Your personally identifiable information: It’s valuable to someone



Matt Yonchak, Sales Engineer, Hurricane Labs

Smart Business
spoke to Matt Yonchak of Hurricane Labs about protecting your personal information online.
One of the most common responses I get from your everyday user when I bring up the topic of securing your personal information is “Who cares about my e-mail address? It’s not like anybody is going to call me or stalk me or something.” I’ll ask them why the level of caring about their e-mail address is so low and again I’ll get a flippant response such as, “So what if I get spam? I just delete it anyway.”
We all understand that we need to keep our Social Security numbers and credit card numbers safe. We know not to give out the login credentials to our online banking site. These are common knowledge, but what about your e-mail address or the contact information that exists in your mobile phone? How closely do you guard that information? My guess is not as closely as you should.
The fact of the matter is that all aspects of your personally identifiable information (PII) are valuable to someone. Remember the Storm worm? Back in 2008, spam e-mail from Storm was analyzed and was found to be generating 3.5 million dollars of yearly revenue from pharmaceutical spam alone. Trust me, as throwaway as you feel your Gmail address is, someone wants it and is devising a way to get it. Like most illicit activity, it is money that is driving the theft of your information. You may not think about it but your personal information is valuable to someone out there.

How your information gets out

So how is your PII being gathered? Believe it or not you’re giving it away. Yup. You are willingly giving your information to spammers and sometimes worse. I’ve done it the same as you and didn’t think twice about it. Ever sign up for a perks card at your grocery store of choice and give them your e-mail address along with your name and address? I have. How about a loyalty card at your pharmacy? You get money off your prescriptions and save on everyday purchases, right? It makes sense because you’re affecting your personal bottom line positively, but let’s think for a second about how the pharmacy is offsetting that discount you’re receiving. Not only are they gaining a loyal customer who is less likely to shop around for better discounts, but they are also taking your information and correlating that with your shopping habits. Then they take that information and turn around and sell it to a marketing company so that they can construct more targeted marketing efforts for you. Buy a lot of protein bars? Check your e-mail more closely next time and you’ll probably notice that you have advertisements and spam for things like protein shakes and weight loss drugs. Your buying trends are valuable and how is it all correlated? Your e-mail address.
How’s your Facebook page these days? Ever get a friend request from someone you didn’t even know existed? That’s because they don’t; they’re a bot. A fake person created for the sole purpose of gathering the personal information from your profile. Pretty devious huh? Not really, you’ve probably seen that and chose to decline the request because a) you don’t know them and b) their name is Akdjrsk Smith (doesn’t seem like a real name to me either, you would think that they could be a little more clever with their name generator). While that attempt to steal your information is pretty overt there are more crafty ways that Facebook attempts to get a hold of your PII. Playing games on Facebook is a pretty good way to ensure that your e-mail address ends up on some spammers list. It has been well documented that games like Farmville, Mafia Wars, and that game where you have to keep your fish tank clean (never understood that one, seems like more of a chore than a way to have fun) are nothing more than information harvesting vehicles. This is just a reminder that while you may have friends on Facebook, Facebook is not your friend.
The other very common way to get a hold of your personal information is through your mobile phone. If you have a smart phone you’re vulnerable to attempts at gathering your PII. The easiest way to have this happen to you is for you not to pay attention to the permissions on the apps that you’re downloading. If you ever see a permission on an app that says “Read Contact Data” or “Read Calendar Data, Write Calendar Data”, I would suggest taking a good, hard look at what that app does and ask why it would need access to that information. Again we see games as an easy attack vector for the uninformed mobile user. Games often have so many permissions associated with them that people accept and install without adequately reviewing what the game is doing in the background. The easiest way to protect yourself is to make sure that you are smarter than your smart phone.

How your information is valuable

Now that we know how the information is being disseminated to those trying to profit from it, let’s examine how valuable it actually is. We’ve talked about how spammers are using your information, but how profitable is it? I did some research to see how I could acquire mass amounts of e-mail addresses and I found a site where I could purchase bulk e-mail addresses for marketing purposes. There I found that I can buy more than 50 million e-mail addresses for $3,499. I found other options as well. I can purchase business e-mails by state. For example, I can buy more than 2 million e-mail addresses for businesses located within the state of Ohio for only $499. For those of you within the state of Ohio, what do you want to bet that I will find e-mail addresses for people within your company? Five hundred dollars is a drop in the bucket compared with either a targeted marketing effort or, worse, an actual attempt to get sensitive information from within said company. Spam is big business. It wouldn’t exist if it didn’t work and, unfortunately, it does.
How about your identity as a whole? How much is your life worth to an identity thief? According to Symantec, the black market value of my life is $22.22. Personally I’m underwhelmed. I thought I would be worth more than that. What they’re taking into account is your age, sex and the amount of data you work with online (bank accounts, 401(k), credit cards, etc.). If that is all that I’m worth do you think it’s really that difficult to purchase that information? The higher the worth the more difficult it is to obtain the information. According to an article by ComputerWorld if I were a 60-year-old male who has more than $10,000 in my checking account, I would only be worth a whopping $32.29. Realizing that it is that cheap for someone to purchase your identity should make you think twice about how much and the method in which you access your financial information online.
OK, lets forget for one second my own personal net worth, how about my company? Can my PII be a liability to my place of employment? Your info can provide a useful attack vector into your business. If I’m a hacker and I want to get into a company, what is the most vulnerable attack vector? The employees, of course. If I know more about you I can construct a clever phishing attempt or I can just call you on the phone and say that I’m from HR and I need XYZ. If I can provide you with your SSN or employee ID, chances are that you are going to be more likely to talk to me and provide me with what I want — a way in. All it takes is one weak link and someone with malicious intent can exploit it to their advantage.

How do I stop it?

As with most issues, knowledge is power. The power the hacker needs to penetrate your defense or the power a user needs to repel such an attack. By knowing what you should be wary of you’ve increased the level of difficulty exponentially that a criminal has to deal with. Chances are if it is too difficult for the criminal then they will move on to an easier target. People are targets of opportunity. Remove the opportunity and the threat will sometimes pass you by. Know what social media is after — YOU. How do these sites stay in business? Ads and your PII. You are fueling social media. This is not to say that you shouldn’t use Twitter, Facebook or LinkedIn. Just use them wisely. The same applies for your mobile devices. Use them wisely. The biggest thing that you can do is to have a healthy level of paranoia about your personal information. Even the things that seem innocuous to you can be valuable to someone. What you really need isn’t software to protect your PII, what you really need is constant vigilance!
Matt Yonchak is a Sales Engineer at Hurricane Labs. Reach him at [email protected].