Social networking sites a treasure trove for identity thieves

The increasing amount of information individuals share on social networking Web sites also could put them at greater risk of identity theft, according to identity management professionals.

The amount of personal information posted on social networking sites has made it easier for criminals and others to collect data and impersonate individuals online, said identity specialists speaking on Thursday at a panel in Washington hosted by the technology lobbying group TechAmerica.

"The definition of personal identifiable information will continue to expand," said Rick Kam, president of the consulting firm ID Experts. "Our approaches must also evolve."

The number of phishing incidents where individuals are asked to enter their personally identifiable information into a third-party Web site has increased sharply in recent years, said Dianne Usry, deputy director for incident management at the Internal Revenue Service's Office for Privacy, Information Protection and Data Security.

To comply with an Office of Management and Budget mandate intended to combat the increase in identity theft, the IRS is limiting its use of Social Security numbers both on printed documents and as a way to authenticate online visitors to its Web sites. Last year the IRS decreased the number of documents and letters with Social Security numbers by 8 million.

"The IRS will never get away from paper," Usry said. "We're actually more concerned about the possibility of a data breach from paper documents than from online."

The IRS does not keep statistics on the number of phishing attempts that successfully steal personal data, but most domestic phishing sites usually are shut down within three hours, she said. International sites take longer to shutter.

"The criminals are more active and so are we," Usry said. "We hope awareness is going up along with activity."

Social Security numbers are no longer the only target of online criminals, according to the panel members. Social networking sites such as Twitter and Brightkite allow individuals to post a stream of updates that include where they are. The popular photo-sharing Web site Flickr allows users to see exactly where a photo was taken. By aggregating the data about an individual's activities and movements, someone can create a detailed account of the person's work or personal life, according to Ian Glazer, a senior analyst for identity and privacy strategies at Burton Group.

"Individuals and organizations should treat their location as an enterprise asset," Glazer said, adding that disclosures made on social networking sites like Facebook could reach much larger audiences than users intended.

Also on the rise is medical identity theft, whose victims account for 3 percent of all identity theft, according to Dan Steinberg, an associate at Booz Allen Hamilton. Steinberg said medical identity theft is especially troubling because in addition to financial damage, the act can result in physical injury or loss of life.

One of the most common forms of this type of theft is when an individual uses someone else's information to seek medical care, either with or without their consent. The impostor's patient information is then added to the authentic patient's record, creating the possibility that the victim might receive a misdiagnosis or mistreatment when he or she visits a doctor or hospital.

Steinberg said health care providers can prevent this by verifying the identity of patients before providing care. Many providers now request identification when patients arrive, but the practice is not widely followed.
