An 'Ethical Hacker' On Protecting Your Identity
qwqwss writes "Canada.com is running an article by Terry Cutler, a 'certified Ethical Hacker', who wants to get the word out to people on protecting their identities from a growing number of risks. The piece covers shopping online, keeping your personal information contained, and avenues of inquiry if your identity is stolen."
1-888-567-8688
Call this one number to opt out of all three bureaus. You can protect yourself from identity theft by taking your name off of the credit bureaus' mailing lists. The credit bureaus are some of the biggest offenders when it comes to selling your name and information to the credit card companies who in turn send you all those pre-approved applications. One call to the Opt Out Request Line (for Equifax, TransUnion, Experian and Consumer Credit Associates) is all it takes to permanently remove your name from all marketing lists that the credit agencies supply to direct marketers. You can also opt for a two-year period, renewing your request at any time in the future.
Identity theft certainly happens on the Internet, but it's the old-fashioned cons that usually get your SSN and such. Put your paranoia in the right place. Please.
Here in the backwater US, you can get your credit report for free three times a year at http://annualcreditreport.com/ - Check it every four months.
Minor methods like:
...
a. shredding the account numbers and names/address on your bills or mail.
b. taking out the recycling only on recycle day, and making sure none of it contains identifying materials, but that all those are shredded and then mixed.
c. not taking too much ID with you.
And realizing that you're being phished. I learned a lot of techniques in the Canadian Armed Forces, when they would try to get information out of our systems by trying to pretend they were from someplace that just needed info, or wanted to verify something.
Never trust email, don't trust phoners, and never action things that you didn't originate.
And keep your hand over the other one (shading it) when entering your PIN.
Canada.com is a website for daily newspapers in Canada, FYI. Always right-click to inspect any links and ensure they go to the correct location before clicking them - and always use URLs you made yourself to access your banking and credit info.
Now, I've got an underwater tunnel to sell you if you don't want to follow that advice, and I'm sure other people will tell you about all the lotteries you've won, and how a rich religious minister left you money in [NAME OF COUNTRY]
-- Tigger warning: This post may contain tiggers! --
It's shameless self-promotion, but I just wrote an article on computerworld about basic security and privacy issues for the homeless and/or other perennially wandering folks. There's a little coverage about identity establishment there too, along with general protection of information and resources.
-Jon
I think not...(*poof*)
Just don't ever allow your kids to shred anything, even once. If you do, you may find yourself re-filing your taxes, one piece of sellotape at a time.
Or have a bunch of fanatic Iranian students do it for you. I have a copy of Documents From the US Espionage Den, volume 5 [6 MB PDF] that is a quite good illustration of why US embassies have been incinerating and not shredding their paper waste since 1979.
Here in Argentina ATM fraud is common.
Saboteurs install a small keycard reader right next to the keycard reader at the ATM's door, so when you slide your card to enter, both readers get it. Recommendation: open the door with any other card, since the reader only checks for a magnetic strip and not for a valid card.
As for keypads, they usually install a different keypad over the regular one, which logs key presses and also activates the regular keys, so you notice nothing. The newspaper once showed one of these keyloggers, which had some sort of memory (flash perhaps) and ran on batteries.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
How does one get it every 4 months for free?
One per year per agency. Get one from one agency every four months. If anything major happens, you can bet on it being in all three. Minor stuff, like addresses, etc., is most likely what will differ from one agency to another and is not so urgent to get fixed.
I have been using such a service for about 3 years. Works great. One caveat though: the actual limit on the virtual card may be 10% higher than the one that you request. My bank adds it because it thinks that I will forget to add the shipping charge and the number will "bounce". Just something to keep in mind. I am not sure if all banks do it.
Came across one of these locally - I only noticed it because the adhesive had come loose.
The device was a little over a half inch thick, and had a slot through which the card went. This device was placed over the normal ATM card slot. When you put your card in, it got read by the device, and the ATM sucked it in and read it there.
I found out from the bank that the PIN was read through a hidden camera nearby. The "nice" thing about a setup like this is that no change is made to the ATM itself. To add insult to injury, even if you type in the wrong PIN first, they still got both on camera, and can pull the mag stripe data from the memory in the device.
I do security and compliance for a big corporation (100k+ employees). I am not aware of even one case of identity theft via the Internet. I am aware of many cases of fraud via the Internet, where a person's credit card or bank account number was stolen and/or misused. I suspect that, as pointed out elsewhere, statistics for fraud and identity theft together. This may be because of legislative constraints that include, and rightfully so, credit card account information as protected personal/financial information. But there's also no doubt that higher numbers make for more sensational news stories and more compelling selling points for those $10/month protection services.
100% of the identity theft cases and about 30% of the fraud cases I've helped out with or heard of were not due to any use of the Internet (even though many of the unapproved charges were made to Internet resellers). Disgruntled/dishonest employees, ex-spouses and boyfriends/girlfriends, and neighbors/acquaintances are, in my experience, the top three perpetrators of identity theft. Then there are the randoms: the car salesman that puts through auto loans in other customers' names; the 'crew' that dumpster-dives tax preparation offices and then sells the identities to illegal immigrants.
If you are reasonably careful and avoid 'risky behavior' on the Internet you are fairly safe from fraud and identity theft. Never give your SSN or birthdate to anyone over the phone, and only the bare minimum as absolutely required on a face-to-face basis (i.e. banks, financial institutions, employers, medical as needed for insurance processing). For anyone else, just make up a SSN and birthdate: there's no point in arguing with people too stupid to understand that there's no legitimate use for that information.
Never pay for anything by check. ACH fraud is trivial and is probably the most common scam because of the lack of controls and authentication. It can also be the most damaging because, unlike credit-card fraud, the money is gone from your account and you have to convince the bank to put it back. Any organization with either an ACH merchant account with a bank or via one of hundreds of ACH 3rd-party processors can take money from any US bank account with nothing more than your bank's routing number (public information) and your account number (printed on every check). I have been hit with ACH fraud a few times and now order only a one-year supply of checks and then open a new account when the checks run out.
When paying on-line or over the phone always use your credit card company's 'temporary account number' service. These are time-limited and, optionally, amount-limited account numbers that do not reveal your permanent credit card number. You can set limits for how long they are valid (from one month to one year) and how much total can be charged. Most MasterCard and Visa providers offer this service. You have to be Internet-connected to generate a new number. (American Express pioneered this service but then discontinued it shortly before introducing their enhanced security service, for an extra fee). An added benefit is if someone does make fraudulent use of the temporary account number you know who is at fault for leaking your information.
If you have the ability, use a separate e-mail address for each financial institution and each vendor you use. If you have your own domain name you can usually configure "catch-all" email forwarding so any incoming email without a matching mailbox gets forwarded to a specific address. This helps identify phishing attempts because you will see email supposedly from, e.g., Citibank Security come into your "ebay@example.com" address instead of the proper "citibank@example.com" address. An added benefit here is being able to identify who is selling your email address (surprisingly, very few).
And if you deal with illegal, semi-legal, illicit or other fringe sites (porno, high-yield investing, paid-to-surf/email, Ponzi, pirate software/music/video/games, or an
--- A man with a briefcase can steal more money, than any man with a gun. [Don Henley]
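The per-vendor address check described in the comment above, as an added example that is not part of the original post: it compares the alias a message was delivered to with the domain in its From header. The `ALIAS_OWNERS` mapping, the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.com"  # catch-all domain, as in the comment's example

# Assumption: which sender domains each handed-out alias should receive mail from.
ALIAS_OWNERS = {
    "citibank": {"citibank.com"},
    "ebay": {"ebay.com"},
}

def recipient_alias(msg):
    """Return the local part of the first To/Cc address in MY_DOMAIN, else None."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _, addr in getaddresses(headers):
        local, _, domain = addr.rpartition("@")
        if domain.lower() == MY_DOMAIN:
            return local.lower()
    return None

def classify(raw):
    msg = message_from_string(raw)
    alias = recipient_alias(msg)
    if alias is None:
        return "not-addressed-to-catch-all"
    owners = ALIAS_OWNERS.get(alias)
    if owners is None:
        return "unknown-alias"  # an address never given to any vendor
    # The display name is ignored; only the address domain is compared.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if any(sender == d or sender.endswith("." + d) for d in owners):
        return "expected"
    # Alias was given to one vendor but the mail claims another sender:
    # a phishing attempt, or the address was sold or leaked.
    return "mismatch"

# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": "From: eBay <offers@reply.ebay.com>\nTo: ebay@example.com\nSubject: Your order\n\nhi\n",
    "phish": "From: Citibank Security <alerts@citibank.com>\nTo: ebay@example.com\nSubject: Verify\n\nhi\n",
    "stray": "From: Deals <promo@shop.test>\nTo: qwerty@example.com\nSubject: Sale\n\nhi\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

The From header is sender-controlled, so "expected" only means the alias and the claimed sender agree; the check flags mail that reaches the wrong alias, which is the signal the comment describes.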
Having had the inside scoop on identity fraud for a long while now I would just like to say that there is a lot that the media/banks and governments are not saying. The crux of it all is this: the fraudsters already have your details and they have had them for a long while, and when I say a long while I mean years!
Information security has only reached its peak in the last couple of years. Prior to this, it was pretty lax, especially during the height of companies outsourcing their call centers to foreign lands and not having a clue about data protection laws in said countries. There were multiple stories of fraudsters going to India with briefcases of cash and offering call center employees the equivalent of 1 year's salary for them to pass on customer details. These people didn't pass on the names of one or two people, they passed on whole databases! http://news.bbc.co.uk/1/hi/uk/4121934.stm
Nowadays this is a lot more difficult to do, because information security is being taken a lot more seriously, and partly because thousands of people are getting stung.
IMHO, another reason why identity theft is so prevalent and will continue to be for the foreseeable future is that the weakest link will always be people. You can't bribe a computer system, but you can always bribe a call center employee or an Equifax worker. I'll bet that no one reading this is more than 3 degrees of separation away from one of those two people. And besides, they say everyone has a price. If you can convince a couple of young men to blow themselves up, then personally I think it will be a piece of piss to get them to accept a bribe.
Just like everything else, fraud has and will continue to evolve. Initially it was stolen cheque books and credit cards, now you have elaborate schemes involving huge sums of money and lots of different people but using very little technology. For instance.
Nothing stops someone from spending a couple of grand putting ads in select newspapers offering loans etc. As soon as some unfortunate person bites, and say requests a loan for $5,000, the appropriate details are taken, and the sum of say $20000 is paid into the account. The recipient is called up a day later and told that the money is in their account but they were overpaid and need to send the excess of $15000 via money transfer or bank wire to X country/location ASAP. The "Mugu" at this point does so, and suddenly becomes liable for $20000 while the fraudsters vanish.
Now you may ask where did the initial $20K come from?? Easy.
Well, generally this comes from the account of someone with a lot of money in the bank. It is generally obtained by a fraudulent person working in a bank. They will tend to get the details from accounts that they access as part of their job so as not to arouse suspicion. All that is done next is to match the details of this person with their credit report/identity information obtained earlier, effect a wire transfer, which can be done over the phone, and voila, Robert is your father's brother!
The way we as humans do things has to change. We want faster fast food, we open more fast food restaurants, and to cope with demand we pump the chicken full of hormones so that when it is slaughtered after 3 weeks it's nice and fat. Then we start complaining about being obese, talking about being cruel to animals, worrying about what those hormones are doing to us. Yet we are the ones that demand faster fast food.
It's the same with banking: we want more convenience, we want to be able to bank online, but can't be bothered to secure our home computers against key loggers; we want lesser charges, so banks operate call centers in far-flung countries. It's all about what WE want. But we forget that with the increases in our reliance on technology and our demands for "more" there are always risks that will have to be dealt with, and until those risks are acknowledged there will always be victims. This goes for every facet of our existence.
Tis, brakes that allow cars go fast!
CEH is like an "I'm a newbie" badge for security. Think of it as one step below Security+.
Anyone can pick up a book and learn how to run vuln scanners or use prepackaged exploits.
If people want to go to some real security training, I recommend http://www.immunitysec.com/education-overview.sht
Dave Aitel is both technically brilliant and incredibly funny - a rare combination.