Walmart got hacked by a security expert at a recent conference. The story was both funny and instructive, but it wasn’t funny for the Walmart employee duped into giving up all sorts of information the security expert could use to gain access to Walmart systems.
(The security expert) found out all about the store’s security, its cafeteria, who cleans it after-hours and who disposes of its garbage. He learned when employees are paid, who provides IT support, what computers, operating systems and anti-virus programs are used.
In short, he got all sorts of information that could be used in a hacker attack. How? A bit of research and an ability to spin a few lies over the phone.
Meanwhile, companies like Yahoo and LinkedIn, to name but two, have recently reported the exposure of sign-in information for their members.
Hackers continue to prove they can acquire confidential information about both businesses and individuals. Given this threat, one security consultant suggests you protect your identity in an unexpected way – lie.
Claudiu Popa suggests that people need not give online services all the information they demand, and that, if need be, they can be dishonest, so that if those services leak their records to hackers, the leaked information proves useless.
In Popa’s words:
YOU are the custodian of your own personal information. For anyone to ask for the privilege of collecting and storing it, the burden of proof is on them to demonstrate:
- authority (who are they to expect the truth? If all they want is the ability to recognize that you’re the same person who set up the account, and that you’re reachable by email, then your identity, quite frankly, doesn’t matter)
- need – absolute need – not just an expression of their fetish for collecting diverse bits of interesting data they could at some point use to impress their advertisers.
- the verifiable ability to protect it (“your data is secure with us” is not a good way to gain my trust, for instance)
- an explicit promise to securely and verifiably dispose of it – all of it – when you no longer wish them to have it
Checking the above criteria for each site you use could take some time, but Popa clearly thinks it’s time well spent.
Check out the rest of his post. What do you think? Would you use his tactics to protect your personal information?