Avoid ID Theft

by msecadm4921

How to avoid identity theft; by Peter Wood, Chief of Operations, First Base Technologies (www.fbtechies.co.uk)

In the 21st century, your digital identity is also your cheque book, your credit rating and your status in the community. If you lose your digital identity you may have to convince credit card companies, insurance companies, banks and even the police that you were not responsible for actions and expenditure carried out in your name. This process could take months and is extremely stressful.

Criminals use a variety of techniques to steal your identity – over the phone, face-to-face and via the internet. Many people are particularly vulnerable to ID fraud when they’re using their computer, so here are some common Internet scams and how to avoid them.

The dangers of phishing

Criminals create e-mails that appear to come from legitimate banks, insurance companies, eBay and so on. Unsuspecting people will click on a web link in the e-mail, which then takes them to a fake web site where they enter their name, password, credit card details etc, unaware that this personal information is going straight to a criminal gang. Although there are safeguards in both the processes that banks use and the e-mail software, many people still fall for these scams.
The safest thing is to ignore any invitation to click a link, but instead browse directly to the web site you know belongs to the organisation in question. This may take a little more time, but is the safest method. Once there you will quickly see whether the e-mail was genuine or not.
Many e-mail programs now include a feature which pops up a warning when you hover the mouse over a link in an e-mail. If you see this warning, don’t click the link! Simple! Just delete the e-mail.

To protect yourself from phishing attacks, follow these rules:

Never open e-mails from people you don’t know. Delete them and empty the bin.

Never reply to phishing e-mails. No real financial institution will ever ask you for your credentials in an e-mail.

Check the web site address when you are buying something over the Internet – open a second browser window and use a search engine to find the site. If the addresses don’t match, it’s probable that the site you are on is fake.

Check your bank and credit card statements carefully and report any unfamiliar transactions.

Why is wireless networking risky?

For a start, the information you type whilst using a wireless network (to browse the web or send an e-mail) can be intercepted by a criminal as easily as you can tune a radio into Radio One. If your wireless network doesn’t use encryption, a villain can easily read your name, your password and your credit card number, and then he has all he needs to commit ID fraud. Next, if your wireless network has no authentication, anyone can use your Internet access to launch attacks on other people or to download illegal content. If that happens, your service provider and the police will come knocking on your door rather than the criminal’s.

Finally, if you have an easy-to-guess password or don’t have the latest software installed, your PC could be under attack directly over your wireless network. Criminals can then grab whatever information they want from you, or use your PC as a store for illegal material, or plant malicious software.

The problem is that the wireless network you buy in a shop is intended to be easy to use, rather than safe from attack. Most large companies know they have to spend the time and effort to set up wireless networks securely, but home users often just buy the equipment and plug it in! That makes them easy targets for criminals. Ensure you know how to make your wireless network secure – get the computer shop to show you how or ask a local computer expert to help you. Use our free guide from http://www.fbtechies.co.uk

What’s the deal with Trojans?

Trojans are malicious programs hidden inside apparently friendly software, like screen savers, games and even web pages. Once a PC is infected with a Trojan, the machine is no longer yours. Trojans can capture your passwords as you type them, copy your credit card details off the screen and harvest all your personal, private information – then send it all to a criminal somewhere else on the Internet without you being any the wiser. Trojans can also allow an attacker to control your PC without your knowledge, and to use your computer to attack someone else or to act as a conduit for pornography or other illegal material. To protect against Trojans, always use a personal firewall, up-to-date anti-virus and anti-Trojan software. Make sure you understand how to make your PC safe and keep it safe – get the computer shop to show you how or ask a local computer expert to help you.

General computer advice

Always use a personal firewall. Using a personal firewall will prevent most unauthorised access to your computer, so long as it is configured properly! There are several free firewalls available, but it may be worth considering spending some money and buying one that will offer you support. Two of the most popular personal firewalls are Zone Alarm and Outpost.
Always use an up-to-date anti-virus program. Anti-virus programs alert you to the presence of malicious code such as viruses and Trojans, and usually block it too. Make sure your anti-virus software is set to do daily scans as well as "active" scanning – so whenever you copy files, download attachments, etc, you will be alerted if there is something nasty present. If you need to delete malicious software yourself, make sure you empty the recycle bin afterwards.

Has your computer got a password?

Is the password strong enough? Make sure that everyone who uses your computer has their own strong password. If you are using a modern version of Windows, you can use pass phrases instead of passwords – and phrases such as "my dream car is a Ferrari 360" are very easy to remember but much, much harder to crack than "passw0rd".

Do you use wireless hotspots at airports or hotels? If so, be careful! Do you realise that there is no security at all on free wireless hotspots? An attacker could be monitoring the airwaves for the information being sent from your laptop to the Internet. Not only that, if you don’t have a personal firewall and have poor password quality, that attacker could even be stealing information (documents, personal information, etc) from your computer at the same time you are using it! This illustrates again why firewalls and access controls are so important.

Keeping the rest of your ID safe

Never dispose of documents that contain any information that could be of use to an ID fraudster without shredding them first. These might include anything containing your name and address, bank details, signature (even a copy signature), any bills for utilities such as electricity, gas, water and rates, any credit card vouchers or receipts with your credit card information on them. Tearing up documents is not good enough – a determined criminal will just tape the pieces back together! You can purchase a home shredder fairly cheaply from most stationery shops these days. If you really can’t afford a shredder, tear up the documents into the tiniest bits possible and mingle them up with the rest of your rubbish – don’t just dump the bits on top.
Store your important documents in a secure place. Keep your passport, driving licence, birth and marriage certificates and similar documents in a safe and hidden place – an under-floor safe is best.

Never send important documents through the "normal" post – only send copies, and use registered post or special delivery so they are signed for by the recipient. If at all possible deliver them by hand. Always ask for these documents back, so that you can take responsibility for disposing of them yourself – that way you can be sure they are securely disposed of and not just dumped in someone else’s rubbish.

Be careful with your PINs and change them regularly. When you get a new credit card, go straight to a cash machine and change the PIN to something you will remember. Don’t use your birth date, any part of your postcode or car registration number. This same rule of thumb applies to any other code you have to use, such as an alarm system code. Don’t make it easy for them by using sloppy codes or PINs! Consider changing your PINs at least every quarter. That will really add a good layer of ID fraud prevention.

Watch those credit and debit cards and insure them. You should never write your PIN down – but if you really, really must, never keep it with the card itself. Chip-and-PIN is more secure than the old signature method because it uses the security premise "something you have" (the card) and "something you know" (the PIN). If you can, use shops that employ chip-and-PIN machines in favour of those that still use signatures. Watch how till attendants use your card – make sure they don’t slip it into any device you don’t recognise (this could be a "skimming" device, as seen on the TV programme).

Take out credit card insurance such as that provided by CPP – you can also use this to insure your important documents. In the event of a loss, the insurer will contact all the banks and credit card agencies – your cards will be cancelled immediately and new ones automatically re-issued. This saves a lot of phone calls and costs very little. CPP also provide key fobs and other stickers – so that if something of yours is mislaid, the majority of nice people out there will dial the number on the sticker and the insurer will then arrange to have the item returned to you.

Only carry the credit and debit cards that you’ll need and stash spares somewhere safe. Many of us have more than one credit or debit card, but do we really need to carry all of them at once? It is always good to have a backup – then if something happens to one of your cards, at least you’ve got a spare in a different location. This is a really good idea when on holiday or travelling for business – if you keep some cards back in the hotel safe in a spare wallet (remembering to select a sensible access code for the safe!), then if your "usual" wallet gets snatched or mislaid you’ve got backups! This can prevent what could potentially be a major nightmare situation if you are abroad – or even staying away on home turf.

Don’t allow anyone to overlook you typing your PIN into a card payment machine. Use your hand to shield the keypad of those chip-and-PIN devices you use in shops, so that the shop assistant and people around can’t see your PIN being entered.

Be security aware around ATMs – banks’ "holes in the wall". Have a look at the ATM: does the bit where you insert the card look "bulkier" than usual? If so, this might be a device that steals the information from your card. With your head close to the keypad, look up – can you see anything that might be a tiny camera to record the PIN you enter on the keypad? If you see anything like this, do not use the machine, don’t stop and tell anyone about it (they might be the criminal and you could put yourself at physical risk) – go into the bank and report your suspicions immediately. If it is after bank hours, go to a safe location and contact the police.

Is there anyone "loitering" around the ATM? If so, don’t go anywhere near. If someone comes up to queue behind you when you are already using it, use your body to shield what you are doing from that person.

Watch what you say to people

Never, ever divulge any kind of password, PIN, Internet logon information (such as for on-line banking), or any similar information over the telephone, in person, down the pub, in a restaurant, in a document – or anywhere for that matter! Fraudsters will often engage in something known as "Social Engineering" to "engineer" secret information out of you that they could then use for nefarious purposes. And you never know, a fraudster could be listening in at a neighbouring table at the restaurant or the pub!
A legitimate organisation such as a bank or similar will never ask you for your PIN or entire password. The only person that will ever ask you for this type of information is a criminal. The criminals that conduct ID fraud are con-artists – they are highly personable and persuasive – they know how to use body language and conversation in such a way as to win people’s trust. Just like you tell your children to be wary of strangers, you should be too!

Watch who you employ and be careful of your house keys and security. Do you have a cleaner? Do you trust them? In the same way that companies "vet" their employees for trustworthiness, you should do the same for anyone that you will have entering your house. Get references and follow them up. Do whatever other checks you can, such as word-of-mouth.

Never let anyone you don’t know or haven’t vetted into your home. If someone comes to your door to, say, read the meter – check their ID. They won’t mind being asked and, these days, will most likely expect it.

Do you need other people to have your house keys? Be careful there too – you might trust them, but will they know to be careful with your keys! If you fall out with them, or you change cleaners (who may have had a key) get the door locks changed. Don’t leave your keys lying around any more than you’d leave your credit or debit cards lying around. If you can, keep them on a separate fob from your car keys and in a different place.
If you have a burglar alarm, use it! Make sure to change the code at least once a year and always when you change your locks. Make sure to use different PINs and passwords from your partner or spouse – that way, if their security is compromised, yours isn’t or vice versa.

Answerphone messages. "I’m sorry, there’s nobody here. Feel free to come and ransack my house". That probably speaks for itself, but never say anything that reveals what you are up to on your answerphone or voicemail outgoing message – keep it simple. Just say "I can’t take your call at the moment, please leave a message".

It could be you… don’t think "it could never happen to me". It can and it does. Hopefully the TV programme illustrated that it can happen to all types of people from all walks of life.

First Base Technologies is exhibiting at Infosecurity Europe 2007, the information security event. Now in its 12th year, the show provides an education programme, 300 exhibitors and 11,600 visitors. Held on April 24 to 26 in the Grand Hall, Olympia, this is for information security people. Visit www.infosec.co.uk

About the BBC1 programme

ID Fraud: They Stole My Life was broadcast on BBC1 at 9pm on Wednesday January 31. Identity theft is the fastest growing ‘new’ crime in Britain. Thousands of unsuspecting people are having their money and lives plundered by criminals. Now, the police are mobilising to tackle the crime. This film has unprecedented access to the City of London Police identity fraud unit and reveals shocking details on how easy it is for the crooks to copy our lives. If we allow them to….

About First Base Technologies

First Base Technologies has provided information security and testing services since 1989. First Base reports that its approach combines ethical hacking techniques and commercial vulnerability scanning. First Base can complement these skills with social engineering, staff interviews, documentation reviews and traditional physical security, giving a review of business risks.

© 2024 Professional Security Magazine. All rights reserved.