Experience the hassles of being defrauded firsthand! If you love bureaucracy and the thrill of waiting in line to talk to government and bank employees again and again, becoming an identity theft victim might be right for you.
- Practice unsafe surfing
- Skimp on antivirus protection
- Open attachments from strangers
- Stuff your wallet with juicy tidbits
- Pay all your bills by check
- Opt out? Opt in!
- Nothing is too good to be true
Practice unsafe surfing
Want to be vulnerable to identity theft? When you purchase a new computer, go online naked — without activating a firewall, or purchasing protective software.
Further expose yourself digitally by sharing a wireless connection with the entire neighborhood. Without digital encryption you can share the contents of your hard drive with anyone on the street.
For maximum risk, commit the computing equivalent of licking a handrail in a New York City subway station and do some online banking on a public computer — like the one at the library or a public cafe. Bonus points are added if your Social Security number is your user ID for any transactions.
A keyword logger or tracking device installed by a ne’er-do-well can capture any information you type, such as your user name and password, and cause havoc in your financial life
In fact, the easiest way to become a victim is just to let your guard down completely and trust in the basic good nature of humanity. If someone empties your account — well, maybe they needed the money more than you did!
Safe surfing is really the only way to protect yourself — using common sense more than jumping through technological hoops — which basically entails being careful about what information you divulge and how.
Because the presence of an infiltrator often remains undetected, current measures of identity theft and fraud aren’t completely accurate. Some people have no clue how they were victimized, so the proportion of crimes that occur due to key loggers and viruses just isn’t known.
“It’s the type of attack that would be pretty hard to detect, and the way that we measure attacks is usually by asking people, ‘Have you been a victim of this kind of attack?’ It doesn’t show up very often,” says Fred H. Cate, University of Indiana law professor and director of the Center for Applied Cybersecurity Research.
The impact of threats lurking online is more apparent from the view at the frontlines of information technology.
Jon Ramsey, chief technology officer of SecureWorks, an information security company, says protecting corporations from hackers means thinking like one to identify any holes in security.
“We’ve seen posts from hackers on blogs that they have so much information it will take them years to go through it all,” he says.
Ramsey says someone’s full identity sells for $100 to $200, which would include their name, e-mail address, Social Security number, credit card numbers with the card security code and the credit limit.
“Unfortunately they’ve been so successful at getting bank account numbers and socials — that stuff goes for $10,” he says.
Skimp on antivirus, antispyware protection
Courting disaster online is easy. Invite malicious code to attack your computer simply by doing nothing.
Antivirus programs can be pricey, and the maintenance of constantly downloading updates is time-consuming. Combine that with the security updates from Microsoft or Apple and it’s enough to seriously annoy anyone.
“If you want to be a victim, don’t use virus software on your computer,” says Fred Cate, Indiana University law professor. “That is about the easiest thing that most people can do to make sure that they are going to become a victim.”
That being said, antivirus software only works if the viruses are known. “They’re reactive. The virus has to exist before you can do anything about it,” says Jon Ramsey of SecureWorks. “We see there is so much malware out there that antivirus (software) has a very difficult time keeping up with it. It may be out there for several weeks before it’s added to the list of known problems.”
SecureWorks unearthed a particularly successful scam recently in which e-mails, disguised as messages from the Better Business Bureau, were sent to executives and business owners. The perpetrator of the scam got enough specific information on his targets to tailor missives with their name, title and place of work — easily gathered from social networking sites.
“If you’re the vice president of sales and you get something from the Better Business Bureau, you can bet you’re going to click on it. And that particular scam is still going on.”
By following the link in the e-mail, victims’ computers were infected with a virus that recorded and sent everything they typed into a browser back to the hacker.
Getting antispyware software is important to thwart such attacks. Spyware, which is installed without a computer owner’s knowledge, can do any number of things, from hijacking the Web browser to stealing personal information such as credit card numbers and bank account information.
Open attachments from strangers
Secret crushes, long lost friends saying “what’s up” or strangers hawking cheap drugs — you’ll never know unless you peek at that e-mail.
“We’ve seen a rash of people infecting video files, pictures, everything,” says Jon Ramsey of SecureWorks. “Never click on an executable attachment. There’s just no purpose. You have to go through a risk assessment and you have to gauge it.”
Some of the fun things that can happen from opening an executable file include infecting your computer with a Trojan horse or virus, which can easily lead to identity theft.
“Whether it’s a link to a Web site where something is downloaded or an actual download from the attachment, the first thing that will happen is that they try to take over control of the computer,” says Ramsey.
“Then they hide themselves, so if you were to look for the file or applications running, you wouldn’t see it. Then they take all of the information on the computer, for instance, in Windows protected storage, and they send it back to the hacker. Whether you type to someone, go to a bank account, click on a button — all of this can be taken back to the hacker and they can look at everything that you type.”
Social networking sites, such as MySpace.com and LinkedIn.com, present special risks. These playgrounds of the computing hoi polloi are generally eschewed by savvier users due to the insecurity of user-made pages.
For instance, “Myspace doesn’t actually create its content; it’s created by the Internet, so it’s possible that someone could make a page that is populated by malicious stuff that people could browse to,” says Ramsey.
Stuff your wallet with juicy identifying tidbits
Wallets and purses are more than just handy cash-carrying devices. They often have credit cards, identification, insurance information and even Social Security cards. Obviously, more is better if you’d like to become the prey of fraudsters. Losing or misplacing a wallet or purse can cause more problems than just the hassle of replacing all those cards and buying a new bag.
Armed with your date of birth, Social Security number and mailing address, there’s no limit to the damage thieves could cause.
Surprisingly though, it’s not always a masked stranger behind identity fraud. The perpetrators are often someone the victim knows.
“Most commonly, someone you know uses your bank account or your credit card without your consent,” says Fred Cate, director of the Center for Applied Cybersecurity Research. “So that could be someone like a family member, which is very, very common — a teenage son or daughter or maybe a stepparent who’s living with you.”
You might say, “But my family and friends aren’t criminals! We’re all upstanding pillars of the community.” Actually, you can never be too sure.
“It’s funny, if you think about Gov. Spitzer. He used the name of a friend of his when he checked into the Mayflower. Many people do that when they commit ID fraud. It’s just a name that comes to mind or it’s someone that they know enough about that they can answer the questions like the address, mother’s maiden name, birth date,” says Cate.
“Why go to strangers when you can use someone’s info that you already know?” he says.
Make your checks payable to criminals
If you’re like most people, you wouldn’t post your checking account information on your front door, though you should if you’d like to be a victim of fraud. Similarly, checks reflecting the same information can be dropped casually into unsecured mailboxes.
Statistically the chances of your mailbox being targeted by criminal elements are low, but not that low. According to the 2008 Identity Fraud Survey Report from Javelin Strategy and Research, almost 1 in 10 victims of identity theft who can pinpoint the scene of the crime say that it happened at the mailbox.
“That’s checks, credit card statements, bank statements … all neatly folded up for them in the mail,” says James Van Dyke, president and founder of Javelin Strategy and Research. “Outgoing checks are right there, too, just like Frank Abagnale said in his books on crime and in the movie, “Catch Me If You Can.” It’s all about getting the paper check — and then bleaching over the writing on the check.”
Despite everything that can go wrong, in general, shopping and bill paying on the Internet can be the safest, most secure way to do business. To be really safe, Jon Ramsey of SecureWorks recommends keeping a separate computer for online banking. “If you don’t have e-mail coming in on that computer, you’re one step closer to being safer,” he says.
While you’re mailing checks from the unlocked mailbox, go ahead and get credit card companies to send you all the preapproved offers that the postman can cram into the box.
Similarly, don’t get credit card statements online; leave them on the side of the road so that they’re more convenient for fraudsters without the technical knowledge or follow-through to launch complicated hacking schemes.
“The U.S. Postal Service reports that criminals will go to one of those condo-style mailboxes where there are 15 or 20 mailboxes right there in one spot and they will just rip the back of it off with a crowbar,” says Fred Cate, University of Indiana law professor. “It’s really good that they’re centralized so they can get to them really fast.”
Nothing is too good to be true
Everyone wants to feel special and maybe more importantly, filthy rich. When reading an e-mailed proposition from an African business tycoon, an imperiled prince or downtrodden heiress offerings millions of dollars in exchange for some small measure of assistance, it’s difficult not to wish it were true. Falling for the story will undoubtedly lead to unpleasantness, however.
But the obsequious appeal of Nigerian scams isn’t always directed to the lowest common denominator. Many target victims of natural disasters, as well as taxpayers and sellers trying to unload some junk on eBay. Further, though there are ways for people to be scammed online, much more bamboozling happens in the real world by telephone or even in person.
Honest sales people may be the hardest hit from these scams. Who in their right mind will ever again buy anything from a random guy peddling magazine subscriptions?
These days one has to assume that any communication with a business or government entity that hasn’t been specifically initiated by the consumer with the appropriate authentication process is a complete swindle.
“The best defense is good common sense. It’s often overlooked, and it’s a good approach,” says SecureWorks’ Jon Ramsey.