Showing posts with label Clearwater County Emergency Management. Show all posts

Wednesday, July 16, 2014

Tips for preventing identity theft - Digital Hygiene: Conclusion


By Don Gardner

This is the sixth and final installment of a series of articles by Don Gardner, Clearwater County Emergency Management Coordinator, about protecting your digital identity. 

Digital hygiene when traveling, especially abroad

Did you know that a U.S. judge ruled that Customs and Border Protection has a right, without a warrant, to search your laptop when you enter the United States, even if you are an American citizen?

Do you access your bank accounts, email accounts or mortgage accounts online? Do you pay your rent, medical bills, parking tickets, credit cards, etc., from your computer or mobile device? Consider that you are essentially carrying your identity with you in an easy-to-steal package that might as well be wrapped with a ribbon.

Here are some tips.

Take “burn” laptops, tablets, and smartphones that are “clean” (free of substantial amounts of information) and are disposable when the trip is concluded.

Remove your battery from your devices even if they’re “off” during important conversations.

Wait an hour after landing at the airport before turning on your smart phone, and turn off your phone an hour before your return.

Lock every device with a password.

Update your stored owner information to just a phone number.

Turning off Bluetooth is an absolute must; also adjust your near field communication (NFC) settings.

Enable data storage encryption.

Don’t open attachments from, or follow links to, unknown sources.

Do not download any software during your trip.

Watch for “shoulder surfers” - they’re watching for your password and reading your monitor.

Use your cellular 3G or 4G network, not the free WiFi in airports, hotels, and coffee shops, if possible.

Assume that a misplaced device is lost or stolen and report this immediately.

Just watch out for your digital self when you travel. 

How to report identity theft

If you suspect, or become a victim of, identity theft, follow these steps:

Report it to your financial institution. Call the phone number on your account statement or on the back of your credit or debit card.

Report the fraud to your local police immediately. Keep a copy of the police report, which will make it easier to prove your case to creditors and retailers.

Contact the credit-reporting bureaus and ask them to flag your account with a fraud alert, which asks merchants not to grant new credit without your approval.

Credit-reporting bureaus: Equifax: 1-800-685-1111 - Experian: 1-888-397-3742 - TransUnion: 1-800-680-7289.

To request your credit report, go to www.annualcreditreport.com or call 1-877-322-8228.

Thursday, July 10, 2014

Tips for preventing identity theft - Digital Hygiene: Part 5

By Don Gardner

This is the fifth in a series of articles by Don Gardner, Clearwater County Emergency Management Coordinator, about protecting your digital identity.

Wireless theft

Your credit card information could be stolen just by walking by someone in a store or mall who has an RFID scanner. RFID tags are found in credit cards that are marked with a radio signal symbol on the back of the card. If you have this radio signal symbol on the back of your credit card, you need to take some precautionary measures.

The RFID tag includes a tiny microchip that works with an antenna, sending out a radio signal with your credit card information. While it makes checkout easier for customers, it also makes it easier to steal the information and commit fraud.

How can you protect yourself against wireless identity theft?

Leave the RFID credit cards at home. Use these cards only for online purchases, and have another credit card without the RFID tag for outside purchases, or simply use cash.

You could wrap the RFID cards in aluminum foil before putting them in your wallet and it would block the signal, but it’s not a great idea. Or you could use a protective sleeve to help block RFID scanners from reading your card.

If a separate protective shield is not desired, consider a special wallet, such as a DataSafe wallet. These wallets are manufactured with materials that have been approved by the Government Services Administration to block RFID transactions.

Monitoring credit card statements on a regular basis for errors or unknown charges can help detect purchases you did not make. Credit card fraud and identity theft can occur even if precautions are taken; however, monitoring statements regularly can help mitigate this risk.

Helpful sites

There are a host of tools, sites, and practices that can improve your chances of avoiding that digital virus or keeping your private information out of danger. Below is a list of links that is by no means all-inclusive. Just remember, practicing good hygiene in your digital life will help ensure your offline activities aren’t interrupted.

Tor - Anonymous browsing on the Internet https://www.torproject.org/

Tails - Bootable operating system with lots of privacy and security tools baked in https://tails.boum.org/

Guardian Project - Mobile security tools https://guardianproject.info/

TrueCrypt - Encryption of your data at rest http://www.truecrypt.org/

Avast - Anti-virus software http://www.avast.com/en-us/index

Tactical Technology - Has lots of resources for good digital hygiene for activists https://www.tacticaltech.org/

Portable Apps - Easy-to-use bootable apps http://portableapps.com/

Google 2-Factor Authentication - Increases email security https://support.google.com/accounts/answer/180744?hl=en

RedPhone - Encrypts mobile calls https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone

TextSecure - Encrypts text messages https://whispersystems.org/

Facebook Privacy Settings - Change your Facebook Settings https://www.facebook.com/help/445588775451827

Increase the length and complexity of your passwords and use something like KeePass for password management http://keepass.info/

Next week I will conclude this series, by providing tips to protect your information while traveling, and by describing how to report identity theft.

Thursday, July 3, 2014

Tips for preventing identity theft - Digital Hygiene: Part 4

By Don Gardner

This is the fourth in a series of articles by Don Gardner, Clearwater County Emergency Management Coordinator, about protecting your digital identity.

This week I will continue discussing the Level 2 (more advanced) steps for protecting your digital identity.

Stay off Skype. No one should use Skype for secure communications. Earlier this year, Ars Technica found that Skype is not using end-to-end encryption and, more than likely, your conversations are being listened to. In fact, Skype’s privacy policy states that they have the right to scan and review your instant messages and SMS. Unfortunately, there is no good, trustable, encrypted voice or video infrastructure to replace Skype, so we recommend you simply don’t use it for sensitive discussions.

If you are going to use Skype, there are a few things you can do to at least protect yourself from Skype-targeted phishing, spam, and viruses. In your privacy settings, make sure that only people in your contact list can contact you either through IM or video.

Use HTTPS by default. When you see HTTPS at the beginning of a Web address, you know that communication between you and that page is encrypted. Even though many sites offer HTTPS, such as Wikipedia and Google, many still don’t default to it. You can use an HTTPS Everywhere type program to help keep you at HTTPS.

Don’t install unknown programs. This really means “don’t visit suspicious sites” (pornography sites, cracked software sites, torrent sites serving music and video); not because you’ll get in trouble, but because they tend to be crawling with pop-ups waiting to trick you into installing something you didn’t mean to.

The Web is littered with software that earns its keep by spying on users, and sometimes it’s even more malicious than that. If you don’t know who makes and distributes a program, it’s hard to know if that software is safe.

Never click on a pop-up that wants you to do something. Even clicking on the X to remove the pop-up can start a download you don’t want. One way to protect yourself is to close the browser and not visit that site again. Make it a habit to download programs directly from websites of trusted vendors or well-known open-source projects.


Password tips

Did you know that a simple PC can crack 100 million passwords a second, and that many passwords can be found through Facebook? Unfortunately, having a strong password that you routinely change is part of the cost of being online.

Avoid using the same password across multiple sites and services. That way, if Yahoo credentials are breached, hackers won’t be able to jump across into your Twitter, or online banking, and other accounts.

Choose a password that is not easy to guess. Words with a dictionary root followed by numerals are very common choices and predictable patterns that cyber criminals can use to crack your password very fast.

Set up password change/reset mechanisms properly, not obviously. Password reset forms on many services ask questions like “Where did you go to school?” or “Name of your first dog?” These questions are easy to answer and can typically be mined from social media sites. Why would hackers guess your password if they can just surf social media to find out where you went to school and how old you are? (You did, after all, announce your birthday last year on Facebook, didn’t you?)

Instead, I suggest lying on the Internet. Come up with a scheme of answers to these questions that you won’t forget. An answer to the inevitable “mother's maiden name” question could be Miss 7#BrE_r (mom will understand), but no one will ever guess your “secret questions.”

Bigger equals better! Short passwords might be guessed in seconds or minutes or hours (it depends on the implementation), whereas very long passwords could take years of work (and the cyber criminals are likely to go after someone else). Therefore, making your password 40-60 characters makes life much harder for the cyber criminals if they do manage to break into a service like Yahoo. This of course assumes the provider isn’t just storing your password in clear text.

Use a password manager. Password managers generate strong unique passwords for each of your services and then store them in an encrypted database which you can unlock with one good master password. It is a reasonable compromise for those that do not have an amazing memory. Only use a program like this from a company you trust, and don’t repeat similar passwords across multiple sites.

Next week I will begin the super advanced, Level 3 tips for protecting your digital identity.

Wednesday, June 25, 2014

Tips for preventing identity theft: Digital Hygiene: Part 3

By Don Gardner

This is the third in a series of articles by Don Gardner, Clearwater County Emergency Management Coordinator, about protecting your digital identity.


This week I will discuss more advanced steps for protecting your digital identity. These are Level 2 steps.
 

Level 2

Your email is basically not secure. Regular email has no more security than a postcard in the mail. Regular email can be easily “sniffed” from any PC in a network, ISP, etc.


There are many ways to safeguard your email. We won’t go into great detail, but I will give you some ideas you can research and then choose which system will work for you:


Create a strong email password. Never use simple or easy to guess passwords.


Do not click on email links or open attachments.


Phishing emails that contain links or attachments can lead to malware that can subvert your computer’s defenses or trick you into giving up your password. You can be targeted by phishing emails personally crafted to appear to be from people or businesses you know, so be very careful. Don’t open attachments or click links unless you’re expecting them. Never give out your password to anyone or download any software you are unfamiliar with and don’t use on a regular basis.


Scan all email attachments before downloading and opening them. This includes unexpected email attachments from people you know. Viruses and spyware easily spread through email attachments by emailing themselves to email addresses listed in contact lists and address books.


When downloading files and pictures, beware of hidden file extensions. Windows, by default, hides the final extension of a file name, so that an innocuous-looking picture file, such as “susie.jpg,” might really be “susie.jpg.exe,” an executable Trojan or other malicious software. To avoid being tricked, unhide those pesky extensions so you can see them.
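To make the hidden-extension trick concrete, here is an added example (not part of the original article) that checks a list of downloaded file names for a runnable file dressed up as a picture or document. The extension lists and the sample names are assumptions made up for illustration.

```python
from pathlib import PureWindowsPath

# Assumed, illustrative lists; extend them for your own environment.
RUNNABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".msi"}
HARMLESS_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
                    ".xls", ".xlsx", ".txt", ".mp3", ".mp4"}


def extensions(filename):
    """Return every dot-separated extension in the file name, lower-cased."""
    name = PureWindowsPath(filename).name          # drop any folder part
    return ["." + part.strip().lower() for part in name.split(".")[1:] if part.strip()]


def shown_as(filename):
    """Name as displayed when Windows hides the final extension."""
    name = PureWindowsPath(filename).name
    return name.rsplit(".", 1)[0] if "." in name else name


def is_disguised(filename):
    """True when a runnable file is dressed up as a picture or document."""
    exts = extensions(filename)
    return len(exts) >= 2 and exts[-1] in RUNNABLE and exts[-2] in HARMLESS_LOOKING


def scan(filenames):
    """Return (real name, displayed name) for every disguised file."""
    return [(f, shown_as(f)) for f in filenames if is_disguised(f)]


# Constructed sample attachment names, not taken from any real incident.
SAMPLE = [
    "susie.jpg",
    "susie.jpg.exe",
    "setup.exe",
    r"C:\Users\me\Downloads\Invoice.PDF.scr",
    "backup.tar.gz",
]

if __name__ == "__main__":
    for real, displayed in scan(SAMPLE):
        print(f"WARNING: '{displayed}' is really '{PureWindowsPath(real).name}'")
```

An ordinary installer such as "setup.exe" is not flagged, because it does not pretend to be anything else; only names whose second-to-last extension looks harmless are reported.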


Connect to the internet over secure internet connections. Avoid public open wireless connections.


If you need to email several people, consider using Blind Carbon Copy (BCC) to send to multiple recipients. You can help prevent the spread of known good email addresses by not giving other parties access to your contacts list.


Separate your email accounts. Keep several active email accounts open that you use for different purposes. This can include one or more personal email accounts that you use to email friends and family, a business email account, and some throwaway accounts that won't cause a problem for you if they get hacked or suspended.


You may want to give your throwaway email address to those within your friends and family circle who like to send email forwards, hoaxes, and always seem to be the ones who need help removing the latest spyware from their computer.


Use encrypted, secure email. Some examples are:


PGP (Pretty Good Privacy). This type of software is used for both decryption and encryption of email messages. It also includes the ability to use digital signatures as a form of password protecting the content in an email.


S/MIME is another form of email encryption software. This form uses a certification key to encrypt the message. A private key is used by the receiving system to decipher the message. It is based on a combination of both MIME and public key cryptography standards (PKCS).


Online web-based email accounts can provide some security. Hushmail is perhaps the best-known. It’s available for free, at least for some basic features, which is pretty nice. https://www.hushmail.com/


Countermail is a paid service which keeps its servers in Sweden. It uses OpenPGP, but also has advanced options like a hardware USB key, so nobody can even start the email process without inserting a USB drive into the computer. https://countermail.com/


NeoMailbox is based in Switzerland, and is a traditional paid service like Countermail. It uses OpenPGP encryption, but also has some nice features, like the option to choose your own domain or use an unlimited amount of disposable email addresses. It also might be the easiest to use; it plugs into lots of existing mail services like Thunderbird, Outlook, and even has an Android app. http://www.neomailbox.com/


Enable two-step authentication. More and more online services are beginning to offer two-step authentication which adds an extra layer of security to the log-in process. This includes apps such as Twitter, Facebook, and DropBox. Today, however, I will discuss Google, since many of us are forced to use its services on a daily basis.


By adding the two-step verification process to your Google account, every time you log in, a verification code is sent to your phone, which you must input in addition to your username and password. This means that even if your password is stolen or cracked, an attacker cannot log into your account without your verification code. If you have a regular Gmail address, you can enable this feature yourself.


Encrypt your hard drive. If you lose your laptop, whoever ends up with your computer can access all your files even without knowing your log-in password. If your computer leaves your control (at a border crossing, for example), having your hard drive encrypted, and turning your computer off will keep the data inaccessible until you turn it on and enter the password.


FileVault on Macintosh and TrueCrypt on Windows are the usual recommended ways to encrypt stored data.


Update your browser. Considering the amount of time you spend surfing the web, this might be one of the most important things you do to improve your digital hygiene. Online criminals take advantage of security holes in browsers to infect your computer with a plethora of malicious code.


As browser developers discover these threats, they provide fixes via updates. Browsing the Web without an updated browser is like fishing with sharks without the proper gear — it’s extremely dangerous and leaves you open to a variety of attacks.


Be wary of free WiFi, because it also means that someone controls that network and can access your computer and smart phone. There are also programs that will allow anyone to see what you are doing on that WiFi system and can even look into your files. Use your cellular 3G or 4G network hotspot, not the free WiFi in airports, hotels, and coffee shops, if possible.


Mobile phones also serve as a type of individual locator, thanks to phone tracking - a method which determines your location by triangulating your position from mobile phone towers and wireless hotspots. To make matters worse, apps and games installed on your phone can reveal your location publicly or record your movement; at times without even asking if you want this information shared. The best solution is to disable your location settings on your mobile phone.


Next week I will describe more Level 2 tips on protecting your digital identity.