• Home »
• Self-Help Resources »
• Identity Theft

Identity Theft

Obtaining Information by Deceit

Identity Theft | Protect Your Identity | Recommendations | Reporting ID Theft

There are a few basic psychological tricks that phishing attacks and phone scams attempt to use against us — and the pandemic has provided the perfect environment for them.
— BBC Future

---

Identity theft information is contained on three pages:

1. Identity Theft: obtaining information by deceit
2. Phone Fraud: scamming by phone
3. Phishing: email scams

The information was written with computers in mind, but these warnings also apply to smart phones and tablets.

---

Obtaining Information by Deceit

Fraudulent phone calls, phishing emails and fake error messages generated by malware or website infections are all forms of identity theft perpetrated on innocent victims every day.

Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal using your identity rather than their own.

While the thief obtains financial or other rewards as a result, you are left with the financial loss or debt as well as potential criminal charges. Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.

A Rapidly Growing Crime

Identity theft is a rapidly growing crime. Online crime is more lucrative than traditional crime.

I see several important reasons for this.

• Most criminal activity is based upon threats. The vast potential market of gullible “marks” ensures success.
• People don't understand technology they're using, either at home or in the workplace.
• Mobile phones have provided a new avenue of attack: SIM card swapping.
• We treat cybersecurity like something imposed on us rather than something protecting us.
• We forget that the same Internet that opens the world to us, exposes us to the world's criminals.
• Corporations are more interested in profiting from the information they gather from us online than securing that information.
• Security breaches are far too common and weaken our security without significant penalties for that business.
• Cybercrime is very profitable and the criminals seldom get caught or prosecuted because they're overseas.

Threats from “Tax Authorities”

The Canada Revenue Agency (CRA) will not phone, text or email you unexpectedly (with few exceptions). Nor will the government phone you to tell you your SIN has been compromised.

• Never follow links in texts or emails.
• Look up your tax documentation for accurate information (i.e., your Notice of Assessment).

Know what to expect when the CRA contacts you. The CRA will never:

• set up a meeting with you in a public place to take a payment
• demand immediate payment by Interac e-transfer, bitcoin, prepaid credit cards or gift cards from retailers such as iTunes, Amazon, or others
• threaten you with arrest or a prison sentence

The following are resources provided by the CRA:

• Slam the scam — Protect yourself against fraud.
• Samples of fraudulent emails.

Security Breaches Affect You

Each time there is a security breach containing your information, it has the potential to reveal a pattern in your password use. In the very least it provides the personal information that was used to create and maintain your account.

Equifax Data Breach

Equifax was hacked sometime between May and July 2017 but didn't report it until September. Equifax used the least effective security possible.

Meanwhile, Some Equifax executives sold off their holdings.

As many as 143 million Americans are said to be affected, the company said, representing about half of the US population. Some UK and Canadian residents are also affected, the statement confirmed.
— ZDNet

TransUnion Data Breach

TransUnion suffered a data breach in 2019 that affects Canadians.

The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record. TransUnion says someone fraudulently accessed data using a customer's login credentials.
— CBC

Getting Worse, Not Better

It is disconcerting that those protecting businesses from fraud are so lax in their security that they can be hacked, exposing private data intended to prevent fraud.

The number, frequency and size of security breaches are not improving. Companies are protecting their servers, not their users' information.

Often companies don't even realize they've been hacked until long after the data has made its way into the dark web.

68% of breaches take months or longer to detect.
— Menlo Security

More About Data Breaches

Learn more about the privacy risks that data breaches create and how you can better prepare yourself.

The history of data breaches includes some of the largest and most damaging on record as well as how to prevent data breaches.

Other Forms of Exposure

Hacking is not the only way that data breaches happen.

Facebook is NOT Your Friend

Facebook allowed other companies like Cambridge Analytica to cull information about Facebook users. That information was used for unethical purposes such as affecting the outcome of elections and attempting to modify the moods of users.

There have also been reports that Facebook customer data was stored on websites unprotected by any security (you only had to know the web address to download the information).

Social media like Facebook seem to raise particular risks, with phishers enjoying a much higher hit rate — perhaps because they can glean more information to personalise their messages, and because we are so keen to build our friendship group. Quite simply, the more you use a particular social network, the more likely you are to fall for a scam on that app.
— BBC Future

One of the best security moves you can make is to get off Facebook.

NCIX Computers Never Wiped Customer Data Before Sale

One local example is the sale of personal information about former customers following the bankruptcy of computer retailer NCIX in Vancouver.

This personal information included IP, home and email addresses, passwords, credit card information and social insurance numbers.

Not only did the company fail to ensure that the computers containing customer information were wiped, but that data was so poorly encrypted that the information was sold on Craigslist.

Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not remove liability for those responsible for not securing that information, including the former officers of that company.

Online Crime Treated Like White Collar Crime

Much like white-collar criminals, online criminals face far lighter repercussions if they are caught than someone robbing a store or kidnapping for ransom because it is assumed that cyber crime is not as serious. Victims of white collar or cyber crimes would disagree.

As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change.
— Daniel Burrus

In addition, most of these crimes are committed abroad where it is much more difficult to prosecute the perpetrators.

White Collar Crime Punished Lightly

One of the reasons that the loss of personal information occurs is that companies don't see any reason to spend money to protect information they didn't pay for in the first place.

Until such crimes are punished appropriately and to the same degree as a similar blue-collar crime, these breaches will continue.

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.

Credit Information Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily obtained online.

• Verification depends upon electronic data rather than hard copies (like the signature card previously used for verification).
• The convenience of inter-branch banking and online transactions has resulted in poorer security.
• The move to using your smartphone to do banking has additional risks, especially if your device is lost or stolen.

The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.

Passwords: Your eSignature

For online transactions, passwords have replaced a signature (or the wax seal that kings once used) with a password.

Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something that protects them.

[R]ecent Verizon research shows…unsecure passwords are the cause of over 80% of all data breaches at companies.
— ZoneAlarm

Users Don't Take Passwords Seriously

Unfortunately, many don't take their passwords seriously.

Afraid they'll forget a password, they make it simple and use variations of the same password for every account they create.

The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password.
— LastPass Blog

Once hackers have one password, they can use it to hack into other services, just like a Twitter hack that exposed users data because an administrative assistant reused passwords:

A hacker found a personal e-mail account for the administrative assistant previously mentioned. [T]he hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password. In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps.
— Ira Winkler

Weak Passwords are Like Blank Cheques

Think of your passwords as a series of unsecured, signed blank cheques. The only limit is the size of your bank account.

Learn how to create secure passwords and take advantage of other options like multi-factor authentication to protect your online accounts.

Don't Post Answers to Security Questions

Don't post the sorts of information typically used for the “forgot my password” recovery on social media.

We found that 51% of people believe there is no way a hacker could guess one of their passwords from information they've shared on social media. But we know hackers aren't dumb — if you're being targeted and don't have a strong password guarding your account, it would take a hacker seconds to do a search on your social media profile, learn the name of your pet, family member — even learn when your anniversary is — and use that info to guess your password. Don't make it that easy for them — try to be a bit discreet on social media.
— LastPass Blog

Choose Your Software Carefully

You need to change some habits to protect yourself from malicious attacks.

You probably check the doors and windows in your house before going to bed at night. You need to secure your computer and software with the same diligence.

Ignorance is Your Undoing

Many people don't understand the risks of using older or unsecured technology.

Victims Unfamiliar with Technology

Most of the victims of identity theft are using technology they don't understand. Nor do the politicians making the laws that are supposed to protect you.

• Victims use passwords that are easily guessed and often repeated everywhere.
• Their passwords may have been compromised in a data breach (that's why you change ALL your passwords when you're notified of a breach.)
• Victims don't use a password manager or unique, strong passwords for every account.
• Victims run obsolete email programs and vulnerable web browsers with obsolete or insecure addons and vulnerable plugins.
• Victims are unwilling to learn about risky behaviour or change their habits to reduce those risks.

Online security is inconvenient. So are seat belts, locks and insurance.

Choose a good security suite and learn how to use it to protect your computer and your privacy.

Return to top

Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you and your profile is for sale.

[T]here is another reason websites track you — It's because you're worth a lot of money. Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you.
— Check Point blog

With your email address, they can send their advertising right to your inbox.

The more you reveal, the easier it is to target you. If they know your marital status and how many children you have, they can identify potential markets.

Weird Online Data Dump

An open (not password protected) 4 terabytes of data from the People Data Labs (PDL) and OxyData.io (OXY) contained cross-linked information on over 1.2 billion people was found on October 16, 2019. PDL and OXY are data enrichment companies. What they do is allow companies to search:

• Over 1.5 billion unique people, including close to 260 million in the US
• Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
• Over 420 million LinkedIn URLs
• Over 1 billion Facebook URLS and IDs.
• 400 million+ phone numbers. 200 million+ US-based valid cell phone numbers.

De-duplicating the nearly 3 billion PDL user records revealed roughly 1.2 billion unique people, and 650 million unique email addresses, which is in-line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIN information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person's Facebook, Twitter, and Github URLs.
— Check Point blog

It is interesting that the data is an accurate copy of data obtained from 2 different companies blended into one database. Someone either was a very large customer of both companies or managed to hack both databases. What was the reason it was available on an open IP address (35.199.58.125) rather than hidden away?

Who's Accountable?

Someone should be held accountable for both scraping (collecting) such data then combining it for profit as well as allowing it to be copied into an unprotected cloud account unnoticed.

If both companies (and the company officers) were bankrupted for this breach, perhaps the tracking of such sensitive data would be less attractive and companies would spend money securing the data as carefully as they secure the computers it is hosted on.

Loyalty Cards

Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.

Your Purchases Reveal a Lot

Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.

Dealing with Spam

Learn how to identify and deal with spam.

Don't unsubscribe from lists that you didn't ask to be placed on in the first place. Ethical companies don't use sneaky opt-out techniques in the first place.

Beware of Phone Callers

Phone calls about computer viruses, credit card deals, overseas credit card expenditures, holiday specials or warnings that you're about to get arrested for unpaid taxes are all scams. Just hang up.

Protect Personal Information

Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:

• Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
• Mother's maiden name.
• Where you were born.
• Your birth year.
• Bank PINs.
• Passwords.
• Passport information.
• Driver's licence.

Be careful about revealing billing addresses and employment information as well.

The successful completion of many credit card transactions may require that your shipping address match the credit card's billing address.

This information is not necessary for most other transactions.

Personal DNA Tests

This has never happened before. It hasn't happened with fingerprints, it hasn't happened with DNA. Until now there's been a line, that unless you commit a crime we don't record the facts of your body.
— Alvaro Bedoya

There is nothing more personal than your DNA.

Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can't be changed.
— Consumer Reports

Tracking your genealogy has become very popular. Sites like Ancestry and 23andMe offer kits to take your DNA and use it to tell you more about your family history.

Privacy Costs

But these sites aren't as private or innocuous as they'd have you believe.

When you're consenting [to the terms and conditions], you're not only consenting to [use of] your own DNA, but you're in effect consenting on behalf of everybody you're related to. Our laws of consent are not really designed for something like this.
— B.C.'s Privacy Commissioner

In fact, they sell your DNA data to third parties and often have more rights to your DNA than you do after you agree to their contract.

But the DNA and genetic data that Ancestry.com collects may be used against “you or a genetic relative.” According to its privacy policies, Ancestry.com takes ownership of your DNA forever. Your ownership of your DNA, on the other hand, is limited in years.
— Joel Winston

If you're going to get involved with these companies, realize that they hold all the cards. Be sure to examine their privacy policy and opt out (where possible) for your own protection.

In an internal memo, Pentagon leadership has urged military personnel not to take mail-in DNA tests, warning that they create security risks, are unreliable and could negatively affect service members' careers. [S]ervice members were encouraged to get genetic information from a licensed professional rather than a consumer product. — New York Times

• Ancestry receives German “big brother” award for misleading information.
• Your genetic data isn't safe — Consumer Reports.
• DNA tests expose more than we think.
• Genetic testing firms share your DNA data more than you think.
• Your DNA is a valuable asset, so why give it to ancestry websites for free?
• How DNA companies like Ancestry and 23andMe are using your genetic data.
• 5 biggest risks of sharing your DNA with consumer genetic-testing companies.
• Ancestry.com takes DNA ownership rights from customers and their relatives.
• The pros and cons of genetic testing.
• How to delete your data from every DNA testing service.

Posting on Social Media Sites

People sometimes post things on Facebook or other social media (or reveal them to strangers over the phone) without thinking about the consequences.

Facebook and Google knows more about you than your family and friends do. And they never forget anything.

Information that allows you to recover a lost password should be something you remember, but strangers can't know. That security is lost if you post it on Facebook.

These personal facts are commonly posted by people:

• Family genealogy.
• Pet names.
• Former residences and occupational information.
• Your school and other educational information.
• Sports teams and celebrities you admire.
• Marriage dates and locations.

Password Recovery

Unfortunately, these answer the commonly-used questions that password-recovery options employ.

Most accounts are compromised by using the password recovery mechanism which invariably requires the correct response to personal questions.

Sure, you will remember the answers (the reason companies use them), but so will everyone that views your posts. Hint: it isn't just your friends and family.

These questions are too easy to research or bring up in casual conversation.

"The Cloud" Has Risks

Cloud computing (as “in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection.

• How do you secure the cloud? New data points a way.
• Top cloud security controls you should be using.

Banning Encryption Short-sighted

Legislation is pending in some locations (including in the US and possibly Canada) to ban encryption or to ensure backdoors for police access are added. This is very short-sighted.

• Effective encryption could help reduce the risk of hacks like those noted above.
• Backdoors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible to the “good guys.”
• Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.

Yes, encryption is used by criminals. So are locks, fences, roads, public utilities, telephone systems, etc. Should we remove everyone's access to those as well?

It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't find them then use them to negate our security protections.

Return to top

Recommendations

Much of the Internet is broken, a result of greed and exploitation at the expense of those who simply want information and entertainment but don't consider the risks of their behaviour.

Lockdown Security Course

Lockdown is a 90 minute online course that will dramatically reduce your risk of having your online accounts hacked. Learn more…

Neil expertly and passionately breaks down personal security into small, actionable episodes that my parents could even understand.

 

[G]reat for reluctant tech users for whom technology is alienating, frustrating, but also necessary.

Watch Out for Malicious Attachments

One of the most common methods of attack are to send a phishing email with an infected attachment.

Learn more about safer email practices including how to avoid malicious attachments.

What Are Headers?

If you have issues with an email you received, whether it is because you're reporting spam or something else, you'll be asked to look at the headers.

See finding the headers to learn how to locate these.

Use Encrypted HTTPS Sites Where Possible

HTTPS is a secure protocol used by websites that encrypts traffic between the site's server and your browser.

Learn more about HTTPS how it keeps you safe.

Choose a Safer Browser

Your choice of web browser can make a difference in your ability to remain safe online.

Keep it Updated

Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.

Firefox Recommended

Firefox is a much safer browser to use. As an independent stand-alone product it is less vulnerable to cross-program security issues.

It isn't tied to an operating system or to a search company, so it can focus on its users rather than those controlling the purse strings.

Google Chrome

Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail).

Google makes their money by exploiting information you provide. Google NEVER forgets.

Don't Use Internet Explorer

Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web. While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.

More About Browsers

Learn more about web browsers and plugs, vulnerabilities in Internet software and how to browse safer.