Russ Harvey Consulting - Computer and Internet Services

Identity Theft

Obtaining Information by Deceit

Identity Theft | Protect Your Identity | Recommendations | Reporting ID Theft

A hooded man with an “Anonymous” mask sits before a laptop computer.
When your identity is stolen, you lose some things, but gain others.

 

You could lose all the cash in your bank account, or the title to your home.

 

But you might gain a criminal record, or a lien on your home mortgage.
PCMag

Identity theft information is contained on three pages:

  1. Identity Theft: obtaining information by deceit
  2. Phone Fraud: scamming by phone
  3. Phishing: email scams

The information was written with computers in mind, but these warnings also apply to smart phones and tablets.


Obtaining Information by Deceit

Fraudulent phone calls, phishing emails and fake error messages generated by malware or website infections are all forms of identity theft perpetrated on innocent victims every day.

Identity theft is obtaining information about you that will enable someone else to impersonate you, allowing them to use your identity rather than their own.

While the thief obtains financial or other rewards, you are left with the financial loss or debt and may face criminal charges for crimes done using your ID.

Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.

Identity theft can be prevented if you take personal information and security seriously.

A Rapidly Growing Crime

Identity theft is a rapidly growing crime.

Online crime is more lucrative than traditional crime.

  • Cybercrime is very profitable and low risk.
  • The same Internet that opens the world to us, exposes us to the world's criminals.
  • Criminals seldom get caught or prosecuted because most are located overseas.
  • The vast potential market of gullible “marks” ensures success.
  • Corporations are more interested in profiting from the information they gather online than securing that information.
  • Data breaches are far too common and weaken our security without significant penalties for that business.

By ignoring security protocols and failing to learn about cybersecurity, people place themselves and their money at risk.

  • Most criminal activity is based upon threats or transfer of trust.
  • People don't understand the technology they're using.
  • Mobile phones provide avenues of attack using deception and SIM card swapping.
  • We treat cybersecurity like something imposed on us rather than something protecting us.

How much do you know about cybersecurity?

Test your knowledge about cybersecurity. It could help prevent identity theft from making you a victim.

Take the cybersecurity knowledge test to see how much you understand about online security and the terminology involved.

Once you've evaluated how well you understand the issue, read the information on this page to help you understand Cyber scams and how to avoid becoming a victim.

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.

Credit Information Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily obtained online.

  • Verification depends upon electronic data rather than hard copies (like the old signature card).
  • The convenience of inter-branch banking and online transactions has resulted in poorer security (e.g., four-digit PINs).
  • Using your smartphone to do banking has additional risks, especially if your device is lost or stolen.

The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.

Passwords: Your eSignature

For online transactions, passwords have replaced a signature (or the wax seal that kings once used) with a password.

Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something that protects them.

[R]ecent Verizon research shows…unsecure passwords are the cause of over 80% of all data breaches at companies.
ZoneAlarm

Users Don't Take Passwords Seriously

Unfortunately, many don't take their passwords seriously.

Afraid they'll forget a password, they make it simple and use variations of the same password for every account they create.

The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password.
LastPass Blog

Once hackers have one password, they can use it to hack into other services, just like a Twitter hack that exposed users data because an administrative assistant reused passwords:

A hacker found a personal e-mail account for the administrative assistant previously mentioned.

 

[T]he hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password.

 

In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps.
Ira Winkler

Weak Passwords are Like Blank Cheques

Think of your passwords as a series of unsecured, pre-signed blank cheques. The only dollar limit is the size of your bank account.

Use a Password Manager

Learn how to create quality passwords and take advantage of other options like multifactor authentication to protect your online accounts.

A good password manager not only helps to provide unique and strong passwords for every site, but also can protect you by warning you when the site address doesn't match the address recorded for the site.

Unfortunately, password managers don't work on the CRA website because of very unusual and unnecessarily complicated login procedures. The CRA's suggestion? Manually enter the password!

Don't Post Answers to Security Questions

Be careful NOT to post the sorts of information on social media typically used for the “forgot my password” recovery.

We found that 51% of people believe there is no way a hacker could guess one of their passwords from information they've shared on social media.

 

But we know hackers aren't dumb — if you're being targeted and don't have a strong password guarding your account, it would take a hacker seconds to do a search on your social media profile, learn the name of your pet, family member — even learn when your anniversary is — and use that info to guess your password.

 

Don't make it that easy for them — try to be a bit discreet on social media.
LastPass Blog

Choose Your Software Carefully

You probably check the doors and windows in your house before going to bed at night.

You need to secure your computer and software with the same diligence.

Ignorance is Your Undoing

Many people don't understand the risks of using obsolete or unsecured technology, especially the software you use to access the Internet.

Online security is inconvenient but so are seat belts, door locks and insurance.

Choose a good security suite then learn how to use it to protect your computer and your privacy.

Victims Unfamiliar with Technology

Most of the victims of identity theft are using technology they don't understand.

The politicians making the laws that are supposed to protect you seldom understand the effects those laws will have on privacy. They obtain most of their advice from the very companies that are exploiting consumers on the Internet.

Return to top

Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you and your profile is available for sale to anyone willing to pay.

Do NOT buy into the myth that privacy means you have something to hide.

Companies spouting the “nothing to hide” line claim they're “just collecting metadata”, but will accuse you of hacking if you returned the favour.

[T]here is another reason websites track you — it's because you're worth a lot of money.

 

Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you.
Check Point blog

With your email address, they can send their advertising right to your inbox.

The more you reveal, the easier it is to target you. If they know your marital status and how many children you have, they can identify potential markets.

Loyalty Cards

Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.

Retailers like Home Depot ask if you'd like an email receipt. That's a sneaky way to obtain your email address.

Your Purchases Reveal a Lot

The sorts of items you buy, particularly the precise combination of items, can tell a lot about you.

Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.

Protect Personal Information

Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:

  • Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
  • Mother's maiden name.
  • Where you were born.
  • Your birth year.
  • Bank PINs.
  • Passwords.
  • Passport information.
  • Driver's licence.

Be careful about revealing billing addresses and employment information as well.

The successful completion of many credit card transactions may require that your shipping address match the credit card's billing address.

This information is not necessary for most other transactions.

Personal DNA Tests

Most people would be leery of any request to fingerprint them yet millions have ordered personal DNA tests without considering the potential privacy issues.

Tracking your genealogy has become very popular. Sites like Ancestry and 23andMe offer kits to take your DNA and use it to tell you more about your family history.

This has never happened before. It hasn't happened with fingerprints, it hasn't happened with DNA. Until now there's been a line, that unless you commit a crime we don't record the facts of your body.
Alvaro Bedoya

There is nothing more personal than your DNA.

Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can't be changed.
Consumer Reports

Privacy Costs

But these sites aren't as private or innocuous as they'd have you believe.

When you're consenting [to the terms and conditions], you're not only consenting to [use of] your own DNA, but you're in effect consenting on behalf of everybody you're related to. Our laws of consent are not really designed for something like this.
B.C.'s Privacy Commissioner

In fact, they sell your DNA data to third parties and often retain more rights to your DNA than you do after you agree to their contract.

But the DNA and genetic data that Ancestry.com collects may be used against “you or a genetic relative.” According to its privacy policies, Ancestry.com takes ownership of your DNA forever. Your ownership of your DNA, on the other hand, is limited in years.
Joel Winston

If you're going to get involved with these companies, realize that they hold all the cards. Be sure to examine their privacy policy and opt out (where possible) for your own protection.

In an internal memo, Pentagon leadership has urged military personnel not to take mail-in DNA tests, warning that they create security risks, are unreliable and could negatively affect service members' careers. [S]ervice members were encouraged to get genetic information from a licensed professional rather than a consumer product.New York Times

Posting on Social Media Sites

People sometimes post things on Facebook or other social media (or reveal them to strangers over the phone) without thinking about the consequences.

Facebook and Google knows more about you than your family and friends do. They never forget.

Information that allows you to recover a lost password should be something you remember, but strangers can't know. That security is lost if you post it on Facebook.

These personal facts are commonly posted by people:

  • Family genealogy.
  • Pet names.
  • Former residences and occupational information.
  • Your school and other educational information.
  • Sports teams and celebrities you admire.
  • Marriage dates and locations.

Password Recovery

Unfortunately, these answer the commonly-used questions that password-recovery options employ.

Most accounts are compromised by using the password recovery mechanism which invariably requires the correct response to the very personal questions people post on social media.

Sure, you will remember the answers (the reason companies use them), but so will everyone that views your posts. (Hint: it isn't just your friends and family.)

These questions are too easy to research or bring up in casual conversation.

"The Cloud" Has Risks

Cloud computing (as “in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection. All they need is your email address and password.

Banning Encryption Short-sighted

Legislation is pending in some locations (including in the US and possibly Canada) to ban consumer encryption or to ensure that back doors for police access are added. This is very short-sighted.

  • Effective encryption could help reduce the risk of hacks like those noted above.
  • Back doors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible to the “good guys.”
  • Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.

Yes, encryption is used by criminals. So are locks, fences, roads, public utilities, telephone systems, etc. Should we remove everyone's access to those resources as well?

It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't use them to defeat our security protections.

Return to top

Recommendations

Much of the Internet is broken, a result of greed and exploitation at the expense of those who simply want information and entertainment but don't consider the risks of their behaviour.

It is recommended that you examine your security practices closely to see if they are up to protecting your online identity and privacy.

Anyone telling you otherwise is probably exploiting your ignorance.

Online Security Course

Lockdown is a 90 minute online course that will dramatically reduce your risk of having your online accounts hacked. Learn more…

Neil expertly and passionately breaks down personal security into small, actionable episodes that my parents could even understand.

 

[G]reat for reluctant tech users for whom technology is alienating, frustrating, but also necessary.

Protect Your Phone

Your smart phone is a portable computer with access to a great deal of your personal data, not to mention a very common method of multifactor authentication.

That smartphone in your pocket is an identity thief's dream. It has your email, IM, social media, and other apps, potentially logged in and available. It contains personal data galore, including all your contacts.

 

A thief who has unfettered access to your phone owns your identity, period.
PCMag

Watch Out for Malicious Attachments

One of the most common methods of attack are to send a phishing email with an infected attachment.

Learn more about safer email practices including how to avoid malicious attachments.

What Are Headers?

If you have issues with an email you received, whether it is because you're reporting spam or something else, you'll be asked to look at “the headers.”

See finding the headers to learn how to locate these.

Use Encrypted HTTPS Sites Where Possible

HTTPS is a secure protocol used by websites that encrypts traffic between the site's server and your browser.

Few sites use the old HTTP protocol by default (but may load it if you directly request it based upon a link you're following or a bookmarked site).

If you load just the domain name (e.g., domain.com) into your browser's address bar, it should load a secure site if one is available. Be sure to change your bookmarks accordingly.

Learn more about HTTPS how it keeps you safe.

Choose a Safer Browser

Your choice of web browser can make a difference in your ability to remain safe online.

Keep it Updated

Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.

Firefox Recommended

Firefox is a much safer browser to use. As an independent stand-alone product it is less vulnerable to cross-program security issues.

Because it isn't tied to an operating system or a search company, it can focus on its users rather than those controlling the purse strings.

Stop Using Google Chrome

Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail).

Google makes their money by exploiting information you provide. Google NEVER forgets.

The widespread use of Chrome also gives Google a huge amount of control over how the Web works.

Don't Use Internet Explorer

Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web.

While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.

Microsoft should have killed it off with the release of Windows 10 and Microsoft Edge.

More About Browsers

Learn more about web browsers and plugs, vulnerabilities in Internet software and how to browse safer.

Additional Resources

More information about how to prevent identity theft:

 

Report Identity Theft

Are You a Victim?

If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.

Begin Immediately

If you suspect you've been the victim of identity theft, the sooner you act, the sooner you can begin to resolve the issue.

A Long-term Problem

It will likely be harder to prove identity theft than to execute it.

If you are the victim of identity theft, you can expect to fight to regain your credit rating for years.

Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.

While electronic data can quickly get you into trouble, financial institutions want physical evidence (i.e., paper copies of their official forms) that show you're not responsible.

Think of how hard it is to obtain physical copies of documents generated by someone else.

Huge Financial Costs

There are huge personal and financial costs if you become a victim.

The Canadian Anti-Fraud Centre at 1-888-495-8501 can help you through the process.

File a Report

You should file a report with your local police, your financial institution(s) and with credit reporting agencies.

But there's not much your local police can do for you. For starters, you'd have to show that an actual crime happened, which is much more difficult when it's digital.
CNET

When reporting improper use of a credit card to our local police we learned that purchases had been made out of province and mostly without presenting the physical card. How someone could get away with paying off a utility bill for a fixed address with a stolen credit card is confounding.

Unauthorized Purchases

Check your bills for unauthorized credit cards or charges for goods or services you did not receive (particularly from a foreign country).

In most cases you have to still pay the full bill and notify the credit card company about unauthorized charges within 30 days.

Beware of Unsolicited Calls

We're calling from MasterCard and VISA.…

Unsolicited automated phone calls about your credit card are usually fraudulent attempts to secure your credit card information.

These calls may attempt to scare you with claims that very large purchases “have been noted on your credit card.” Notice they don't specify the card used.

Never respond to requests to prove your identity or verify your card details. Remember, they called you.

Credit Reporting Agencies

Reporting identity theft or fraudulent transactions on your credit card(s) to the credit reporting agencies helps to prevent further abuse, particularly if someone tries to open new credit in your name.

You are entitled to one free credit report each year which discloses who has made requests for your credit report as well as allowing you to dispute errors.

Related Resources

Related resources on this site:

or check the resources index.

Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/identitytheft.html
Updated: February 13, 2023