Don’t Automatically Provide Private Data
Data in its various forms has distinct value, and that value differs depending on who holds it. To the owner of the data, the value shows up as liability: if the data leaves the company in an unauthorized manner (through an insider or an external attacker), the exposure can be substantial. To the person whose data is described, the value is personal: if a consumer’s data is stolen, they face years of issues and worry regarding identity theft. Most pertinent, there is a value to the attacker who has successfully breached the system and secured the data. These records have different values based on their composition. For example, a person’s credit card information is worth substantially less than a medical record.
Because this is the case, attackers use various methods to steal data. At one end of the spectrum are complicated, multi-step attacks that require a certain level of expertise and tooling. At the other end are very basic attacks focused on the user, which appeal to the basic human need to help someone else.
One such attack involves the attacker simply asking for a quick favor to help them authenticate the user. In particular, the person receives an email that appears to come from a well-known company asking for additional information, or a scan of a piece of identification, in order to confirm that it was truly that user who placed an order. This request, regardless of whether the order was actually made, seems simple enough. The alleged company is asking for assistance in ensuring the person was actually the one placing the order, and the supposed end result is to reduce the opportunity for identity theft. The attack appeals directly to the person’s desire to reduce any chance of their identity being stolen.
When a user or consumer is asked for private information, it is rarely a good idea to simply provide it. Even if the request appears to be a service to you, or to be protecting you in one form or another, the supposed company is probably attempting the very thing it claims to be protecting against: identity theft.
About the author
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.