Thoughts on Identity Theft
As a security guy, I get asked about Identity Theft a lot, and what can be done about it. To understand the problem, we first have to do a little root cause analysis. In the spirit of Socrates, let’s start by asking “What is it?” What is an Identity? In the United States, a personal identity consists for the most part of the information required to enter into a contract (such as taking out a loan): your Name, Address, Date of Birth, and Social Security Number. Social Security Numbers (SSNs) were first issued to Americans in 1936 under the Social Security Act, part of FDR’s New Deal, and were never designed or intended to become a de facto national identity system. Unfortunately, our Social Security numbers have become the “master key” to our identities, and it is effectively impossible to keep an SSN secret: it is on file with every employer, bank, insurer, school, and medical office you have ever dealt with, and it cannot be rotated the way a password can.
Here is the crux of the ID Theft problem: it is manifestly impossible to control custodianship of these four critical personal data points. You as an individual simply cannot control who has your PII (Personally Identifiable Information) or what measures they actually take to protect it. Attempts to put a dent in this very serious (global) problem have been made in Europe with the GDPR and more recently with the California Consumer Privacy Act, but these are insufficient half-measures at best: they regulate how custodians must handle the data after the fact, and neither changes the underlying design in which a single static number unlocks everything.
The only real solution to ID Theft is blockchain (think Bitcoin). Using blockchain technology, your ID could be virtually “tokenized” (an opaque token standing in for the raw SSN and other data points), and custodianship could then be tracked in a digital ledger, just like checking books in and out of a library. If a problem arises, we could look back in the ledger and see who accessed your ID and when. One caveat worth stating plainly: a ledger only records accesses that go through it, so the scheme works only if custodians are required to use the token rather than the raw number; anyone who keeps a copy of the underlying data outside the system remains invisible. And while a blockchain-based ID is perfectly feasible from a strictly technical standpoint, there are major legal, political, ethical, social, and cultural barriers that would have to be addressed first.
To do this legally, the Constitution would need to be amended to give Congress the lawful authority to create a federal blockchain-based ID. However, it goes without saying that in our current political climate, amending the Constitution just isn’t going to happen in the foreseeable future. Additionally, large swaths of Americans are, for various reasons, vehemently opposed to the creation of any federal ID, and their zeal is on par with that of the Second Amendment and abortion crowds. So, while a blockchain-based federal ID is technically feasible, in my estimation it won’t ever happen, at least not in our own lifetimes.
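To make the “library check-out” idea above concrete, here is an added example (my own illustration, not code from the original post or from any real ID system) of the smallest possible custodianship ledger: identities are reduced to an opaque token with a keyed hash so the ledger never stores the SSN itself, each access is appended as a record that commits to the previous one, and you can ask “who touched this identity, and when?” and detect after-the-fact edits. The names, issuer secret, timestamps, and sample SSN are all constructed for illustration.

```python
"""Toy hash-chained custodianship ledger (added example, not from the post).
Identities are tokenized with an HMAC so the ledger never holds raw PII;
each access record is linked to the previous one so edits are detectable.
All names, keys and timestamps below are constructed for illustration."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash of the very first record


def tokenize_identity(name: str, dob: str, ssn: str, secret: bytes) -> str:
    """Derive a stable, opaque token for one identity.

    A keyed HMAC rather than a bare hash: SSNs have only ~1e9 values, so an
    unkeyed SHA-256 of the data points could be brute-forced from a leaked
    ledger. The secret would live with the (hypothetical) token issuer.
    """
    payload = json.dumps({"name": name, "dob": dob, "ssn": ssn}, sort_keys=True)
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def _digest(record: dict) -> str:
    """Canonical SHA-256 over a record's fields, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only list of access records; each record commits to the last."""

    def __init__(self):
        self.records = []

    def record_access(self, token: str, accessor: str, purpose: str, ts: int) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"index": len(self.records), "token": token, "accessor": accessor,
               "purpose": purpose, "ts": ts, "prev": prev}
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False if anything was altered."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["index"] != i or rec["prev"] != prev or _digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def accesses_for(self, token: str) -> list:
        """The post's question: who accessed this identity, and when?"""
        return [(r["accessor"], r["ts"], r["purpose"])
                for r in self.records if r["token"] == token]

    def head(self) -> str:
        """Hash of the latest record. Publishing or replicating this value is
        what stops the ledger's own operator from quietly rewriting history."""
        return self.records[-1]["hash"] if self.records else GENESIS


def demo() -> dict:
    """Issue a token, log two legitimate accesses, then attempt a cover-up."""
    issuer_key = b"constructed-issuer-secret"  # hypothetical issuer secret
    jane = tokenize_identity("Jane Doe", "1980-01-01", "123-45-6789", issuer_key)
    ledger = CustodyLedger()
    ledger.record_access(jane, "First Bank", "mortgage application", 1700000000)
    ledger.record_access(jane, "Main St Dental", "new-patient intake", 1700086400)
    intact = ledger.verify()
    history = ledger.accesses_for(jane)
    # Someone with write access to the store tries to erase the dentist's access.
    ledger.records[1]["accessor"] = "Nobody"
    return {"token": jane, "intact_before": intact, "history": history,
            "intact_after_tamper": ledger.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the toy makes visible that the paragraph does not: the ledger holds tokens, not SSNs, so a leak of the ledger alone is not a leak of identities; and a single operator who edits a record *and* recomputes the hashes will pass `verify()`, which is why a real system replicates the chain or publishes its head hash. That distribution, not the hashing, is the part that actually earns the name “blockchain”.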
Now that we understand the roots of the ID Theft problem a little better, what is the individual to do? Purchase Identity Theft Protection? Pray to the Persian goddess Anahita (the immaculate one)? There are a few realities to consider here. We security guys like to say that computer networks fall into two categories: those that have been breached, and those that are going to get breached. The same is true of your personal identity. It’s either been stolen or it’s going to get stolen, period. Sadly, the ultimate burden lies on the individual to protect their own identity, and this takes time and effort. Protecting your own identity is like personal fitness: you can’t simply pay someone else to do the lifting for you and expect any real results. “No pain, no gain” is as true in security as it is in fitness.
There are multiple paid monthly services such as LifeLock, Identity Guard, and Experian (hahahahhahahha), and I would personally describe these as “adequate” or “fine”, but not “great”. Other than the insurance they offer to cover the (potentially very high) financial impact of a stolen ID and some of the dark web monitoring features, these services don’t really do anything that you cannot do for yourself.
Now that we understand that your ID is eventually going to get stolen, and that protecting it is your personal job, let’s talk about some of the things you can do to help prevent ID theft and the other types of cyber-crime that target individuals.
- Your Social Security Number is the “master key” to your Identity. Memorize it, and be a total jerk about giving it out. Leave it off of forms, even when there is a field for it. If someone needs it, make them ask for it, and make them say why. Keep any paper with your SSN on it in a secure place, and never in your wallet, purse, car, desk at work, etc.
- Password hygiene. This subject has been beaten into the ground by everyone including me. I’ve written two articles about passwords (intended for non-techies) here and here.
- Minimize your attack surface. Don’t create and maintain more accounts (online or otherwise) than you reasonably need. Delete disused accounts, and definitely follow my password hygiene suggestions from the previous bullet.
- When you visit any professional office for services (dentist, CPA, etc.) and they ask you to fill out forms, don’t provide any more information than they actually need. ASK them what they do with the forms and how they protect your information. This applies to educational, governmental, and all other institutions as well. Play dumb and politely ask which fields they really have to have; let them complain, and then give them only that.
- Watch closely what you post on Social Media, and who has access to this information. Don’t advertise your birthday, and limit other details which could be used to compromise your personal security.
- Learn what phishing is, and how to detect it. The FTC has an article about this here.
- Use MFA (multifactor authentication) on important accounts whenever it is available. Protecting your financial accounts with a username and password alone is NOT enough. Where you have a choice, prefer an authenticator app or a hardware security key over codes sent by SMS, since SMS can be intercepted by a SIM swap. If your bank does not offer MFA at all, drop them.
- Smartphones are a veritable gold mine of information, so don’t lose your phone! Make sure the entire phone (including any removable memory cards) is encrypted, set a strong passcode, and enable biometric unlock (fingerprint or face) on top of it. Keep the phone current on all software/patches, and don’t install garbage apps that you don’t know anything about. Both iOS and Android have pretty good security right out of the box; it’s when people start installing garbage apps that these devices are put at risk. Make sure you can locate and remotely wipe the phone if it goes missing: both platforms build this in (Find My on iOS, Find My Device on Android), so turn it on before you need it rather than relying on a third-party anti-virus app for it. Avoid connecting to public WiFi at all; just use your carrier’s mobile data. If you must use public WiFi, use a VPN. Charge your smartphone using your own charger plugged into an electrical outlet, and never plug your phone into any USB port that is not yours.
- Use credit cards instead of debit cards. Credit cards have better (legally mandated) protections than debit cards do: under the Fair Credit Billing Act your liability for unauthorized credit card charges is capped at $50, and the disputed money never left your account in the first place. With a debit card, the Electronic Fund Transfer Act ties your liability to how quickly you report the loss, and the cash is already gone from your checking account while the bank investigates. When your card gets stolen (which it will), recovery is far easier when a credit card was used. However, only do this if you pay the full balance off every month!!!
- Wiggle credit card readers. Sophisticated credit card thieves are adept at fitting false facades (skimmers) over the card readers at gas pumps and oddball ATMs, as well as POS (Point of Sale) terminals. Don’t be shy about giving the card reader a gentle tug; it might just come off in your hands. Where you have the option, tap to pay or insert the chip rather than swiping, since the magnetic stripe is what a skimmer reads most easily.
- If you do use debit cards, don’t maintain large balances in your checking account. Move extra funds into savings, where they are much harder to steal.
- If using a card that is both debit/credit, always choose credit. Avoid inputting your PIN as much as possible. Check your surroundings for hidden cameras, and cover the PIN pad with your hand.
- Go paperless. As long as you are using your smartphone and computer in safe and secure ways, electronic statements are less risky than snail mail. Shred all mail that you are finished with or no longer need/want.
- Don’t have a “George Costanza” wallet. Almost everyone will lose their wallet one or more times during their lives. Keep your wallet and/or purse as light as you reasonably can.
- Watch your bank and credit card accounts like a hawk. Log in and look for fraudulent/erroneous charges a few times every week.
- Many banks and credit card issuers offer free credit monitoring. Use it (but be sure to sign up for it before taking the step in the next bullet, since a freeze can block new enrollments).
- Freeze your credit. Unless you have any near future plans to apply for credit, freeze your credit with the 3 major agencies. Brian Krebs has an article on how to do this here.
- Order your free credit reports. By Federal law you are entitled to at least one free credit report per year from each of the 3 major agencies, and the agencies now make them available far more often than that through the same official site. This can be done easily at this website, which was authorized expressly by Federal law. Check each report for accounts and inquiries you don’t recognize.
- Use cash when you reasonably can. Yes, cards and Apple Pay are convenient, but security-wise cash is (still) king. Trust your instincts here: if you have to have that tchotchke from a strange back alley shop, pay in cash.
I normally write blogs intended for companies and their executives, as opposed to material that is directed at individuals. But sometimes I get the itch to write, so I just hit the keyboard and let something take shape on its own, as was the case with this post. In any case, if this particular subject matter interests you, Brian Krebs does really great work on this problem.
His website is here.