Preventable Identity Theft
Identity Theft is a very prevalent issue in today’s world. It happens too often to be ignored. I’m sure you know at least one person who has been the victim of Identity Theft. And the sad thing is that in most cases it’s very preventable. Even sadder is that most people don’t realize that they might be the cause. Not as in being the victim’s themselves but as in innocently putting other people in harms way. Well intentioned people are doing things they believe are safe but are instead very dangerous.
Let me give you an example. I founded and run a software company called LandlordMax which sells real estate rental management software to property management companies, individual real estate investors, and so on. As part of this, the software allows you to store information on your tenants so that you can figure out what’s going on with your properties. For example, you can keep track of your tenant’s leases, payments, their address, invoices, receipts, employers, contacts in case they skip out on you, notes, basically a lot of information.
What’s scary is that we continually get requests for the software to store additional pieces of information that shouldn’t be stored on any desktop computer. Even on computers secured by computer security experts. For example did you know that Visa and MasterCard explicitly tell you NOT to store the full credit card numbers in your databases, that you can potentially be held liable for doing so. All you’re allowed to store is at most the last 4 digits. The next time you buy something at your local store with your credit card, look at your receipt. All you’ll see is the last 4 digits of your credit card, nothing more. This is not random, it’s a security measure to prevent credit card theft.
Knowing this, you’d be surprised by what confidential information we’ve been asked to store within the software on our users computers. We’ve been asked to store tenant’s credit card numbers, driver’s licenses, scanned images of driver’s licenses, passports, Social Security Numbers, and so on. Confidential information that should never be stored on any desktop computer.
The scary part is that a desktop computer is not that secure. Not only that, but these are sometimes desktop computers used in homes or businesses of people with little or no security expertise. With no IT (or security) professionals setting up these computers.
But even if only the most advanced computer users stored this type of information, it’s still not enough. These are computers used for everyday usage, not hardened and locked down computers. All it takes is for someone to surf online to one bad website with a browser that has a zero day exploit and it’s game over! In many cases it’s the action of the user that compromise the system, not the system itself. This is also why secured computers are never used for daily activities such as surfing the net. They are locked down so tight that they’re pretty much dedicated to one and only one function (such as a database server).
And even with these systems it’s still a very bad idea. But what’s scarier is that many of the people making these requests are already storing this type of information in plain old Microsoft Word and Excel documents on their laptops. Computer files that are completely unprotected. I also know some people are scanning things confidential documents and saving them as images on their computers, again completely unprotected. These are computers connected to the internet!
This problem isn’t just limited to computers either. How many physical filling cabinets do you think contain all kinds of identity information they shouldn’t? Have you ever rented an apartment or house where the landlord wanted to keep a copy of your drivers license and/or your credit card number?
It’s not that these people want to do harm, it’s that they don’t know any better. Whenever we’re asked about storing these types of information we always tell them we don’t, and then we proceed to very strongly advice against it explaining the issues and how they could potentially be help liable for damages. In most cases that’s the end of it, but unfortunately it’s not always.
What about the poor tenants themselves? How comfortable would you be knowing that your landlord (or the company managing the property you’re renting) has all your information on a desktop computer? Scary isn’t it?
And this is why we will NEVER offer the ability to store this type of information within our software. It’s just bad news on all levels. No good can come of it. This information should never ever be stored on a desktop computer (or in a filling cabinet). Never ever!
And this is why I wrote this post today. From now on we’re going to point people who make such feature requests to this post, and hopefully some of you will too. Let’s try to prevent this from happening. Please do go ahead and comment and share your stories, hopefully we can help people better understand the implications of storing this type of information on their computers. It’s not that they mean any harm, it’s that they don’t really understand the potential dangers. Let’s teach them and hopefully we can reduce identity theft together!
· May 8th, 2009 · 4:17 am · Permalink
What will your customers do instead? Probably storing the data they can’t save in your software in Excel instead. At least it will be their responsability but the problem is still there.
· May 8th, 2009 · 2:20 pm · Permalink
Hi Anthony,
You’re right, some might store it in Excel/Word. But at the very least we won’t be part of the problem. And hopefully with this post we can educate as many as possible!
· May 9th, 2009 · 9:53 am · Permalink
Excellent and timely post, Steph. I don’t blame people for not knowing how dangerous this is – but I do blame them when they know and do it anyway. Hopefully your customers will now not only know that this is bad policy, but also *why*.
Kudos for addressing in such a conscise and reasoned manner.