Obtaining Information by Deceit
Identity theft information is contained on three pages:
- Identity Theft: obtaining information by deceit (this page)
- Phone Fraud: scamming by phone
- Phishing: email scams
Report Identity Theft
If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.
Huge Financial Costs
There are huge personal and financial costs if you allow yourself to become a victim.
How much do you know about cybersecurity?
Take the cybersecurity knowledge test to see how much you understand about online security and the terminology involved.
Once you've evaluated how well you understand the issue, read the information on this page to help you understand Cyber scams and how to avoid becoming a victim.
Online Crime Treated Like White Collar Crime
Much like white-collar criminals, online criminals face far lighter repercussions if they are caught than someone robbing a store or kidnapping for ransom because it is assumed that cyber crime is not as serious. Victims of white collar or cyber crimes would disagree.
As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change. — Daniel Burrus
In addition, most of these crimes are committed abroad where it is much more difficult to prosecute the perpetrators.
Identity Theft: Obtaining Information by Deceit
Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal using your identity rather than their own.
While the thief obtains financial or other rewards as a result, you are left with the financial loss or debt as well as potential criminal charges. Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.
A Rapidly Growing Crime
Identity theft is a rapidly growing crime. Online crime is more lucrative than traditional crime.
I see several important reasons for this.
- People don't understand technology they're using, whether it is at home or in the workplace.
- We treat cybersecurity like something imposed on us rather than something protecting us.
- We forget that the same Internet that opens the world to us, opens us to the world's criminals.
- Corporations are more interested in profiting from the information they gather from us online than securing that information.
- Security breaches are far too common and they weaken our security without significant penalties to that business.
- Cybercrime is very profitable and the criminals seldom get caught because they're overseas.
- Most criminal activity is bases upon threats. The vast potential market of gullible “marks” ensures success.
Security Breaches Affect You
Each time there is a security breach at an online service that you use, it has the potential to reveal a pattern in your password use. In the very least it provides the personal information that was used to create and maintain your account.
As many as 143 million Americans are said to be affected, the company said, representing about half of the US population. Some UK and Canadian residents are also affected, the statement confirmed. — ZDNet on the 2017 Equifax data breach.
The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record. — Times-Colonist on the 2019 TransUnion data breach.
Getting Worse, Not Better
The number, frequency and size of security breaches are not improving. Companies are protecting their servers, not their users' information.
Often companies don't even realize they've been hacked until long after the data has made its way into the dark web.
68% of breaches take months or longer to detect. — Menlo Security
Learn more about the privacy risks that data breaches create and how you can better prepare yourself.
More About Data Breaches
Learn more about the history of data breaches including some of the largest and most damaging on record as well as how to prevent data breaches.
Other Forms of Exposure
Hacking is not the only way that data breaches happen.
Facebook is Not Your Friend
Facebook allowed other companies like Cambridge Analytica to cull information about Facebook users. That information was used for unethical purposes such as affecting the outcome of elections and attempting to modify the moods of users.
There have also been reports that Facebook customer data was stored on websites unprotected by any security (you only had to know the web address to download the information).
One of the best security moves you can make is to get off Facebook.
NCIX Computers Never Wiped Customer Data Before Sale
One local example is the sale of personal information about former customers following the bankruptcy of computer retailer NCIX in Vancouver.
This personal information included IP, home and email addresses, passwords, credit card information and social insurance numbers.
Not only did the company fail to ensure that the computers containing customer information were wiped, but that data was so poorly encrypted that the information was sold on Craigslist.
Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not provide leniency for those responsible for not securing that information, including the former officers of that company.
White Collar Crime Punished Lightly
One of the reasons that the loss of personal information occurs is that companies don't see any reason to spend money to protect information they didn't pay for in the first place.
Until such crimes are punished appropriately and to the same degree as a similar blue-collar crime, these breaches will continue.
It Used to Be Harder
Obtaining personal information is much easier than it used to be.
At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.
Credit Information Easily Accessed
These days credit card applications appear unsolicited in your mailbox and are easily obtained online.
- Verification depends upon electronic data rather than hard copies (like the signature card previously used for verification).
- The convenience of inter-branch banking and online transactions has resulted in poorer security.
- The move to using your smartphone to do banking has additional risks, especially if your device is lost or stolen.
The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.
Passwords: Your eSignature
For online transactions, passwords have replaced a signature (or the wax seal that kings once used) with a password.
Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something that protects them.
[R]ecent Verizon research shows…unsecure passwords are the cause of over 80% of all data breaches at companies. — ZoneAlarm
Users Don't Take Passwords Seriously
Unfortunately, many don't take their passwords seriously.
Afraid they'll forget a password, they make it simple and use variations of the same password for every account they create.
The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password. — LastPass Blog
Once hackers have one password, they can use it to hack into other services, just like a Twitter hack that exposed users data because an administrative assistant reused passwords:
A hacker found a personal e-mail account for the administrative assistant previously mentioned. [T]he hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password. In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps. — Ira Winkler
Weak Passwords are Like Blank Cheques
Think of your passwords as a series of unsecured, signed blank cheques. The only limit is the size of your bank account.
Don't Post Answers to Security Questions
Don't post the sorts of information typically used for the “forgot my password” recovery on social media.
We found that 51% of people believe there is no way a hacker could guess one of their passwords from information they've shared on social media. But we know hackers aren't dumb — if you're being targeted and don't have a strong password guarding your account, it would take a hacker seconds to do a search on your social media profile, learn the name of your pet, family member — even learn when your anniversary is — and use that info to guess your password. Don't make it that easy for them — try to be a bit discreet on social media. — LastPass Blog
Choose Your Software Carefully
You need to change some habits to protect yourself from malicious attacks.
You probably check the doors and windows in your house before going to bed at night. You need to secure your computer and software with the same diligence.
Ignorance is Your Undoing
Many people don't understand the risks of using older or unsecured technology.
Victims Unfamiliar with Technology
Most of the victims of identity theft are using technology they don't understand. Nor do the politicians making the laws that are supposed to protect you.
- Victims use passwords that are easily guessed and often repeated everywhere.
- Their passwords may have been compromised in a data breach (that's why you change ALL your passwords when you're notified of a breach.)
- Victims don't use a password manager or unique, strong passwords for every account.
- Victims run obsolete email programs and vulnerable web browsers with obsolete or insecure addons and vulnerable plugins.
- Victims are unwilling to learn about risky behaviour or change their habits to reduce those risks.
Online security is inconvenient. So are seat belts, locks and insurance.
Choose a good security suite and learn how to use it to protect your computer and your privacy.
Protect Your Identity
Everyone is Gathering Information
Everyone is collecting information about you and your profile is for sale.
[T]here is another reason websites track you — It's because you're worth a lot of money. Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you. — ZoneAlarm Blog
With your email address, they can send their advertising right to your inbox.
The more you reveal, the easier it is to target you. If they know your marital status and how many children you have, they can identify potential markets.
Weird Online Data Dump
An open (not password protected) 4 terabytes of data from the People Data Labs (PDL) and OxyData.io (OXY) contained cross-linked information on over 1.2 billion people was found on October 16, 2019. PDL and OXY are data enrichment companies. What they do is allow companies to search:
- Over 1.5 billion unique people, including close to 260 million in the US
- Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
- Over 420 million LinkedIn URLs
- Over 1 billion Facebook URLS and IDs.
- 400 million+ phone numbers. 200 million+ US-based valid cell phone numbers.
De-duplicating the nearly 3 billion PDL user records revealed roughly 1.2 billion unique people, and 650 million unique email addresses, which is in-line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIN information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs. — ZoneAlarm Blog
It is interesting that the data is an accurate copy of data obtained from 2 different companies blended into one database. Someone either was a very large customer of both companies or managed to hack both databases. What was the reason it was available on an open IP address (126.96.36.199) rather than hidden away?
Someone should be held accountable for both scraping (collecting) such data then combining it for profit as well as allowing it to be copied into an unprotected cloud account unnoticed.
If both companies (and the company officers) were bankrupted for this breach, perhaps the tracking of such sensitive data would be less attractive and companies would spend money securing the data as carefully as they secure the computers it is hosted on.
Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.
Your Purchases Reveal a Lot
Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.
Dealing with Spam
Learn how to identify and deal with spam.
Don't unsubscribe from lists that you didn't ask to be placed on in the first place. Ethical companies don't use sneaky opt-out techniques in the first place.
Beware of Phone Callers
Phone calls about computer viruses, credit card deals, overseas credit card expenditures, holiday specials or warnings that you're about to get arrested for unpaid taxes are all scams. Just hang up.
Protect Personal Information
Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:
- Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
- Mother's maiden name.
- Where you were born.
- Your birth year.
- Bank PINs.
- Passport information.
- Driver's license.
Be careful about revealing billing addresses and employment information as well.
The successful completion of many credit card transactions may require that your shipping address match the credit card's billing address.
This information is not necessary for most other transactions.
Personal DNA Tests
There is nothing more personal than your DNA.
Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can't be changed. — Consumer Reports
Tracking your genealogy has become very popular. Sites like Ancestry and 23andMe offer kits to take your DNA and use it to tell you more about your family history.
But these sites aren't as private or innocuous as they'd have you believe. In fact, they sell your DNA data to third parties and often have more rights to your DNA than you do after you agree to their contract.
But the DNA and genetic data that Ancestry.com collects may be used against “you or a genetic relative.” According to its privacy policies, Ancestry.com takes ownership of your DNA forever. Your ownership of your DNA, on the other hand, is limited in years. — Joel Winston
- Your genetic data isn't safe — Consumer Reports.
- DNA tests expose more than we think.
- Genetic testing firms share your DNA data more than you think.
- Your DNA is a valuable asset, so why give it to ancestry websites for free?
- How DNA companies like Ancestry and 23andMe are using your genetic data.
- 5 biggest risks of sharing your DNA with consumer genetic-testing companies.
- Ancestry.com takes DNA ownership rights from customers and their relatives.
- The pros and cons of genetic testing.
- How to delete your data from every DNA testing service.
Posting on Social Media Sites
People sometimes post things on Facebook or other social media (or reveal them to strangers over the phone) without thinking about the consequences.
Facebook and Google knows more about you than your family and friends do. And they never forget anything.
Information that allows you to recover a lost password should be something you remember, but strangers can't know. That security is lost if you post it on Facebook.
These personal facts are commonly posted by people:
- Family genealogy.
- Pet names.
- Former residences and occupational information.
- Your school and other educational information.
- Sports teams and celebrities you admire.
- Marriage dates and locations.
Unfortunately, these answer the commonly-used questions that password-recovery options employ.
Most accounts are compromised by using the password recovery mechanism which invariably requires the correct response to personal questions.
Sure, you will remember the answers (the reason companies use them), but so will everyone that views your posts. Hint: it isn't just your friends and family.
These questions are too easy to research or bring up in casual conversation.
"The Cloud" Has Risks
Cloud computing (as “in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.
While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection.
- How do you secure the cloud? New data points a way.
- Top cloud security controls you should be using.
Banning Encryption Short-sighted
Legislation is pending in some locations (including in the US and possibly Canada) to ban encryption or to ensure backdoors for police access are added. This is very short-sighted.
- Effective encryption could help reduce the risk of hacks like those noted above.
- Backdoors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible to the “good guys.”
- Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.
Yes, encryption is used by criminals. So are locks, fences, roads, public utilities, telephone systems, etc. Should we remove everyone's access to those as well?
It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't find them then use them to negate our security protections.
Much of the Internet is broken, a result of greed and exploitation at the expense of those who simply want information and entertainment but don't consider the risks of their behaviour.
Watch Out for Malicious Attachments
One of the most common methods of attack are to send a phishing email with an infected attachment. Often these documents appear to be either invoices or notices of items shipped. If you open the document, you infect your computer or device.
Malicious Microsoft Office attachments are more common than malicious batch scripts and PowerShell scripts. — Tech Republic
Unless you're expecting such a document, DON'T open it, just delete it.
How to Verify Legitimacy
If you're unsure, verify the legitimacy of the document by calling the company using the contact information found on a recent invoice or statement.
- NEVER use the contact information provided in the email.
- NEVER click on links within the email (links can be faked).
Use Encrypted HTTPS Sites Where Possible
I strongly recommend that you only connect to sites that are encrypted. Unsecured sites are not encrypted and are vulnerable to man-in-the-middle attacks.
This is particularly important when using online banking or when shopping online — anywhere that you are sharing banking or credit card details.
Secure sites are indicated by
https:// (notice the s) in the address and/or some sort of a padlock symbol. The display varies by browser:
- Firefox, Google Chrome, Safari, Microsoft Edge and Opera all use a grey padlock to the left of the address.
- Both Firefox and Edge display the HTTPS:// prefix; Chrome, Safari and Opera do not.
HTTPS:// Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.
- Mozilla's HTTPS and your online security looks at the strengths and weakness of HTTPS.
Choose a Safer Browser
Your Browser Choice Matters
Your choice of web browser can make a difference in your ability to protect yourself online. Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.
Firefox is a much safer browser to use.
As an independent stand-alone product it is less vulnerable to cross-program security issues.
Because it isn't tied to an operating system or to a search company, it can focus on its users rather than those controlling the purse strings. It can perform all the features needed in a browser without the downside.
Built-in Security Features
Firefox has built-in security features including one that warns you about reported attack pages:
Firefox gets a fresh update of forgery sites a whopping 48 times a day!
Firefox is designed to protect your privacy and is updated frequently, so security fixes and new benefits are available sooner.
Firefox's Private Browsing mode allows you to surf without saving information about the sites and pages you've visited. Neither cookies nor passwords are saved.
Because Firefox is updated frequently, security and privacy fixes and new benefits are available sooner.
Don't Use Internet Explorer
Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web. While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.
One of my pet peeves is programs that directly call Internet Explorer rather than the system's default browser. One example is TurboTax, where queries about sensitive data is being handled via an obsolete and insecure browser (a feature that users cannot change).
Windows 10 includes IE along with Microsoft Edge, however it was not intended to be used as your primary browser:
"You see, Internet Explorer is a compatibility solution," wrote [Microsoft security chief] Jackson in the blog. "We're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers. — ZDNet
Google makes their money by exploiting information you provide. Google NEVER forgets.
Google originally paid free software vendors to automatically install Chrome as the user's default browser (few people check for the preselected options when installing software). While replacing Internet Explorer as the dominant browser was a good thing, it was not so good when this practice also replaced browsers which protect your privacy, such as Firefox.
Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail).
More About Browsers