Demoxi Blog

I’ll be moderating a panel tonight entitled Profits & Privacy: At What Cost? for the Washington Technology Industry Association (WTIA) . We’ll be discussing the ill-defined business and regulatory trade-offs that companies face every day as they deliver services to an online audience. We have some great speakers:

• Charlene Brownlee, Davis Wright Tremaine
• Chris Hoofnagle, Associate Director, Samuelson Law, Technology & Public Policy Clinic and Senior Fellow, University of California-Berkeley Center for Law & Technology
• Ken McGraw, Chief Compliance Officer, Zango
• Basem Nayfeh, Chief Technology Officer, Revenue Science
• Stephen Toulouse, Lead Program Manager for Policy and Enforcement with Xbox LIVE

Should be a fun event!

This has been verified on Snopes.com and by the FBI.
http://www.snopes.com/crime/fraud/juryduty.asp

It is spreading fast so be prepared should you get this call. Most of us take those summons for jury duty seriously, but enough people skip out on their civic duty, that a new and ominous kind of scam has surfaced.

Fall for it and your identity could be stolen, reports CBS. In this con, someone calls pretending to be a court official who threateningly says a warrant has been issued for your arrest because you didn’t show up for jury duty. The caller claims to be a jury coordinator. If you protest that you never received a summons for jury duty, the scammer asks you for your Social Security number and date of birth so he or she can verify the information and cancel the arrest warrant. Give out any of this information and bingo! Your identity just got stolen.

The scam has been reported so far in 11 states, including Oklahoma, Illinois, and Colorado. This scam is particularly insidious because they use intimidation over the phone to try to bully people into giving information by pretending they’re with the court system. The FBI and the federal court system have issued nationwide alerts on their web sites, warning consumers about the fraud.

freeIDENTITYprotect.com launches!

A 6 year old vision has finally come to fruition today with the launch of freeIDENTITYprotect.com. You no longer need to search the internet for hard to find means of protecting your identity, nor do you have to pay for identity theft protection services that are and always should be free.

Identity theft is on the rise as it is very hard to catch those that perpetrate the crime. I believe the launch of freeIDENTITYprotect.com could not come at a better time, with consumer awareness of identity theft at an all-time high primarily due to the myriad paid services and the media.

freeIDENTITYprotect consolidates the best-of-breed free services available today in one location. The free services include access to credit reports, credit bureau fraud alerts, credit card offer reduction, National Do-Not-Call List access and a junk email reduction service. Even if you are already a user of these services on the internet, freeIDENTITYprotect could not make enrolling any easier. My favorite component is the visual dashboard providing access to all available services complete with step-by-step and video instruction. You also receive alerts notifying you when the services expire and it’s time to renew or order new credit reports.

Ok, so what’s the catch you may be asking. What do I have to buy? Other than buying me lunch if you are ever in town, the answer is zero, zilch, zippo! You don’t have to buy a thing unless you want to upgrade to the paid version of the service offering additional levels of protection (coming in March 2008).

Fraudsters are using more sophisticated techniques to steal identities and make money. A large underground black market for stolen personal credentials exists on the internet. These credentials include credit card and social security numbers and are just a few clicks away from fraud or identity theft. That’s why freeIDENTITYprotect has partnered with Cyveillance, also known as the “World Leader in Cyber Intelligence”, to deliver the latest internet monitoring technology to alert you if your credit cards or social security number have been compromised.

The paid version of the service, also known as premiumIDENTITYprotect, combines credit card and social security number monitoring with $25,000 AIG identity theft insurance with no deductible, professional restoration services in the event of identity fraud and a $1 million service Guarantee.

I personally know people who have had their identities stolen and it took them months to restore their good credit. I am sure they would have preferred to have a trained agent guiding them through the restoration process.

Just because you have identity theft protection, doesn’t mean you should let your guard down. Be vigilant and don’t ever put your social security number on the side of a bus. Be aware of your surroundings as I discuss in my recent blog Pump Up Your Protection. You will find additional resources on the FTC website www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html. Be aware, as it is an effective weapon against many forms of identity theft.

We hope you enjoy freeIDENTITYprotect.com as much as we are enjoying bringing the service to you. We look forward to your feedback.

Click. Protect. Be Free.

One of the most common ways to “hack” into somebody’s account actually doesn’t involve hacking at all. The easiest method is simply to learn some information about them and then use the “forgot username” and “forgot password” features that many sites now offer.

Implemented wrongly, these features can actually be a very big security liability. The right way to do it is to ask the question, then send an email with password reset instructions (but not the actual password). The wrong way is to validate the user and then simply tell them their password.

Why? Because most security questions are very common and easy to figure out - so if I know a little bit about you, I can easily answer them.

What makes a good security question? It’s not just about scarce information, it’s about non-public information.

Some of the most common questions are “What is your high school mascot?” “What city were you born in?” “What’s your favorite pet’s name?” “What was your first street name?” “What was your first phone number?” and “What is your company’s street name?”

The problem with these questions is that they’re all easily answered on my MySpace page. Birth information is public record - it can easily be looked up. So can my previous addresses, phone number, and where I work. It’s all out there somewhere on the internet.

Better questions are things like “What is your frequent flyer number?” or “what are the last 4 digits of your credit card number?” But even these fail. Many people other than me know my FF number, including my secretary, airline attendants, and TSA employees. The last 4 of your credit card won’t work either since many sites list it as a way to identify transactions.

So what do you do? Simple: Let the user choose their own question.

A good questions should be something that can’t be guessed or looked up, doesn’t change over time, and is easily memorable.

As a user, you should choose something that nobody can easily figure out. My favorite question is “What is your favorite Prime Number?” Another great one I use is something like “Last 3 words on page 15.” It’s useless to you unless you know what book I’m talking about. You could even use a bible here, since there are so many versions in print that it’s almost impossible somebody else will have the same one as you. Another one I once used was “What’s my cell phone serial number?” It’s clearly printed on the back of my phone, and always in my pocket if I should need it. (Just remember to update your question if you get a new cell phone!)

Whether you’re implementing this feature on a website, or simply choosing your own security question - don’t pick something that others can easily guess or look up about you.

Ryan Jones
Sr. Mgr, Product Marketing

What’s your password? Shh! Don’t tell me, just think about it for a second. Do you recognize it in this list:

• password
• 123456
• qwerty
• abc123
• letmein
• monkey
• myspace1
• password1
• blink182
• (your username)

If so, please stop reading and go change it (but don’t forget to come back here!)

The list above is the top 10 MySpace passwords according to PC magazine, but if we add in the “Hackers” popular passwords of god, sex, love, and money, there’s a good chance we’ve guessed one of yours.

So why am I talking about passwords? It’s because I just had one of my email accounts cracked. The cracker then used my email account to gain access to other accounts of mine on different websites. All in all, it took a long time to repair what little damage they did; and it would have been a lot harder if I hadn’t caught it before they locked me out of my email account.

Don’t let somebody steal your online accounts. Here’s some tips you can follow to make sure your accounts are secure:

1. Don’t use the same login on multiple sites
2. Don’t use the same email for all your accounts
3. Use different passwords on every site
4. Make your passwords secure. If you need help generating one, try this tool (you don’t have to use all 63 characters.) Another great technique is to think of a mnemonic like “four score and seven years ago” and turn in into a password like “4Sa7Ya” (just don’t use that one!)
5. Change your passwords at least once a month.
6. Don’t give out your passwords to anybody, or any untrusted websites.

I know that secure passwords can be hard to remember, but that’s where Demoxi can help. Passwords stored in Demoxi are stored on your own computer - so there’s less risk of somebody hacking in. They’re also encrypted, so nobody will be able to read them without logging in to your Demoxi account on your computer.

Good luck,

Ryan Jones
Sr. Manager, Product Marketing

Identity Theft is a crime that affects 9 million people each year in the US.  The average victim spends over 175 hours trying to remedy the effects of this crime.  When it comes to Identity Theft, being prepared can save you time repairing the problem if you are an unfortunate victim. 

First, if you don’t check your credit report at least every four months, I advise you to do so.  You can obtain a free credit report once per year from each of the three major credit bureaus at www.annualcreditreport.com.  If you space out the reports, every 4 months you should be looking at a free credit report from one of the three credit bureaus. 

After reviewing the credit report, save a copy in a safety deposit box or fire proof safe.  This preserves a record of what your credit looks like today.  In the event of identity theft, the problem will be easier to repair if this record is available.  Every four months when a new credit report is obtained, it is added to the safety deposit box.  After one year, three credit reports will be stored.  When the fourth report is obtained, replace the last report from that bureau with the new report.  This way, you always have the most current three credit reports available.  Make sure to shred discarded reports. 

Additionally, copy everything in your wallet (front and back) and any credit cards, social security cards, medical cards etc that may not be in your wallet and keep that information in the safety deposit box with your credit report.   Make sure you label the copies from your wallet “WALLET”.  In the event your wallet or purse is stolen, you have an immediate source of valuable information about what exactly is in the hands of a thief.  You also have the 800 numbers of all the credit card companies.  You can immediately call them and let them know of the theft.  Update this photocopy at a minimum once a year.

In future blogs, I will discuss additional preventative measures to protect against Identity Theft.  However sometimes it is out of your control, such as a database breach of a company you do business with.  It’s best to be prepared in the event it happens to you. 

California is a self pumping state, meaning you have to pump gas yourself. There is no attendant. Considering the weather is nearly always perfect in CA, it’s not a big deal. Since I am always questioning, have you ever tried to pump $.01 or $.02 of gas? I don’t think it’s possible to do. The pumps always start at $.03! Try it next time you fill up your tank. Where is the extra $.03 going? If a busy gas station fills 500 cars per day, that’s an extra $15/day or almost $5,500/year to the station owner.

Gas expands when it is warmer. Filling your tank first thing in the morning when the gas and your tank is cool will save you about $.15-$.20 per tank. This more than makes up for the $.03 extra the station makes.

I know many people will take advantage of others when given the opportunity. Staying on the gas station theme, identity thieves are becoming bolder and taking advantage of trusting gas station patrons. Here are a few well known scams that are easily avoided:

• Take your keys with you when you fill up your tank especially when you have family waiting in the car while you pump. I hear many stories of cars stolen with the kids still strapped in the back seat while the owner is watching the pump.
• While some trusting gas station patrons are sliding their credit card in the card reader, an identity thief pulls up next to the passenger door, or walks up to the door, opens it and takes the purse or wallet on the passenger seat. The driver doesn’t know it happened until they get home and look for their wallet. Within hours, those stolen credit cards are added to an organized crime internet site used solely to buy and sell credit card numbers. It could show up in an IRC chat room, a web site designed to buy and sell cards or an FTP site. This is a growing multimillion dollar market and is run primarily by organized crime units. Keep your passenger doors locked when pumping gas.
• Credit cards are not just stolen from gas stations. They are also stolen from gym lockers, restaurant card readers and retail stores and any other place they are used. Keep an eye on your credit cards at all times when they are being swiped, so you know they were not swiped through a second card skimmer used to record the card number.

It’s time to pump up your awareness of identity theft. In this arena, knowledge is power. Check back often for additional insight and tips on protecting your identity.

Be safe.

This week, we launched Demoxi Labs with the availability of our Service and OpenID APIs. The client-side API and companion SDK is for developers targeting the Demoxi platform. The server-side OpenID API is for publishers to allow Demoxi members to automatically login to their websites.

So why does the world need yet another widget API (or YAWAPI as we considered calling it)? Well there is really no identity-centric widget platform that

• supports a simple and familiar web programming paradigm;
• has access to deep public-key cryptography;
• is portable across major operating systems and browsers; and
• runs where you take identity — on the web, your desktop, and on your phone.

Now that’s a tall order, and of course we’re not completely there yet, but you get the idea.

The advantages of such a platform is to clear the way for a rich experience that gives users real reasons, beyond single sign-on, to control their online identity. I mean single sign-on is cool and necessary but not sufficient to get users excited. Hey, my online, but oft technically-challenged, Dad already has a single sign-on solution. He uses the same password for just about everything.

So far, there has been great technology developed for identity (OpenID, oAuth, SAML, XDI, etc.) but little reason for regular folks to use it. It’s like we’re asking users to buy-off on a super secure set of car keys without offering them the car too.

So the idea is to give you, the consumer, a secure, trustworthy place for your identity and create an open environment where developers can give you cool stuff to do with it — a platform where the applications go with you, instead of trying to make it work the other way around.

On November 1-2, the FTC held their Ehavioral Advertising: Tracking, Targeting, and Technology conference on behavioral targeting. Public comments are now available and Demoxi’s can be found here.

The main point is that consumers must have control of their online information so that they can better protected themselves. In October, we commissioned a survey to find out how consumers managed their own information. We found they didn’t know how. The majority of people believe controlling their identity online is important, but they do not have the tools to do so. So it’s not surprising that 50% of those polled stated they would not visit a site if there was a risk it would link to their personal information.

To that end, we support the “Do Not Track” list called for by the privacy community for the simple reason that consumers need increasing ways to take back control of their online experience. In many situations, tracking is perfectly fine. If I have a deep relationship with an online vendor, I expect good service which comes from tracking my purchase history. However, that deep relationship is at my choosing. If I don’t want that deep relationship, I should have an easy and transparent way to get out.

According to a recent study I read, 40% of consumers read privacy statements online before sharing their information. That’s a shockingly high number, but it’s not quite as high as it should be.

Even more shocking (according to a recent PC World article) is that despite reading privacy policies, most users completely fail to understand them.

Part of the problem arises from the hidden privacy policies that even some lawyers can’t understand, but a much bigger problem lies in the inability of many Americans to understand the difference between privacy and security.

Often used interchangeably, privacy and security are two very different ideas.

Information is Private if the subject of the information has control over it.

Information is Secure if the owner of the information can control it.

It’s also important not to confuse privacy and security with anonyminity. Often confused with privacy and security, anonymous data is actually neither. Anonymous data is simply data that has no subject.

These definitions may all sound similar but there is a vast difference between subject and owner - especially on the web where the subject and owner are rarely the same.

Everything you do online can be tracked. What sites you visit, what you searched for, what ads you clicked, how long you spent on pages, etc. Contrary to what some may believe, none of this information is in itself private. All of this information is legally owned by the collecting agency - in this case the website (whether through cookies, logs, analytics programs, etc.)

The responsibility of keeping this data secure (including who has access to it) is then entirely up to the gathering website, and is hopefully detailed in their (perhaps improperly named) “privacy policy.”

This is where problems arise. In America, we tend to focus on the need for security instead of the right to privacy.

As companies continue to gather information about their visitors, greater emphasis is needed on privacy. It’s time to let users control what information these sites can gather.

This is where Demoxi can help – by giving users more control over what data they share on the web. Our goal is to help users determine when they’re the “subject” and allow them to control exactly what it is they’re sharing.

The simple lesson here is that the mere presence of a privacy policy on a website doesn’t in itself ensure privacy. Only you, the user, can actually control your privacy on the internet. More security will likely help, but it’s not the answer.

Ryan Jones
Senior Manager, Product Marketing