Fri, November 07, 2008
This completes the series of posts that I started during National Protect Your Identity Week. I'd like to finish by discussing several more ways to avoid becoming a victim of online ID theft.
Passwords and You
It’s virtually impossible to use the Internet without also using passwords. Consequently, we tire of creating and remembering new passwords. It’s tempting to just use the same trivially-easy-to-remember password over and over. The recent Sarah Palin Yahoo account break-in demonstrates the importance of taking password protection seriously. When setting passwords (or recovery words) for online banking and other important accounts, it’s extremely unwise to use easily-discovered passwords like your mother’s maiden name, your birthday, your pet’s/spouse’s/child’s name, or the ever-popular “123456.” Unfortunately, there are several websites (birthdatabase.com, zoominfo.com, and zabasearch.com) where a certain amount of your personal information is probably available right now to anyone who wants to use it as a starting point. Add to that the social networks where information about you may be available to people you don’t know well, and it’s clear that you need to use some creativity when picking passwords.
Avoid using overly simple passwords. If someone wants to hack into your computer or one of your accounts, there are plenty of tools (with odd names like “wwwhack” and “brutus") available online to help them try logging in repeatedly using random combinations of characters in order to discover your password. A 6-character password that uses only numbers or only lowercase letters can be cracked with one of these programs in a matter of minutes. The simple inclusion of uppercase characters, and special characters (like %, $, @, *, ^, etc.) makes a much stronger password. If you use names or words found in a dictionary, this makes an easily-compromised password, because a determined hacker has tools to test such words rapidly.
A good password should be fairly complex and should include at least eight characters. Here’s a suggestion for creating strong passwords that you have a decent chance of remembering: Start with two words that are memorable for you. For example, suppose your childhood pet was named “Trooper,” and your high school football team was called the Tigers. Change the letter “o” to the numeral “0,” the letter “i” to the numeral “1,” and the letter “s” to the character “$.” In each case, the substituted character resembles the original, so you have an easy mnemonic device for remembering the change. You’ve now transformed words which individually would have been terrible passwords into “Tr00perT1ger$,” which is a much stronger password.
Resist the urge to use the same password for multiple accounts. If a thief were deliberately stealing information from you and obtained a password that works on one account, his first assumption would be that it’s also used for your other accounts. This creates an obvious problem: how do you keep track of all those passwords? One solution is the use of a password management program like AccountLogon or Roboform. These programs store your passwords in a password-protected encrypted file, so that if someone hacks into your computer files, your passwords are not readily available to them. The management program will remember your other passwords for you (of course, if you forget the critical password, you’ve got a serious problem).
If you don’t want to use a password management program, I have a slightly unorthodox suggestion: write your passwords down. It’s better to keep a list of your passwords in a locked drawer than to use easy-to-crack passwords. If you can’t remember multiple passwords, this approach is also better than using weak ones. Online hackers can’t get into your desk drawer, but be careful: as noted previously, identity theft is often committed by people who know their victim personally. Never leave your passwords in an unsecured location, and don’t carry them in your wallet or purse.
Safe Shopping Online
Online purchases are not necessarily riskier than other transactions, provided you stick with reputable websites. Be sure that the online vendor uses encryption (look for the lock icon in your browser when you’re making a transaction). If something should go wrong, online shopping with a credit card (not a debit card) gives you considerable protection, since credit card companies are usually eager to waive your liabilities in the event of online fraud. Check with your credit card providers to see if they offer any special online protection services, such as the generation of random temporary credit card numbers for use in online transactions. In any case, credit card shopping at the encrypted site of a reputable vendor is safer than handing your credit card to a waiter at a restaurant , and you’d probably do that without a second thought. According to Visa USA, restaurants represent about 40% of the incidents in which credit-card information is compromised, and many restaurants don’t comply with credit card security rules.
Here are a few additional tips on protecting your confidential information from online theft:
1. Wireless Internet—If you install a wireless router or other network device with a password, change its default password after installation. There are websites that list the default passwords for all kinds of equipment, and hackers know to try these passwords first when they try to access your system. Be cautious when using unsecured public wireless networks. You take a considerable risk if you log into your bank or other financial accounts while using these systems. If you have a wireless home network, be sure to use its encryption features. There are unencrypted wireless networks in almost every neighborhood, and you’ll be a less attractive target if yours isn’t one of them. Further, although it’s extremely unlikely that anyone would attempt to break into your home’s encrypted wireless network, you should understand that if someone really wanted to do so, there are resources available that make it possible.
2. Common Computers—It’s a bad idea to log into financial or other sensitive accounts using computers that are publicly accessible. The possibility always exists that someone has installed key logging software on such a computer in order to harvest personal information from unsuspecting users.
3. Laptops—Don’t leave your laptop computer in your automobile. This simple precaution ensures that any sensitive information you have on the computer will not be lost in a car theft or a break-in. To provide further protection in the event of a theft, access to laptop computers should be secured with strong passwords. If you must keep confidential information on your laptop, you should secure it with one of several data encryption programs that are available.
4. Old computers—Prior to selling or disposing of an old computer, use an overwriting program to obliterate your hard disk’s information (reformatting is not enough), or remove and physically destroy the hard disk.
5. Smartphones — As cellphones become more and more powerful, we can expect to see viruses, trojan horses, and other forms of unwanted software make their way into the cellphone realm. In a recent report on emerging cyber threats, Georgia Tech’s Patrick Traynor predicted that botnet infections will start to become a problem for mobile devices as early as next year. It’s wise to exercise the same caution with a smartphone as one would with a regular computer (e.g. don’t download software from unknown web sites!). Security software manufacturer McAfee is reportedly already working on antivirus software for the iPhone.
Finally, here are several more resources to help you avoid online ID theft (or deal with it when it happens):