White Paper on Identity Theft Prevention
© 2005-2006 by D. Scott Secor
We urge
everyone to protect themselves against identity theft.
It has become a genuine menace to society and is steadily
growing in scope. The Federal
Trade Commission reported that 635,000 confirmed complaints were
received in 2004 from victims of identity theft and fraud.
Even the least significant incident will cost you at least
$500 and thirty hours of your time to correct -- and it can
haunt your credit history for several years. Malicious
software (malware) is the fastest growing component of identity theft.
- Criminality of malware is on the rise
- What to do to deter identity theft
- Gone Phishing
- Report Phishing & Pharming Scams
- Threat suppression kit
- If you fall victim
As many as 35.9 million credit card numbers
were compromised when a hacker breached security at CardSystems
in Tucson, AZ in early 2005. Was one of your credit cards among
them? Identity theft occurs whenever someone obtains key
pieces of another individual's personal identifying information
to use for economic gain.
This stolen information can then be sold on the black market or
it may be used to purchase merchandise or open new credit
accounts in the victim's name. A clever thief can easily gain
further access to investments, savings, or checking accounts
-- this could wipe you out financially!
The imposter can also create false credentials for which the victim may be
held responsible -- even landing a few innocents in jail
before the mistaken identity is discovered. Identity
theft can make the victim's life a living hell for many years --
and it will destroy their credit to the point that it will
take years to correct.
Interestingly, your identity is almost as likely to be
stolen by a close acquaintance or relative as by a complete stranger.
That, of course, does not diminish the severity of damage, nor will it
shorten the amount of time required to regain your creditworthiness.
If you want to cut in half your chances of becoming a victim of identity
theft, follow these simple rules: NEVER divulge personal information to
a friend or relative. NEVER allow a friend or relative to use your
credit cards. NEVER co-sign for a friend or relative.
And if you think for one nanosecond that the credit card
companies absorb any financial losses, you are sadly
mistaken my friend! Credit card companies simply
reverse the fraudulent transaction and the unsuspecting
merchant (a co-victim of identity theft) will sustain the full
financial impact of the loss.
Until credit card companies bear substantial responsibility
for their poor security policies, identity theft will remain
a serious threat to everyone!
Please consult our comprehensive
Internet Security page for
additional tools to secure your computer systems
against stealthy intruders and cyber-criminal elements.
Common sense "rules" apply.

Seventy percent (70%) of all malware
detected during the first quarter of 2006 was directly related to
cybercrime. Specifically, malicious software can compromise identities
in such a way as to generate massive financial returns to the criminal
enterprise using it. This is among the startling conclusions in a new report
from Panda Labs. The report provides global insight into malware
activity during the first three months of 2006. The report also offers a
day-by-day analysis of the most significant threats. This free report can be
downloaded from
Panda Software.
The report confirms the latest malware
dynamic, in which financial profit is a high priority and motivating factor
behind its development and distribution. Of all malware detected by the
Panda ActiveScan online threat scanner between January and March 2006, forty
percent (40%) was "spyware", which includes malicious code used for
financial gain. An additional seventeen percent (17%) is attributed to
Trojans, which includes Banker Trojans that are designed to steal
confidential banking data, and Droppers (downloaders) that upload all sorts
of malicious applications onto Internet-connected systems. Dialers,
malicious programs that dial up premium-rate telephone numbers without the
user's knowledge, were responsible for eight percent (8%) of the total.
Bots, a variety of malware used in an elaborate business model involving the
sale or rental of networks of infected computers, accounted for another four
percent (4%) of the overall total.
Another statistic that confirms this new
dynamic is that the traditional e-mail worm, until recently the major player
on the Internet threat scene, made up only four percent (4%) of the total.
Epidemics caused by e-mail worms stir up too much publicity and are
therefore of no use when it comes to generating profits. The malware
currently seen is more often spyware, Trojans, and bots, which can be installed
silently and remain hidden on systems while they operate maliciously.
The report also looks into a series of
equally important events that occurred during the first quarter. It offers a
complete report on the WMF vulnerability in Windows, which has been widely
used by malware writers to distribute their creations, and on the appearance of
the Sober.AH and Kamasutra worms.

 |
Become a cyber-chondriac and practice good
computer hygiene. ALWAYS run anti-virus and anti-spyware scanners.
ALWAYS update this software regularly and install the latest
security patches for your operating system. Firewalls and privacy protection software are
also great ideas. |
 |
Configure your email reader to display all mail only as
TEXT. Do it now! |
 |
ALWAYS be wary of ALL e-mail -- not just unsolicited
email -- especially when it requests your immediate
response. Never click on any hypertext link within
the body of an email or popup, even when it purports to be
from a bank, credit card company, auction website, or
legitimate merchant known to you. BEWARE: the visible portion of any hypertext link may
disguise the fact that a different address or malicious script
may lurk beneath! Instead, open a separate
browser session and re-type the URL into the address bar. Do not simply
open a new window in the current browser session.
Keep in mind that many viruses and worms use the address
book of a compromised system to replicate themselves by
e-mailing their lethal package to everyone in the
address book. Thus, it may not even be safe to open
attachments or click links within emails from your
closest friends and business associates! |
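The disguised-link problem described above can be checked mechanically. The following is an added example, not part of the original white paper: it parses an HTML message and compares each link's visible text with its real target. The sample message, the `.test` domains, and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a web address, e.g. "www.mybank.test/secure".
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def _bare(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def same_site(shown_host, real_host):
    """True if the real host is the shown host or one of its subdomains."""
    shown, real = _bare(shown_host), _bare(real_host)
    return real == shown or real.endswith("." + shown)


def audit_links(html):
    """Return (verdict, visible text, href) for each link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        target = urlsplit(href.strip())
        if target.scheme not in ("http", "https"):
            verdict = "non-web-scheme"   # e.g. a script hiding behind the link
        else:
            shown = URLISH.match(text)
            if not shown:
                verdict = "opaque"       # text names no address; inspect the href
            elif same_site(shown.group(1), target.hostname or ""):
                verdict = "match"
            else:
                verdict = "mismatch"     # text shows one site, link goes to another
        findings.append((verdict, text, href))
    return findings


# Constructed sample message; every domain here is a reserved .test name.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account:</p>
<a href="http://login.example-collector.test/verify">www.mybank.test/secure</a>
<a href="https://online.mybank.test/statements">www.mybank.test</a>
<a href="javascript:void(0)">Click here for details</a>
<a href="https://www.mybank.test.example-collector.test/">https://www.mybank.test</a>
<a href="https://news.example.test/">Read our newsletter</a>
"""

if __name__ == "__main__":
    for verdict, text, href in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:15} {text!r} -> {href}")
```

The subdomain test is deliberately one-directional: a target whose name merely begins with the trusted name (the fourth link) is still reported as a mismatch.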
 |
When requested to call a particular telephone number,
call the institution or company using
a phone number listed in a published telephone directory.
NEVER trust any telephone number provided in a
suspect e-mail or through an associated link. A
false phone number may be an integral part of a criminal
deception, just as it would be in any other case. |
 |
Only provide personal information when YOU initiate
the transaction, whether online or over the telephone.
Nobody ever needs to "verify"
your passwords or PIN numbers -- EVER! |
 |
"Jury Duty" Scam: Identity thieves are
contacting individuals regarding "missed jury duty" and threatening
the intended victim with arrest. Threats of arrest will
unsettle even the most security conscious individual, causing them to drop
their guard. The thief will ask for the victim's SSN and other
personal information for purposes of "verification". To be
clear, the court system would ordinarily follow up a missed term of
jury duty via the mail, and would never need to "verify" your
personal information either! |
 |
NEVER provide or offer unnecessary information,
such as your mother's maiden name, your birth date, place of birth,
etc. First ask yourself, "Why do these people need
this information?" If the person is persistent,
there is certainly nothing to stop you from telling a
little fib to
protect yourself. |
 |
ALWAYS encrypt it or shred it! Use a cross-cut
shredder or burn documents which contain any personal
information, including unsolicited credit card offers, convenience checks, billing statements,
and even your receipts (after comparing to your statements).
NEVER store personal data, passwords, or PINs on your
computer. Lock them up or encrypt them.
|
 |
ALWAYS closely guard all debit and credit card PIN numbers
-- and all receipts.
Lock them up! |
 |
NEVER use the new "touchless" (pay-pass) credit cards until
adequate security measures (such as biometrics) are incorporated.
These devices are a very bad idea in their present form! "Touchless"
credit cards essentially broadcast your vital information to a distance of six or
eight feet to any high-tech pickpocket with a receiver in their pocket.
|
 |
ALWAYS report lost or stolen checks and debit or credit cards to
your
bank immediately! And when you re-order your check
blanks make certain that you do not have your Social Security or
Driver's License Number printed within the address block. Some
find it useful to use only your first initial and last name to further
frustrate any potential thief (because your bank knows your first
name, but a thief may not). |
 |
ALWAYS watch your credit card and bank statements for small
purchases or withdrawals. Check all statements for
any questionable charges. A small sum (one or two dollars) charged
at a gas station is a common method to "test" a freshly stolen or fraudulent
credit card. Furthermore, tiny sums (10 to 50 cents) from
millions of different accounts add up to some serious money
to a clever thief. Report any such activity immediately! |
 |
ALWAYS watch for unusual unpaid bills, Notices of
Default (mortgage foreclosure), and other
indications that credit may have been taken out in your name without
your prior knowledge. |
 |
Some credit card users are not signing the backs of their cards.
Instead they print "Photo ID Required" to confound any crooks. Please
contact your credit card company before using this strategy to see
whether they approve of it. |
 |
Mail theft is on the rise. Know precisely when your
monthly statements should arrive. Contact your creditors whenever your bills
fail to arrive
on time. Criminals may have stolen your mail with
the intent of compromising your identity. |
 |
ALWAYS deposit all outgoing mail in genuine USPS facilities.
NEVER use
your home mailbox to send outgoing mail!
Identity thieves routinely steal mail to obtain personal
information. |
 |
Protect your garbage, as odd as that may sound. Identity thieves
often search through
your trash to obtain personal, bank account, and credit card
information.
Remember to shred any credit card solicitations, bank
statements, medical bills, and other documents that could contain
personal information. If you do not have a shredder, tear them
up and place the pieces of each document in two or more trash bags.
|
 |
Most importantly, run a photocopy of the fronts and backs of all
credit cards, debit cards, social security card, passports, and other
important documents such as insurance cards. Keep these copies and
any additional documentation that contains toll-free contact information
in a secure location that you can reach if your purse or wallet is
stolen. This will streamline your ability to contact all
appropriate parties in the most efficient manner. |
 |
If you have a Passport (or a Visa), keep it in a secure location.
A fire safe that is cleverly hidden in a secure location within your
home or a bank's safe deposit box is best for safekeeping of all of your
important documents, blank checks, photocopies of your credit cards, and other valuables. |
 |
Monitor your credit profile closely -- at least once
or twice a year. Obtain your free
Annual
"Credit Report" (consumer disclosure) by clicking
here, or by contacting my office. I provide
insight into your
credit report along with some sage advice on maintaining
good credit as an integral part of
your loan application process. |
 |
In the eleven States which currently allow it (CA, CO, CT, IL,
LA, MA, NV, NJ, TX, VT, and WA), you may place a credit
freeze on your name. Please contact
your State's
Attorney General for further
details (and avoid costly third-party services). This will make it virtually impossible for anyone to open
a new account in your name. Of course, it will complicate your
ability to open new accounts in a timely fashion, but that is the price
you will pay for added
security. If you have had your identity stolen and a police report
has been filed, you may still request a seven-year freeze through the
three major credit bureaus, regardless of the State in which you live.
Ordinary Fraud Alerts only
last for 60 to 90 days. So if your identity has been stolen once,
the chances are excellent that it may happen again! |

Gone Phishing
Phishing (pronounced "fishing") has
been growing at the alarming rate of 30% per month since October 2004.
Phishing is the act of sending spoofed email messages that mimic messages
from legitimate organizations, in order to lure the recipient into
divulging confidential information. Phishing is difficult to halt
due in part to brand spoofing and social engineering techniques that
convince customers, employees, and business partners that the messages are
genuine.
Spoof
messages are often broadcast from compromised "zombie
networks" controlled by hacker and criminal elements. Cleverly
deceptive spoofed messages encourage the recipient to deliver
confidential personal,
financial, or medical information directly to resources
under the control of the identity thief. When the victim clicks a
hypertext link within the email, it connects the victim to a
fake data collection website designed to look exactly like the
authentic website of
the organization with whom they may regularly do business.
The appearance is very convincing. The stolen logos are
absolutely authentic. The security icon (padlock) displayed in the
lower border of your browser provides a false reassurance that all
is well. And if the crooks are really talented, they can
change the address bar to display the organization's true web address. Yes,
criminals have gotten that
good!
Banks, credit unions, credit card companies, medical data repositories,
auction websites, and other businesses
are frequently misrepresented in this fashion. Victims may
be asked to enter their username, password, credit card
number, account number, social security number, PIN, date of
birth, driver's license number, or other
confidential information. The identity
thief then uses this information to commit
identity fraud at the victim's expense.
Be extremely suspicious of ALL unsolicited email, instant
messages, or
pop-ups that ask for personal information, financial data, user names,
account numbers, passwords, etc. -- especially when it
is purportedly from an organization with whom you normally conduct
business! Call the organization directly, using a
telephone number listed in a published telephone directory, if
ever you feel
compelled to contact the organization. Never call
telephone numbers indicated in a suspect email -- they are
usually associated with the fraud.
Here are a couple of other facts that you should know. Between
150 and 2,000 websites are compromised by hackers, criminals, and
political activists on any given day. A high percentage of these
compromised websites are used to perpetrate identity theft or fraud
campaigns. Enterprise phishing is the latest criminal phenomenon.
Enterprise phishing involves spoofed email messages sent to employees
within a given company network. Some employees will be tricked into
believing that the message came from their internal IT staff, promptly
"verifying" their account names and passwords. This results in major
security breaches and the theft of massive amounts of confidential
information.
Be suspicious. Be very suspicious!

It is very disturbing to us that it is relatively difficult
for many computer users to report phishing and pharming to the proper
authorities. In spite of all of the hullabaloo over the dangers that
phishing and pharming pose there is no truly simple method to report
suspicious emails. Do you hear that Microsoft, et al.?
Bank & Credit Card Phishes & Frauds
Other Phishing Expeditions
Stock Fraud, Securities Fraud, & Investment-related Spam
Pyramid Schemes & Chain Letters
Spam Reporting


Unfortunate though it may be, the dangers presented by
unprotected use of the Internet are very real, and they are growing every
day. Indicated below are a few sensible precautions that all Microsoft
Windows users can take to avoid becoming infected or infested by malware. Much of
the software indicated herein is freeware for personal use, so you have no
valid excuse regarding the high cost of security! Our modest list is,
however, decidedly Windows-centric. We make no apologies for that fact.

UNIX,
Linux,
RedHat, and
Apple
users -- under ever-increasing attacks -- will have to research
competent sources of reliable security tools for themselves, although we
have elected to include a few in the matrix above. These particular environments are not our primary focus,
although we do have a modicum of experience with each.
Here are a few precautions you all may wish to take:
 |
NEVER insert a "thumb drive", floppy diskette, CD
or DVD into your computer unless it has first been thoroughly scanned for malware
by an up-to-date service on which you can stake your system's safety,
your wealth, and your identity. Otherwise, a tempting caress may
soon lead to a fatal embrace! |
 |
Install
SiteAdvisor for IE or Firefox (other browsers will be added in due
time) in order to help make prudent choices when traveling the far
corners of the web. Be advised that even websites with favorable
(green)
reviews still may carry potentially lethal sponsor ad links!
Click with care. |
 |
Disable Windows Universal Plug and Play (UPnP) using GRC's
"UnPlug 'n Pray". Advanced users (bona fide
geeks) may prefer using features of XQDC's
X-Setup Pro
to selectively disable all but the SSDP portions of UPnP. |
 |
Disable Windows Messenger Service using GRC's
"Shoot-the-messenger". This too may be disabled with
other tools for advanced users such as
X-Setup Pro. |
 |
Disable Windows Distributed Component Object Model using
GRC's
"DCOMbobulator".
If you have XP SP2 installed, this is unnecessary.
(here is the Gibson Research Corp.
Freeware page
for other popular utilities) |
 |
Disable all other non-essential services (e.g., file and
printer sharing, telnet, SNMP, etc. and those listed previously) which
afford criminal elements easy access to your computer. A
more complete list is a couple of bullet points lower. "Hardening"
your system can also be accomplished with a little extra work,
but should be performed with assistance from an advanced user to ensure
success. |
 |
It is always best to place your system behind a NAT-enabled
hardware firewall or router. These are inexpensive safeguards
(<$50) that further isolate your system from the outside world.
Even when no hardware firewall is present, you must enable a software firewall, such as that included with
Windows XP and many anti-threat software bundles. Test the
firewall using
Sygate SOS.
All ports tested must be identified as either STEALTH or BLOCKED to
ensure safety. |
 |
Scan your system for open ports using GRC's
"Shields
Up" port scanner or Symantec's
Security Check. If you have an
inexpensive hardware firewall, please verify that port 137 has been
Blocked or Stealthed.
If you used the GRC scan, we recommend that you also run the Symantec
Security Check or
Sygate SOS to check
several of the vulnerable upper
ports. Unless your ports are reported as "Stealth", you may soon
discover that even "closed" ports may leave you vulnerable to attack. |
 |
Install the
Belarc Advisor
to profile your computer's security and installed hardware / software.
This provides a
CIS Security Benchmark Audit, and it is useful in conducting an
inventory of software licenses and installed hardware. If your CIS
Benchmark is less than 7 out of 10, you need to perform some serious
"heavy lifting" in order to slam the door on unwanted intruders.
You may also consult our Security Benchmark
page.
If you are not technically inclined, do not attempt changing permissions, registry entries,
or services without competent supervision. You may do more damage
than good or even lock yourself out of your system permanently! |
 |
If you have not yet installed a threat scanning tool and firewall on
your PC, please install
avast!,
AVG,
BitDefender,
Ewido,
OneCare
Live, or other resident threat scanner immediately. Perform a full
system scan followed by two or more additional full system scans using
different over-the-web threat scanners, as indicated at the top of our
Internet
Security page! |
 |
If you have not installed an anti-"spyware" tool on your PC,
please install
Windows Defender or
Spybot now! Perform a full system scan followed by two
additional full system scans using two different over-the-web threat
scanners indicated at the top of our
Internet
Security page! Additionally, you must run the
Spy-Zero
or X-cleaner
scans often to validate your findings. |
 |
Advanced users can further assess their
workstation and network vulnerabilities using the
Microsoft Baseline Security Analyzer. |
 |
Advanced users are encouraged to disable all potentially risky and unnecessary
services such as:
- File & Printer Sharing
- Internet Connection Sharing
- Alerter service
- ClipBook service
- Computer browser service (not associated with web browser)
- FAX service
- FTP publishing service
- IIS admin service
- Indexing service
- Messenger service (not associated with IM)
- Net logon service
- Net-meeting Remote Desktop service
- Network DDE service
- Network DDE DSDM service
- Remote desktop help session
- Remote desktop service
- Remote Registry service
- Routing & Remote Access service
- Simple Mail Transfer Protocol (SMTP)
- Simple Network Management Protocol (SNMP) service
- Simple Network Management Protocol (SNMP) trap service
- Task Scheduler service
- Telnet service
- Terminal services
- Universal Plug & Play Host service
- World Wide Web publishing service
- ... and all other potential areas of compromise
A few of these services may have been disabled through the
use of utility programs mentioned above. Re-enable only those services
you find absolutely indispensable. However, you may verify or
alter the status of your service settings through Control Panel | Administrative Tools | Services.
You may also find our Security Benchmark
page useful.
Please consult your network administrator before
disabling any services, as some of these services may be required in a
network environment. |
 |
For businesses of fifty employees or more, we also recommend
spending some quality time with the
Microsoft
Security Risk Self-Assessment. This tool may prove helpful even
when
you work in a non-Windows environment. |
 |
Enable automatic updates or visit
Windows Update often for the latest operating system security patches and
product upgrades. |
 |
Visit
Microsoft Office Update often for the very latest Office patches,
upgrades, templates, etc. (now integrated into
Windows Update) |
 |
Configure your email reader to display messages only in
PLAIN TEXT. (e.g., Tools | Options | Mail Format). Do this because "pretty" HTML messages too easily disguise lethal malicious scripts and
fraudulent links that can transport you to hostile websites. |
 |
NEVER click on any hypertext links provided in any email messages,
instant messages, or pop-ups. Period. This should include
spoofed (fake)
"critical security update" emails from companies such as Microsoft,
advisories from your bank or favorite auction site,
and bogus threat scan solicitations that were developed to extort money
from unwary individuals to pay for equally bogus "cures". |
 |
Be especially cautious of all emails containing
misspellings or poor grammar. This is a common trait of most off-shore phishers,
pharmers, "4-1-9"
fraudsters, and other unscrupulous scammers who may not speak English
as their primary language. Just delete these
messages and go about your routine. There is no pot-of-gold
waiting at the other end of these particular rainbows, no matter how
tempting they may appear. |
 |
Speaking of spelling ... be very careful when
typing the name of popular websites such as
google.com or anti-virus vendors. Cyber-squatters and
cyber-criminals are registering misspelled domain names to
capitalize on bad spellers and clumsy typists. In some instances, the misspelled
web address may contain malicious scripts that will attempt to install malware or
key loggers used to capture your passwords and personal information. |
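A browser helper or proxy can catch the mistyped-address problem described above before the page loads. The following is an added example, not part of the original white paper: it compares a typed host name against a short list of sites the user actually trusts and flags near misses. The trusted list, the `.test` names, the function names, and the distance threshold of 2 are assumptions made for illustration.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1,              # delete a character
                       cur[j - 1] + 1,           # insert a character
                       prev[j - 1] + (ca != cb)) # substitute (or keep)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # two adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def normalise(host):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


# Sites the user really does business with (assumed list for this example).
TRUSTED = {"google.com", "mybank.test"}


def check_domain(typed, trusted=TRUSTED, max_distance=2):
    """Classify a typed host as 'trusted', 'lookalike' or 'unknown'.

    Returns (verdict, trusted name it equals or resembles, or None).
    """
    host = normalise(typed)
    if host in trusted:
        return ("trusted", host)
    # Closest trusted name; ties are broken alphabetically so the result is stable.
    nearest = min(trusted, key=lambda t: (osa_distance(host, t), t))
    if osa_distance(host, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed inputs: one correct entry, two clumsy ones, one unrelated site.
    for typed in ("www.mybank.test", "mybnak.test", "mybanks.test", "weather.test"):
        print(typed, "->", check_domain(typed))
```

A fixed threshold is noisy for very short names, so a real deployment would scale `max_distance` with the length of the trusted name.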
 |
Avoid using instant messaging services, ICQ, chat rooms, and
music or file sharing websites whenever possible. All of these
venues have been involved in
the widespread distribution of malware and identity theft schemes.
If you must, there are special anti-malware tools designed specifically
for use with IMs, P2Ps, etc. Please use them! |
 |
If you feel compelled to visit a website indicated in
an email, instant message, or pop-up, please RE-TYPE the website address into a
separate browser window, or use a Bookmark or Favorite that you know is
safe.
|
 |
NEVER reply to any email, instant message, or a popup
message that asks for personal or financial information. Keep in
mind that your bank or credit card company would NEVER ask for personal
or financial information via email in the normal course of business.
Several clever pop-ups also appear to mimic threat scanning tools.
Close these pop-up windows by using Task Manager (best) or clicking on the big red "X" in the upper right
corner (still risky) ... otherwise you may suffer the consequences. |
 |
Be wary of downloading files or opening
attachments from any email or instant message you may receive, regardless
of who may have sent them! NOTE: Worms and viruses routinely deliver
their destructive payloads through email reader vulnerabilities, such as
those in
Outlook
and
Thunderbird. The compromised email reader then forwards the
deadly payload to all contacts in the victim's address book. Remember that
fact the next time you receive unexpected email from close friends or
business partners -- it may contain unwelcome surprises. Are you
sufficiently paranoid yet? |
 |
Check for new warnings about the latest malware threats
and phishing scams by visiting such websites as
Symantec,
McAfee,
Trend Micro,
Panda Software,
CERT,
ICSA Labs, etc. and visit the
VeriSign anti-phishing & ID theft webpage for further information
and statistics. More links are in the right margin of the
Internet Security page. |
 |
If ever you need to remove an application that is
behaving badly or is otherwise corrupt, may we suggest the
Microsoft Installer Clean Up tool?
Ccleaner is another useful tool
that performs a plethora of useful housekeeping tasks including registry
cleanup. These tools will cure many ills if your system requires a little
house cleaning. |
Also consult our
Internet Security
page for
additional tools to keep from having your system
compromised. Use common sense and the proper tools to
avoid disaster. If you wish to educate yourself
on other topics of security, disaster preparedness, and business continuity
planning (another specialty of ours) you may begin with
the Department of Homeland Security. There is even a Kids
Section. For a change of pace, may we suggest the
Department of Homeland Stupidity?
Kool-Aid drinkers
everywhere will delight in knowing that September is
National Preparedness
Month. If you think that government is the answer, you
obviously misunderstood the question! Remember Katrina. But
enough socio-political commentary ... now for the latest news.

 |
Contact local law enforcement immediately and file a
police report.
|
 |
If your credit card or bank account information has been
compromised or your confidential information has been
disclosed, contact your credit card companies and bank immediately to protect your
accounts! |
 |
File a complaint with the Federal Trade Commission
at www.ftc.gov
or call 877.438.4338 |
 |
Contact the FBI's Internet Fraud Complaint Center at
www.ifccfbi.gov |
 |
Contact the IC3 (Internet Crime Complaint Center) at
www.ic3.gov |
Contact the three major credit
bureaus (Equifax,
Experian, or
Trans Union) and request that a Fraud Alert be placed in your credit
profile so that no further credit can be obtained without your express
permission for the next 60 to 90 days. There are currently several
States which allow a more permanent freeze: CA, CO, CT, IL, LA, MA, MN, NV,
NJ, TX, VT, and WA. Please contact your State's
Attorney General for further details (and avoid costly third-party
services). Alternately, if you have had your identity stolen and you have filed a
police report, you may request a seven-year freeze directly through the three major credit
bureaus (indicated below). Again, we must remind everyone that if you have been the
victim of identity theft in the past, your chances of being
re-victimized are quite substantial. Victims of Identity Theft must
NEVER settle for
a simple 60-90 day Fraud Alert!
You may obtain additional information about fraud and identity theft
at the following websites:
Also consult our
Internet Security
page for
a variety of threat detection tools to keep your
computer systems secure and to remove malware threats. Use common sense and the proper tools to
avoid disaster.