As a security pro, I get really ticked off when a supposed security company, in this case Identity Guard, screws the pooch. My wife asks me why I seem to see all of the problems with companies and security… and I have to guess it’s just because I am… ahem… aware. Maybe acutely so… but it’s incidents like this with Identity Guard that must be noticed so we can help protect innocent folks who are not security paranoid.
During my conversation with Identity Guard, manager ‘Phillip’ first said, “we have no security…”, then when I pressed, he said, “we don’t have customer facing security,” which in my opinion is just as bad.
So, here’s why I am bitching.
I had an issue… immaterial here… so I called Identity Guard. Before they would talk to me, though, they needed to ‘validate’ my identity. Sure. No problem.
But herein lies the problem: every single piece of identifying information was essentially public information. Hello? You read that right. In a day when data breaches and identity theft are ‘de rigueur’ for all manner of bad guys, Social Security numbers, addresses, email and even credit card numbers are fair game as public information. One mislaid statement. One dumpster dive. One… as happened to me recently… data breach by a major bank, and it’s no better than writing down your passwords.
Where is the security, Identity Guard? I would have to think that part of your services would be providing excellent security and privacy controls. I stand corrected. I would have thought that adding a layer or two of your own security controls in addition to verification of public information would be a no-brainer. Again, I stand corrected. I also would have thought your customer-facing representatives would not attempt to defend a flawed identification and authentication mechanism.
Here’s what you need to do, in my opinion, of course.
- As banks and other security-conscious companies do, add non-public security questions that must be answered from a slate of possibilities.
- I just had to verify myself to a French server and it actually knew what kind of license plate I had in 1993. I failed the first time I tried to answer that one.
- Stop using Social Security Numbers for any form of verification. You are perpetuating a false sense of security in your more naïve customers.
- Allow your customers to enter specific data into a “text field” on their profile, so additional verification can be made with your internal authorized agents.
Any of these are far better than what you are doing now. When I spoke with Natalie at Identity Guard, she was unaware of how much data is really public, and that it should not be used for any form of user identification.
I had really hoped we were past this point of amateurish security by now. Again, Identity Guard has corrected my misperception.
When you or any of your associates are considering such services, perform a closer examination of their security, in this case user authentication. I am sure, with a little more awareness, we can get the security-slacking companies to notch up their game – or lose reputation and business quickly.