Identity Theft Countermeasures
By Michael Ross
This article was published by ComputorEdge, issue #2829, 2010-07-16, as the cover article, in both their PDF edition (on pages 6-10) and their website.
After years of hearing horror stories and warnings about identity theft, a growing number of people are realizing the dangers and risks of becoming a victim, and they are fighting back. Yet at the same time, a huge number of their compatriots are still falling prey to the types of scams within this broad category — both online and off. For instance, the number of identity theft incidents in 2008, versus 2007, increased a substantial 22 percent, to 9.9 million, according to a study published by Javelin Strategy & Research on 9 February 2009.
Many cases of identity theft are unavoidable by the individual, such as when a company or government entity loses sensitive information. But far too many of the cases could have been avoided had the victim taken some basic security precautions. Before getting into the details of how to fight back, first consider the most common methods by which identity thieves gain the information that they need in order to take the place of their victims — at least, just long enough to grab some money and run.
Vectors of Attack
Similar to how central bank notes replaced gold and silver coins as money, cash was later supplanted by bank checks for larger purchases, which made it far less common for people to be walking around with sizable sums of cash on their persons. In turn, credit cards and debit cards nowadays continue to push paper checks into the dustbin of history. Thus it should come as no surprise that financial fraud at the consumer level generally targets credit and debit cards. Whereas in the past, a thief would have to physically confront and threaten his intended victim, these days such pilfering can be done over a phone line or an Internet connection. The age of digital money has certainly given us terrific convenience, but at the same time we are far removed from our actual wealth, which now is simply represented as digits stored on computers, possibly on the other side of the country.
Modern-day highwaymen have no need to wear masks or bandannas, nor do they need to brandish firearms as they did when bringing terror to the innocent home or stagecoach. Instead, you may only see a pretty and smiling waitress, as she merely brandishes a check for lunch at your favorite restaurant, and brings to your table a chocolate mint to soften the sticker shock. But when she walks away with your credit or debit card, and moves behind the counter, it takes only a moment for her to run your card through a hidden device that reads its information, and transmits it wirelessly to an accomplice nearby, who within minutes will have e-mailed the information to others waiting to charge big-ticket items on your account, before you even leave the restaurant. In fact, some people become so adept and bold at "card skimming", that your card can remain in sight almost the entire time. In a common ruse, a larcenous waitress pretends to drop your card, and as she retrieves it from the floor, she swipes it through a skimmer hidden under a long skirt or under a serving tray.
Perhaps our modern thief is not able to obtain a job interfacing with the public — and their credit cards. That doesn't mean that your card information is impossible to obtain. Dumpster diving is not limited to homeless people looking for discarded food and clothing: Anyone can rummage through commercial trash receptacles, in search of sensitive financial information, which they can use themselves for making fraudulent purchases, or sell to criminal syndicates just about anywhere on the planet with telephone and Internet service. Retailers and their customers are generally becoming more cognizant of the dangers of tossing out credit card slips, computer printouts of financial account information, etc. But the data divers keep at it, always hoping to make a quick buck from a slow learner.
Not everyone relishes the idea of leaping into dumpsters in the dark of night. A less athletic criminal may prefer "pretexting" his way into your financial life, by posing as a trustworthy person working for a legitimate company or government organization, and attempting to get you to divulge your confidential information, such as a password to a bank account, or credit card details. Let's say he is pretending to work in the online security department at a large bank with millions of customers. If the prospective mark who picks up the phone turns out to not even have an account at that bank, the criminal can simply apologize for calling the wrong phone number, and then try another number. Other possible guises include an investigator at a major credit card company, or a representative from one of the big credit bureaus. The miscreant can try to pass himself off as a member of law enforcement, but that entails much greater risk should he get caught.
If you limit your retail purchases to cash, and you never fall prey to any pretexting attack, does that mean that you are immune to identity theft? Sadly, it doesn't, as long as you have some financial accounts online. For instance, you might receive an unexpected and official-looking e-mail message that appears to be from your online bank, Big Bux Savings. The message explains that, for whatever reason, you need to log into your account, and the nice people have helpfully included a link in the message for you to click on. You do so, and it takes you to a website that looks exactly like the one that you normally see when you log into your account. The only difference is that the address at the top of your Web browser is not the usual "https://www.bigbuxsavings.com/" but instead something like "http://bigbuxsavings.ix.com/" or, more brazenly, something like "http://220.127.116.11/". Your first attempt at logging in will fail — at least, from your perspective. To the criminals who created the fake website, your login attempt succeeded beautifully, because now they have your username and password, and will use it to drain your account as fast as they can. The favored name for this is "phishing", a term which is most likely a variation of "fishing", since the original e-mail message was acting as bait to lure the unsuspecting prey.
These are not the only ways that a tech-savvy bad guy can attempt to get your money, but they cover the majority of cases, and give you an idea of how easy it is for our reliance upon digital money to turn sour.
Vanquish those Villainous Vectors
Even though there are innumerable identity thieves out there, continually devising new methods of attack, you can successfully defend yourself against most of them. Let's address the four major attacks listed above, in that order.
To completely reduce the risk of becoming a victim of card skimming, you could use only cash for paying for any retail goods and services. After all, credit and debit card transactions in the outside world are much riskier than those performed online. But that would be rather inconvenient in today's digital world, and would also entail the risk of carrying around a lot more cash. A better approach is to insist upon keeping your card in view throughout the entire transaction, even if that means walking over to the cashier and requesting that the check be brought over, so you can pay it right there.
The best way to combat the dumpster divers is to be vigilant about shredding any papers that you are disposing of (preferably in a recycle bin, and not the trash). Your humble paper shredder could turn out to be worth its weight in gold (or at least silver). It is admittedly more difficult to get others to follow the same best practice. In those instances where you are on the spot — such as when providing personal and financial information at a medical or dental office — be sure to ask them what happens to any printouts. If someone processes your credit card using a manual imprinter, ask for all copies that the merchant is not required to keep, so you can shred them at home. The biggest challenge is the companies who store your personal data on their computers — and even worse, share them with other companies. Any time you open an account, insist that they flag your account to not allow distribution of your data to any other company, including subsidiaries and partners. Then call back a few days later, to verify that they made the change. Be prepared to be disappointed at how many companies ignore or flub the first request.
Pretexting is most efficiently defeated by simply asking for the caller's name, company, and toll-free telephone number. You can tell them that you are busy at the moment, but will call back shortly. Verify the telephone number with your records, before calling. By calling the company's number yourself, and asking for the representative by name, it confirms that she at least works for the company she claimed. If the request is legitimate, then the caller shouldn't have a problem with your request, and may be impressed with your wisdom in employing this simple but effective method. But if it is a pretexting attempt, then she may hang up immediately, or give you bogus information; either way, you have nipped that attack in the bud.
Phishing is of course best countered by not taking the bait — in other words, never click on a link within any e-mail message if it supposedly will take you to a site where you are expected to login. It is much safer to open a new browser window, and type in the Web address of the bank or other destination, or use your bookmarks, since you probably have that address saved already in your browser. Also, if you do ever notice an address that looks suspicious, do not proceed any further, but instead follow the aforesaid procedure. In the earlier example of "http://www.bigbuxsavings.com/" versus "http://bigbuxsavings.ix.com/", the only part that matters is what is just to the left of the ".com". The "ix.com" is a red flag, while the ""bigbuxsavings" in "bigbuxsavings.ix" does not make it legitimate. Keep in mind that financial firms and other organizations that store sensitive information in accounts that you can log into, should never ask you to click on a link in a message, but instead will simply instruct you to go to their site, or call their toll-free number. Lastly, your odds of inadvertently chomping on a baited hook are greatly reduced if you minimize the hooks in the water: Use an e-mail service with top-notch spam filtering, such as Gmail.
Other Strategies for Defense
Although not guaranteed to prevent you from becoming a victim, the methods outlined above can make a huge difference, especially when supplemented with additional countermeasures. When asked to give out your Social Security number by anyone other than the Social Security Administration or your employer, ask if a substitute number can be used. As noted earlier, shred all of your personal papers before tossing them in the recycle bin — particularly those from banks, credit card companies, and insurance companies. Switch to "paperless account statements".
When typing in your PIN at an ATM machine, retail store, or gasoline pump, shield the keypad from prying eyes. Bear in mind that those eyes do not necessarily have to be close and looking over your shoulder; they can be in a nearby van, using binoculars. Never use an ATM machine that looks very new or in an unusual location, because fake ones have been deployed and have snared many banking customers. When going out, only carry the cards and personal information that you would need for that particular trip.
Protect your postal mailbox and its contents. Collect the mail promptly, and drop off any important outgoing mail at a post office, and not an unprotected mailbox. Stop mail delivery if you will be away for awhile.
Keep an eye on your wallet or purse, even in the office. In the home, protect your confidential information from anyone outside the family, including service personnel making house calls. Avoid storing financial and other sensitive information on laptops and USB flash drives, or at least strongly encrypt it.
On your computer, be sure to use a firewall (to monitor both incoming and outgoing traffic), and periodically run up-to-date antivirus and anti-spyware programs if you ever download files or attachments from unverified sources. In fact, only open attachments from people you know and trust, and only after scanning for viruses. For surfing the Internet, use any browser instead of Internet Explorer. Never type in confidential information on any website if it is not a secure page; look for the image of a padlock in your browser and an address beginning with "https://". If you are sharing your computer with anyone else, logout of all secure sites when you are done using them, clear the cache, and close your browser.
Never give out confidential information over the telephone, and never send confidential information via unencrypted e-mail messages — including splitting credit card numbers into multiple messages, because that affords little protection.
Before disposing of any hard drive or computer containing one, delete all of your personal files, empty the Recycle Bin, and then utilize a "wipe" utility to sterilize all of the free space, using multiple passes, even if that requires running the process overnight. Otherwise, thieves and pranksters can recover your "deleted" data because it still resides on the hard drive even though the files are no longer seen by the operating system.
If you fear that your identity has in fact been stolen, contact the proper authorities. If it involves any financial data, immediately contact those institutions. Note that the Federal Trade Commission (FTC) has information on identity theft, as does the Privacy Rights Clearinghouse page "Identity Theft & Data Breaches".
Most if not all of these security measures can take extra time and effort, but they are nothing compared to the financial loss and sense of violation if and when you fall victim to identity theft. An ounce of prevention is worth a pound of cure.
Copyright © 2010 Michael J. Ross. All rights reserved.