September 15, 2009, 8:56 PM — Organizations love to collect data on people, often in the name of identity and access control. But more often than not, the information gathering fails to improve security. In fact, it often makes matters worse, according to security experts speaking Tuesday at CSO Magazine's Digital ID World 2009 conference.
Employers want all the data they can get on a potential worker to ensure they won't do anything evil if hired, but they hire sinister seeds anyway. [See also: Hard Questions About Background Checks]
Retailers ask online customers lots of security questions to ensure they're the rightful owner of the credit card numbers they're using, but that does more to drive customers -- and their money -- to other sites than it does to prevent online fraud. [See also: Identity Management: Implementation Dos and Dont's]
Jeff Jonas, chief scientist of IBM's Entity Analytic Solutions division, described the first problem using a Las Vegas scenario.
Despite extensive background checks, crooked dealers have still been known to work the craps tables, partnering up with outside fraudsters on any number of schemes. The insider threat, he said, is alive and well in gambling halls along the strip and elsewhere.
"Organizations [like casinos] are getting dumber as more data becomes available," Jonas said. "They get overwhelmed and don't check all the details in front of them, like the fact that someone they're hiring has a criminal record and is likely to become part of a scam."
Jonas went beyond the insider threat to point out another chilling fact about all the data swirling around us: Thanks to the proliferation of mobile devices connecting to the Internet, especially laptops and mobile phones, it's becoming relatively simple for strangers to get a fix on your typical traveling habits, and that can be used to your disadvantage.
He noted that some 600 billion cell phone transactions are generated annually. Put the data from those transactions together and one can quickly get an idea of where you spend your time and who your friends are. And more often than not, the phone provider is more than happy to share that information with third parties. "The consequences for ID management systems are huge," Jonas said. "Your movements speak for themselves."