Background checks not fit for purpose

Organizations love to collect data on people, often in the name of identity and access control. But more often than not, the information gathering fails to improve security. In fact, it often makes matters worse, according to security experts speaking Tuesday at CSO Magazine's Digital ID World 2009 conference.

Employers want all the data they can get on a potential worker to ensure they won't do anything evil if hired, but they hire sinister seeds anyway.

Retailers ask online customers lots of security questions to ensure they're the rightful owner of the credit card numbers they're using, but that does more to drive customers, and their money, to other sites than it does to prevent online fraud.

Jeff Jonas, chief scientist of IBM's Entity Analytic Solutions division, described the first problem using a Las Vegas scenario.

Despite extensive background checks, crooked dealers have still been known to work the craps tables, partnering up with outside fraudsters on any number of schemes. The insider threat, he said, is alive and well in gambling halls along the strip and elsewhere.

"Organisations [like casinos] are getting dumber as more data becomes available," Jonas said. "They get overwhelmed and don't check all the details in front of them, like the fact that someone they're hiring has a criminal record and is likely to become part of a scam."

Jonas went beyond the insider threat to point out another chilling fact about all the data swirling around us. Thanks to the proliferation of mobile devices connecting to the Internet, especially laptops and mobile phones, it's becoming relatively simple for strangers to get a fix on your typical traveling habits, and that can be used to your disadvantage.

He noted that some 600 billion cell phone transactions are generated annually. Put the data from those transactions together and one can quickly get an idea of where you spend your time and who your friends are. And more often than not, the phone provider is more than happy to share that information with third parties. "The consequences for ID management systems are huge," Jonas said. "Your movements speak for themselves."

On hand to describe the second problem was Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. He unveiled newly conducted research showing that consumers aren't liking that online retailers insist on asking a lot of security questions. They want companies to put better authentication technology in place to verify their identities instead.

For his report, sponsored by device identification software vendor ThreatMetrix, Ponemon surveyed more than 500 Internet users and found that 78 percent of respondents believe online merchants, banks and social networks should use technology such as a cookie or other invisible software to protect their identity while only 21 percent want online vendors to require more personal data from the consumers themselves. In other words, people are willing to let trusted online vendors profile their computers if it means increased security and reduced need for them to share personal information.

Privacy remains a vexing concern among respondents, but they are increasingly willing to bend on the issue if it means better protection from fraud without all the questions. Nearly 70 percent of respondents said they'd be willing to have their computers authenticated by an online merchant before purchases are completed and 75 percent said computer authentication is preferred because it's more convenient than remembering passwords or answering pre-selected questions.

"Given the negative attention to and connotations of cookies and similar types of tracking software, we were surprised to find that an overwhelming majority of consumers surveyed were comfortable with the idea of having their computers profiled in order to be identified by online vendors," Ponemon said. "However, the finding is consistent with the value consumers place on convenience and their desire to have a more secure, trusted transactional experience online."