ID theft: how much info are you revealing online?

For years we’ve been told to shred paperwork revealing personal details – such as our address or date of birth – before throwing it away, lest an ID thief finds it. But are we revealing too much about ourselves online?

With ever more of our lives moving online, ID fraudsters may be able to get this info without ever getting their hands dirty.

In fact, in a recent investigation we found that some people are leaving so much information online that it would be possible for us to successfully apply for credit cards.

With permission, we were able to use the information we found, plus a few educated guesses, to successfully apply for credit cards in the name of three of our volunteers.

Details left online

We asked security experts to look at how much they could find out about 42 different volunteers using publicly available sources of information online, such as social media or the electoral register.

Many of them were revealing far more than they realised – even information such as their home address, telephone numbers and date of birth in some cases. Together with other details like job title and employer – easily findable on websites like LinkedIn – they were vulnerable to ID thieves.

Even if you think you’ve taken precautions, such as not publicly listing your date of birth on Facebook, you may still be giving it away: several of our volunteers had posts thanking friends and family for their kind birthday wishes, which allowed the security experts to pinpoint the date. Combined with other information, such as the dates you attended school or university listed on LinkedIn, this could be enough to confirm your full date of birth.

Targeted phishing or vishing scams

For some of our volunteers it was also possible for us to get a strong sense of their hobbies and interests. This information would clearly not be enough to commit fraud on its own, but with security experts telling us that ID thieves are upping their game, this kind of information could put you at risk of a targeted phishing email or vishing (voice phishing) phone call.

Fraudsters are becoming masters at jigsaw identification – so-called ‘social engineering’ – taking a small piece of information, combining it with others from elsewhere, and using this to trick you into revealing even more.

So how about you, do you think you’re taking enough precautions to protect your identity online?

Useful links:

How to avoid becoming a victim of a phishing email
Identity theft test yourself

Comments
Member

There is a trade-off involved if you become a more public figure. For instance I think my profile is or rather was quite low despite having perhaps 20,000+ posts over a variety of forums in the last 15 years.

However when I wrote to the 7000+ shareholders in the Consumers Association, the charity that 100% owns Which? I had to reveal all the relevant details like address and contact details because it was the right thing to do in the circumstances. The Consumer Association has serious governance issues.

Any subscriber can and should join. Simply promising to pay up to 50p for your share if the charity were to fold entitles you to receive the Accounts and the Minutes of the AGM, and of course to reach other shareholders!

Member

It amazes me how much information people put about themselves on social media for the world to see. They are just asking for trouble. I do not belong to any social media website.

The only thing I fell down on in the Identity Theft Test was passwords.

You just need so darn many of them, it is impossible to keep changing them and having different ones for every site you visit. So I have a few I keep for different types of site and the financial ones get changed occasionally. But then different sites want different formats and lengths so I often manage to forget or lose them.

It doesn’t help when sites insist you log in before you can see anything on their website. I no longer use Trip Advisor as they won’t let you see reviews unless you log in? I can only assume they are collecting data about you.

We have always shredded anything with personal details or financial transactions on them.

But while it is legal to buy and sell personal data, we are all at risk when we have no control over where our personal details end up.

Member
MyIDisDI says:
17 January 2016

Credulity is wider than the Web.
Thanks for this article, reminding if not informing about privacy and one of its leading implications, that of ID theft, is essential and should be part of all sites’ systematic and repeated commitment to users’ education.
No, it is not possible (will it ever be?) to wander over the Web as it is to ballad in a field of grass and flowers thrilled by the beauty of human nature. The Net is a battlefield. Period.

Member

Directors are forced to reveal dates of birth when becoming a director and the date used to be shared publicly although now it’s just the month and year. However as soon as a director announces it’s their birthday you can combine the information to get their date of birth. You can also combine it with legacy versions of the voters roll. How is just revealing the month and year secure? Who protects the 2 million directors from ID theft? Why can’t the register of companies only be available to those with a legitimate interest such as credit reference agencies and banks – this works for private individuals. Now LinkedIn is doing the same. I of course don’t put my date of birth on my CV or online, but with Companies House we have no choice. When is the government going to give us consistent advice – if we shouldn’t be putting our dates of birth online then this should apply to government departments too.

Oh and for organisations that seem to think it’s justifiable because they need to know your age to buy an age related product (such as an 18 rated DVD on Amazon) then a tickbox “I am over 18” is sufficient for this. Anything more is excessive data gathering and may be in breach of the 3rd principle of the Data Protection Act. An organisation only needs to know I am old enough, not whether I was born in January or December or what day of the month.

Member

Spot on.

Member

I knew all this years ago so I intentionally put my real name down in all websites I post on, as I am controversial and of course argumentative I received large numbers of emails etc all wanting more info. But the fact is I don’t keep any personal details on my PC and I don’t do Internet banking, don’t “inhabit” any social network sites as I knew years ago that’s how our “authorities” collected data as well as the sites making revenue from selling your info (and still do). Having said that I am very open in my personal life, as I don’t care what people think, in that respect, as I try to help others and be a “voice” for them. This gets you attacked and I have been, many times, over the years. I don’t care about that either if I can achieve my goal of making this world a better place. No more wars, killings for politics, tortures, detentions illegally done and a lot more. As I never click on any emails that look dodgy, check the URL etc I don’t download viruses to take my data, MS does that too well (and others). The emails dropped down (took a few years) but I only occasionally get a phishing email now, like I got one today from an amateur asking me to check my bank through him as BT is cutting off my line, well at least he must watch Which so is probably British.

Member

I would be interested to know what percentage of people have been victim of some crime related to identity theft. I have not been and I don’t know many who admit to have been a victim.

I always assume that unsolicited emails and phone calls could be risky and if I choose to act then I will contact the company or other organisation.

I should be more careful with passwords but am concerned that sites that purport to organise passwords could be hacked.

Member

Right on the money, wavechange, they have been hacked. One of my browsers – Yandex – even advise you to change it regularly and it’s got virus protection, and don’t think the new buzz word app cloud is 100% safe, just ask all the businesses that don’t trust it.