I spent the last couple of weeks talking about steps a business can take to secure the personal information collected from consumers and how to prepare for the inevitable data breach. Businesses are only part of the risk, however, and consumers should take some steps to reduce their risk of identity theft:
1. Protect Your Social Security Number (“SSN”)
Your SSN is one of the most critical pieces of personal information that needs to be protected and it is the primary target of criminals. With it, an identity thief can open fraudulent accounts in your name, charge unlimited amounts to these accounts, and create a false identity in multiple locations. At a minimum, you should take the following steps to protect your SSN:
• Only release your SSN when absolutely necessary, such as for tax forms, employment records, financial accounts, and property transactions. If a business requests your SSN, ask why it’s necessary and whether a different identification method can be used. Ask to see the company’s written policy on SSNs and find out what the business will do with your SSN and the consequences if you refuse to provide it. Most businesses are now aware of the sensitivity of this number, and few ask for it any longer. If necessary, threaten to take your business elsewhere if the business won’t let you use a different form of identification.
• Do not carry your SSN in your wallet, except for situations when it is required, such as the first day on the job or when opening a financial account.
• Memorize your SSN and keep it in a safe place in your home.
• Do not provide your SSN over the phone unless it is to a trusted source. Try not to say your SSN out loud when in a public place. If you need to provide it to a merchant or health care provider, try to speak softly and make sure no one is listening.
2. Monitor Account Statements
Regularly monitor the following account statements for unusual activity and unauthorized transactions: bank, credit card, phone, cell phone, loyalty cards, investments, and other financial accounts. These types of accounts have been targeted by criminals in the past and are at risk for attacks in the future. Through regular monitoring, you can hopefully identify unusual activity quickly before too much damage is done. Report any suspicious activity to the appropriate account provider.
3. Clean out Your Wallet/Purse
Clean out your wallet or purse of all unused credit cards. Cancel these credit cards or put them in a safe place for emergencies. Take this opportunity to safely dispose of old receipts, bank withdrawal slips, and any other document that might have sensitive personal information. Proper disposal methods are discussed below at Step 8.
4. Order your Free Annual Credit Report
Federal law gives you the right to one free credit report from each of the three major credit bureaus: Equifax, Experian and TransUnion. For maximum security, stagger these requests by asking for a free credit report every 4 months from a different credit bureau. Your free credit report can be ordered in any one of the following ways:
• Phone: (877) 322-8228
• Internet: www.annualcreditreport.com
• Mail: Print out the order form here: http://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf.
There are many websites that offer a “free credit report” but these are often an attempt to get you to sign up for some other service. Unless you need the service, do not waste your time or money.
When reviewing your credit report, look for the tell-tale signs of fraudulent activity: inquiries not generated by you and new credit accounts that you did not open. If you identify suspicious activity, follow the steps outlined here: https://www.annualcreditreport.com/protectYourIdentity.action
These steps include placing an initial fraud alert on your credit file, contacting the security or fraud department of each company where the account was opened, filing a report with law enforcement officials, and others.
5. Protect your Internet Devices
Any time you connect to the internet through a computer, laptop, or mobile device (“Internet Devices”), you run the risk of downloading a virus, malware, or having your activity monitored by a hacker. To better protect yourself take these steps on all of your Internet Devices:
• Use a Firewall: A firewall blocks unauthorized access to your Internet Devices while allowing you to access the Internet. Make sure that your Internet Devices have a firewall installed and activated.
• Use an Antivirus Program: Antivirus programs help you prevent, detect and remove viruses, Trojan horses, and other malware. Install and regularly update anti-virus programs on all Internet Devices.
• Use spyware blocking software: Spyware is a program that secretly collects info about you and can make your computer engage in unwanted activities. If not included with your Antivirus program, install and regularly update spyware blocking software on all Internet Devices.
• Install Updates: It is important to regularly install updates and patches on all of the programs, apps and operating systems on your Internet Devices. Many updates solve critical security flaws that can be taken advantage of by cyber criminals if not repaired. If available, set up automatic updates so that you don’t forget.
• Use Strong Passwords: Create strong, unique passwords to access each of your Internet Devices. At a minimum your password should be at least 8 characters and include upper and lowercase letters, numbers and non-alphabetic characters (!, #, %, &, $, etc.). See Microsoft Tips for Creating a Strong Password. Do not use dictionary words or personal information for your passwords, and use a different password for each device and account. Change your password every 3-4 months.
Also, if your Internet Device supports it, you should consider using two-factor authentication. Two-factor authentication involves using a password + something else to identify you, such as a USB stick, fingerprint, mobile phone, or key. This is a much more secure way to secure an Internet Device than regular passwords and is likely the wave of the future.
• Encryption: Encryption is the process of scrambling and encoding information in such a way that the information can only be properly viewed and understood with a key (or password). Several encryption programs are readily available at reasonable prices. File-level and whole-disk encryption is also now available by default on some versions of Microsoft Windows, OS X, and new iPhones and Google Android devices. Before encrypting anything, make sure you understand the process completely and store the key in a separate safe location. It would be a shame to encrypt a device or file and not be able to access it in the future!
• Avoid Public Wi-Fi Hotspots: Public Wi-Fi hotspots in coffee shops, libraries, trains, and other locations are convenient but usually not secure. Many don’t require a password to use and anything you send can be viewed by others on the network. Avoid using Public Wi-Fi when accessing any private online account information.
If you need to use Public Wi-Fi to access online accounts, there are protections you can put in place to secure your information. See OnGuard Online.gov Tips for Using Public Wi-Fi Networks. The most versatile and convenient way is to use a virtual private network (VPN). VPNs encrypt traffic between Internet Devices and the internet, even on an insecure network. VPN accounts can be obtained from a VPN service provider, such as Private Internet Access, TorGuard, and many others. These services can be used with most types of Internet Devices.
6. Secure your Home Network
Most of us now run Internet Devices and connect to the Internet through wireless home networks and a wireless router. These routers allow multiple Internet Devices and users to access the internet from different parts of your home. Unless you secure your router, however, you’re vulnerable to other people accessing your network, using your bandwidth, gaining access to all of the Internet Devices on the network, or using your network to commit cyber crimes. Several steps can be taken to protect your home network, although these steps require you to access your router over the internet. This is easily done and there are plenty of guides on the internet that will help. See e.g., http://compnetworking.about.com/od/wifihomenetworking/ht/access-routers.htm. After accessing your wireless router, do the following to make your router more secure:
• Change Default Name on Router: Your wireless router comes with a default SSID name that is assigned by the manufacturer. The default SSID is usually named “default” or is set as the brand name of the router (e.g. Linksys). The name should be changed to a name that is unique to you and won’t be easily guessed by others. That way, you will always be sure that you and your guests are connecting to the correct wireless network, even if there are multiple networks in the area. Important Tip: Don’t use your name, home address, or other personal information in the SSID name. Choose something you can remember but that others will not connect to you.
• Change Default Username and Password: Your wireless router also comes with a default username and password (often admin/password). These defaults are not secure! There is a publicly available database of default usernames and passwords for every wireless router manufacturer that can be accessed by anyone, including criminals. Follow the guidelines from No. 5 in order to create a more secure password for your router. Make sure to memorize this password and put it in a safe place. Otherwise, you will be locked out of your router, which is never a good thing!
• Upgrade Router’s Firmware: You should regularly check the router manufacturer’s website to make sure the router is running the latest firmware. Like every other piece of software and hardware, routers usually need to be updated. Upgrade and update as needed.
• Enable Network Encryption: To prevent unwanted computers from using your internet connection, encrypt your wireless signals. There are several encryption methods for wireless settings such as WEP, WPA, and WPA-2. If you don’t see WPA-2 as an encryption option for your router, upgrade the firmware or buy a new wireless router as your current one is too old to support an upgrade to WPA-2.
Follow the guidelines from No. 5 in order to create a secure password for encrypting your network. Do not use the same password as your router password. You want different and unique passwords for each purpose.
• Filter Network Access by MAC Addresses: Media Access Control addresses (“MAC Addresses”) are unique IDs assigned to every Internet Device. For an added layer of protection, you can add the MAC addresses of your Internet Devices to your router settings so that only those devices can access your network. This is a solid way to increase security, but not foolproof. Somebody can still sniff out your Wi-Fi traffic and then spoof the MAC addresses of their device to match one on your network. Filtering by MAC addresses can also be a hassle when guests come over and want to use your network. To let them, you have to log into your router and add their MAC address or temporarily turn off MAC filtering. So I leave it up to you whether you think this extra step is necessary.
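As an added example (not code from the original post), here is a small Python check that applies the password guidance from No. 5 and No. 6: minimum length, character classes, no dictionary words, no personal information, and no password shared between purposes such as the router login and the Wi-Fi key. The word list and personal details are constructed placeholders.

```python
import re
import string

# Constructed sample word list; a real check would load a full dictionary file.
COMMON_WORDS = ("password", "welcome", "summer", "linksys", "admin", "default")

def _squash(value):
    """Keep only letters and digits, lower-cased, so '123-45-6789' matches '123456789'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def password_policy_issues(password, personal_info=(), common_words=COMMON_WORDS):
    """Return the rule violations for the guidance above: at least 8 characters,
    upper and lower case, a number, a non-alphabetic character, no dictionary
    words, and no personal information (name, address, SSN, ...)."""
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no number")
    if not any(c in string.punctuation for c in password):
        issues.append("no non-alphabetic character (!, #, %, &, $ ...)")
    lowered = password.lower()
    for word in common_words:
        if word in lowered:
            issues.append(f"contains dictionary word '{word}'")
    squashed = _squash(password)
    for item in personal_info:
        token = _squash(item)
        if len(token) >= 4 and token in squashed:
            issues.append(f"contains personal information '{item}'")
    return issues

def reused_passwords(passwords_by_purpose):
    """Map every password used for more than one purpose (router admin login,
    Wi-Fi key, laptop, phone, ...) to the purposes that share it."""
    purposes_by_password = {}
    for purpose, password in passwords_by_purpose.items():
        purposes_by_password.setdefault(password, []).append(purpose)
    return {pw: uses for pw, uses in purposes_by_password.items() if len(uses) > 1}

if __name__ == "__main__":
    # Constructed personal details; the SSN is a fictitious sample value.
    print(password_policy_issues("Linksys#2024", personal_info=["123-45-6789", "Jane Smith"]))
    print(reused_passwords({"router admin": "Gr8!Router", "wifi key": "Gr8!Router", "laptop": "Zq7*lkPw"}))
```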
7. Watch out for phishing scams
Phishing scams are an attempt to acquire your personal information by sending an email that purports to be from a trusted source. For example, you might receive an email that appears to come from your bank that says “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below to confirm your identity.” If you click on the link, you will either download a virus/malware that captures your passwords or be taken to a spoofed website that resembles your bank’s website and gets you to divulge your private information.
To protect yourself from phishing scams, follow these suggestions:
• Be suspicious of any email or communication (including text messages, social media posts, phone calls, ads) with urgent requests for personal financial information.
• Avoid clicking on links. Instead go to the website by typing the web address directly into your browser or by searching for it in a search engine. When in doubt, independently verify the alleged problem with the trusted source by calling them at a phone number you know is accurate.
• Don’t send personal information such as passwords, account info, financial info, medical info or other sensitive information by email. Only provide personal or financial information through an organization’s website if you typed in the web address yourself and you can see that the website is secure.
• Use a secure website (indicated by a https:// and a security “lock” icon) when submitting credit card or other sensitive info online. Never use unsecured Wi-Fi for banking, shopping or entering personal information, even if the website is secure.
If you suspect that you have received a phishing e-mail, forward the email to email@example.com and to the company, bank or organization named in the email. You can also report it to firstname.lastname@example.org. The Anti-Phishing Working Group is a group of internet service providers, security vendors, financial institutions, and law enforcement that uses these reports to fight phishing.
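As an added example (not part of the original post), the following Python check looks at the links in an HTML email for the warning signs described above: a link that is not https, that points at a bare IP address, whose visible text shows one address while the link goes somewhere else, or whose host is not the bank’s real domain. The sample message and domain names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message in the style of the "confirm your identity" email
# described above; all domains and addresses are invented.
SAMPLE_EMAIL = """<p>We suspect an unauthorized transaction on your account.
To ensure that your account is not compromised, please click the link below to
confirm your identity.</p>
<a href="http://192.0.2.10/login">https://www.example-bank.com/secure</a>
<a href="https://example-bank.com.account-verify.example/confirm">Confirm identity</a>
<a href="https://www.example-bank.com/help">Help center</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body, trusted_domains):
    """Return [(href, [reasons])] for every anchor that shows a phishing sign.
    trusted_domains holds the organization's real domains (constructed here)."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        if host.replace(".", "").isdigit():
            reasons.append("bare IP address instead of a domain name")
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown.lower() != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            reasons.append(f"host {host} is not a trusted domain")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Even a link that passes every check here should still be reached by typing the address yourself, as the suggestions above say; the check only helps you decide which messages to treat as suspicious.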
8. Safe Disposal
This step is often overlooked, but is critical. When you decide to get rid of old computers, mobile devices, or papers that contain personal information, make sure that the personal information is permanently destroyed. Crooks will dumpster dive or buy used computers to look for sensitive personal information.
There are different methods for permanently destroying personal information, depending on where the information was stored:
• Papers: Papers should be shredded or incinerated. When shredding, use a cross-cut shredder rather than a strip-cut shredder. Pieces from a strip-cut shredder can still potentially be put back together, whereas it’s nearly impossible to do so from a cross-cut shredder.
• Computers/Laptops: Before disposing of a computer or laptop, you need to get rid of all the personal information that is stored on the hard-drive. Deleting is not sufficient and you will need specialized software to wipe the hard drive clean. The other alternative is to physically destroy the hard drive.
After wiping or destroying the hard drive, take the device to one of the electronics recycling centers identified on the Massachusetts Office of Energy and Environmental Affairs website. Many of these centers are national and not just restricted to Massachusetts.
• Mobile Devices: Mobile devices store a lot of personal information like addresses, phone numbers, passwords, etc., and you want to make sure that this information is wiped properly. Review your owner’s manual or check the website of your mobile provider for detailed information about what you need to do to wipe these devices clean. You can also check out these helpful tips from the FTC about how to dispose of your mobile device. After the device is wiped clean, dispose of the mobile device in the same fashion as with computers.
• The Cloud: Unfortunately, there is no way for you to control how your information is destroyed from the hard drives of your cloud provider. Contact your cloud provider and ask them about their data destruction policies.
• Portable Storage Devices: Flash drives should be wiped clean or destroyed in the same way as computers. CDs and DVDs can be physically destroyed by breaking them into many pieces. If you still have floppy disks or tapes, cut them into small pieces.
That’s it for this week. Hopefully you find these steps useful for protecting yourself from identity theft. Thanks for reading. Please let me know if you have any questions or want to talk about steps that you have taken to protect yourself from identity theft.