Opening disclaimer – this post has zero relevance to offshore outsourcing, so proceed at your own risk ;) I put it here because this site gives me a chance to reach out to an audience I respect and hopefully stop some of the people you know from hurting themselves…
A couple of days ago a friend of mine tagged me with Facebook’s “25 Random Things About Me” chain letter; a day or so later another one of those tags hit my email. Naturally the topic came up in one of our random office conversations; as it turned out, I was far from the only one asked to write a few things just because our friends want to learn about us… The idea to write this post came up after David, one of my engineering directors, mentioned that responding to the tag can really hurt you.
“Just 25 random things!?” you might ask. Yes, very much so, and let me point out just a couple of the most obvious ways it could happen:
* Identity theft or identity fraud. That is a common crime that can have substantial financial and emotional consequences. Having been the victim of one, I can point out a few immediate consequences – a ruined credit score, calls from collection agencies asking me for money I never owed, police reports, back and forth with credit agencies…
* On-line fraud and direct theft, with money disappearing from your bank, investment account, IRA or 401k fund… Chances are that if you are reading this post you are using on-line banking and can imagine what could happen if someone got hold of your ID and password.
* Well, if someone with bad intentions gets hold of your ID and password they can raise all kinds of havoc in your life even if stealing money is not their cup of tea – think about being locked out of your email or Facebook profile, strange posts showing up in your blogs…
What is the connection between 25 random things and identity theft or loss of your password? It is much more straightforward than you might think.
Not too many people put their SSN or mother’s maiden name in the Facebook essays, yet here are examples of random things I found in my friends’ notes and in public blogs:
* I was born in a town called Mars but that doesn’t make me a Martian
* I have no creativity – I called my first dog Spot
* If I could I would move to Barcelona for the rest of my life
Don’t those remind you of password retrieval questions? “What city were you born in?”, “What was your first pet’s name?”, “What is your favorite city?”
Thank you for sharing that you snort when you laugh and even more so for giving me enough information to get into your bank account!
Another door that publishing private information opens to malicious intent is related to the current methods of authentication. Before you establish your account with some secure systems they must authenticate you, or identify that “you are who you say you are”. There is a method of doing that which is considered an acceptable standard in the healthcare and financial industries. It is based on asking you a number of random questions that apparently only you would know the answers to – “What color was your 1993 Chevrolet Lumina?”, “What year did you graduate from medical school?”, and so on. If you answer, say, 5 out of 7 questions correctly, the system deems you a match and grants you access.
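As an added example (not part of the original post), here is a small risk model for the 5-of-7 scheme described above: it estimates how likely an impostor is to pass a knowledge-based authentication check as more of the answers become public, and how many public answers a given risk tolerance allows. The question count, threshold and per-question guess rate are assumed inputs, not figures from the post.

```python
from math import comb


def kba_pass_probability(questions, threshold, leaked, guess_prob):
    """Probability that an impostor clears a knowledge-based authentication
    (KBA) check that asks `questions` questions and requires `threshold`
    correct answers, when `leaked` answers are already public (birthplace,
    first pet, favourite city...) and each remaining answer can be guessed
    with probability `guess_prob` (guesses assumed independent)."""
    leaked = min(leaked, questions)
    remaining = questions - leaked
    need = max(0, threshold - leaked)
    # Binomial tail: at least `need` correct guesses out of `remaining`.
    return sum(
        comb(remaining, j) * guess_prob ** j * (1 - guess_prob) ** (remaining - j)
        for j in range(need, remaining + 1)
    )


def leaks_tolerated(questions, threshold, guess_prob, max_risk):
    """Largest number of publicly known answers for which the impostor's
    pass probability stays at or below `max_risk` (-1 if even zero leaks
    exceed it). Tells you how many questions must stay private before the
    check becomes effectively worthless."""
    tolerated = -1
    for leaked in range(questions + 1):
        if kba_pass_probability(questions, threshold, leaked, guess_prob) > max_risk:
            break
        tolerated = leaked
    return tolerated


if __name__ == "__main__":
    # Constructed scenario: the 5-of-7 scheme from the post, with an assumed
    # 1-in-50 chance of guessing any answer that is not already public.
    Q, T, P = 7, 5, 0.02
    for leaked in range(Q + 1):
        risk = kba_pass_probability(Q, T, leaked, P)
        print(f"{leaked} answer(s) public -> impostor passes with p={risk:.4f}")
    print("leaks tolerated at 1% risk:", leaks_tolerated(Q, T, P, 0.01))
```

With these assumptions the check holds up well while at most three answers are public, but the pass rate jumps to roughly 6% at four and to certainty at five, which is exactly the failure mode the post is warning about.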
Thank you, Dr. B. Raggar, for giving me enough information to spoof you (pretend to be you) and sign up for the electronic prescription system! Now I can finally get myself enough of a painkiller without begging for it.
Thank you, my dear friend Liz Wiener! Of course I would never hurt you! We had such a great time when we met once in Sugar Bawl… Plus, knowing a few private things about you helped only slightly. Yet now VPN access into the brokerage you work at should give me a few insights for my trading activities.
Please keep in mind: identity theft is usually a crime of opportunity, so you may be victimized simply because your information is available. And even if you are paranoid it doesn’t mean nobody is following you… especially if you are on Twitter.
Closing disclaimer – my company specializes in software and services for the HealthCare industry, so most of us deal with issues of privacy and security on an ongoing basis, most of us much more than we care to. I have authored over 50 security policies and gone through a number of audits and scans. I am very sensitive to this topic and I might sound boring. Yet, this is serious. Please be careful with what you put out there. Avoid posting personal data in any public forums; attackers may be able to piece together information from a variety of sources over time. If you are still in doubt, please take a look at the Guidelines for Publishing Information Online for an authoritative opinion…
And please spread the word!
February 6, 2009 Posted by Nick Krym