The Tech Herald

NCSAM: Personal information and how to protect it

by Steve Ragan - Oct 2 2008, 14:57

Personal information is important to protect. (IMG: J. Anderson)

Protecting your personal information is important these days. There are hundreds of ways for a criminal to get their grubby little hands on your important information and use it for nefarious means. The Tech Herald offers you some steps to prevent this as part of an ongoing series spanning the month of October, in support of the NCSAM initiative.

Information is gold. Digital or ink, paper or pixel, the information that surrounds us these days is pure money in the eyes of some. While there is lots of information on protecting your personal information online, it is (always) worth repeating.

Know what information is being collected. Know how it will be used:

This is important. When signing up for things in person, say at a department store or other business, if personal information is collected, ask why. Why does the business need your Social Security Number? Why does it need your Driver's License Number?

Department stores and other businesses might collect this information for their own records. However, do they sell this information to others? Will they share it with business partners? How many times have you had to fill out information to get a discount card at a grocery store or drug store and needed to offer up your home address, name and e-mail address? Why do they need this?

The big one is, of course, your Social Security Number (SSN). This can be used to obtain entirely too much information on a person. Credit applications, finance-related business, and medical information require an SSN. You want to use caution when handing out this information.

Other bits of information, such as your home phone number and birthday, can also be valuable to criminals.

If a business has a privacy policy, then read it. See what information it has to collect, and how the business plans to use it. Often, the fine print in these documents includes an opt-out option for the sale of information, and sometimes there are clauses that define the minimum information needed, so you can skip the other optional information requested.

Keep a sharp eye out for Phishing or other email scams:

Phishing is a form of social engineering that takes advantage of people by asking them for information in a way that makes handing it over appear harmless.

Have you ever received an e-mail asking for updated security information on an account at a bank that you don’t even belong to? If you're currently nodding (and many of you will be), this is a Phishing e-mail. However, while you might not have a Bank of America account, someone, somewhere does. Moreover, if those people are not informed, they will likely see the e-mail, think it is authentic, and duly hand over information to criminals.

Phishing attacks play on one rule, namely the hope that no one will notice before it is too late. Let’s say you are a Bank of America customer, and you get an e-mail from the bank that, for all intents and purposes, looks real. You visit the online security page and enter everything asked for on the form. By the time it sinks in that you might have been 'phished', your information has been submitted, and you now get to start tracking your credit history and worry about Identity Theft.

Think about it: shouldn’t your bank already know your name, address, birthday, SSN, and other related personal information such as account and routing numbers? Why, therefore, would it ask for them again in an online form?

Never follow links from an e-mail. If you need to update information for online banking, do one of two things. Either call the bank directly over the phone, or type the bank URL on your own -- not what you find in the e-mail, but the normal URL of the bank. From this point, log in, and if there is a need for information you will more than likely be alerted to this in your account area.

No, there is no Lotto, and you did not win it. No, there is no little old woman in the United Arab Emirates who wants to perform one last gesture of goodwill. The second you send your bank information to collect your award or to allow a transfer of the remaining 80 percent of the little old woman’s estate, your account will be sucked dry by the scammers.

Pay attention to things when shopping or conducting business online:

Another thing worth remembering is this: just because it looks like your bank, does not mean it is. There is a huge difference to be seen in a URL if it starts with HTTP instead of HTTPS. Specifically, without the S, there is no secure connection (the 'S' in HTTPS literally means 'secure'). Most Phishing attacks contain URLs to fake banking sites that do not use HTTPS in their URL. This is a clear sign the e-mail is not authentic and should be avoided.

When online, some Web sites can forge the security icon shown in a browser (the locked padlock icon), so this is not a solid guarantee that the site you're visiting is safe. If it looks shady, don’t trust the online form; call the business directly and talk to a real-world person, but only if you trust the business and its agents.

Extended Validation SSL (EV SSL) is relatively new; it makes the address bar turn green. While EV SSL is great, it is not a complete guarantee of security on its own. All EV SSL does is assure the identity of the Web site.

For example, the EV SSL used on https://www.paypal.com proves that the domain is owned by PayPal; it does not assure you that the PayPal website is free from security risks or other potential dangers.

(PayPal was used as an example here. Presently the site is quite secure, despite being one of the top domains used in Phishing attacks.)
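The two link checks described in this section (does the URL use HTTPS, and does it point at the address you would type yourself) can be run over the links in an e-mail before anyone clicks them. The sketch below is an added example, not code from The Tech Herald; the sample message and its hosts are constructed, and the function names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

KNOWN_GOOD_DOMAIN = "paypal.com"  # the domain you would type yourself

# Constructed sample e-mail body; .example hosts and 198.51.100.7 are reserved test values.
SAMPLE_EMAIL = """
<p>Dear customer, please update your security information:</p>
<a href="http://paypal.com.account-update.example/login">Update now</a>
<a href="https://www.paypal.com/">PayPal home</a>
<a href="https://paypal.com@198.51.100.7/verify">Verify account</a>
<a href="http://www.paypal.com/help">Help</a>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def host_matches(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_links(html_body, domain=KNOWN_GOOD_DOMAIN):
    """Return (url, reasons) for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for url in parser.links:
        parts = urlsplit(url)
        reasons = []
        if parts.scheme.lower() != "https":
            reasons.append("not HTTPS")
        # hostname ignores any "user@" prefix, so paypal.com@198.51.100.7 resolves to the IP
        if not host_matches(parts.hostname or "", domain):
            reasons.append("host is not " + domain)
        if reasons:
            findings.append((url, reasons))
    return findings

if __name__ == "__main__":
    for url, reasons in check_links(SAMPLE_EMAIL):
        print(url, "->", ", ".join(reasons))
```

The third sample link passes the HTTPS check and still fails the host check, which is why both checks are run on every link.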

Personal information protection offline:

While a lot of advice on protecting information deals with online protection, offline protection is just as important. Pre-screened credit offers, or those “You’re Pre-Approved” letters, are junk. Rip them to shreds and make sure no one can use them if you toss them in the bin. While you don’t see it in the news all too often, criminals will pick through your trash, take these offers, and attempt to open credit accounts.

Likewise, old bank statements should be shredded. If you are throwing out anything that has personal information on it, never leave it whole. Tax returns and old paystubs are included here as well.

Ultimately, protecting your personal information requires just one thing, and that's simple common sense. Ask why, and remember it is your information, so you do not have to share it. Also, if it seems too good to be true, then it more than likely is.

If you think you have been a victim of Identity Theft, check out these helpful links:

U.S.: http://www.ftc.gov/bcp/edu/microsites/idtheft/
U.K.: http://www.identity-theft.org.uk/
