Out there in the parallel internet world, someone wants to be you. Not for
long, of course: just long enough to clear out your bank account, take out a
large loan in your name and potentially ruin your financial life for years
to come.
The loss of 25 million sets of personal details by Revenue & Customs has
focused attention, as never before, on the vulnerability of personal data
and the dangers of identity theft. Security experts point out that the
problem has been steadily growing over recent years, requiring new laws and
new safeguards but above all a cultural shift in the way that individuals
regard and protect the numbers, letters and secrets that make up their
financial identity.
Identity fraud costs Britain £1.7 billion a year, with a thriving black market
in stolen identities in which credit card numbers and birth dates change
hands for as little as £7. Criminals are developing ever more sophisticated
ways to steal personal information, and security firms are developing ever
more complex (and expensive) ways to stop them.
The growth of online banking, the boom in internet sales and the spread of
social networking sites have all made personal financial details more
accessible. Last year alone, 178,000 people in Britain fell victim to
identity theft.
Individuals can take precautions, but what is really needed, security experts
say, is a change of attitude, a broader realisation that information on the
internet is in the public sphere. Because people work alone on a computer,
this often gives the false impression that they are operating in privacy,
when precisely the reverse is true. People who would not dream of revealing
personal details in the real world simply do not use the same safeguards in
the virtual world.
Garlik, a company specialising in online identity protection, recently
commissioned an in-depth survey of identity fraud that involved scores of
interviews with fraudsters. According to Tom Ilube, chief executive of
Garlik, the survey found that not only are online identity thieves becoming
more specialised and organised, but they are focusing their attentions on
the web, where all the information necessary to steal an identity is readily
available.
“One fraudster said to us, ‘The internet’s great. It used to take me two or
three weeks to gather the information I needed – now I can do it in a few
hours’,” Mr Ilube said. “You just need to know how to put together bits and
pieces from the web and make use of them. I say to people, ‘Don’t put
anything on your Facebook site you wouldn’t want to see on a billboard in
Piccadilly Circus’.”
Just as many still imagine the internet to be semi-private, so fraudsters
treat identity crime as if it were something less than illegal and immoral.
“People who would never dream of picking pockets or shoplifting will do
things like this online and not think they are behaving criminally,” Mr
Ilube said. “A new generation of young criminals is emerging that is
comfortable with cyber crime.”
Britain is a particularly tempting target given the availability of easy
credit. Instead of hitting individual bank accounts, fraudsters increasingly
use stolen identities to take out loans or apply for multiple credit cards.
There are about 60 different credit cards on offer in Britain, with online
application forms that take only minutes to fill in.
Toby Stevens, director of the Enterprise Privacy Group, a think-tank that
develops policy for privacy and identity issues, said: “The key to
protecting yourself is to remember that it’s impossible to have 100 per cent
security. But you are far more likely to be safe if you are a harder target
than others around you. Criminals always prefer to go for the easiest
victims.”
A password can give a false sense of security. The password-protected discs
lost by Revenue & Customs, for example, would be “utterly trivial to
break into and the password is likely to be more of an annoyance to the user
than an impediment for the criminals”, said Mr Stevens, who has drawn up ten
basic tips to protect identity.
Identity thieves work in a variety of ways, physically extracting personal
details by rummaging through household rubbish, sending out fraudulent
survey forms, “phishing” for information with bogus e-mails or scouring
sites such as Facebook and MySpace for individuals who have inadvertently
divulged personal information such as birthdays that may be correlated with
bank account details.
Death is not necessarily a defence against losing one’s financial identity.
“Jackal fraud” - named after the novel The Day of the Jackal, in which the
assassin assumes the identity of a dead child – involves stealing relevant
details from the recently deceased individual and using these to impersonate
a living person.
America has recently suffered identity thefts on a massive scale, with an
estimated 100 million individual records compromised in the past two years.
A laptop stolen from an employee of Boeing a year ago contained vital
personal information on 382,000 current and former employees. The University
of California in Los Angeles reported that 800,000 records of students,
alumni and teaching staff had been stolen after hackers penetrated the
university’s restricted database. The thefts were not discovered for more
than a year.
The worst case of identity theft was reported last January, when the huge US
discount retailer TJX announced that its computer system had been invaded
and 45 million customer records had been compromised. Hackers operating from
a car park outside a TJX store in Minnesota had apparently used directional
antennae and a laptop computer to break into a wireless network.
At least 300 separate incidents linked to the TJX theft have been reported so
far, with fraudulent purchases taking places as far away as Hong Kong and
Sweden.
New security measures to combat identity theft include biometric defences,
such as fingerprint readers, to supplement older methods involving passwords
and personal identification numbers. Some companies have adopted systems
that can delete data remotely, in case a laptop or hard disk is stolen or
lost.
But technological innovation is no substitute for the sort of cultural shift
that is needed. The only real security, Mr Ilube says, is a change of online
habits. “In this domain we have got used to a world where we leave the front
door open.”
Before changing the locks and buying new burglar alarms to protect our online
identities, we should first learn to shut the door.
Be on your guard
— Treat personal information as confidential. Do not give it out unless
absolutely necessary
— Destroy data thoroughly - burn or shred such personal documents as bank
statements and utility bills
— Use a dedicated credit card, never a debit card, for internet shopping. Use
sites that offer online payment protection
— Subscribe to a protective monitoring service such as those offered by
Garlik, Experian or Equifax. Check your profile regularly and act
immediately if anything unusual happens
— Choose your passwords and PINs carefully. Do not make them guessable, such
as birthday dates and family names, or use the same ones for many services
— Keep your PC secure: install antivirus and spyware protection, a firewall
and security patches. Know who uses your PC
— Keep critical personal documents such as passport, birth certificate or
driving licence safe
— Manage your post. If you receive letters about services you have not
ordered, or regular items such as bank statements go missing, take action.
Use registered post for your personal documents
— If an offer sounds too good to be true, it probably is. Nobody wants to give
you a 40 per cent cut for getting money out of Nigeria
— If you suspect any of these problems, act swiftly. Change passwords. Inform
authorities. Seek protective registration with credit-reference agencies;
this makes it harder for fraudsters to get credit, although it will slow
down your own credit applications
Copycats
— Last year the identities of 13,000 civil servants across Scotland and
England were used to claim £30 million in tax credits. It emerged that
ministers had known for months but had failed to close down the website
— In 2003 IBM lost a hard drive containing the records of 180,000 clients of
an insurance company. They included names, addresses, bank details,
beneficiaries, national insurance numbers, pension values, authorised
checking information and mothers’ maiden names
— In 2005 the social security numbers and other personal details of 600,000
current and former employees of the media company Time Warner fell off the
back of a lorry while being taken to a data storage facility
— In 2004 more than one million residents of California had their personal
information leaked after two laptops containing a database of names, birth
dates and social security numbers of blood donors and patients were stolen
from the University of California in Los Angeles
— Two thousand files containing bank details, names and addresses and credit
card security codes were found in a bin in a car park in Chelmsford, Essex,
after Fido Media went out of business. Also found were CDs with staff names
and addresses, tax codes and national insurance numbers
— Prize-winning poodle Afonwen Welch Fusilier’s pedigree details were stolen
by a conman attempting to sell a litter of puppies. Afonwen pups can fetch
£1,000. Suspicions were raised when a buyer searched for the dog’s name on
the Internet and found that he was male
Source: Times Database, theRegister.co.uk
Better to pay by Paypal, but keep the passwords to each different with letters and numbers. Be very aware of phishing when someone writes you that they paid for the item that you never sold and that they are going to ruin your Ebay reputation. NEVER answer one of those phises by logging into the site they want you to respond to, just report it as spoof to Ebay--let them go after the thief.
I change all of my passwords at least every three months.
Still, nothing is 100% secure, but better than a credit card at a store or restaurant.
joel, dallas, texas
I regularly buy things on Ebay, paying by cheque. By doing so, I'm divulging my bank details to the seller. Can anybody tell me how much danger I may be putting myself in by doing so?
Marian Korzeniowski, Morecambe, Lancashire