Earlier this week, I threw up a quick blog about a new service, TrustedID’s StolenIDSearch.com. That blog post generated a regrettable amount of rancor.
Unfortunately, I was moving quickly and didn’t sufficiently explain all the details in that blog post. I’ve been deeply embroiled in the Julie Amero scandal and then flew to the ISOI conference at Microsoft. At the same time, I have to run a software company. So sleep has been at a premium and I rushed a few things I shouldn’t have — like that blog post. (I’m not whining — I love my hectic life!)
First of all, let me agree with many of the comments and say that that I don’t believe StolenIDsearch.com is a perfect idea. There are problems with this type of service, and they’ve been picked up by others and I won’t rehash the details. However, a lot of the issues mentioned have been addressed in a blog post by the TrustedID CEO here.
A little background from our side: Over the past couple of years, we’ve come across lots of compromised data. At first, we did a variety of things, like contact individuals whose identities had been stolen, sharing stolen credit card numbers with banks, and of course, cooperating with organizations like CERT and financial institutions. After a while, however, we came to the conclusion that there simply wasn’t a valid clearinghouse of this type of information.
Enter TrustedID, a company well-funded by some of the top people in Silicon Valley. The company’s mission is to provide credit-protection services for consumers, and they seem to be doing a good job of it. The CEO, Scott Mitic, is a former senior executive with Fair Isaac, an organization with a very strong record of consumer protection and privacy (one doesn’t get a job easily at Fair Isaac ). The rest of the staff at TrustID are serious professionals with excellent backgrounds, and as Scott puts it, “consumer privacy runs in their blood”.
So Scott contacted me about a new idea they had, which was to provide consumers a way to check if their credit cards had been stolen. The idea was a simple: You went to a highly secure site, entered your credit card number, and it came back with whether or not it may have been compromised. Along the way, they would display an ad for their credit protection service in order to fund the service.
Subject to our performing a due diligence on the company, we agreed to collaborate with a small amount of information sharing, We started cautiously, and, in fact, are still treading cautiously.
However, we know that the fundamental problem is an international clearinghouse is needed for stolen information, with involvement by reputable financial institutions and government agencies. At the conference last week, we met with other security experts on the matter, and I hope to see some progress in this area.
As for StolenIDSearch, we may continue to collaborate with them to a limited degree, as we do with many other security companies. However, we are focusing our major efforts on creating this international clearinghouse with other security and privacy experts — I believe this is a much better solution to the problem of stolen data.
Alex Eckelberry