My Adventure in Mommyhood

Friday, May 13, 2011

Identity Theft

You never think it will happen to you. The data you sent to buy that whiz-bang new application over the Internet will never come back to haunt you. You’ve dealt with reputable company. All critical information was transferred through a page under HTTPS protocols.

All’s well and good. 

Or you think all is good. Until ‘the’ call comes. Some unknown voice wanting to ‘confirm’ the personal information you sent to the software company. And the caller identifies themselves as a representative of the software company you just did business with.

You refuse to give them the info they request. They get angry and demand that you provide them with your personal information. This, not being you first rodeo, you refuse to provide the caller with the information he wants and, abruptly, he hangs up.

Then, coincidentally, you go to your online banking webpage and try to log in. The password doesn’t worth. It doesn’t even recognize your login name.

By now, you are starting to put two and two together and coming up with five. The call was an attempted ‘social engineering’ call. Or, as many states call it, a felony. It’s when someone contacts another by phone or other telephone device using a false pretense to get information out of them they are not entitled to.

Of course, this happened on a week-end, so I couldn’t call the bank to cancel credit or debit cards. Or find out if they had hit my credit card accounts.

Monday approaches with some degree of anxiety. First thing I did is call the bank to discuss what happened.

I bank with a relatively small, local bank. They farm out the actual server hosting and online banking software management from another firm, that shall remain nameless.  I never thought about how secure the bank’s online security was. Like most people I know, I just took it for granted without really thinking about it.

When this happened, I started to wonder exactly how well their security would protect my money.

Apparently, pretty well. There had been three attempts at getting into my account. After the third incorrect attempt, the bank’s software locked them out and wouldn’t let them back in. 

I am betting that whomever was attempting to get into my account didn’t realize that the only way to unlock the account was to call the bank and go through some pretty thorough authentication before they would even talk about passwords or unlocking my account.

Then we spent about half an hour looking for any unusual transactions. [I seldom write checks for this very reason.] And figuring out what the account balance was, etc.

After going through all this, both the bank and I were satisfied that the people who had called me, hadn’t managed to get past their security. 

I consider myself a pretty savvy computer users. I have run very large computer networks. I made tons of money certifying that the large network installations I was running were “Y2K” compliant. I’ve read a plethora of books about online security. I know about people trying ‘social engineering’ by calling people and asking them to confirm information they had no right to have in the first place. 

So, I didn’t give them any information. My bank had a much more robust security system than I thought it did. Even if had told them what they wanted to know, they still wouldn’t have been able to get into the bank’s system.

Changing everything after this attempt was a complete pain in the butt. But, I guess that is life in the 21st century.

The rules that are out there about computer security tend to be taken pretty lightly – Passwords get written a sticky note and stuck to the bezel of your monitor for everyone to see. You use the same password for multiple accounts. You go years between changing your passwords. You use your birthday, address or telephone numbers for passwords.
And, despite our somewhat lacks attitude about security, most of the time, we get away with it.

I have about a dozen accounts I use on various different systems. All highly secure passwords that get changed often. All written down and stored separately from the computers – then encrypted with PGP.

So, nothing really happened because the bank’s security system kept them out and I wouldn’t answer any questions about my personal data to help them figure out my password at the bank.

But, it was a wake up call. You can’t afford to get complacent with your passwords and/or to give out your personal data to strangers that call you out of the blue, on a weekend and casually ask you to confirm ‘some details”. (They know, if they can get into the account before Monday, the legitimate card holder can’t tell anyone that their identity might have been stolen. And they have the rest of the weekend to drain your account.)

It isn’t that the bank wouldn’t absorb the loss. They would have. But, even without anyone getting into my bank’s computer, it cost me about 8 hours on the phone. Plus cancelling all my plastic money. I cannot image how long it would have taken to deal with this, if they had gotten in and stole everything.

The moral of the story is that you should take everything your IT gal/guy says about security seriously. If s/he says change passwords, every month and don’t use your dog’s name as your password, s/he isn’t just flapping her/his jaws. In a networked system, where it could effect a large number of users, servers, etc any breach of security could cost thousands of dollars in lost time while your IT guy/gal goes through every component of the system to make sure none were penetrated.

I am not going to say what software company let my personal information get out in the wild. I will give them a chance to make it right and tell me how they are going to fix their system so it can’t get hacked, again. Or, I will stop buying stuff from them.

This is the same attitude any customer should take when dealing with a company, retailer, etc. that insists their system is “safe”.

Everybody’s site is safe, until it isn’t. And even though the bank will go after a hacker, if enough money is involved, it is better for you and your bank if you follow the rules your IT manager lays out. And follow them at home, as well as at work.

[1] The company I bought the software from is on the other side  of the world. They would not, casually, call me up and ask these questions. This was my first tip off that something was wrong. Here it was in the middle of the weekend, but there it was probably mid-day on Monday.

I worked with tech support to handle some problems on another brand of laptop. Their tech support was in the Philippines. The person I talked to was, clearly, not an native English speaker. He couldn’t answer my questions and, instead, explained to me how to set up my computer so he could control it from the Philippines.

Now, depending on how you look at it - this is very cool or very, very scary. 

It was clear the customer service rep in the Philippines had no idea what was going on. He just wandered around in the laptop for about a half an hour, seemingly clicking on whatever he encountered. When he did accidentally discover the reason the trackpad wasn’t working, he didn’t know how to fix it.

So, I took the laptop back and got back the money that paid for it.

No comments:

Post a Comment