Friday, October 31, 2008

Referencing the Managed Identity Services Survey Results

I've had a few requests from various people asking if they can refer to or quote the Managed Identity Services Survey results. My answer each time has been that I have no issues as long as they don't re-sell the results in any way and to make sure they attribute it to my blog.

So, I've taken the liberty of licensing the survey results under Creative Commons as follows:

Creative Commons License
The Managed Identity Services Survey and Results by Ian Yip is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

In fact, if you cast your eyes over the right column of the blog, you'll notice I've now licensed everything I write/produce on here the same way. Of course if you're planning to refer to the survey results, it would be great if you could tell me just so I know. You don't have to, but it would be nice :-)

Tuesday, October 28, 2008

Results for Question 14 of the Survey

If you were paying attention when I released the Managed Identity Services Survey results yesterday, you may have noticed it was missing the results for question 14.

As I explained at the time, the graphs didn't reflect the actual numbers so I had to take a closer look before publishing them. They've now been corrected and the results updated accordingly.

Now comes the task of working with Identropy and our unbiased third party helper to determine the recipient of the iPod touch. Stay tuned.

Monday, October 27, 2008

Managed Identity Services Survey Results

The Managed Identity Services Survey was closed 2 weeks ago. I said at the time that I had to consolidate the data to produce useful results. It took a little longer than I expected but it's done. A very special thanks to my better half for helping to produce the charts below. And if you thought question 14 was a pain to answer, it was nothing compared to trying to graph the results for it. (Update: I had to remove the results for Q14 because the numbers were a little wonky. Something was lost in the translation between the raw results and the visuals. I'll update accordingly when they are corrected. Update 2: Q14 results have been corrected and uploaded. They are now available at the end of this post.)

If you don't see your exact answer (for those that bothered to type into the "Other" box for your response) in the results it was because I consolidated it into one of the other answers.

Unfortunately, I can't seem to figure out how to make this blogging engine display images at full size within the page. It seems to only allow for a much smaller version to be inserted and forces the reader to click on each for a full size image. In light of this, I'll take some time within the next week to produce a PDF version of these results for those that prefer an actual document and don't feel like clicking through each image. I'm also planning to write a whitepaper that aims to summarise the survey and give some additional insight based on viewing the data in different ways (this one will take some time so please be patient).

If you are up to it, please feel free to write up your own analysis of the results. Be sure to let me know and I'll link to it.

Without further ado, I present *drum roll*...the results along with the corresponding questions (as I said, you'll need to click on each image for a larger version...unless you have a magnifying glass).

Question 1 - Which country do you live in? (optional)

Comment: Although this was optional, almost everyone completed this question.

Question 2 - Which organisation do you work for? (optional)

Comment: I won't publish the breakdown of all responses here because only roughly half the respondents filled this in. Here is a sample of some of the companies represented: IBM, Oracle, Accenture, Duke University Medical Center, Lehman Brothers, Apple, Tiffany & Co.

Question 3 - How large is your organisation?

Question 4 - Which industry vertical does your organisation best fit into?

Question 5 - What is your role within the organisation?

Question 6 - What do you consider to be your primary area of focus?

Question 7 - Where do you fit into the decision making process?

Question 8 - What services (if any) do you currently outsource?

Question 9 - What stage of your identity management journey are you currently at?

Question 10 - Which of the following solutions have you implemented and how?

Question 11 - If you decided to outsource your identity management infrastructure, which model would your preferred approach be?

Question 12 - What do you see as the biggest barrier to outsourcing identity management?

Comment: I included some of the raw answers left by various people here because while I could probably have consolidated them, I felt it was useful to leave them alone for all to see.

Question 13 - What do you see as the biggest benefit that outsourcing identity management provides?

Comment: I included some of the raw answers left by various people here because while I could probably have consolidated them, I felt it was useful to leave them alone for all to see.

Question 14 - When do you believe your organisation (or other organisations) will be ready for each of the following outsourcing options?

Thursday, October 23, 2008

Part 2 of my conversation with Amit Jasuja from Oracle

I mentioned yesterday that I spoke with Amit Jasuja, Oracle's Vice President of Development for their Identity Management Product Suite. This is the follow up post to part 1, which focused on Oracle Adaptive Access Manager (OAAM). In this post, I'll cover some of the other things we discussed.

It's probably a good idea to point out that we discussed some roadmap items and even though Amit didn't remind me that items on a roadmap are not guarantees that functionality will make it into the planned release, I'll do Oracle the favour of mentioning it on their behalf. I used to have to do this all the time so I'm aware of the drill :-)

Apart from discussing OAAM, I revisited some of the questions I asked Oracle President Charles Phillips when I met him earlier this year (because Charles didn't really answer them completely) and Amit obliged.

Essentially, part of the strategy for Oracle's overall software stack (particularly Fusion Middleware) is to have everything be "hot pluggable" with their Identity Management suite. But let me take a step back for a moment. Like many other large vendors out there, Oracle's been pushing an open strategy around Service-Oriented Architectures (SOA) and the fact that all their products will eventually support the ability to leverage (and underpin) an enterprise service bus (or whatever buzzword you feel like using). One of the main benefits in doing so is to allow for a vendor agnostic architecture where organisations aren't "locked in" to specific products (note that the industry is a long way from this being a reality despite all the hype). There are other benefits but that's a topic for another day.

The organisations arguably making the most noise around SOA are IBM and Oracle. But Oracle is making more noise (and it seems progress) around the notion of Enterprise Identity Services (Nishant Kaushik in particular seems to be spending lots of time on this) and Amit was quick to point out that the Identity Management group will be keeping with the strategy of openness while being mindful of having to show the value Oracle's products can provide over their competitors. In short, most of Oracle's software will eventually be built to support the use of SOA-like interfaces thus allowing for interoperability with competitive solutions (assuming the likes of IBM, CA, Sun and Novell build products that support the relevant standards for the relevant use cases). It will then be up to Oracle to convince organisations that even though they could use a competitor's product, Oracle's Identity and Access Management suite is the best option because of additional benefits. Amit mentioned some examples like certified support for the Identity Governance Framework (which I should point out was originally an Oracle initiative but has since been submitted to the Liberty Alliance to carry forward) and perhaps things like "quick start" initiatives with pre-built policies for use with Oracle software.

It's great to see Oracle's strategy is to make all their software "play nice together" while being open at the same time. In reality however, the sales teams will sell whatever combination of products that will fit into a customer's budget. If they have to drop products out of the solution proposal to bring it under budget, they will. It's just how the sales teams work, especially if their numbers aren't 100% tied in to Oracle Identity and Access Management software sales :-)

We also briefly touched on various pieces of the Identity and Access Management suite being "pre-baked" into other Oracle software products (e.g. there's a lot of work being done to embed Oracle Virtual Directory within other products) before moving on to exploring Oracle's relatively new Entitlements Server (OES), itself a prime candidate for being embedded within other products. I didn't want to focus on functionality because I already knew about it at a high level. I was more interested in where Oracle's headed with the product from a strategic standpoint.

The obvious direction is to have OES be the fine-grained authorisation engine for just about everything, but Oracle's software stack is HUGE. In other words, it's not an easy task (even if they go with the SOA approach) and I don't think it's going to happen very quickly. Knowing this, I shifted the focus purely to the Identity and Access Management products and their use of OES to externalise authorisation. The answer: yes, but not yet. I used Oracle Identity Manager (OIM) as an example and Amit told me that the plan is to allow for the externalisation of OIM authorisation policies to OES in the next release (e.g. delegated administration settings). He did note that OIM can already provision to OES out of the box (I would have been VERY surprised if that wasn't the case).

Finally, we moved on to speaking briefly about Governance, Risk and Compliance (GRC) that controversial "catch all" three letter acronym. I wanted to know Oracle's plans around identity-centric GRC. If you aren't familiar with the whole GRC thing, I've written about it in the past so have a quick read and then come back.

As it stands today, Oracle's GRC product is much more focused on the financial and enterprise governance (and compliance) aspects and is hooked into their Finance, ERP and CRM applications. In terms of Identity Management and compliance however, we tend to hear a lot more about identity and user account focused access controls, attestation and segregation of duties (SoD). The products in this area receiving the most press of late are SailPoint's IdentityIQ and Aveksa's Compliance Manager.

Oracle's GRC product doesn't actually compete in the identity-centric GRC area (at least not directly). But in light of Sun's very recent launch of its Identity Compliance Manager and Novell's entry into this space through their Access Governance Suite (which is actually Aveksa re-branded via an OEM agreement), I wanted to know if Oracle had any plans to expand their GRC offering to address identity-centric compliance.

Amit's answer was that Oracle does in fact have plans to do this and they are looking at expanding the capabilities of the existing GRC product instead of building a brand new one. This essentially means that the GRC product will get additional features and hooks into the Identity and Access Management suite and vice versa. This includes things like building on the existing attestation capabilities of OIM and supporting the ability to deal with SoD policies through mining existing user entitlements and also using preventative measures (like CA will have once they finish integrating the features of the recently acquired IDFocus product).

Despite Amit almost calling me a journalist on the call, I'm far from one. What I'm trying to say is that I didn't really take any notes. I just spoke to him about a topic I find very interesting and now I'm writing about it. Hence if any of you in the Oracle community (Nishant? Clayton? Mark? Anyone else?) want to confirm, deny, correct or add to any of this (or part 1) feel free to do so via the comments. If not, we'll all just take everything I've said as fact and hold product management to my claims :-)

Ultimately, talking about plans which make a lot of sense means very little other than to communicate intentions. They key will be how Oracle executes and how quickly they do it. Otherwise, they might as well be telling us they want to put a guy on Jupiter.

Wednesday, October 22, 2008

Part 1 of my conversation with Amit Jasuja from Oracle

For those that are unaware, Amit is Oracle's Vice President of Development for their Identity Management Product Suite.

I tried to catch him during his last visit to London but our schedules didn't allow for it. This time, it hasn't quite gone 100% to plan either as I'm not available on the day he's in London this week. So we had to make do with a chat on the phone today while he's in Prague for the Burton Group Catalyst Conference. And before anyone asks, yes Oracle PR set up the call. I'm not one to turn down interesting conversations about Identity Management.

Naturally the topic of conversation was related to all things Oracle, particularly their Identity Management products. Top of the list of topics was Oracle's release of the new version of their Adaptive Access Manager (OAAM) product. To his credit, Amit let me take the conversation wherever I wanted.

I did actually start by asking about OAAM, given how little I knew about it (never having seen it in action). This blog post details the part of our conversation that was focused on OAAM. We spoke about other things as well, which I will write about in a follow up post.

I'd only read about OAAM through articles, data sheets and whitepapers. Oracle's whitepapers are actually pretty good compared to the other large vendors as they give away quite a lot of information. Others tend to release short, crappy whitepapers that don't say a lot so you're forced to speak to their sales reps in person if you want to learn anything.

I didn't want to focus on the press release because to a person who doesn't know a great deal about a product (i.e. me), being told about new features is pretty useless. My aim was to understand OAAM a little better. So I started by asking how Oracle positions OAAM against Access Manager (OAM), and Entitlements Server (OES) (which they got via the BEA acquisition earlier this year).

Oracle sells their products much like other large vendors. They go with a solution approach and then figure out which products fit the specific customer requirements. Oracle does this by using an "Access Management Suite" umbrella, under which they slot OAM, OES, Oracle Identity Federation and to a certain extent their Enterprise Single Sign-On (ESSO) offering (which is actually Passlogix re-branded via the OEM agreement).

The other bits and pieces I just mentioned are as you would expect: OAM does web access management and course-grained access control (just like the other large vendors), OES does fine-grained access management and is very much focused on programmatic controls and SOA (with a big dose of XACML), Identity Federation does all the Federated Identity stuff (SAML, Liberty, WS-* etc.) and ESSO does desktop single sign-on.

OAAM on the other hand, is another animal altogether. None of the other large vendors have a product like it (I wrote about the Bharosa acquisition last year) and it does do a lot of useful things (assuming it works as prescribed). Amit mentioned that OAAM is typically implemented by organisations that are looking to address fraud or simply want more than prescriptive, static, course-grained access controls that the standard web access management products provide.

OAAM does this via behavioural analysis based on risk scoring. I don't know how sophisticated the policies can get but the key is that it does this in real time based on a multitude of factors including the meta-data around the user's persona, session details, contextual information and historical aspects of the user's known actions. For example, if a person typically puts through a trade once a week of a value around $1000 and they suddenly do multiple trades on a single day, each of a value greater than $5000 then this could raise a flag or even prevent the actions. There are obviously thresholds and a bunch of policies that need to be implemented to make this happen and I'm under no illusions that it's the easiest thing in the world to do.

Amit was also correct in pointing out that people have to be careful when implementing these policies because you can potentially get lots of false positives and will have to spend time tuning them. This is something I'm quite familiar with from my time spent in data security. Whenever there are a bunch of contextual factors in play, you will no doubt get false positives. If you don't manage it properly, you will get LOTS of false positives effectively rendering your solution useless.

The thing that surprised me was that it also takes into account the information you're dealing with, not just identity and session information. I'm talking about the business data, which allows for more data-centric policies (something that is sorely lacking in many access control environments). Of course, I'm a bit biased in this respect because thanks to my time in data security, I now think everything should be related back to data in some way instead of being based on static, reactive access controls. In other words, I think real-time security controls need to take identities, context and data into account. Again, Amit did warn against balancing the data-centric stuff against performance. The more in-line data you watch for, the slower OAAM is going to get.

OAAM does have more features than I've mentioned (including additional authentication mechanisms you won't find in stock standard web access management products) but I don't work for Oracle so I won't go through all of them. If you're really interested, go read the supporting materials.

I still think there's more that could be done to improve the product. They've only scratched the surface of sophistication that one could have in performing data-centric, identity and context aware controls based on real-time behavioural analysis. But it's a decent start towards making access control more pro-active instead of the traditional reactive measures we've had to implement in the past. Most importantly, it's something the other large vendors don't have (but would love to be able to whip out in a sales situation). So for now, Oracle can wave it around in the faces of the competition.

I should stress once again that I have yet to see it in action so I can't speak for its reliability, ease of implementation or that it does everything Oracle says it can do. But as the saying goes: "in the kingdom of the blind, the one-eyed-man is king" :-)

I'll write about the other things we spoke about in a follow up post.

Monday, October 13, 2008

Managed Identity Services Survey now closed

The survey's officially closed. Thank you very much to the 70 respondents who took the time and effort. I know question 14 was a real pain :-)

I'll be releasing the basic results soon (and follow up with a more detailed analysis later), but here's a teaser:
  • Over half work for organisations with more than 1000 employees.
  • Many work for organisations in the technology industry, but financial services and healthcare are well represented too.
  • In the decision making process within their organisations, roughly 43% consider themselves decision makers while around 36% consider themselves influencers.
  • The most commonly outsourced service guessed it, software development.
  • When asked what stage of their Identity Management journey their organisation was at, one response gets rather specific: "Sunsetting an old provisioning tool (CA's) (in production 3 years) and replacing it with a new one (Sun's)".
  • Lots of people have implemented Active Directory and LDAP (not surprising), but Federated Identity Management is the least prevalent solution (I'm actually not surprised, but some might be given all the vendor hype around Federation).
The full results are very interesting. I'll post them up as soon as I consolidate the data (e.g. USA, US, United States, United States of America all mean the same thing so I have to standardise the result set accordingly).

I'll also organise the logistics of determining the lucky iPod touch recipient with Identropy. The process will be as transparent as we can possibly make it.

Thursday, October 09, 2008

October is the month to be aware

I must have missed the "World Security Awareness Month" memo.

I've already pointed out the awareness initiatives in Australia and the UK this month. Apparently the whole of October is National Cyber Security Awareness Month in the US. This one's a US Department of Homeland Security initiative though, not one conjured by an office equipment supplier as a marketing exercise. Here's an article that summarises some of the things going on. For some comic relief, here's what Microsoft suggests that people do.

Without further ado, I officially declare October to be:

Worldwide Don't Let The Bad Guys Steal Your Financial Details To Commit Fraud But Then Again It Doesn't Matter Because There's No Money To Be Stealing Anyway Thanks To Greedy Bankers Awareness Month.

That should cover any other "awareness initiatives" that pop up this month.

Wednesday, October 08, 2008

It's National Identity Fraud week in the UK as well?

I mentioned the fact that next week is National Identity Fraud Awareness Week in Australia. What I failed to realise is that this week is National Identity Fraud Prevention Week here in the UK. I've either been REALLY tuned out of the mainstream media or their marketing needs some work.

The same company is behind both initiatives. I gave them a bit of a backhanded compliment remarking that I thought it was a good marketing campaign to sell their paper shredders. But the execution needs a little work and they need to pay attention to the finer details starting with:
  1. The URLs - the Australian site's URL is while the UK site is No wonder I couldn't find the UK site when I first heard about the Australian one. Also, both campaigns officially use the term "Fraud". Why the heck does the Australian URL have "theft" in it? Fellowes need to hire some "consistency police". To that effect, I rescind my kudos to them for being educated enough to use the term "fraud" instead of "theft".
  2. Why does the UK get a "Prevention Week" while Australia gets an "Awareness Week"? Are they implying the UK have gone beyond awareness and need to think about prevention while Australia are behind the times?
On the other hand, I'm probably just being really picky.

Tuesday, October 07, 2008

We've hit the target of 50 responses

I extended the deadline for the Managed Identity Services Survey yesterday, but the number of responses crept over 50 overnight. This is great news of course because it means that I'll be able to release the results and a lucky person will be the recipient of the iPod touch.

As a result, the survey will definitely be closed at 11:59pm GMT (London time) on Sunday 12th October 2008 and won't be extended.

Monday, October 06, 2008

Survey deadline extended

We've just gone past the deadline for the Managed Identity Services Survey. Unfortunately, the number of survey responses hasn't quite hit 50, although it was very, very, very close.

If you read the full set of rules, you would have noticed the following:
"The survey will be closed at 11:59pm GMT (London time) on Sunday 5th October 2008 unless the target number of 50 responses has not been reached."

As the rule states, I have to extend the deadline. The new deadline is now 11:59pm GMT (London time) on Sunday 12th October 2008, which is an extension of a week (the survey rules have been updated to reflect this extension with a link back to this blog post for details). The number of responses should hit 50 well before the week is up, but there's no harm in collecting more.

Here's the direct link to the survey. Once again, thanks to all participants to date. I know it takes some effort to fill in, but we're in for some very interesting results (not to mention the iPod touch).

Friday, October 03, 2008

Survey closes in a few days

Here's a friendly reminder that the Managed Identity Services Survey closes on Sunday night (October 5th). That's in 2 days so if you've been meaning to get around to it, now's the time if you want a chance at the iPod touch courtesy of Identropy.

I know some find it difficult, which might be why we haven't hit the 50 response mark yet. We're over 50% of the way there though so let's make an effort to get to the target. Feel free to forward it on to other informed individuals. Remember, unless there's 50+ responses I'm not publishing the results. It also means no one gets the iPod touch :-(

By the way, if all the "bail-outs" actually bothered to complete what they started we'd be well and truly past the finish line with time to spare.

I'm not a baseball fan, but I can't think of another corny cliche at the moment: "Bottom of the 9th and we need a home run. Batter up!"

IBM tries to rain on Novell and HP's parade

The cynic in me is crying out for this blog post, so here I go.

It's not that I enjoy pointing out my ex-employer's boneheaded moves, but...ok so I do just a little bit.

IBM issued a press release today harping on about:
"migration services and competitive migration pricing for abandoned HP Identity Center security software customers aimed at helping them benefit from IBM's broad capabilities for securing and efficiently running IT for their business."
For those that don't remember, HP got out of the Identity Management software business earlier this year and left their existing customers with a bit of a problem. Then along came Novell on their horse offering to ease the pain in partnership with HP.

From what I can gather by reading the Novell and HP partnership press release, existing customers get equivalent Novell Identity Management software for free (until the middle of 2009) and some migration tools jointly developed by HP and Novell. There is no mention of free services however, so I assume there's some cost there.

I didn't see the word "free" anywhere within IBM's announcement. So my question is, are they going to guarantee that the combined software and services costs are going to be less than Novell's? If not then what the heck is the point of offering to "Bail Out HP Security Software Customers" (part of the press release's headline)?

Oh, it gets better:
"In response to HP's discontinued identity management products, IBM offers competitive migration pricing for software and migration services through IBM Internet Security Systems (ISS)..."
Notice the problem? IBM ISS specialise in network security! Talk about picking the wrong business unit to offer up as the service provider. It would have made a bit more sense if they had said IBM Security and Privacy Services (which was the division I worked for before doing my IBM Tivoli thing) or IBM Software Group Services (who used to try to bill me out to customers because I knew stuff, even though I worked for the IBM Tivoli technical sales team - management usually said no by the way, except for a few times I had to run customer training sessions because they supposedly "asked for me by name"). Both these business units have had years more experience deploying the Tivoli Security suite of products. They also have a heck of a lot more people that have the necessary skills to do the work.

Here's a few speculative reasons why they might have made this announcement:
  1. To piss Novell off a little bit and also hopefully catch all the existing HP customers that don't like Novell for some reason. Of course, there's nothing stopping customers from going to Oracle, CA or Sun. I dare say they'd willingly give existing HP customers "competitive pricing", which by the way means nothing becase it's not quantifiable.
  2. A boneheaded IBM ISS executive was trying to figure out how to increase ISS revenue and decided on this particular tactic.
  3. A boneheaded IBM executive was trying to figure out how to increase IBM revenue and decided on this particular tactic. The executive then thought that since it was security related, they would use the ISS business unit to deliver the solution because "hey, we acquired them 2 years ago as one of the world leaders in providing security solutions right?"
I wonder if the other consulting and services business units within IBM knew about this before the press release. My guess is not, but all you IBMers out there can correct me if I'm wrong. And if I'm right, there's going to be a few IBMers walking around today asking the same question and wondering why IBM has once again decided to compete with themselves.

This ISS rant assumes one thing of course, and that is that they actually find customers who want to switch from HP's Identity products to IBM Tivoli at a potentially higher monetary cost. I've already said I don't really see the financial value (I won't argue all the other bits because I'm trained to argue IBM Tivoli business value in my sleep).

In short, all of you working for ISS can just go about your business as if none of this ever happened. Well, all except the sales people who I'm sure will be told that they now have a new "innovative offering" to be peddling.

In other news buried within the same press release (I don't know why IBM keeps mashing multiple bits of news into the same press release), they announced:
"IBM Tivoli Security Policy Manager -- Brand new IBM software that provides customers the ability to develop centralized security policy management for managing application entitlements driven by compliance, data security and intellectual property protection. The adoption of SOA and Web 2.0 technologies poses unique security policy management challenges for managing user entitlements -- the loose coupling of services and mash-up applications across a business creates multiple policy management points, each of which may require its own administration. The IT reality to manage these policies and entitlements in an environment full of different vendors' technology is manual, error-prone and creates costly islands of security administration. Tivoli Security Policy Manager, available by end of 2008, provides standards-based, centralized application entitlement and SOA security policy management capabilities to help users strengthen access to new applications and services and improve policy compliance and operational governance."

Are you back from your eyes glazing over yet? Let me cut to the chase for you: the long marketing blurb basically means IBM Tivoli are releasing their Entitlement Management product later this year. I've seen it in action but am not at liberty to say anything at this stage thanks to the NDA. That said, it's probably not fair for me to be commenting anyway because I've only seen the Beta version, not the fully-fledged "we've tested the crap out of it and made it all nice and pretty" version. Well, maybe not the "nice and pretty" bit. If you've seen IBM software interfaces, they are rarely "nice and pretty". But I'm biased because I use a Macbook Pro as my personal computer :-)

If you work for IBM ISS, feel free to send any hate mail my way...

Is the PCI guy serious?

Version 1.2 of the PCI Data Security Standard was released yesterday. If you're really interested, you can find some analysis on what's new here, here and here (or via your favourite search engine of course).

I'm not sure how much more useful PCI DSS version 1.2 will be compared to the "worthless v1.1 incarnation" in a practical sense, but if comments by Bob Russo, General Manager of the Payment Card Industry Security Standards Council are anything to go by I'm not holding my breath.

On page 2 of an article today, he's quoted as saying:
"Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally. But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. So we'll be looking at that next year.
Is he serious? Or was he misquoted? Or maybe the comment was taken out of context? Or maybe my eyes are deceiving me?

Just because you have end-to-end encryption doesn't mean data is any more secure. Sure, if you have any of your disks stolen, then you're probably ok. But what about protecting consumers against your employees that have legitimate access to the data? If there's no monitoring and logging then there's no psychological deterrent and audit trail if something does happen!

I'm shaking my head in disbelief right now...

National Identity Fraud Awareness Week Australia

Here's a first, at least for Australia. A company has taken the initiative to raise awareness of Identity Fraud.

National Identity Fraud Awareness Week Australia is being run in partnership with Crime Stoppers Australia, the Australian Taxation Office and Veda Advantage (who do credit scoring of some sort). Apparently they've also run it in the UK, Canada and Japan.

The most interesting part of this is that the company responsible for the initiative is Fellowes. And what do they do? They sell office equipment! Strange you say? That's what I thought too, until I realised that one of the things they suggest people do to help prevent Identity Fraud is to shred all documents. The shredders they suggest? Fellowes shredders of course!

So here we have an office equipment company running a marketing campaign to sell shredders by promoting Identity Fraud awareness. I might sound a little cynical here, but I actually think it's a really good "think outside the box" marketing campaign. I'd never heard of Fellowes before, but now I have. They also picked up on something people are REALLY concerned about and will naturally take notice of.

Extra points to them for using the term "Identity Fraud" and NOT "Identity Theft". Kudos also for getting the ATO and Crime Stoppers involved.

I wonder if my bank just lost a whole bunch of credit card numbers

I'm talking about one of my banks in Australia, specifically the one that issues my credit card.

I'm wondering because they left a message for me to call them back URGENTLY. When I called, they basically said they had to cancel my card and issue me a new one because it had "potentially been compromised". When I asked if there had been any fraudulent activity, they answer was no.

So here I am, scratching my head wondering why my credit card had to be cancelled when there wasn't any suspicious activity (actually there wasn't any activity whatsoever on my card because I tend to use my UK credit card nowadays). The customer service person simply said "oh, the security department has determined that your card might have been compromised. It could have happened when someone swiped your card using a card reader capable of capturing the information required to produce a duplicate card."

I'm no genius, but if someone had indeed done that, how the heck would the bank know unless the card is actually used (and even then it would be speculation because they don't actually need to copy the card to commit fraud)? It's not like there's a big alarm that goes off and gets sent back to my bank when a card is copied. If that's what happens, then it would have had to be a criminal smart enough to hook their system up to the bank and send them the information successfully (kinda like the virus Jeff Goldblum uploads to the alien spaceship in Independence Day) yet be stupid enough to actually do it.

I suspect that they just lost a bunch of credit card numbers. I may never know for sure because it's not mandatory in Australia for companies to disclose any data loss incidents (this should change in my opinion - every institution in the world that stores personal or financial details should be made to disclose incidents just like US companies).

Which bank? No not that one (you'll only get this reference if you're familiar with the banks in Australia and have seen some of their marketing campaigns).