Tuesday, January 22, 2008

Credit Monitoring - A Vector for Hackers?

It's happened. Driving home tonight, listening to FOX WJNO, I heard a country music-based jingle for a credit monitoring service.

"They say a man should always dress for the job he wants
So why am I dressed up like a pirate in this restaurant?
It's all because some hacker stole my identity
Now I'm in here every evening serving chowder and iced tea

Should have gone to Free Credit Report dot com
Could've seen this coming at me like an atom bomb
They monitor your credit and send you e-mail alerts
So that you don't end up selling fish to tourists in t-shirts"

Catchy - and certainly an indication that identity theft protection is headed for the mainstream. But WJNO listeners should beware - you could end up selling fish to tourists anyway.

The problem with consumer credit monitoring services like FreeCreditReport and other online identity protection services is this: the sign-up processes of these services are so easily spied upon that they expose consumers to the very problem they claim to solve - identity theft.

Yes, you read that right - while there is growing awareness of identity theft as a problem, consumers are not yet broadly aware that critical vulnerabilities exist in the account creation process, and that none of the major credit monitoring companies - or, for that matter, any of the online banks - has yet addressed them.

Think about it. During the service application or credit card application process, the maximum possible amount of personal data is exposed to hackers running key-loggers or screen-capture software on your system. Yet at this point, no meaningful legal relationship exists between you and the company requesting the data.

Not following my argument? Think about the amount of data you shared the last time you applied for a financial service, such as a credit card or loan, online. Think about the data you shared last year, while submitting your taxes. Did someone tell you up front that they would take responsibility for any data lost by you during the sign-up process?

I didn't think so.

And, chances are, you shared a lot of data during that session - your social security number, your spouse's social security number, your employer, your bank account details, your address - everything on the identity thief's checklist.

There's no doubt that the Citibank ads of last year and the new FreeCreditReport.com radio commercials are good for consumer awareness. However, these companies need to do more to protect data during the sign-up process - and during the browsing session as well.

Consumers need to speak out as well. Consumers should insist on using services and technologies like the one that we've developed - Authentium SafeCentral, which uses our patent-pending VERO secure session technology.

This kind of technology enables true end-to-end protection for data against key-loggers and screen-capture-based spyware, even if you're just starting out your relationship with a financial service provider.

There is no reason why your provider shouldn't enable this service - we give it to them for free. Alternatively, starting Feb 26th, you can go over to www.authentium.com and sign up for the service yourself.

All of us at Authentium use SafeCentral every day. We wouldn't dream of signing up for a new personal financial management service, credit monitoring service, or bank account, without firing up SafeCentral first.

You should think about making this a habit too.
