Category Archives: Internet Safety

OK..lahoma Identity Theft?!

I stumbled on an interesting article today about data privacy, or really the lack thereof, for registered sex offenders in Oklahoma (and ultimately the State’s government employees as well). It seems that anyone on this list, or any other offender list in OK, has had their SSN numbers exposed on the Internet for the past 3 years.

…The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases.

What I find interesting is that a feeble attempt to protect this information was made at first. It wasn’t completely corrected until the writer of the article pointed out to the Department of Oklahoma Corrections that it wasn’t just criminals whose SSN numbers were exposed but also private data on the government employees could be found and downloaded easily.

Shortly after discovering this problem (thanks to reader AJ, who hesitantly pointed it out), I spent the following day working my way up the DOC’s call tree. Eventually, I found my way to George Floyd and explained how bad of an idea it was to have a SQL query as a parameter…

The following day, both the SVOR and Offender Search were taken down “for routine maintenance”. Great, I figured, they discovered an overlooked hole and were working to patch it up. However, when the sites came back up, I noticed that the “print-friendly page” still had a SQL query in the URL. Putting the “social_security_number” in, however, no longer displayed social security numbers. It took me all of ten seconds to figure out a way around their fix. This slightly-modified URL brought back all 10,597 SSNs once again.

…I emailed again, this time explaining the problem much more clearly and advising in BOLD, RED, CAPS that the “roster page” should be taken down immediately. I also demonstrated the power of the ALL_TABLES table, the contents of an “interesting” table named MSD_MONTHLY_MEDICAL_ACTIVITY, and how even their information was available for all to see…. That, apparently, did the trick. Soon thereafter, the sites underwent “routine maintenance” and the “roster pages” were no more. I guess they weren’t too thrilled about having their personal data up on the ‘net for all to see

Leave a comment

Filed under identity theft, Internet Safety

A Good Perspective on Social Networking Identity Verification Issues

Zach Martin, editor of CR80 News recently published an article about the identity and age verification issues we are facing in social networks. You definitely should check it out but in case you don’t have time here are some important highlights:

When trying to get into a bar or club there is typically someone at the door checking IDs. But on social networking sites there is no bouncer, which means there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man.

It’s the same no matter where you go. MySpace, Facebook, and professional networking site LinkedIn, do little to make sure people are who they claim to be. “There is a general feeling that social networking is the wild west of identity management and a lot of bad things happen because proper controls haven’t been put in place,” says Roger K. Sullivan, president of the Liberty Alliance Project management board.

The stories range from the tame to the tragic.

A student not happy with an administrator at school creates a profile on a social networking site. Even though the student is a woman she creates a profile that is a man and then flirts with the administrator in order to cause her embarrassment later.

At a Catholic school in the Chicago suburbs, an administrator monitors the popular social sites on a regular basis just to make sure nothing out of the ordinary is happening. She has run into instances where students create accounts in other peoples’ names – people who actually exist – and then make false statements. For example, one student set up an account as a real person from another school and made statements about the student’s sexual proclivities while giving out her real phone number.

In 2006, a fake profile led to the suicide of a 13-year-old Missouri girl. A classmate’s mother originally created the profile to find out if Megan Meier was saying anything bad about her daughter. But then it was used to gain Meier’s confidence and then to tear her down. Angry messages went back and forth, and it ended with Meier hanging herself.

There’s also the need to prevent pedophiles from contacting children online. MySpace has agreed with different states’ attorney generals to adopt better technologies that will help identify underage users so they can be protected from predators, but the social networking site hasn’t figured out how it’s going to do it.

The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.

But this may all change. As sites become more scrutinized they will have to take steps to make sure people are who they say. “There will be a trend to use a third party that leverages database information that will be able to vouch for you and provide a more certain level of identification,” says Eric Skinner, chief technology officer at Entrust, an Addison, Texas-based digital identification vendor.

There are a handful of vendors that are offering online identity vetting. Most are working with financial institutions, but they see business opportunities with the social networking sites.

The article goes on to describe some social networks and their use of identity verification including one of our clients FunkySexyCool and their use of our system. It also discusses the privacy concerns related to age verification of minors and provides a possible solution the Liberty Alliance is discussing essentially related to ID 2.0

Liberty Alliance’s Sullivan, who is also vice president of Oracle Identity Management, says it’s only a matter of time before social networking sites offer tiers of identification assurance, which could be used to confirm a minor’s identity. For example, if a 14 year old wanted to sign up on MySpace without a parents’ permission they would be placed on the lowest ID tier. “They would be put into a question mark bucket,” Sullivan says.

But if one parent went online and confirmed his child’s identity they would be raised up a tier. If both parents did it they would go up two tiers. The parents would be authenticated through public records and online databases.

Eventually there would be a fourth tier as well. A minor would physically go to a trusted source with documents that prove their age and identity. These identity assurance sources don’t exist, but it’s something the Liberty Alliance is working toward, Sullivan says.

The next task force meeting will be later this month and I’m looking forward to seeing how the conversation progresses. I firmly believe we can find several ways to combat the issues at hand including both an educational approach and technological approach.

On another note, I’m off to the RSA Conference next week. IDology has a booth this year so if you are in San Fran, stop by and see us.


2 Comments

Filed under Age Verification, Identity 2.0, Identity verification, Internet Safety, MySpace, protecting kids online, security, social networking

Internet Safety Technical Task Force Kicks Off

We had the kick-off meeting for the Internet Safety Technical Task Force this week.  As I expected, there are a lot of differing opinions of the committee members.  It should be an interesting year to watch how things progress. 

I believe the key to progress is being able to listen and keeping an open mind.  Which is just what I intend to do.


Leave a comment

Filed under Age Verification, Internet Safety, MySpace, protecting kids online, Richard Blumenthal, sexual predators, social networking

Taking Internet Safety To Task…

It’s official! The Task Force to focus on identifying effective online safety tools and technologies, including age and identity verification has been created and was announced today.  If you recall, this Task Force was an important element in the MySpace and Attorneys General Multi-State Working Group announced last month. 

The Task Force is being led by John Palfrey who is the Executive Director at the Berkman Center for Internet & Society at Harvard Law School.  And among its members are organizations concerned with this issue including Non-Profits, Academics, Prominent Internet Businesses and Technology Companies, of which IDology is one of the appointed members.  Other member names you will recognize are AOL, Symantec, Microsoft, Verizon, Google, Facebook, Xanga, Yahoo, WiredSafety.org and more.

Personally I’m excited about this opportunity.  In the press release issued by the Berkman Center today, Palfrey says:

“We should work together – private firms, technologists, experts from the non-profit world and leaders in government – to solve online safety issues as a joint effort.”

I couldn’t agree more with Palfrey.  The task force faces a very difficult issue where there are differing opinions.  I believe all of its members need to keep an open mind and a team approach if we are going to make headway in solving this problem to create a safe online environment for our children.

I look forward to having healthy, productive discussions on the issues at hand.


4 Comments

Filed under Age Verification, child safety, Facebook, Identity verification, Internet Safety, MySpace, protecting kids online, social networking, Xanga

MySpace Sees the Identity and Age Verification Light…

Today’s press release out of North Carolina Attorney General’s Office Roy Cooper is a big deal. Here’s the first paragraph:

In a victory for social networking safety, Attorney General Roy Cooper and 49 other attorneys general today announced that MySpace has agreed to significant steps to better protect children on its web site, including creating a task force to explore and develop age and identity verification technology.

It’s been a long 2 years in this education process and the fruits of our labors are finally coming to fruition. Given MySpace’s leadership position and popularity, gaining recognition and cooperation from them will only serve to help advance identity and age verification technologies growth in the market. Here are some words that are music to my ears:

MySpace acknowledged in the agreement the important role of age and identity verification technology in social networking safety and agreed to find and develop on-line identity authentication tools.

Obviously there is still a lot of work to do but I’m glad to see that we are all going to roll up our sleeves together and do what is best for our kids – find a way to help keep them safe online.

3 Comments

Filed under Age Verification, child safety, Identity verification, Internet Safety, MySpace, protecting kids online, Richard Blumenthal, sexual predators, social networking

Internet Life Down Under Changing in ’08

Come January 20, the Aussie’s will be following new government mandates for Internet content which require age verification for mature and adult-oriented material.

Admittedly I’m not completely up to speed on the issues in Australia but this article says that:

“Australia has long carried a reputation for having one of the most restrictive censorship protocols in the western world.”

Whether you agree or not with their censorship practices, this decision is very interesting (and positive) for a few reasons. First, it shows that an infrastructure can be put into place that includes age verification to grant access to mature content. And also that the citizens of Australia have embraced the need to protect kids and can have a higher level of confidence in what their children have access to online.

I’m curious to watch how this will progress and see if any other countries follow suit.

Leave a comment

Filed under Age Verification, Australia age verification, Internet Safety, protecting kids online

Putting A Face To Identity Theft

What image comes to your mind when you think about identity thieves?

I would guess it isn’t this couple:

id couples

 

Yet these young 20 something’s are suspected of crimes including ID Theft and forgery. You can read about it here and here.

This story just goes to show that it isn’t only faceless criminals hiding behind computer screens that we need to protect ourselves from it’s also the Joneses living next door.

Leave a comment

Filed under fraud, identity, identity theft, identity theft crime, Internet Safety, Internet Security, keeping up with the joneses, To Catch an ID Thief