Guarding against identity theft requires much vigilance

Over the last few days, online gamers who use the Sony PlayStation Network and subscribers to Sony's Qriocity music and video services have learned some disturbing news: A "criminal cyber-attack" last month on Sony's San Diego data center laid open the sensitive personal information of tens of millions of Sony customers, exposing them to identity theft and other data crimes.

But the story also lays bare a disturbing truth for the rest of us: If a high-tech stalwart like Sony can't be fully trusted, it's clear that data insecurity is here to stay - something we'll all have to cope with for the foreseeable future, despite continual efforts to keep it under control.

If you're tempted to become a neo-Luddite and forswear all use of Internet technology, rest assured that even that won't help. No matter how they get your data, companies privy to sensitive information can still put you at risk - a point illustrated Tuesday by the Federal Trade Commission's latest cases against two companies accused of lax practices.

The FTC, which has brought more than 30 such cases since 2003, accused Ceridian Corp. of storing sensitive data on its servers "in clear, readable text" rather than in encrypted form, and maintaining data indefinitely without legitimate need. It said the other company, Lookout Services Inc., failed to protect data behind user names and passwords, enabling a Web visitor to view the Social Security numbers of about 37,000 consumers.

Neither company paid any penalties or admitted wrongdoing. Both agreed to beef up security and submit to outside security audits every other year. And both of their cases, along with Sony's mea culpas, help illustrate two fundamental points made repeatedly by data-security experts.

One is that companies that handle sensitive data need to take basic steps to protect it, and to constantly guard against new vulnerabilities. It's a cat-and-mouse game, and the mice are always honing their skills.

The other is that technology users can't count on businesses to protect their data - even if the businesses do everything right.

"Unfortunately, the hackers are always one step ahead, and it doesn't mean that the company has done anything wrong," says Kristen J. Mathews, a partner at New York's Proskauer law firm and head of its privacy and data-security group. "Sometimes, it's impossible to be 100 percent secure."

What can technology users do? I put that question this week to Mathews and Chad Dougherty, leader of the Vulnerability Analysis Team at the highly regarded CERT Coordination Center at Carnegie Mellon University, which has been working to stay ahead of Internet vulnerabilities since the Morris worm struck in 1988.

Data thefts alone won't crash the Internet, but they expose security flaws and can undermine public confidence in it. So just like Mathews, Dougherty takes them very seriously. Here are five tips offered by Mathews or Dougherty, with considerable overlap:

Use separate passwords for every site, or at least every financial site. Yes, this is complicated for many people, but both Dougherty and Mathews call it essential. So-called PIN-vault programs may help.

"The important thing for people to keep in mind is that every unique organization they provide sensitive information to becomes another opportunity for that information to get compromised," Dougherty says.

The key, he says, is to "decouple the information" - to limit the risks you'll face from any single company's laxity. That way, if thieves get your password from one site, they can't use it at another.

Pay extra attention to e-mail passwords. You may think you don't need to be as cautious when accessing your Web mail as when you're logging in, say, to your bank. But you'd be wrong, Mathews says.

Think about all those "Forgot your password?" links you see every time you log in. They typically work by sending you an e-mail to the address you gave when you created the account. That works well - unless a hacker has hijacked your e-mail. If the bad guy has access to your e-mail, he can start resetting all your other passwords.

"If you don't have a secure e-mail account, it really puts all your other accounts in jeopardy," Mathews says.

Security questions can be foe - or friend. Mathews warns against security questions that repeat from site to site, or are too easy to guess. "A lot of people might know the name of your dog or your high school's team mascot," she says.

But there's an ingenious solution: Treat the security questions as an additional level of authentication.

"If a website asks you what was your first vehicle, make up a random word and treat that as a different password," Dougherty says.

You can even change the answer you give for your mother's maiden name, another common and problematic security question, especially for people like my daughters who use it as their middle names.

Watch closely for identity theft.

Monitor all your statements - credit cards, checking, phone, brokerage - for anomalies. You can pay for credit monitoring if you want, as Mathews does, but the real key is constant vigilance.

Given the rise in so-called medical-identity theft, in which thieves obtain care and stick you with the debt, Mathews adds one more place to watch: "explanation of benefits" forms from your insurer. They're often hard to read. But you can at least make sure you recognize the provider and date of service.

Consider a credit freeze. Mathews does this, too, and it's a smart move for anybody who doesn't need a lot of access to instant credit in the checkout line.

You establish a freeze by contacting each of the three national credit bureaus: Experian, Equifax, and TransUnion. State laws vary, but freezes are free for everybody in New Jersey and for identity-theft victims and the elderly in Pennsylvania.

You get a PIN number that enables you to temporarily thaw your report if you want to apply for credit, so a potential lender can check it.

The value is that an identity thief can't use your name and vital information the same way: to open a new account in your name.