The importance of NOT giving out PII
Aug 18th, 2008 by Micheal
After reading the title, I’m sure you are curious as to what PII is. Or maybe you know already and just want to get to the rest of the post. Either way, PII is short for Personally Identifiable Information: things like your Social Security Number, email address, driver’s license number, and yes, even your phone number all count as PII. So what does this have to do with anything?
Some time ago, the CEO of Lifelock had his identity stolen. Remember those commercials where he put his Social Security Number on the side of a truck, saying he was so confident in his company that he was giving away his information? Well, his identity has been stolen at least once. That’s right, at least once.
According to the ABC News article, the CEO has been waving his information in front of criminals for the past couple of years, making him a special target. If this happened months ago, why am I writing about it now?
Good question. This has been in a private “Ideas” post for some time now, and I’m just getting around to going through it. The other reason is that even though this is old news, it still presents a lesson to be learned. You must be careful where, when, and to whom you give your private information. Posting it in a TV commercial is not being careful. Remember the old adage, “don’t talk to strangers”? It still holds true. People, even people who should know better, are forgetting this.
But this is not the only tale of ID theft I have to tell. While taking online summer courses this past semester, one of the sites the class was to use was for taking quizzes and general classwork. The site did not make use of SSL, or Secure Sockets Layer, to encrypt the information going to and from their server, meaning anything typed into its forms crossed the network in the clear. Not a big deal, you may say. And you’d be right, if the site in question didn’t ask for your student ID and/or your Social Security Number. Red flag! Why does a site like that need your SSN? Supposedly the site hooks into software called Blackboard and according to this site, some schools still use your SSN as your identifier. Bad, bad, bad, bad, bad! This is not acceptable. Needless to say, I did not put that information in. Fortunately, my school doesn’t use your SSN as your identifier.
The fun doesn’t end here, no, there’s more of the tale to tell. Another school I attend (yes, I’m going to more than one college at once, maybe I’ll write a post about that later) has a Single Sign-on service. Not bad. It uses LDAP (I can’t tell you how I know this, or I might have to get MIB to erase your memory ;)), so various school-related websites and computers can verify your login information. For example, because I’m in the Computer Science program, I have access to both a Windows lab and a Linux lab, and you are able to log in to both with the same ID because the school uses this SSO deal. Not bad at all. They even use SSL on your webmail, account management, and so on. All except one place. When you log in to the portal that Reslife has set up, they don’t use SSL, but you still log in with your SSO ID and password. Oh the fun. It doesn’t matter if SSL is used everywhere else; if one place doesn’t, that’s the chink in your armor, and a password sniffed from that one page works everywhere the SSO ID does. It will be game over if someone decides to exploit that vulnerability. Can I say it? Please? EPIC FAIL!
Lessons learned? Let’s start with not giving out your PII, even if you are the CEO of a credit monitoring service. I think it is a good idea to use a credit monitoring service, but it should go without saying, stay away from Lifelock. Then, if a website doesn’t use SSL and/or asks for more information than you feel comfortable giving, either leave the site (I didn’t have the option, obviously), or don’t put it in. Lastly, just because SSL is used in some places, that doesn’t mean you can ignore the rest.
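The check a practitioner would want for the two cases above (the quiz site taking an SSN without SSL, and the Reslife portal taking the SSO password without SSL) is an audit of every login or PII form a school exposes, not just the ones you happen to notice. The Python script below is an added example, not code from the original post or from any school’s systems; the hostnames, page HTML and field-name hints in it are constructed for illustration. It parses each page’s HTML, finds forms that collect a password, SSN or student ID, and flags any such form that posts over plain http, or that is served over http even though its action is https (an attacker on the path can rewrite the form before the browser ever sees the https action).

```python
"""Audit HTML forms for sensitive fields submitted without SSL/TLS.

Added example; not code from the original post. All sample pages and
field-name hints below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed lower-case substrings that mark a field as collecting PII or a credential.
SENSITIVE_NAME_HINTS = ("ssn", "social", "student_id", "studentid",
                        "password", "passwd", "pwd")


class _FormCollector(HTMLParser):
    """Collect every <form> and the (name, type) of each <input> inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each: {"action": str, "fields": [(name, type), ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "text").lower()
            self._current["fields"].append((name, itype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_sensitive(name, itype):
    return itype == "password" or any(h in name for h in SENSITIVE_NAME_HINTS)


def audit_forms(page_url, html):
    """Return findings for forms on `page_url` that send sensitive data insecurely.

    Each finding is (resolved_action_url, [sensitive field names], reason).
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        sensitive = [n for n, t in form["fields"] if _is_sensitive(n, t)]
        if not sensitive:
            continue
        # An empty or relative action submits relative to the page URL.
        action_url = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action_url).scheme.lower()
        if action_scheme != "https":
            findings.append((action_url, sensitive, "form posts over " + action_scheme))
        elif page_scheme != "https":
            findings.append((action_url, sensitive,
                             "form served over http (action can be rewritten in transit)"))
    return findings


def audit_all(pages):
    """Audit a list of (url, html) pairs; returns {url: findings}."""
    return {url: audit_forms(url, html) for url, html in pages}


# Constructed sample pages (not real sites, not from the original post).
RESLIFE_PORTAL = ("http://reslife.example.edu/login", """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>""")

QUIZ_SITE = ("http://quiz.example.com/register", """
<form action="http://quiz.example.com/register" method="post">
  <input name="student_id"><input name="ssn"><input type="submit">
</form>""")

MIXED_PORTAL = ("http://portal.example.edu/", """
<form action="https://portal.example.edu/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>""")

WEBMAIL = ("https://mail.example.edu/", """
<form action="https://mail.example.edu/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>""")

if __name__ == "__main__":
    for url, findings in audit_all([RESLIFE_PORTAL, QUIZ_SITE, MIXED_PORTAL, WEBMAIL]).items():
        print(("FAIL" if findings else "OK  ") + " " + url)
        for action, fields, reason in findings:
            print("      " + reason + ": " + action + " fields=" + ",".join(fields))
```

Run against the constructed pages, the Reslife-style portal and the quiz site are flagged for posting credentials or an SSN over http, the mixed page is flagged because the login form itself arrives over http, and only the all-https webmail passes. In practice you would feed it the fetched HTML of every page that has a login form, because the weak one is, as the post shows, rarely the one you look at first.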
This is one reason why I don’t have a page on facebook / linkedin / myspace / any of those other “social networking” sites, whether they’re promoted as being professional or not. I don’t give out my birthday or other information to people I really trust if they don’t need it… why should I give it to the rest of the world?
Although I did get one interesting tidbit of feedback from someone a long time ago… he suggested that even if you don’t use a service (like myspace or facebook) you should at least register your name and keep up a placeholder page. The idea: keep someone else from using the same name and possibly getting associated with you. I guess it makes sense. Never did it though.