Russ Harvey Consulting - Computer and Internet Services

Identity Theft

Identity Theft | Protect Your Identity | Safe Practices | Reporting ID Theft

Protecting yourself from identity theft requires being aware of the danger signs.

Identity theft information is now contained on three pages:

Report Identity Theft

If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.

How much do you know about cybersecurity?

Take the cybersecurity knowledge test to see how much you understand about online security and the terminology involved.

Once you've evaluated how well you understand the issue, read the information on this page to help you understand Cyber scams and how to avoid becoming a victim.

Online Crime Treated Like White Collar Crime

Much like white-collar criminals, online criminals face far lighter repercussions if they are caught than someone robbing a store or kidnapping for ransom because it is assumed that cyber crime is not as serious. Victims of white collar or cyber crimes would disagree.

As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change. — Daniel Burrus

In addition, most of these crimes are committed abroad where it is much more difficult to prosecute the perpetrators.

Identity Theft: Obtaining Information by Deceit

Fraudulent phone calls, phishing emails and fake error messages generated by malware or website infections are all forms of identity theft perpetrated on innocent victims every day.

Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal using your identity rather than their own.

While the thief obtains financial or other rewards as a result, you are left with the financial loss or debt as well as potential criminal charges. Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.

A Rapidly Growing Crime

Identity theft is a rapidly growing crime. These are some of the annual highlights:

384 million identities were exposed in 2014 as a result of data breaches. That's equivalent to the whole population of Western Europe. — Symantec
[2015] was truly a watershed year in terms of hacks and it's estimated that over one half of American adults had their identity compromised in some way. — ZoneAlarm Blog

2016 was a banner year for the number and severity of account breaches highlighted by the Yahoo! breach of 500 million accounts later revealed to include all 3 billion account holders.

As many as 143 million Americans are said to be affected, the company said, representing about half of the US population. Some UK and Canadian residents are also affected, the statement confirmed. — ZDNet on the 2017 Equifax data breach.
The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record. — Times-Colonist on the 2019 TransUnion data breach.

Security Breaches Affect You

Each time there is a security breach of an online service that you use, it has the potential to reveal a pattern in your password use. In the very least it provides the personal information that was used to create and maintain your account.

It has NOT gotten better.

68% of breaches take months or longer to detect. — Menlo Security

Learn more about the privacy risks that these breaches entail and how you can better prepare yourself.

More About Data Breaches

Learn more about the history of data breaches including some of the largest and most damaging on record as well as how to prevent data breaches.

Other Forms of Exposure

Hacking is not the only way that data breaches happen.

Cambridge Analytica

Facebook allowed other companies like Cambridge Analytica to cull information about Facebook users. That information was reportedly used to affect the course of elections in at least one country.

There have also been reports that Facebook customer data was stored on websites unprotected by any security (you only had to know the web address to download the information).

NCIX Computers Never Wiped Customer Data Before Sale

One local example is the sale of personal information about former customers following the bankruptcy of computer retailer NCIX in Vancouver.

This personal information included IP, home and email addresses, passwords, credit card information and social insurance numbers.

Not only did the company fail to ensure that the computers containing customer information were wiped, but that data was so poorly encrypted that the information was sold on Craigslist.

Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not provide leniency for those responsible for not securing that information, including the former officers of that company.

White Collar Crime Punished Lightly

Until such crimes are punished appropriately and to the same degree as a similar blue-collar crime, these breaches will continue.

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.

Credit Information Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily obtained online.

  • Verification depends upon electronic data rather than hard copies (like the signature card previously used for verification).
  • The convenience of inter-branch banking and online transactions has resulted in poorer security.
  • The move to using your smartphone to do banking has additional risks, especially if your device is lost or stolen.

The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.

Passwords: Your eSignature

For online transactions, passwords have replaced a signature (or the wax seal that kings used to use) with a password.

Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something added for their own protection.

“User Names” are Public

For most of your online accounts, your user name is your email address. Since your email address is essentially public, that leaves only the unique password to protect your account from unauthorized access.

Weak Passwords are Like Blank Cheques

Unfortunately, many folks don't take their passwords seriously.

Afraid they'll forget a password, they make it simple and use the same password or simple variations for every account they create.

Your passwords are like a series of unsecured blank cheques that you've already signed. The only limit is the size of your bank account or your credit limit.

I recommend that you learn how to create secure passwords and take advantage of other options like two-factor security to protect your online accounts.

Ignorance is Your Undoing

Many people don't understand the risks of using older or unsecured technology.

Securing Your Computer

You probably wouldn't leave your car unlocked and unattended with the keys in the ignition, especially with the windows rolled down. You would avoid parking it in a bad neighbourhood.

If you were foolish enough to do so, you shouldn't be surprised to find it gone when you returned.

The Internet's anonymity provides similar opportunities to exploit your ignorance.

Replace Obsolete Software and Hardware

Many continue to use programs like Outlook Express long after they were obsolete and unsupported (dangerous to use), just like Windows XP, the operating system it came bundled with.

From a security point of view, both were like skeleton keys — easy to use but ineffective in preventing security breaches.

Just as seat belts, car alarms and ignition keys are inconvenient, so is online security. Choose a good security suite and learn how to use it to protect your computer and your privacy.

Return to top

Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you and your privacy is for sale.

[T]here is another reason websites track you — It's because you're worth a lot of money. Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you. — ZoneAlarm Blog

With your email address, they can send their advertising right to your inbox. If they know your marital status and how many children you have, they can identify potential markets. The more you reveal, the easier it is to target you.

Your Purchases Reveal a Lot

An open (not password protected) 4 terabytes of data from the People Data Labs (PDL) and (OXY) contained cross-linked information on over 1.2 billion people was found on October 16, 2019. PDL and OXY are data enrichment companies. What they do is allow companies to search:

  • Over 1.5 Billion unique people, including close to 260 million in the US.
  • Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
  • Over 420 million Linkedin urls
  • Over 1 billion facebook urls and ids.
  • 400 million+ phone numbers. 200 million+ US-based valid cell phone numbers.
De-duplicating the nearly 3 billion PDL user records revealed roughly 1.2 billion unique people, and 650 million unique email addresses, which is in-line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIN information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs. — ZoneAlarm Blog

It is interesting that the data is an accurate copy of data obtained from 2 different companies blended into one database. Someone either was a very large customer of both companies or managed to hack both databases. What was the reason it was available on an open IP address ( rather than hidden away?

Someone should be held accountable for both scraping (collecting) such data then combining it for profit as well as allowing it to be copied into an unprotected cloud account unnoticed. Personally, I'd like to see both companies (and similar operations) bankrupted for this breach. Perhaps security and tracking of the users of such sensitive data would be enforced by other similar operations.

Your Purchases Reveal a Lot

Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.

Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.

Dealing with Spam

Learn how to identify and deal with spam.

Don't unsubscribe from lists that you didn't ask to be placed on in the first place. Ethical companies don't use sneaky opt-out techniques in the first place.

Beware of Phone Callers

Phone calls about computer viruses, credit card deals, overseas credit card expenditures, holiday specials or warnings that you're about to get arrested for unpaid taxes are all scams. Just hang up.

Protect Personal Information

Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:

  • Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
  • Mother's maiden name.
  • Where you were born.
  • Your birth year.
  • Bank PINs.
  • Passwords.

Be careful about revealing billing addresses and employment information as well.

Ad targeting: Trusting merchants, social media, and mobile providers with personal information is a still-relevant posting on ZoneAlarm's blog.

While the successful completion of many credit card transactions requires that the shipping address match the credit card's billing address, this information is not necessary for most other transactions.

Posting on Social Media Sites

People sometimes post things on Facebook or other social media (or say them over the phone) without thinking about the consequences.

Facebook and Google knows more about you than your family and friends do. And they never forget anything.

Information that allows you to recover a lost password should be something you remember, but strangers shouldn't. That security is lost if you post it on Facebook.

These personal bits are commonly posted by people:

  • Family genealogy.
  • Pet names.
  • Former residences and occupational information.
  • Marriage dates and locations.

Your favourite sports teams are a poor choice because sports is a popular conversational topic.

Password Recovery

Most accounts are compromised by using the password recovery mechanism which invariably requires the response to questions that many people know about you (including those listed above).

While they are easy for you to remember (the reason companies use them) but are too easy to research or bring up in casual conversation.

"The Cloud" Has Risks

Cloud computing (“in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection.

Banning Encryption Short-sighted

Legislation is pending in some locations (including in the U.S.A. and possibly Canada) to ban encryption or to ensure backdoors are added. This is very short-sighted.

  • Effective encryption could help reduce the risk of hacks like those noted above.
  • Backdoors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible by the good guys.
  • Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.

Yes, encryption is used by criminals. So are our roads, public utilities, telephone systems, etc. Should we remove everyone's access to those as well?

It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't find them and use them to negate our security protections.

Return to top

Safe Practices

Much of the Internet is broken, a result of greed and exploitation at the expense of the majority who simply want information and entertainment but don't consider the risks of their behaviour.

Choose your web browser for its ability to protect your privacy and security online rather than accepting what has landed on your system. Next, you need to change some habits to protect yourself from malicious attacks.

Use Encrypted HTTPS Sites Where Possible

I strongly recommend that you only connect to sites that are encrypted. Unsecured sites are not encrypted and are vulnerable to man-in-the-middle attacks.

This is particularly important when using online banking or when shopping online — including anywhere that you are sharing banking or credit card details.

Secure sites are indicated by https:// in front of the address and/or some sort of a padlock symbol. The display varies by browser:

  • Firefox, Google Chrome, Safari, Microsoft Edge and Opera all use a grey padlock to the left of the address.
  • Both Firefox and Edge display the HTTPS:// prefix; Chrome, Safari and Opera do not.

HTTPS:// Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.

Choose a Safer Browser

Your Browser Choice Matters

Your choice of web browser can make a difference in your ability to protect yourself online. Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.

Firefox Recommended

Firefox's warning page for a reported attack site

Firefox is a much safer browser to use.

As an independent stand-alone product it is less vulnerable to cross-program security issues.

Because it isn't tied to an operating system or to a search company, it can focus on its users rather than those controlling the purse strings. It can perform all the features needed in a browser without the downside.

Have a look at some of the built-in security features of Firefox:

Firefox is also updated frequently, so security fixes and new benefits are available sooner.

Don't Use Internet Explorer

Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web. While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.

One of my pet peeves is programs that directly call Internet Explorer rather than the system's default browser. One example is TurboTax, where queries about sensitive data is being handled via an obsolete and insecure browser (a feature that users cannot change).

Windows 10 includes IE along with Microsoft Edge, however it was not intended to be used as your primary browser:

"You see, Internet Explorer is a compatibility solution," wrote [Microsoft security chief] Jackson in the blog. "We're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers. — ZDNet

Google Chrome

Google has paid free software vendors to automatically install Chrome as the user's default browser (few people check for the preselected options when installing this software). While replacing Internet Explorer as the dominant browser was a good thing, it was not so good when this practice replaced a browser like Firefox which protects your privacy.

Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail). Google makes their money by exploiting information you provide and Google NEVER forgets.

More About Browsers

Learn more about web browsers and plugs and vulnerabilities in Internet software.

Return to top

Report Identity Theft

Begin Immediately

If you suspect you've been the victim of identity theft, the sooner you act, the sooner you can begin to resolve the issue.

Identity Theft is a Long-Term Problem

If you are the victim of identity theft, you can expect to fight to regain your credit rating for years — over and over again.

Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.

While electronic data can quickly get you into trouble, financial institutions want physical (on paper) evidence that you're not responsible.

The Canadian Anti-Fraud Centre at 1-888-495-8501 can help you through the process. See the RCMP's Identity Theft and Identity Fraud Victim Assistance Guide for further help.

You should file a report with your local police and with credit reporting agencies (even though both have suffered significant data breaches):

Reporting identity theft or fraudulent transactions on your credit card(s) to the credit reporting agencies helps to prevent further abuse, particularly if someone tries to open new credit in your name.

You are entitled to one free credit report each year which discloses who has made requests for your credit report as well as allowing you to dispute errors.

It will likely be harder to prove identity theft than to execute it.

Equifax Untrustworthy

Equifax was hacked sometime between May and July 2017 but didn't report it until September.

Meanwhile, Some Equifax executives sold off their holdings.

Equifax has no credibility and can't safeguard your credit information. They used the least effective security possible. Shame on them.

Unfortunately TransUnion suffered a data breach in 2019 affecting 37,000 Canadians. It is disconcerting that those protecting businesses from fraud are so lax in their security that they are hacked, exposing private data intended to prevent fraud.

Unauthorized Purchases

Check your bills for unauthorized credit cards or charges for goods or services you did not receive (particularly from a foreign country).

However, unsolicited automated calls telling you that your credit card has been used to make a very large purchase are usually fraudulent attempts to secure your credit card information.

You may have to file a report with your financial institution(s) and to the police.

More About Identity Theft

More information about identity theft and how to prevent it:

Return to top

Related Resources

Related resources on this site:

or check the resources index.

Return to top

If these pages helped you,
buy me a coffee!
Updated: December 7, 2019