The Concept

From that box of files left outside an office to an unencrypted thumb drive that snaps off a key ring, we can literally stumble over others’ Personal Identifying Information (PII) every day. Most people are not actively seeking such information – nor would they actually use it if it fell into their laps – but there are, of course, those malicious few who would use others’ information for their own financial gain. Unfortunately, many people have no idea just how easy it is for others to find and misuse their PII, nor do they understand the incredible amount of time and money this can cost them.

The Quest

Over the next months we will be opening up our eyes to the PII that surrounds us in our everyday lives, categorizing what we find, and then securely destroying this information that might have otherwise fallen into the wrong hands. Our hopes for this are twofold: first and foremost, we want to help others keep their PII safe and secure; if we come across someone’s PII in our normal, daily lives, we want to ensure that person’s identity remains uncompromised by quickly and properly destroying this sensitive data. Secondly, by posting a few visual statistics regarding the PII we find, we hope to tangibly illustrate how “out there” many Americans’ PII is, and why everyone should be taking simple, proactive steps to verify that their private information, and identity, is secure.

The PII Quest will be made up of the following two components:

1. The PII Chart – A running, graphical, theoretical total of the types of malicious actions that could have occurred if the PII we have discovered and securely destroyed had instead fallen into the wrong hands. All of the PII that we find will be represented in the PII Chart.

2. The Exact Value of PII – A running, numeric, theoretical total of the non-recoverable monetary and hourly loss that victims would incur if someone was to maliciously use the PII that we have discovered and securely destroyed. In order for PII to be considered for our calculation of The Exact Value of PII, statistics that enable us to calculate such a total must be available; therefore, only some of the PII we come across will affect The Exact Value of PII. (See “Scoring Summary and Loss Calculations” below for more information.)

While our intentions for this project are to secure loose PII and to educate everyone about the importance of properly handling their and others’ information, we understand that The PII Quest could be considered controversial, and so requires an articulated, concrete set of ground rules.
1. Stray Not from the Straight and Narrow
   a. We must have a legal right to be at the location where the PII is discovered.
   b. We will not deviate from the everyday environmental manipulations performed by normal, law-abiding citizens (e.g., lifting up the lid of a copy machine is allowable; taking apart the copy machine is not).

2. Plain View
   a. All items in plain view may be counted.
   b. If we find an item that we reasonably believe will contain PII, and the discovery of this item exposes another item to plain view, the new item may also be counted.

3. Categorization, Sans-Content
   a. If PII is discovered on a document or device, only the type of PII we find (i.e., one social security number (SSN), three health insurance policy numbers, etc.) will be published.
   b. PII content (e.g., the SSN itself) will never be published or released in any way.

4. Leave It Better Than You Found It
   a. After our finds have been scored, we will securely destroy the PII so that it can never be maliciously used.
      i. Documents – all documents will be cross-cut shredded.
      ii. Magnetic media – all addressable locations will be multi-pass overwritten.
      iii. Optical media (e.g., CDs, DVDs) – all discs will be cross-cut shredded.
      iv. Plastic cards (i.e., IDs, credit cards, health insurance cards, etc.) – all cards will be cross-cut shredded.

Imagine picking up a lone, unmarked car key in a large parking lot. The key will probably start one of the cars in the lot, but with no additional information, you would have a pretty hard time “resolving” that unmarked key to one of the thousands of cars you’re surrounded by. However, with one more piece of information (a make, for instance) your chances of finding the car with which the key will work increase. Additional information (model, year, color) leads to an even smaller group of possible cars until, eventually, only one final car fits the description. With enough information at the outset, you can drive away, a satisfied customer, in mere moments. (Of course, at this point, you’re also a felon.)

PII works the same way. Let’s assume we find a document with a credit card number on it. Without more information, what we find is no better than a randomly generated number. Finding a first initial and last name tied to a CC certainly increases our chances of tying it to a person (as did the car’s make), but few first initial and last name combinations are so unique that this alone would narrow it down to few enough possible candidates. Therefore, for all of our PII finds, we will only count pieces of PII that are both resolvable to a name or person (if this is necessary for its use) and useful from a malicious point of view.

Scoring Summary

If any of the following PII items (normal font) are found and conform to our previous rules, they will be categorized as the performable bolded actions under which they fall.
The Exact Value of PII: Loss Calculations

Depending on the type of PII found, the financial and hourly loss with which a victim is burdened will vary. Therefore, in order to properly calculate The Exact Value of PII, we must categorize the different types of PII, and assign monetary and hourly values to the crimes associated with them.

For the years 2005 through 2007, the Federal Trade Commission reported that an average of approximately 15% of all identity thieves opened new credit accounts with others’ PII; the highest percentage of all types.1 A survey conducted by the Identity Theft Resource Center similarly reported that opening a new line of credit was the most common avenue for identity thieves.2

So what’s to be lost by someone who is a victim of new account fraud? Keep in mind that the monetary loss is out-of-pocket loss; this money is never recovered. Also, just to put the hourly loss in perspective, 133 hours is equivalent to working a second part-time job (20 hours per week, in addition to your full-time job) for more than six weeks straight to resolve the issue. And lastly, remember that these figures do not take into account the well-documented and intense feelings of violation, sadness, anger and betrayal that one feels when an identity crime such as this one is committed against them.7, 8

Phishing Attempt

A phishing attempt occurs when someone tries to gain PII from a victim by impersonating an institution or person (usually via email) that the victim would deem trustworthy. The victim is either duped into providing this information themselves, or they may click on a link or download a malicious program that collects the information automatically. Below are some phishing statistics gathered from multiple reporting groups over the past years.

Note: In order to keep references concise, all Gartner statistics used in the charts above and below that do not include a reference are from endnote 9.

* These studies report whether study participants or respondents clicked a link in a phishing email, while those without asterisks report those who actually provided PII in response to a phishing email. Since drive-by downloads (forcing your computer to download malware by exploiting security flaws) after clicking a malicious link make the remote capture of PII entirely possible (and phishing emails many times contain these types of links), these statistics are included.

Now that we know that the mean loss incurred by a person who falls for a phishing scam is $264.40, and approximately 8% of people fall for phishing scams, we can multiply the mean victim loss by the percentage of recipients duped to find the loss per email address found.

$264.40 x 8% = $21.15

Therefore, for each email address we find, we can assume an average theoretical victim loss of $21.15.

Note: For our purposes, we will only count individual email addresses that we believe were not intended to be publicized in the manner through which they were found.
We’ve examined new accounts, but what’s to be lost by someone whose existing credit card, debit card, bank account, or medical insurance information falls into the wrong hands? So, each time we come across a document or device with enough PII to perform an existing account fraud, we can theorize that if this information had been used maliciously, a victim would have lost $755.25 and spent 72 hours trying to repair the damage done.

Given the widespread perception of powerlessness when it comes to the security of our PII, it’s easy to embrace inaction. With the right guidance, though, locking down a significant amount of your information and reducing your risk of becoming a victim doesn’t require endless hours or overly expensive products. The Federal Trade Commission (the government entity most responsible for handling identity-related crimes) has made a great deal of information available online, and we have included some of our own steps below to help get you on your way to a safer future.

Physically Secure Your Information

Safekeeping

Keep all documents containing PII in an immobile safe and protect the safe combination. This not only prevents PII from being stolen during a break-in, but also secures it from those people who either live in or are given access to your home. According to a 2006 FTC survey on identity theft: “Sixteen percent of all victims said that they personally knew the thief:
· Six percent of victims knew that a family member or relative was the thief.
· Eight percent of victims knew that a friend, neighbor, or in-home employee was the thief.
· Two percent of victims reported that someone known to the victim from the workplace was the thief.”1

According to the same survey, respondents also assumed they didn’t personally know the thief, “…regardless of whether they had information about the thief’s identity.”2 Another survey puts this figure even higher: “…in cases where the thief is found out, over half of the time the fraud operator turns out to be a coworker, neighbor, in-home employee, friend or family member.”3 Having someone you know steal your personal information is a distressing possibility, but it should not be overlooked.

Shredding

Assume that anything you throw away (bills, personal letters, old credit cards, statements, business communications, etc.) will be read by someone else. Instead of just hoping nobody goes through your garbage, put everything you consider sensitive through a cross-cut shredder. This includes the envelopes in which the sensitive information came; if an ID thief starts going through your trash and notices a few envelopes with the insignia of a lucrative business, credit company, or pre-screened offer, you could be quickly filed away in that criminal’s mind as someone with mail that would be worthwhile to steal.

Simply put, there is no reason to carry around your social security card in your wallet. Memorize the number, and secure the card at home with your other personal documents. Take a few minutes to create an inventory list for your wallet (credit cards, IDs, etc.) with all the related contact information for each card or piece of information. Store this inventory in another location. This way, if your wallet is lost, you have the numbers of the credit cards you must cancel, the ways to reach the credit agencies, and any other information needed to report your information as lost and to assemble a new wallet relatively quickly. This also ensures that you don’t simply “forget” to cancel a card while the charges keep piling up.
Some security professionals will suggest you get a security mailbox to defend against identity thieves who steal mail. Prices for the mailboxes that offer any sort of real security, however, after the purchase of all necessary parts and installation, cost approximately $250 more than a regular mailbox. If you can afford it, this would certainly deter identity thieves from lifting information from your mailbox, but there are more economical steps that everyone should be taking to ensure that their information is secure.

Opt out of pre-screened credit offers

Some credit companies will send out offers based upon information in your credit report. To stop this from happening, you merely need to call 1-888-5-OPT-OUT to opt out of pre-screened credit offers. (The Social Security Administration (SSA) notes that you will need to provide your SSN during this call in order to opt out.4)

Receive statements online

Most credit, bank, and utility statements can now be received online, and signing up for paperless statements is usually very simple. Just be sure to add the company’s email address to your contact list so the statements are not flagged as junk mail (companies will usually tell you from which email address the statements will be sent). Have a copy of each statement delivered to a webmail account (gmail, yahoo mail, hotmail, etc.) so that you have a non-locally stored record of your account activity, and retain a local copy by saving the email to an encrypted portion of your hard drive, or by printing it out and storing it securely with your personal documents.

Use a USPS drop box for outgoing mail

Instead of placing billing information or any other personal information in your mailbox, and advertising its presence with what is literally a red flag, use a post office or a blue USPS drop box for your outgoing mail. This will ensure that your mail does not get stolen or lost before it makes its way into the hands of the USPS.

Some companies allow you to request that only certain types of information be used to identify you; if you do not want others with access to your basic information (name, address, DOB, mother’s maiden name, etc.) to be able to access your utility or other accounts, let that company know you’d prefer more robust security questions and identifiers.

Malware

Malicious software, installed on your computer without your knowledge, can capture and send out your PII. In order to prevent this, you should, at the very least, have one of each of the following types of products:

1. Antivirus software – Software that scans for and protects your computer from viruses and other malicious software.
2. A firewall – A program that acts as a filter and barrier between your computer and the other computers and networks to which it connects.
3. A link advisor – A program that visually alerts you to the safety of clicking on the links returned by a search engine.

Ensure the products are up to date after you install them; with a few clicks, you can have them set to download their updates automatically in the future, so that you’re secure with less to remember.

Encryption

Encryption is a word a lot of everyday computer users hear, but a concept that very few actually use without it being forced upon them. For those unfamiliar with encryption, it is basically a way of scrambling information so that only a long password (a passphrase) can unscramble it. This way, if you lose your laptop, but your information was encrypted, the information is completely scrambled and useless to the thief unless they know the passphrase. TrueCrypt is a free program that not only performs encryption, but also has a good amount of documentation for those relatively new to the concept so that you can become comfortable with the idea before committing to full implementation.
Secure Deletion

Deleting a file does not make it unrecoverable; this action merely marks the space the file occupies as “available for use.” In order to securely delete files or folders from your hard drive, you must use a program that overwrites the data multiple times, such as Eraser. This program can be downloaded via SourceForge. On the other hand, if you’re getting rid of your hard drive (selling, recycling, or just plain throwing it out) you should use a bootable program like Darik’s Boot and Nuke (also downloadable via SourceForge, or can be created with Eraser’s “Create Nuke Boot Disk” feature) to overwrite all the information on your hard drive before it leaves your possession.

Passwords

Everyone knows how not to create a password: by using things like a real word, your pets’, friends’, or family’s names, your address or phone number, and so on. And many people know that a secure password requires a lengthy combination of seemingly-random lower and upper-case letters, numbers, and special characters. Very few of us, though, know how to create a secure password that we can actually remember without it being kept on a nearby sticky note. So, the next time you’re prompted to enter a password, try this out. Think of a favorite but obscure line or phrase; it can be an original, or maybe one from a book, song, or movie. Then, to create your password, repeat your phrase in your head, and follow these three rules:

1. As you repeat the phrase, type only the first letter of each word.
2. If a word in the phrase is capitalized, hold the shift key.
3. If a word in the phrase is a number, use the actual digit instead of the first letter of the word (e.g., the word “three” becomes “3” instead of “t”).

Take this, for example:

Note: The @ symbol appears because the shift key was held while typing the “2,” since the word “Two” was capitalized. This looks complicated, but try it on your own!

Typing your password will be slow at first, but all you need to do is apply this formula to any phrase of adequate length to create a relatively secure password. Also, it’s reversible; if you forget your password, all you need to remember is your phrase, and then you can apply the rules. Lastly, and most importantly, don’t forget to tweak the rules or add original ones (substituting certain letters for numbers, or adding numbers or letters at the end of the phrase, for instance) so that it truly becomes your own; a permanent, simple way to create secure, memorable passwords.

Your social security number is a very powerful number; one that is extremely dangerous in the wrong hands. The following information comes directly from the FTC:

“Give your Social Security number only when absolutely necessary, and ask to use other types of identifiers. If your state uses your Social Security number as your driver's license number, ask to substitute another number. Do the same if your health insurance company uses your Social Security number as your policy number. Your employer and financial institutions will need your Social Security number for wage and tax reporting purposes. Other businesses may ask you for your Social Security number to do a credit check if you are applying for a loan, renting an apartment, or signing up for utilities. Sometimes, however, they simply want your Social Security number for general record keeping. If someone asks for your Social Security number, ask:
· Why do you need my Social Security number?
· How will my Social Security number be used?
· How do you protect my Social Security number from being stolen?
· What will happen if I don't give you my Social Security number?
If you don't provide your Social Security number, some businesses may not provide you with the service or benefit you want. Getting satisfactory answers to these questions will help you decide whether you want to share your Social Security number with the business.
The decision to share is yours.”5

That final warning is valid across the board; if you do not feel comfortable sharing a piece of information, take a moment and think about whether the service is 1) legitimate, and 2) worthy of your information.

Try to avoid writing personal checks whenever possible; they contain a large amount of PII which could be used to victimize you. Credit cards are a more secure way of paying bills owed to a company, and cash can be used to pay just about everything else; just ask for a signed receipt when you use cash, so you have a record of the payment (similar to what you would’ve had if you’d paid with a check).

You’re also aware of the obvious dangers of losing control over your credit or debit card. But what if you could lose that information without ever actually, well, losing it? A popular way in which thieves obtain card information is through the use of a “skimmer.” A skimmer is a device that can capture and store the information transmitted via a card’s magnetic strip. Skimming devices can be handheld, or they can be installed next to or over a place where you would usually insert a card, such as at an ATM or a self-checkout line. To mitigate the risk of your card being skimmed while in such a situation, be wary of any devices that seem improperly installed or out of place when using machines that require the insertion or swiping of your cards. Also, do your best to use machines that are well-lit, in high-traffic public places, or secured inside of a bank, as these have a lesser chance of having a skimming device installed on them. Report any suspicious devices to the business responsible for the machine in question, and try to find another machine that will serve your purpose until the problem is fixed.

If you receive a call from the agent of a business or governmental entity asking for personal information, get the person’s name and the entity for which they work, and tell them you will call back the main number to update any personal information. Then, look up the number on your own, and call them back. You should never give out personal information if you did not initiate the call, and most callers who ask for personal information are merely trying to obtain your PII for malicious use. Also, get your phone numbers put on the National Do Not Call Registry. Registration is available online, is totally free, and will help reduce unwanted telephone solicitations.

Email

If you receive an email from an entity with which you do business (bank, business, utility company) and the email is requesting that you give personal information either through email or by clicking on a link to go to their website, do not follow these instructions. Many times, these emails are phishing attempts. Instead, go to a search engine (such as Yahoo! or Google) and search for the entity’s site, or type in the address you know to be correct. Once at the site, if you find you need to update or send any information, feel free to do so.

Domains and URLs

Note: 1) The following information has been somewhat simplified so that it can be more easily understood. 2) eBay is used as an example company merely because it is a recognizable online merchant.

You’re familiar with URLs; they’re located in the address bar at the top of your web browser. Given their ubiquity, a user should know the basics of how they’re structured, as this information can be useful in thwarting a phishing or spoofing attempt. If you arrive at a site and your address bar reads http://www.custservice.ebay.com, you are in the “customer service” department (the sub-domain) of the online marketplace known as “eBay” (the domain). And since this URL ends in .com, you are located in the .com top-level domain.
Basically, this equates to http://www.<sub-domain>.<domain>.<top-level domain>

Note: Not every URL has a sub-domain; “www.ebay.com,” for example, is just a domain and a top-level domain.

Why is this important? Some websites will attempt to trick you into sending them information by displaying the exact same content (text, pictures, advertisements, etc.) as the site of a reputable online entity. These spoofed sites will look just like the real thing, and may even display a similar URL, such as this one: http://www.ebay.custservice.com. However, unlike the previous, legitimate eBay site on which you were communicating with the custservice department of ebay, in the above example you would be communicating with the ebay department of custservice. It’s a small change, but when you consider that eBay is most likely not affiliated with this site, you can see where one can be duped. Basically, whatever immediately precedes the “top-level domain” (the .com, .org, .net, etc.) is the site you’re actually dealing with. Everything else is just “departments” within that “store.” To summarize:

· custservice.ebay.com = The customer service department of the eBay store (legitimate)
· ebay.custservice.com = The eBay department of the CustService store (most likely not legitimate; if you thought you were using eBay’s store, why are you dealing with the CustService store?)

eBay is also unaffiliated with sites such as ebay.co, or ebay.cm. Though these URLs look similar, the top-level domains (the .co and .cm) likely resolve back to the countries of Colombia and Cameroon, respectively.

Lastly, don’t believe your information is secure just because you can see the “little lock” in the bottom corner of your browser; this symbol merely represents that your information is being transmitted securely. Transmitting information securely to a malicious entity is like sending cash to a criminal in an armored truck; the money will be safe and sound on the ride over, but once it gets there, it’s the criminals’ to spend how they wish. Remember that the burden is on you to make sure that you’re actually communicating with the website that you think you are.

Social Networks and Blogging

An article at Scientific American called “How I Stole Someone’s Identity” chronicles the steps someone took (with permission) to attempt to take over an acquaintance’s online banking account. Knowing only the user name, he used information he primarily found in the acquaintance’s blog to correctly answer the questions that allow a user to reset both their banking and email account passwords, and was then easily able to gain access to their funds. Before you post any personal information online, think about whether giving that information would endanger your security, and if so, whether the risk is worth it.

Transmitting Securely

Email and Instant Messages (IMs) are not secure methods of sending information. Do your best to limit the amount of PII or other sensitive information sent via these communication methods. If using a wireless network, secure it by using WPA (Wi-Fi Protected Access) instead of WEP (Wired Equivalent Privacy). WEP is a weak method of protecting wireless information that can be cracked in minutes.6 WEP is used, however, as the default setup by most routers with easy-to-perform setups and companies that set up your home network for you, both of which promise a “secure” wireless connection. So, if you’re getting your wireless network set up by an outside entity, insist that they use WPA instead of WEP, if possible. If setting it up yourself, there are many online walkthroughs available; a quick online search for “WPA set up” will get you started.
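The “whatever immediately precedes the top-level domain is the site you’re actually dealing with” rule from the paragraphs above, plus the point that the lock only tells you the transport is encrypted, can both be checked mechanically. The script below is an added example written for this page, not part of the original post; it splits a URL’s host into sub-domain, domain and top-level domain exactly as the text describes and compares the result against the site you expected. The page says its explanation is simplified, and the main simplification is that some countries register names under a two-label suffix (for example .co.uk), where the site you are dealing with is the third label from the right; the small suffix list in the code is an assumed, deliberately partial way of handling that case, not a complete list.

```python
from urllib.parse import urlsplit

# Assumption: a short, deliberately incomplete list of two-label suffixes
# under which the "store" is the label before the suffix (ebay.co.uk).
# The page's rule ("the label before the top-level domain") covers all
# other cases here.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def split_host(url: str) -> dict:
    """Break a URL's host into the parts the page describes.

    Returns sub-domain, domain, top-level domain, the combined
    'registrable' name you are actually dealing with, and whether the
    scheme is https (the "little lock": transport encryption only).
    """
    if "://" not in url:          # allow bare hosts such as "ebay.cm"
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    encrypted = parts.scheme == "https"
    if len(labels) <= suffix_len:               # e.g. "localhost": nothing to split
        return {"subdomain": "", "domain": host, "tld": "",
                "registrable": host, "encrypted_transport": encrypted}
    tld = ".".join(labels[-suffix_len:])
    domain = labels[-suffix_len - 1]            # the "store"
    subdomain = ".".join(labels[:-suffix_len - 1])   # the "departments"
    return {"subdomain": subdomain, "domain": domain, "tld": tld,
            "registrable": f"{domain}.{tld}", "encrypted_transport": encrypted}


def belongs_to(url: str, expected_registrable: str) -> bool:
    """True only if the URL's store matches the site you meant to visit."""
    return split_host(url)["registrable"] == expected_registrable.lower().strip(".")


if __name__ == "__main__":
    # Constructed URLs built from the page's own eBay examples.
    for url in ["http://www.custservice.ebay.com", "http://www.ebay.custservice.com",
                "ebay.co", "ebay.cm", "https://signin.ebay.co.uk"]:
        info = split_host(url)
        verdict = "matches ebay.com" if belongs_to(url, "ebay.com") else "NOT ebay.com"
        print(f"{url:40} store={info['registrable']:20} {verdict}")
```

Run as written, the first URL is reported as belonging to ebay.com and the spoofed one as belonging to custservice.com, with the lookalike .co and .cm hosts also rejected; the https example shows that the lock flag is reported independently of whether the store is the one you expected.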
Also, note that having a secure wireless network only means your information is secure as it is transmitted wirelessly from, say, the laptop you’re using in your living room to the router or access point in the den, where it is sent out across the internet. Having a secure wireless connection does not supersede our previous warnings about knowing who you’re communicating with, or the method with which you’re communicating (for example, IM and email are still not secure ways to send information).

The FTC writes on their website: “A recent amendment to the federal Fair Credit Reporting Act requires each of the nationwide consumer reporting companies – Equifax, Experian, and TransUnion – to provide you with a free copy of your credit report, at your request, once every 12 months. But there’s only one online source authorized to do so. That’s annualcreditreport.com. Beware of other sites that may look and sound similar. …While consumers may be offered additional products or services while on the authorized website, they are not required to make a purchase to receive their free annual credit reports.”7 Ordering your free credit reports once yearly is strongly recommended, as detecting fraud early can save victims thousands of dollars8; unfortunately, a survey conducted in 2006 found that just 22% of people have taken advantage of this powerful resource since its inception on December 1st, 2005.9

Most financial institutions send out monthly statements to their members, only to have members discard them without taking a few minutes to ensure all the charges contained therein are legitimate. The next time you receive a statement, remember that a few minutes spent checking for fraudulent or out-of-place charges or withdrawals could potentially save you a huge amount of time, money, and frustration in the future.

You may have heard about the extra layer of security a credit freeze can provide. “Many states have laws that let consumers “freeze” their credit – in other words, letting a consumer restrict access to his or her credit report. If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. This means that it’s unlikely that an identity thief would be able to open a new account in your name.”10 If you’re interested, the FTC has a wealth of information about what they are, what they do, what they don’t do, and how they will affect you. Read more about credit freezes at the FTC’s ID theft consumer site. Then, check the policies, charges, and specific laws of your state regarding the implementation of a credit freeze at this site for consumers.

From the FTC: “A fraud alert is a signal placed in your credit report or credit file to warn potential creditors that they must use what the law calls “reasonable policies and procedures” to verify your identity before they issue credit in your name. …You may ask a consumer reporting company to place an initial fraud alert on your credit report if you suspect you have been, or are about to be, a victim of identity theft.”11 This is a free service by law. Read more on fraud alerts here.

Credit Monitoring / ID Theft Protection Services

If you’re thinking about enrolling in a credit monitoring service or an identity theft protection service, be careful to find out exactly what you’re paying for; almost all services these companies perform are available, by law, for free. “Some allow you to “lock,” “flag,” or “freeze” your credit reports. Often, the companies advertising these services simply are offering to place a fraud alert or credit freeze on your report. These services also may renew or update your alerts or freezes automatically, as long as you continue to pay. Under the law, initial fraud alerts and renewals are available for free if you have reason to believe you have been — or are about to be — a victim of identity theft.”12 Check out everything the FTC has to say about such services here, under the heading “Identity Theft Protection Products and Services for Sale.”

And If You’re Already a Victim…

…visit this FTC site immediately for step-by-step instructions on exactly what to do.