“One of the things that surprises people is how many little pieces of information you can leave about yourself all over the Web,” says Alfred Huger, vice president of development at Symantec’s Security Response unit. “In and of themselves, it doesn’t look like you’re losing much by way of privacy, but when you take all that information from all those sites and combine them in one place, it becomes pretty alarming.”
Divulging such information as educational and employment history, places of residence and lists of family, friends, and associates helps fraudsters paint a picture of you, making it easier to impersonate you as part of an identity theft scam.
Fraudsters can use this information to perpetrate phishing scams by sending e-mail messages that appear to come from someone you know.
Similarly, people who participate in multiplayer online gaming sites often exchange personal information to download such things as new characters, extra capabilities, or virtual money. This information can also be used for phishing scams that lead to malware-infected sites.
“If you get an e-mail, even if it’s from your friend, asking you to go to a site, check the URL to see if it’s legitimate,” says Uri Rivner, head of new technologies at RSA, the security division of EMC. “If the Website asks you to download something, don’t. Be suspicious, be vigilant.”
If losing your wallet was once cause for concern, think about how much information you’re carrying around on your cell phone or mobile device.
“Losing your cell phone has a lot of information on it that can be used to execute identity theft, buy goods and services,” says Marty Lindner, a senior technical staff member at CERT.
“Take your address book,” explains Lindner. “It’s great for all sorts of information: phone numbers of doctors, people you do business with. You can call one of those contacts and if they recognize your phone number, that’s the first step to identity theft. I know people who store their credit card numbers, passwords, the PIN to their ATM card. They don’t admit they’re doing it, but evidence has proven they are doing it.”
And the increasing popularity of smart phones, which provide mobile Web and e-mail access, only increases the amount of sensitive information readily available to fraudsters.
Christopher Young, senior vice president at RSA, suggests using a password to protect your mobile phone.
“That’s a quick way of making sure if you lose it, someone else can’t access the information that’s on there too easily,” he says.
Banking On Your Mistakes
Most users who keep their security software up to date feel confident, but, as always, fraudsters have found ways to circumvent such roadblocks. Rivner says a type of malware called Limbo is gaining popularity among hackers.
Here’s how it works. When you visit a legitimate site, such as an online bank, the Limbo malware that has infected your computer—often via a phishing attack—integrates itself into your Web browser through a process called HTML injection, which can alter a Web site’s layout. On an online banking site, it can automatically trigger a command that asks you for additional information, which the hacker then collects to gain access to your account.
“If your bank all of a sudden is asking you for a lot of sensitive data rather than just your username and password to access the site, that’s a sign you have a Trojan on your machine,” says Rivner. “If they’re asking for your ATM card number, PIN number, Social Security number, that should raise some suspicion.”
If this happens, Rivner suggests calling the bank to make sure divulging that additional information is necessary. “The bank could be tweaking its security from time to time, but it will never ask for this kind of information.”
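As an added illustration (not code from the article or from RSA), the check below compares the form fields a bank's real login page serves with the fields in a page captured from a customer's browser and reports any extra ones, which is the symptom Rivner describes. The sample HTML, the field names and the keyword pattern are constructed assumptions.

```python
from html.parser import HTMLParser
import re

# Name hints for the data the article says a bank login should not ask for
# (ATM card number, PIN, Social Security number). The pattern is an assumption.
SENSITIVE = re.compile(r"pin|ssn|social|card|atm", re.I)
# Controls the user cannot type into are skipped.
NON_ENTRY_TYPES = ("submit", "button", "hidden", "image", "reset")

class FieldCollector(HTMLParser):
    """Collect the name (or id) of every data-entry control in an HTML page."""
    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        if (a.get("type") or "text").lower() in NON_ENTRY_TYPES:
            return
        name = a.get("name") or a.get("id")
        if name:
            self.fields.add(name.lower())

def form_fields(html):
    collector = FieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields

def injected_fields(baseline_html, observed_html):
    """Return {field: is_sensitive} for controls present only in the observed page."""
    extra = form_fields(observed_html) - form_fields(baseline_html)
    return {f: bool(SENSITIVE.search(f)) for f in sorted(extra)}

# Constructed sample: the login form as the bank serves it ...
BASELINE = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="csrf" value="x"><input type="submit" value="Sign in"></form>"""
# ... and the same page as captured from an infected browser (also constructed).
OBSERVED = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="text" name="atm_card_number"><input type="password" name="atm_pin">
<input type="text" name="ssn"><input type="text" name="nickname">
<input type="hidden" name="csrf" value="x"><input type="submit" value="Sign in"></form>"""

if __name__ == "__main__":
    for field, sensitive in injected_fields(BASELINE, OBSERVED).items():
        print(f"unexpected field: {field}" + ("  [sensitive]" if sensitive else ""))
```

Any unexpected field is worth investigating; the keyword match only ranks which ones to look at first.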
Security experts say you can also protect yourself by following a few basic rules.
Lindner suggests setting up separate accounts on your computer (both Windows and Mac OS allow you to do this). While most people use the default administrator account, Lindner says doing so increases your risk of data theft because most malware requires administrator privileges in order to install. Hackers can gain access to that account more easily, so keep sensitive information on a secondary “user” account.
Be vigilant about monitoring your accounts, check your credit reports regularly and keep your security software and operating system up to date.
“The more hygienic your computer, the chances of getting infected are reduced dramatically,” Rivner says.