Episteme

Mike's random thoughts and ramblings

My New Web 2.0 Identity Theft Scheme

So, I was reading the latest posts over at Web Worker Daily, and I came across the announcement of a new service for backing up physical data. From the article:

"This week I’m going to hit up a new service that aims at backing up your important physical data. KeepYouSafe.com has built a secure storage network for your vital personal information like medical records, drivers license copies, passports, wills, credit card copies, financial records, insurance papers, basically everything in your wallet and personal filing folders that you deem important.

The service allows you to scan and upload documentation to your Online Safe Deposit Box through a web browser. Is it secure? KeepYouSafe says they employ military grade encryption to keep data safe. There are also multiple servers worldwide so that if anything happens, there will always be a copy available."

I read that, and almost fell off my chair. And then I went to the site and was reduced to asking myself: "is this Adam playing a joke?"

Checking out KeepYouSafe.com, I noticed a few things that got my spidey sense tingling on a crazy level:

  1. Nowhere on the site is there any identifying information - there's no information on the company founders, no information about the background of the company, and generally, no identifying information at all. And nothing in the domain registry info, either.

  2. Their terms of use abdicate all responsibility - Okay, so, surely, they're going to take responsibility for the information, right? Much like a bank, there's going to be some sort of insurance that if they lose my data, they're going to pay for it, right?

Uhh... no. From their terms of use:

2. KEEPYOUSAFE.COM AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, INVESTORS, MEMBERS, PARTNERS AND LICENSORS MAKE NO WARRANTY … (vi) THAT THE DATA AND FILES YOU STORE IN YOUR ACCOUNT WILL NOT BE LOST OR DAMAGED OR EXPOSED;

Even more important to my security spidey sense was their technical white paper about their security architecture. It's worth a read - it's just about the perfect document for giving someone who has never done any security a complete false sense of security. (That said, I like their use of One Time Passwords, assuming that they did it right.)

Seriously, I don't know these guys from Adam - this may very well be a legitimate service. My point is that it's impossible to know them, actually, since there's no identifying information. And that should be terrifying to anybody who uses them.

As far as I'm concerned, my secure documents are going in two places: close to me and in a location that has a good understanding of my need to transfer risk to them. This organization isn't actually allowing the transfer of risk - if they were, they'd be insured against any loss of personal info and they'd have the requirement to reimburse users for loss.

Of course, this would be a great idea for an identity theft scam:

"Please scan and send me all of your important data... I'll protect them, I promise. (But my terms of service say that I don't have to.)"

Gives me the willies.


About the author

Michael Murray
