Identity theft is one of the biggest security concerns in India and worldwide. Cybercriminals are becoming more and more sophisticated, using advanced machine learning and artificial intelligence to steal your identity.
Identity theft could land you in serious social or financial trouble, e.g. someone could hack your Facebook account and demand money from your friends, or misuse it to such an extent that it ruins your image. They may also collate information to hack your other accounts, including high-value ones.
According to Unisys’ Global Security Index 2020, nearly four in 10 Indian adults have experienced some sort of identity theft in their lifetime. The good news is that awareness in India is high: India actually rates second-highest on the index, with an average score of 223. Indian consumers are now more concerned about security under Covid-19 conditions, as everybody is working from home.
Let’s look at how identity theft can affect you and what are the ways to protect your identity. Though nothing can provide 100% security, the advice here can certainly enhance it.
How does identity theft happen?
- Dumped/stolen documents: bank statements, credit card offers, and other papers stolen or retrieved from the garbage let criminals apply for accounts in your name.
- Phishing: An attacker disguised as a trusted entity dupes a victim into opening an email, instant message or text message, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the theft of sensitive information. This can result in unauthorized purchases, stolen funds, or identity theft.
- Phone scams: Callers pretend to be an authorized entity, e.g. your bank, to convince individuals to give up their personal and financial information.
- Data dumps: Sophisticated hackers can access customer data of retail stores, medical facilities, banks, and other organizations.
- Dictionary attack: If you use common dictionary words as your password, it’s highly vulnerable, as hackers can run a program that tries every dictionary word as a possible password. See most commonly used passwords.
- Brute force attack: The attacker uses software to try as many combinations as possible, at rates of around 350 billion guesses per second. Anything under 9-12 characters is vulnerable to being cracked.
- Website Breaches: The website storing your login information can be hacked. Some hackers try to log into other websites using these credentials.
- Credential recycling: If you’ve recycled your credentials (i.e., used the same username and password elsewhere), you’re at great risk when one of those accounts gets hacked.
- Social media: If you share too much sensitive information, you’re at greater risk as hackers can misuse that to get further information about you from elsewhere.
- Ad campaigns: Scammers collect personal information by luring people with offers. Usually the information is sold on and then misused.
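To make the dictionary and brute-force points above concrete, here is an added example (not code from the original post) that turns the post’s figure of 350 billion guesses per second into worst-case crack times for each character class and password length, and works out the minimum length needed for a 100-year margin. The character classes and the 100-year budget are assumptions chosen for the illustration.

```python
import string

# Guess rate quoted in the post for an offline brute-force attack: ~350 billion/second.
GUESSES_PER_SECOND = 350_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Alphabet sizes for the common character classes (constructed for this example).
CHARSETS = {
    "digits only": len(string.digits),                                                   # 10
    "lowercase letters": len(string.ascii_lowercase),                                    # 26
    "letters + digits": len(string.ascii_letters + string.digits),                       # 62
    "letters + digits + symbols": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}


def worst_case_seconds(length: int, alphabet_size: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every string of `length` symbols from an alphabet of `alphabet_size`.
    A random password falls after about half of this on average; a dictionary word falls almost
    immediately because the attacker tries the word list first."""
    return alphabet_size ** length / rate


def min_length_for(alphabet_size: int, years: int = 100, rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest password length whose full keyspace takes at least `years` years at `rate`."""
    budget = rate * years * SECONDS_PER_YEAR   # total guesses the attacker can make
    length = 1
    while alphabet_size ** length < budget:
        length += 1
    return length


def crack_time_table(lengths=(6, 8, 10, 12, 16)):
    """Worst-case crack time in years for each character class and password length."""
    return {
        (name, n): worst_case_seconds(n, size) / SECONDS_PER_YEAR
        for name, size in CHARSETS.items()
        for n in lengths
    }


if __name__ == "__main__":
    for (name, n), years in crack_time_table().items():
        print(f"{name:28s} {n:2d} chars: {years:12.3g} years")
    for name, size in CHARSETS.items():
        print(f"{name}: need at least {min_length_for(size)} characters for a 100-year margin")
```

For mixed character sets the 100-year threshold comes out at 11-12 characters, which is where the post’s 9-12 character guidance comes from; lowercase-only passwords need 15.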
How to protect yourself from identity theft?
These 4 tips for being more secure in your online life will help keep you safer.
1. Enable Two-Factor authentication (2FA)
Two-factor authentication verifies your identity by another factor, which is typically one of these three things:
- Something you know: e.g. an ATM PIN, or security questions set up during registration.
- Something you have: e.g. a mobile (which receives an authentication code via SMS/authenticator app), or an ATM card (which you can verify using the CVV code on the back).
- Something you are: e.g. a fingerprint or iris scan.
Everyday examples of two factors working together:
- When you withdraw money using your ATM card (1st factor) and PIN (2nd factor).
- When you unlock your mobile (1st factor) using your PIN/fingerprint/face-unlock (2nd factor).
- When you perform an online transaction using your credentials (1st factor) and an OTP (2nd factor) received on your mobile or by email.
- Logging in to your social media account using your credentials (1st factor) and one-time-use codes (2nd factor) or an OTP (2nd factor) from a separate authenticator app, e.g. Google Authenticator or Authy.
Advantage: Extra layer of security
Disadvantage: Inconvenience on the first login from a new device – for subsequent logins you may choose ‘remember me on this device’.
Curious to know which websites provide 2FA? Check out 2FA Providers
Caution: SMS-based OTPs are unsafe, so opt for the alternatives (one-time-use codes or an app-based authenticator). For details visit SMS based OTP are unsafe
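To show what an app-based OTP actually is, here is an added example (not code from the original post) implementing the time-based one-time password that Google Authenticator and Authy generate, per RFC 4226/6238, plus the server-side check with a small tolerance for clock drift. The secret used is the RFC test-vector secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret as encoded in an authenticator's QR code / base32 setup key. This one is the
# RFC 6238 test-vector secret (ASCII "12345678901234567890"), not a real account secret.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, as used by Google Authenticator and Authy


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = Unix time // 30.
    Phone and server derive the same code from the shared secret and the clock, so no code
    is ever sent over SMS, which is why app-based codes avoid the SMS weaknesses noted above."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // TIME_STEP, digits)


def verify_totp(secret_b32: str, candidate: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` steps of
    clock drift, comparing in constant time so timing does not leak the expected code."""
    counter = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + drift), candidate)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET))
```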
2. Don’t reuse passwords
If you reuse your passwords across every single online account, you’re at greater risk, as hackers can easily hack all your accounts if they manage to hack one. Separate passwords are difficult to memorise, so consider the following options:
Use a password manager – dedicated software that stores all your passwords and fills them in automatically when you next visit a site. Most browsers have their own, but those aren’t as mature or secure as dedicated ones. Password managers are cloud-based or offline (more secure but less convenient) and let you generate random passwords of up to 40 characters, which are very difficult to crack.
As it’s advisable to change your passwords frequently, password managers are handy: you can easily generate and store a new password whenever you need one. All you have to remember is a master password, which the password manager does not store, while your store (vault) is kept encrypted. So, make sure you choose a strong master password that you can remember, and also set up backup security questions if available.
You may compare and choose the one that best suits your needs. Start with less valued accounts and consider storing high-value ones after getting comfortable with the password manager. Some antivirus software suites also offer password managers (vaults). Those may not be as good as dedicated password managers, but they are a bit more economical and may suffice. They also allow users to store other sensitive information, such as ATM card numbers, in a secure way.
Password managers come in two types, offline and cloud-based; offline ones are more secure but a bit less convenient. Before you start using a password manager, look at these suggestions.
Use a passphrase/sentence – If you don’t want to use a password manager, create a passphrase (it should be random and known only to you) for critical accounts and add modifiers to distinguish between them, e.g. if your passphrase is ‘2 be or not 2 be, that is the ?’, you could use ‘2 be or not @sbi 2 be, that is the?’ as the passphrase for your SBI account. If there’s a limit on the number of characters, take the first or last (or first two or last two) characters of every word in your passphrase to generate a password, e.g. ‘Axis#2bon2b,tit?’.
Choose a second passphrase for all non-critical accounts. The idea is to use unique random passwords that are easy to memorize. However, if that’s getting difficult, consider using a password manager so that you only have to remember one password/passphrase. Here are a few passphrase tips.
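The passphrase-plus-modifier scheme above, as an added example (not code from the original post) that reproduces both of the post’s derived values: the long form with ‘@sbi’ inserted, and the abbreviated ‘Axis#2bon2b,tit?’ form. The rule for attached punctuation, the first-two/last-two variants and the strength check are assumptions made here to generalise the post’s single example.

```python
import string

# The post's example passphrase (the '?' is kept as its own word so every token splits cleanly).
BASE_PASSPHRASE = "2 be or not 2 be, that is the ?"


def insert_modifier(passphrase: str, modifier: str, position: int) -> str:
    """Long form: drop a site-specific modifier into the passphrase at word index `position`,
    e.g. '@sbi' after the fourth word, so each critical account gets a distinct phrase."""
    words = passphrase.split()
    if not 0 <= position <= len(words):
        raise ValueError("position must lie within the passphrase")
    return " ".join(words[:position] + [modifier] + words[position:])


def abbreviate(passphrase: str, take: int = 1, from_end: bool = False) -> str:
    """Short form for sites with length limits: keep `take` characters of each word
    (from the start, or from the end if `from_end`) plus any punctuation attached to it."""
    out = []
    for token in passphrase.split():
        core = token.rstrip(string.punctuation)      # 'be,' -> 'be'
        trailing = token[len(core):]                 # ',' (or '' if none)
        if not core:                                 # token is pure punctuation, e.g. '?'
            out.append(token)
            continue
        piece = core[-take:] if from_end else core[:take]
        out.append(piece + trailing)
    return "".join(out)


def derive_password(passphrase: str, site_tag: str, take: int = 1) -> str:
    """Abbreviated password prefixed with a site tag, giving the post's 'Axis#2bon2b,tit?'."""
    return f"{site_tag}#{abbreviate(passphrase, take)}"


def looks_strong(password: str, min_length: int = 12) -> bool:
    """Sanity check on the result: long enough and mixing at least three character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    return len(password) >= min_length and sum(classes) >= 3


if __name__ == "__main__":
    print(insert_modifier(BASE_PASSPHRASE, "@sbi", 4))
    print(derive_password(BASE_PASSPHRASE, "Axis"))
```

Note that the abbreviated form on its own (‘2bon2b,tit?’) fails the length check; it is the site tag that brings it to 16 characters.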
3. Use email aliases/disposable emails
This helps you stay safe from phishing attacks. If you use email aliases or different email addresses to register for every online account, it becomes easier to spot phishing emails.
E.g. if you used email@example.com to register on Facebook and you start receiving email from SBI at this address/alias, it’s a phishing attack. This can happen when Facebook either sells your email address or is involved in a data breach. Check whether your email address has ever been involved in one. Consider the options below to stay safe from phishing attacks:
Use aliases – Every email provider provides a certain number of aliases for your main account, e.g. if your email account is firstname.lastname@example.org, you can use aliases like email@example.com or firstname.lastname@example.org to register for an online account, and the emails will be delivered to your main account. However, aliases provided by email providers aren’t as effective as a dedicated aliasing provider like Anonaddy.
These providers have features like email forwarding and UUID aliases, which make your email IDs hard to guess. If you are looking for a fresh start and would like to create a new email address and keep it free from spam, you can use a service such as Tutanota, Protonmail or Posteo.
These are end-to-end encrypted email providers, which ensure that no one (not even the provider) can read your emails. Without end-to-end encryption you’re at greater risk: not just while mail is in transit over the wire, but while it sits in your inbox, where the provider can snoop on it.
Use disposable emails – You can use temporary/disposable emails when testing or trialling accounts that you’ll never come back to. Providers like Guerrillamail provide temporary emails to help you protect your privacy in such cases, if not blocked by the service you want to sign up for.
Aliases/disposable emails help you:
- Avoid spam in your inbox
- Identify who has sold your data or is involved in a data breach
- Protect your identity
- Quickly update where emails are forwarded in case of a data breach
- Protect yourself from phishing attacks
To see how many data breaches your email address has already appeared in, visit haveibeenpwned
4. Stay informed and be careful who you trust
One of the easiest but most effective ways of keeping your accounts secure is simply to keep up with the tech news. If you know about the latest threats and breaches, and how to deal with them, you won’t fall prey to them. Also avoid sharing sensitive information with websites that don’t support HTTPS and password hashing. If a website supports HTTPS you see a lock icon in the address bar, as shown in this image
Additional tips to keep your PC safer
- Install anti-virus software if you use Windows – many bundle a password manager, though not as good as dedicated ones.
- Keep your software updated – Many vulnerabilities come through outdated software.
- Turn off your PC when not in use – don’t give hackers a 24/7 window to gain access and install malware.
- Regularly clear your browser cache – Saved cookies, saved searches, and web history could point to sensitive personal data.
- Turn off the ‘Save Password’ feature in browsers – it’s best to leave password protection to the experts who make password managers.
- Be wary of phishing attacks and don’t click any unverified link.
- Use your browser’s incognito mode or a safe browser for financial transactions. Many anti-virus suites come with safe browsers as well.
Useful browser extensions for safe browsing
- HTTPS Everywhere: This extension tries to open the most secure version of web pages.
- uBlock Origin: Ads can lead to shady websites hosting malware; they are also annoying and slow down web pages.
- Bitdefender TrafficLight: This add-on/extension warns you about dangerous websites, so you do not visit them.
- Password manager: Most cloud-based password managers have browser extensions; if you use a password manager, I highly suggest using its extension as well.
Additional tips to keep your Mobile safer
- Install anti-virus software if the OS isn’t that secure.
- Keep your software updated
- Don’t grant unnecessary permissions to any app during installation, e.g. if Grofers asks for photo permissions, which its operation does not require.
- Never install software by clicking a link in an SMS or instant message – always install from the app store.
- Consciously check and configure app privacy settings.
- Enable remote location and device-wiping.
- Lock your smartphone and tablet devices – use a strong passcode rather than a less secure 4-digit PIN where possible. Iris/face/biometric unlock is there for convenience and is more secure, but it can be bypassed.
- Hide/Lock apps especially sensitive ones.
- Disable Bluetooth when you’re not using it – it leaves data vulnerable to interception and can be used to spread malicious files and viruses.
- Be overly cautious when sharing personal information
- Watch out for impersonators – Don’t give out personal information over the phone or by email.
- Regularly Clear Your Browser Cache
- Turn Off ‘Save Password’ Feature in Browsers
Useful tips for online accounts
- Consider using virtual credit/debit cards for online transactions – Almost all major banks provide virtual cards that get a unique 16-digit number on every request. The validity is a single transaction or up to 48 hours, whichever comes first.
- Limit social media sharing and never reveal your real identity, e.g. if you create an email ID with your real name and date of birth, you’re already giving away two pieces of information that hackers can use to search for the rest.
- Use 2FA – Google, Facebook, Twitter, LinkedIn, Amazon, Github and most banks support 2FA.
- Keep changing your password on a regular basis, even if it isn’t enforced.
- Always set up recovery email/phone numbers/security questions/codes to help you recover your account if it’s hacked.
- If your account is hacked, change the password immediately.
- Always turn on notifications, if available, for suspicious activity in your account, e.g. Netflix sends you a notification for every new login. Also keep checking your online activity – many websites provide an activity log in your profile settings, from which you can even log out of all devices except the current one.
- Avoid public Wi-Fi, or use a VPN, as a rogue actor might be snooping and could steal your sensitive data.
- Close unused accounts and log out of active accounts as soon as your work is done.
- Remove unused social media login connections – if you chose to log in through Google, Facebook or Twitter in the past, keep checking for connected apps in the ‘Apps’ section of the corresponding provider and remove the unused ones.
- Specify trusted contacts for Facebook – if your account is hacked anyway, you can still recover it using the one-off codes sent to your trusted contacts.
- Use a secret email – don’t create email addresses containing any sort of personal identity. Hackers find it easy to gather additional information about you from the details in your email address.
Identity theft may not seem a big enough issue to bother about up front, but it can ruin your life if you’re not aware of its consequences and the ways to prevent it. So, be proactive in preventing it and spread awareness so that others are protected as well. Let me know if this helped you secure your identity and how we can secure it further. You may leave your comments here or mail me.