
In the wake of the Target and other merchants’ data breaches where over one hundred million people have had their information stolen, it’s time to look closely at the public providing crucial personal information too easily. If their Social Security numbers, dates of birth and other sensitive information were leaked in addition to credit card information, these ongoing breaches would be much worse.

So the question is, why do our government agencies expect the public to reveal this type of information to them over the telephone? The answer: because it’s convenient for the government.

As an IT professional with a specialty in data security, I am well aware, and always conscious of the need not to give out information unless it’s really necessary, and only through secured channels, if possible. Those secure channels do not include using the standard phone. Why? Because phone connections can be hacked and spoofed.

For illustration, we use VoIP technology which means our phone calls use the Internet to transmit the calls. We have the ability to easily spoof the Caller ID so that the number shown to the call recipient is any of our choosing. Within two minutes, I can edit our phone line information so that the Caller ID shows the White House number! Obviously, we don’t do that, but we could. The hackers are not so reluctant.

My philosophy is to be very, very cautious giving out critical identity theft information during a single phone call. You’re asking for trouble if you provide it, as your identity can be stolen. Once stolen, it may take years of painful effort to resolve that theft. NBC reports that over thirteen million Americans had their identity stolen last year!

As an illustration of sloppy security, I had to deal with LEO.gov (now changed to LEEP), the government’s “security conscious” Law Enforcement Organization, to change the password on my InfraGard account. InfraGard is a membership group formed by the FBI to recruit specialists in various disciplines to help them block terrorist activities. As an IT expert, I received the invitation about five years ago and, happy to help our government, joined.

Unfortunately, I cannot recall them ever doing anything useful but sending commercial news items in emails. They appeared to be just an aggregation from commercial news sources. In other words, a waste of taxpayer money.

The people at LEO.gov refused to provide a new password, as I would not give my full date of birth (in case it had changed) in addition to the other pieces of private verified information that I gave them in a single phone call. They would not accept a postal letter with it, partial information such as month and date but not year, or even the information split over two phone calls. It was their way, or the highway.

They couldn’t even provide a secure Internet address where an InfraGard member could enter that information and create a new password, something that has been common for over a decade in the commercial environment.

It was sad that a government agency was still stuck in the ’90s, claiming that security was their goal!

Therefore, in spite of some suggestions that LEO, of all government agencies, should practice logical security and not just claim they do, and the intervention of an FBI agent who was my InfraGard liaison, they would not change my password. So my membership will expire one day for lack of activity.

That isn’t a big concern, as another InfraGard member that I met at an event thought that InfraGard was nothing more than a networking group so you could get a new job. In other words, if you met another member, they had been screened for ability and were worth hiring. I see little value in InfraGard, but an enormous expense to the taxpayers.

If elected, I’ll be talking with the head of LEO or LEEP and make sure that they practice what they preach. They need to move into the twenty-first century. I’ll also find out what InfraGard actually does with its budget and act in the best interests of the public.