Identity theft information is now contained on three pages:
- Identity Theft: Obtaining Information by Deceit (this page)
- Phone Fraud: scamming by phone
- Phishing for Information: email scams
Report Identity Theft
If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.
How much do you know about cybersecurity?
Take the cybersecurity knowledge test to see how much you understand about online security and the terminology involved.
Once you've evaluated how well you understand the issue, read the information on this page to help you understand Cyber scams and how to avoid becoming a victim.
Online Crime Treated Like White Collar Crime
Much like white-collar criminals, online criminals face far lighter repercussions if they are caught than someone robbing a store or kidnapping for ransom because it is assumed that cyber crime is not as serious. Victims of white collar or cyber crimes would disagree.
As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change. — Daniel Burrus
In addition, most of these crimes are committed abroad where it is much more difficult to prosecute the perpetrators.
Identity Theft: Obtaining Information by Deceit
Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal using your identity rather than their own.
While the thief obtains financial or other rewards as a result, you are left with the financial loss or debt as well as potential criminal charges. Unfortunately, it is much easier to obtain credit online than it is to prove that it wasn't you that made the application.
A Rapidly Growing Crime
Identity theft is a rapidly growing crime. These are some of the annual highlights:
384 million identities were exposed in 2014 as a result of data breaches. That's equivalent to the whole population of Western Europe. — Symantec
 was truly a watershed year in terms of hacks and it's estimated that over one half of American adults had their identity compromised in some way. — ZoneAlarm Blog
As many as 143 million Americans are said to be affected, the company said, representing about half of the US population. Some UK and Canadian residents are also affected, the statement confirmed. — ZDNet on the 2017 Equifax data breach.
The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record. — Times-Colonist on the 2019 TransUnion data breach.
Security Breaches Affect You
Each time there is a security breach of an online service that you use, it has the potential to reveal a pattern in your password use. In the very least it provides the personal information that was used to create and maintain your account.
It has NOT gotten better.
68% of breaches take months or longer to detect. — Menlo Security
Learn more about the privacy risks that these breaches entail and how you can better prepare yourself.
More About Data Breaches
Learn more about the history of data breaches including some of the largest and most damaging on record as well as how to prevent data breaches.
Other Forms of Exposure
Hacking is not the only way that data breaches happen.
Facebook allowed other companies like Cambridge Analytica to cull information about Facebook users. That information was reportedly used to affect the course of elections in at least one country.
There have also been reports that Facebook customer data was stored on websites unprotected by any security (you only had to know the web address to download the information).
NCIX Computers Never Wiped Customer Data Before Sale
One local example is the sale of personal information about former customers following the bankruptcy of computer retailer NCIX in Vancouver.
This personal information included IP, home and email addresses, passwords, credit card information and social insurance numbers.
Not only did the company fail to ensure that the computers containing customer information were wiped, but that data was so poorly encrypted that the information was sold on Craigslist.
Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not provide leniency for those responsible for not securing that information, including the former officers of that company.
White Collar Crime Punished Lightly
Until such crimes are punished appropriately and to the same degree as a similar blue-collar crime, these breaches will continue.
It Used to Be Harder
Obtaining personal information is much easier than it used to be.
At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or a providing a new credit card.
Credit Information Easily Accessed
These days credit card applications appear unsolicited in your mailbox and are easily obtained online.
- Verification depends upon electronic data rather than hard copies (like the signature card previously used for verification).
- The convenience of inter-branch banking and online transactions has resulted in poorer security.
- The move to using your smartphone to do banking has additional risks, especially if your device is lost or stolen.
The convenience ends when there is a problem and the bank demands paper documents to prove your innocence.
Passwords: Your eSignature
For online transactions, passwords have replaced a signature (or the wax seal that kings used to use) with a password.
Many people really don't understand this form of electronic verification and view it as something that is imposed upon them rather than something added for their own protection.
“User Names” are Public
For most of your online accounts, your user name is your email address. Since your email address is essentially public, that leaves only the unique password to protect your account from unauthorized access.
Weak Passwords are Like Blank Cheques
Unfortunately, many folks don't take their passwords seriously.
Afraid they'll forget a password, they make it simple and use the same password or simple variations for every account they create.
Your passwords are like a series of unsecured blank cheques that you've already signed. The only limit is the size of your bank account or your credit limit.
Ignorance is Your Undoing
Many people don't understand the risks of using older or unsecured technology.
Securing Your Computer
You probably wouldn't leave your car unlocked and unattended with the keys in the ignition, especially with the windows rolled down. You would avoid parking it in a bad neighbourhood.
If you were foolish enough to do so, you shouldn't be surprised to find it gone when you returned.
The Internet's anonymity provides similar opportunities to exploit your ignorance.
Replace Obsolete Software and Hardware
From a security point of view, both were like skeleton keys — easy to use but ineffective in preventing security breaches.
Just as seat belts, car alarms and ignition keys are inconvenient, so is online security. Choose a good security suite and learn how to use it to protect your computer and your privacy.
Protect Your Identity
Everyone is Gathering Information
Everyone is collecting information about you and your privacy is for sale.
[T]here is another reason websites track you — It's because you're worth a lot of money. Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you. — ZoneAlarm Blog
With your email address, they can send their advertising right to your inbox. If they know your marital status and how many children you have, they can identify potential markets. The more you reveal, the easier it is to target you.
Your Purchases Reveal a Lot
An open (not password protected) 4 terabytes of data from the People Data Labs (PDL) and OxyData.io (OXY) contained cross-linked information on over 1.2 billion people was found on October 16, 2019. PDL and OXY are data enrichment companies. What they do is allow companies to search:
- Over 1.5 Billion unique people, including close to 260 million in the US.
- Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
- Over 420 million Linkedin urls
- Over 1 billion facebook urls and ids.
- 400 million+ phone numbers. 200 million+ US-based valid cell phone numbers.
De-duplicating the nearly 3 billion PDL user records revealed roughly 1.2 billion unique people, and 650 million unique email addresses, which is in-line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIN information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs. — ZoneAlarm Blog
It is interesting that the data is an accurate copy of data obtained from 2 different companies blended into one database. Someone either was a very large customer of both companies or managed to hack both databases. What was the reason it was available on an open IP address (184.108.40.206) rather than hidden away?
Someone should be held accountable for both scraping (collecting) such data then combining it for profit as well as allowing it to be copied into an unprotected cloud account unnoticed. Personally, I'd like to see both companies (and similar operations) bankrupted for this breach. Perhaps security and tracking of the users of such sensitive data would be enforced by other similar operations.
Your Purchases Reveal a Lot
Loyalty cards can provide you with free merchandise and more, but they give a huge advantage to retailers as well by allowing them to track your purchases.
Target determined that a teen customer was pregnant before they or their family knew — based simply upon tracking product purchases.
Dealing with Spam
Learn how to identify and deal with spam.
Don't unsubscribe from lists that you didn't ask to be placed on in the first place. Ethical companies don't use sneaky opt-out techniques in the first place.
Beware of Phone Callers
Phone calls about computer viruses, credit card deals, overseas credit card expenditures, holiday specials or warnings that you're about to get arrested for unpaid taxes are all scams. Just hang up.
Protect Personal Information
Do not post or release personal information over the phone. Never reveal the following sorts of information to an unverified caller:
- Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
- Mother's maiden name.
- Where you were born.
- Your birth year.
- Bank PINs.
Be careful about revealing billing addresses and employment information as well.
Ad targeting: Trusting merchants, social media, and mobile providers with personal information is a still-relevant posting on ZoneAlarm's blog.
While the successful completion of many credit card transactions requires that the shipping address match the credit card's billing address, this information is not necessary for most other transactions.
Posting on Social Media Sites
People sometimes post things on Facebook or other social media (or say them over the phone) without thinking about the consequences.
Facebook and Google knows more about you than your family and friends do. And they never forget anything.
Information that allows you to recover a lost password should be something you remember, but strangers shouldn't. That security is lost if you post it on Facebook.
These personal bits are commonly posted by people:
- Family genealogy.
- Pet names.
- Former residences and occupational information.
- Marriage dates and locations.
Your favourite sports teams are a poor choice because sports is a popular conversational topic.
Most accounts are compromised by using the password recovery mechanism which invariably requires the response to questions that many people know about you (including those listed above).
While they are easy for you to remember (the reason companies use them) but are too easy to research or bring up in casual conversation.
"The Cloud" Has Risks
Cloud computing (“in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.
While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection.
- The biggest hacks of 2015.
- 2.9 million Adobe customer accounts were hacked.
- Adobe's security alert.
- Winkler: The real problems with cloud computing. Companies are protecting servers, not their user's information.
- Cloud Computing Top Threats.
- Sony hack: Costs of Cyber attacks and DIY data management.
- Cloud computing used to hack wireless passwords.
Banning Encryption Short-sighted
Legislation is pending in some locations (including in the U.S.A. and possibly Canada) to ban encryption or to ensure backdoors are added. This is very short-sighted.
- Effective encryption could help reduce the risk of hacks like those noted above.
- Backdoors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible by the good guys.
- Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.
Yes, encryption is used by criminals. So are our roads, public utilities, telephone systems, etc. Should we remove everyone's access to those as well?
It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't find them and use them to negate our security protections.
Much of the Internet is broken, a result of greed and exploitation at the expense of the majority who simply want information and entertainment but don't consider the risks of their behaviour.
Choose your web browser for its ability to protect your privacy and security online rather than accepting what has landed on your system. Next, you need to change some habits to protect yourself from malicious attacks.
Use Encrypted HTTPS Sites Where Possible
I strongly recommend that you only connect to sites that are encrypted. Unsecured sites are not encrypted and are vulnerable to man-in-the-middle attacks.
This is particularly important when using online banking or when shopping online — including anywhere that you are sharing banking or credit card details.
Secure sites are indicated by
https:// in front of the address and/or some sort of a padlock symbol. The display varies by browser:
- Firefox, Google Chrome, Safari, Microsoft Edge and Opera all use a grey padlock to the left of the address.
- Both Firefox and Edge display the HTTPS:// prefix; Chrome, Safari and Opera do not.
HTTPS:// Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.
- Mozilla's HTTPS and your online security looks at the strengths and weakness of HTTPS.
Choose a Safer Browser
Your Browser Choice Matters
Your choice of web browser can make a difference in your ability to protect yourself online. Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.
Firefox is a much safer browser to use.
As an independent stand-alone product it is less vulnerable to cross-program security issues.
Because it isn't tied to an operating system or to a search company, it can focus on its users rather than those controlling the purse strings. It can perform all the features needed in a browser without the downside.
Have a look at some of the built-in security features of Firefox:
- Firefox designed to protect your privacy.
- Firefox's Private Browsing allows you to surf without saving information about the sites and pages you've visited nor are cookies or passwords saved.
- Firefox gets a fresh update of forgery sites a whopping 48 times a day!
Firefox is also updated frequently, so security fixes and new benefits are available sooner.
Don't Use Internet Explorer
Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web. While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.
One of my pet peeves is programs that directly call Internet Explorer rather than the system's default browser. One example is TurboTax, where queries about sensitive data is being handled via an obsolete and insecure browser (a feature that users cannot change).
Windows 10 includes IE along with Microsoft Edge, however it was not intended to be used as your primary browser:
"You see, Internet Explorer is a compatibility solution," wrote [Microsoft security chief] Jackson in the blog. "We're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers. — ZDNet
Google has paid free software vendors to automatically install Chrome as the user's default browser (few people check for the preselected options when installing this software). While replacing Internet Explorer as the dominant browser was a good thing, it was not so good when this practice replaced a browser like Firefox which protects your privacy.
Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail). Google makes their money by exploiting information you provide and Google NEVER forgets.