Protecting Yourself from Identity Theft

I don't have a lot of good news for you. The truth is there's nothing we can do to protect our data from being stolen by cybercriminals and others.

Ten years ago, I could have given you all sorts of advice about using encryption, not sending information over email, securing your web connections, and a host of other things­ -- but most of that doesn't matter anymore. Today, your sensitive data is controlled by others, and there's nothing you can personally to do affect its security.

I could give you advice like don't stay at a hotel (the Marriott breach), don't get a government clearance (the Office of Personnel Management hack), don't store your photos online (Apple breach and others), don't use email (many, many different breaches), and don't have anything other than an anonymous cash-only relationship with anyone, ever (the Equifax breach). But that's all ridiculous advice for anyone trying to live a normal life in the 21st century.

The reality is that your sensitive data has likely already been stolen, multiple times. Cybercriminals have your credit card information. They have your social security number and your mother's maiden name. They have your address and phone number. They obtained the data by hacking any one of the hundreds of companies you entrust with the data­ -- and you have no visibility into those companies' security practices, and no recourse when they lose your data.

Given this, your best option is to turn your efforts toward trying to make sure that your data isn't used against you. Enable two-factor authentication for all important accounts whenever possible. Don't reuse passwords for anything important -- ­and get a password manager to remember them all.

Do your best to disable the "secret questions" and other backup authentication mechanisms companies use when you forget your password­ -- those are invariably insecure. Watch your credit reports and your bank accounts for suspicious activity. Set up credit freezes with the major credit bureaus. Be wary of email and phone calls you get from people purporting to be from companies you do business with.

Of course, it's unlikely you will do a lot of this. Pretty much no one does. That's because it's annoying and inconvenient. This is the reality, though. The companies you do business with have no real incentive to secure your data. The best way for you to protect yourself is to change that incentive, which means agitating for government oversight of this space. This includes proscriptive regulations, more flexible security standards, liabilities, certification, licensing, and meaningful labeling. Once that happens, the market will step in and provide companies with the technologies they can use to secure your data.

This essay previously appeared in the Rochester Review, as part of an alumni forum that asked: "How do you best protect yourself from identity theft?"

Posted on May 6, 2019 at 7:08 AM • 43 Comments

Comments

WinterMay 6, 2019 7:43 AM

There seems to be a principle in Law that the risks (costs) should be with the entity that can control them.

Which would mean that the ALL the costs, for all of eternity, resulting from a breach should be paid by the entity that has lost the data.

That would not help in itself, as companies would shield behind bankruptcy.

What might help is when every company collecting personal data would be required by law to insure against the costs to data subjects resulting from any breach. Then, the costs of lax security would be on the balance sheet immediately, this quarter.

JamesMay 6, 2019 8:40 AM

@Winter: Unfortunately that will never work. Those companies have really deep pockets and they use that to grease the wheels of politics in their favor. The management of a company that "loses" or outright sells customer's data without notice or consent (as the big four cellular providers selling location data) should go straight to prison. In reality all that happens is "oops, we're sorry, but you know, our customer's security and privacy is very important to us".

CoenMay 6, 2019 8:52 AM

@Winter,

In addition, I believe that companies must assume that data has been stolen. If someone opens up a loan in my name with information from the internet, and the bank comes knocking at my door because they want their money back, I think it should be their loss to swallow. After all, I didn't do anything wrong, but the bank gave credit to an impostor. That's not my fault, it's theirs.

Petre Peter May 6, 2019 8:56 AM

Wherever there is liability, insurance follows. Companies will continue to protect themselves from data breaches by buying insurance and do only the minimum required to get a lower premium. People have to get prison sentences for data breaches - something they won't be able to buy insurance for.

TimHMay 6, 2019 9:02 AM

@Coen
Per banks... if you visit Ross Anderson's site at https://www.lightbluetouchpaper.org/ you'll see that banks are very persistent in insisting that if someone pretending to be you had a transaction, then it was you. The forensic fraud with POS terminals faking that transactions are secure (chip n pin) when the backup mag strip is used is unbelievable, as an example.

Prof Anderson is the reason that I will only use a credit card, and my bank card is ATM only, not debit.

The big problem with consumers arguing "It weren't me, guv, I was somewhere else, innit) is the onus of proof. With credit cards, the bank (generally) has to show it was you. Other transactions are rarerly protected to that degree, and in the meanwhile the money is gone.

Bob EastonMay 6, 2019 9:03 AM

"...agitate for government oversight.."

REALLY? How many of us are saying "Yes please, give me more regulations!" Government has repeatedly shown us how they f--- up everything they touch. Who would ever want more?!

Instead, I would "agitate" for some shock-n-awe class action law suits that would make all corporations wary of lax security.

MattMay 6, 2019 9:08 AM

I'm curious why cybersecurity professionals are so well paid if everyone's info is already out there. Where's the demand coming from?

WinterMay 6, 2019 9:26 AM

All this naysaying about regulation is telling. But not all nation states are politically as dysfunctional as the USA (or UK).

In my country, the Netherlands, I have had no problems getting my money back when someone else withdrew it illegally. The same with my neighbor when it happened to him.

And yes, people who ask for more and better protections do ask for more and better regulation.

The last years the onus on banks wrt consumer protection have been going up with general popular approval.

BillMay 6, 2019 9:32 AM

Can you elaborate on just how "security questions" are invariably insecure? Is it that they store your answers insecurely, it's too easy for someone to find out the answer, or something else? I've considered ignoring the question and just giving a secondary general password which I have memorized. Or alternatively a secondary unique password stored as an additional record in a password manager. Would this be at all an improvement in security or just a waste of my time?

HJohnMay 6, 2019 9:41 AM

Years ago, I said that it was destined to fail, our tactic of trying to keep things that must be shared a secret. Most notably, using an unchanging identifier (SSN) as a unique authenticator (password), but also account numbers and birth dates, maiden names, ZIP Code, etc.

We will never be able to keep these a secret. The real problem is they are just too easy to use, and they are too easy to use because the parties that are actually in a position to provide security do not bear the cost of their misuse... therefore they are not willing to bear the cost of security, including the inconvenience on the user.

KronMay 6, 2019 9:55 AM

@Bill
The security questions are usually predefined knowledge-based questions like "What high school did you attend" or "What is the name of your first pet". Some questions are better than others and some places even allow you to set your own questions but they all are knowledge based; meaning that if someone else can learn what you know they too can answer the question and bypass your secure 32 character alphanumeric password that is randomly generated and stored in a password manager.
My advice is that if you encounter knowledge-based "security" (aka. "I forgot my password") questions that cannot be left blank just fat-finger the keyboard for a while without any attempt to remember or capture your "answer" and never, ever, forget or lose your password.

ChelloveckMay 6, 2019 10:06 AM

@Bill: Both the things you mention are true. The answers are stored insecurely and, if you've answered honestly, are too easy for someone to figure out through other means. They're stored insecurely partly because they're not considered as sensitive as passwords and partly because they may need a fuzzy matching algorithm. "What was your high school's mascot?" could be answered "Albatross" or "The Albatross" or "The Fighting Albatrosses" or "Albert the Fighting Albatross" or the user may not consistently spell "albertross" or, or...

I do what you've suggested. I generate answers to security questions the same way I generate my real passwords, and I store them in my password manager. If anyone ever questions whether or not my mother's maiden name was really "xC_Ld@9yEvgR?44*^9l~N" I just tell them that she was Norwegian.

Robert SicilianoMay 6, 2019 10:18 AM

OK, this will be an unpopular comment. And really no offense. This is a surprisingly inadequate response from Bruce. There are all kinds of identity theft. Some can be relatively prevented and others cant. Your data in the hands of criminals doesn't mean fraud will occur or that your identity has been stolen. It just means a criminal has it, and that's just a given. Pure identity theft is new account fraud and can be mitigated with a credit freeze and layered with identity theft protection services. This is how you protect kids too. Account takeover seems to be what this article is being all doom and gloom about. And the advice on password management is correct. Otherwise being diligent about device security and account monitoring is essential. Protecting from Tax identity theft means filling out form 14039. Medical identity theft is not preventable, but the risks are low.

Wilhelm TellMay 6, 2019 10:25 AM

In the very near future one needs multiple identities to survive through the life. The other alternative is to employ yourself in a life-long slavery.

DaveMay 6, 2019 11:10 AM

They do it for the likes ...

Facebook (and other social media) quizzes add to the problem of security questions these days. There are too many people out there willing to answer those to let their friends and followers know their favorite teacher, color, car, book, street they grew up on, favorite car, etc. all in the name of taking a quiz. I'm shocked how few realize that these quizzes are likely being developed to gather typical security question responses. No one seems to question WHAT is being done with the information gathered by the developers or WHO the developers are or WHERE they originate from. Also, those same quizzes usually grant the app access to all kinds of your social media information that could be used as well.

I look at those quizzes as a very successful social engineering campaign.

EvanMay 6, 2019 11:18 AM

@Coen:

"Identity theft" is a term banks invented for "fraud" that takes the onus off them and pushes it onto consumers. It's not their fault they made a loan to the wrong person; it's your fault for "your" Social Security Number or other identifying information being stolen (even if it wasn't stolen from you). There are some easy solutions - one of which is to formally make stolen identity a presumption in court so banks etc will have to have better proof beyond a scan of a scribble and a social security number.

David OftedalMay 6, 2019 12:20 PM

I think part of the solution may be to reframe the issue altogether, like Ross Anderson does in his "Security Engineering".

After all, while we tend to talk about "identity theft", noone really loses their identity in such a theft - Their identity still belongs to them, and noone else can claim the right to use that identity on account of it having been "stolen".

Consider an example where someone uses another person's identity to withdraw money from a bank, for instance. Certainly, a theft has taken place, and money is missing from the bank, but no money has actually been lost by the customer. Unless the customer has contributed to the theft purposely or through negligence, the bank still owes the customer the same amount of money as before.

Or consider another example where one person buys an expensive item while pretending to be someone else. Again, such an action constitutes a kind of theft, but nothing has been stolen from the person whose identity was used, and nothing is owed by them to anyone else.

In both of these cases, the victim of identity theft has no direct relation to the case at all, neither as perpetrator nor as victim. Framing it as "identity theft" makes it sound like the person whose identity was misused has a moral or legal obligation to involve themselves and take responsibility for the crime, despite having no actual part in it. But that makes no sense - It's not generally just to punish one person for another person's actions.

vas pupMay 6, 2019 12:28 PM

@Bruce:"This includes proscriptive regulations"
The most important is actual implementation/enforcement of those regulations.
At the time those regulations are adopted enforcement mechanism should be ready, be clear and available for practical usage.
Moreover, time and again, mandatory arbitration, class action prevention, allocation of burden of proof on customer - regular Jane/Joe - should be outlawed - just null and void by Law when such provisions in any bank/financial institution/privacy
policy are included by corporate lawyers because Jane/Joe does not have matching negotiating power, so Government should be sided by customer creating adequate legal framework to counterbalance ability of big business avoid real due process and responsibility.
Yeah, in my pipe dreams.

@Winter. You are absolutely right. Strong regulations of financial institutions prevent many troubles including artificial financial crisis on national (and if that is crisis in US - international level). Prove is absence of such problems in Canada.
As I stated more than once on this respectful blog: government itself is not a problem, dysfunctional government staffed with unprofessional or/and immoral folks is.

General observation: in Tax form of 2018 FINALLY IRS eliminate requirement of phone number of taxpayer. That prevent many fraudulent calls form scum bags claiming they are from IRS.
In reality, IRS never contact you by phone. So, what was the reason to ask phone number at the very beginning?

I guess kind of penetration tests - analysis of privacy weaknesses with attempt to defraud folks by experts with explanation thereafter to person be defrauded mistakes could be useful as inoculation.


Impending Stealth EpiphanyMay 6, 2019 12:53 PM

What are we on about ?

The term "Identity Theft" is an oxymoron in this DisInformation Age. Several millions of intel workers routinely are acquainted with most everyone's ID including their biometrics and their mannerisms and their social histories. Nobody can steal your ID if it's pretty much tracked and logged and scanned and studied and even stealthfully manipulated (along with you too!) on a regular quasicovert basis.

Let's please drop the veils and take a peek into the many mirrors beyond the many smokescreens.

P.S.-Thanks for this:

https://consortiumnews.com/2019/04/26/assanges-imprisonment-arguably-reveals-even-more-corruption-than-wikileaks-did/

parabarbarianMay 6, 2019 12:56 PM

One problem is the ubiquitous use of the Social Security Number as a personal identifier. It is just too easily discovered and almost impossible to change. That might be solved by replacing it with with a better designed national ID number for all but Social Security accounts. That would be strongly resisted because it could also be used as a voter ID and make e-verify more reliable. I know the ACLU has a fit every time any kind of national ID is proposed.

Personally, I am still undecided if the benefits outweigh the risks.

DDDMay 6, 2019 1:25 PM

@Bob Easton:

What kind of shock and awe lawsuits do you expect to file without the government putting laws into place that form the basis for said lawsuits? There is a reason there haven't been enough successful cases already to cause change. Do you think Experian would still exist if consumers actually had the power to do anything currently? Government regulation doesn't always have to come in the form of some sort of agency. Some law that put simple figures on such breaches would form a solid basis for what you want. $x per name and address leaked, $x per SSN leaked, etc.

VRKMay 6, 2019 2:03 PM


Thanks Bruce. (recommend "nothing you can personally doto affect its security").

IMO, "Agitating" ~= "subversion" ~= 10+ years of stalking by the bored royally loyal, in some countries. If mercy is in abundance. If you hear the hiss, its too late.

And, if you ARE being dragged under the bus, the only useful break you're going to get is by snagging your hoodie in the driveshaft. I've had my nose hair trimmed with a .50 cal rifle once too often, but it DOES seem SOME things are important enuf. Mostly: All small children, and little else.

Thanks again.

Bernie CosellMay 6, 2019 2:59 PM

I think the silly security questions are just fine and provide reasonable additional security... as long as you don't answer them truthfully nor do you repeat answers. My password manager [pwsafe] as well as most others can remember questions and answers as easily as passwords.

So I tend to be random as much as I can. If it asks about "what was your first pet" I might answer " a koala" or "a minotaur". Mother's maiden name? Tudor or Gwilliger, etc.

supersaurusMay 6, 2019 3:23 PM

@ several:

one more vote for subverting the "secret questions" crap: my mother's maiden name might be tyrannosaurus-rex...or it might not. good luck finding that in public information. and so forth. I've never had an answer refused, no matter how nonsensical.

1&1~=UmmMay 6, 2019 4:52 PM

@Bruce Schneier:

"The truth is there's nothing we can do to protect our data from being stolen by cybercriminals and others."

Actually there is a lot we can do about it, the real question is 'Will we be alowed to do anything about it?'

As has been pointed out by other people in the industry when we wish to process data we need four things,

1, Data.
2, Software.
3, Storage hardware.
4, Processing hardware.

The first two are both "information" and can be stored on storage hardware anywhere likewise the processing hardware can be anywhere.

Identity theft only becomes possible because second, third or more parties get to see private data moved from storage to processing.

To minimise the risk of identity theft personal private data should never have to move from your personal private storage hardware to anywhere other than your personal private processing hardware.

What can travel from other storage to your personal private processing hardware is software. Providing it is correctly designed then it will not leak any information other than that which you alow.

Apple tried doing this back a number of decades ago with 'Project Pink'. Since then just about everybody else has tried and mainly succeeded in forcing us to reveal way more private information. Not just by Web, but Cloud and applications.

If we want to reduce cyber-crime then we need to change things around such that software comes to us to process our data on our hardware, and we stop sending our data to their software on their processing and storage hardware.

It's something we need to do to try and avert ecological disaster. We should all of heard about BitCoin Mining consuming as much electrical power as a European Nation. Well BitCoin Mining is just a fraction of the power consumed by Data centers and Cloud Service centers and the other big Silicon Valley data 'stealing' centers.

The simple fact is whilst Silicon Valley's power consumption is increasing, most personal storage and procrssing hardware power consumption is dropping significantly.

Thus if we turned the idea that we have to send personal and private data to the data stealers, to they jave to send limited functionallity applets to us, not only would we be reducing cyber-crime, we would also be reducing the consumption of fossil fuels and non-renewable energy sources.

Oh and we would also starve those other personal and private data stealers that are the Government agencies including but not limited to the LEA and IC entities.

So three desirable wins if we can get the type of information communicated swapped around from personal and private data to standardized and properly validated security wise software.

JonMay 6, 2019 6:19 PM

@ Wilhelm Tell

You have touched upon one way.

When a credit card number (and cvv) becomes compromised, the bank(s) and yourself retire the card, cvv, and everything else.

So what you need to do is set up several fictitious business entities (corporations are one kind, but not the only kind) to do business. When one is compromised, you simply discard it and start another.

There are overhead costs - incorporating starts at $500ish and goes up from there in a big hurry - but for some, it's worth it.

J.

Jim WMay 6, 2019 6:20 PM

Aren't companies that are breached victims? How can they be punished for crimes committed against them. I'm sure I'm naive but it's one of my best qualities.

Mr. NaiveMay 6, 2019 7:57 PM

@ Jim W
I'm not an expert,but if I understand correctly,
most(all?)of the thefts were successful because customer info is not encrypted. The companies are victims too, but because of their own foolishness. Not wanting to spend money for proper security.
Someone here will clobber me if I'm wrong!

Denton ScratchMay 7, 2019 6:57 AM

@Bruce
"But that's all ridiculous advice for anyone trying to live a normal life in the 21st century."

Rilly?

I use my mobile only for text messages; if I want to talk to a far-away person, I use the landline. I do understand that their mobile might be subject to metadata surveillance; I don't care much, because I rarely use the phone for criminal or terrorist activities.

"Don't use email"
I make extensive use of email - it's my main communications channel. I operate my own mail server - I've been running it since about 2000. I have to dispose of a lot of spam - it's automated. I also get phished a few times a day (that can also be classed as spam). I do not care for seafood, and phishing has never worked on me.

Email combined with a good VPN and GPG seems pretty sound to me. The VPN should protect the metadata (who is talking to whom); GPG should protect the content. Of course, you have to work out for yourself whether the system you are using is really sound; and that means you have to have thought about it, and have some knowledge about email security. So it's not for everyone. But then, communications security isn't for everyone - most people fail, even using strongly-encrypted systems such as Telegram or WhatsApp.

I know that the big credit agencies know all about me - stuff like my mother's maiden name, and so on. I lie about these things; for example, I might say that my favorite color is "rutabaga", or that my mother's maiden name is "Montenegro". But I know that they (believe they) know the truth. I'd love to see those agencies torn down. The information they hold is stolen; I have no relationship with them, commercial or otherwise, and they have no right to store and use that kind of data.

Rach ElMay 7, 2019 3:08 PM

I haven't seen the obvious suggestion of

Get a non-smart phone. Use it exclusively for SMS authentication

the SIM should be exclusively for this purpose. Don't the internet to
provide the new number to the 'provider', bank, whoever.

go a step better by having SIM not registered in your name, providing
that can be acheived legally, for example your spouse

use an new, exclusive email address for each account. preferably, one less insecure like Protonmail

**

some of the issues discussed above seem to be US specific. For example, I've observed in various non-US places, debit cards in fact receive the full fraud protection available to credit cards,v ia their VISA or MASTERCARD brand

MikeMay 8, 2019 5:44 AM

@1+1~=Umm wrote,

"If we want to reduce cyber-crime then we need to change things around such that software comes to us to process our data on our hardware, and we stop sending our data to their software on their processing and storage hardware."

Our big brothers would love that wouldn't they? atleast as far as in taking the burden of processing cost away from them to make it a truly "by the people" surveillance apparatus. The sticking point of late appears to be who's tab.

Another missing point is while we are theoretically protected on our end, what of protection of the system from its users? Sending "software" to end-users is prone to alterations on the client side. I'm not educated enough to elaborate on how this can be mitigated.

VinnyGMay 9, 2019 1:42 PM

@Bernie Cosell re: fictitious answers - I agree. I put the answers (without the question context) in the "additional information" in PWSafe. I usually construct answers that are both (relatively) unguessable and pique my sense of humour. For example (I can divulge this because I am no longer a customer of the bank, and the question itself was fairly unusual) on one site the question was "your favorite place as a child" and my answer was the name of the bar (long since closed) where I was first served alcohol as an underage customer...

TazMay 9, 2019 11:43 PM

Why does every hotel need ID? They aren't competent enough to keep that information private.

While I don't wish to complicate things, why can't I hand them a 64character single use code from an "escrow identity company"? And that would be all they need to sign us in AND later pay for it?

I hate paypal. But some things they do right. Like keeping my credit card number out of the hands of online misfits.

These days, I rarely if ever use credit cards online. Would prefer to pay cash, but Paypal as escrow is acceptable. A third party enforcing the rules....

PLURMay 11, 2019 3:39 PM

Another set of obvious(?) implications of modern (and historical) ID thefts, with or without fancy technologies:

1) proof of concept of thievery
2) proof of concept of con-artist techniques
3) proof of concept of propaganda techniques

this DIYer video (with or without sound) shows where "we" (who is who? who the h*** are you?) have been for the past several years.

I hope this has been educational.
PLUR

pleuromaMay 11, 2019 3:41 PM

missing video link for previous post: https://www.youtube.com/watch?v=ohmajJTcpNk

Another set of obvious(?) implications of modern (and historical) ID thefts, with or without fancy technologies:

1) proof of concept of thievery
2) proof of concept of con-artist techniques
3) proof of concept of propaganda techniques

this DIYer video (with or without sound) shows where "we" (who is who? who the h*** are you?) have been for the past several years.

https://www.youtube.com/watch?v=ohmajJTcpNk

I hope this has been educational.
PLUR

Graig JasonMay 11, 2019 10:35 PM

Get connected to Lord Zakuza now! { doctorzakuzaspelltemple@hotmail.com and WhatsApp him on + 1 (740) 573–9483 } to get your ex lover back...

Chuck PergielMay 12, 2019 12:12 PM

A password manager sounds like a good way to lose all of your passwords at once.
And how many accounts do you have that really need to be secure? And who are these nimrods who require passwords that conform to 16 different requirements to gain access to a forum discussion about the price of beans in Bolivia?

If you have so many important accounts that you can't remember the passwords, maybe you have too many accounts.

HenryMay 12, 2019 1:42 PM

@ Bruce Schneier

Bruce, I'm quite disappointed. Do you really think there's nothing we can do except for a bit of two-factor authentication and pushing for more government regulation?

As far as we can see, you're traveling with a separate iPhone, right? Why don't you use the same iPhone while traveling as you do while at home?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.