People are putting more sensitive personal information online, and with the growing use of mobile devices, there’s more risk than ever.
“We leave data footprints everywhere we go,” says Bruce Schneier, chief security technology officer of BT.
That data can be used against you – to steal your money or even your identity. While many people are aware of the high-tech threats, they may not be aware of how—and how much—they’re exposed.
Phishing For Victims
Security experts say phishing, in which fraudsters impersonate a legitimate organization or individual to lure you into divulging sensitive information, is the most common method for getting access to your personal data. A common phishing scam involves receiving e-mail that appears to be from your bank and asks you to provide information such as your ATM PIN or Social Security number.
Phishing is often used to lead computer users to Trojan horse viruses. Also known as malware, these applications are unwittingly installed on computers by their users.
The message may entice you to click a Web link that leads to a fake but legitimate-looking site. The site will then ask you to download a special application to view its contents, but that application is actually a Trojan horse, which can sit undetected on your machine for years and collect information from your computer, including every account you maintain on your computer.
Beware of the seemingly innocuous, everyday activities you engage in, because for the identity thief, information is everything.
Sites such as Facebook, MySpace, and LinkedIn are convenient destinations for people looking to connect with friends and business associates, but the information you disclose is also fodder for phishing scams and malware.
“One of the things that surprises people is how many little pieces of information you can leave about yourself all over the Web,” says Alfred Huger, vice president of development at Symantec’s Security Response unit. “In and of themselves, it doesn’t look like you’re losing much by way of privacy, but when you take all that information from all those sites and combine them in one place, it becomes pretty alarming.”
Divulging such information as educational and employment history, places of residence and lists of family, friends, and associates helps fraudsters paint a picture of you, making it easier to impersonate you as part of an identity theft scam.
Fraudsters can use this information to perpetrate phishing scams by sending e-mail messages that appear to come from someone you know.
Similarly, people who participate in multiplayer online gaming sites often exchange personal information to download such things as new characters, extra capabilities, or virtual money. This information can also be used for phishing scams that lead to malware-infected sites.
“If you get an e-mail, even if it’s from your friend, asking you to go to a site, check the URL to see if it’s legitimate,” says Uri Rivner, head of new technologies at RSA, the security division of EMC. “If the Website asks you to download something, don’t. Be suspicious, be vigilant.”
If losing your wallet was once cause for concern, think about how much information you’re carrying around on your cell phone or mobile device.
“Losing your cell phone has a lot of information on it that can be used to execute identity theft, buy goods and services,” says Marty Lindner, a senior technical staff member at CERT.
“Take your address book,” explains Lindner. “It’s great for all sorts of information: phone numbers of doctors, people you do business with. You can call one of those contacts and if they recognize your phone number, that’s the first step to identity theft. I know people who store their credit card numbers, passwords, the PIN to their ATM card. They don’t admit they’re doing it, but evidence has proven they are doing it.”
And the increasing popularity of smart phones, which provide mobile Web and e-mail access, only increases the amount of sensitive information readily available to fraudsters.
Christopher Young, senior vice president at RSA, suggests using a password to protect your mobile phone.
“That’s a quick way of making sure if you lose it, someone else can’t access the information that’s on there too easily,” he says.
Banking On Your Mistakes
Most users who keep their security software up to date feel confident, but, as always, fraudsters have found ways to circumvent such roadblocks. Rivner says a type of malware called Limbo is gaining popularity among hackers.
Here’s how it works. When you visit a legitimate site, such as an online bank, the Limbo malware that has infected your computer—often via a phishing attack—integrates itself into your Web browser through a process called HTML injection, which can alter a Web site’s layout. With an online bank, it can automatically trigger a command that asks you for additional information, which is then collected by the hacker to gain access to your account.
“If your bank all of a sudden is asking you for a lot of sensitive data rather than just your username and password to access the site, that’s a sign you have a Trojan on your machine,” says Rivner. “If they’re asking for your ATM card number, PIN number, Social Security number, that should raise some suspicion.”
If this happens, Rivner suggests calling the bank to make sure divulging that additional information is necessary. “The bank could be tweaking its security from time to time, but it will never ask for this kind of information.”
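The symptom Rivner describes, a login form that has gained fields the bank never put there, can be checked mechanically by comparing the rendered form against a known-good field list. The JavaScript below is an added example, not from the original article; the field names, the baseline list and both HTML samples are constructed for illustration.

```javascript
// Added example; field names, baseline and HTML samples are constructed.
// Fields the genuine login form is assumed to contain (hypothetical baseline).
const EXPECTED_FIELDS = new Set(["username", "password"]);
// Name fragments suggesting data a login page should not need (heuristic).
const SENSITIVE_HINTS = ["pin", "ssn", "social", "card", "cvv"];

// Collect the name (or id) of every user-facing form control in the markup.
function extractFieldNames(html) {
  const names = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[2];
    const type = /(?:^|\s)type\s*=\s*["']?([\w-]+)/i.exec(attrs);
    // Hidden fields and buttons do not prompt the user for anything.
    if (type && ["hidden", "submit", "button"].includes(type[1].toLowerCase())) continue;
    const name = /(?:^|\s)(?:name|id)\s*=\s*["']?([\w.-]+)/i.exec(attrs);
    names.push(name ? name[1].toLowerCase() : "(unnamed)");
  }
  return names;
}

// Compare the form as rendered in the browser with the expected field list.
function auditLoginForm(renderedHtml, expected = EXPECTED_FIELDS) {
  const unexpected = extractFieldNames(renderedHtml).filter((n) => !expected.has(n));
  const sensitive = unexpected.filter((n) => SENSITIVE_HINTS.some((h) => n.includes(h)));
  return { unexpected, sensitive, suspicious: unexpected.length > 0 };
}

// Constructed sample: the form as the bank serves it.
const GENUINE_FORM = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="submit" value="Sign in">
</form>`;

// Constructed sample: the same form after extra fields were injected locally.
const TAMPERED_FORM = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="atm_card_number">
  <input type="password" name="atm_pin">
  <input type="text" name="ssn">
  <input type="submit" value="Sign in">
</form>`;

console.log(auditLoginForm(GENUINE_FORM).suspicious);
console.log(auditLoginForm(TAMPERED_FORM).sensitive);
```

In a browser the rendered markup would come from something like `document.forms[0].outerHTML`; any field outside the baseline is worth a call to the bank before typing anything into it.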
Security experts say you can also protect yourself by following a few basic rules.
Lindner suggests setting up separate accounts on your computer (both Windows and Mac OS allow you to do this). While most people use the default administrator account, Lindner says doing so increases your risk of data theft because most malware requires administrator privileges in order to install. Hackers can gain access to it more easily, so keep sensitive information on a secondary “user” account.
Be vigilant about monitoring your accounts, check your credit reports regularly and keep your security software and operating system up to date.
“The more hygienic your computer, the chances of getting infected are reduced dramatically,” Rivner says.