Shostack + Friends Blog Archive


New Year's Resolution Dept. — Protecting Against Identity Theft

It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions!

If yours is to get better control over your information privacy, particularly as it relates to identity theft, here are some effective steps you can take:

  1. Buy a shredder. Ninety percent of information theft is still low-tech and comes from dumpster-diving, etc. When we infosec people go on and on about break-ins and disclosures, we are the equivalent of transportation safety wonks talking about airline safety. It’s an exciting spectator sport, but for real safety, just internalize that when that traffic light turns green, it means that someone in a hurry has floored it and is about to enter the intersection.
  2. Drop off your outgoing mail at the post office, not in your home mailbox. The reason is the same. The best way for someone to get valuable information about how to pretend to be you is to rob your outgoing bills.
  3. Consider on-line bill-paying. As I said above, worrying about on-line security as opposed to paper security is like worrying about aviation security as opposed to automotive security. On-line bill paying moves you to a lower risk activity that is perhaps scarier because it’s less in your control, but it is genuinely safer.
  4. Get rid of extra credit cards. It lowers your vulnerable profile.
  5. Don’t perform financial transactions on your mobile phone in a public place. I have never been fond of mobile phones, but I’ve adapted. I travel a lot and often hear what people say loudly into their phones. Don’t recite your credit card number loudly, or your brokerage account number. Keep an eye on who can see your laptop screen, too. As a wise man once said, there are vultures everywhere.
  6. Lastly, there’s the whole issue of password security. While this could start a whole debate by itself, don’t use the same password for junk sites as for financial ones.

Photo courtesy of motoed.

4 comments on "New Year's Resolution Dept. — Protecting Against Identity Theft"

  • Alex says:

    How about risk transference? Anyone heard anything (good/bad) about Identity Theft insurance?
    I can’t figure out if I like the idea because I’m too paranoid or because it’s a good idea.

  • Adam says:

    I’m deeply skeptical of the 90% number. The numbers I see say that only 50% of victims think they know how they were victimized. I expect that some substantial portion of that has the wrong answer.

  • Mordaxus says:

    The 90% is a number that went around late last year. It’s a number and “documented,” whatever that means. There are statistical techniques that let you estimate a population from a sample. No doubt that’s a simplification, because if they got it from tracking solved cases, then it would really only be of solved cases.
    Another thing that bears on this is that “identity theft” as a term has been corrupted by legislation. There are Federal laws that define it to be just about any misuse of a credential. This means that any simple credit card suborning or even “pretexting” are all identity theft.

  • Adam says:

    Reliably estimating a whole from a sample requires some level of confidence that your sample is of the whole. I expect that a great many of the unsolved cases are unsolved precisely because they’re different–perhaps the unsolved 50% are from unreported breaches of databases.
