Everyone at some point may have been a target of online identity theft. We all know what identity theft is: it's when someone impersonates an individual online, usually for financial gain. Identity theft is a crime, and the percentage of people whose identities have been stolen online has gone down steadily every year, but it's always good to know how to stay secure. I am going to walk you through the different ways people are targeted, the most common methods, and how to stay secure online.
What are they after?
There are many ways someone can target you online, and at times there are offline techniques that lead to online identity theft as well. I am going to go through some of the most popular methods people use to get your data online and offline. But before that, you need to know what people are after and how sensitive each piece of information is. Your full name, address, and phone numbers are details with low sensitivity, and there isn't much you can do to protect them from unknown people; a simple Google search may show them too. The next set is your Date of Birth, Birthplace, Mother's Maiden Name and other similar fields. These carry a medium sensitivity, and most online services collect parts of these when recovering your forgotten login details. Your Facebook account can be a really good resource for this kind of personal information, so be careful who you let into your Facebook and what information you put on it. Your Social Security Number, Bank Account Number, Credit Card Number, PINs and passwords are highly sensitive and are not easily obtainable, but people do lose them too.
How they target you
Forging an e-mail header to make it seem as if it came from somewhere or someone other than the real source. Most of the modern web mail clients such as Gmail should let you know if the headers of the email do not seem legitimate. Here’s an example of a spoofed email and how I originated it. I used the contact form on the Contact page of my website and put in my email and sent it. Gmail caught it under spam and flagged it as a suspicious email as in the screenshot below.
Some email clients won't flag it, but you can check the headers of the email to verify the source. Here are the headers of the email in the screenshot below. Most email clients have an option to view the details and headers of an email.
As the screenshot shows, the sender's address domain isn't gmail.com but my server's mail server. This is the easiest way to track where an email originated from, and you can even use the header text as evidence when filing an abuse report.
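The header check described above can be automated. The following is an added example, not code from the original post: it parses two constructed messages (all hostnames, addresses, IP addresses and queue ids are made up) and compares the domain claimed in the From header with the envelope sender (Return-Path) and with the host named in the earliest Received header, which is the first hop the message actually took.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the scenario in the post: the From header
# claims a gmail.com address, but the Received chain shows the message was
# handed to the recipient's provider by a web host's own mail server.
SPOOFED_MESSAGE = b"""\
Return-Path: <www-data@webhost.example.net>
Received: from webhost.example.net (webhost.example.net [192.0.2.10])
        by mx.recipient.example (Postfix) with ESMTP id 4F2A1
        for <victim@gmail.com>; Mon, 05 Sep 2011 10:02:11 +0000
Received: by webhost.example.net (Postfix, from userid 33)
        id 3B1C2; Mon, 05 Sep 2011 10:02:10 +0000
From: "Account Team" <no-reply@gmail.com>
To: victim@gmail.com
Subject: Please verify your account
Message-ID: <20110905100210.3B1C2@webhost.example.net>

Click the link to verify your account.
"""

# Constructed legitimate counterpart: the envelope sender and the first hop
# both belong to the domain shown in the From header.
LEGIT_MESSAGE = b"""\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.5])
        by mx.recipient.example (Postfix) with ESMTP id 7C9D2
        for <victim@gmail.com>; Mon, 05 Sep 2011 11:14:02 +0000
From: Alice <alice@example.org>
To: victim@gmail.com
Subject: Lunch on Friday?

Still on for Friday?
"""

# Host named after "from" (or "by", for a local submission with no "from")
# at the start of a Received header.
RECEIVED_HOST = re.compile(r"^\s*(?:from|by)\s+([A-Za-z0-9.-]+)")


def header_domain(msg, name):
    """Domain part of the address in header `name`, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(str(value))
    return addr.rpartition("@")[2].lower() or None


def originating_host(msg):
    """Host named in the earliest Received header (the last one in the file).

    Each relay prepends its own Received line, so the bottom-most one records
    the first hop. A spoofer controls the From line, but not what honest
    relays write down about where they received the message from."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_HOST.match(str(received[-1]))
    return match.group(1).lower() if match else None


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze_origin(raw):
    """Compare the claimed From domain with the envelope sender and first hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = header_domain(msg, "From")
    return_path_domain = header_domain(msg, "Return-Path")
    origin_host = originating_host(msg)

    reasons = []
    if from_domain and return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if from_domain and origin_host and not under_domain(origin_host, from_domain):
        reasons.append(f"first hop {origin_host} is not under {from_domain}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_host": origin_host,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        report = analyze_origin(raw)
        print(f"{label}: suspicious={report['suspicious']}")
        for reason in report["reasons"]:
            print("  -", reason)
```

This is a heuristic, and it errs on the side of flagging: large providers deliver mail from infrastructure hostnames that differ from the address domain, so a real gmail.com message would also trip the first-hop rule. The authoritative checks are the SPF, DKIM and DMARC results that the receiving server records in the Authentication-Results header; the visible mismatch shown here is what you look for when that header is absent or you are reading the raw headers by hand.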
E-mail spoofing is a popular method, but the next one is the one people fall for the most.
Phishing, per its definition, is the activity of defrauding an online account holder of important information by posing as a legitimate company. The most common phishing traps are fake login pages for popular online services such as Google, Yahoo, AOL, etc. Even the most advanced users may have fallen for such pages, and the only way to know you're not being phished is to cross-check the URL of the website and, if your browser displays the SSL certificate, check it too. Here's a screenshot of Facebook's SSL certificate in Firefox 6.
Some people are smart enough to use domain hacks so that the domain names look similar. Here are a few examples of domain hacks that people may use. (These may exist, do NOT visit.)
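As an added example (not code from the original post), here is a small URL checker that implements the cross-check described above for the look-alike tricks the post mentions: the brand name hidden in a subdomain of some other registered domain, digits substituted for letters, and one-character typos. The brand list contains only the services named in the post; all suspicious hostnames are constructed under the reserved `.example` top-level domain, and the "last two labels" rule for the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Services named in the post, used as the reference list of real domains.
KNOWN_BRANDS = ("aol.com", "facebook.com", "google.com", "yahoo.com")

# Single characters commonly substituted for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
# Two-character sequences that read as one letter in many fonts.
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize_label(label):
    """Fold look-alike characters back to the letters they imitate."""
    label = label.lower().translate(HOMOGLYPHS)
    for pair, letter in DIGRAPHS:
        label = label.replace(pair, letter)
    return label


def levenshtein(a, b):
    """Edit distance; a name one edit from a brand is a classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").strip(".")
    labels = host.split(".")
    # Assumption: the registered domain is the last two labels. A production
    # checker would consult the Public Suffix List (e.g. co.uk needs three).
    registered = ".".join(labels[-2:])
    findings = []

    if registered in KNOWN_BRANDS:
        if parts.scheme != "https":
            findings.append("brand domain reached without https")
        return {"host": host, "registered": registered,
                "verdict": "warning" if findings else "legitimate", "findings": findings}

    subdomain_labels = labels[:-2]
    reg_label = labels[-2] if len(labels) >= 2 else host
    norm = normalize_label(reg_label)
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        if any(brand_label in lab for lab in subdomain_labels):
            findings.append(f"{brand} appears as a subdomain of {registered}")
        elif brand_label in reg_label and reg_label != brand_label:
            findings.append(f"{brand_label} embedded in registered domain {registered}")
        elif norm == brand_label:
            findings.append(f"{registered} is a homoglyph lookalike of {brand}")
        elif len(brand_label) >= 5 and levenshtein(norm, brand_label) == 1:
            findings.append(f"{registered} is one edit away from {brand}")

    verdict = "suspicious" if findings else "no match"
    return {"host": host, "registered": registered, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed URLs for demonstration; none of these is a real site.
    for url in ("https://www.facebook.com/login",
                "http://www.facebook.com.account-verify.example/login",
                "https://faceb00k.example/",
                "https://gooogle.example/",
                "https://login-facebook.example/"):
        result = check_url(url)
        print(f"{result['verdict']:10} {url}  {'; '.join(result['findings'])}")
```

The short brand list and the two-label rule are the weak points: a real deployment keys the check on the Public Suffix List and on the sites the user actually has accounts with, and the edit-distance rule is skipped for very short names (such as aol) because nearly any three-letter label is one edit away from them.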
Some of the common offline methods for stealing your data include:
- Accessing your Computer/Laptop directly to steal data.
- Your mail box. It’s recommended to keep your mailbox secure and having a lock on it would be a good idea.
- Watch out for “shoulder surfers”. Always be aware of your surroundings. ID thieves can write your numbers down quickly if you leave your card out while completing a purchase. They can even take a picture of your information with their cell phone.
The methods above require some work from the person trying to get your information, and you usually need to click through a few things before your data is compromised. But there's another way someone can target you without even needing your help. That technique is called social engineering. As per the definition:
Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
Usually anyone trying to use this method will have to look up information about you. People can either search for you on Google and find the required details if you're socially active, or try to get close to you via social networks such as Twitter and Facebook and get the details from there. In most cases they may directly ask you for something in a casual way, so that you won't be suspicious. Here's an example of the details needed to recover the password on some of the popular services.
Gmail asks for your username and a human verification test before it lets you into the password recovery page, which displays all the recovery options. The most vulnerable one is the security question. As you can see, I could easily learn the answer (such as your first school) by indirectly asking the person the question. Most recovery systems lock down recovery options after a few attempts, such as the one below.
Yahoo has several steps depending on the user's recovery settings. Most of the time it asks you for an alternate email and sends the recovery link to it. Or it asks for the registered phone number. If the Yahoo account is old, it loads the security questions. If someone gets stuck at this part, they will most likely go after the alternate email first and open that up before trying to recover through here.
AOL has a pretty weak system too. They ask for the security question as well as the alternate email. (And they give you a hint for the alternate email too!)
Facebook has a really straightforward recovery page which uses your email addresses and phone as recovery options.
Based on the four examples above you should get an idea of what information you need to go back and reset so that it isn't too obvious. To keep yourself secure from such threats, you should regularly check up on your recovery settings and keep them updated. Also be careful about the information you put out there.
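One practical way to make recovery answers "not too obvious" is to treat them as secondary passwords: check each current answer against what is already public about you, and replace any that overlap with a random passphrase kept in a password manager. The following is an added example, not code from the original post; the public profile and the word list are constructed for the demonstration, and a real deployment would use a word list of a few thousand entries.

```python
import re
import secrets

# Constructed public profile of the kind the post describes being gathered
# from search engines and social networks. Every value here is made up.
PUBLIC_FACTS = {
    "hometown": "Springfield",
    "first school": "Lincoln Elementary",
    "mother's maiden name": "Baker",
    "pet": "Rex",
    "birth year": "1985",
}

# Small constructed word list; use a much larger one in practice.
WORDS = ("anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor",
         "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble")


def _tokens(text):
    """Lower-cased alphanumeric words, so 'Lincoln Elementary' -> {lincoln, elementary}."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def audit_recovery_answers(answers, public_facts):
    """Return the questions whose answers share a word with any public fact.

    An answer is treated as guessable when any word in it also appears in
    the public profile, so a school name is caught even if the profile only
    lists the town or the school's first word."""
    public_tokens = set()
    for fact in public_facts.values():
        public_tokens |= _tokens(fact)
    return [question for question, answer in answers.items()
            if _tokens(answer) & public_tokens]


def random_answer(words=4):
    """An unguessable answer: a random passphrase drawn with the secrets module."""
    return " ".join(secrets.choice(WORDS) for _ in range(words))


if __name__ == "__main__":
    current = {"first school": "Lincoln Elementary", "favourite colour": "teal"}
    for question in audit_recovery_answers(current, PUBLIC_FACTS):
        print(f"'{question}' is derivable from public information; "
              f"replace with: {random_answer()}")
```

The answer the site stores does not need to be true, only reproducible by you, which is why a generated passphrase stored alongside the account's password works for any question the service asks.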
Steps to take if you think you are being or have been targeted
- Do not panic and think before taking any other steps.
- If you still have access to the account, change your passwords. Change them in order of account importance. For example, if I think I've been hacked, I would go to my Gmail first and update its password before going to any other accounts.
- If you do not have access to the account, initiate a password reset by following the forgot-password links on the appropriate services.
- If you still have no luck, notify every one of your important contacts and friends about the situation and ask them to be careful because you do not want them to be compromised too.
- Then contact support for the service on which your account has been compromised. And wait. You can keep trying to recover the account while waiting.
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).
Linking your accounts to your phone can be risky. Most of the services above use your phone as a recovery option. If you have a phone linked, keep it with you and make a habit of having a PIN lock on your phone so no one else can get in unsupervised.
Social Security Numbers
SSNs may seem hard to get, but the last 4 digits are easily available via public records and the rest can be acquired based on the algorithm they are generated with. This article shows you how they are made and how easy it is to get the number if someone digs enough.
It's always good to have antivirus software installed. There are many good paid ones out there, but one of the best Windows antivirus products is provided by Microsoft itself. It's called Security Essentials, and it helps you detect suspicious emails in Outlook and other desktop email clients.
I hope this article helped you understand your security online. Having your identity compromised online can be a big deal if you work from home and rely on it for work. It's also good practice to change your password every thirty days. If you follow the tips above and are careful what you click, I guarantee that you won't ever be hacked by anyone, no matter how skilled they claim to be.
I would love to hear your opinions and questions about the article; you may discuss them by commenting below.