Posts

Identity Theft

I received a very interesting email today:

Richard how can you say this is a fake? I am afraid you know nothing about Eddie Cobiness and this is an original as it was purchased from him personally and can have Ernest Cobiness his son to back it up. I have a vast collection of Aboriginal Art which I have collected for 20 years and have several Morrisseau’s and some I sold several years ago across Canada. I will back up all the art I sell and will not lose any creditability. If you are brave enough to give me your phone number I will call you on my nickel. If not please retract your statement.

----- Original Message -----
From: ( richard.cleaver@gmail.com)
To: xxx
Sent: Thursday, July 16, 2009 5:25 PM
Subject: Reply to your “Rare original Painting by the Late Eddie Cobiness”

You’ve received the following reply to your “Rare original Painting by the Late Eddie Cobiness”

From: richard.cleaver@gmail.com
this is a fake
You can respond to richard.cleaver@gmail.com by replying to this email

I keep a gmail account for casual email. It is the email address listed on this blog. It is there for folks to make contact with me directly as opposed to posting a comment. Many of my friends and colleagues follow the blog and they are not comfortable with posting online comments. I receive hundreds of emails on a monthly basis from people who follow the blog. I have never worried about sharing my email address before today.

I have never heard of Eddie Cobiness and I do not have an interest in Aboriginal Art.

I did not write the comment.

Someone used my email address in a fraudulent fashion. And there is really nothing that I can do about it. But it does scare me. Virtually anywhere a comment is placed, someone can use a fraudulent email address. There is no effective authentication mechanism to validate whether an email address rightly belongs to a specific owner.

I must admit that I am troubled by this email. I have to think about this type of identity theft and its implications.

Safe, Secure and Private

The European Network and Information Security Agency highlighted numerous security issues for social networking sites such as Facebook and MySpace. Although I was aware of most of the issues, some of them are a bit troubling.

I maintain an online presence through a blog, a photoblog, Facebook, flickr, LinkedIn and Twitter. One of the threats is digital dossier aggregation. The profile information that is maintained online can be downloaded and stored by third parties without personal consent. Sadly, secondary data is also often present. For example, there are statistics maintained on the sites that can be readily accessed. Recent visits, lengths of connections, comments. All of this secondary data can also be gathered and associated with a profile.

One that I had not really considered was face recognition. Several of my sites include my digital image. Not only can primary and secondary information be gathered but a dossier could be populated with a recent photo.

Phishing can become more sophisticated as a result. Through the collection of such data, phishing attacks can become far more effective by leveraging names of known contacts through existing social networks. In extreme cases, a phishing attack could become a whaling attack by selecting higher profile targets.

Another threat is profile-squatting and reputation slander through identity theft. I will often visit sites like Fake Steve Jobs or Fake Steve Ballmer. And the content is obviously fabricated. However, the ability to assume a digital identity and slander or profit from identity theft is a real threat. And it is not hard to do.

Governments are attempting to understand the potential issues associated with incidental disclosure of personal information. And put in place a regulatory structure to ensure privacy. A necessary action.

For example, I started receiving much higher than normal unsolicited email content from vendors. In one case, the content originated from a vendor that I work with quite closely. I did not understand why I was receiving the material from someone else in their company. The reason? Identity theft. Some salesperson, desperate to obtain contact information, dumped his business card roster into Jigsaw, a website that offers an exchange of contact information. Once that website had my identity information, they traded it to other sales people looking for an entry point into a corporation.

I went to the website with only one objective: to get my identity information removed. And guess what? I can’t. I do not own the data. Some website has taken data from my business card and they can circulate that data freely without my consent. They have over 8 million individual names in their database.

Although the security issues are more prevalent with social networking sites, it can also happen if you hand out a business card.

Welcome to 1984.