Posts Tagged ‘identity theft’

Lazy identity thieves have just got an early Christmas present – Google Dashboard

November 6, 2009

Google have launched ‘Dashboard’ to address privacy concerns.  It lets you see the data Google holds on you. The idea is you can then manage your data and more importantly that which Google holds.

I’m not a huge user of Google services other than the web search, and I try not to be logged in when using that.  But I do use Gmail for one off registrations and so on, and I have tried out a number of their services out of curiosity.

So it was interesting to log in and visit my dashboard.  I saw:

  • long forgotten docs,
  • emails (including spam),
  • a couple of calendar appointments from three years ago,
  • old web searches (I used to work for an agency that dealt with people worried about kids viewing porn so there are some interesting ‘research’ searches there)
  • chat histories
  • tasks
  • gadgets I created
  • contacts and more

It was quite an education but, once the dust settled, not particularly surprising and probably not that useful to a malicious user.

But it did strike me that if I were a more dedicated member of the Google fan club then Dashboard would hold a hell of a lot of quite sensitive information, made more so by the fact that it is displayed on a single web page.

Building a full identity on someone might be quite a laborious task, but it’s just been made a damn sight easier, so long as you have a person’s Google account credentials.  And as we know these are two-a-penny if you know where to look.

Lazy identity thieves have just got an early Christmas present.

Overall I think it’s a good move by Google and a great way to educate users on just how much of their information is out there.  But if there has ever been a good reason to immediately change your Google password to a really strong one, often, then this is it.

Google Dashboard - you is here

ASB Online Vault – not a great idea

May 21, 2009

The ASB Bank is offering a new service to its online banking customers.  Using Online Vault they can make the website the place where they store their personal information – all of it.  This includes passport numbers, medical and insurance details, Inland Revenue details, contact and next of kin details, drivers license details and more.

Does anyone else think this is a bad idea?

OK, so of course all your banking details are there already. Unless you have accounts with other banks, of course, which is actually a good way of protecting yourself in these uncertain times. But apart from having all that info in one place so you can locate it quickly (provided you can get to a computer), why would you centralise all that info somewhere which is out of your control?

In fact, if you do need to get to the information and can only do so using the Online Vault, you’re probably somewhere where you can’t trust the computer you’re using to be secure anyway.

We all know how easy it is to obtain passwords, which is why we have different passwords for different online accounts.  What seems at first like a great idea probably seems like a great idea to cybercriminals too.

ASB really is making itself a target here.  It’s promoting bad practice (all your details stored online under one password), and it’s asking customers to supply information it really has no place having.  I just hope they have a really good insurance policy for when someone has their entire identity stolen from the site.

How to be worth more than 89p on Facebook

December 18, 2008

According to Trend Micro, an email address along with a date of birth and full name from a Facebook account is worth 89p (NZ$2.33) to a cybercrook.

To avoid having your identity stolen, Trend say you should look for the padlock, use social networking privacy settings, protection software and vary your passwords.  The advice is good and just what you would expect from a commercial operation that makes its money by convincing people that they will be secure if they just rely on the right technology (theirs of course) and set it up properly. Even the password comment suggests the technology will save you here.  There’s no suggestion that your new password need be a good one and hard to guess, just different from last week, month, year or other website.

Perhaps what they’re suggesting is that if it’s going to cost more than $2.33 worth of time and effort for a cybercriminal to get your details, then maybe they will move on.  This tactic resembles one I used when, as a student, I used to go door to door selling invisible markers that came with bright stickers. The line went something like this: “If you’ve got a sticker and the neighbour hasn’t, guess where the burglar is going to go?”

Of course there were multiple reasons why this might not be the case, but it made me a lot of commission. For example, if you have a sticker but leave your front door open and your stickerless neighbour keeps theirs closed, who’s going to get home and find their brand new double cassette ghetto blaster missing (yes it’s a while since I was a student).  Likewise, even if you both lock your doors and windows, but your ghetto blaster is proudly displayed in the front window, you’ll probably have to go next door to listen to your Def Leppard tracks for a while.

So where does the analogy fit in, or is this just pointless reminiscing about the 80’s?

Well think of the open window.  Even with a password, good privacy settings and anti-malware on your machine, if you join networks or groups on social sites anyone else in those groups can usually see your pages. And usually anyone can join those groups.  For example if you join the New Zealand network on Facebook, then potentially anyone in the New Zealand network can see everything you post. This includes your date of birth, full name and email address if you were foolish enough to post these.

So Trend should also say ‘Don’t join any networks’ (which kind of makes social networking a whole lot less fun).

They should also warn you to restrict the amount of personal identification you post (don’t display your wares in the front window) and think very carefully before responding to messages or opening unexpected attachments lest you fall victim to social engineering or malware such as Koobface.

Just because you have a sticker on your letter box doesn’t mean you shouldn’t lock your door.
