Are You Faking It?

Sunday, January 06, 2013

Rebecca Herold


Are you faking it online? Or faking it at work?  While faking it certainly has its benefits in both places, I want to touch upon a couple of concerns I have with using fake identities.

Is real data *really* fake data?

Example #1…

A few weeks ago I got a text message from a phone number I didn’t recognize, with a rather odd message. I sent a text back asking, “Who do U think U sent ur txt 2?” The response, “Myrtle!”  I’m not Myrtle.  Turns out they were using a phone number they had found online that was associated with the Myrtle they knew.  That number associated with Myrtle was my real number.  Turned out this was a site, amongst a growing number of similar others, that is providing what they are touting as fake identities for others to use to test software and applications. However, upon doing some searches on their site, all the data items I found were actually verifiable names, addresses, social security numbers, and so on. It appears they took real data items and just mixed them, to a certain degree, to create what they are calling fake identities. They weren’t mixed completely; at least not for the data items I looked at. For example, the phone numbers and social security numbers were partnered with addresses for the actual vicinities where such numbers would actually be found. So, instead of creating a true fake identity, the sites are creating new identities composed of a cobbled-together mish-mash of real information; I call them Franken-IDs.

Example #2…

The previous experience reminded me of a situation that occurred in the mid-1990’s when I was responsible for information security and privacy at a large multi-national financial and insurance organization. After many meetings and messages, I finally convinced business leaders to stop using social security numbers as the primary customer identifier for most of the business services from that point going forward, and to allow existing customers to request another number if they did not want their SSN to be used as their identifier.  Keep in mind, at that time there were not laws or regulations against using SSNs as identifiers like there are today.

However, whenever a customer asked to have a new account number, the business managers told the customer service representatives to simply make up a new number that met the same format. They kept the format of an SSN because they didn’t want to take all the time and cost necessary to build a completely new database on the mainframe; it would be too expensive, they said. So, the various customer service agents throughout the business units started to simply make up numbers, in the SSN format, to replace the real SSN whenever a customer requested their SSN to not be used.

A few months down the road customer complaints started to trickle in, and then come in more frequently. It seems that a large portion of customers were customers of multiple business units, including the investments and 401K services. The customer statements were printed and sent to these customers using the customer ID (which was the SSN) of the customers, and many of the so-called “bogus” numbers that were made up by the customer service reps were actually real SSNs of other customers! So, through the programming logic that was in place, the people who had the made-up SSNs ended up receiving the statements of the people for whom the SSNs were real and valid. Oops. They hadn’t thought of that.

Of course the information security and privacy area found out about this after all the complaints had come in. We worked with all the business units to establish a process to create IDs that would not be actual SSNs for others. By knowing how SSNs are constructed we were able to accomplish this. FYI, no SSNs with an area number in the 800s, 900s, or with a 000 or 666 area number, have been assigned; and an area number of 666 will never be assigned. So, if you want a truly bogus SSN, or a fake identifier that must be in the form of an SSN, use a number starting with three digits from these possibilities.

So…

The previous sections give just two examples of how “fake” data, that was in actuality real data for someone, somewhere, resulted in some minor to major bad impacts. We could probably collectively brainstorm many other ways such “fake” identities that consist of actual personal information could negatively impact others.

It *IS* a good, and recommended, practice to use data for testing, and for IDs, that are not actual data for any individuals.  So, when you are considering the use of services that provide what they claim to be bogus or fake data for your organization to use for testing, or when you are determining identifiers for customers and employees, ask yourself the following:

  1. Could the data be actual identifiers for real people?
  2. If phone numbers, could they be real for someone? If so, could people start calling them? You can create truly bogus phone numbers by using 555-0100 through 555-0199; they are specifically reserved for fictional use – except for the 800 area code, where only 800-555-0199 is reserved.
  3. If SSNs, could they be real for someone? If so, what could the potential impacts be? Make sure you use a bogus SSN generator that will NOT create real SSNs by knowing how real SSNs are constructed.
  4. If credit card numbers, could they be real for someone? If so, could people actually start using them?
  5. And ask yourself similar questions for other types of personal identifiers.
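As an added example (not part of the original post), the SSN and phone-number rules described above can be turned into a generator for test identifiers plus an audit that flags values in a test-data set that could belong to a real person. The function names, the sample records and the 515 area code are constructed for illustration.

```python
import random
import re

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
PHONE_RE = re.compile(r"^(\d{3})-(\d{3})-(\d{4})$")

def unassigned_area(area: int) -> bool:
    # Area numbers the article lists as never assigned: 000, 666, 800s, 900s.
    return area in (0, 666) or 800 <= area <= 999

def ssn_safe_for_test(value: str) -> bool:
    m = SSN_RE.match(value)
    return bool(m) and unassigned_area(int(m.group(1)))

def phone_safe_for_test(value: str) -> bool:
    m = PHONE_RE.match(value)
    if not m or m.group(2) != "555":
        return False
    if m.group(1) == "800":               # article: only 800-555-0199 is reserved
        return m.group(3) == "0199"
    return 100 <= int(m.group(3)) <= 199  # 555-0100 through 555-0199

def make_test_ssn(rng: random.Random) -> str:
    # SSN-format identifier whose area number cannot match a real SSN.
    area = rng.choice([0, 666] + list(range(800, 1000)))
    return f"{area:03d}-{rng.randrange(100):02d}-{rng.randrange(10000):04d}"

def make_test_phone(rng: random.Random, area_code: str) -> str:
    if area_code == "800":
        return "800-555-0199"
    return f"{area_code}-555-{rng.randrange(100, 200):04d}"

def audit(records):
    """Return (row, field) pairs whose value could belong to a real person."""
    checks = {"ssn": ssn_safe_for_test, "phone": phone_safe_for_test}
    return [(i, f) for i, rec in enumerate(records)
            for f, ok in checks.items() if f in rec and not ok(rec[f])]

# Constructed sample test-data set (not from the article).
SAMPLE = [
    {"name": "Test User A", "ssn": "900-12-3456", "phone": "515-555-0142"},
    {"name": "Test User B", "ssn": "123-45-6789", "phone": "515-867-5309"},
    {"name": "Test User C", "ssn": "666-00-0001", "phone": "800-555-0150"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    rng = random.Random()
    print(make_test_ssn(rng), make_test_phone(rng, "515"))
```

Running the audit over data bought from a "fake identity" service before loading it into a test environment shows which rows need to be regenerated.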

Are fake online identities *really* harmless?

There are growing numbers of sites urging businesses to create fake Twitter IDs to follow their business ID to make it look like they have lots of customers, and to create fake Facebook IDs to follow and friend the business Facebook page, and basically urging the use of fake IDs on all other types of social networking sites for the same reasons. Facebook recently released statistics showing that there are more than 83 million fake accounts on its social network. This is over 8% of all their accounts. Businesses and other organizations (such as political groups, religious groups, and other types of membership or interest groups) are increasingly using fake social media accounts they created to “like” and “follow” and “endorse” and…the list goes on…their organizations as a marketing differentiator. Businesses are faking it as a marketing move to make their business look more popular than it actually is.  Celebrities are faking it to make it look like they are much more popular than they really are.  Some individuals in general are faking it to simply give themselves an ego boost; I guess imaginary friends are better than none, at least from their perspective? There are now even businesses making large amounts of income by selling these fake identities/friends/followers/etc. to such attention-starved organizations and individuals as their only business activity. So, no harm, no foul, right? Well, that depends.

Sometimes what seems like a harmless act will actually be something you realize upon thoughtful consideration as something that could result in harm of some kind.  Consider the following:

Now think:

  1. Do you want your business participating in activities that pranksters, fraudsters, crooks and pedophiles are also doing?
  2. Could this damage your organization’s reputation or brand value?
  3. Could this be viewed as unethical? (Usually…yes!)
  4. Could this result in your business having its industry rating lowered, or being removed from some type of designation, such as a Better Business Bureau stamp of approval, Good Housekeeping Seal, etc.?
  5. Is it really worth the risk just to get better stats about how many people are “like”ing or “following” your social media business presence?

Bottom line for all organizations, from the largest to the smallest:  If you are thinking about using fake identities within your business, or are already using them, carefully and thoughtfully consider the potential negative impacts along with the positive. Then, make a decision based upon how much risk your considered or current “faking-it” activities pose to your business’s reputation, and what possible problems they could cause for the individuals that actually possess your “bogus data.”

Additional information about using fake online identities

Here are just a few other articles discussing a much wider range of issues related to using fake online identities (there are hundreds of others out there for you to see if this topic intrigues you):

This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Cross-posted from Privacy Professor

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.