What is Identity Theft?
Identity theft is the wrongful taking of someone else’s “real world” identity for the purpose of committing fraud. Typically the thief gets their hands on enough information to pretend to be someone else. The thief may open up fraudulent credit card accounts, apply for loans, or try to secure other property using the stolen identity. Some may even go as far as using your name to land a job and stick you with the taxes from the I.R.S. Perhaps the scariest aspect is that you could actually be arrested for a crime that someone else committed while using your identity.
The Federal Trade Commission released a survey in September of 2003 showing that 27.3 million Americans have been victims of identity theft in the last five years, including 9.9 million people in the last year alone. That equates to approximately 4.6% of the U.S. population! According to the FTC survey, 2002 identity theft losses to businesses and financial institutions totaled nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses. This is a growing problem.
Real World Scenario
We talked to a victim of identity theft to get a firsthand look at what happens when identity theft strikes. For purposes of anonymity we will refer to our interviewee as Kim Smith. Kim explains that a few years ago she and her spouse applied for a mortgage on a home they planned to use as a summer vacation property. The house was modestly priced and the Smiths didn’t foresee any problems getting the mortgage. They had stellar credit, good paying jobs, plenty of money in the bank and the amount of the mortgage was relatively small. They were told by their banker that getting their mortgage should be easy but at closing time they ran into major problems.
“It was scary and embarrassing”, said Kim, “We went to close on the home when the mortgage officer asked us if we had any outstanding loans or credit card payments. To the best of our knowledge we didn’t have a single outstanding balance. We always paid our bills on time and we had no credit card debt.”
The mortgage officer then began asking Kim about various credit card accounts that had outstanding balances, an account at a hunting supply store and many other miscellaneous accounts. The balances ranged from a few hundred dollars to several thousand on major credit cards.
“This thief had real gall. He actually applied for the credit cards using the name Kimball, a derivation of my own first name. To add insult to injury he actually paid the minimum balance of some of the accounts for a couple of months. At first this made the investigators skeptical, after all why would a thief pay anything on the balance?”
Fortunately the story has a happy ending. The Smiths did manage to get their mortgage and immediately contacted authorities after learning of the identity fraud. The individual who had stolen her identity was later apprehended and received a prison term. According to authorities hers was only one of more than a dozen identities the thief had assumed in order to open up fraudulent credit card accounts.
“It has certainly caused us a lot of time, effort and money to track down this thief and cleaning up our credit report has taken years. The most frightening thing about the incident was that it was going on for months and we had no idea. It made me feel violated.” According to the FTC it cost the average victim more than $1,000 to cope with the damage from identity theft.
Identity Theft and Spyware
Obviously one of the latest and most dangerous threats to privacy in the digital age lies at the doorstep of spyware. Spyware can be used to surreptitiously gather all types of confidential information and in most cases the user has no idea the information is being taken. This form of “snoopware” lets the spy access everything you do online including usernames, passwords, online shopping purchases and e-mail or chat correspondence. In the hands of an identity thief this type of information is a deadly treasure trove.
Many of today’s most popular spyware applications promise the ability to execute via “remote installation”. Remote installation is the ability to put a spyware program on a computer without having physical access to the machine. Obviously this is crossing a thin line into illegal behavior and this type of software should be classified as a Trojan horse. Nevertheless, these programs are sold every day to consumers who want to monitor their kids, employees, or spouse and perhaps to people who have more nefarious purposes in mind. While there are certainly legitimate uses for monitoring software we find it hard to believe there is any legitimate scenario where a parent or employer would need to use remote installation to install a monitoring program. Make no mistake that spyware can certainly be used to illegally obtain your personal information.
Spyware vs. Adware- Know the Difference
It is also very important to understand the difference between spyware and adware (a.k.a. pestware). There has been a large outcry from consumers and privacy advocates over intrusive software and cookies that are in reality more of a nuisance than a security threat. This does not mean that adware is not a problem, but cookies and adware should not be treated on the same level as spyware. They are fundamentally different situations altogether and lumping them together dilutes the threat of real spyware.
Adware generally refers to software that installs a reminder service or spawns targeted ads as you surf. These advertisements are referred to in the advertising industry as interstitials or simply “pop-ups”. Adware programs might also profile your surfing and shopping habits, and most gather this information in aggregate.
In a recent decision in the case of U-Haul versus WhenU a judge determined that the use of adware was “legal”. In short it meant that WhenU was not violating trademarks by having their bundled software, SaveNow, display pop-up advertisements.
We do believe that more legal precedents will be handed down and legislation will be enacted to control the use of adware that uses drive-by downloads and deceptive installation techniques, but until that time comes we urge users to read the End User License Agreement for any software before they install it and to educate themselves on the use of adware.
Spyware, as we know it, is software used to monitor actual computer activity. As we mentioned before it can log your keystrokes, which means whatever you do on your computer is open to the eyes of prying spies. This problem is greatly exacerbated in environments where different users have access to a single machine: for example, a local copy shop, a computer rental kiosk, a university or even a friend’s home machine. These are typical targets for a thief who wants to quickly grab information from unsuspecting users.
Public Terminals and Spyware
One particular case stands out as a red flag for using public terminals. For over a year, unknown to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was logging everything users typed, including their passwords to financial institutions. Jiang had covertly installed, in at least a dozen Kinko's stores, spyware that logged keystrokes. He captured more than four hundred user names and passwords, using them to access and even open bank accounts online. This is a real world example underscoring the dangers of how spyware can be used to steal someone’s identity. It is logical to conclude that more of this type of ID theft will occur because it is relatively easy to execute.
A thief doesn’t even have to be technically skilled to install a commercial keylogger and to retrieve your personal information. Once the software is installed the thief can have information e-mailed back to them, or the software will open up a “backdoor” where the spy can log into the machine and retrieve keystroke or snapshot logs. Consumers must exercise even more caution when using public computer systems and realize that in open computing environments there are situations that can leave them vulnerable.
Monitor Your Credit
It is absolutely critical that you monitor your credit report on a regular basis. If you find a change of address you did not initiate or financial accounts you did not apply for, request a copy of your personal credit report. The credit report will include contact information for requesting an investigation of incorrect information. It's also important to watch your monthly billing statements for errors or unusual activity. In Kim Smith’s case using a credit monitoring service would have alerted her far in advance to the activities of the thief and saved her some embarrassment at closing time. After applying for a loan, credit card, rental or anything else that requires a credit report, request that your Social Security number on the application be truncated (x’ing out key numbers) or completely deleted and your original credit report be shredded before your eyes or returned to you after a decision has been made. A lender needs to retain only your name and credit score to justify a decision. It is worth noting that in the FTC study on identity theft fifty-two percent of all ID theft victims, approximately 5 million people, discovered that they were victims of identity theft by monitoring their accounts.
You can request credit reports at the sites below:
... other credit monitoring solutions ...
Periodically Request Your Social Security Statement
Along with checking out credit reports U.S. consumers should request their Social Security Earnings and Benefit Statement at least once a year to make sure there is no sign of fraud. You can do this online by surfing to here. The statement will come via snail mail and is not sent online. If you aren’t comfortable doing it online you can use Form SSA-7004 located here.
Use Cross-Cut Shredders
You should shred all old bank and credit statements, as well as pre-approved credit-card offers, before throwing them into the trash. Always use a cross-cut shredder. Although a cross-cut shredder costs more than a regular shredder and may need more maintenance, it does a better job. A cross-cut shredder cuts up waste paper in two directions: vertically and horizontally. This provides more security for the shredded documents. The shredded paper is in tiny pieces instead of strips, which makes reconstruction of the documents a lot more difficult.
Example shredder products: Fellowes S70C, PS80C, ROYAL AG10X, Other shredders...
Secure Your Snail Mail
One way identity thieves grab information is simply by stealing it out of mailboxes. You can use a locking mailbox to prevent theft of mail sent to you. You also might consider dropping off your mail inside the post office whenever you send out bills to ensure mail is never intercepted. Thieves will go as far as to steal checks sent out by consumers and use chemical washes to remove ink. If you're planning to be away from home and can't pick up your mail, call the U.S. Postal Service to request a vacation hold on your mail.
Watch your Snail Mail
Be sure to tear up all pre-approved credit card offers and pay close attention to your credit card billing cycles. If a credit-card bill is more than a few days late, call the issuer and ask if there have been any inquiries or changes to your account. One of the most common tricks ID thieves use is to simply change the snail mail address of your accounts.
If you don't want to receive unsolicited credit card applications in the mail, by law you can demand that your name be removed from the marketing lists that credit bureaus sell to credit grantors looking for new customers.
Opt-Out of “Pre-Approved” Credit Card Offers
The Fair Credit Reporting Act gives U.S. consumers the right to "opt out" or stop credit bureaus from providing your name and address for marketing lists for credit or insurance offers. Call toll-free 1-888-5-OPT-OUT (1-888-567-8688), a special phone number set up by the nation's top three credit bureaus and another nationwide company called Innovis. When you call this number, you can opt out of these lists for two years or opt out permanently. We recommend the permanent opt-out route. Be advised that if you want to permanently opt out you will receive a form, usually within five (5) business days, that you will have to return. They will also ask for your Social Security number on the call. The entire process takes about five minutes and is time well spent.
Protect your Information
Never give your credit-card number or personal information over the phone unless you have initiated the call and trust the business. It is critical that you don’t reveal highly personal information, like social security numbers, on documents like bank checks. Nor should you let merchants write down your social security number as a form of identification on a check. The general rule of thumb about personal information is less is better.
Guard Your Cards
One easy way to protect yourself against identity theft is to limit the amount of confidential information you carry in your wallet or purse. You should not carry around bank account numbers, personal identification numbers (PINs), passwords, passports, birth certificates, and most importantly, Social Security cards. Leave them at home, preferably in a safe, until they are needed.
Add a Password
Ask your financial institutions to add extra security protection to your financial accounts including your credit card, bank and phone accounts. Most will allow you to use an additional code or password (a number or word) when accessing your account. Do not use your mother's maiden name, Social Security Number, or date of birth, as these are easily obtained by identity thieves. See password safety below.
Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers or keyboard strokes.
If you use online banking or financial services never select a password that matches your username. This is the most common mistake, and the easiest to exploit.
Avoid using words that are in the dictionary. Hackers simply run a “dictionary attack” where they rapidly scan through common words and attempt to brute force an account. Adding a digit in front or at the end of a word, or reversing a word (irish -> hsiri), is not a good password choice either. Crackers routinely try these combinations. Nor should you use the same password over and over. If you use a different password for each account and a hacker should break one of them, the rest of your information or files will be safe. If you have used the same password over and over, they will have no problem accessing more accounts. Never give your password to anyone and be sure to change passwords frequently.
If you store passwords locally on your machine be sure the software uses some type of strong encryption.
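The password rules above can be turned into a simple check. The following is an added example, not code from the original article: the word list is a tiny constructed stand-in for a real dictionary, and the function name `passwordProblems`, the username and the personal values are hypothetical.

```javascript
// Added example: test a candidate password against the weak patterns named above.
// WORDS is a constructed mini list; a real check would load a full dictionary.
const WORDS = new Set(["irish", "password", "dragon", "monkey", "summer"]);
// Consecutive numbers, letters, and keyboard rows.
const RUNS = ["0123456789", "abcdefghijklmnopqrstuvwxyz",
              "qwertyuiop", "asdfghjkl", "zxcvbnm"];

function reverse(s) {
  return [...s].reverse().join("");
}

// True when s (4+ characters) is a slice of a run, forwards or backwards.
function isRun(s) {
  if (s.length < 4) return false;
  return RUNS.some((r) => r.includes(s) || r.includes(reverse(s)));
}

// personal: values such as maiden name, birth year, last four SSN digits, phone.
function passwordProblems(password, username, personal = []) {
  const p = password.toLowerCase();
  const problems = [];
  if (p === username.toLowerCase()) problems.push("matches username");
  if (personal.some((v) => v && p.includes(v.toLowerCase()))) {
    problems.push("contains personal information");
  }
  // Strip digits added in front or at the end before the dictionary lookup.
  const core = p.replace(/^\d+|\d+$/g, "");
  if (WORDS.has(p)) {
    problems.push("dictionary word");
  } else if (core !== p && WORDS.has(core)) {
    problems.push("dictionary word with digits added");
  }
  if (WORDS.has(reverse(core))) problems.push("reversed dictionary word");
  if (isRun(p)) problems.push("consecutive numbers or keyboard strokes");
  return problems;
}

// Constructed candidates for a hypothetical user "ksmith" born in 1970.
for (const pw of ["ksmith", "irish7", "hsiri", "123456", "Kimball1970"]) {
  console.log(pw, "->", passwordProblems(pw, "ksmith", ["kimball", "1970"]));
}
```

An empty result only means none of the patterns listed above was found; it does not by itself make a password strong.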
Watch For Spoofing Attacks
"Spoofing" frauds attempt to make surfers believe that they are receiving e-mail from a trusted source, or that they are securely connected to a trusted web site, when that is not the case. Spoofing is generally used as a means to convince individuals to give out personal or financial information by deception.
In "E-mail spoofing" the header of an e-mail appears to have originated from someone or somewhere other than the actual source. Spammers and criminals often use spoofing in an attempt to get recipients to open and possibly even respond to their mails.
"Page Spoofing" involves altering the return address in a web page so that it goes to the hacker’s site rather than the legitimate site. This is accomplished by adding the hacker's address before the actual address in any e-mail, or page that has a request going back to the original site, often with a form that looks identical to the legitimate site.
A page spoof might look something like this: http://email@example.com/index.html. The domain will always resolve to the address AFTER the @ sign. If you were to surf to this web address and submit any information via a form it would go to the spy and not to PayPal. Try to get into the habit of visually inspecting addresses in your browser address location bar.
If you receive an e-mail requesting that you "click here to update" your account information, and then are redirected to a site that looks exactly like your ISP, or a site like eBay or PayPal, be on the alert. This type of spoofing attack is increasingly common and becoming more sophisticated. Don’t click on the links in the e-mail. The safest way to investigate your account is to type the domain name you want to reach directly into the browser address location bar and hit enter.
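The "address AFTER the @ sign" rule can be checked mechanically before a link is followed. The following is an added example, not part of the original article: the function name `inspectLink` and the verdict labels are hypothetical, and the sample links are constructed using reserved documentation addresses.

```javascript
// Added example: report the host a link really points to and flag links whose
// text before "@" imitates a site name. Sample links are constructed;
// 192.0.2.10 and *.example names are reserved documentation values.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i;         // starts like a host name
const IP_LITERAL = /^(\d{1,3}(\.\d{1,3}){3}|\[.*\])$/;  // IPv4 or bracketed IPv6

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { verdict: "invalid", realHost: null, decoy: null, hostIsIp: false };
  }
  // Everything between "//" and "@" is userinfo, never the destination.
  const decoy = safeDecode(url.username) || null;
  const realHost = url.hostname;
  let verdict = "ok";
  if (decoy !== null || url.password !== "") verdict = "suspicious";
  if (decoy !== null && HOSTLIKE.test(decoy)) verdict = "likely-spoof";
  return { verdict, realHost, decoy, hostIsIp: IP_LITERAL.test(realHost) };
}

const SAMPLES = [
  "http://www.paypal.com@192.0.2.10/index.html",       // decoy name, IP destination
  "http://www.paypal.com%2Fsignin@login.example.net/",  // encoded "/" hides the "@"
  "ftp://alice@files.example/",                         // plain login name
  "https://www.paypal.com/signin",                      // no userinfo at all
  "click here",                                         // not a URL
];
for (const link of SAMPLES) {
  const r = inspectLink(link);
  console.log(`${r.verdict.padEnd(12)} real host: ${r.realHost}  shown before @: ${r.decoy}`);
}
```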
Always Use Security Software
As an informed Internet user it is absolutely vital that you keep your operating system up to date with the latest patches. We also recommend that you run three types of security software: a solid firewall, an anti-virus package, and an anti-spyware package. Naturally it is important to not only use these products but to keep them up-to-date with the latest definitions and patches. Don’t be lulled into a false sense of safety though. Even with a strong defensive perimeter it is still possible to get hijacked or infected. Use caution and common sense. Above all: Don’t panic.
Do not pre-print your checks with your social security number or your driver’s license number. Never permit your credit card number to be written onto your checks. When you order new checks arrange to pick them up at the bank rather than having them dropped off at your residence. If possible, never take more checks than you actually need when going out.
Hope on The Horizon
Starting in May of 2004, victims of identity theft will be able to alert banks, credit card companies and law enforcement with one call under a pilot program announced by the Financial Services Roundtable. The Financial Services Roundtable represents 100 institutions handling about 70 percent of the U.S. economy's financial transactions. They are creating an Identity Theft Assistance Center to help fight the rising incidence of the crime. The safest bet is to minimize your risks and practice good privacy.
Source: Spyware Guide