Beware of emails phishing for your ID
Did you ever get an email message from your bank — or maybe from another bank you don’t use — telling you about a security breach?
You’re asked to log in and provide personal information to avoid having your account suspended.
David Lennick recently received such an email. He was almost, but not quite, taken in.
“I’ve become used to seeing these things, usually claiming to be eBay or PayPal, and I’ve seen other bank ‘messages’ from banks I’d never dealt with,” he writes.
“But this one showed up just a couple of weeks after I’d gotten online access to my bank account. And it didn’t have the tell-tale misspellings or bad grammar.” He printed out the email and showed it to staff at his bank branch.
“Nobody at my branch was aware of these things showing up, so obviously the banks need to spread the word as well.”
Banks are waking up to these emails, called “phishing,” since they’re phony and designed to fish for personal and financial information from the recipient. You can now find prominent warnings at bank websites. CIBC, for example, shows copies of a dozen fraudulent emails sent to customers and illustrates what to look for in a valid message (your name, consistent branding, no sense of urgency).
Education is welcome, but not enough. Businesses must work harder to safeguard their customers’ personal information.
Ann Cavoukian, Ontario’s information and privacy commissioner, has just released a report on identity theft, one of North America’s fastest growing crimes.
“We believe that the single largest cause of identity theft is the existence of poor information management practices on the part of organizations,” says the executive summary.
Consumers can take steps to minimize becoming a victim — and the report lists a dozen self-help tips — but the problem is largely out of their hands.
“We place the problem in the hands of organizations that collect massive amounts of personal information and leave it largely unencrypted and in clear view of both insiders and outsiders alike.”
Cavoukian, appointed in 1997 and now in her second term, won’t let companies off the hook when it comes to change.
“In the first paper we wrote about identity theft in 1997, we didn’t place the responsibility squarely on businesses. Now we do,” she said in an interview. “We believe that businesses have to lead on identity theft. The first step should come from them.”
Identity theft involves using personal information to masquerade as someone else.
Suppose you take the bait after receiving a “phishing” email. Thieves could gain illegal access to your bank accounts or take out new loans or credit cards in your name.
Meanwhile, you may not notice anything unless you comb through your bills and statements and monitor your bank-account balance frequently.
The 30-page report talks about best practices businesses can use in protecting customer data, such as disguising the sensitive elements of records. Why, for example, is it necessary to print the client’s entire credit card number on sales receipts?
“Four digits will suffice, with the remainder being masked. This is commonly referred to as ‘truncating’ a number of the digits of one’s credit card number.”
Cavoukian is now an advocate for truncation. On a recent trip to the dentist, she made sure the dental office — which had been printing the entire credit card number — changed its practices.
“If you deal with businesses that don’t truncate, let them know,” she advises.
Publications Ontario doesn’t truncate, as she found out recently from several people who had purchased government information online.
“I wrote to them right away,” she says.
Cavoukian has jurisdiction over the provincial public sector. But business privacy comes under federal legislation, the Personal Information Protection and Electronic Documents Act.
She’s pushing the Ontario government to pass its own business privacy law, as have Quebec and British Columbia.
Something else she’d like to see: A law forcing companies to notify customers if there’s been a security breach.
California was the first to enact a breach notification requirement in late 2003. Many U.S. states have followed suit.
“This is becoming the norm in the United States,” she says. “We should show leadership in Ontario. I’ve written to Government Services Minister Gerry Phillips to tell him.”
Identity Theft Revisited: Security is Not Enough is available at the commission’s website, www.ipc.on.ca (click on What’s New), along with brochures on how business and customers can protect personal information.
Ellen Roseman’s column appears Wednesday, Saturday and Sunday. You can reach her by writing Business c/o Toronto Star, 1 Yonge St., Toronto M5E 1E6; by phone at 416-945-8687; by fax at 416-865-3630; or at erosema@thestar.ca by email.