Russ Harvey Consulting - Computer and Internet Services

Identity Theft

Obtaining Information by Deceit

Identity Theft | Protect Your Identity | Safe Practices | Reporting ID Theft

Protecting yourself from identity theft requires being aware of the danger signs.

Identity theft information is contained on three pages:

Report Identity Theft

If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.

Huge Financial Costs

There are huge personal and financial costs if you allow yourself to become a victim.

How much do you know about cybersecurity?

Take the cybersecurity knowledge test to see how much you understand about online security and the terminology involved.

Once you've evaluated how well you understand the issue, read the information on this page to help you understand Cyber scams and how to avoid becoming a victim.

Online Crime Treated Like White Collar Crime

Much like white-collar criminals, online criminals face far lighter repercussions if they are caught than someone robbing a store or kidnapping for ransom because it is assumed that cyber crime is not as serious. Victims of white collar or cyber crimes would disagree.

As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change. — Daniel Burrus

In addition, most of these crimes are committed abroad where it is much more difficult to prosecute the perpetrators.

Identity Theft: Obtaining Information by Deceit

Fraudulent phone calls, phishing emails and fake error messages generated by malware or website infections are all forms of identity theft perpetrated on innocent victims every day.

Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal using your identity rather than their own.

While the thief obtains financial or other rewards as a result, you are left with the financial loss or debt as well as potential criminal charges. Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.

A Rapidly Growing Crime

Identity theft is a rapidly growing crime. Online crime is more lucrative than traditional crime.

I see several important reasons for this.

  • People don't understand technology they're using, whether it is at home or in the workplace.
  • We treat cybersecurity like something imposed on us rather than something protecting us.
  • We forget that the same Internet that opens the world to us, opens us to the world's criminals.
  • Corporations are more interested in profiting from the information they gather from us online than securing that information.
  • Security breaches are far too common and they weaken our security without significant penalties to that business.
  • Cybercrime is very profitable and the criminals seldom get caught because they're overseas.
  • Most criminal activity is bases upon threats. The vast potential market of gullible “marks” ensures success.

Security Breaches Affect You

Each time there is a security breach at an online service that you use, it has the potential to reveal a pattern in your password use. In the very least it provides the personal information that was used to create and maintain your account.

As many as 143 million Americans are said to be affected, the company said, representing about half of the US population. Some UK and Canadian residents are also affected, the statement confirmed. — ZDNet on the 2017 Equifax data breach.
The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record. — Times-Colonist on the 2019 TransUnion data breach.

Getting Worse, Not Better

The number, frequency and size of security breaches are not improving. Companies are protecting their servers, not their users' information.

Often companies don't even realize they've been hacked until long after the data has made its way into the dark web.

68% of breaches take months or longer to detect. — Menlo Security

Learn more about the privacy risks that data breaches create and how you can better prepare yourself.

More About Data Breaches

Learn more about the history of data breaches including some of the largest and most damaging on record as well as how to prevent data breaches.

Other Forms of Exposure

Hacking is not the only way that data breaches happen.

Facebook is Not Your Friend

Facebook allowed other companies like Cambridge Analytica to cull information about Facebook users. That information was used for unethical purposes such as affecting the outcome of elections and attempting to modify the moods of users.

There have also been reports that Facebook customer data was stored on websites unprotected by any security (you only had to know the web address to download the information).

One of the best security moves you can make is to get off Facebook.

NCIX Computers Never Wiped Customer Data Before Sale

One local example is the sale of personal information about former customers following the bankruptcy of computer retailer NCIX in Vancouver.

This personal information included IP, home and email addresses, passwords, credit card information and social insurance numbers.

Not only did the company fail to ensure that the computers containing customer information were wiped, but that data was so poorly encrypted that the information was sold on Craigslist.

Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not provide leniency for those responsible for not securing that information, including the former officers of that company.

White Collar Crime Punished Lightly

One of the reasons that the loss of personal information occurs is that companies don't see any reason to spend money to protect information they didn't pay for in the first place.

Until such crimes are punished appropriately and to the same degree as a similar blue-collar crime, these breaches will continue.

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.

Credit Information Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily obtained online.

  • Verification depends upon electronic data rather than hard copies (like the signature card previously used for verification).
  • The convenience of inter-branch banking and online transactions has resulted in poorer security.
  • The move to using your smartphone to do banking has additional risks, especially if your device is lost or stolen.

The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.

Passwords: Your eSignature

For online transactions, passwords have replaced a signature (or the wax seal that kings once used) with a password.

Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something that protects them.

[R]ecent Verizon research shows…unsecure passwords are the cause of over 80% of all data breaches at companies. — ZoneAlarm

Users Don't Take Passwords Seriously

Unfortunately, many don't take their passwords seriously.

Afraid they'll forget a password, they make it simple and use variations of the same password for every account they create.

The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password. — LastPass Blog

Once hackers have one password, they can use it to hack into other services, just like a Twitter hack that exposed users data because an administrative assistant reused passwords:

A hacker found a personal e-mail account for the administrative assistant previously mentioned. [T]he hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password. In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps. — Ira Winkler

Weak Passwords are Like Blank Cheques

Think of your passwords as a series of unsecured, signed blank cheques. The only limit is the size of your bank account.

Learn how to create secure passwords and take advantage of other options like two-factor security to protect your online accounts.

Don't Post Answers to Security Questions

Don't post the sorts of information typically used for the “forgot my password” recovery on social media.

We found that 51% of people believe there is no way a hacker could guess one of their passwords from information they've shared on social media. But we know hackers aren't dumb — if you're being targeted and don't have a strong password guarding your account, it would take a hacker seconds to do a search on your social media profile, learn the name of your pet, family member — even learn when your anniversary is — and use that info to guess your password. Don't make it that easy for them — try to be a bit discreet on social media. — LastPass Blog

Choose Your Software Carefully

You need to change some habits to protect yourself from malicious attacks.

You probably check the doors and windows in your house before going to bed at night. You need to secure your computer and software with the same diligence.

Ignorance is Your Undoing

Many people don't understand the risks of using older or unsecured technology.

Victims Unfamiliar with Technology

Most of the victims of identity theft are using technology they don't understand. Nor do the politicians making the laws that are supposed to protect you.

Online security is inconvenient. So are seat belts, locks and insurance.

Choose a good security suite and learn how to use it to protect your computer and your privacy.

Return to top

Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you and your profile is for sale.

[T]here is another reason websites track you — It's because you're worth a lot of money. Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you. — ZoneAlarm Blog

With your email address, they can send their advertising right to your inbox.

The more you reveal, the easier it is to target you. If they know your marital status and how many children you have, they can identify potential markets.

Weird Online Data Dump

An open (not password protected) 4 terabytes of data from the People Data Labs (PDL) and OxyData.io (OXY) contained cross-linked information on over 1.2 billion people was found on October 16, 2019. PDL and OXY are data enrichment companies. What they do is allow companies to search:

  • Over 1.5 billion unique people, including close to 260 million in the US
  • Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
  • Over 420 million LinkedIn URLs
  • Over 1 billion Facebook URLS and IDs.
  • 400 million+ phone numbers. 200 million+ US-based valid cell phone numbers.
De-duplicating the nearly 3 billion PDL user records revealed roughly 1.2 billion unique people, and 650 million unique email addresses, which is in-line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIN information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs. — ZoneAlarm Blog

It is interesting that the data is an accurate copy of data obtained from 2 different companies blended into one database. Someone either was a very large customer of both companies or managed to hack both databases. What was the reason it was available on an open IP address (35.199.58.125) rather than hidden away?

Who's Accountable?

Someone should be held accountable for both scraping (collecting) such data then combining it for profit as well as allowing it to be copied into an unprotected cloud account unnoticed.

If both companies (and the company officers) were bankrupted for this breach, perhaps the tracking of such sensitive data would be less attractive and companies would spend money securing the data as carefully as they secure the computers it is hosted on.

Loyalty Cards

Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.

Your Purchases Reveal a Lot

Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.

Dealing with Spam

Learn how to identify and deal with spam.

Don't unsubscribe from lists that you didn't ask to be placed on in the first place. Ethical companies don't use sneaky opt-out techniques in the first place.

Beware of Phone Callers

Phone calls about computer viruses, credit card deals, overseas credit card expenditures, holiday specials or warnings that you're about to get arrested for unpaid taxes are all scams. Just hang up.

Protect Personal Information

Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:

  • Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
  • Mother's maiden name.
  • Where you were born.
  • Your birth year.
  • Bank PINs.
  • Passwords.
  • Passport information.
  • Driver's license.

Be careful about revealing billing addresses and employment information as well.

The successful completion of many credit card transactions may require that your shipping address match the credit card's billing address.

This information is not necessary for most other transactions.

Personal DNA Tests

There is nothing more personal than your DNA.

Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can't be changed. — Consumer Reports

Tracking your genealogy has become very popular. Sites like Ancestry and 23andMe offer kits to take your DNA and use it to tell you more about your family history.

But these sites aren't as private or innocuous as they'd have you believe. In fact, they sell your DNA data to third parties and often have more rights to your DNA than you do after you agree to their contract.

But the DNA and genetic data that Ancestry.com collects may be used against “you or a genetic relative.” According to its privacy policies, Ancestry.com takes ownership of your DNA forever. Your ownership of your DNA, on the other hand, is limited in years. — Joel Winston

If you're going to get involved with these companies, realize that they hold all the cards. Be sure to examine their privacy policy and opt out (where possible) for your own protection.

Posting on Social Media Sites

People sometimes post things on Facebook or other social media (or reveal them to strangers over the phone) without thinking about the consequences.

Facebook and Google knows more about you than your family and friends do. And they never forget anything.

Information that allows you to recover a lost password should be something you remember, but strangers can't know. That security is lost if you post it on Facebook.

These personal facts are commonly posted by people:

  • Family genealogy.
  • Pet names.
  • Former residences and occupational information.
  • Your school and other educational information.
  • Sports teams and celebrities you admire.
  • Marriage dates and locations.

Password Recovery

Unfortunately, these answer the commonly-used questions that password-recovery options employ.

Most accounts are compromised by using the password recovery mechanism which invariably requires the correct response to personal questions.

Sure, you will remember the answers (the reason companies use them), but so will everyone that views your posts. Hint: it isn't just your friends and family.

These questions are too easy to research or bring up in casual conversation.

"The Cloud" Has Risks

Cloud computing (as “in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection.

Banning Encryption Short-sighted

Legislation is pending in some locations (including in the US and possibly Canada) to ban encryption or to ensure backdoors for police access are added. This is very short-sighted.

  • Effective encryption could help reduce the risk of hacks like those noted above.
  • Backdoors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible to the “good guys.”
  • Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.

Yes, encryption is used by criminals. So are locks, fences, roads, public utilities, telephone systems, etc. Should we remove everyone's access to those as well?

It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't find them then use them to negate our security protections.

Return to top

Safe Practices

Much of the Internet is broken, a result of greed and exploitation at the expense of those who simply want information and entertainment but don't consider the risks of their behaviour.

Watch Out for Malicious Attachments

One of the most common methods of attack are to send a phishing email with an infected attachment. Often these documents appear to be either invoices or notices of items shipped. If you open the document, you infect your computer or device.

Malicious Microsoft Office attachments are more common than malicious batch scripts and PowerShell scripts. — Tech Republic

Unless you're expecting such a document, DON'T open it, just delete it.

How to Verify Legitimacy

If you're unsure, verify the legitimacy of the document by calling the company using the contact information found on a recent invoice or statement.

  • NEVER use the contact information provided in the email.
  • NEVER click on links within the email (links can be faked).

Use Encrypted HTTPS Sites Where Possible

I strongly recommend that you only connect to sites that are encrypted. Unsecured sites are not encrypted and are vulnerable to man-in-the-middle attacks.

This is particularly important when using online banking or when shopping online — anywhere that you are sharing banking or credit card details.

Secure sites are indicated by https:// (notice the s) in the address and/or some sort of a padlock symbol. The display varies by browser:

  • Firefox, Google Chrome, Safari, Microsoft Edge and Opera all use a grey padlock to the left of the address.
  • Both Firefox and Edge display the HTTPS:// prefix; Chrome, Safari and Opera do not.

HTTPS:// Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.

Choose a Safer Browser

Your Browser Choice Matters

Your choice of web browser can make a difference in your ability to protect yourself online. Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.

Firefox Recommended

Firefox is a much safer browser to use.

As an independent stand-alone product it is less vulnerable to cross-program security issues.

Because it isn't tied to an operating system or to a search company, it can focus on its users rather than those controlling the purse strings. It can perform all the features needed in a browser without the downside.

Built-in Security Features

Firefox has built-in security features including one that warns you about reported attack pages:

Firefox's warning page for a reported attack site

Firefox gets a fresh update of forgery sites a whopping 48 times a day!

Privacy Features

Firefox is designed to protect your privacy and is updated frequently, so security fixes and new benefits are available sooner.

Firefox's Private Browsing mode allows you to surf without saving information about the sites and pages you've visited. Neither cookies nor passwords are saved.

Updated Frequently

Because Firefox is updated frequently, security and privacy fixes and new benefits are available sooner.

Don't Use Internet Explorer

Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web. While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.

One of my pet peeves is programs that directly call Internet Explorer rather than the system's default browser. One example is TurboTax, where queries about sensitive data is being handled via an obsolete and insecure browser (a feature that users cannot change).

Windows 10 includes IE along with Microsoft Edge, however it was not intended to be used as your primary browser:

"You see, Internet Explorer is a compatibility solution," wrote [Microsoft security chief] Jackson in the blog. "We're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers. — ZDNet

Google Chrome

Google makes their money by exploiting information you provide. Google NEVER forgets.

Google originally paid free software vendors to automatically install Chrome as the user's default browser (few people check for the preselected options when installing software). While replacing Internet Explorer as the dominant browser was a good thing, it was not so good when this practice also replaced browsers which protect your privacy, such as Firefox.

Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail).

More About Browsers

Learn more about web browsers and plugs and vulnerabilities in Internet software.

 

Report Identity Theft

Begin Immediately

If you suspect you've been the victim of identity theft, the sooner you act, the sooner you can begin to resolve the issue.

Long-Term Problem

If you are the victim of identity theft, you can expect to fight to regain your credit rating for years — over and over again.

Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.

While electronic data can quickly get you into trouble, financial institutions want physical evidence (i.e. paper copies of their official forms) that you're not responsible.

The Canadian Anti-Fraud Centre at 1-888-495-8501 can help you through the process. See the RCMP's Identity Theft and Identity Fraud Victim Assistance Guide for further help.

You should file a report with your local police and with credit reporting agencies (even though both have suffered significant data breaches):

Reporting identity theft or fraudulent transactions on your credit card(s) to the credit reporting agencies helps to prevent further abuse, particularly if someone tries to open new credit in your name.

You are entitled to one free credit report each year which discloses who has made requests for your credit report as well as allowing you to dispute errors.

It will likely be harder to prove identity theft than to execute it.

Equifax Untrustworthy

Equifax was hacked sometime between May and July 2017 but didn't report it until September.

Meanwhile, Some Equifax executives sold off their holdings.

Equifax has no credibility and can't safeguard your credit information. They used the least effective security possible. Shame on them.

Unfortunately TransUnion suffered a data breach in 2019 affecting 37,000 Canadians.

It is disconcerting that those protecting businesses from fraud are so lax in their security that they can be hacked, exposing private data intended to prevent fraud.

Unauthorized Purchases

Check your bills for unauthorized credit cards or charges for goods or services you did not receive (particularly from a foreign country).

However, unsolicited automated calls telling you that your credit card has been used to make a very large purchase are usually fraudulent attempts to secure your credit card information.

File a Report

You may have to file a report with your financial institution(s) and to the police.

Tax Fraud

Tax fraud is very common.

Never follow links in texts or emails.

Look up your tax documentation for accurate information (i.e. your Notice of Assessment).

The Canada Revenue Agency (CRA) will not phone, text or email you unexpectedly (with few exceptions).

Know what to expect when the CRA contacts you. The CRA will never:

  • set up a meeting with you in a public place to take a payment
  • demand immediate payment by Interac e-transfer, bitcoin, prepaid credit cards or gift cards from retailers such as iTunes, Amazon, or others
  • threaten you with arrest or a prison sentence

The following are resources provided by the CRA:

More About Identity Theft

More information about identity theft and how to prevent it:

Related Resources

Related resources on this site:

or check the resources index.


If these pages helped you,
buy me a coffee!


 

Return to top
RussHarvey.bc.ca/resources/identitytheft.html
Updated: September 3, 2020