Security Renaissance

Promoting the art and mindset of information security

A couple of days ago I wrote about StolenID Search in my Computerworld blog.  Since then I’ve noticed that I was a bit late to the game in analyzing this.  Folks like Martin Mckeay, AndyITGuy, Dana Epp, and others heard about the service and have similar postings.

I even see that Scott Mitic, CEO of TrustedID, tried to address our concerns at the TrustedID blog.  I’m still not on board, and I believe that many of the objections raised by myself and others are valid.

Here are a few of my still-lingering concerns:

First, the TrustedID blog posting seems to focus primarily on the initial search offering located at their homepage (http://stolenidsearch.com/).  For instance, the post states that no data is retained from searches conducted at that page.  But if a user signs up for their monitoring service, the data *must* be kept; therefore, I see this as a red herring.

Secondly, Mr. Mitic states that entering your SSN or CC # in their search tool is safe because it is not accompanied by other identifiable information.  To a certain extent, I can see his point on this—and this view is codified by many of the state breach notification laws, which state that notification of a breach must occur only if you lose an identifying number along with the information needed to tie that number to a specific individual (i.e. CA SB 1386; AR SB 1167).  However, Mr. Mitic doesn’t address the fact that, after the initial search, users are encouraged to sign up for their service (which asks for an email address).  As I stated in my Computerworld post, there are many ways to use an email address to find out the name (or other information) of its owner.

Thirdly, the TrustedID blog posting also mentions that their site is “built using the highest levels of security available on the Internet.”  But it then goes on to say that it is “not appropriate to explain details.”  Again, I understand where he is coming from here, but this does not address the concern.  Some high-level details are most certainly appropriate.  I wouldn’t care about vendor products being used, patch levels, etc., but it’s difficult to just accept that they use the “highest levels of security” without knowing what they consider as such.

Lastly, the blog posting addresses some concerns related to their site promoting a new style of phishing attack.  I agree with Mr. Mitic’s statement that almost any successful site will generate copycats, but I don’t think that this is the primary concern.  As stated by myself and others, security professionals have been training users for years not to blindly enter this information.  By putting out a “legitimate” site that flies in the face of this advice, StolenID Search may be taking the industry a step back by desensitizing users and making them more susceptible to phishing ploys.

I believe that there are alternative ways for consumers to determine if their information has been compromised.  Here is a short list taken from my initial Computerworld post.

  • Sign up for a credit monitoring service (or just pull your credit report quarterly)
  • Google it yourself.  Don’t just rely on the standard Google query – use the deeper search methods typically referred to as Google hacking (for more info, check here, here, and here)
  • If you bank online, check your account daily

Let me know if you have additional suggestions, comments, or criticisms.

PS — while writing this, I also noticed that both Martin and Andy have updates (here and here, respectively).

4 Responses to “StolenID Search follow-up”

  1. We get plenty of ads saying to purchase someone’s spyware detection software…which in turn is spyware and bad.

    All it will take is one phisher to giggle to himself and spam out an email to a nice looking site that offers this exact same service that StolenID Search provides, only they steal the information.

    Besides, when you really get down to it, the lines are very vague and grey between someone harvesting information for some nefarious (or grey-nefarious) use and someone being less evil. “Mail Marketers” have long toed this line on whether they’re really spammers or not, and information houses do the same thing, hoarding information and selling it in bulk to other “companies” for marketing/sales leads.

    LonerVamp

  2. Thanks for the comment, LV.

    You make a good point — especially about the “Mail Marketers.”

    Having a security background, I decided to go work for a company focused on email marketing and analytics for a year. It was very eye opening. The amount of data available on the American public is truly staggering — and the use of that data for marketing has been boiled down to a science.

    I have to admit that I found it all very interesting. After a year, I just couldn’t take it anymore and moved back into a security role. But I do believe that the experience and insight gained through working in that environment first-hand was invaluable.

    Perry Carpenter

  3. In as much as it may be tempting to find out if your “numbers” are out there, the prudent thing is to never enter such information into a website that is not completely trusted!

    Gene Naftulyev, CISSP

  4. Amen

    Perry Carpenter
