Infosecurity Europe did a little research on the streets of London, showing that most people will trade away sensitive personal information for a chance to win something. I'd like to see some followup research to find out how people actually felt about giving up that information. I bet more than a few felt a little squeamish, but gave it up anyway:
HNS - Survey Reveals That People Will Give Away Their Identity For A Chance To Win Theatre Tickets:"... The first question researchers asked was, "What is your name?", which seems reasonable enough if someone is potentially going to send you some vouchers, 100% of those surveyed gave their names. They were then asked a series of questions about their views on the theatre in London. People were then asked if they knew how actors came up with their stage name. They were then told it was a combination of their pets name and mothers maiden name and were asked what they thought their stage name would be. Ninety four percent (94%) of respondees then went on to give their mothers maiden name and pet's name. To obtain the address and post code, researchers asked for their address details in order to post them the vouchers if they won, 98% gave their address and post code. To find out the name of their first school the question was asked, "Did you get involved in acting in plays at school?" and then "What was the name of your first school?". Ninety six percent (96%) gave the name of their first school, this answer along with mother's maiden name are key pieces of identity information used by banks.
In order to find out date of birth researchers said that in order to prove they had carried out the survey they needed their date of birth, 92% gave their date of birth and 92% also gave their home phone number in case there was a problem delivering the vouchers. At the end of a 3 minute survey, the researchers were armed with sufficient information to open bank accounts, credit cards, or even to start stealing their victim's identity. The researchers did not give any verification of their identity, their only tool was a clipboard and the offer of the chance to win a voucher for theatre tickets...."
Their techniques were sneaky and misleading, but someone trying to steal identities will be sneaky and misleading.
There was a great discussion of this at Bruce Schneier's blog in the comments section. Among other things, it was pointed out that just because people answered the questions about mother's maiden name etc. doesn't mean they answered truthfully.
ReplyDeleteThe real question is, how should financial institutions authenticate your identity?