Preventing Identity Theft - Part I

Full Disclosure: This is an update to a blog I wrote almost seven years ago when I worked for PGP, then the largest provider of email and disk encryption products on earth. I was re-reading it a few days ago and was struck by how much of it still applies.

The U.S. Justice Department reports that for 2014 (most recent available data) about 7% or ~17 million Americans were victims of identity theft. Typically, your bank or credit card company will reimburse you if someone steals money after stealing your identity, but the real challenge is unwinding the all of the non-financial damage you will incur if your identity is successfully stolen by a cyber-criminal gang. If the miscreants start opening new credit card accounts or taking out loans in your name it can take months to regain control of your identity, correct your credit report, and repair the damage to your credit score.

There’s a common misperception that identity theft only occurs online. The reality is that offline identity theft is still incredibly common. The favored tactic is the “technically sophisticated” approach of dumpster diving in which the ethically challenged look for old utility or credit card bills that contain enough information to allow them to impersonate you. In addition to dumpster diving, identity thieves frequently simply lift bank or credit card statements out of victim’s mailboxes between the time of delivery and retrieval.

So, if you still get bills or bank/investment statements via physical mail, there are two pieces of hardware you need to prevent this type of identity theft. The first is a locking mailbox. While these are extremely common in large multi-tenant buildings, they are still relatively uncommon for those of us living in standalone houses in the suburbs. Locking mail boxes are cheap and incredibly effective at stopping email theft that results in identity theft. The other piece of hardware I recommend everyone use is a simple shredder. They’re available at any office supply store and utterly defeat the dumpster diver style of attack.

The other common type of offline attack typically involves petty theft. This type of attack starts when a crook steals either your wallet or laptop computer. The goal in this crime isn’t necessarily to steal your cash or to resell the computer. The goal is to get access to your credit card numbers or Social Security number. Now you’d think that the more valuable asset would be the credit cards and you’d be wrong. The credit card transaction processors now have sophisticated enough transaction screens that a crook can really only expect to gain a few hundred dollars before one of the fraud screens is tripped and the bank starts blocking the transactions until they’re sure it’s you trying to execute them.

However, if the crook can obtain your Social Security number he’s had a VERY good day. Because they are widely accepted as a unique identifier, the criminal can apply for other credit cards and bank accounts in your name, execute transactions for high dollar amounts and no one is the wiser until the bills go unpaid. At this point, the bank will contact you highlighting what’s been happening and then the real fun begins because all of those unpaid bills will very likely affect your credit score. You won’t be held liable for the transactions, but you can expect to spend 6-8 months unwinding the crime and correcting your credit report.

So, what can you do to prevent being victimized by THIS type of fraud. First, if you carry personal financial data on your laptop, use a strong password. How strong? If you want to start bar fight amongst a bunch of crypto-engineers, buy them each a beer and ask them how long they think a password should be (crypto-engineers tend to be lightweights, it will only take one round). Then ask them how long THEIR passwords are. Seriously, current conventional wisdom is that you want to use passwords of 12-14 characters in length…combination of upper case, lower case, numbers, and special characters like &, *, =, +. I’ll talk more about passwords in another piece.

Second, encrypt your hard drive. Why? Well, if someone really wants your data and you’ve used a strong system password, they’re likely to steal your laptop, remove the drive and put it in a device from which they can extract the data without needing your system password. Encrypting the hard drive on a Mac involves turning on FileVault. This Apple Support page (https://support.apple.com/en-us/HT204837) actually does a nice job of explaining how to do this. On a Windows laptop it’s a bit more complicated (isn’t everything), but doable. The guys over at How-to Geek ran a nice piece (https://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/) earlier this year on how this works. If you do all of your personal finances on your phone or tablet you have much less (though not nothing) to worry about.

What else can you do to protect yourself against the class of criminal that simply wants to steal your laptop or wallet? Well, you should DEFINITELY keep a list of the toll free numbers for every financial institution with which you do business both at home and at work. If you lose your wallet or even a single credit card, you’ll want to cancel it immediately. In a pinch most banks can send you a replacement card overnight. Finally, never, EVER carry anything with you that contains your Social Security number (SSN).

That’s pretty much it in terms offline attacks on your identity. In a few days, I’ll take up the precautions required to protect your identity from the increasing number of online attacks being perpetrated by global cyber-criminal gangs.