On the way home last night, our family stopped at a local ice cream parlor for dessert. While paying for our order, I noticed a clipboard and pen next to the cash register. On the clipboard was a form that invited customers to join the parlor’s Birthday Club to get a free dessert each year on their birthday. In order to join, all you had to do was fill-in a line on the form with your first and last name, mailing address, email address, and date of birth.
Almost two dozen people had already completed one of the lines on the form, and all of their information was plainly visible to anyone near the cash register.
The owner was the person who served us, so I figured I would give him an impromptu test. I took out my mobile phone, held it out in front of me, and pointed its lens at the clipboard as if I were taking a photo. The owner completely ignored what I was doing as he proceeded to enter our order on the cash register. I didn’t actually take a photo, but the owner had no way of knowing whether I did, or didn’t, capture an image of the form.
I loitered near the cash register for a few moments after the owner gave me my change. I casually chatted with him and made it obvious that I was studying the Birthday Club form while I took a few napkins and spoons.
The owner still said nothing about my interest in the form.
The woman who was in line behind us gave the owner her credit card and began to fill-out the Birthday Club form (I think my interest in the form may have piqued her interest in it). When she put down her wallet to pick up the pen, she let the wallet fall open on the counter. I could see her driver’s license behind a clear plastic window in her wallet. I could read her license number, home address, and date of birth.
After the owner swiped her Visa card, he put it down on the counter next to the woman’s wallet. I could easily see her account number.
I now had everything I needed to steal this woman’s identity without breaking a sweat.
Businesses that collect sensitive personal information from their customers have a responsibility to protect that information. If the owner of the ice cream parlor wants to run this kind of promotion, he should simply print small take-away flyers or business cards which describe the promotion and provide a link to a secure form on his Web site for customers to enroll in the Birthday Club. If this is too costly, he can simply display a Birthday Club promotional poster with his Web site URL and, perhaps, a QR code for patrons to scan with their cell phones. Better still, the owner could program his cash register to print the message, “Join our Birthday Club and get dessert on us!” on all receipts with the URL that customers can visit to enroll in the club.
Although the owner of the ice cream parlor was handling his customers’ Personally Identifiable Information (PII) irresponsibly, the burden of responsibility does not rest solely on the shoulders of businesses. Consumers also have a responsibility to protect their PII. The woman behind me in line had unwittingly provided me everything I needed to steal her identity using nothing but what she, herself, had made available. Fortunately for her, I’m one of the good guys. I work in the IT field and Information Security, or InfoSec, is my area of specialization and study.
NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Once an identity thief has access to your PII, he can empty your bank account, run up your credit card balance, open utility accounts in your name, and get medical treatment through your health insurance plan.
Here’s how you can avoid making the same mistakes that my fellow customer made when paying for her order:
- Never leave your PII where other people can see it.
- Never leave your wallet open anywhere in public. And, if you keep your driver’s license behind one of those clear plastic wallet windows for easy access, face it backward so nobody can see the front unless you take it out and show it to them.
- Be very discreet when handling your credit/debit cards, driver’s license, or state issued ID card during purchases. Make sure that you cover the front of the card with your palm when you hand it to the cashier, keep your eyes on the card the whole time, and get the card back as soon as possible. If the cashier handles your cards in an indiscreet manner, speak up!
If you’re really serious about protecting your PII, you’ll also want to follow these generally accepted best practices to help keep it from falling into the wrong hands:
- Keep any sensitive financial documents locked in a safe place at home.
- When at work, lock your purse or wallet in a secure place that only you can access (e.g., a steel locker or metal cabinet).
- Keep your PII safe from roommates, guests, and repairmen that come into your home.
- When you are not at home, keep what you carry to a minimum. Take only the ID card and credit/debit cards that you will actually need for that outing.
- Don’t ever carry your social security card. Leave it locked up at home. I’m well into middle age and no one has ever asked me to produce this document. Why take the risk of losing something that has the two pieces of information (your name and SSN) which are most valuable to an identity thief? Simply memorize your SSN and you’ll have it with you at all times.
- If you have a Medicare card, make a photocopy of it and black out all but the last four digits on the copy with a permanent marker. Carry the copy in your wallet. When you are going to the doctor’s office, you can take the original with you (but only then).
- Invest in a paper shredder and use it. Shred bank statements, credit card offers, receipts, insurance forms, credit applications, expired credit/debit cards, checks and related documents as soon as you don’t need them anymore.
- Never sign the back of your credit/debit cards. Instead, write “Ask to see photo ID” on the signature line of the cards.
- Completely destroy the labels on prescription medication bottles prior to throwing them in the trash.
- Don’t ever share your health insurance information with anyone offering free health products or services.
- Don’t ever send outgoing mail using your mailbox. Instead, drop it into a post office collection box or bring it into the post office itself. Remove any mail that arrives in your mailbox as soon as possible. If you go on vacation, request that the post office hold your mail until you return. When you return from vacation, pick up all of the collected mail at the post office yourself; do not have it delivered to your home.
- Opt-out of prescreened insurance and credit offers at: optoutprescreen.com
- Keep your household trash in your garage or in a lockable container, and never leave it out on the curb overnight before the morning of pickup. If you have a municipal or commercial trash pickup service, consider canceling the service and bringing your household trash to the dump or transfer station yourself. I began doing so years ago and—along with reducing my chances of identity theft considerably—it’s quite liberating to no longer be at the mercy of the pickup schedule.
Thus far, I’ve only discussed what actions you can take offline, in the ‘real world’, to minimize your identity theft risk. I haven’t discussed what you can do to protect your PII online. That will be the subject of my next several articles.
Securing your PII offline prior to taking steps to protect it online is appropriate.
Because, any successful identity thief knows that–although lots of folks obsess about things like worms, Trojans, viruses, and cyber-attacks–the weakest link isn’t your operating system, antivirus software or network firewall.