An 'Ethical Hacker' On Protecting Your Identity

qwqwss writes "Canada.com is running an article by Terry Cutler, a 'certified Ethical Hacker', who wants to get the word out to people on protecting their identities from a growing number of risks. The piece covers shopping online, keeping your personal information contained, and avenues of inquiry if your identity is stolen."

Hiding your credit report

[Riding+Spinners]

1-888-567-8688

Call this one number to opt out of all three bureaus. You can protect yourself from identity theft by taking your name off of the credit bureaus mailing lists. The credit bureaus are one of the biggest offender when it comes to selling your name and information to the credit card companies who in turn send you all those pre-approved applications. One call to the Opt Out Request Line (for Equifax, TransUnion, Experian and Consumer Credit Associates) is all it takes to permanently remove your name from all marketing lists that the credit agencies supply to direct marketers. You can also opt for a two-year period, renewing your request at any time in the future.

Identity theft certainly happens on the Internet, but it's the old-fashioned cons that usually get your SSN and such. Put your paranoia in the right place. Please.

Re:Hiding your credit report

[Jah-Wren+Ryel]

One call to the Opt Out Request Line is all it takes to permanently remove your name from all marketing lists that the credit agencies supply to direct marketers.

And get your name on the "high-value" target list they sell to everyone else, and the "has something to hide" list they sell to the NSA.

Seriously, it is so bogus that in order to "opt out" you have to hand over your personal info -- SSN, address, full name - to the very same people who are abusing that info in the first place. Somehow I just don't trust them to keep it safe and never figure out a new way to abuse it for their own gain.

A real opt-out list would be maintained by a 3rd party with contractual and legal penalties for distributing your personal info. Then the agencies would be required send their lists to the 3rd who would filter out the people who have opted out. That way, even if the agencies were to reverse engineer the list by comparing before-and-afters, they would not know anything about the people whom they missed because they were never on the first list, nor would they get any sort of corrective information (like updated address, corrected spelling of names, etc).

Hell, while I am dreaming, these lists would be opt-in to start with and we wouldn't have these problems.

Re:Hiding your credit report

[stefanlasiewski]

That number will allow you to opt out of pre-approved offers of credit who follow the rules of the big credit bureaus (worked great for me).

However, it will not prevent the credit bureaus from selling your name and information to other companies for other reasons, and it will not hide your credit report from anyone.

Also, some credit companies don't use the big credit bureaus, and will instead compile information from other sources. If you have a home loan for example; your name, address and value of the loan are available at some county and state offices.

Re:Hiding your credit report

[mls]

Sign up for the Direct Marketing Association's (DMA), "Mail Preference Service" (MPS), it will reduce the amount of unwanted mail coming to you, including credit card offers, and it really works. Use option 2, and print and mail your form, it only costs the price of a stamp. Don't pay to do so online, it takes time to process anyhow.

However, a few notes on the service:
1) It can easily take 6 months for a mailing list to be updated removing your address from it. This has to do with the frequency that marketers update and certify their lists for the USPS.
2) Some of those catalogs that you have been getting for no apparent reason that you like getting, they may stop. If you are an existing customer of a company, or have specifically requested to get a certain mailing, then you may still get that mailing.
3) If there are multiple last names in your household, you may need to submit the form multiple times with those combinations (there are some stupid list maintainers out there).

Re:Hiding your credit report

[paeanblack]

The root of the problem:

A: Hi! I'd like to open a line of credit.
B: What's your name.
A: John Smith
B: There are alot of John Smith's, could you be more specific?
A: John Smith from New York, New York.
B: Sigh. That doesn't really help.
A: Well, how then?
B: Give us a publicly known number that refers to you and you alone.
A: My Social Security Number is 012-34-5678
B: Fine. Now I need to prove I'm actually talking to John Smith, 012-34-5678
A: How?
B: Tell us a number that only you know and would never, ever, tell anyone else.
A: My Social Security Number is 012-34-5678
B: Meh, I guess that's good enough. Have fun with your new credit card.

Re:Hiding your credit report

[Jah-Wren+Ryel]

the government is poisoning your cheerios....the government is poisning your cheerios

So that's why they float there, all lifeless in my milk!!!

Re:Hiding your credit report

[Eivind]

Thats pretty close to how it works in Norway. For marketing of any sort adressed directly to you. There is a single govnerment-maintained list where you can opt to not receive direct marketing.

Companies that do direct marketing send their lists in, and get them back without those persons who have opted out. They learn nothing new about you in the process, other than the fact that you've opted out.

For electronic marketing (email, sms, fax) it's opt-in rather than opt-out. In other words, they cannot legally do it unless you've given prior, informed consent to that. The logic is that this in this type of marketing, the recipient typically pays a large part of the cost. Marketers are less likely to abuse say paper-based marketing as that actually costs them to print and distribute. (compare the quality of the marketing in the average paper-based marketing and the average spam you receive to see what I mean..)

For unadressed "distributed to all" marketing there's a small sticker you can put on your mailbox, and you won't get any.

In short, you can eliminate receiving any marketing by following 3 simple steps:

• Register yourself to opt-out of direct marketing. (one phone-call or one visit to the opt-out list.
• Do not agree to receive direct marketing when companies ask.
• Get a small sticker and put it on your mailbox.

Re:Hiding your credit report

[Jah-Wren+Ryel]

People call BECAUSE those agencies have the information and have been selling it. So it is information they already have.

No, you are wrong.

I use a bogus name for my telephone directory listing (it is like getting an unlisted number, but better because it is free and it avoids having my real name on the "list of people with unlisted numbers"). I get tons of snail-mail marketing for this bogus person, I also get plenty of sales calls asking for this bogus person by name.

There is no way the credit marketing agencies are giving away this info because this person does not exist and the name was made up on the spot for the telephone listing - they certainly have no SSN and my real name is the one used for the bills so there isn't even any "credit history" to the name.

So you see, you are 100% demonstrably incorrect in saying that the sales contacts are due only to the credit marketing agencies. Even if this bogus person somehow did aqcuire an entry in their databases, there is no way for me to remove them because the person has no SSN to give them.

I don't even have to read the article...

The trick to not worrying about identity theft is to have horrible credit and just about $0 in the bank. I've never got to worry about somebody using my identity. Hell, my identity doesn't even do me any good.

Re:I don't even have to read the article...

[ConsumerOfMany]

This is also a great way to make sure you never have a girlfriend or not have the choice to be one of those old people greeting me at walmart when they should be playing golf...

Re:I don't even have to read the article...

[kfg]

Somebody stole my identity once, but a week later I found it lying on my doorstep with a note of sympathy pinned to its blanket.

KFG

This article is too Canada-centric

[Neil+Blender]

Here in the backwater US, you can get your credit report for free three times a year at http://annualcreditreport.com/ - Check it every four months.

This is pretty much what I do

[WillAffleckUW]

Minor methods like:

a. shredding the account numbers and names/address on your bills or mail.

b. taking out the recycling only on recycle day, and making sure none of it contains identifying materials, but that all those are shredded and then mixed.

c. not taking too much ID with you.

And realizing that you're being phished. I learned a lot of techniques in the Canadian Armed Forces, when they would try to get information out of our systems by trying to pretend they were from someplace that just needed info, or wanted to verify something.

Never trust email, don't trust phoners, and never action things that you didn't originate.

And keep your hand over the other one (shading it) when entering your PIN.

Canada.com is a website for daily newspapers in Canada, FYI. Always right-click to inspect any links and ensure they go to the correct location before clicking them - and always use URLs you made yourself to access your banking and credit info.

Now, I've got an underwater tunnel to sell you if you don't want to follow that advice, and I'm sure other people will tell you about all the lotteries you've won, and how a rich religious minister left you money in [NAME OF COUNTRY] ...

Get your CEH creditial now!

[Itninja]

Apparently, 'certifed ethical hacker' is an actual cert one can get. But I don't think I would the term 'hacker' to appear anywhere on my resume. Unless I was trying to get a job with some black hat pseudo legal firm...that'd been sweet.

Re:Get your CEH creditial now!

[Drathus]

Apparently, 'certifed ethical hacker' is an actual cert one can get. But I don't think I would the term 'hacker' to appear anywhere on my resume.

I've actually taken a CEH prep course, but that was because my boss had been pressuring me to take a class, and it was a week away from work paid. The information it covers is very basic, the vast majority of it is based on the "tools" used. They spend a bit of time covering how you're supposed to operate as a CEH, but there's so much material that even with five full day classes we were rushed when moving through it all.

Buy a shredder

[Colin+Smith]

Hey, it's fun to shred stuff...

Just don't ever allow your kids to shred anything, even once. If you do, you may find yourself re-filling your taxes, one piece of sellotape at a time.

Re:Buy a shredder

[Incadenza]

Just don't ever allow your kids to shred anything, even once. If you do, you may find yourself re-filling your taxes, one piece of sellotape at a time.

Or have a bunch of fanatic Iranian students do it for you. I have a copy of Documents From the US Espionage Den, volume 5 [6 MB PDF] that is a quite good illustration of why US embassies have been incinerating and not shredding their paper waste since 1979.

Online identity theft = FUD?

[porkmusket]

Does anyone else think that online identity theft is exaggerated? I mean, I have seen stats for identity theft in general, but not specifically for online identity theft. It strikes me as an insurance company/bank/credit card company ploy to make money. They take the internet, something a lot people don't understand, paint it as a major source of fraud, and ask you to pay $10/mo for their 'identity protection' services.

I have a feeling that the mjaority involvement of the internet in these crimes is as a vehicle for the transmission or cracking or databases made available by poor security practices.

Re:Online identity theft = FUD?

[EtherMonkey]

I do security and compliance for a big corporation (100k+ employees). I am not aware of even one case of identity theft via the Internet. I am aware of many cases of fraud via the Internet, where a persons' credit card or bank account number was stolen and/or misused. I suspect that, as pointed out elsewhere, statistics for fraud and identity theft together. This may be because of legislative constraints that includes, and rightfully so, credit card account information as protected personal/financial information. But there's also no doubt that higher numbers makes for more sensational news stories and more compelling selling points for those $10/month protection services.

100% of the identity theft cases and about 30% of the fraud cases I've helped out with or heard of were not due to any use of the Internet (even though many of the unapproved charges were made to Internet resellers). Disgruntled/dishonest employees, ex-spouses and boyfriends/girlfriends, and neighbors/acquaintances are, in my experience, the top three perpetrators of identity theft. Then there are the randoms: the car salesman that puts through auto loans in other customers' names; the 'crew' that dumpster-dives tax preparation offices and then sells the identities to illegal immigrants.

If you are reasonably careful and avoid 'risky behavior' on the Internet you are fairly safe from fraud and identity theft. Never give your SSN or birthdate to anyone over the phone, and only the bare minimum as absolutely required on a face-to-face basis (i.e. banks, financial institutions, employers, medical as needed for insurance processing). For anyone else, just make up a SSN and birthdate: there's no point in arguing with people too stupid to understand that there's no legitimate use for that information.

Never pay for anything by check. ACH fraud is trivial and is probably the most common scam because of the lack of controls and authentication. It can also be the most damaging because, unlike credit-card fraud, the money is gone from your account and you have to convince the bank to put it back. Any organization with either an ACH merchant account with a bank or via one of hundreds of ACH 3rd-party processors can take money from any US bank account with nothing more than your bank's routing number (public information) and your account number (printed on every check). I have been hit with ACH fraud a few times and now order only a one-year supply of checks and then open a new account when the checks run out.

When paying on-line or over the phone always use your credit card company's 'temporary account number' service. These are time-limited and, optionally, amount-limited account numbers that do not reveal your permanent credit card number. You can set limits for how long they are valid (from one month to one year) and how much total can be charged. Most MasterCard and Visa providers offer this service. You have to be Internet-connected to generate a new number. (American Express pioneered this service but then discontinued it shortly before introducing their enhanced security service, for an extra fee). An added benefit is if someone does make fraudulent use of the temporary account number you know who is at fault for leaking your information.

If you have the ability, use a separate e-mail address for each financial institution and each vendor you use. If you have your own domain name you can usually configure "catch-all" email forwarding so any incoming email without a matching mailbox gets forwarded to a specific address. This helps identify phishing attempts because you will see email supposedly from, e.g., Citibank Security come into your "ebay@example.com" address instead of the proper "citibank@example.com" address. An added benefit here is being able to identify who is selling your email address (surprisingly, very few).

And if you deal with illegal, semi-legal, illicit or other fringe sites (porno, high-yield investing, paid-to-surf/email, Ponzi, pirate software/music/video/games, or an

Get a Prepaid Master Card

[mfh]

That's what I did. Now if some joker gets my numbers, I can simply dump the card and get a new prepaid Master Card. Pfffft, eat that h4xx0rz! ;-)

Re:well..

[Pollardito]

how do i know you verified it on Google and aren't just a co-conspirator with the person that posted the first number?

Re:I don't want to be a killjoy, but...

[pseudorand]

Well, I'd never though of always typing in the wrong pin first to verify that the ATM is actually connected to the ATM network. But I'm also not sure I believe the keylogger keypad connected to wifi thing either. I imagined ATMs were tamper resistant such that the bank would be notified if anything was disconnected.

Simple: post AC!

[mangu]

I can't really understand why /. always has these news about protecting one's identity, but when someone wants to post a comment and remain anonymous they call him a "coward"...

Use Virtual Credit Card Numbers

[dakirw]

Some banks allow users to generate virtual credit card numbers (that can have dollar limits and specific expiration dates) for use with online purchases. Probably not a bad idea to buy things online with one of these generated online numbers (using the purchase amount as the limit).

Re:Use Virtual Credit Card Numbers

[holdenholden]

I have been using such a service for about 3 years. Works great. One caveat though: the actual limit on the virtual card may be 10% higher than the one that you request. My bank adds it because it thinks that I will forget to add the shipping charge and the number will "bounce". Just something to keep in mind. I am not sure if all banks do it.

Re:well..

[BaltikaTroika]

The phone number works. Some Nigerian guy answered the phone. After taking my personal information, he offered me this great deal where I just have to let him use my bank account and he'll give me 40% of some dead guy's 20 million dollar estate.

Re:I don't want to be a killjoy, but...

[ericlondaits]

Here in Argentina ATM fraud is common.

Saboteurs install a small keycard reader right next to the keycard reader at the ATM's door, so when you slide your car to enter, both readers get it. Recommendation: open the door with any other card, since the reader only checks for a magnetic strip and not for a valid card.

As for keypads, they usually install a different keypad over the regular one, which logs key presses and also activates the regular keys, so you notice nothing. The newspaper once showed one of this keyloggers, which had some sort of memory (flash perhaps) and ran on batteries.

Re:Annual Credit Report

[Neil+Blender]

How does one get it every 4 months for free

One per year per agency. Get one from one agency every four months. If anything major happens, you can bet on it being in all three. Minor stuff, like addresses, etc are most likely what will differ from one agency to another and are not so urgent to get fixed.

Re:well..

[holdenholden]

Did you mean you googled him or you Googled him?

Re:well..

[bcat24]

I looked him up on Google, I don't think he's in cahoots with him who's in cahoots with the phone number guy.