This article is designed to help network administrators and consumers understand the issues surrounding the rapidly growing concern of "Identity Theft". By understanding the concerns you can make better decisions on how to deploy systems that don't set the stage for abuse and can better protect your customers, employees and computer users. Ensure your company has proper policies in place, and they are reviewed frequently. Many companies have information disposal policies in place, but fail to enforce and ensure policy compliance. The average employee thinks very little about the information they toss away daily. It is important to understand how Identity Theft occurs, how to avoid it, and to work with company security officers and human resource departments to ensure employees follow these very important policies. Identity theft is not a new problem, but the Internet has made it much easier for thieves to pose as someone who they are not.
Many cases of "Identity Theft" are performed by company insiders, placing the responsibility and liability on the employer. The Information Security field is faced with a growing list of concerns. Identity Theft is one of the fastest growing yet still often under-acknowledged security threats today.
Reasons for Identity Theft
Committing Crime - Using the identity of somebody to hide the real perpetrator of a crime.
Profit - Profit at the expense of someone else. Sometimes personal information is sold to others, and sometimes to more than one person!
Trying to hide - Sometimes the reason for stealing another person's identity is to hide from some past "skeletons in the closet". This could be from a prior crime, debt, a spouse or for a variety of reasons.
Employment - Illegal Immigrants may try to use your Social Security Number (SSN) and date of birth for employment purposes or to obtain a birth certificate. Additionally, criminals may desire to steal your identity in order to hide a shady past and seek legitimate employment.
Methods of Stealing Identity
Misinformation - Thieves often try contacting banks and posing as a client. The thief is often already armed with information that the bank needs to identify you, such as account number, SSN#, mother's maiden name, etc.
Over-use of SSN# - Collection and misuse of over-used Social Security Numbers (SSN).
Shoulder Surfing - The act of watching and listening from a nearby location as you key in your telephone calling card number or credit card number, or listening to your conversation while you give your credit-card number over the telephone in a public location.
Phishing - Creating and using e-mails and Web sites designed to look like those of well-known, legitimate businesses, financial institutions, and government agencies to deceive Internet users into disclosing their personal information. Phishing scams typically operate counterfeit web sites that lure consumers into revealing their personal and financial data, including social security numbers, bank and credit card account information, and details of online accounts and passwords. In fact during the time I was writing this article, I was presented with a Phishing scam against a well known bank via my email.
Pharming - Similar to e-mail phishing. Pharming seeks to obtain personal or private information through domain spoofing. Pharming 'poisons' a DNS server by sending false information into the DNS server, resulting in a user's request being redirected elsewhere. However, your browser will show you are at the correct Web site. This makes pharming a bit more serious and difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming potentially targets large groups of people at one time through domain spoofing.
Skimming - Stealing your credit or debit card numbers by capturing the information in a data storage device is a practice known as "skimming." Thieves may swipe your card for an actual purchase, or attach the device to an ATM machine where you may enter or swipe your card.
Hacking - Hackers have various ways of obtaining personal information. The typical user connected to the Internet has no concept about computer security, and many of these users have compromised computers. These compromised systems provide a wealth of personal information to the experienced hacker. And much of this gained information has a resale value. In addition, these compromised computers can be used to help infiltrate additional computers.
Dumpster Diving - A term used for going through the trash (or dumpster) to obtain helpful information in stealing an identity. It is truly amazing the things people discard that can be helpful in finding additional information about a person they are potentially targeting for Identity Theft.
Avoiding Identity Theft
Use PIN numbers wisely - Never use the last 4 of your SSN#, and never use your telephone number or birth date. Don't carry PIN numbers in your purse or wallet. Memorize your passwords and personal identification numbers. Keep your PIN numbers somewhere that only you know. Don't give out your PIN or write them on your credit cards or ATM cards. Learn how to change your PIN number, and change it from time to time.
Shredding - Shred credit card receipts, credit card offers, and old bank account statements. Do not put critical personal information in the trash to avoid the "dumpster diver". Also shred old paycheck stubs and W-2 forms that contain your social security number and often your name and address.
Careful System Development - When developing computer systems and "Point of Sale" systems, always be vigilant to decrease the chance of aiding the thief in stealing your clients' identities.
Carry only necessary information - Do not carry identity information with you that is not necessary, for example your birth certificate & SSN#. It used to be common to carry your Social Security card with you (I still know people that think they should carry it). Now it is best to store it in a safe place, memorize your number, give it out only when important, and only show it to people that really need to know.
Dispose of sensitive data properly - Often times information can be obtained by robbing your mailbox, or going through your trash (a tactic known as "dumpster diving"). Try not to allow information to be available through these places. If you're a business or corporation, never allow employee or customer information to go to the dumpster without first shredding the material. Even if you have a policy in place, review it, at minimum, annually and ensure all your employees understand how important it is to maintain information security.
Beware of billing statement cycles - Always be aware of billing cycles and statements. If you do not receive a statement on time, inquire about it. It could have been diverted by a thief.
Safeguard Receipts - Protect your debit, credit, and ATM card receipts and shred them before disposing of them.
Watch online transactions - If you pay bills or bank online, change your passwords frequently. If someone has obtained your username and password, changing them frequently will reduce the odds of them using the information, and reduce the damage a thief may cause. Never use easy to guess passwords, and always use a combination of alpha and numeric characters. Always ensure that you get a secured site by looking for a lock that designates a secured web-site.
Stay virus & spyware free - Always keep computers clean of Viruses, Worms, Trojan horses, and Spyware.
Safeguard Information - Store personal information in a safe place. Consider a lock box or safety deposit box to protect SSN#, birth certificate, account information, etc.
Question requests for your information - Never feel bad to question someone, or ask them to provide credentials to prove who they are. Most reputable and seasoned professionals will not be upset because you feel threatened or vulnerable. In fact I am always glad to hear a consumer question the need for the information I request.
Protect your mother's maiden name - Maiden names are often used as passwords to access accounts over the telephone. Be careful when using family tree tracers and genealogy service web sites.
Never provide SSN# or Credit card info in an email - Most email is very insecure, and it is very easy to search through massive amounts of email for patterns of numbers like those used in credit card and SSN numbers.
Who's Who - There are many registries of accomplished people on the Internet, and you must be very careful what is posted in these registries. Recently I had a person who was concerned about SPAM, and yet a quick Internet search found this individual on a Who's Who registry. I quickly knew where he lived, his age, college, email addresses, wife's name and maiden name, address, etc. etc. etc. Think about it!
Protect what you put on Web sites - Don't give away too much personal information on your business or family web sites. Full names, addresses, and dates of birth are too much information. By obtaining your "place-of-birth" the identity thief can possibly get your duplicate birth certificate.
Do not use SSN# as a driver's license number - If your driver's license has your SSN# on it, consider having it changed. If your license is stolen, your SSN# may be used against you.
Personal Checks - It used to be common to have your SSN# printed on your personal checks. This is no longer a good idea. In fact, with it printed on your checks, you already are providing at least two key things... your SSN# and bank account information. Often checks include your phone and address information too. Is the clerk that accepted your check trustworthy?
Know your Credit - Periodically order a copy of your credit report. It could contain surprises or keys to Identity theft issues. Not only is it a good idea to ensure you have no surprises when you do need to apply for credit, it is also beneficial in spotting a possible thief before they get too far.
Passports - Are very helpful in allowing someone else to skip the country.
Birth certificates - Protect your Birth Certificate. It is a very important document in the right hands and in the wrong hands.
Be Stingy - Any time someone offers you a chance to receive a major credit card, prize, or other valuable item, but then asks for personal data such as your Social Security number, credit card number or mother's maiden name, ask them to send you a written application form.
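An added example (not part of the original article) for the "Never provide SSN# or Credit card info in an email" item above: a minimal outbound-mail check that flags a message body containing a Luhn-valid card number or a plausibly issued SSN, so it can be held or redacted before it leaves. The function names, patterns and sample message are constructed for illustration.

```python
import re

# SSN as AAA-GG-SSSS or nine bare digits; the separator must be used
# consistently, which keeps ZIP+4 codes (12345-6789) from matching.
SSN_RE = re.compile(
    r"\b(?P<area>\d{3})(?P<sep>-?)(?P<grp>\d{2})(?P=sep)(?P<serial>\d{4})\b")
# 13 to 19 digits, optionally grouped with single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample message (test card number, textbook SSN).
SAMPLE = ("Hi, my card is 4111 1111 1111 1111 and SSN 123-45-6789. "
          "Order ref 1234 5678 9012 3456, ZIP 12345-6789.")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, grp: str, serial: str) -> bool:
    """Reject values never issued: area 000/666/9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or grp == "00" or serial == "0000")


def scan(text: str):
    """Return (kind, masked_value) findings; only the last 4 digits are kept."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drops order numbers and other digit runs
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(m["area"], m["grp"], m["serial"]):
            findings.append(("ssn", "***-**-" + m["serial"]))
    return findings


if __name__ == "__main__":
    for kind, masked in scan(SAMPLE):
        print(f"HOLD message: possible {kind} {masked}")
```

The Luhn and issuance checks are what keep the order reference and the ZIP+4 in the sample from being flagged; a mail gateway would run a check like this on outgoing text before delivery.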
Reporting Identity Theft
If you think you have been a victim of identity theft there are things you can do...
Report stolen cards - Report to the card issuer immediately and request new card numbers. Always respond to written credit card receipt notifications received in the mail.
Contact the Social Security Office - If you suspect someone is using your social security number to establish credit or new accounts, contact the office of the Inspector General Hotline: (800) 269-0271 or e-mail oig.hotline@ssa.org
Make your state's Attorney General aware.
The three major credit-reporting agencies are Equifax, Experian and TransUnion. All three agencies have the ability to mark your information for "fraud alert" should you fall victim. Here is some helpful information for contacting them:
Equifax 1-(800) 525-6285 http://www.equifax.com/
Experian 1-(888) 397-3742 http://www.experian.com/
TransUnion 1-(800) 680-7289 http://www.transunion.com/
For a monthly cost Equifax has a service that alerts you when a significant change is made against your credit. This service does have a cost, but so does the theft of your Identity. Monitoring your credit file can help alert you to fraudulent activities like when someone tries to get credit in your name - so you can act before serious damage is done.
In Conclusion
While identity theft is not a new concern, like many things the growth of the Internet is bringing new problems and methods of theft into the limelight. We as network and systems administrators must do our part to protect our data assets and those of our customers and employees. We must question age old methods such as the use of Social Security Numbers as a unique identifier of people. We must also be the advocates of change within our companies, and educate others, and push for solid policies and procedures for the protection of personal identities. Every day the world becomes more electronic, and it is ultimately our responsibility to tame this growing concern.
The Federal Trade Commission's web site (Identity Theft) contains helpful information on the subject of Identity Theft.
Links
Here are just a few key links on the Internet to help you in your endeavors. I encourage you to take identity theft very seriously! It is a rising crime and computers just make it easier than ever before.
Privacy Rights Clearing House - PrivacyRights.org
Identity Theft Prevention & Survival - Identitytheft.org
Federal Trade Commission - Identity Theft Home
Fight Identity Theft - FightIdentityTheft.com
Spyware Guide - SpywareGuide (Identity Theft)
National Criminal Justice Reference Service - Identity Theft - Facts & Figures
Anti-Phishing Work Group - APWG
