1.866.436.5461www.idtheftsupportcentre.org

Online Identity TheftProtection Guide

Canadian Identity Theft Support Centre Protecting Yourself from Online Identity Theft – A Guide

entitytheft

Canadian Identity Theft Support Centre

1.866.436.5461 www.idtheftsupportcentre.org

Page • Introduction 1• Protecting Your Computer 1• Wireless Home Networks 4• Public WiFi Hotspots 4 • Safe Online Habits 5• Smartphones and Other Mobile Devices 7• Social Networking, Blogging, and Online Dating 8• Peer-to-Peer (P2P) File-sharing 10• Online Shopping 10• Glossary of Technical Terms 11

1

IntroductionMany of us now use the Internet on a daily basis. It is easy to forget that our connection to the Internet is like a window: just as we can see out, others - with the right technology and know-how- can see in. Not only can they view our communications but they can access the information we store in our computers – unless we take measures to stop criminals and others from accessing our computers and to protect our online communications.

This guide describes how best to protect your computer and manage your online activities to reduce your risk of becoming a victim of identity theft. It provides more extensive and detailed information on computer security and online protection than that provided in CITSC’s general Guide to Preventing Identity Theft.

A glossary at the end of this publication explains technical terms.

NOTE: Identity theft occurs both offline and online. See CITSC’s general Guide to Preventing Identity Theft for tips on how to protect yourself offline.

Protecting Your ComputerWithout adequate computer security, you can take all the precautions you like to keep your online communications private but you will remain vulnerable to identity thieves who could infiltrate your computer, steal your personal information and then sell or use it fraudulently. Protecting your computer(s) is therefore the first step to take in online security. The following applies to all computers you use to access the Internet.

Ensure that each of your computers is protected by a firewallWhenever your computer is connected to the Internet, thieves have relatively easy access to it – and to information stored on it - unless you have installed a firewall to keep them out. Firewalls prevent unauthorized access to your computer by monitoring data entering and exiting your computer and blocking data that comes from unsecured, unknown or suspicious locations, unless you configure the firewall (or tell it) to allow that data. Firewalls are sold with default settings that are usually customizable by the user. In order for your firewall to be effective, it should be set to block everything as a matter of course and it should allow you to override the block but only on a case-by-case basis.

Firewalls can be software-based or hardware-based. Software-based firewalls must be configured properly and allowed to update regularly in order to be effective. Operating systems such as Windows and Mac come with built-in firewalls that are normally sufficient

2

protection. You can also purchase software-based firewalls together with anti-virus protection as part of a computer security package. Such software-based firewalls must be installed separately on each computer or device that needs protection. Running more than one software-based firewall on a computer could cause conflicts - check what your operating system recommends in this respect before installing an additional firewall program.

Hardware-based firewalls are physical devices - typically provided as part of a router -that protect all computers on a network. They are standard for business applications and recommended by many computer experts given the high level of protection they typically provide and the fact that they don’t interfere with – and can’t be compromised by – your computer. If you have more than one computer on a home network, a router-based hardware firewall is recommended in addition to a computer-specific software firewall.

NOTE: Firewalls cannot protect you from viruses attached to e-mail messages. You need an anti-virus program for this purpose.

Install anti-virus/anti-spyware software on each of your computersIn addition to a firewall, anti-virus software is essential and should be installed on every computer that you use to connect to the Internet. Look for anti-virus software that also protects you from spyware. Good quality anti-virus/anti-spyware software is continually updated in order to keep up with the latest threats. Anti-virus

software will scan e-mail and delete (or quarantine) suspicious attachments from e-mail messages before you open the messages. It will also scan your computer at preset intervals to identify and deal with any threats that have lodged in your computer. Set your anti-virus software to run a deep scan (as opposed to a regular scan) at least weekly for this purpose.

There are a number of reputable providers of anti-virus software (ask your local computer shop what they recommend). Subscriptions are typically offered for one, two or three years, and for one or more computers. Some anti-spam protection is provided automatically by most Internet service providers and/or e-mail programs. Some Internet service providers may also offer free anti-virus software, as it is in their interest to prevent viruses from spreading through their network. Check to ensure that such free services meet your needs before relying upon them.

NOTE: Even when you have an anti-virus program, you should not open an e-mail attachment if you are at all unsure about it.

Use an anti-spam programA common technique of identity thieves - called “phishing” – is to trick computer users into revealing personal or financial information, such as a bank account password. The vehicle for this technique is spam (an unsolicited e-mail message). A typical phishing scam begins with an e-mail message that appears to come from a trusted source, but actually directs recipients to provide information to a fraudulent website. Firewalls can’t determine the contents of e-mail

3

messages, so they can’t protect you from this type of attack. Nor does anti-virus protection help with this threat because phishing e-mails do not contain viruses or malware. Anti-spam programs can, however, help to protect you from phishing scams as long as they recognize the phishing e-mail as spam.

Most ISPs and e-mail programs offer some level of spam filtering. Anti-spam programs are also available online (some are free) and often come packaged with anti-virus software. Anti-spam software will block or quarantine messages that the program recognizes as spam based on the settings you have chosen. It will allow you to review a list of blocked e-mails and override the block if an e-mail is legitimate and you wish to open it.

Keep your firewall and anti-virus programs currentMake sure that your anti-virus and firewall software are set to update frequently (hourly for anti-virus) so that they are keeping up with the latest threats. Updates will occur when your computer is turned on and connected to the Internet.

Anti-virus programs will check all e-mail as it comes in, and will scan your computer for viruses at intervals that you specify. Set the anti-virus program to scan your computer weekly. If you turn your computer off at night (as suggested below), these scans will happen the first time you turn the computer on after the scanning interval has been reached.

If you have a subscription for firewall or anti-virus software, do not let it run out! The company providing your software

will alert you in advance of the expiry date. Do not ignore periodic messages to update your security software. On the other hand, be sure that the warning is legitimate before you act on it.

Allow operating system updates Software updates are designed to fix problems in your computer’s operating program. These problems can include security vulnerabilities. Operating systems (e.g., Windows) and other software programs need to be updated frequently to keep up with new threats posed by computer hackers. Your operating system will let you know when upgrades are ready to be installed – don’t put off installing security-related upgrades.

Turn off your computer when it is not in use.One of the simplest things you can do to prevent online identity theft is to disconnect computer from the Internet when it is not in use. When your computer is shut off it is also disconnected from the Internet and therefore prevents access by potential thieves.

No anti-virus program can protect against all viruses at all times, even when they are up-to-date. Good anti-virus programs respond quickly to new viruses as they emerge, but there is always a gap between the virus and the anti-virus protection. The best protection is to have both a firewall and continually updated anti-virus software installed on your computer.

4

that is publicly broadcast by the wireless transmitter to identify your network to another computer that wishes to connect to your network. Resetting a router to the factory default settings is usually no more than depressing a back panel switch with a paper clip and rebooting the router. Here are some suggestions for managing your own wireless router:

1. Change the default administrator password (and the administrator user name, if possible). Use a strong password for the administrator password (8+ characters, mixed text, numerals and/or special characters). Do not use a password that is related to the wireless connection password that each user needs to gain wireless access. Needless to say, record the password somewhere secure in case you forget it.

2. Disable remote management of the router unless you need to change router settings from a remote location.

3. Reset the default SSID (the identifier for your home network) to a new name. A default SSID such as “Linksys” begs hackers to test your network, to see if any of the default login information is also being used for administrator access. Choose a name for your home network that does not identify your family or business, since the SSID will (unless you make other changes) be visible to any wireless unit within range.

4. After setting a password for users to gain access to your home network (ie: the router “key”), protect it. This password will allow anyone within range of your wireless transmitter to join your network.

Wireless Home NetworksWireless networks are becoming the norm in home environments especially given the increasing popularity of laptops, tablets, smartphones and other mobile computing devices. But the risk of being hacked is high if your wireless network is not properly secured. In addition to the basic protections of a firewall and anti-virus program installed on each computer, you should ensure that your wireless router is configured to provide maximum protection.

Choose a wireless router with strong security protectionsThere are many different brands and models of wireless routers. Choose a router that you are confident will protect your network. You should be able to download a PDF user manual for the router that clearly and thoroughly explains the security, encryption, and firewall settings available to you to protect your network. Ultimately, your network security will depend upon the features available in your wireless router and your choice of appropriate settings to secure the network.

Ensure that your router settings are adequate If you don’t want to rely upon the manufacturer’s claims or the advice of experts, you can take additional steps to ensure that your router is configured to provide maximum protection. The factory default user name and password for access to most routers is usually publicly available and can be found by doing a web search. So is the default SSID - the name

5

5. Ensure that the router firewall is enabled.

6. Ensure that wireless encryption is enabled. All wireless devices that connect to your network must use the same type of encryption, such as WPA, WPA2, WEP, etc. If possible, use one of the newer standards, such as WPA2, or WPA, which are harder to decrypt/hack than the earlier WEP standard.

7. Ensure that a software firewall is running on each computer in your network, both those with wired and wireless access to the network.

Public WiFi HotspotsWireless Internet access is becoming increasingly available in public places such as cafés, airports, libraries, hotels. Even some municipalities are making it available throughout their territory at low or no cost. Such public Internet access has great advantages but it also involves risk to users if the connection is unsecured (e.g., with a password available only to trusted users).

When you use a laptop to connect to the Internet via an unsecured wireless network, the wireless adapter in your laptop communicates with the network’s router over regular radio waves. That means that anyone around you can listen in on all your Internet communication, simply by tuning into the right radio channel. Many people have had their credit card or other account information stolen by thieves who simply eavesdropped on their unsecured wireless communications at public hotspots.

The best protection is to avoid using unsecured public wireless networks altogether. But if you want to take advantage of public wireless networks that are not properly secured, the following precautions (in addition to those listed elsewhere in this document) will help to minimize your risk:

1. Disconnect from the wireless network when you stop using it. Don’t leave the connection open while you engage in other activities that don’t require it.

2. Turn off shared folders. In some circumstances, hackers can actually reach into your computer and access information in shared folders.

3. Limit your online activity to browsing. Even seemingly innocuous logins to webmail accounts could give hackers access to your more important data, since most of us use similar passwords for almost all online activities.

If using webmail, ensure that the webmail program uses HTTPS/SSL encryption for e-mail access.

4. Use a Virtual Private Network (VPN), which encrypts data moving to and from your laptop. VPN encryption protects your Internet communications from being intercepted by others in WiFi hotspots.

Safe Online HabitsDo not respond to unsolicited e-mailsOne of the most effective techniques of identity thieves is “phishing”: luring unsuspecting e-mail users into providing account or other personal information by

6

pretending to be a service provider. Some phishing schemes are so sophisticated (using the logo, typeface and other hallmarks of the impersonated service provider) that it is difficult to determine whether they are legitimate or fake. NEVER respond to an unsolicited e-mail request for your account information, password or other sensitive personal information. Such requests are almost always scams.

Do not open strange e-mails, attachments or linksDon’t open e-mail messages or attachments if you don’t recognize the sender or if the message seems suspicious. Even messages from people you know can be dangerous if they are caused by computer viruses. If the message seems strange, do not respond to it. Delete it immediately. Attachments are most dangerous – they can carry spyware that lodges in your computer and sends your personal data back to the criminal who can then use it to perpetrate identity theft.

Be certain of the source and content of each file you downloadBefore downloading a file, be certain that the contents of the file are not harmful; use your anti-virus program to scan questionable files before you open them. Computers of people you know and trust can be infected such that that any file they send you may infect your computer . Do not simply download an “executable” file without being certain that it is legitimate. If it contains a virus, it will infect your computer the first time it is run.

Be wary of “pop-ups”“Pop-ups” are a common method of online advertising but they can also be used to deliver malware to your computer. This malware could then be used to gather your personal information without you knowing. If a strange window pops up on your computer, close it. Do not click “OK” or “continue” unless you know that it is legitimate.

Activate or install pop-up blockers You can prevent pop-up windows from appearing by using a pop-up blocker. Most Internet browsers now come with pop-up blocking tools. Open your browser and look under “Tools” or “Options” to find the pop-up blocker. There are also a variety of pop-up blocking tools available online.

Beware of “.exe”, “.com” and “.zip” files Malware is typically delivered via executable files. Executable files can be identified by the filename extensions “.exe” and “.com” . They may also come in a “.zip” file that auto-installs once clicked. Don’t allow an executable file to run on your computer unless you know it is safe.

Beware of hidden file extensionsGood anti-virus software should alert you to this ploy. Malware can be hidden by appearing to be a benign file while hiding a “.exe” file extension name. For example, you may receive a file “penguin.jpg,” which promises to be a photo of a penguin. But the real extension of the file may be hidden and the file is actually named “penguin.jpg.exe,” an executable file that contains malware.

7

By default, Windows and Macs hide file extensions. To show these extensions for Windows, go to Tools/Folder Options/View and select “Apply to all folders”. To show these extensions for Macs, go to Finder/Preferences/Advanced tab/ and select “show all file extensions.”

Make sure that a website is safe before you give it any personal informationMany criminals use professional-looking websites to mask their activities. Don’t assume that a site is safe just because it looks professional. Some sites may be spoofed versions of legitimate business websites. Check the website address (URL) and make sure that it is valid and what you would expect. Browse around the site – does it look legitimate? Is there a physical address and phone number? Call the phone number and ask questions to determine whether the site is legitimate. Transact only with sites that indicate via their URL that they are secure (https://).

If you play games online, do not post your IP addressIt is always best to log into another game server rather than inviting others to log into your server by providing them with your IP address. Giving your IP address to others is unnecessary and provides thieves with information that they can use to get beyond the barrier of your firewall. Do not post your IP address on websites or newsgroups unless you are certain that your own computer is well protected.

Use strong passwords for online services you register withAn effective password should be at least 8 characters long, use a mix of upper- and lower-case letters, numbers, and

non-alphabetical characters. Do not use easily-available information such as your mother’s maiden name or your birth date.

Do not participate in contests, quizzes or other online promotions that require you to divulge personal information.

Smartphones and other mobile devicesMobile devices that connect to the Internet are valued for their convenience and efficiency but they can make users more vulnerable to identity theft. Along with the increased computer capabilities of mobile devices comes a higher risk of exposing personal information to identity thieves. Risks include loss or theft of the device, user-specific information stored on the device, frequent exposure to unsecured wireless service areas, and unsafe applications designed for mobile devices. Smartphone users need to take extra precautions to avoid becoming victims of identity theft.

Password-protect your smartphone. This is the simplest step you can take to prevent your information on your device from being accessed. Make sure it is a strong password that is not similar to or associated with personal information such as your name, birth date, or other information that a thief might know or could easily obtain. Don’t share your passcode with others, and don’t allow your device to remember the password.

Treat your mobile device as you would your home computer. Install security (anti-virus) software specially designed for mobile devices and configure it to scan your device regularly. Allow security-

8

related operating system and software updates.

Be cautious when using your smartphone online. Use the same precautions when on the Internet as you would with any other computer. Limit your activities while using public Wi-Fi. (see above).

Beware of applications. Before installing an application on your smartphone, take the time to read the fine print and review the application’s ratings. Find out what personal information the app requires access to, and consider if this information is necessary for the app to run successfully. If you cannot see a reason for the app to have access to the information, consider whether it’s worth installing.

Install a backup/wiping program that will back up the information on your mobile device to your home computer and “wipe” your phone if it is lost or stolen so that no data remains on the device itself. These services are available through device manufacturers and wireless service providers. iPhones have a built-in “wipe” feature that if turned on will wipe the phone after 10 failed log-on attempts.

Do not “jail-break” or use a “jail-broken” phone. A jail-broken phone is a phone that been reconfigured so as to open its operating system to applications which would otherwise not be compatible with the operating system. Once jail-broken, the phone is vulnerable to anything the user downloads.

Check URLs before making a purchase using your Smartphone. Any page that requires credit card information should

start with https://. This means it is a secured site.

If your Smartphone is lost or stolen, call your service provider and report your phone as missing. If you have enrolled

in a backup / wiping program, now is the time to use it! Contact the administrator of your program and have them “wipe” your phone. If you have not enrolled in a backup / wiping program, treat the loss of your Smartphone as you would the loss of a wallet or purse.

For more information on protecting your Smartphone or other mobile device, see the US-based Identity Theft Resource Center (ITRC) Fact Sheets 144 – 147, available online at www.idtheftcenter.org under “Document Catalogue”.

Social Networking, Blogging, and Online DatingIdentity thieves don’t have to steal the information they need to impersonate you if you make such information readily available to them. Personal websites, blogs, social networking sites and online dating sites are prime sources of information for identity thieves. Because

https://www.paypal.com

9

these online activities are founded on divulging at least some personal information, using them will always entail some risk. However, there are steps that you can take to reduce your exposure to identity thieves if you choose to use these types of online services.

Read the site’s privacy and security policies closely before you join it. Understand what you are agreeing to and be sure that you are comfortable with it.

Provide the least amount of personal information possible when joining or registering with a site. Make up a birth date or other information if necessary.

Use the highest privacy settings that the site offers. Do not simply accept default settings – these are typically set to share your information widely. Take the time to examine and adjust your privacy settings (if possible) so as to ensure that you aren’t inadvertently sharing your information with strangers.

Limit the information that you post online. Think before you post: could this information be used by an identity thief or fraudster?

Never disclose particularly sensitive personal information such as your full name, birth date, home address, Social Insurance Number, or ID numbers on your profile or otherwise on the site. This kind of information is gold for identity thieves.

Do not accept “invitations” to connect with unfamiliar persons. Connect only to people you know and trust (confirm with the person offline to be sure it is them), and even then be mindful of

the information you exchange, as it is possible that they may inadvertently pass it on to others.

Disconnect from your account before you go on to other things. Never leave your connection open, especially if you are using a mobile device – if someone else gets hold of your device and your account is open, they can pretend to be you on the site.

Do not give your user account details or passwords to your friends.

Never post information that could be useful to thieves, such as when you are going away on holiday or directions to your house.

Select a setting that does not display a time stamp on your posts.

Be wary of applications, especially free applications. Nothing is free; the price is often your personal information. Take the time to find out what information about you the application requires and then decide if it is worth downloading.

Do not activate links that lead you to another website, even if the link was sent to you by a known friend or posted on their profile.

Do not respond to e-mails that ask you to update your profile unless you know them to be legitimate. Such e-mails may be phishing scams designed to gather your user name and password in order to retrieve greater amounts of personal information that can then be used in identity fraud.

10

Peer-to-Peer (P2P) File-sharingIf you use a peer-to-peer (P2P) file-sharing program such as Bit Torrent, Morpheus or Kazaa to download and upload music, movies, and files with other users, you are exposing yourself to greater risk of identity theft. With P2P file-sharing, shared files are stored on users’ computers where they can be accessed by other users on the network. If you do not carefully set up your shared information or shared drives, you could end up sharing more information than you intended. Even with carefully restricted file sharing, P2P users can inadvertently allow malware to enter their computers. The following precautions are strongly recommended if you engage in P2P file-sharing:

1. Download files only from trusted sources. Scan all your files that you receive during a file-transfer with effective anti-virus software.

2. Run virus scans regularly to ensure that no folders or drives are placed in a share mode without your knowledge.

3. Periodically check the files you keep in the shared folder.

4. Provide minimum (Read Only) privileges on the shared files.

5. Make sure that your shared folder is not the default folder for any other application or for downloads.

Online ShoppingMake purchases only from businesses that you know are legitimate. Some websites are designed for the sole purpose of stealing your personal information, especially credit card numbers. If you are unsure about the legitimacy of the business, research it via the Internet (to see what others say about it), call and ask questions to determine its legitimacy, or contact the Better Business Bureau to find out if it is a member.

Place orders only through secure websites. Secure websites will have web addresses that begin with “https://” and the web browser should display a locked padlock icon and no certificate warnings or error messages.

Pay for online purchases only with a credit card or secure online system such as PayPal. Never pay with a cheque as cheques are easily copied and contain too much personal information.

Don’t store your credit card information or other personal information on shopping sites. While this makes future purchases from that site easier (because you won’t have to enter the same information each time), it puts your information at risk of being stolen from the site or exposed unintentionally through a security breach.

Read the fine print. Confirm that the business does not share your personal information with other businesses, or opt out of such sharing if necessary. You are legally entitled to “opt-out” of all non-essential use and sharing of your personal information.

11

Glossary of Technical TermsBlog: short for “weblog”, a personal journal published on the web, consisting of discrete entries (“posts”) typically displayed in reverse chronological order so the most recent post appears first.

Bot: short for “web robot”, a software application that runs automated tasks over the Internet. Bots can be innocent or malicious. Malicious bots can be used to harvest personal information from websites and send viruses and worms to other computers, among other things.

Botnet: a collection of compromised computers connected to the Internet

Cracker: a person who breaks into a computer system, typically for an illegal purpose

(see “Hacker”)

DSL: Digital Subscriber Line - a technology for the high-speed transmission of digital

information over standard telephone lines.

Encrypted: converted into a code to prevent unauthorized access.

Executable: a type of file or program that performs specified tasks according to encoded instructions. The file extension “.exe” indicates that a file is executable. Non-executable (data) files (e.g., .doc, .pdf, .jpg), in contrast, must be read by a computer program.

Hacker: a person who uses computers, often skillfully, to gain unauthorized access to data.

Hardware: physical components of a computer.

IP Address: Internet Protocol address - a unique string of numbers that identifies a computer’s address.

ISP: Internet Service Provider.

Malware: short for malicious software; includes viruses, worms, spyware, and trojans among other programs

Newsgroup: a group of people who post messages about a single subject or topic on a computer network.

Peer-to-peer (P2P): a type of networking in which each participant makes a portion of their computer resources available to other participants (peers); these resources may be processing power, storage, or bandwidth. This system replaces the need for a central source of coordination, such as a server.

entitytheft

1.866.436.5461www.idtheftsupportcentre.org