some months ago. Yearly, we'll have a few hundred incidents. Most are extremely benign, accidental compromises of a few scraps of disjointed information from a single account. The few deliberate "copy and sell" cases with which I am familiar have sent people to jail. Pretty much no one wants to risk that.
Besides, our access isn't as easy as you might think. I can easily access the computers of people who have massive amounts of SBU data. Their default settings, however, place that data in folders protected by Windows encrypted file system. I can't read their stuff. I can get a recovery key for times when there's been a system crash, but doing so requires documentation and approval from the encryption staff and they are, technically, the only ones who actually use the key, i.e. it's initiated from their end over the network. Everything they do is fully monitored.
I say bureaucratic. They aren't the same thing. From the outside, they look the same until you understand the need for both control mechanisms and continuity of service in the public sector. Those things completely trump efficiency so, to someone who doesn't understand why things are the way they are, government generally seems so inefficient as to be incompetent. It just goes with the territory.
As for your assertion that there must be a way to penetrate our security, I'm sure you're right. No system is perfect.
I take your post as humor and appreciate it. One serious note, though - our security has many layers and it is a violation of that security to make publicly available any information in sufficient depth and detail and sufficiently accurate as to enable someone to defeat that security.
I painted in rather broad strokes and some of the colors are a little off. Please don't consider it a blueprint. You'd be quite disappointed.
From personal experience, I can tell you that you NEVER get caught "off guard" if you're actually prepared.
As for "gaining my trust"... even my own MOTHER doesn't know my passwords, nor is she likely to get them from me. Why? For obvious reasons, and some not so obvious ones. It's called "need to know". If she doesn't know them, she's less likely to choose something similar for, say, her Hotmail or Gmail account, or less likely to write it down to remember it, or less likely to send it in clear text.
I have relatives who were caught off guard walking the streets in their native hometown, while I choose not to be caught off guard even in my own back yard or bedroom. Why? Put simply, A, my own safety is MY priority, and B, I actually care about not being caught off guard.
Those whom I referred to as "stupid" and "ignorant" are people who neither value their safety, nor their privacy, nor the organization they are members of. Generally, the bigger an organization is, and the bigger the disconnect is between employees and employers, the more likely it is that data security will only be followed on the surface to avoid being fired or punished, but will not be taken seriously in any other case. How do I know this? I've seen it when I did IT, I've seen it when running the family business (hell, secretary was leaving people's payroll list on the desk, wide open for anyone to read the weekly payrolls and client lists, and yes, I almost fired her on the spot. I didn't, but that's because I couldn't fire people, parents did that part of the business.)
" What luck for rulers that men do not think" - Adolf Hitler
Gibble gobble goop.
The eternal struggle of good vs. evil begins within one's self.
Thanks, but I wasn't really trying to convince anyone. I was just pointing out that reasonable steps could be taken to guard against obvious attacks.
An apology - I'm sorry that I can't explain exactly how security is set up to isolate a single machine that gets rooted. Going into that much depth in a public forum is, itself, a violation of our security. Suffice it to say that this isn't the sort of scenario that causes me to lose sleep.
Confession 1 - The "caught in 5 minutes" thing was a fluke. Security admitted as much. Most machines get scanned only every few days. This guy just happened to plug in his USB stick right before his scan started.
Confession 2 - Pen testing has been done against us and we've failed. Not in any big ways, but we've had people hand over their passwords. We've had a couple of cases where physical access was gained. When this testing was done, though, the investigators had access to sufficient knowledge of our SOPs and culture that they were able to pull off things that no one who isn't already an employee could accomplish. The only really disturbing tests that I've heard of have been a few cases where an investigator entered an office (they had their badge to get in the building and an access card to get through doors), got to the cube farm, took off his badge, and proceeded to walk around for a half-hour without being challenged. That's an embarrassing failure but it's happened at least a couple of times.
The theme here is that getting in isn't a piece of cake. Once in, the chance of discovery is high. If you're not discovered, you probably can't steal the data. If you're an employee who can steal the data, our monitoring will probably catch you and you won't like the result.
Many layers. One of them should do the trick.
a valid proof of ID, I'm not surprised in the least.
Banks have certainly outlived their usefulness. They are far more concerned about making money for themselves than they are about keeping the money of their customers safe. Real security costs too much, and security theater works just as well for public image and getting customers. For example, ID theft protection services. As a bonus, this one actually makes the bank money too!
Something is seriously wrong when it's impossible to find a bank that will cash a US Treasury check (and in increasingly more cases a check drawn on their own bank) anymore unless you have an account with them.
Those that still do allow non-accountholders to cash a check drawn on them will require two random forms of ID (something they've made up to meet the law (Reg. C? I think it is) on verifying ID, which is just ambiguous enough): a driver's license, CC, vehicle registration, etc., any of which could easily be forged and most of which are utterly useless for verifying that someone is who they say they are.
Pardon my LISP-like sentence structure, even though I haven't done any coding in LISP at all for years.
Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
More specifically, you can't be a Lifelock customer if you advertise your SSN. The service doesn't work as advertised.
Here is the problem. What is the going rate for an identity? $5? Probably less now. Perpetrating small time identity theft is a low risk crime, but to make it profitable you have to use those identities. Using them in the US is a lot higher risk. If you want to get rich, you either need to sell those identities, and/or be in a country where there is little chance of prosecution and no chance of extradition. This means that the real threat is online theft of a lot more identities. This is all risk vs. reward. For business, it is a decision. You have to measure the risk, which means weighing a number of factors, such as the likelihood of the incident happening, and what the damage would be. The chances are higher of a theft of your customer database, and the damages would also be a lot more severe. The cost of training everyone to a significant level about low volume identity theft is not going to be returned to you. Therefore you don't consider it a high priority. Setting up security for your customer database is definitely going to be returned to you, so you do it. It is all Return on Investment.
Open Source: Eroding the Digital Divide
Not at all. See my previous post on that subject.
Good point. Our contract cleaning crews are required to go through higher-security areas during the day, when the employees are around and can watch them. They are allowed to clean the normal office spaces after hours, but there is virtually never any information left out in breach of the clean desk policy. All paper with sensitive information is locked up. If you don't, one of the after-hours security audits will catch you, a big orange ticket on your desk greets you the next morning, and you have to go begging to your manager to get your files back. We have plenty of *really* messy desks here, but nobody leaves data lying about.
That doesn't mean the cleaning crew can't get to it. They just have to be willing to break into (stronger than average) cabinets, know which drawers to break, know which folders to take, etc. That's a lot of risk for little potential reward and I don't know of anyone who has gone down that path. Cleaning crew misdeeds, in my experience, have been limited to pilfering small items.
But I take your point that there are always "out of the blue" attack vectors.
The only potentially serious data loss we've had in my office involved one of these, even though we didn't actually lose any data. In the middle of the night, someone stopped on the main road next to the office, blocking a lane of traffic. They then walked to the nearest first floor glass wall, smashed it, and grabbed 5 or 6 desktop computers that they carried across the lawn, put in their vehicle, and drove away. From start to finish, it took perhaps 90 seconds. As it turns out, the particular office they broke into housed a public education office, so they got nice computers but no data. Since then, we've instituted roving security guard patrols 24/7/365.
Like I've said in other posts, we're not perfect. Just pretty darn good, IMO.
still no...
If I shoot you in the balls (this is /. so I'm assuming you're a dude), and somehow trick you into thinking I gave you a strawberry ice cream cone, your f*cking perception doesn't mean anything, you still have no balls.
Come on, you are just being silly now! In any case the sensation of having one's balls shot off (extending your assumption of maleness) would guarantee that a perception of customer satisfaction will not be attained, unless of course said customer is a hard-core masochist with castration fantasies.
A real world example is a product like, say, the iPod, which although it costs more than an equally spec'd device is, by a segment of the market, perceived to be far superior. If you sell something with greater (capacity | functionality | fidelity) for a cheaper price to a person who perceives the iPod to be superior, they will feel that they have made do with a cheaper product; had they spent the extra money, they would actually be happier! Now another segment of the market, who form their perception on the basis of pure specs (and so are unable to perceive that the iPod, despite the higher pricetag, is in fact the superior product <g>), will see things differently. But in both cases, the customer satisfaction derives not purely from the physical object, but from how that object is perceived. Of course, should said object stop working, perception can very quickly change.
As I said before, if you play the perception game, everyone loses... Enron, "3 strikes, you're out" laws, and the whole Bush administration are examples.
You may have noticed that not too many people still feel overwhelmingly positive about all of these things anymore. Stuffing up is not a good way to lift the public's perception of you. As the poet sang, "You can fool some people sometimes ..."
No one here, I trust, is saying that substance and perception are entirely unrelated. If you buy a product and it is robust and works well, you are more likely to form a better perception of it; so are reviewers and so is the buying public. Providing "quality goods and services" (whatever 'quality' may mean) is perhaps the best way of influencing the buyer's perception of your products. But, at least in a capitalist market-driven economy, where people get to make spending choices based on their own personal foibles, and there is no central authority to tell them what "objective reality" is, that's all it is. It is certainly not the driving force! Perception is, because that's what makes people open their wallets. Perhaps in some future ideal society quality will be the driving force, but it isn't in this crazy world we live in.
As jellomizer so correctly pointed out, firms providing services in areas where sensitive customer data must be stored are caught in a dilemma: namely, that of providing the best quality security on the one hand (necessary for long term survival), and on the other merely surviving in the market if their security procedures are perceived by customers to constitute an unbearable annoyance. It's not as black and white as you would like it to be.
What if a person had someone's identity and was about to wire their money throughout several safe-haven offshore banks? Any thoughts on the safest ways and how to actually get money in hand? The accounts will be in his name, but I want the cash in my hand. Many responses and inputs appreciated.