Part of my business is practical security advice to our customers, so I am not a novice or unaware of good security practices. Even so, I have experienced credit card fraud as well as a communications company business account take-over. Both were NOT due to any security laxness on my/our part. Both WERE due to unbelievably stupid authentication procedures at the companies whose job it is to authenticate.
The business account, a DSL account with Covad, was taken over and changed out of our control. Covad said the usurper gave the two pieces of identification information that they required: (1) our business name and (2) our business address. DUH! When I challenged this through customer service, asking to speak to supervisors upwardly in line, I was promptly and indignantly stopped by each "droid" with a simple, "sorry, that is our policy for authentication, and we can't change it." When I asked to speak to the person in charge of formulating these authentication policies, I was given a phone number that got me to a menu loop that got me to no one.
The credit card fraud came after a credit card application at Micro Center. I only applied since it would give me another $300 off a laptop. I was suspicious of their practices when they asked me to fill out a paper application at the store. I grilled them on what happened to the paper application, where my information was stored, and who had access to it. They said the paper copy data was input right there at the store by an employee, while I waited; then the paper was shredded. I asked to watch the input, which they would not allow. I asked to have the paper returned to me, so I could shred it. This, of course, was silly, and I only used it to intimidate and challenge their casual security awareness. I still couldn't and don't know what they did with the paper while it was out of my sight. They did return it to me, after they had it somewhere in the back for a time.
As it turned out, within a couple months, someone gained "authentication" to that credit card account (which I was about to cancel) and changed the email address and mailing address on the account. After doing so, they waited a couple weeks and attempted to charge an expensive electronics item to the card. Fortunately for me, the card company called me to authenticate the purchase. Unfortunately for me, their procedures for authenticating access to the account allowed someone else to change my information and begin to usurp my identity.
Since then, I have been on the warpath against STUPID authentication procedures. I called every credit card, bank, and account of any type that I have. I asked them what they use to authenticate -- how do they confirm that I am me?
Most use two pieces of public information: my social security number or my date of birth or my mother's maiden name or my address or my phone number; all of which are PUBLICLY AVAILABLE TO ANYONE!!! They did not require any "secret" information that only they and I could know. DOUBLE DUH!!!
Worst of all, the credit card company fraud department was not allowed to give me detailed information that they had regarding the attempted fraud and ID theft. They said they could only give this to law enforcement.
ID theft and fraud advisors tell you to report such to local authorities. I tried this. If you relish put-downs and insults from local "Barney Fifes" who have no understanding of this type of crime, I recommend doing so. The detective told me that he saw no evidence of a crime being committed and that I must bring him some evidence before he would do anything. Remember, the credit card fraud department would not release anything to me directly.
You are also urged to fill out an FBI report. You cannot talk to an agent directly over the phone; you can only fill out a form on a website -- from which I never received any response.
So, as I said, my real war is with the various companies who hold my private accounts and their STUPID authentication methods. The onus must be placed on them. It is their job to ensure that my accounts are not compromised, not mine. It is their job to authenticate, and it is their job to create policies and procedures and employee training that supports best practices. This is not the job of their customers! Customers are not security aware, let alone experts.
Start requiring secret user IDs. Require cryptic passwords. Start requiring a secret verbal password or secret code for phone authentication -- emphasis on SECRET, and something odd that someone can't guess (lots of people know your dog's name -- another DUH!).
I know all of this is hard and people don't like anything difficult these days. But as Bruce Schneier has been telling us for years, security is a tradeoff. You can't have both security and ease or freedom. If you want security, you must put forth some effort and you must think.
As a customer with accounts, I need to do my part to protect my information and accounts, but I cannot protect what I don't control. I want everyone to get real about authentication. I have demanded realistic authentication procedures regarding every account I have. If a company did not have secret authentication available or was unwilling to listen to me, I simply canceled the account immediately -- don't need them; others are willing to listen and work on their authentication policies. But it will take more than just me getting real about this.
I urge everyone I talk to -- demand secret authentication practices from companies. Too bad if people whine because it is inconvenient. Fraud and account compromising will not go away and only get worse if both sides are not aware and willing to work at security. It's a company's job to make your account information safe, and your job to demand it and cooperate. In general, everyone can do a better job.
One last thing about personal information -- quit giving it out just because someone asks for it! Example: I went into a Dollar Store. I stood in line to pay for my $2.00 worth of goods. I wasn't sure what I was hearing the clerk say to customers ahead of me, until I watched the woman ahead of me make her credit card purchase. Then I realized he was saying the same thing to everyone, whether cash or credit card: "I need to enter your phone number to complete this transaction." I realized everyone ahead of me had willingly and demurely, without question, given him their phone numbers, which he entered into their system. No one refused. No one challenged. You better believe I did! And I turned around and told the rest of the line that they did not need to comply.
So many times we are asked for bits of personal information, and we fork it over without question. Anything we submit can or will be tied to us and used. We may not have control over how someone else stores and authenticates, but we do have control of what we give out, and we do have the right to question and refuse. A simple NO works just fine.