Friday 10 January 2014

Redirecting Your Physical Identity

One of my pet hates is when mail for other people is delivered to my personal post office box.  But something that isn't normally considered is how annoying it could be for the person who didn't get the mail in the first place.

I'll use a recent real example, and in this case the misdirected post was for yet another optometrist.  Seriously, what is it with optometrists and security failure?  It has never been more true that there are none so blind as those who will not see.

There are three different failure conditions, all with a cost and an impact.

#1  The sender doesn't know the receiver didn't get the message.  They are spending money posting paper that never gets delivered.

#2  The receiver doesn't know anything about the message at all.  They are paying for the message to be sent, but are getting no value from it.

#3  The sender has included enough information on the outside of the envelope to allow anyone who sees it to steal the identity of the receiver.  They've assumed that the communication is private and can't be intercepted.

It's #3 that is the most troubling.  The name, address, account number, contact details and a number of other pieces of interesting information were on the outside.  This is sufficient to be able to reset the password of the legitimate receiver at the organisation of the sender.  After that, identity theft becomes very easy.

We know that information is being snooped off our networks, but we forget that every piece of physical mail is scanned and photographed to allow automated delivery.  Those photos are metadata, and almost certainly end up with the security services.

It isn't enough to keep our identities secure online; we have to remember to keep them secure offline as well.

Phil Kernick @philkernick
