Lately you may have noticed lots of news reports about hacking. There is the group that calls itself Anonymous, which has hacked many sites and organizations because of the WikiLeaks scandal. Sony PlayStation Network, Citibank and now Sega have all been hacked. This may make you nervous about what personal information you put on a website; it should scare the crap out of you! Aren't there government regulations that force companies to protect our personal data? Yes, but the oversight to ensure they are followed is minimal.
Let's look at what happened to Citibank. I've read articles that talk about how sophisticated the hackers must have been to uncover this security hole. Not to downplay the intelligence of the hackers, but this was a security hole that should never have been open. What the hackers figured out was that their own account number appeared in the URL, so they simply changed it and found they were now looking at someone else's account. Then they likely wrote a program to automate the process and harvest hundreds of thousands of Citibank accounts. This is really web development 101: the server must check that the logged-in user actually owns the account it is about to display, rather than trusting whatever account number shows up in the URL. It would likely have added one day to the development to ensure this couldn't happen, and during the testing phase the testers should have been checking that it can't.
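To make the point concrete, here is an added example (my own illustration, not code from the original post or from Citibank) of the flaw described above next to the ownership check that closes it, plus the kind of check a test team should run. The account data, the user names and the function names are all constructed for the example.

```python
# Added example (not from the original post): an account lookup that trusts
# the account number in the URL, the fixed version that ties the account to
# the logged-in user, and a QA check that walks every account as one user.
# All account data below is constructed sample data.

# Constructed sample data: account number -> owner username and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 9000},
    "1003": {"owner": "carol", "balance": 120},
}


class Forbidden(Exception):
    """Raised when a user asks for an account they do not own."""


def view_account_vulnerable(session_user, account_number):
    """Flawed handler: it looks up whatever account number came in from the
    URL and never checks that the logged-in user owns it. Changing the
    number in the URL is enough to read another customer's account."""
    account = ACCOUNTS.get(account_number)
    if account is None:
        return None
    return {"account": account_number, "balance": account["balance"]}


def view_account_secure(session_user, account_number):
    """Fixed handler: the account must belong to the authenticated session
    user. Missing and foreign accounts get the same error so the response
    does not reveal which account numbers exist."""
    account = ACCOUNTS.get(account_number)
    if account is None or account["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not view account {account_number!r}")
    return {"account": account_number, "balance": account["balance"]}


def foreign_accounts_visible(handler, session_user):
    """QA check: request every known account as one logged-in user and return
    the account numbers that user can read but does not own. A correct
    handler returns an empty list; anything else is a release blocker."""
    leaked = []
    for number, data in ACCOUNTS.items():
        if data["owner"] == session_user:
            continue
        try:
            if handler(session_user, number) is not None:
                leaked.append(number)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", foreign_accounts_visible(view_account_vulnerable, "alice"))
    print("secure handler leaks:", foreign_accounts_visible(view_account_secure, "alice"))
```

The only difference between the two handlers is one comparison against the session, which is what makes the "one extra day of development" estimate believable. The check in `foreign_accounts_visible` is the test the author says QA should have been running: log in as one user, ask for every other account, and expect nothing back.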
So how does something like this happen, especially to a huge corporation such as Citibank? In the corporate world, new business is usually more important than security. Security is not easily quantified in terms of how much money will be made by securing the website. If the business creates a new product that can be sold on the website, that shows up on the bottom line as profit. Security is purely a cost to the business. Too many websites don't focus on security until they are forced to, usually because of bad PR caused by getting hacked.
It amazes me how much personal information people put about themselves on the internet. Facebook is a perfect example of this. A clever identity thief could probably find many potential victims on Facebook. Think about how you choose the password you use for your online bank. Do you use your kids' names? Your pet's name? What about the security questions, like where you went to high school? Can these things be figured out about you on the internet? When I answer these types of security questions, I intentionally answer them incorrectly; only I know how I answer them. I don't use passwords that contain words, and I only use passwords that contain lowercase, uppercase, numeric and special characters. This will help you protect your personal information.

Personal data like credit card numbers and social security numbers should be stored encrypted in a database. The problem with this is that for a company to do so, they need to know when someone will be entering this data. If you place an order online and a company asks for your credit card number, they are likely encrypting it. But what happens when you fill out a form to get help with your order and decide to put your credit card number in the form to help them find your order? Well, this is probably not encrypted; it could be viewed by many people within the company and could be transferred insecurely, which means it could be picked up by a sniffer program. If this happens, you can count on months of dealing with a credit card company to get back your good credit standing.
Another piece of personal information that people enter constantly and don't seem to think about is birthdays. I recently went to my bank to withdraw $500, and all I needed was my name, account number and birthday. They didn't ask to see any photo ID at all. Yet I could tell you so many people's birthdays by simply going to Facebook. Imagine you have a party at your home and you have carelessly left your bank statement in a kitchen drawer. Someone you really don't know well, except as a Facebook friend, could write down your account number, get your birthday from Facebook or some other website you've entered it into, and potentially steal money from you. I know this sounds far-fetched, but I'm sure this exact incident has happened to many people who never thought it could.
You're probably wondering, should I ever use the internet again? Of course you should; just be aware of what you're doing. If you're entering personal information such as credit card numbers, social security numbers and birthdays, make sure that the website encrypts this data not just in the database, but while transferring it to the database. In a URL, you have probably noticed http://; this is not secure, whereas https:// is. So if you're on a page that is asking for personal information, look at the address bar and check for https://; if you don't see it, leave the page and don't enter your data. If you decide to comment on this post, don't enter any personal information, because it's not secure. I'm only expecting people to enter their thoughts, not credit card numbers. Shred personal documents or lock them up; don't leave them lying around so anyone can find them. When filling out documents such as applications for in-store credit and apartment rentals, ask to see how they secure your document. I feel that the most important thing in a store is not the money in the cash register, but all the in-store credit documents that have everything a thief would need to steal your identity.