Obtaining Information by Deceit
Identity Theft | Protect Your Identity | Recommendations | Reporting ID Theft
When your identity is stolen, you lose some things, but gain others.
You could lose all the cash in your bank account, or the title to your home.
But you might gain a criminal record, or a lien on your home mortgage.
Identity theft information is contained on three pages:
- Identity Theft: obtaining information by deceit
- Phone Fraud: scamming by phone
- Phishing: email scams
The information was written with computers in mind, but these warnings also apply to smart phones and tablets.
Obtaining Information by Deceit
Fraudulent phone calls, phishing emails and fake error messages generated by malware or website infections are all forms of identity theft perpetrated on innocent victims every day.
Identity theft is obtaining information about you that will enable someone else to impersonate you, allowing them to use your identity rather than their own.
While the thief obtains financial or other rewards, you are left with the financial loss or debt and may face criminal charges for crimes done using your ID.
Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.
Identity theft can be prevented if you take personal information and security seriously.
A Rapidly Growing Crime
Identity theft is a rapidly growing crime.
Online crime is more lucrative than traditional crime.
- Cybercrime is very profitable and low risk.
- The same Internet that opens the world to us, exposes us to the world's criminals.
- Criminals seldom get caught or prosecuted because most are located overseas.
- The vast potential market of gullible “marks” ensures success.
- Corporations are more interested in profiting from the information they gather online than securing that information.
- Data breaches are far too common and weaken our security without significant penalties for that business.
By ignoring security protocols and failing to learn about cybersecurity, people place themselves and their money at risk.
- Most criminal activity is based upon threats or transfer of trust.
- People don't understand the technology they're using.
- Mobile phones provide avenues of attack using deception and SIM card swapping.
- We treat cybersecurity like something imposed on us rather than something protecting us.
How much do you know about cybersecurity?
Test your knowledge about cybersecurity. It could help prevent identity theft from making you a victim.
Take the cybersecurity knowledge test to see how much you understand about online security and the terminology involved.
Once you've evaluated how well you understand the issue, read the information on this page to help you understand Cyber scams and how to avoid becoming a victim.
It Used to Be Harder
Obtaining personal information is much easier than it used to be.
At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.
Credit Information Easily Accessed
These days credit card applications appear unsolicited in your mailbox and are easily obtained online.
- Verification depends upon electronic data rather than hard copies (like the old signature card).
- The convenience of inter-branch banking and online transactions has resulted in poorer security (e.g., four-digit PINs).
- Using your smartphone to do banking has additional risks, especially if your device is lost or stolen.
The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.
Passwords: Your eSignature
For online transactions, passwords have replaced a signature (or the wax seal that kings once used) with a password.
Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something that protects them.
[R]ecent Verizon research shows…unsecure passwords are the cause of over 80% of all data breaches at companies.
Users Don't Take Passwords Seriously
Unfortunately, many don't take their passwords seriously.
Afraid they'll forget a password, they make it simple and use variations of the same password for every account they create.
The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password.
— LastPass Blog
Once hackers have one password, they can use it to hack into other services, just like a Twitter hack that exposed users data because an administrative assistant reused passwords:
A hacker found a personal e-mail account for the administrative assistant previously mentioned.
[T]he hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password.
In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps.
— Ira Winkler
Weak Passwords are Like Blank Cheques
Think of your passwords as a series of unsecured, pre-signed blank cheques. The only dollar limit is the size of your bank account.
Use a Password Manager
Learn how to create quality passwords and take advantage of other options like multifactor authentication to protect your online accounts.
A good password manager not only helps to provide unique and strong passwords for every site, but also can protect you by warning you when the site address doesn't match the address recorded for the site.
Unfortunately, password managers don't work on the CRA website because of very unusual and unnecessarily complicated login procedures. The CRA's suggestion? Manually enter the password!
Don't Post Answers to Security Questions
Be careful NOT to post the sorts of information on social media typically used for the “forgot my password” recovery.
We found that 51% of people believe there is no way a hacker could guess one of their passwords from information they've shared on social media.
But we know hackers aren't dumb — if you're being targeted and don't have a strong password guarding your account, it would take a hacker seconds to do a search on your social media profile, learn the name of your pet, family member — even learn when your anniversary is — and use that info to guess your password.
Don't make it that easy for them — try to be a bit discreet on social media.
— LastPass Blog
Choose Your Software Carefully
You probably check the doors and windows in your house before going to bed at night.
You need to secure your computer and software with the same diligence.
Ignorance is Your Undoing
Many people don't understand the risks of using obsolete or unsecured technology, especially the software you use to access the Internet.
Online security is inconvenient but so are seat belts, door locks and insurance.
Choose a good security suite then learn how to use it to protect your computer and your privacy.
Victims Unfamiliar with Technology
Most of the victims of identity theft are using technology they don't understand.
- Victims use passwords that are easily guessed and often reused elsewhere.
- Their passwords may have been compromised in a data breach (that's why you change ALL your passwords when you're notified of a breach.)
- Victims don't use a password manager much less unique and strong passwords for every account.
- Victims run obsolete email programs and vulnerable web browsers with obsolete or insecure addons and vulnerable plugins.
- Victims are unwilling to learn about risky behaviour or change their habits to reduce those risks.
The politicians making the laws that are supposed to protect you seldom understand the effects those laws will have on privacy. They obtain most of their advice from the very companies that are exploiting consumers on the Internet.
Protect Your Identity
Everyone is Gathering Information
Everyone is collecting information about you and your profile is available for sale to anyone willing to pay.
Do NOT buy into the myth that privacy means you have something to hide.
Companies spouting the “nothing to hide” line claim they're “just collecting metadata”, but will accuse you of hacking if you returned the favour.
[T]here is another reason websites track you — it's because you're worth a lot of money.
Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you.
— Check Point blog
With your email address, they can send their advertising right to your inbox.
The more you reveal, the easier it is to target you. If they know your marital status and how many children you have, they can identify potential markets.
Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.
Retailers like Home Depot ask if you'd like an email receipt. That's a sneaky way to obtain your email address.
Your Purchases Reveal a Lot
The sorts of items you buy, particularly the precise combination of items, can tell a lot about you.
Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.
Protect Personal Information
Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:
- Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
- Mother's maiden name.
- Where you were born.
- Your birth year.
- Bank PINs.
- Passport information.
- Driver's licence.
Be careful about revealing billing addresses and employment information as well.
The successful completion of many credit card transactions may require that your shipping address match the credit card's billing address.
This information is not necessary for most other transactions.
Personal DNA Tests
Most people would be leery of any request to fingerprint them yet millions have ordered personal DNA tests without considering the potential privacy issues.
Tracking your genealogy has become very popular. Sites like Ancestry and 23andMe offer kits to take your DNA and use it to tell you more about your family history.
This has never happened before. It hasn't happened with fingerprints, it hasn't happened with DNA. Until now there's been a line, that unless you commit a crime we don't record the facts of your body.
— Alvaro Bedoya
There is nothing more personal than your DNA.
Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can't be changed.
— Consumer Reports
But these sites aren't as private or innocuous as they'd have you believe.
When you're consenting [to the terms and conditions], you're not only consenting to [use of] your own DNA, but you're in effect consenting on behalf of everybody you're related to. Our laws of consent are not really designed for something like this.
— B.C.'s Privacy Commissioner
In fact, they sell your DNA data to third parties and often retain more rights to your DNA than you do after you agree to their contract.
But the DNA and genetic data that Ancestry.com collects may be used against “you or a genetic relative.” According to its privacy policies, Ancestry.com takes ownership of your DNA forever. Your ownership of your DNA, on the other hand, is limited in years.
— Joel Winston
In an internal memo, Pentagon leadership has urged military personnel not to take mail-in DNA tests, warning that they create security risks, are unreliable and could negatively affect service members' careers. [S]ervice members were encouraged to get genetic informationfrom a licensed professional rather than a consumer product.— New York Times
- Ancestry receives German “big brother” award for misleading information.
- Your genetic data isn't safe — Consumer Reports.
- DNA tests expose more than we think.
- Genetic testing firms share your DNA data more than you think.
- Your DNA is a valuable asset, so why give it to ancestry websites for free?
- How DNA companies like Ancestry and 23andMe are using your genetic data.
- 5 biggest risks of sharing your DNA with consumer genetic-testing companies.
- Ancestry.com takes DNA ownership rights from customers and their relatives.
- The pros and cons of genetic testing.
- How to delete your data from every DNA testing service.
Posting on Social Media Sites
People sometimes post things on Facebook or other social media (or reveal them to strangers over the phone) without thinking about the consequences.
Facebook and Google knows more about you than your family and friends do. They never forget.
Information that allows you to recover a lost password should be something you remember, but strangers can't know. That security is lost if you post it on Facebook.
These personal facts are commonly posted by people:
- Family genealogy.
- Pet names.
- Former residences and occupational information.
- Your school and other educational information.
- Sports teams and celebrities you admire.
- Marriage dates and locations.
Unfortunately, these answer the commonly-used questions that password-recovery options employ.
Most accounts are compromised by using the password recovery mechanism which invariably requires the correct response to the very personal questions people post on social media.
Sure, you will remember the answers (the reason companies use them), but so will everyone that views your posts. (Hint: it isn't just your friends and family.)
These questions are too easy to research or bring up in casual conversation.
"The Cloud" Has Risks
Cloud computing (as “in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.
While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection. All they need is your email address and password.
- How do you secure the cloud? New data points a way.
- Top cloud security controls you should be using.
Banning Encryption Short-sighted
Legislation is pending in some locations (including in the US and possibly Canada) to ban consumer encryption or to ensure that back doors for police access are added. This is very short-sighted.
- Effective encryption could help reduce the risk of hacks like those noted above.
- Back doors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible to the “good guys.”
- Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.
Yes, encryption is used by criminals. So are locks, fences, roads, public utilities, telephone systems, etc. Should we remove everyone's access to those resources as well?
It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't use them to defeat our security protections.
Much of the Internet is broken, a result of greed and exploitation at the expense of those who simply want information and entertainment but don't consider the risks of their behaviour.
It is recommended that you examine your security practices closely to see if they are up to protecting your online identity and privacy.
Anyone telling you otherwise is probably exploiting your ignorance.
Online Security Course
Lockdown is a 90 minute online course that will dramatically reduce your risk of having your online accounts hacked. Learn more…
Neil expertly and passionately breaks down personal security into small, actionable episodes that my parents could even understand.
[G]reat for reluctant tech users for whom technology is alienating, frustrating, but also necessary.
Protect Your Phone
Your smart phone is a portable computer with access to a great deal of your personal data, not to mention a very common method of multifactor authentication.
That smartphone in your pocket is an identity thief's dream. It has your email, IM, social media, and other apps, potentially logged in and available. It contains personal data galore, including all your contacts.
A thief who has unfettered access to your phone owns your identity, period.
Watch Out for Malicious Attachments
One of the most common methods of attack are to send a phishing email with an infected attachment.
Learn more about safer email practices including how to avoid malicious attachments.
What Are Headers?
If you have issues with an email you received, whether it is because you're reporting spam or something else, you'll be asked to look at “the headers.”
See finding the headers to learn how to locate these.
Use Encrypted HTTPS Sites Where Possible
HTTPS is a secure protocol used by websites that encrypts traffic between the site's server and your browser.
Few sites use the old HTTP protocol by default (but may load it if you directly request it based upon a link you're following or a bookmarked site).
If you load just the domain name (e.g., domain.com) into your browser's address bar, it should load a secure site if one is available. Be sure to change your bookmarks accordingly.
Learn more about HTTPS how it keeps you safe.
Choose a Safer Browser
Your choice of web browser can make a difference in your ability to remain safe online.
Keep it Updated
Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.
Firefox is a much safer browser to use. As an independent stand-alone product it is less vulnerable to cross-program security issues.
Because it isn't tied to an operating system or a search company, it can focus on its users rather than those controlling the purse strings.
Stop Using Google Chrome
Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail).
Google makes their money by exploiting information you provide. Google NEVER forgets.
The widespread use of Chrome also gives Google a huge amount of control over how the Web works.
Don't Use Internet Explorer
Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web.
While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.
Microsoft should have killed it off with the release of Windows 10 and Microsoft Edge.
More About Browsers
Learn more about web browsers and plugs, vulnerabilities in Internet software and how to browse safer.
More information about how to prevent identity theft:
- Prevent identity theft with these 11 essential steps.
- How to protect yourself against identity fraud.
- How to enable data theft protection measures.
- Fraud Awareness & Prevention.
- Privacy, identity & online security — US Federal Trade Commission.
- BetterDefend's articles on identity theft.