The Credit Debate

  • I'm more concerned about biometric-

    The people who are concerned about medical data have a good point (with which I can sympathize), but their concern raises the bigger issue - producers of software who don't "get it" about how important their apps are and how important it is to properly test and secure. Lots of software companies "get it", and I'm happy for that. But lots don't.

    The post about latex fingerprints and contacts with iris images correctly points out that small-time theft of biometric info is not an issue. The issue is a database that is not properly secured, allowing the mass theft or modification of personal data. It would only take one large company cheating on its security to release enough biometric info to foul up people's lives for years. And as other posts have pointed out, we can't change our fingerprints - that info would be available to the wrong people for life!

    Before phishing filters became popular (I used to get multiple attempts each week), I was amazed at the number of people who choose to make it their full time job to steal from others over the internet. They're not going away, and I'm sure they'll figure out creative things to do with any data they can get from us.

    ___________________________________________________
    “Politicians are like diapers. They both need changing regularly and for the same reason.”

  • Interesting answers, and with these new Mission-Impossible-3D printers, I think I'd avoid biometric data as well.

    Here in the US, there are starting to be some devices that work off fingerprints, like garage door openers. Instead of a keypad, you, or your kid, can enroll and use that to open or close the door if you're standing there.

    Actually, my new laptop has a fingerprint reader. I tried it when I got it, works well for login/logoff (still requires a password) and 2 factor auth. However, since I rebuilt it that day, I haven't used it again. Not sure I want my fingerprints out on the WWW where they might be "borrowed".

  • Biometrics are the most scary because they would be binary data. Biometric data would not be human-readable, so how could you know if it was the original, copied, or altered? You can easily take a digital photograph and use PhotoShop to alter its appearance. I would expect the same vulnerability with biometrics.

    There are strict rules in place for handling credit card data, as per the Payment Card Industry (PCI) Data Security Standard, at https://www.pcisecuritystandards.org/. The actual standards document is at https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

    We desperately need electronic health records, now. Recently a family member was taken to the ER and then admitted to the hospital. The ER had no idea of health history or even current medications; the doctor phoned that in to the ER, but that info was not forwarded to the in-patient department.

  • Definitely biometric.

  • Biometric data is way more concerning.

    Like many have said, you cannot change it easily if it is compromised. Credit cards are protected against fraud, at least to the point you can challenge fraudulent charges.

    What happens when somebody says "Well, we have your fingerprints, so it must have been you that took out the money, accessed the computer, etc..." Breaking into your home is another concern. Signals can be replicated, if you know what to replicate. If somebody knows your credit card number, pin and all, they can enter it into most systems. If biometric becomes common, it is only a short time before ways to replicate fingerprint, retinal scan patterns, etc. for the readers are developed, once you have the pattern to match. I see horror stories of challenging improper authorizations, and having little leg to stand on, since it says right here it was your fingerprints...

  • How about this, then consider it when combined with biometrics

    Link: Illicit software blamed for massive data breach

  • Being responsible for safeguarding data, I would treat both with equal importance, equal security. However, I would be more concerned with the theft of biometric data.

  • It's all very well and good to discuss "Stolen" data but a very real concern to thousands of people is the screwed-up records, as I will explain.

    Experian, Equifax, TRW and the banks are selling data to each other and merging data daily. They are destroying good data by ignoring little details like, for example, your middle name.

    Ask Mary Lee Smith, Mary Lu Smith, Mary L Smith and Mary Smith and they will tell you what happens to their SSN and Credit Score.

    Now you want to do the same with AIDS and Hepatitis information ????

    Hospitals are now applying Isaac Fair Credit Scores to health information and getting it wrong. Recent examples include noticing an Equifax change in credit a few days after blood tests in a hospital where the patient had used valid health insurance. (no credit card payments were made in days before or after the visit).

    Inquiries to Equifax produced stonewalling before finally admitting the hospital had "updated" her score. This only after having the FTC bully them about the details.

    Another family member reports having problems with health insurance in California tracked down to three records of her SSN being used in Florida by illegal immigrants. God knows when and if in the future the wrong blood type and health history may some day kill the rightful owner of the SSN.

    Sorry about this rant but the details are factually true.

  • Can you tell me what this last comment means in terms of the question re: credit cards and biometrics?

    A SSN is a unique identifier as well as anything else is. If they are saying John A Doe with SSN 123 is the same as John B Doe with SSN 345, then that is just poor data meshing.

    The same mistake can be made with biometrics. If they are saying that bioid 457 is the same as bioid 687, because the first and last names are similar, that is equally bad. In the previous scenario, if the companies incorrectly mesh people with two different SSNs together because the names are similar, they can make the same mistake with bioids and allocate bad data to the wrong bioid. I do not see how biometrics make the procedure of poor data meshing better or worse... Maybe I am just misunderstanding the rant. I mean rant in a good way, that you are completely justified in being upset that companies can hurt people's credit history by poor practices. I'm just unsure how it relates.

  • To Aurelio,

    Oh that life and databases were so simple.

    I think the "How can it be..." examples you postulate are perfect examples of why the errors occur. It's because no one single ID key exists.

    Your Bank Account numbers vary from account to account and yes, somewhere in the system there is your SSN. So wouldn't it be a perfect world if your accounts were referenced as SSN-AccountID or any complex key including bank ID and clearing number, and the same with your mortgage and court case and Sears and BlueCross ad infinitum...

    But obviously not or we would not have errors.

    In addition, I can start work and provide my employer with any BOGUS SSN and it may take weeks for the IRS to notice.

    Same with hospitals and any service which demands an SSN as data.

    My close friend and her niece have been battling identity "Theft" or identity "Screw-up" for years.

    My friend has finally identified it as an almost identical named person in the same city who has a lengthy prison record.

    She cannot get data from the Police Dept on the grounds it infringes the felon's rights. She cannot get any interested lawyer since it's a case without any profit motive. The IRS, Equifax, California Courts and all say they can produce a statement of innocence, but the system is so tightly interwoven with Sears, and credit unions and anybody who can access your credit, that it's a nightmare.

    When one Federal Credit Union was challenged with the fact that her mortgage was transferred to CountryWide Bank years ago and yet still showed her as having an existing loan, they simply deleted years of good credit history at a single stroke.

    Me personally? I have not checked my credit score in ten years - I don't want to know and I just go forward but I can understand how she and thousands of others feel damaged and numbed by a system which is protective of their corporate activities and so far, very very difficult to penetrate even with the help of the FTC.

    "You can't prove a negative.." is a simple quote from them.

  • Ron,

    I don't think you get what I am saying. Obviously I don't get what you are saying, or I wouldn't be asking.

    How are you saying this relates to whether the misuse and/or leakage of biometric data is better or worse than the same with CC info?

    I think I get it now. I think you are subtly trying to say that having a single biometric ID would solve these scary issues.

    If so, that is not true. In your example of CC issues, a SSN is a single identifier that the CC company could use to say John A Doe is different than John B Doe. In your example, they performed poor data meshing techniques, and applied incorrect data to the incorrect SSN because the names are similar. The exact same thing can happen to biometric data. Because you are linking data to a unique ID does not mean you are doing it correctly. You could just as poorly associate John A Doe with John B Doe using two different SSNs as you could using two different bioIDs.

    Let me know if I am getting what you are trying to get at.

    My question is how do poor data practices relate to biometrics vs. cc info? Poor practices can be used with both. If a CC company cannot distinguish John A Doe from John A Doe Jr., even though they have two different SSNs, that same incompetence can apply if they have two different bioIDs.

    Or are you not saying that a unique bio id would solve the mess?

  • The question I think relates to if either was fraudulently obtained or misused, which is scarier.

    If I get what you are saying though, I think you just proved the point that if your bioID was fraudulently obtained or misused, you would be in an even bigger nightmare than if the same happened to your credit card.

    Once you have a unique ID, you can start associating all kinds of things with it, be it biometric ID, SSN, CC, whatever. And yes, as soon as biometric scans become common, a way to replicate the signature will soon follow. Not only that, any db that uses it would have it, the same as almost any company you do business with potentially has access to your cc info. The question is which is more important to keep safe. They are both important, but in our society, it seems like a misused bioid would be much harder to argue with.

  • I have been reading through all the posts here and I admit that perhaps I had gone off topic.

    The last few posts talk about the mechanics of relational data and our best efforts to create the Key ID and that's fine; however, as a SQL architect I am horrified by reports from the real world, personal friends and internet and TV news.

    Nobody wants to be held responsible for errors. That's human psychology, but corporations owe it to us to have open access to our data or an ombudsman available who does have the political power to do inspections of data and report or fix it.

    There are practical solutions that we as a society should mandate now before it becomes a bio-tech-data snafu.

    At the point of customer contact can we implement e.g. driver license card swipe to avoid misspelled firstname lastname address?

    Can our customers validate their personal name address etc by internet or email or automated phone?

    Do customer lists pass simple integrity checks before we merge data?

    As the gatekeepers of information we are employed by our masters to guard data which will be disseminated to other corporate systems. We have a moral duty to keep our own data safe, but as well as that we are the expert witnesses too. We are obligated to watch and complain if we see technology ignoring the rights of the little guy.

  • Aurelio Alvarez (3/28/2008)


    A SSN is a unique identifier as well as anything else is. If they are saying John A Doe with SSN 123 is the same as John B Doe with SSN 345, then that is just poor data meshing.

    Aurelio, be very careful here. SSN is not unique and can be reused once a person has passed (or both them and their spouse or children if collecting SS) almost immediately (they do try for a cooling period). There have been several cases of multiple people (living) even being issued the same number in error (poor management for sure).

    As for the issues mentioned, somewhere my info got meshed with another person once and they listed because a company put my middle name in the last name field then somehow Equifax and got both our data overlapped. Fortunately I knew based on the data where the issue started and other than having a stupid alias which is invalid all else was corrected. Also, there is a big debate now about SSN because the number is for tax purposes only and was never meant to be used for any other manner. In fact as I recall by law no company can ask you for the whole SSN number for identification (this is why many ask for the last 4). The government is starting to realize they need to enforce this fact and it is slowly happening. I even expect one day that SSN is replaced by the stupid new "READ ID" thing entirely just because of this. Also, it is very important to note that SSN is not in fact a secret number that no one else can not get a hold of, it was the credit companies too lazy to create their own number that broke this whole thing. There is also a way to get a brand new SSN under special circumstances with regards to ID theft now so it is still safer overall than biometrics as pointed out with the I can't get a brand new me statements earlier. But then again who knows what the future holds for say something like a "Ghost in the Shell" type scenario.

  • I am being pretty practical I believe. In all the examples, the errors were not because the SSN is not unique, but because the data analysts at some point DECIDED that John B Doe is John C Doe. I'm not saying that a SSN is universally unique no matter what. I think we're missing the practical point and the question.

    Which is scarier abused, a SSN or a bioID... I'm not going to argue about somebody starting work with a fake SSN, or having three SSNs because of a change, which is also of record I'm sure. If you change your SSN, there should be a trail, and if you accidentally got two bioIDs, applied for another because somebody GOT A HOLD OF IT just like everyone will HAVE IT the same way everybody has our SSN, then that will be of record in the future. For a bioID to be useful, everybody has to be able to access the database that has it. For a credit check to work, you need the SSN to look people up. If we switch to bioIDs, then others will need a record of your finger, iris, or bioid for it to be of any use. That everybody has your SSN still misses the question of what is scarier abused, a credit card or a finger print. Maybe the question has changed though to whether we are advocating moving to bioIDs.
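The pre-merge integrity check the thread asks about, sketched as an added example that is not part of any post above. It holds back the two cases the posters describe: records linked only because the names look alike, and one identifier (SSN or bioID) carrying two unrelated names. The field names, sample records and 0.85 threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample data; "id" stands for whatever key is used (SSN, bioID).
EXISTING = [{"id": "123", "name": "John A Doe"},
            {"id": "777", "name": "Mary Lee Smith"}]
INCOMING = [{"id": "345", "name": "John B Doe"},      # look-alike name, different id
            {"id": "777", "name": "Mary Lee Smith"},  # same person, same id
            {"id": "123", "name": "Maria Garcia"},    # same id, unrelated name
            {"id": "901", "name": "Priya Patel"}]     # genuinely new

def norm(name):
    """Case-fold, drop punctuation, collapse spaces; middle names are kept."""
    kept = "".join(c for c in name.lower() if c.isalnum() or c.isspace())
    return " ".join(kept.split())

def similar(a, b, threshold=0.85):
    return SequenceMatcher(None, norm(a), norm(b)).ratio() >= threshold

def premerge_check(existing, incoming, threshold=0.85):
    """Return (safe, held). Only 'safe' records may be merged on the id key;
    'held' is a list of (record, reason) pairs that need manual review."""
    by_id = {r["id"]: r for r in existing}
    safe, held = [], []
    for rec in incoming:
        owner = by_id.get(rec["id"])
        if owner is not None:
            # Same id: accept only if the name agrees, otherwise the id may be
            # reused, mistyped or bogus, which the thread reports happening.
            if similar(owner["name"], rec["name"], threshold):
                safe.append(rec)
            else:
                held.append((rec, "ID_COLLISION"))
        elif any(similar(r["name"], rec["name"], threshold) for r in existing):
            # Different id but a look-alike name: never merge on the name alone.
            held.append((rec, "NAME_ONLY_MATCH"))
        else:
            safe.append(rec)
    return safe, held
```

Held records go to a person with both source records in front of them; nothing is merged automatically on a name match.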
