Russ Harvey Consulting - Computer and Internet Services

Identity Theft

Obtaining information by deceit

Identity Theft | Protect Your Identity | DNA Tests
Recommendations | Reporting ID Theft

A hooded man with an “Anonymous” mask sits before a laptop computer.

Identity theft information is contained on these pages:

  1. Identity Theft: obtaining information by deceit
  2. Vishing: scamming by phone
  3. Phishing: scamming by email
  4. Computer Support Scams

This page will help teach you how to prevent yourself from becoming a victim of identity theft.

When your identity is stolen, you lose some things, but gain others.

 

You could lose all the cash in your bank account, or the title to your home.

 

But you might gain a criminal record, or a lien on your home mortgage.
PCMag
93% of cybersecurity experts and 86% of business leaders believe global geopolitical instability is likely to lead to a catastrophic cyberattack in the next two years.
MasterCard: Securing the digital economy March 2023

The information was written with computers in mind, but these warnings also apply to smartphones and tablets.

Obtaining Information by Deceit

Fraudulent phone calls, phishing emails and fake error messages generated by malware or website infections are all forms of identity theft perpetrated on innocent victims every day.

Identity theft is obtaining information about you that will enable someone else to impersonate you, allowing them to use your identity rather than their own.

While the thief obtains financial or other rewards, you are left with the financial loss or debt and may face criminal charges for crimes committed while using your ID.

Spot Fraud. Stop Fraud. 6 red flags to look for.

 

Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.

Identity theft can be prevented.

Examine your security practices closely to see if they are up to protecting your online identity and privacy.

A Rapidly Growing Crime

Identity theft is a rapidly growing crime.

People place themselves and their money at risk when they ignore security protocols and fail to learn about cybersecurity.

How much do you know about cybersecurity?

Test your knowledge about cybersecurity.

The content on this page will help you to avoid becoming a victim of identity theft.

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.

Credit Information Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily obtained online.

The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.

Passwords: Your eSignature

For online transactions, passwords have replaced a signature (or the wax seal that kings once used).

Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something that protects them.

[R]ecent Verizon research shows…unsecure passwords are the cause of over 80% of all data breaches at companies.
ZoneAlarm

Users Don't Take Passwords Seriously

Unfortunately, many don't take their passwords seriously.

Afraid they'll forget a password, they make it simple and use variations of the same password for every account they create.

Though 91% of the respondents profess to understand the risks of using the same passwords across multiple accounts, 59% said they did so anyway. For 61%, it is the fear of forgetfulness that was the primary reason for password reuse. Fifty percent say they reuse passwords across multiple accounts because they want to know and be in control of their passwords all the time.
DarkReading 2018

Once hackers have one password, they can use it to hack into other services, just like a Twitter hack that exposed users data because an administrative assistant reused passwords:

A hacker found a personal e-mail account for the administrative assistant previously mentioned.

 

[T]he hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password.

 

In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps.
Ira Winkler

Weak Passwords are Like Blank Cheques

Think of your passwords as a series of unsecured, pre-signed blank cheques. The only dollar limit is the size of your bank account.

Use a Password Manager

Learn how to create quality passwords and take advantage of other options like multifactor authentication to protect your online accounts.

A good password manager not only helps to provide unique and strong passwords for every site, but also can protect you by warning you when the site address doesn't match the address recorded for the site.

Unfortunately, password managers don't work on the CRA website because of very unusual and unnecessarily complicated login procedures. The CRA's suggestion? Manually enter the password!

Don't Post Answers to Security Questions

Be careful NOT to post the sorts of information on social media typically used for the “forgot my password” recovery.

We found that 51% of people believe there is no way a hacker could guess one of their passwords from information they've shared on social media.

 

But we know hackers aren't dumb — if you're being targeted and don't have a strong password guarding your account, it would take a hacker seconds to do a search on your social media profile, learn the name of your pet, family member — even learn when your anniversary is — and use that info to guess your password.

 

Don't make it that easy for them — try to be a bit discreet on social media.
LastPass Blog

Choose Your Software Carefully

You probably check the doors and windows in your house before going to bed at night.

You need to secure your computer and software with the same diligence.

Ignorance is Your Undoing

Many people don't understand the risks of using obsolete or unsecured technology, especially the software you use to access the Internet.

Online security is inconvenient but so are seat belts, door locks and insurance.

Choose a good security suite then learn how to use it to protect your computer and your privacy.

Victims Unfamiliar with Technology

Most of the victims of identity theft are using technology they don't understand.

The politicians making the laws that are supposed to protect you seldom understand the effects those laws will have on privacy. They obtain most of their advice from the very companies that are exploiting consumers on the Internet.

Return to top

Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you and your profile is available for sale to anyone willing to pay.

Do NOT buy into the myth that privacy means you have something to hide.

Companies spouting the “nothing to hide” line claim they're “just collecting metadata”, but will accuse you of hacking if you returned the favour.

[T]here is another reason websites track you — it's because you're worth a lot of money.

 

Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you.
Check Point blog

With your email address, they can send their advertising right to your inbox.

The more you reveal, the easier it is to target you. If they know your marital status and how many children you have, they can identify potential markets.

Loyalty Cards

Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.

Retailers like Home Depot ask if you'd like an email receipt. That's a sneaky way to obtain your email address.

Your Purchases Reveal a Lot

The sorts of items you buy, particularly the precise combination of items, can tell a lot about you.

Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.

Protect Personal Information

Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:

Be careful about revealing billing addresses and employment information as well.

Legitimate financial services organizations like banks and credit card companies will never send you an email asking you to provide personal or confidential information (such as your debit or credit card number, passwords or identification such as Social Insurance Number or Driver's Licence).

The successful completion of many credit card transactions may require that your shipping address match the credit card's billing address.

This information is not necessary for most other transactions.

Posting on Social Media Sites

People sometimes post things on Facebook or other social media (or reveal them to strangers over the phone) without thinking about the consequences.

Facebook and Google knows more about you than your family and friends do and they never forget.

Information that allows you to recover a lost password should be something you remember, but strangers can't know. That security is lost if you post that information on social media.

These personal facts are commonly posted by people:

Password Recovery

Unfortunately, these answer the commonly-used questions that password-recovery options employ.

Most accounts are compromised by using the password recovery mechanism which invariably requires the correct response to the very personal questions people post on social media.

Sure, you will remember the answers (the reason companies use them), but so will everyone that views your posts. (Hint: it isn't just your friends and family.)

These questions are also too easy to research or bring up in casual conversation.

"The Cloud" Has Risks

Cloud computing (as “in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection. All they need is your email address and password.

The stories you read about hacks & security breaches is only the tip of the iceberg. Not only do many organizations fail to report breaches promptly, they often take months to do so, choosing a “slow news day” to minimize reputational damage.

That means that your compromised passwords and data are often on the Dark Web or in the hands of foreign governments a long time before you become aware of the problem.

Banning Encryption Short-sighted

Legislation is pending in some locations (including in the US and possibly Canada) to ban consumer encryption or to ensure that back doors for police access are added. This is very short-sighted.

Yes, encryption is used by criminals. So are roads, public utilities, the Internet, etc. Should we remove everyone's access to those resources as well?

It would be better to close more zero-day loopholes rather than hope that criminals and foreign governments don't use them to defeat our security protections.

Return to top

Personal DNA Tests

Most people would be leery of any request to fingerprint them yet millions have ordered personal DNA tests without considering the potential privacy issues.

Tracking your genealogy has become very popular. Sites like Ancestry and 23andMe offer kits to take your DNA and use it to tell you more about your family history.

There is nothing more personal than your DNA.

This has never happened before. It hasn't happened with fingerprints, it hasn't happened with DNA. Until now there's been a line, that unless you commit a crime we don't record the facts of your body.
Alvaro Bedoya

If your DNA information is compromised, it is impossible to correct that loss.

Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can't be changed.
Consumer Reports

The 23andMe Breach

After 6.9 million users had their data stolen from 23andMe, they sued. The company responded by blaming the users based upon the re-use of passwords revealed in a previous data breach.

While the users were negligent in failing to update their passwords, the company didn't go far enough to protect against brute force attacks which must have occurred to gain access to the data of all 6.9 million users.

Privacy Costs

But these sites aren't as private or innocuous as they'd have you believe.

When you're consenting [to the terms and conditions], you're not only consenting to [use of] your own DNA, but you're in effect consenting on behalf of everybody you're related to. Our laws of consent are not really designed for something like this.
B.C.'s Privacy Commissioner

In fact, they sell your DNA data to third parties and often retain more rights to your DNA than you do once you agree to their contract.

But the DNA and genetic data that Ancestry.com collects may be used against “you or a genetic relative.” According to its privacy policies, Ancestry.com takes ownership of your DNA forever. Your ownership of your DNA, on the other hand, is limited in years.
Joel Winston

Other Potential Implications

There are other potential costs to these tests because DNA companies are bound to look at other means to profit. All sorts of third-parties could benefit economically from purchasing personal DVA results.

In an internal memo, Pentagon leadership has urged military personnel not to take mail-in DNA tests, warning that they create security risks, are unreliable and could negatively affect service members' careers. [S]ervice members were encouraged to get genetic information from a licensed professional rather than a consumer product.New York Times

Consider how health and life insurance companies could use DNA indicators of risk including potential cancers to affect either your eligibility or premiums. Imagine if DNA-indicated diseases were excluded from such benefits.

Potential employers could use this data to screen job candidates and it could affect your ability to collect from a class-action lawsuit if your DNA indicates a higher than average risk for the cause listed in that action.

If You're Going to Proceed

If you're going to get involved with these companies, realize that they hold all the cards. Be sure to examine their privacy policy and opt out (where possible) for your own protection.

Once your DNA (or that of a close relative) is provided to one of these agencies, there is no going back.

Return to top

Recommendations

Much of the Internet is broken, a result of greed and exploitation at the expense of those who simply want information and entertainment but don't consider the risks of their behaviour.

It is recommended that you examine your security practices closely to see if they are up to protecting your online identity and privacy.

Anyone telling you otherwise is probably exploiting your ignorance.

Online Security Course

Lockdown, a 90 minute online course, will dramatically reduce your risk of having your online accounts hacked.

Neil expertly and passionately breaks down personal security into small, actionable episodes that my parents could even understand.

 

[G]reat for reluctant tech users for whom technology is alienating, frustrating, but also necessary.

Protect Your Phone

Your smart phone is a portable computer with access to a great deal of your personal data, not to mention a very common method of multifactor authentication.

That smartphone in your pocket is an identity thief's dream. It has your email, IM, social media, and other apps, potentially logged in and available. It contains personal data galore, including all your contacts.

 

A thief who has unfettered access to your phone owns your identity, period.
PCMag

Watch Out for Malicious Attachments

One of the most common methods of attack are to send a phishing email with an infected attachment.

Learn more about safer email practices including how to avoid malicious attachments.

What Are Headers?

If you have issues with an email you received, whether it is because you're reporting spam or something else, you'll be asked to look at “the headers.”

See finding the headers to learn how to locate these.

Use Encrypted HTTPS Sites Where Possible

HTTPS is a secure protocol used by websites that encrypts traffic between the site's server and your browser.

Few sites use the old HTTP protocol by default (but may load it if you directly request it based upon a link you're following or a bookmarked site).

If you load just the domain name (e.g., domain.com) into your browser's address bar, it should load a secure site if one is available. Be sure to change your bookmarks accordingly.

Learn more about HTTPS how it keeps you safe.

Choose a Safer Browser

Your choice of web browser can make a difference in your ability to remain safe online.

Keep it Updated

Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.

Firefox Recommended

Firefox is a much safer browser to use. As an independent stand-alone product it is less vulnerable to cross-program security issues.

Because it isn't tied to an operating system or a search company, it can focus on its users rather than those controlling the purse strings.

Stop Using Google Chrome

Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail).

Google makes their money by exploiting information you provide. Google NEVER forgets.

The widespread use of Chrome also gives Google a huge amount of control over how the Web works.

Don't Use Internet Explorer

Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web.

While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.

Microsoft should have killed it off with the release of Windows 10 and Microsoft Edge.

More About Browsers

Learn more about web browsers and plugs, vulnerabilities in Internet software and how to browse safer.

Additional Resources

More information about how to prevent identity theft:

Return to top

Report Identity Theft

Are You a Victim?

If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.

Begin Immediately

If you suspect you've been the victim of identity theft, the sooner you act, the sooner you can begin to resolve the issue.

A Long-term Problem

It will likely be harder to prove identity theft than to execute it.

If you are the victim of identity theft, you can expect to fight to regain your credit rating for years.

Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.

While electronic data can quickly get you into trouble, financial institutions want physical evidence (i.e., paper copies of their official forms) that show you're not responsible.

Think of how hard it is to obtain physical copies of documents generated by someone else.

Huge Financial Costs

There are huge personal and financial costs if you become a victim.

The Canadian Anti-Fraud Centre at 1-888-495-8501 can help you through the process.

File a Report

You should file a report with your local police, your financial institution(s) and with credit reporting agencies.

But there's not much your local police can do for you. For starters, you'd have to show that an actual crime happened, which is much more difficult when it's digital.
CNET

When reporting improper use of a credit card to our local police we learned that purchases had been made out of province and mostly without presenting the physical card. How someone could get away with paying off a utility bill for a fixed address with a stolen credit card is confounding.

Unauthorized Purchases

Check your bills for unauthorized credit cards or charges for goods or services you did not receive (particularly from a foreign country).

In most cases you have to still pay the full bill and notify the credit card company about unauthorized charges within 30 days.

Beware of Unsolicited Calls

We're calling from VISA.…

Unsolicited automated phone calls about your credit card are usually fraudulent attempts to secure your credit card information.

These calls may attempt to scare you with claims that very large purchases “have been noted on your credit card.” Notice they don't specify the card used.

Never respond to requests to prove your identity or verify your card details. Remember, they called you.

Credit Reporting Agencies

Reporting identity theft or fraudulent transactions on your credit card(s) to the credit reporting agencies helps to prevent further abuse, particularly if someone tries to open new credit in your name.

You are entitled to one free credit report each year which discloses who has made requests for your credit report as well as allowing you to dispute errors.

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/identitytheft.html
Updated: March 31, 2024

Copyright © 1996– | Privacy | Navigation | RHC Design