ID theft: how much info are you revealing online?

For years we’ve been told to shred paperwork revealing personal details – such as our address or date of birth – before throwing it away, lest an ID thief finds it. But are we revealing too much about ourselves online?

With ever more of our lives moving online, ID fraudsters may be able to get this info without ever getting their hands dirty.

In fact, in a recent investigation we found that some people are leaving so much information online that it would be possible for us to successfully apply for credit cards.

With permission, we were able to use the information we found, plus a few educated guesses, to successfully apply for credit cards in the name of three of our volunteers.

Details left online

We asked security experts to look at how much they could find out about 42 different volunteers using publicly available sources of information online, such as social media or the electoral register.

Many of them were revealing far more than they realised – even information such as their home address, telephone numbers and date of birth in some cases. Together with other details like job title and employer – easily findable on websites like LinkedIn – they were vulnerable to ID thieves.

Even if you think you’ve taken precautions, like not publicly listing your date of birth on Facebook, for several of our volunteers there were posts thanking friends and family for their kind birthday wishes which allowed the security experts to pinpoint the date. In combination with other information such as the dates you attended school or university on LinkedIn this could be enough to confirm your full date of birth.

Targeted phishing or vishing scams

For some of our volunteers it was also possible for us to get a strong sense of their hobbies and interests. This information would clearly not be enough to commit fraud on its own, but with security experts telling us that ID thieves are upping their game, this kind of information could put you at risk of a targeted phishing email or vishing (voice phishing) phone call.

Fraudsters are becoming masters at jigsaw identification – so-called ‘social engineering’ – taking a small piece of information, combining it with others from elsewhere, and using this to trick you into revealing even more.

So how about you, do you think you’re taking enough precautions to protect your identity online?

Useful links:

How to avoid becoming a victim of a phishing email
Identity theft test yourself


There is a trade-off involved if you become a more public figure. For instance I think my profile is or rather was quite low despite having perhaps 20,000+ posts over a variety of forums in the last 15 years.

However when I wrote to the 7000+ shareholders in the Consumers Association, the charity that 100% owns Which? I had to reveal all the relevant details like address and contact details because it was the right thing to do in the circumstances. The Consumer Association has serious governance issues.

Any subscriber can and should join. Simply promising to pay up to 50p for your share if the charity were to fold entitles you to receive the Accounts and the Minutes of the AGM, and of course to reach other shareholders!

It amazes me how much information people put about themselves on social media for the world to see. They are just asking for trouble. I do not belong to any social media website.

The only thing I fell down on in the Identity Theft Test was passwords.

You just need so darn many of them, it is impossible to keep changing them and having different ones for every site you visit. So I have a few I keep for different types of site and the financial ones get changed occasionally. But then different sites want different formats and lengths so I often manage to forget or lose them.

It doesn’t help when sites insist you log in before you can see anything on their website. I no longer use Trip Advisor as they won’t let you see reviews unless you log in? I can only assume they are collecting data about you.

We have always shredded anything with personal details or financial transactions on them.

But while it is legal to buy and sell personal data, we are all at risk when we have no control over where our personal details end up.

MyIDisDI says:
17 January 2016

Credulity is wider than the Web.
Thanks for this article, reminding if not informing about privacy and one of its leading implications, that of ID theft, is essential and should be part of all sites’ systematic and repeated commitment to users’ education.
No, it is not possible (will it ever be?) to wander over the Web as it is to ballad in a field of grass and flowers thrilled by the beauty of human nature. The Net is a battlefield. Period.

Directors are forced to reveal dates of birth when becoming a director and the date used to be shared publicly, although now it’s just the month and year. However, as soon as a director announces it’s their birthday you can combine the information to get their date of birth. You can also combine it with legacy versions of the voters’ roll. How is just revealing the month and year secure? Who protects the 2 million directors from ID theft? Why can’t the register of companies only be available to those with a legitimate interest such as credit reference agencies and banks – this works for private individuals. Now LinkedIn is doing the same. I of course don’t put my date of birth on my CV or online, but with Companies House we have no choice. When is the government going to give us consistent advice – if we shouldn’t be putting our dates of birth online then this should apply to government departments too.

Oh and for organisations that seem to think it’s justifiable because they need to know your age to buy an age related product (such as an 18 rated DVD on Amazon) then a tickbox “I am over 18” is sufficient for this. Anything more is excessive data gathering and may be in breach of the 3rd principle of the Data Protection Act. An organisation only needs to know I am old enough, not whether I was born in January or December or what day of the month.

Spot on.

This comment was removed at the request of the user

I would be interested to know what percentage of people have been victim of some crime related to identity theft. I have not been and I don’t know many who admit to having been a victim.

I always assume that unsolicited emails and phone calls could be risky and if I choose to act then I will contact the company or other organisation.

I should be more careful with passwords but am concerned that sites that purport to organise passwords could be hacked.

I’m amazed at just how gullible some people seem to be on social media. The number of times friends have liked and shared things like “This is the 1st time in facebook history we’re giving away 2 [insert name of an expensive car]”, or the type 6 and see what happens to this pic rubbish. FYI they’re like-farming scams; fraudsters will be selling these “popular” pages to other fraudsters for money and as you’ve commented on it they’ll have access to your details. And only this morning I reported a sponsored ad to Rayban. The ad is obviously (to me) selling fakes, and within 2 hours Rayban have responded; Action Fraud or Trading Standards would take weeks to respond if at all.

And don’t forget Facebook is after all a scammers’ paradise.

The British public is to a large extent not aware how open the various products are to hacking and other actions which essentially make this world a mess. A judgement for $67m has just been awarded to Visa Banks because of the millions of customer details stolen from Target [!] in the US. The banks are claiming for all the extra checks and re-issued cards.

The Marriott and its subsidiary chains is also on the hook for a major hack attack.

The media is actually quite coy – other than The Register – have a look at this week’s list of cracks, hacks and problems … pay particular attention to this: “One Ring to pwn them all: IoT doorbell can reveal your Wi-Fi key”, as IoT is getting loads of column inches and it appears people selling the kit such as RING really are not capable of protecting customers.

Or: $30 webcam spun into persistent network backdoor
Or: UK NHS-backed health apps ‘riddled with security flaws’
Not in this week’s but last was Trend installing a major hole in its product to users’ computers

Debug code cracked case in hunt for mystery Silverlight zero day
Kaspersky reveals story behind nasty Patch Tuesday fix

Cisco admins gear up for a late night – hardcoded password in wireless points nuked
Wi-Fi gear, WLAN controllers, ISE get security patches

Anonymous floods Thai gov websites to protest backpacker murder case
Murky allegations against local cops re-aired

Israeli security firms Check Point, CyberArk in talks – report
Possible ‘Cyber Googleplex’ in the making, says paper

Distil gets into a Scrape to boost bot defences
Buyout hopes to boost big firms’ infosec presence

As easy as ‘Citrix123’ – hacker claims he popped Citrix’s CMS
And once he was in, it became possible to pour malware onto all customers, allegedly

UK NHS-backed health apps ‘riddled with security flaws’
Official approval seems to mean very little these days

Brazilian whacks: as economy tanks, cyber-crooks samba
Public boasting and n00b-friendly training colour underground forums

$30 webcam spun into persistent network backdoor
Bring on the Internet of dangerously hacked things

BlackBerry baffled by Dutch cops’ phone encryption cracked brag
Has Holland made a hash of it?

Windows 10 shattered Remote Desktop’s security defaults – so get
All users of Windows, Office, and Adobe software, should update ASAP

Fortinet tries to explain weird SSH ‘backdoor’ discovered in firewalls
Update your firmware or suffer the consequences

Sigh … c’est la vie: France mulls mandatory encryption backdoors
Europe at odds over secure comms

Cybercops cuff two in hunt for DDoS extortion masterminds
Zombie master suspects tracked to Bosnia

One Ring to pwn them all: IoT doorbell can reveal your Wi-Fi key
All you need is a screwdriver and a smartphone

Biz jabber tool Slack realises it needs a Chief Security Officer
New hire comes from CIA-funded document management firm

Asian cyber-spies fling Seven Pointed Dagger against Myanmar, NGOs
Ninja malware in multi-pronged attack

Open Web Application Security Project issues new secure coding bible
Independent security advice can keep you out of The Register’s security

Turkish carder scores record 332-year jail term
135-years for yanking 11 bank cards, on top of previous 199-year

Drupal uncrosses fingers, promises secured patching
Don’t worry too much about CSRF, security wonks chirp

FRITZ!Box home broadband routers’ security FRITZed
SOHOpeless vuln gives attackers free VoIP calls

Cisco forgot its own passwords for seven weeks
No, you’re not the worst sysadmin in the world if you can’t log on to a new UCS box

Trend Micro AV gave any website command-line access to Windows PCs
Computers could be easily hijacked or trashed via security holes

Beware the terrorist drones! For they are coming! Pass new laws!
Research bods tear out hair, argue for new rules and lasers

200 experts line up to tell governments to get stuffed over encryption
No laws, policies or secret agreements with companies, urge

Data centre outfit Interxion admits to contact detail security breach
Chill, the ‘vulnerability’ has been fixed, people informed

Exploit kits throw Flash bash party, invite Crypt0l0cker, spam bots
Evilware rivals race to exploit the flaws stoopid folks don’t fix

I have recently amended my birthday date on Facebook. The date is close to the real one – but not accurate. When I tried to delete my birthday, it would not allow it and reverted to 1 January 1904. I’m in pretty good shape for 112!

I have no online services that have my correct date of birth and if possible even my correct name. I even receive parcels addressed to DeeKay but that’s not my name despite being card payment.
I for some reason saw this coming years ago. People put a hell of a faith in systems that are proving to be a bigger con than anything near honest.
I have tormented my wife to play a “little more secretly” but Oh No FB and so on protect us all. What a load of baloney, just like free apps where you have to put in all your details to get them. That’s the payment. Your details. The amount of cold calls says it all. Dee Zero Wifey several per night

I appreciate that the growth in social media and the internet has put at risk the sharing of information and being ‘sociable’. Are we expected to not be interesting, not get involved in activities that may get published or at all have any kind of shared life? Surely more should be done by the companies who want our custom to protect our information and more should be done by the legal professionals to stop scammers etc when they get found out. There is too much money made by business using us as customers without protecting us. There is not enough done to stop the telephone and mail scammers from outside the UK. Let’s put proper punishments and penalties in place to discourage people. No more slaps on the wrist!!

I have noticed recently that I suddenly have a lot of new “best friends” round cash points and checkouts (are there cloned copies of my cards out there?). Stores and financial institutions need to do a lot more to make cash points and checkouts secure. It is not always possible to fully cover a key pad when entering your pin (you need to see it yourself and you cannot monitor everyone else in the vicinity); and, you do need to take your card out of its protective case to use it to pay contactless.

My laptop was upgraded to Windows 10 by a local PC trader. The day that it was returned, Amazon closed my account because somebody tried to get a refund from my account. Four weeks later, my wife’s laptop was repaired by the same man; the day it was returned, M&S cancelled my credit card because someone tried to use it illegally. It might all have been a coincidence. Should I do something, and what? Help, please.

For some reason Nationwide credit card statements come through the post showing the full credit card number.
Due to a change of address one of my statements went astray.
Subsequently several items, that I knew nothing about, had been included on a later statement.
To the credit of Nationwide, when I reported this, they had the items credited.
But why do they need to show the full card number?

For some time I have been slightly amused by all the exhortations to keep my ID details confidential. My name and date of birth is published annually in the newspapers. My address is readily available. Everywhere when I shop and asked for my date of birth as proof of identity (even when buying dog biscuits!). My wife recently in annoyance gave a false date of birth – this was rejected as being incompatible with the information already known about her. These requests are as far as I know all from perfectly reputable shops and suppliers but the data is very well known and we cannot remove it from the public domain. My career has been public but I’m certainly not alone in this. Is it possible to assume a completely novel identity – a banking alter ego – for the purposes of security? You might like to investigate.

I suspect Duncan you are referring to the Italian security [?] firm that got hacked. It had/has contracts with dubious regimes. When I say “security” that means they were aiding governments spy on people.

As to using your full name I think it very unwise. I have noted that some have been allowed to post using their email address.

Whilst dates of birth are not easily hidden you certainly increase the chances or ease by giving the details online. Unfortunately there are also idiots who are happy to give away other people’s details by announcing grand-daughter’s 18th on some site they visit.

Nobody can be assured that they can retain anonymity but they can certainly make it harder for the bad guys by not broadcasting details. Mentioning holidays or family matters online are all aids to the villains if they are contemplating anything.

Still whilst people still use Twit and Facebook to reveal all then that lowers the risk for the rest of us. Just avoid letting them post your plans.

Sir Martin Evans… Not the Nobel prizewinner, perchance?
