May 2, 2012
Identity theft is nothing new, but the rise of the Internet has turned ID theft into a multibillion-dollar international business. There are plenty of companies out there that want to sell you protection services, for a fee, which usually involve some form of monitoring of your credit report and your accounts, plus an insurance policy, but there is little information on how to effectively protect yourself from being a target.
The Federal Trade Commission (FTC) has devoted an entire website to educating the public, and created pithy posters to promote their 3-Ds of identity theft: Deter; Detect; Defend. While detection and remediation are important, the best way to deal with identity theft is to deter it by protecting your information. Unfortunately, the deter portion of the FTC’s website is pretty light:
- Shred financial documents before you discard them
- Protect your social security number
- Don’t give out personal information to unknown parties
- Never click links on unsolicited emails
- Don’t use an obvious password
- Keep your personal information in a secure place at home
This is a fine list, but it really doesn’t go far enough to make it useful. As an example, the government says don’t use an obvious password. Well DUH! They don’t tell you how to create a non-obvious password, how to keep it secure, and how to remember it when you need it.
To understand how to protect yourself from identity theft, you first need to understand how thieves get your information. The FTC site refers to dumpster diving, skimming, phishing, hacking, and stealing. These are all true, but it is more useful to think in terms of targeted attacks and untargeted attacks. In a targeted attack, a thief is trying to steal YOUR identity. He is trying to take some piece of information he has obtained on you, combine it with other information, and use it to steal your identity. An example would be a thief rummaging through your trash can. The thief finds an envelope from your bank, a printed email with your address on it, and a picture of your dog Spot. He uses this information to visit your bank’s website and tries to get the bank to issue him a password by providing your billing address, your email address and your dog’s name in response to challenge questions. This is a very targeted attack and it takes an investment of time on the part of the thief.
An untargeted attack is often a hack of a website. An attacker steals your information, such as your user name, email address and password, from one website and then tries to use that information on other websites. This attack is untargeted because the attacker is simply running programs against hundreds or thousands of people and sites. The thief is trying to steal SOMEONE’s identity but has no idea who you are. A recent study showed that 73% of users reuse their bank passwords on other sites. Thieves know that most people use the same passwords on multiple sites, so if they can get yours, they can try it on every major bank and credit card company’s site and will get lucky some percentage of the time.
Based on these two types of attacks, there are several things you can do to make it harder for someone to steal your identity.
1. Use multiple email addresses – Your email address is half of the information a thief needs to get into many of your online accounts. If you use the same email address on every website, you increase your vulnerability to attacks. Set up separate email addresses for different purposes. Use one address for financial sites, a different address for commerce sites, and yet another address for your social sites. Ideally, you’d use a different address for every web site, but this can be onerous to maintain. To simplify your life, use free email services like Gmail and forward those addresses to a single email box. Gmail makes this process simple. Just click on the forwarding tab in your settings and add a forwarding address.
2. Use a password algorithm – The FTC recommends you use a non-obvious password, but they don’t tell you how to create one. Also, even if your password is complex, if you use the same password on every web site, a thief can steal your password from one site and use it on other sites. A password algorithm makes this process easier.
An algorithm is “a set of rules for solving a problem in a finite number of steps, as for finding the greatest common divisor.” For passwords, we want to create a formula that allows you to create a password that is non-obvious, complex, unique to every website, and easy to remember. The best way to do this is to combine some characters which you re-use with some characters that are unique to the site. As an example, let’s say you want to create a password algorithm that combines your birth date (January 1 1990), your dog (Spot), and something unique. Your algorithm might be: month and day + Sp0t + first 3 letters of website URL + exclamation point. With this algorithm, you’d end up with the following passwords for this list of web sites:
- www.amazon.com – 0101Sp0tama!
- www.ebay.com – 0101Sp0teba!
- www.google.com – 0101Sp0tgoo!
As you can see, each password is unique. A thief who steals your password from one site won’t be able to reuse it. Even if the thief looks at the password, it won’t be obvious how the password was derived. It’s also easy to remember. You could visit the site only once a year and still remember the password. If your password is ever compromised, change your algorithm.
Create your own algorithm. Your passwords should be long (8 characters minimum but preferably longer), complex (containing a combination of letters, numbers and special characters), and unique to each system. Substituting numbers for letters, such as replacing an O with a 0, no longer adds complexity because the hacker tools test for this. Your best bet is to combine some random characters that mean something to you with some characters that are specific to the site. Alternatively, you could try a random password generator that stores the passwords on your phone. There are several available for iPhone and Android. I personally dislike this approach because it requires you to have your phone to get the password, but it is arguably more secure. Security is often a trade-off with usability.
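To make the recipe above concrete, here is an added example (not code from the original post) that implements that exact algorithm in Python and checks each derived password against the post’s own rules: at least 8 characters, a mix of letters, digits and special characters, and unique per site. The fixed parts (“0101”, “Sp0t”, “!”) are the post’s constructed sample values; stripping the scheme and the “www.” prefix before taking the first three letters is an assumption, and the collision check shows why a three-letter site fragment alone does not guarantee uniqueness.

```python
"""Per-site password algorithm from the post: month+day + Sp0t + first 3 letters of site + '!'."""
from urllib.parse import urlsplit

FIXED_PREFIX = "0101"   # month and day of the constructed birth date, January 1
FIXED_WORD = "Sp0t"     # the re-used secret component from the post
SUFFIX = "!"            # the post's trailing exclamation point


def site_fragment(url: str) -> str:
    """First three letters of the site name, ignoring any scheme and a leading 'www.' (assumed)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host[:3]


def derive_password(url: str) -> str:
    """Apply the post's algorithm to one site URL."""
    return f"{FIXED_PREFIX}{FIXED_WORD}{site_fragment(url)}{SUFFIX}"


def check_policy(password: str):
    """Return the post's rules that the password fails; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() for c in password):
        problems.append("no special characters")
    return problems


def derive_all(urls):
    """Derive a password per site and report sites whose passwords collide (not unique)."""
    passwords, by_password = {}, {}
    for url in urls:
        pw = derive_password(url)
        passwords[url] = pw
        by_password.setdefault(pw, []).append(url)
    collisions = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    return passwords, collisions


if __name__ == "__main__":
    pws, clashes = derive_all(["www.amazon.com", "www.ebay.com", "www.google.com", "www.amazing.com"])
    for url, pw in pws.items():
        print(f"{url:20} {pw}  {check_policy(pw) or 'ok'}")
    print("collisions:", clashes)
```

Run it and the constructed site www.amazing.com produces the same password as www.amazon.com, which is the case to watch for when you design your own site-specific component.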
Either way, it’s a good idea to write down your passwords and store them in a secure place (a safe). Or, store your passwords on a USB drive in a password vault like KeePass (and of course keep the USB drive in your safe). If you ever need to change your passwords, it’s useful to have a list of sites. And if you are ever incapacitated, your spouse/significant other will need your passwords to get access to your shared data. These days, passwords are an important part of estate planning. Sorry to be a buzz-kill.
3. Lie – I know your mother told you to never lie, but lying is useful when protecting your identity. Many sites and companies will ask you for additional personal information, such as your mother’s maiden name, the make/model of your first car, or your favorite pet’s name. They use this information as challenge questions/answers to try to verify who you are, especially if you forget your password. Companies use these questions because they assume they will be easy for you to remember. Unfortunately, much of this information is available publicly. A thief specifically targeting you can use social sites like Facebook, search engines like Google and people search, and family tree sites like ancestry.com to try to guess this information.
The answers you provide are really just another set of passwords. Make something up. If your dog’s name is Spot, tell the website his name is Rover. Better yet, create another password algorithm for challenge phrases and tell the website his name is 07r0v3r04. It’s not like they’re going to check. Don’t forget to write these values down too and store them in a safe place.
4. Get a P.O. box – Your home mailbox is a double source of vulnerability. First, unless your mailbox locks, thieves can and will steal your mail. Bank statements, credit card statements, and cancelled checks are like gold to a thief. Additionally, your billing address is often used to validate that the person using your credit card is you. If I know your card number and your home address, I can get a website to ship products anywhere. P.O. boxes help with both problems. They’re secure, meaning they’re locked and in a monitored location. This makes it harder for someone to steal your mail. Also, they’re harder to guess. Get a P.O. box that you use for all your financial relationships.
5. Buy another computer – Visit enough web sites, read enough email, and eventually you’ll run a high risk of becoming a victim of a virus, worm or phishing attack. Criminals are now writing special malware such as the “Gameover” virus designed specifically to steal your online financial credentials. One of the best defenses for this is to buy another computer that you use only for your online financial purposes. Do all of your banking, bill paying, etc. on this computer, but never use it for email or general web browsing and never let your kids use it. Online banking doesn’t take much in the way of computer power, so you can get another PC for a couple of hundred dollars that will do the trick. Think of it as cheap insurance.
6. Stop sharing so much information – If you use social sites like Facebook or Google+, you are likely telling too much about yourself. While it’s cool to have everyone you’ve known since kindergarten wish you a happy birthday once a year, is it worth your identity? The less private information you publish about yourself, the less information is available for the bad guys to steal. If you insist on sharing this info, use the privacy settings to restrict it to friends only.
7. Pay your bills electronically – Every time you give someone a check, you are giving them your bank name, account number and a copy of your signature. Checks = evil. Reduce this and simplify your life by paying your bills electronically. PayPal is great for this because the only information you are sharing is your email address. If they don’t accept PayPal, use your credit cards or your bank’s billpay service.
8. Shred Everything – If you don’t already have one, buy a really good, high-volume shredder. Although the FTC recommends shredding “financial documents,” if you want to protect yourself from dumpster divers, you need to shred a whole lot more. Shred every junk mail offer for credit, insurance or banking. Shred every bill you pay. Shred every bank statement, credit card statement, and insurance document. Shred every email you print. Shred every work document you bring home. When in doubt, shred it. The idea is to give someone looking through your trash nothing that contains useful information. If this seems paranoid, it is. That’s a good thing. If sitting in front of a shredder every weekend doesn’t sound like your idea of fun, consider a shredding service like Shred Nations.
9. Buy some locks – Identity thieves are sometimes someone you know. Visitors to your house, repairmen, maids, and casual friends are all possible identity thieves. Again, this may sound a little paranoid, but a little paranoia is a good thing. Invest in a safe and/or a locking file cabinet and use it to lock up important papers. Don’t forget to lock up those unpaid bills and blank checks.
10. Use a monitoring service – Monitoring services are useful. Even if you take all the above steps, the possibility remains that someone will get hold of some of your data and attempt to steal your identity. Get a monitoring service, but choose your service carefully. LifeLock is widely known due to its marketing, but the company has a lousy reputation. Choose a service from your bank or one of the credit reporting agencies.