Security has been a research thread of mine for years. I have studied computer security since about 2005 (my first patent application was in early 2006). As a result, I often look at the security aspects of processes and procedures that I encounter in daily life, such as credit card fraud, financial fraud, and identity fraud. My personal security plays a common role in these thoughts. We get a lot of mail, "paper mail" via the US Postal Service, and while much of it is junk advertising, some of it is financial in content - credit card statements, credit card offers (usually unsolicited), bank and finance statements, and miscellaneous items like stock proxy solicitations. Quite simply, I shred all of these that I do not need to retain.
* credit card statements - keep for a year or two, then shred;
* credit card offers - use immediately or shred (usually: shred immediately);
* bank and finance statements - keep for tax purposes, then shred at end of life (seven years or so);
* stock proxy statements - exercise the vote, then shred; and
* stock proxy documents (e.g., annual reports, 10K statements) - these are too thick to shred, so they just go in the recycling as they are not personalized in any way.
My minimum rule is to shred anything that has an account number, personal information (name, address), or any identifying number (such as a ballot number). This absolutely includes credit card numbers, Medicare numbers, Social Security numbers, or any parts thereof.
The risk is that a Bad Actor can get access to the shredded material and use manual or automated processes to reassemble the documents to get information useful for fraud or identity theft. After a few years, I realized that by shredding sensitive documents, I was providing the Bad Actor a clue: anything shredded was valuable and everything else was not. Therefore, I started shredding the entire packet: envelope, explanatory letters, and sensitive documents. This roughly doubled the amount of shredded matter, making the reassembly puzzle more difficult to solve. I now go even further and shred random bulk mail, intermixed with sensitive documents. This doubles again the reassembly puzzle. The Bad Actor will have to process a lot of magazine subscription requests to get to the useful stuff.
Finally, I put the shredded paper into the "yard waste" bin where it will be mixed with my banana peels and apple cores to make compost. And with all the apple cores and banana peels from my neighbors. Where this was not allowed, I would mix the shredded material with used cat litter; this may not destroy the little puzzle pieces, but the Bad Actor will have a very unpleasant time of reassembly.
Some materials do not compost: credit cards and backup CD-R disks come to mind. I do eventually shred these to make physical recovery difficult, but I demagnetize the strips on the credit cards before I shred them. These bits of plastic get mixed with regular garbage.
Even electronic information can be hacked. As I write that, it seems pretty self-evident, but I have a specific transaction type in mind. I will occasionally pay bills by sending a credit card number in an email message. I split the credit card information into (at least) two messages, each of which contains only part of the information. The first eight digits and the expiration date may go in the first message, and the final eight digits with the CVV code go in the second. The person on the receiving end need merely "glue" the bits of information together to effect the transaction. This splitting is not a lot of protection, but the Bad Actor will have to find and hack both messages to extract useful information.
For those who have fireplaces, another option is to burn the documents. However, one must be careful to thoroughly stir the ashes to break up the page structure of the documents, preventing reconstruction. I would also feed the pages into the fire a few at a time, as the center of a wad of pages may not reliably burn. Stirring would reveal unburned pages and allow for a second attempt at destruction. Once cool, dump the ashes with other garbage.
If you have confidential documents on computer media, the options change dramatically. A good quality USB flash-drive could survive a fire. It may look pretty messy on the outside, but the electronic contents may work when in the hands of a suitable expert. If you are concerned about the contents of a USB drive or an SD/micro-SD card, smash them with a hammer and check that this produces small pieces and that the chips are damaged. The circuit board (usually green) may be recoverable if the chips are intact.
If you are concerned about the contents of a disk drive or a "harddrive", you can either drill holes in it or dismantle it. Drill right through the metal shell, not just in the circuit board (often green). The disks rotate inside a vacuum or a special atmosphere (e.g., helium), so one hole is pretty safe, but drill all the way through the platters if you can. I take old disk drives to Boy Scout troops and let them disassemble the drives to learn how they work (an extension of the Computer Merit Badge). A destructive teenager can accomplish a lot with simple tools. The platters within modern disk drives are glass, so I recommend a good whack with a hammer. If you shake the disk and hear a rattling sound, you have hit it hard enough.
For CDs, CD-Rs, DVDs, DVD-Rs, and Blu-ray disks, your best bet is to shred them. Sometimes it is sufficient to bend them in half (break them in half if you can), but extreme physical damage is the objective.
Except under the most extreme techniques, the information in RAM (memory sticks) is lost within a few minutes of turning off the computer (typically seconds).
As a special case, modern copiers have computers inside them - meaning that they have disk drives or other storage. If you surplus a copier, be sure that the data is wiped to your satisfaction by the copier technician.
In the end, no security scheme is perfect. A Bad Actor with sufficient motivation and technology can undo the simple actions, so be destructive. Your damage may convince the Bad Actor that it would be easier to steal data from someone else, and that would be success.