Identity theft is a growing concern. As recently as 10 years ago, obtaining the information you needed to take out loans or obtain ID in someone else’s name was complicated. It required specific targeting and, more often than not, physical access to the person, their home, or their rubbish to get the key pieces of information necessary to build up a profile you could use.
All of that has changed, though, with the advent of email, social media, and the more sophisticated techniques of hackers using spam and phishing scams to acquire information. Equally, attacks don’t need to be targeted – a scattergun phishing approach can be employed, and fraudsters can then focus on getting more information from those that fall prey to the initial scam.
Our own security practices make it even easier. Information like your mother’s maiden name and date of birth is often easily found via a Facebook or Twitter search. Weak and common passwords are frequently an issue, and because credentials are reused, compromising one account can often yield the same credentials for several others. Sophos recently reported that 41% of organisations see a phishing attack on a daily basis. Identity theft data is sold in three categories: login credentials, personal information, and financial information.
Even your own security isn’t always the answer. Much larger sites like LinkedIn, Dropbox and Adobe have all been hacked, allowing varying degrees of access to your details. Sites like haveibeenpwned.com have sprung up to start documenting compromised details found available on the dark web.
As this information is collated, it is sold to larger organisations or more sophisticated hackers on the “dark web”. The dark web is a term for content that exists online, but requires special access or tools to reach. It’s hidden from everyday users, and not indexed by search engines. Due to the complexity and layers of security, a high degree of anonymity is provided and it is a natural haven for traders of illegal material and information such as stolen identities used for identity theft. One such site, the Silk Road, made mainstream news when it was eventually shut down by the FBI in 2013 and its founder arrested.
Virtual Private Network comparison site Top10VPN.com conducted research into fraud-related listings on three of the largest dark web markets (Dream, Point and Wall Street Market) to see what information was being sold and at what sort of prices.
Bank account logins, passport details and even access to your Netflix account are worth money to bidders on dark web markets – but the low price point of this information will spark concerns that valuable personal details are all too readily available to would-be swindlers online.
The research found that while bank details will fetch in the region of £168, and PayPal logins around £280, many important personal details are being sold for far less. An eBay login goes for around £26.00, Netflix for £6.00, and social media / dating site logins range from £1.00-£4.00.
GDPR, ironically, is helping this situation. Many breaches are ‘hacks of opportunity’ based on someone finding paperwork with valuable information on it left lying around an office. A report from Work Mobile has found that 12% of employees in the IT sector have seen extremely important documents lost or misplaced, which has resulted in legal disputes or compliance issues.
GDPR with its stronger punishments for data leaks has encouraged many employers to be much stricter with who has access to data, where it is stored and how securely. The result is, or at least will be, much less printing of sensitive information.
How to avoid Identity Theft
I’ve put together some tips on how to minimise your exposure to identity theft, from both online and real world vulnerabilities. There is also a new wave of Dark Web Monitoring services that various companies are now offering.
- Securely store any important identification documents in a home safe
- Before throwing away any important documents containing PII (Personally Identifiable Information), shred them
This includes utility bills, council tax statements and anything from the Inland Revenue for tax or benefits.
- When posting anything with PII on it – passport forms, tax forms etc. – send it via Special Delivery or Recorded Delivery
- Never give remote or physical access to your computer to anyone you don’t know and trust
- Make sure your mobile devices have strong passwords in case they get lost or stolen
- Never hand over any sensitive information or PII to a cold caller
- Check your credit rating periodically, and make sure you recognise all the activity on it
- Consider Identity Theft assistance – it’s also included with many credit cards and packaged bank accounts now
- Sign up to a Dark Web Monitoring service – really only consider this if you’re extremely paranoid, or can justify the expense.
The services vary but Experian has had positive reviews, and offers a free scan. LifeLock is also supposed to be good.
If you have any advice or questions on anything mentioned here, leave a comment below.