Thu, October 23, 2008
How to Avoid Identity Theft - Part 2: Avoiding Online ID Theft
Only about 10 to 15% of identity thefts with known causes have been attributed to online data theft, but this statistic is not very reassuring. According to the Identity Theft Assistance Center, only 42% of ID theft victims are able to determine how their information was stolen. If the majority of victims don't know how their information was stolen, it may not be safe to assume that the 10-15% figure accurately represents all ID theft losses attributable to online sources. How can you avoid being victimized online?
There is some good news regarding ID theft crimes in general: the number of reported thefts has been declining in recent years, to fewer than nine million cases per year. According to a report released Tuesday by the President’s Identity Theft Task Force (link courtesy of Wired.com), Federal convictions for ID theft increased by 26% between 2006 and 2007, indicating improved enforcement, but also suggesting that there’s a wide gap between the huge number of thefts and the number of solved cases.
The size of the average online ID theft loss is on the rise. A recent study by Javelin Strategy and Research found that the average theft loss from paper mail fraud is about $4,200, while the average loss arising from viruses, spyware, and hacker-related thefts exceeded $7,000. The theft of 45.7 million credit and debit card numbers from TJX Companies’ central database demonstrates how attractive electronic ID theft has become to organized criminals. Sometimes even major financial institutions just misplace confidential data for millions of customers at a time.
Obviously, no one can be completely protected against losses resulting from an attack on a commercial database. But it is possible to make your own home computers less susceptible to online identity theft. Today I’ll discuss the means through which personal information can be lost online and offer some guidelines for protecting your information.
Forms of electronic identity theft
As financial institutions and other companies develop greater security for the information in their corporate databases, criminals will need to become more sophisticated in order to obtain data by attacking these sources. However, there are a number of simple schemes that thieves with more modest means can use to steal personal information electronically. There are reportedly websites that offer turnkey software packages to criminals who want to employ electronic theft techniques. Generally speaking, the most common forms of online theft involve e-mail “spam,” fraudulent websites, unauthorized access to a computer through an internet connection, or some combination of these.
E-mail schemes
Fraudulent attacks using e-mail are almost invariably carried out using what is known as “social engineering,” which involves tricking someone into doing something that exposes them to a loss. In a less technological age, practitioners of social engineering were known as “con artists.” Presumably, everyone receives as many spam e-mails as I do purporting to be from lawyers/accountants/widows of high-level bureaucrats in Nigeria who are eager to give me millions if only I’ll help them out. This is one of the simplest forms of social engineering—yet it still works occasionally, because human nature hasn’t changed.
Trojan horses
Although most computer users know the risks of opening phony e-mail attachments, e-mail continues to be an effective medium for scam artists. The Trojan horse, a software incarnation of the Greek gift recounted in Virgil’s Aeneid, is a program that sneaks onto your computer by stealth and does unpleasant things, like recording your keystrokes as you log onto your bank account and sending the information to a thief. Your computer can become infected by a Trojan horse when you open an attached file in an e-mail or through a file downloaded from a website. Since Trojan programs often possess the capability to e-mail themselves to other addresses, be very cautious with e-mail attachments, even when they’re from people known to you, if they accompany messages that seem peculiar or terse. Keep in mind that your first line of defense against this kind of attack is not your antivirus software; your own decisions are critical. You should never download files from a web site unless you’re confident that it’s a legitimate site.
Phishing For Trouble
“Dear Amazon Customer, This is your final warning about the safety of your Amazon account. If you do not update your billing information your access to Amazon features will be restricted and the user deleted…”
So begins the text of an e-mail I received a while back, one of many similar messages that my spam filter catches weekly. Notice how the text is designed to provoke the recipient to follow its instructions; it warns that dire consequences will ensue if the instructions are not followed immediately.
Not long ago, e-mails of this genre that I received were obviously written by people whose spelling and composition skills were pretty weak. This one was an above-average fake; it even included some official-looking disclaimer language at the bottom and an “Amazon Inc.” copyright statement. Except for the fact that a genuine e-mail from Amazon would address me by name, there wasn’t anything about this message to show definitively that it was phony. Had I clicked on the link provided, in all likelihood I would’ve been taken to a fraudulent “Amazon” site where my login information would have been stolen and/or software that would have stolen other information could have been installed on my computer.
When you receive this kind of e-mail, examine it carefully. More and more of the spam that comes to me actually includes my full name, so the presence of one’s name is no longer a sure sign that a message is genuine. This is especially the case if your personal information is available at MySpace or other networking sites.
How should you respond to such an e-mail if you’re not sure it’s legitimate? In this case, it was easy to ignore the message, but if you’re uncertain, the best procedure is to log on to the relevant site in the way that you normally do, usually by selecting the address from your “favorites” list. Doing this, instead of clicking on a link in an e-mail of unknown origin, generally ensures that you are going to a legitimate site. If you regularly receive e-mails from your bank or another company with links in them, be sure that you’re familiar with the standard format of their messages. If you are expecting a message and have good evidence that it is legitimate, there’s no reason not to click on a link that is provided. Remember that reputable vendors, including Amazon, PayPal, eBay, and financial institutions will never e-mail or otherwise contact you asking you for sensitive information.
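As an added illustration that is not part of the original post, the small checker below flags the three tells described above: a generic salutation, threatening language that demands immediate action, and a link whose host is not the vendor's own domain (the one you would reach from your own favorites). The list of known domains and the sample message are constructed assumptions, not data from the post.

```python
"""Heuristic phishing tells from the post: generic salutation, urgent threats,
and links that lead away from the vendor's own domain. Added example; the
known-domain list and the sample message are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader would reach from their own bookmarks (assumption).
KNOWN_DOMAINS = {"amazon.com", "paypal.com", "ebay.com"}
URGENT_PHRASES = ("final warning", "will be restricted", "will be deleted", "immediately")
GENERIC_SALUTATIONS = ("dear customer", "dear amazon customer", "dear valued customer", "dear user")

class LinkExtractor(HTMLParser):
    """Collects href targets from <a> tags in the message body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def host_is_known(url, known=KNOWN_DOMAINS):
    """True only if the URL's host is a known domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in known)

def phishing_indicators(body_html):
    """Return the list of tells found; an empty list means none triggered."""
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    found = []
    if any(text.lstrip().startswith(s) for s in GENERIC_SALUTATIONS):
        found.append("generic salutation")
    hits = [p for p in URGENT_PHRASES if p in text]
    if hits:
        found.append("urgent language: " + ", ".join(hits))
    parser = LinkExtractor()
    parser.feed(body_html)
    for url in parser.links:
        if not host_is_known(url):
            found.append("link to unknown host: " + (urlparse(url).hostname or url))
    return found

# Constructed sample modelled on the message quoted in the post (not a real e-mail).
SAMPLE = ('Dear Amazon Customer, This is your final warning about the safety of your '
          'Amazon account. If you do not update your billing information your access '
          'will be restricted and the user deleted. '
          '<a href="http://amazon.com.example-login.test/update">Update now</a>')
```

Running `phishing_indicators(SAMPLE)` reports all three tells; a message that greets you by name and links only to the vendor's own domain returns an empty list.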
The best protection against these threats is to be cautious about any such contacts, via any medium. Caller ID systems can be hacked to display false caller information, so don’t assume that a caller appearing to be from a legitimate source should be given your confidential information. Also, don’t assume that someone who calls or e-mails you and who already knows your account number is legitimate. In cases where an account number has been compromised by some other means, this type of contact is merely a ruse to obtain additional information, like a Social Security number or account password. Be careful not to disclose this kind of information if you are contacted unexpectedly. If the contact is genuine, you should be able to contact the institution at a number (or web address) that you know is valid because it’s printed on an account statement, the back of your credit card, or a phone book.
Finally, be aware that there is a variant of phishing, called “vishing,” in which an e-mail message directs you to call a phone number and provide your Social Security number, account number, or some other information. Occasionally the initial contact is made via an automated phone message instead of an e-mail. Because these scams are less dependent on the use of a specific technology than they are on manipulating human behavior, the possibilities are endless; new methods will evolve as new technologies arise. In a technique called “SMiShing” (who comes up with these names?), would-be thieves send an SMS to a victim’s cellphone purporting to be from a social web site where the individual actually is registered, warning that the victim is about to be charged a fee and urging them to log into an address listed in the message. Doing so, the recipient unwittingly downloads software to the cellphone that will steal his or her personal information.
(to be continued)
RELATED POSTS:
How to Avoid Identity Theft - Part 1
How to Avoid Identity Theft - Part 3: Turn On, Tune In…Get Hacked?
How To Avoid Identity Theft - Part 4: Passwords, Online Shopping, etc.