Identity protection is one of the most important considerations in today’s society. At every corner, you are asked to give your email, mailing, web site address, or even more personal information. According to the Javelin Strategy and Research February 2007 Identity Fraud Report, 8.4 million people had their identity stolen in 2007. This is big business that the study shows costs each victim an average of $5,720.

Understand how phishing works by reading this example story of a phisher.

Phish – (MSN Encarta - commit fraud to get financial information: to trick somebody into providing bank or credit-card information by sending a fraudulent e-mail purporting to be from a bank, Internet provider, etc. asking for verification of an account number or password)

A day in the life of a Phisher

Evil Ed sits in his easy chair with his laptop, watching TV. He’s doing web searches on names that he found from various Internet forums and chat rooms.  Ed has written a computer program to read these sites and gather names and email addresses. The program puts these names into a file on his computer.

Ed loves his house. Everything in it was bought and paid for by someone else. He grins as he begins the day’s work.  First, he calls a contact that is looking for email addresses.  Ed has just finished creating the list of new emails his program found that week.  His database now has over 40 million unique addresses.

After agreeing on a price for the complete list, Ed hangs up the phone and begins his real money maker; stealing people’s identity. Ed has another computer program that takes all the names it found with the email addresses and sends them through all the search engines he can find. When the search returns numbers or words like “street”, “avenue”, or a city, it catalogs those to a smaller file.

It’s here that the work begins. First, Ed cross references the information he finds in Internet white pages with any public records that are available, such as deeds, death notices, or marriage licenses. When he finds connections, those people can expect to have their cell phone companies, Internet Service Providers, and any other discoverable business relationship phished.

Ed calls a dating site he found and presents himself as innocent@somedomain.com. “Here’s my address I used to sign up for an account. What are the last four digits of my credit card? Hmmm, well I know I used a few different ones during that time, I think it was a Visa®?” The agent, trying to be helpful answers yes, no, or provides a helpful hint, “No, it was a MasterCard®.” Ed hangs up the phone.

He immediately calls back and now phishes for the last four digits of the MasterCard®. This is called social engineering and you can see where this goes.  How about the people that didn’t have any connections to  accounts or other information?  Well, Ed still has the email address and the web site it was found on, as well as the email provider (e.g. Hotmail, Yahoo, Gmail, etc). Ed now creates an email that looks exactly like it is from that provider. The email tells the user that their account is expiring, in violation, or needs more information. Click this link now to save this account! Each person that clicks that link, and enters that information, has now been caught in the phishing net.

Ed ends his day by heading out to the mailbox. It’s about 3:30 in the afternoon now. He hopes that the letter from his cousin Andy has arrived. Andy works in a refreshment booth at one of the many tourist attractions in his area. Every month, Andy mails Ed a list of credit card numbers and names that he has copied into his notebook. He gets these numbers from people paying for their food and drinks.

Ed chuckles to himself; just because the Internet Age is here, why ignore the original methods of identity theft?

You can protect yourself – here’s how:

Never post any personal information in an Internet forum, chat room, or blog. Doing this allows programs like the one described above to harvest and use it for other reasons. This can be anywhere from full blown identity theft to using your email address as the “From” address in their spam; most likely getting your account closed by your email provider in the process.

Search on yourself. Go out to search engines like Microsoft Live Search and enter your name in the search box. You may be surprised by the results. Something as innocent as being listed in the phone book can get you listed on the Internet. Each data provider has different methods that you must take to remove the information, if you choose to do so.

Enroll in an identity protection program. Today, every credit card, mortgage, or other lender offers some type of identity protection program. Do your homework and find the one that monitors all three major credit reporting agencies: Experian, Equifax, and TransUnion, and which fits in your budget. A good service will send you a proactive report each quarter. The higher-end services offer real time alerts to your phone or email. You should only need one program for all of your accounts.

Change your account information. Changing your password is not enough. You must also change your secret questions and it is recommended that you also change other information. Maybe change your house phone to your cell phone or your house address to your mother’s address. Not every account warrants the same change, but your critical ones do. Put up as many barriers to social engineering phishes as possible.

Ensure you are running virus protection, malware protection, and a firewall. Ensure that they are all current with updates. Although this is now becoming a truth along the lines of you should look both ways before crossing a street, I cannot stress enough the importance of this item. In my days as an independent consultant, I worked with many clients and businesses that could have saved both time and money, in the case of my bill and their lost work, if they had only installed and turned on their security software. Microsoft offers products like Windows Defender and Windows Live OneCare that together offer a unified platform for users wanting to protect their personal information and computer systems.

Don’t let your ATM/credit card out of your sight. This one isn’t easy sometimes, especially in restaurants, but do you best to maintain visual contact with your ATM/credit card at all times. The news of the day is all the online identity theft. That is because the traditional method of manually stealing names and numbers through garbage sifting and unethical service employees is old hat. If your card leaves your sight, be diligent about reviewing your statement. Shred all personal documents, such as account statements, pill bottle labels, and even the pre-approved credit offers, when you discard them.

Own your information. Many people do not realize that they own their personal information. Even more people do not exercise that right. Each pre-approved credit offer is a check on your credit score. Each time you list in your local phonebook’s white pages, you also list in their online directories. The way to maintain and control this information is different in each case. Some are tedious, like removing yourself from all pre-approval lists after buying a new home, to others which are much simpler, like merely submitting a request to the company. At Microsoft, privacy is one of our top concerns and we have a very strict privacy policy. Every employee at Microsoft must complete a privacy training course annually.

In closing…

The scope and prevalence of this crime is that we must protect ourselves and our family. Law enforcement agencies the world over are understaffed and overworked in trying to shut down identity theft rings. Be safe and be sure.  Be the one who is protecting your identity.

Until the next time…

-s

Resources

·         Microsoft Security at Home – Ways to keep your family's online experience safe and enjoyable: http://www.microsoft.com/protect/default.mspx

·         Federal Trade Commission – Latest regulatory information, studies, and legislation: http://www.ftc.gov

·         Snopes.com – Debunking of urban legends: http://www.snopes.com

·         Authentication and Online Trust Alliance – Consortium of email senders, providers, and support leaders committed to the Internet trust ecosystem: http://www.aotalliance.org

·         Messaging Anti-Abuse Working Group – Global organization focusing on preserving electronic messaging from online exploits and abuse with the goal of enhancing user trust and confidence, while ensuring the deliverability of legitimate messages: http://www.maawg.org/home/