Your identity up for grabs

Security was a big issue in 2011 with more sophisticated and a wider range of threats than ever before wasting even more of everyone's time at a cost of billions of dollars.

For example, there was March's hacking of RSA and its SecurID token system (sorry to bring this up again RSA, but it really was a big deal). This incursion reputedly wound up costing EMC, RSA's parent company, around $55 million. Even bigger than EMC's financial bath were rumors that the virtual raid was conducted by our friends in China so they could hack the likes of Lockheed Martin, a SecurID customer, to acquire sensitive military intelligence.

MORE: 2011's biggest security snafus

IN PICTURES: From Anonymous to Hackerazzi: The year in security mischief-making

Then in April, Epsilon, the largest permission-based email marketer in the world, was hacked and millions of email addresses belonging to companies such as Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Brookstone, Walgreens, The College Board, Disney Destinations and Best Buy were stolen a huge wave of phishing attempts. The cost to Epsilon is unknown but must have been mind-bogglingly huge.

Also in April ... and then in May and June as well ... Sony's PlayStation, Qriocity and Sony Online networks were hacked and personal data, including some credit card numbers, of some 78 million members were swiped by, among others, the Lulz Security hacking group. Sony had to take down its services at a loss of more than $170 million.

Those are just a few of the ridiculous number of security issues we faced last year (see Network World's "2011's biggest security snafus" for a more comprehensive list of last year's security OMGs).

Here's the thing about security: What happened in 2011 was just more of what happened in 2010, which was just more of what happened in 2009, which was ...

Thus, I was able to prognosticate in my doom-laden Backspin 2012 Outlook column that this coming year we'll see "Botnets, malware, hackers, distributed DoS attacks, spam, phishing ... just more of the same junk we've dealt with for years but an order or two magnitude worse. Several large financial organizations will suffer serious hacker break-ins and the details of millions of consumer accounts will be exposed. Business will simply carry on as usual."

That, in a nutshell, is the problem: Complacency. Many businesses will simply belly up to the bar, pay the piper and carry on.

But this isn't just an issue for the huge enterprise like RSA, Epsilon, and Sony; it's a problem that's endemic in business in general, all the way from the biggest commercial behemoths at the top down to the smallest SME outfits.

I just experienced a small-scale and very personal example of the kind of thinking (or rather lack of thinking) that underpins what's wrong with current business security practices.

I'm in the process of buying a house, and getting a mortgage these days, particularly if you are self-employed, is ridiculously tough. As with every time I've bought and sold houses, the process gets longer and more labyrinthine each year. While realtors, at least in California, generally seem to have got their online act together with digital signing of documents, the lenders ... well, not so much.

At least the lenders are now sending the loan documents as PDFs for you to print out and sign, but what the lenders haven't figured out, at least as far as my experience goes, is what counts as safe data-handling practices.

Today my broker had all the details finalized and she gave the lender my email address to send the documents to, but when I hadn't received the documents several hours later I called my broker. We quickly figured out the problem: My broker had given the lender a Gmail address for me that was wrong.

I was a little annoyed that my details were let loose on the 'Net, and then my broker said, "Oh, well, then they'll just bounce." Er, no ... 'cause the address they used is someone's address; I know because I tried to get it.

"Oh well" she said, "Even so, don't worry, the documents are password protected anyway." Then she added, "The password will have been sent in a separate email." Arghhhh!

The mortgage company eventually resent the messages to my correct email address. And the icing on this particularly crappy cake? The password they used was "1234." Words fail me.

My personal and financial details are laid out in those documents. If you get those, you know way too much about me. Want to impersonate me? You just got a blueprint. The only thing missing is my blood type.

If this is where we're at with consumer privacy in 2012, some 20-odd years after the commercial Internet appeared and with all of the experience that business has had or should have had, we're in bad shape and 2012 will see many of us have our identities stolen, our lives turned upside-down, and our time squandered as we try to fix what should never have been compromised in the first place.

Is anyone talking about legislation to make sure consumers are protected in these kinds of situations? No. Congress and the Senate are far more worried about ludicrous bills such as SOPA and PIPA and protecting the intellectual property of Big Media. When it comes to defending the interests of consumers? They simply don't care.

Am I going to complain? Maybe. Once I've got my mortgage and moved in.

Gibbs is on the move in Ventura, Calif. Relocate your thought to backspin@gibbs.com.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

• Bookmark this page
• Share this article
  •  
  • facebook
  • slashdot
  • digg
  • Reddit
  • stumbleupon
  • linkedin
  • twitter
• Got more on this story? Email CIO
• Follow CIO on twitter

• Share
  Share this article

  •  google+
  • facebookfacebook
  • slashdotslashdot
  • diggdigg
  • RedditReddit
  • stumbleuponstumbleupon
  • linkedinlinkedin
  • twittertwitter
• print
• email
• Bookmark