Tips for Protecting Yourself from Identity Theft

by Erich Cranor

Erich Cranor, CSD Pool Sr. Technology Programmer

Erich Cranor, CSD Pool Sr. Technology Programmer

Recently, a friend of mine got a phone call from his bank to alert him that they were freezing his account. The representative described to him a series of suspicious transactions which were indeed purchases he had not authorized. They began to discuss what he needed to do to resolve the situation, and the bank representative said she had to ask for some clarifying information to confirm his identity. They just needed the usual items – zip code, mother’s maiden name, account number, etc.

By now, you’re probably thinking that banks don’t call and ask for identifying information, and you’re right! My friend asked, “Shouldn’t you already know all that?” and then decided to call his bank back for himself. Sure enough, there were no actual suspicious transactions or any impending account freezes. If he had fallen for the ruse, he would have given up personal details allowing unscrupulous people to raid his account.

It seems that protecting yourself should be easy enough. Isn’t it a common sense matter of being careful with your data and being sure with whom you deal with? The widespread crime of identity theft (ID) is proof of how adept criminals  are at deceiving victims into moments of misplacing their trust. According to Javelin Strategy and Research, 8.9 million Americans were victims of Identity Fraud crimes in 2007 for a total of $49.3 billion in losses. This kind of money can fuel a lot of innovation.

On the Internet, common sense can be particularly hard to apply. If you went into a new branch of your bank and you noticed that the décor was strangely sparse, the only employee was a single teller, and there was no ATM, you would probably be suspicious (unless you use a particularly small credit union).

The good news is that some studies suggest that overall, identity theft has been declining over the past five years. Thanks to increased awareness and defensive tools, many potential victims have successfully safeguarded themselves. But even in decline, these crimes are pervasive. In fact, recent reports indicate that in response to effective countermeasures on the Internet, criminals have returned to old fashioned fraud techniques. Cheap Internet phone service has helped bring into existence international call centers dedicated to identity theft. Consequently, while mail and telephone were the means of just 3 percent of identity thefts in 2006, that number jumped to 40 percent in 2007.

Here are some tips on how to avoid Internet ID theft and save the 25 hours of work it took an average ID theft victim in 2007 to clean up the aftermath of his ordeal.

Recognize that you are at risk

This is a pretty basic but also the most important tip. Even if you have no sensitive information on your computer, consider the value of your time spent cleaning or rebuilding an infected system. Remember, even the most basic system is useful if it can be infected and hijacked.

Consider it assured that you will encounter schemes of one form or another

Besides the legions of passively malicious sites that seek to investigate and infect undefended “visitors”, the internet is full of aggressive attackers. If you install Windows XP from original disks and connect it to the Internet, it can be corrupted in less than one minute. Whether on or offline, the odds are very good that there will come a time when you will encounter a fraud attempt with only your own judgment to keep you safe.

Anti-virus, anti-spyware, and firewall software should be considered mandatory

There are many decent options, including some free packages. A few years ago, the free options were almost as good as commercial-ware, but now there does seem to be a benefit to paying for first-rate protection tools. Webroot’s Spy Sweeper is popular but it is by no means the only choice. Here’s a great place check out some alternatives.

Remember that automatic defenses are not perfect

Filters running on mail servers, firewalls, and antivirus software are good at excluding known threats, and can even use heuristics to detect new potential threats. The problem with proactive defenses is that they are more likely to interfere with legitimate software. Therefore, there are always going to be moments when the security of your computer system is going to depend on the decisions you make.

Be aware of ‘false alarm’ schemes

Everyone knows they should be suspicious of email attachments, but that certainly doesn’t mean that they actually practice caution. The possible risks when asked to install software or give bank account information over the Internet are even more obvious. A common means of defeating that caution is a false alarm – just like my friend’s phone call – concocted to make you think you are being careful even in the midst of letting your guard down. Sadly, not all attacks are conveniently labeled with improbable financial or anatomical opportunities. Hoax Virus warnings are a perfect example of this misdirection. False reports of new malware are one of the most common forms of ‘social viruses’ and such ‘warnings’ have again and again proved effective at tricking people into mass distributing messages that are time and resource wasters. They may also be used to scout email networks and reduce vigilance. In fact, virus writers have been known to capitalize on this by writing real viruses to appear as something that was hitherto only a hoax. In a nutshell, be suspicious of messages or phone calls that could be premeditated to cause alarm.

Reconsider your web browser

If you are a Windows users and Internet Explorer (IE) is your browser, consider picking a new default browser. As the most widely used browser, IE is the number one target for malicious hackers. In addition, Microsoft’s tight integration between IE and the Windows operating system has created additional vulnerabilities in the past and it would not be surprising to see even more. Firefox and Opera are both free and have very usable browser alternatives offering features which may even cause you to prefer them over IE. There are plenty of other browsers to consider. For the overachievers out there, don’t worry about uninstalling IE. You almost certainly need it for specific websites, for Windows Updates, and for automation tasks.

Be aware of ‘secure sessions’

Secure sessions provide a number of safeguards. They are recognizable by the “s” in the “https” at the beginning of a URL. In other words, if a website address beging with “http://www.,” the session is not a secure session, but if it begins with “https://www.,” then it is a secure session. Additionally, in Firefox, the address bar changes to a yellow background when the connection is secure. The danger highlighted here is that if you are doing something that involves transmitting personal information, you should be in a secure session. The absence of a secure session when it seems it would be appropriate is a serious red flag. The reason for this is because the process of setting up a bogus secure connection is more likely to arouse more suspicions than just leaving the session clear.

Certificate Holders

Another secure session consideration is the Certificate Holder. In most cases, you will not see any prompt regarding certificate information and the few times you do, it probably is not a problem. Unless you have set unusually restrictive settings, you should not see any warnings about expired or possibly invalid certificates before you do anything like online banking or credit transactions. Also, note that a self-signed certificate means exactly what it sounds like “Just take my word for who I am!” This is fine in some circumstances, but probably not when it comes to transmitting any potentially sensitive information.

Spoofed web pages

A “spoofed” web page will often contain a great deal of correct content copied from the page being faked. So just because the sidebar looks correct, it should not mean you can ignore the fact that your bank is suddenly on the .biz domain. If there is any uncertainty, use your own methods of contacting the party in question. Start a fresh browser session and navigate to your bank on your own – or even call them on the phone – if anything seems odd at their correct web address. There ARE also ways that your machine can be misdirected so that the correct address takes you to the wrong server, although this kind of attack is trickier and therefore less common.

False dialogue

In the presence of a suspicious web page, remember that system dialogues do not necessarily do what they say they are going to do. Clicking a button that says “Ok” may not function like you’d expect. For that matter, even clicking “Cancel” or X-ing out of a popup window could be a trick. The safest recourse against suspicious dialogue is using the Ctrl-Alt-Delete method, ending tasks on any browser instances, rebooting, and then running a full system scan (and be glad you paid attention to tip #3 above about anti-virus, anti-spyware, and firewall software being considered mandatory.

Fraud alerts versus credit freeze

If you suspect your information has been compromised, you should place a fraud alert on your credit report by contacting any of the three largest credit agencies. A fraud alert will not cost you anything and will assign identity verification before any future credit is issued in your name. A credit freeze is a more drastic measure that is only free if you also file a police report. Depending on the severity of the situation, it may also be a very good idea to complete this step.

The migration of fraud off the internet and back to the phones means that informed users can defend themselves. Just remember to be careful. Always stop before giving sensitive information and ask yourself a few key questions: Does the caller legitimately need this information? In this situation, do I really know who I am dealing with? Can this be done more safely in another venue? Asking yourself these simple questions will go a long way in protecting your identity online.




Both comments and trackbacks are currently closed.