Look, I am not trying to sensationalize or over-hype this episode or the information I am about to share with you but I do think this may be the most important podcast we have done. Today we are talking about identity theft.
I think it seems quite hopeless to many people lately, the idea of keeping your private data out of the hands of hackers and thieves. But it is not. It is certainly a daunting task, but not hopeless. As I have said many times, the success you will have protecting yourself depends directly on how important you think it is. One of the first podcasts we ever did (in fact I think it may have been the first one... let me check... hold on a minute, okay?)
It Can’t Happen Here Syndrome
Yep, it was the first podcast we ever did: “You’ve Lost Your Data – THDP1”. We talked about something called the “It Can’t Happen Here Syndrome”. Now, if you recall, this is where somebody thinks: ”I don’t have to worry about identity theft. That happens to other people. It would never happen to me.” This is something called “Normalcy Bias.” This is a mental state that “causes people to underestimate both the possibility of a disaster occurring and its possible effects.” The assumption is that since a particular disaster has never occurred before, it never will. So the drift here is that if we don’t assign any importance to this danger, then we get what we get, I guess.
Now I am going to assume that there is nobody out there listening... oh, that’s an ugly thought... anyway, there is nobody out there listening that suffers such a thing. We all care about protecting our identity, but we feel overwhelmed by the tenacity of the criminals and the frequency of the thefts and hacks.
So let’s get a handle on the problem. Identity theft. It is so widespread... there are millions of victims every year. There are all types of thieves, and so there are many different reasons for their crime. It could be literally the kid next door messing with you, it could be college kids having fun, it could be a professional hacker, it could be organized crime (as in Russia), it could even be state sponsored, as in China, North Korea or Russia, to name three. Because it could be any one of these people, there are also many different motives in play. Everybody is a target: rich, poor, technically sound people and online newbies. The thing about identity theft is that you may not even know you have become a victim. You might not know it for days, or weeks, or even months. All of a sudden you get a bill in the mail or a collection agency is hounding you for payment.
Types of attacks
- Dumpster diving: this is pretty self-explanatory. If you don’t use a shredder, and by that I mean a cross-cut shredder, then your old bills, receipts or mail become a fountain of information about you.
- Phishing: criminals will send you an email that will appear to be from your bank or some other organization you trust and ask you for some information. They ask you to click on a live link (which is the biggest no-no online btw) and when you respond they will have the info you supply and they probably will also install some malware on your computer to use it (you) sometime in the future.
- Hacking: Technology is constantly advancing, and nowhere is this more obvious than in the world of hacking. I’ve known of hackers creating a breach of security and then offering to help the victim company for a price.
- Data Breach: I don’t know about you but it is here that I feel the most vulnerable. This method is the reason for this podcast.
Time and time again organizations are getting breached, and we find out later that they didn’t even encrypt our data. Obviously these organizations believe that it is not cost-effective to protect our information. It’s not worth the cost of a security department. Look at the IRS breach recently. Taxpayer returns were not encrypted, but the IRS data that they collect on us all was protected. I guess that lets you know what is important and what isn’t. The Target breach was allowed to happen because they didn’t think it was worth the cost to encrypt our data. Anthem Insurance Company not only did not encrypt anything, they left it unsecured to boot. As a matter of fact, the Anthem breach in large part supplied the data the hackers needed to breach the Federal Employee database.
How Do We Protect Ourselves?
- I mentioned before the cross-cut shredder. Don’t leave ANY information out there for anyone to find. And don’t think they aren’t walking the dumps looking for information. Remember how you used to think when you saw your parents or grandparents ripping the information off their prescription bottles? How silly is that now?
- Password protect all of your devices. I can’t tell you how many times I have heard people within large organizations complain because they were required to change their passwords every year or so. Well, I think requiring the changing of your passwords that infrequently is malpractice. It should be a minimum of every three months. Depending on the importance of the data you are responsible for within your enterprise it should be correspondingly more frequent than even that.
- Always use a secure network. Make sure your home WiFi is secure. Use a VPN if necessary and never, never access your private data on a public network like a hotspot at the airport, or Barnes and Noble Bookstore, or your local coffee shop.
- Monitor your accounts. Many credit card companies now will offer to notify you every time your credit card number is used. Use the free credit check offers (only the truly free ones) annually (at a minimum).
- There are now services that offer identity theft protection (and insurance). If you are victimized they assist in restoring your identity.
Let’s take a minute to discuss passwords. Do you know what the most popular password is? 12345. The number two most popular? Password. Don’t use your name, your girlfriend’s name or your dog’s name. Any hacker can use easy social engineering (see our podcast THDP8 Social Engineering 101) to come up with variations of your name pretty quickly.
Better passwords are seven to 11 characters and should include both uppercase and lowercase letters, numbers and symbols like the exclamation point, the ampersand, the dollar sign... I know that a random password would be a pain to remember, and I also know you won’t be that person that writes down a list of all their passwords and keeps it under your computer. Don’t worry, there are services or apps (such as PasswordBox) that will give you a random password or help you to keep track of the ones you dream up.
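To make the password advice above concrete, here is an added example (not from the podcast, and not PasswordBox’s code) of what a password manager does when it hands you a random password: it draws every character from the operating system’s cryptographic random source, makes sure all four character classes the show notes list are present, and the accompanying entropy estimate shows why “12345” or a lowercase word is a fraction of the strength of an 11-character random string. The symbol set and the sample passwords are constructed for the example.

```python
import math
import secrets
import string

# The four character classes recommended above. The symbol set is a
# constructed subset; a real manager would allow any printable symbol.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!&$#%@*?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 11) -> str:
    """Return a random password of `length` characters that contains at least
    one character from every class. `secrets` uses the OS CSPRNG, so the
    result is not predictable the way a name or a date is."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over the passwords
        # that satisfy the class rule instead of biasing fixed positions.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES.values()):
            return candidate


def charset_size(password: str) -> int:
    """Size of the smallest class alphabet that could have produced `password`."""
    return sum(len(cls) for cls in CLASSES.values()
               if any(ch in cls for ch in password))


def entropy_bits(password: str) -> float:
    """Upper bound on brute-force entropy: log2(charset ** length).
    For a name, pet or dictionary word the real figure is far lower, because an
    attacker guesses whole words, not individual characters."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for sample in ("12345", "password", generate_password(11)):
        print(f"{sample!r:20} ~{entropy_bits(sample):5.1f} bits of search space")
```

Run it and the two popular passwords from above come out around 17 and 38 bits respectively, while the generated 11-character string lands near 67 bits; every extra character multiplies the attacker’s work by the charset size, which is why length and class mix matter more than cleverness.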
Google offers “two-step authentication”. They require you to enter your username and password and then enter a special code they give you via a text or an app.
So What Can We Do About It?
Ed and I had a discussion about this the other day and this is how that discussion went.
Other Links to Related Podcasts