The Internet is a boon for communication and information sharing, but it’s also fertile territory for criminals who use it as a hunting ground with the intent to cause significant harm. In 2013, 18.5 million Californians became victims of identity theft, much of it involving computer use in one way or another. And all too often, it’s because we’re not careful enough.
Anyone who uses email has received bogus messages. It might be a call for help from a “friend” who’s stranded abroad, penniless and without documents after having her purse snatched. Or it could be the so-called Nigerian scam, wherein you receive a plea from a little old lady in Africa who urgently needs your banking information so she can transfer $20 million into your account. Maybe it’s a bank or credit card company that’s suspended your account until you update your security information—even though you don’t have an account. They’re all ploys to get your personal, private information so faceless perpetrators can exploit it and cash in, and to reach you, they already have their hands on someone else’s address book.
The Northern California Computer Crimes Task Force, based in Napa, investigates computer-related identity theft (as well as other computer-related crimes) and assists the area’s District Attorney’s offices with the prosecution of high-tech crime and the recovery of digital evidence. Supervising Inspector Carl Chapman reports that, in high-profile cases, thieves hack into the websites of banks or businesses to take information, as happened when Target experienced a breach in 2013 and thieves stole the credit and debit card numbers of millions of customers. That kind of massive theft requires sophisticated technological expertise, so thieves more often resort to an easier technique: stealing mail, especially when tax time is approaching and employers are sending 1099s. Once they have a victim’s information, they often sell it. Chapman explains that a lot of identity theft is the result of people buying credit card information and personal data from online criminal sites, which are frequently based in Eastern Bloc countries, making it difficult to find the source.
Sometimes, though, it’s more personal. Thieves get directly into your computer or device, such as a cell phone or tablet, while you’re using it. Chapman points out that many computer devices will identify open Wi-Fi networks and people will connect to the nearest open network, even if they don’t know the source is legitimate. “It could be someone setting up a counterfeit hotspot,” he says, explaining that a thief will use a name that’s similar to an existing network. In a hypothetical scenario, he describes your being in the airport wanting to check on a flight time, and your computer or device goes to a network with a name so close to the real one that it’s difficult to recognize it’s not legitimate.
Marin resident Tom Schiff suspects someone hacked into his phone and took the email addresses from the messages he received when he checked email using his iPhone in Zürich Kloten Airport, Switzerland’s busiest terminal. “Everybody whose email I received [while in Switzerland] got spam,” he says. He recalls having difficulty with his password when he was in the airport and thinks that’s when a thief accessed his phone. Schiff, who’s tech-savvy, discovered the problem fairly quickly and changed his password. Then, as a further precaution, he changed it again. He also made sure his phone was set so it would no longer automatically connect to an open network. For him, the lesson learned is never to use the Internet in public places. “It’s nice getting your email on the road, but it can be dangerous,” he says.
Another tactic that’s getting increasing attention is the use of wireless sniffers, which are small, easily concealed devices that take advantage of open networks to access people’s computers and take whatever information they can. A sniffer can grab an address book, giving a thief contacts for sending spam that will allow access to bank and credit card accounts if an individual responds, or it can take the user’s personal data, so the thief can sell the information or commit some other kind of fraud, such as opening a credit card account.
Consider this: You’re in your favorite café and people are quietly tapping on the keyboards of their laptops or texting on their smartphones. The establishment offers free Wi-Fi, and most people are connected to the Internet in some way. A woman next to the window might be sending an email to confirm an appointment, and a man in the far corner could be checking his bank balance. It’s a peaceful and relaxed scene, and no one knows what each individual is doing—except for one. A third person could have a small wireless sniffer concealed beneath a newspaper and be gathering crucial information belonging to the other customers—and nobody would have a clue.
If you’re using a public network, regardless of how safe it might seem, you’re in a situation with the potential for identity theft, so it’s a good idea to take precautions. “Don’t ever use your laptop or devices on free Wi-Fi hotspots to do anything that you need to keep private, and don’t log into anything that asks for your password,” advises Chapman, pointing out that thieves are searching for passwords. Checking the weather and flight times is relatively harmless, but he cautions against looking at bank accounts or paying bills.
Jeffrey Pettersen is a certified fraud examiner at Bank of Marin. He sees identity theft regularly and finds that many cases are the result of phishing attacks. In those cases, a person gets an email from what appears to be a reputable company, clicks to respond and unknowingly goes to the wrong place.“It’s going to route you to the fraudster’s server,” says Pettersen. The perpetrator will then try to take your login name, password and Social Security number. Once you enter the site and click OK, he or she has got your information and an opportunity to download malware onto your computer to track your activity. If that happens, someone in the background will be watching everything you do online, Pettersen explains.
He also describes “man in the middle” attacks, which occur when an attacker intercepts an email message and retransmits it while maintaining the appearance that the two original individuals are still connected. "The intent could be to either access a message or modify it,” he says.
Harvesting information is just the first step. With enough stolen address books, a person with ill intentions can amass thousands of email addresses to use in phishing expeditions, targeting potential victims with scam messages designed to make money for the thief. Inevitably, some people will bite. Pettersen points out that it only takes a handful of people to fall for a scheme for it to be lucrative.
People often find out they’re victims of identity theft because it affects them financially. Becky Frost, consumer education manager for Experian’s ProtectMyID, says it’s common for identity thieves to open a credit account in a victim’s name if they have enough information, and then not make any payments, thus affecting the victim’s credit rating. Frost explains that the transgression often goes unnoticed until the victim has credit cards declined or receives collection notices. She finds that people experience frustration when they can’t make a transaction, and they describe their feelings as being similar to those of a mugging victim.
Once an individual discovers a problem, it’s important to act quickly to prevent further damage. “They find out hopefully on the first transaction,” says Pettersen, but sometimes he’s the first one to spot suspicious activity. He explains that the bank has internal systems that let him see different transactions, and if something appears to be amiss, he or a customer service representative will reach out to a customer to find out if the activity is legitimate. If it isn’t, they’ll stop the transaction, lock down the account and review it.
The bank recommends customers close an affected account immediately. “We’ll open a new one. That way, it’s a clean transition,” says Pettersen. It also suggests victims contact credit bureaus and activate fraud alerts, and it’s important to file a police report even if there doesn’t appear to be a loss, because it provides documentation for insurance purposes should it become necessary to file a related claim. In addition, Pettersen recommends victims have their computers scanned; he recalls a customer who discovered during such a scan that malware from Nigeria had infected his computer. “It’s an arduous process,” he says, but “it can only benefit them—and the sooner they do it, the better.” Otherwise, months down the road, a victim might be responsible for a huge amount of debt because someone has opened a credit card in his or her name and not paid the bill.
Frost recommends identity theft protection, which goes beyond credit monitoring, and explains that Experian’s ProtectMyID offers members one-on-one assistance from a trained identity theft resolution agent, who will work with the member to remedy problems and get a victim back on track. “If [customers] suspect they've been victimized by an identity thief, they can put a fraud alert on their account as an initial step,” she says. She finds that when people discover a thief has accessed their information, they don’t know what to do, but if they have identity theft protection, an agent will help them get through it. “It’s nice to have that human touch,” she says.
Identity theft is stressful, expensive and time-consuming for victims, so a better strategy is to prevent it from happening in the first place. Pettersen says it’s preferable to be proactive before a breach than reactive after. To this end, he advises people to be vigilant. “The most valuable asset you have is your identity,” he says, pointing out that an identity thief doesn’t have the key to your house or car, “He has the key to your life.”
He suggests people go to Bank of Marin’s website to check out its tips for protecting your identity. He adds that the bank has free software available for its customers, which will make their sessions secure when they log onto online banking. He likens the connection from an individual’s computer to the banking site to a drainpipe with holes in it, allowing leaks. The free software effectively blocks the holes and locks down the computer so outsiders can’t get in.
Frost advises people to make sure they have strong passwords, change them regularly and refrain from posting their PII (personally identifiable information, such as birthdate and Social Security number) on social networks. She also tells them not to ignore small transactions, because they could be a test in preparation for something bigger. She recommends avoiding public hotspots and says, “Wi-Fi itself isn’t the problem. Using public Wi-Fi for confidential transactions is.” When people use it, “They’re potentially giving up their credentials,” she says.
Pettersen encourages people to ask questions about security. “Really understand what your bank is offering,” he says. He advises people to avoid any transactions or practices they feel uncomfortable with, and that extends to doing their banking online. As prevalent as the practice has become, it’s fine to use traditional channels and walk into your local branch to do business, and the personal interaction is a bonus, because the staff enjoys seeing customers face-to-face.
We’re living in an increasingly connected world, so it pays to be vigilant. Cyber thieves are difficult to find and are deviously clever at coming up with new ways to do harm. You’re the prey, and they’ll target anyone they can, so be cautious. Nobody wants to be a victim.
A survey to determine how well Californians are protecting themselves from identity theft and fraud produced results that are cause for concern. Percentages are based on the number of respondents to the survey.
Victims of identity theft in California, 2012 to 2014 31%
Use a password to unlock a laptop computer70%
Enable remote tracking and wiping capabilities on smart phones61%
Manage privacy setting on social networks regularly44%
Check credit reports regularly24%
Close browsers without signing off online accounts22%
Don’t worry about identity being stolen51%
Received a data breach notification letter40%
Keep a written record or passwords in a purse or wallet21%
Don't check to see if a website is secure when shopping online54%
Data breaches in California in 2014, up to the end of October90
Source: Edelman Berland online survey of 1,000 adults 18 and older between September 2 and September 5, 2014. Conducted on behalf of Experian.
Encryption: Encoding messages so only authorized users can access information
Hotspot: Internet access over a wireless local area network
Malware: Malicious software intended to gain access to a private computer for clandestine purposes
Man in the middle: An individual who hacks into a connection and masquerades as the users at each end to send emails as if he were them
Spam: Unsolicited bulk email
Spoof attack: A person uses a wireless sniffer to impersonate another device or user with the intent to lure people to his or her server to steal data, spread malware or do other harm
Strong password: A password with a combination of letters, numbers and symbols, so that it’s difficult for anyone else to guess what it might be
Trojan horse: A type of malware program that gives a hacker access to a victim’s computer
Virus: Malware that can affect the performance of a computer and cause system failure, corrupt data and result in maintenance costs
Wireless sniffer: A device or software designed to intercept and capture data transmitted over a wireless network; although they're often used legally for business purposes, identity thieves also use them in public places with free wireless networks, such as airports, hotel and cafés.
Find Out More
Bank of Marin
Tips for protecting your identity:bankofmarin.com. Click on Community, go to Customer Resources and select Fraud Center.
Measles, mumps, chicken pox and other childhood diseases of yesteryear are making headlines again in the United States. Formally prevalent viruses and bacterium affected thousands of lives before a sc...
Located at 1410 Neotomas Ave. in Santa Rosa,NorthBay biz magazine is a monthly business-to-business publication covering Napa, Sonoma and Marin counties. This year, the magazine is celebrating 43 years of continuous operation. It originally hit the stands in 1975, when it was called Sonoma Business, and only covered Sonoma County. Norm and Joni Rosinski and John Dennis, acquired it in 2000 and changed its name to cover an expanded market. Today, the magazine is part of Amaturo Sonoma Media Group. More here..