Chaos Program

A little while ago I saw a TV commercial that offered to pay people to make themselves targets for identity theft.

Oh, that wasn’t the intention. It was more a side effect of the campaign, which offered to pay people for referring friends to use the service. The part that made me start thinking about ID theft was the line that advised that, in order for you and your friend both to receive the cash the program offers, your friend must use your account number to sign up.

Have you seen the one? Sounds enticing, doesn’t it? It’s like free money!

Just as long as you trust your friends with access to your account. I have nightmares (well, not really, but play along with me on this) of greedy people putting their account number on a business card, or in an ad on Craig’s List, to get others to help them cash in on this program. So what if a complete stranger then hijacks their account? In a way, anyone that stupid deserves what happens to them.

I have an even worse nightmare that the company that ran the ad would say that their security is too good for someone to misuse an account just by knowing the account number. They have to also know something else, like a social security number! (For those folks who came in in the middle, SS number should never be used as a customer identifier because every use exposes it to possible theft).

Anyway, that’s just speculation. Maybe it’s not that bad. I hope not.

I’ll admit that an account number is not the prime target for identity theft. A single account number for a single business is much less useful than a social security number – and thank God for that! It would be scary to think of a company offering money to give up their social security numbers. How many people would fall for that?

But, believe it or not, that little account number still has some value. It’s still what’s known as personally identifying information. Laws that attempt to protect consumer privacy ordinarily list account numbers as the kind of information that companies should protect from sharing. In particular, Gramm-Leach-Bliley covers financial information that’s transferred electronically (such as when signing up for something on the web) and GLB includes account numbers in the list of things requiring enhanced security in order to protect privacy.

Notice, though, that the company isn’t violating GLB here. They’re not violating anyone’s privacy. They’re paying people to violate it themselves.

Brilliant marketing? Probably not, though it may be effective. The real question is, are the people who thought up this promotion hideously unethical or just morons?

That’s a trick question. They could be both.

Tags: identity theft, infosec, privacy

This entry was posted on Saturday, August 22nd, 2009 at 4:56 pm and is filed under security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.