The concept of using lookalikes and forged documents to fool people is not new, but the introduction of the internet and easy-access online services has meant that identity theft has become an industry in itself.
Geraint Williams is CISO at IT Governance
One world, multiple identities
The basics of cybersecurity are firstly understanding what you are trying to protect, and then what you are protecting it from - so you can put the appropriate controls in place. So, in order to prevent identity theft, you need to know what your identity is defined by - both in the physical and cyber worlds. Once this is understood, you can ensure you have the right controls in place to protect those aspects that define your full identity.
In the physical world, your identity is defined by Government IDs such as passports, national insurance cards, driving licences and other important documentation, all of which can be forged or stolen. However, most people are aware of the risks from a stolen passport or driving licence, and the government deploys measures embedded within the document to make forgery much harder for criminals.
This is very different to the cyber world - where the majority of people are not fully aware of what actually identifies us online. This makes it much easier for criminals to steal and abuse those identities - because if you don’t know what needs protecting, how can you protect it?
In the physical world we essentially have a singular identity. In the cyber world, we have many identities as part of legitimate online activities - and compromising any of these identities can begin to cause huge problems that transcend into the real world.
Think beyond your physical identity
The protection of your identity starts with the basics: keep what identifies you to a minimum, keep this information in as few places as possible and do not share it with anyone. Keep your identity to yourself and do not give it away – because the less you give away about yourself, the lower the risk of that information falling into the wrong hands.
The following information is commonly known to identify a person:
- National Insurance number
- Phone number
- Login ID
- Social media posts
- Biometric data
- Digital images
However, there's also:
- Behavioural data
- IP address
How many people know your secrets?
If we think about the basic online identity, it is essentially a username and a “secret”. You could use the same identity on every website - but that becomes a risk, because if that identity is stolen the criminals have the key to unlock access to everything you use online.
Your credentials (such as a username and password) are not always stolen from you directly; more often they are stolen from the operators behind the systems you log on to, or even from your password manager.
You only have to look at the volume of credentials that have been leaked from breaches to realise that if you have been using the internet for even just a few years, some of your credentials are likely to have been stolen and published online from some kind of data breach.
Try not to be yourself
According to Moore’s Law, computing power doubles every 18 months – which means every 18 months the time taken to carry out a brute force attack on a password will halve. This is the reason why recommendations for password length and complexity increase with time – because a key length that was secure 10 years ago will not be so secure now.
For best practice – when choosing and changing your password, the NCSC recommends three random words that are unrelated to each other, and are also not ones that relate to yourself. So, the name of your pet or hometown should be discarded as options when making up your password.
This is because knowing something about someone is a good place to start when guessing their password, and in today’s world you really don’t need to know them physically – the majority of people nowadays will happily share details of their loves and hates on social media, which can be harvested by those wishing to steal identities. It would not take a stroke of genius to realise that someone posting pictures of their pet may well have related words as part of their password.
However, as we know, passwords frequently get stolen, so whilst it’s important to change them regularly, it’s also important that online identities are protected by more than just one set of credentials. This is where multifactor authentication steps in.
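As an added illustration (not part of the original article), the Python sketch below picks three random words while excluding terms tied to you, and models how the time to exhaust the search space halves under the article's 18-month doubling figure. The word list, function names and guess rates are assumptions made for the example.

```python
import math
import secrets

# Constructed sample list; a real generator would load several thousand words.
WORDS = ["copper", "lantern", "orbit", "thistle", "marble", "juniper",
         "anchor", "velvet", "glacier", "pepper", "harbour", "quartz"]
DOUBLING_MONTHS = 18  # the article's figure for computing power doubling


def three_random_words(personal_terms, words=WORDS, count=3):
    """Return (chosen words, usable pool size), skipping words tied to the user."""
    banned = {t.lower() for t in personal_terms}
    pool = [w for w in words if w.lower() not in banned]
    if len(pool) < count:
        raise ValueError("word list too small once personal terms are removed")
    chosen = []
    while len(chosen) < count:
        word = secrets.choice(pool)  # CSPRNG, not random.choice
        if word not in chosen:
            chosen.append(word)
    return chosen, len(pool)


def search_space_bits(pool_size, count=3):
    """Entropy in bits of `count` distinct words drawn in order from the pool."""
    return math.log2(math.perm(pool_size, count))


def exhaust_seconds(bits, guesses_per_second, years_from_now=0.0):
    """Worst-case time to try every candidate, with the attacker's guess rate
    doubling every DOUBLING_MONTHS months."""
    speedup = 2 ** (years_from_now * 12 / DOUBLING_MONTHS)
    return 2 ** bits / (guesses_per_second * speedup)


if __name__ == "__main__":
    # "pepper" stands in for a pet name the user has posted about (constructed).
    words, pool_size = three_random_words(personal_terms=["Pepper"])
    bits = search_space_bits(pool_size)
    print("-".join(words), f"({bits:.1f} bits from this tiny sample list)")
    for years in (0, 1.5, 10):
        secs = exhaust_seconds(bits, guesses_per_second=1e3, years_from_now=years)
        print(f"after {years} years: {secs:.3f} s to exhaust")
```

The tiny sample list is only there to keep the example self-contained; the entropy figure scales with the size of the real word list.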
The recommendations for verifying a person’s identity in the real world include using multiple documents. There are three basic factors in the cyber world:
- Something you know - such as your mother's maiden name
- Something you have - such as a security token or phone number
- Something you are - biometric credentials
The same factor can be used multiple times, but this is not as strong as using multiple factors - and for true 2-factor authentication (2FA) it should be two independent factors. The second factor should not rely on the first - so using the same username and password for a system to open your email account and retrieve a security token is not true 2FA.
Whilst biometrics are usually considered a reasonably strong factor, they can be bypassed by using fake fingerprints, voice recordings or photographs – think of how many photos you have of yourself on social media platforms such as Instagram, Facebook or LinkedIn, and remember that these can provide a rich source of imagery to fool facial recognition.
Has your identity been stolen?
Let’s go back to the original point that, in the age of the internet, identity theft has become an industrialised business rather than a cottage industry. The basic online identity of a username and password doesn’t fetch much on the dark web, but if it’s a password you use for multiple accounts it can become a rewarding purchase if the person is prepared to do a little digging.
However, it is the portfolios that consist of identification numbers, addresses, birthdates, credentials, medical records etc. that attract the best prices. If someone is after your full physical and cyber identity and is prepared to do anything, it’s likely that they’ll be able to get it if you don’t act with caution.
That aside, 99% of those involved in identity theft are after quick and easy money. They are also likely to be in a different country or continent to you, so won’t be able to pick your pockets or break into your home to steal devices – they aren’t state spies. However, these are the ones that will be hunting down your cyber identities which are much easier to target, so it’s important you educate yourself on the risks and not give away any crucial information that can be accessed remotely.
There are several steps you can take to limit the risk of identity theft both in the real world and online.
In the real world:
- Securely store documents that carry personal information that can identify you - such as your name, address etc.
- Securely destroy these documents when they are no longer required
- Monitor your bank accounts and credit rating for any suspicious activity
- When you move to a new house, ensure all contacts are updated and the mail is redirected
- When disposing of electronic equipment, ensure it's wiped
In the cyber world:
- If you're buying online, take the time to examine the website and ensure it's secure
- Educate yourself so you can recognize online scams
- Quizzes on social media are very often a means of tracking those who respond - copy and paste the link instead of clicking directly
- Secure your passwords and use different ones for different accounts
- Don't secure your password vault with the same credentials you use online
- Use multi-factor authentication where possible
Finally, in all circumstances you should always disclose the minimum amount of information to ensure the maximum amount of security. At the end of the day, your identities are an integral part of you - so don’t lose control of them. Stay alert, and you won’t be disappointed.