
ID theft: how much info are you revealing online?

For years we’ve been told to shred paperwork revealing personal details – such as our address or date of birth – before throwing it away, lest an ID thief find it. But are we revealing too much about ourselves online?

With ever more of our lives moving online, ID fraudsters may be able to get this info without ever getting their hands dirty.

In fact, in a recent investigation we found that some people are leaving so much information online that it would be possible for us to successfully apply for credit cards.

With permission, we were able to use the information we found, plus a few educated guesses, to successfully apply for credit cards in the name of three of our volunteers.

Details left online

We asked security experts to look at how much they could find out about 42 different volunteers using publicly available sources of information online, such as social media or the electoral register.

Many of them were revealing far more than they realised – even information such as their home address, telephone numbers and date of birth in some cases. Together with other details like job title and employer – easily findable on websites like LinkedIn – this left them vulnerable to ID thieves.

Even if you think you’ve taken precautions, like not publicly listing your date of birth on Facebook, you may still be exposed: several of our volunteers had posts thanking friends and family for their kind birthday wishes, which allowed the security experts to pinpoint the date. In combination with other information, such as the dates you attended school or university on LinkedIn, this could be enough to confirm your full date of birth.

Targeted phishing or vishing scams

For some of our volunteers it was also possible for us to get a strong sense of their hobbies and interests. This information would clearly not be enough to commit fraud on its own, but with security experts telling us that ID thieves are upping their game, this kind of information could put you at risk of a targeted phishing email or vishing (voice phishing) phone call.

Fraudsters are becoming masters at jigsaw identification – so-called ‘social engineering’ – taking a small piece of information, combining it with others from elsewhere, and using this to trick you into revealing even more.

So how about you, do you think you’re taking enough precautions to protect your identity online?

Useful links:

How to avoid becoming a victim of a phishing email
Identity theft test yourself

Comments
Member

There is a trade-off involved if you become a more public figure. For instance I think my profile is, or rather was, quite low despite having perhaps 20,000+ posts over a variety of forums in the last 15 years.

However when I wrote to the 7000+ shareholders in the Consumers Association, the charity that 100% owns Which? I had to reveal all the relevant details like address and contact details because it was the right thing to do in the circumstances. The Consumer Association has serious governance issues.

Any subscriber can and should join. Simply promising to pay up to 50p for your share if the charity were to fold entitles you to receive the Accounts and the Minutes of the AGM, and of course to reach other shareholders!

Member

It amazes me how much information people put about themselves on social media for the world to see. They are just asking for trouble. I do not belong to any social media website.

The only thing I fell down on in the Identity Theft Test was passwords.

You just need so darn many of them, it is impossible to keep changing them and having different ones for every site you visit. So I have a few I keep for different types of site and the financial ones get changed occasionally. But then different sites want different formats and lengths so I often manage to forget or lose them.

It doesn’t help when sites insist you log in before you can see anything on their website. I no longer use Trip Advisor as they won’t let you see reviews unless you log in? I can only assume they are collecting data about you.

We have always shredded anything with personal details or financial transactions on them.

But while it is legal to buy and sell personal data, we are all at risk when we have no control over where our personal details end up.

Member
MyIDisDI says:
17 January 2016

Credulity is wider than the Web.
Thanks for this article, reminding if not informing about privacy and one of its leading implications, that of ID theft, is essential and should be part of all sites’ systematic and repeated commitment to users’ education.
No, it is not possible (will it ever be?) to wander over the Web as it is to ballad in a field of grass and flowers thrilled by the beauty of human nature. The Net is a battlefield. Period.

Member

Directors are forced to reveal dates of birth when becoming a director and the date used to be shared publicly, although now it’s just the month and year. However, as soon as a director announces it’s their birthday you can combine the information to get their date of birth. You can also combine it with legacy versions of the voters roll. How is just revealing the month and year secure? Who protects the 2 million directors from ID theft? Why can’t the register of companies only be available to those with a legitimate interest such as credit reference agencies and banks – this works for private individuals. Now LinkedIn is doing the same. I of course don’t put my date of birth on my CV or online, but with Companies House we have no choice. When is the government going to give us consistent advice – if we shouldn’t be putting our dates of birth online then this should apply to government departments too.

Oh, and for organisations that seem to think it’s justifiable because they need to know your age to buy an age-related product (such as an 18-rated DVD on Amazon), a tickbox “I am over 18” is sufficient for this. Anything more is excessive data gathering and may be in breach of the 3rd principle of the Data Protection Act. An organisation only needs to know I am old enough, not whether I was born in January or December or what day of the month.

Member

Spot on.

Member

I knew all this years ago so I intentionally put my real name down in all websites I post on, as I am controversial and of course argumentative. I received large numbers of emails etc. all wanting more info. But the fact is I don’t keep any personal details on my PC and I don’t do Internet banking, don’t “inhabit” any social network sites, as I knew years ago that’s how our “authorities” collected data as well as the sites making revenue from selling your info (and still do). Having said that, I am very open in my personal life, as I don’t care what people think, in that respect, as I try to help others and be a “voice” for them. This gets you attacked and I have been, many times, over the years. I don’t care about that either if I can achieve my goal of making this world a better place. No more wars – killings for politics, tortures, detentions illegally done and a lot more. As I never click on any emails that look dodgy, check the URL etc., I don’t download viruses to take my data. MS does that too well (and others). The emails dropped down (took a few years) but I only occasionally get a phishing email now, like I got one today from an amateur asking me to check my bank through him as BT is cutting off my line. Well, at least he must watch Which so is probably British.

Member

I would be interested to know what percentage of people have been victim of some crime related to identity theft. I have not been and I don’t know many who admit to have been a victim.

I always assume that unsolicited emails and phone calls could be risky and if I choose to act then I will contact the company or other organisation.

I should be more careful with passwords but am concerned that sites that purport to organise passwords could be hacked.

Member

Right on the money, wavechange, they have been hacked. One of my browsers – Yandex – even advises you to change it regularly and it’s got virus protection, and don’t think the new buzz word app cloud is 100% safe, just ask all the businesses that don’t trust it.

Member

I’m amazed at just how gullible some people seem to be on social media. The number of times friends have liked and shared things like “This is the 1st time in Facebook history we’re giving away 2 [insert name of an expensive car]” or the “type 6 and see what happens to this pic” rubbish. FYI they’re like-farming scams: fraudsters will be selling these “popular” pages to other fraudsters for money and as you’ve commented on it they’ll have access to your details. And only this morning I reported a sponsored ad to Rayban. The ad is obviously (to me) selling fakes, and within 2 hours Rayban have responded; Action Fraud or Trading Standards would take weeks to respond, if at all.

And don’t forget Facebook is after all a scammer’s paradise.

Member

The British public is to a large extent not aware how open the various products are to hacking and other actions which essentially make this world a mess. A judgement for $67m has just been awarded to Visa Banks because of the millions of customer details stolen from Target [!] in the US. The banks are claiming for all the extra checks and re-issued cards.

The Marriott and its subsidiary chains is also on the hook for a major hack attack.

The media is actually quite coy – other than The Register – have a look at this week’s list of cracks, hacks and problems … pay particular attention to this: “One Ring to pwn them all: IoT doorbell can reveal your Wi-Fi key”, as IoT is getting loads of column inches and it appears people selling the kit such as RING really are not capable of protecting customers.

Or : $30 webcam spun into persistent network backdoor
Or: UK NHS-backed health apps ‘riddled with security flaws’
Not in this week’s but last was Trend installing a major hole in its product to users’ computers
theregister.co.uk/2016/01/11/trend_micro_antivirus/

Debug code cracked case in hunt for mystery Silverlight zero day
Kaspersky reveals story behind nasty Patch Tuesday fix
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jt8

Cisco admins gear up for a late night – hardcoded password in wireless
points nuked
Wi-Fi gear, WLAN controllers, ISE get security patches
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jsU

Anonymous floods Thai gov websites to protest backpacker murder case
Murky allegations against local cops re-aired
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jsK

Israeli security firms Check Point, CyberArk in talks – report
Possible ‘Cyber Googleplex’ in the making, says paper
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jsF

Distil gets into a Scrape to boost bot defences
Buyout hopes to boost big firms’ infosec presence
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jsD

As easy as ‘Citrix123’ – hacker claims he popped Citrix’s CMS
And once he was in, it became possible to pour malware onto all
customers, allegedly
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jsf

UK NHS-backed health apps ‘riddled with security flaws’
Official approval seems to mean very little these days
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jse

Brazilian whacks: as economy tanks, cyber-crooks samba
Public boasting and n00b-friendly training colour underground forums
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jsb

$30 webcam spun into persistent network backdoor
Bring on the Internet of dangerously hacked things
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2js8

BlackBerry baffled by Dutch cops’ phone encryption cracked brag
Has Holland made a hash of it?
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2js4

Windows 10 shattered Remote Desktop’s security defaults – so get
patching
All users of Windows, Office, and Adobe software, should update ASAP
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrZ

Fortinet tries to explain weird SSH ‘backdoor’ discovered in firewalls
Update your firmware or suffer the consequences
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrY

Sigh … c’est la vie: France mulls mandatory encryption backdoors
Europe at odds over secure comms
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrU

Cybercops cuff two in hunt for DDoS extortion masterminds
Zombie master suspects tracked to Bosnia
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrG

One Ring to pwn them all: IoT doorbell can reveal your Wi-Fi key
All you need is a screwdriver and a smartphone
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrx

Biz jabber tool Slack realises it needs a Chief Security Officer
New hire comes from CIA-funded document management firm
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrw

Asian cyber-spies fling Seven Pointed Dagger against Myanmar, NGOs
Ninja malware in multi-pronged attack
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrk

Open Web Application Security Project issues new secure coding bible
Independent security advice can keep you out of The Register’s security
section
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrh

Turkish carder scores record 332-year jail term
135-years for yanking 11 bank cards, on top of previous 199-year
stretch
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jrd

Drupal uncrosses fingers, promises secured patching
Don’t worry too much about CSRF, security wonks chirp
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jra

FRITZ!Box home broadband routers’ security FRITZed
SOHOpeless vuln gives attackers free VoIP calls
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jr9

Cisco forgot its own passwords for seven weeks
No, you’re not the worst sysadmin in the world if you can’t log on to a
new UCS box
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jr7

Trend Micro AV gave any website command-line access to Windows PCs
Computers could be easily hijacked or trashed via security holes
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jr1

Beware the terrorist drones! For they are coming! Pass new laws!
Research bods tear out hair, argue for new rules and lasers
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jr0

200 experts line up to tell governments to get stuffed over encryption
No laws, policies or secret agreements with companies, urge
crypto-eggheads
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jqY

Data centre outfit Interxion admits to contact detail security breach
Chill, the ‘vulnerability’ has been fixed, people informed
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jqN

Exploit kits throw Flash bash party, invite Crypt0l0cker, spam bots
Evilware rivals race to exploit the flaws stoopid folks don’t fix
go.reg.cx/ml/9fac8/56c5097f/adf7025d/2jqq

Member

I have recently amended my birthday date on Facebook. The date is close to the real one – but not accurate. When I tried to delete my birthday, it would not allow it and reverted to 1 January 1904. I’m in pretty good shape for 112!

Member

I have no online services that have my correct date of birth and if possible even my correct name. I even receive parcels addressed to DeeKay but that’s not my name despite being card payment.
I for some reason saw this coming years ago. People put a hell of a faith in systems that are proving to be a bigger con than anything near honest.
I have tormented my wife to play a “little more secretly” but Oh No, FB and so on protect us all. What a load of baloney, just like free apps where you have to put in all your details to get them. That’s the payment. Your details. The amount of cold calls says it all. Dee Zero Wifey several per night

Member

I appreciate that the growth in social media and the internet has put at risk the sharing of information and being ‘sociable’. Are we expected to not be interesting, not get involved in activities that may get published or at all have any kind of shared life? Surely more should be done by the companies who want our custom to protect our information and more should be done by the legal professionals to stop scammers etc. when they get found out. There is too much money made by business using us as customers without protecting us. There is not enough done to stop the telephone and mail scammers from outside the UK. Let’s put proper punishments and penalties in place to discourage people. No more slaps on the wrist!!

Member

I have noticed recently that I suddenly have a lot of new “best friends” round cash points and checkouts (are there cloned copies of my cards out there?). Stores and financial institutions need to do a lot more to make cash points and checkouts secure. It is not always possible to fully cover a key pad when entering your pin (you need to see it yourself and you cannot monitor everyone else in the vicinity); and, you do need to take your card out of its protective case to use it to pay contactless.

Member

My laptop was upgraded to Windows 10 by a local PC trader. The day that it was returned, Amazon closed my account because somebody tried to get a refund from my account. Four weeks later, my wife’s laptop was repaired by the same man; the day it was returned, M&S cancelled my credit card because someone tried to use it illegally. It might all have been a coincidence. Should I do something, and what? Help, please.

Member

Roger – you’re darn tooting you should do something about it, that’s fraud as well as theft! First stop the police, then the local Trading Standards / County Council to register a complaint. Don’t delay this; the longer you leave it the more people who will get ripped off and your case will drop in priority. Even if it’s someone in their employ or they make use of your computer in a manner likely to cause a financial loss to you they are still liable. If you can afford it get legal advice – don’t hesitate!!

Member

For some reason Nationwide credit card statements come through the post showing the full credit card number.
Due to a change of address one of my statements went astray.
Subsequently several items, that I knew nothing about, had been included on a later statement.
To the credit of Nationwide, when I reported this, they had the items credited.
But why do they need to show the full card number?
John

Member
Sir Martin Evans says:
29 March 2016

For some time I have been slightly amused by all the exhortations to keep my ID details confidential. My name and date of birth are published annually in the newspapers. My address is readily available. Everywhere when I shop I am asked for my date of birth as proof of identity (even when buying dog biscuits!). My wife recently in annoyance gave a false date of birth – this was rejected as being incompatible with the information already known about her. These requests are as far as I know all from perfectly reputable shops and suppliers but the data is very well known and we cannot remove it from the public domain. My career has been public but I’m certainly not alone in this. Is it possible to assume a completely novel identity – a banking alter ego – for the purposes of security? You might like to investigate.

Member

You’re right Sir Martin – that’s why I gave my correct name from the start of using the Web. A lot of people are under the illusion that they can hide their identity on the Web even using false names to post – impossible – for a large number of technical reasons which I could go into. The government can very easily issue certain people with new identities, as can the US, who have been doing it for at least 60 years. A banking “alter ego” is just another means of security that could be used by a bank, but if the banks know your real name etc. so would any hacker, as the means that you would use it would be by using your computer to transmit it to the bank. When you use your Internet sending device a whole host of information is immediately transmitted over the Web about you, just ask GCHQ and the UK spy agencies what they do to keep secure. There is an Italian company who does commercial spying for world governments, I have seen what they can do, and forget ALL your so called “Internet protection” – useless! No names – no pack drills.

Member

I suspect, Duncan, you are referring to the Italian security [?] firm that got hacked. It had/has contracts with dubious regimes. When I say “security” that means they were aiding governments to spy on people.

As to using your full name I think it very unwise. I have noted that some have been allowed to post using their email address.

Whilst dates of birth are not easily hidden you certainly increase the chances or ease by giving the details online. Unfortunately there are also idiots who are happy to give away other people’s details by announcing granddaughter’s 18th on some site they visit.

Nobody can be assured that they can retain anonymity but they can certainly make it harder for the bad guys by not broadcasting details. Mentioning holidays or family matters online are all aids to the villains if they are contemplating anything.

Still whilst people still use Twit and Facebook to reveal all then that lowers the risk for the rest of us. Just avoid letting them post your plans.

Member

Sorry diesel, I didn’t get my info from the newspapers but a security high tech open info website, unless you call Australia “dubious” and their security service, which I won’t name, and also the FBI and a part of UK security services (there’s more) and various not so dubious countries in South America (I have a long list), then we are in agreement. I have also had access to their website info and have a long list of all the computer – so called – Internet protection services, ALL big names, showing their ability to overcome them in a colored graph – and they did. A lot wasn’t published in the media to stop a massive uproar from the public as well as an undermining in International security Internet sellers of probably your own security programme; mine was rubbish! You don’t want me to name them, I don’t think the companies would be happy. Or the UK security services, they don’t need the publicity – do they? You’re right, they were “aiding” governments to spy on people. If you keep up to speed with this type of thing diesel, do you remember around September 2015 GCHQ encouraged users to SIMPLIFY their passwords, which – quote – said passwords should be short, and LESS confusing (guess who to), which would result in making online accounts + businesses secure – YIKES!!!! Their “Password Guidance: Simplifying Your Approach” (ACTUAL WORD FOR WORD TITLE) reveals that lengthy and COMPLEX passwords are not actually secure on online accounts the way they should be (and they should know, shouldn’t they diesel?) nod-nod-wink-wink. As you say to yourself – oh no! another Lucas conspiracy theory – who wrote this? NOT me but Ciaran Martin, Director General for Government and Industry Security. I am thinking of posting this in the banking Convo, it would certainly help Which’s figures rise substantially. Still don’t believe me?? The report was released by CESQ, Communications-Electronic Security Group, which is the INFORMATIONAL arm of GCHQ.
Diesel, I wasn’t lying when I said I had a wealth of info on the NSA/GCHQ/FBI. I have actually got an invite from years ago to join the FBI Internet USA “protection” unit as a trainee actually combating anti-US propaganda. I failed on the first step – I am not a US citizen – that was before they realized I wasn’t on their side.

Member

Sir Martin Evans… Not the Nobel prizewinner, perchance?

Member

It sounds like him Ian – are we honored!! Now if only he would register? The US info gathering website says Which has high intelligence posters.

Member

A bit worrying: not 10 minutes after posting on GCHQ here I got a return call from Milton Keynes from a highly intelligent sounding gentleman saying I had called him from my local post office – impossible – I don’t have a cell-net phone and I wasn’t out and the post office is a quarter of a mile away. It’s logged at my ISP on their website; I put in an official complaint, as it could only be from the exchange equipment (if it was a fault). Now – if I was paranoid?????

Member

I wouldn’t worry. It’s probably just Jones the Spy…

Member

………..or one of Moriarty’s agents 🙂

Member

…or a “ghost in the machine” from BP (Bletchley Park) days….