company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Canadian Identity Theft Support Centre

Protecting Yourself from Online Identity Theft – A Guide
• Introduction
• Protecting Your Computer
• Wireless Home Networks
• Public WiFi Hotspots
• Safe Online Habits
• Smartphones and Other Mobile Devices
• Social Networking, Blogging, and Online Dating
• Peer-to-Peer (P2P) File-sharing
• Online Shopping
• Glossary of Technical Terms
Canadian Identity Theft Support Centre
1.866.436.5461
www.idtheftsupportcentre.org
Introduction

Many of us now use the Internet on a daily basis. It is easy to forget that our connection to the Internet is like a window: just as we can see out, others - with the right technology and know-how - can see in. Not only can they view our communications, they can also reach the information stored on our computers, unless we take measures to keep criminals and others out of our computers and to protect our online communications.

Without adequate computer security, you can take all the precautions you like to keep your online communications private, but you will remain vulnerable to identity thieves who could infiltrate your computer, steal your personal information and then sell it or use it fraudulently. Protecting your computers is therefore the first step in online security. The following applies to every computer you use to access the Internet.

This guide describes how best to protect your computer and manage your online activities to reduce your risk of becoming a victim of identity theft. It provides more extensive and detailed information on computer security and online protection than CITSC’s general Guide to Preventing Identity Theft. A glossary at the end of this publication explains technical terms.

NOTE: Identity theft occurs both offline and online. See CITSC’s general Guide to Preventing Identity Theft for tips on how to protect yourself offline.

Protecting Your Computer

Ensure that each of your computers is protected by a firewall
Whenever your computer is connected to the Internet, it can be reached from the Internet - and so can the information stored on it - unless a firewall keeps unsolicited connections out. A firewall monitors the data entering and leaving your computer and blocks connections that you did not ask for or that come from unknown or suspicious sources, unless you configure it (or tell it) to allow them.

Firewalls ship with default settings that are usually customizable by the user. To be effective, a firewall should block unsolicited inbound connections as a matter of course (a "default deny" policy) and let you override the block only on a case-by-case basis, for a specific program or service that you actually need.

Firewalls can be software-based or hardware-based.

Software-based firewalls must be configured properly and allowed to update regularly in order to be effective. Operating systems such as Windows and Mac OS come with built-in firewalls that normally provide sufficient protection. You can also purchase software-based firewalls together with anti-virus protection as part of a computer security package. Such software-based firewalls must be installed separately on each computer or device that needs protection. Running more than one software-based firewall on a computer can cause conflicts - check what your operating system recommends before installing an additional firewall program.

Hardware-based firewalls are physical devices - typically built into a router - that protect all computers on a network. They are standard in business settings and recommended by many computer experts because they provide a strong first layer of protection and, running on a separate device, are not switched off when malware compromises one of the computers behind them. Note that a router firewall only filters traffic crossing the router: it does nothing about traffic between devices on your own network, and it typically does not inspect connections that a program on your computer opens outward. If you have more than one computer on a home network, a router-based hardware firewall is recommended in addition to a software firewall on each computer.

NOTE: Firewalls cannot protect you from viruses attached to e‑mail messages. You need an anti-virus program for this purpose.
Install anti-virus/anti-spyware
software on each of your
computers
In addition to a firewall, anti-virus software
is essential and should be installed on
every computer that you use to connect to
the Internet. Look for anti-virus software
that also protects you from spyware.
Good quality anti-virus/anti-spyware
software is continually updated in order to
keep up with the latest threats. Anti-virus
software will scan e-mail and delete (or
quarantine) suspicious attachments from
e-mail messages before you open the
messages. It will also scan your computer
at preset intervals to identify and deal
with any threats that have lodged in your
computer. Set your anti-virus software to
run a deep scan (as opposed to a regular
scan) at least weekly for this purpose.
There are a number of reputable providers
of anti-virus software (ask your local
computer shop what they recommend).
Subscriptions are typically offered for one,
two or three years, and for one or more
computers. Some anti-spam protection
is provided automatically by most Internet
service providers and/or e-mail programs.
Some Internet service providers may
also offer free anti-virus software, as it is
in their interest to prevent viruses from
spreading through their network. Check
to ensure that such free services meet
your needs before relying upon them.
NOTE: Even when you have an anti-virus
program, you should not open an e‑mail
attachment if you are at all unsure about
it.
Use an anti-spam program
A common technique of identity thieves - called “phishing” - is to trick computer users into revealing personal or financial information, such as a bank account password. The vehicle for this technique is spam (an unsolicited e-mail message). A typical phishing scam begins with an e‑mail message that appears to come from a trusted source but actually directs recipients to enter their information on a fraudulent website. Firewalls can’t examine the contents of e‑mail messages, so they can’t protect you from this type of attack. Anti-virus protection is of limited help, because a phishing e-mail usually carries no virus or malware, only a link and a story designed to make you act quickly. Anti-spam programs can, however, help to protect you from phishing scams as long as they recognize the phishing e-mail as spam.
Most ISPs and e-mail programs offer
some level of spam filtering. Anti-spam
programs are also available online (some
are free) and often come packaged with
anti-virus software. Anti-spam software
will block or quarantine messages that the
program recognizes as spam based on
the settings you have chosen. It will allow
you to review a list of blocked e-mails and
override the block if an e-mail is legitimate
and you wish to open it.
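The filtering described in this section is easier to reason about when the indicators are written down. The following Python script is an added example, not part of the CITSC guide or of any anti-spam product: it applies four of the checks a spam filter makes to a single e-mail - a Reply-To address in a different domain from the sender, a link whose visible text names one site while its address points to another, a login link that uses plain http or a bare IP address, and "act within 24 hours" language. The two messages, the .example domains and the 203.0.113.7 address are constructed for the demonstration, and the two-label domain comparison is a deliberate simplification (it does not know about suffixes such as co.uk).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the "act now or lose access" story in phishing mail.
URGENCY_PHRASES = ("verify your account", "suspended", "within 24 hours",
                   "confirm your password", "unusual activity")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of_address(addr):
    return registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return the list of phishing indicators found in one e-mail (RFC 822 text)."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of_address(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of_address(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme == "http":
            findings.append(f"link uses unencrypted http: {href}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {host}")
        # Visible text that looks like a web address but leads somewhere else.
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text shows {shown} but goes to {host}")

    lowered = body.lower()
    urgent = [p for p in URGENCY_PHRASES if p in lowered]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    return findings


def looks_like_phishing(raw_message, threshold=2):
    """Two or more independent indicators is a reasonable cut-off for quarantine."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail). The .example domains and the
# 203.0.113.0/24 address range are reserved for documentation.
PHISH = """From: "MyBank Security" <alerts@mybank.example>
Reply-To: MyBank Support <support@mybank-verify.example>
To: customer@home.example
Subject: Your account has been suspended
Content-Type: text/html

<html><body>
<p>We noticed unusual activity. Your account has been suspended.
Verify your account within 24 hours:</p>
<a href="http://203.0.113.7/login">https://www.mybank.example/login</a>
</body></html>
"""

LEGIT = """From: "MyBank" <alerts@mybank.example>
To: customer@home.example
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body>
<p>Your statement is ready to view when you next log in.</p>
<a href="https://www.mybank.example/statements">View statements</a>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, looks_like_phishing(raw), phishing_indicators(raw))
```

The legitimate statement notice produces no indicators; the constructed phish trips all five, and any two of them would be enough to hold the message for review. None of these checks needs to see a virus, which is why a spam filter catches mail that anti-virus software waves through.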
Keep your firewall and anti-virus
programs current
Make sure that your anti-virus and firewall
software are set to update frequently
(hourly for anti-virus) so that they are
keeping up with the latest threats.
Updates will occur when your computer is
turned on and connected to the Internet.
Anti-virus programs will check all e-mail
as it comes in, and will scan your
computer for viruses at intervals that you
specify. Set the anti-virus program to
scan your computer weekly. If you turn
your computer off at night (as suggested
below), these scans will happen the first
time you turn the computer on after the
scanning interval has been reached.
If you have a subscription for firewall or anti-virus software, do not let it run out! The company providing your software will alert you in advance of the expiry date. Do not ignore periodic messages to update your security software. On the other hand, be sure that the warning is legitimate before you act on it: a fake “your anti-virus has expired” pop-up in a web page is a common way of delivering malware, so renew only through the program itself or the vendor’s own website.
No anti-virus program can protect
against all viruses at all times, even
when they are up-to-date. Good
anti-virus programs respond quickly
to new viruses as they emerge, but
there is always a gap between the
virus and the anti-virus protection.
The best protection is to have both
a firewall and continually updated
anti-virus software installed on your
computer.
Allow operating system updates
Software updates fix problems in your computer’s operating system and applications, and these problems include security vulnerabilities that attackers exploit. Operating systems (e.g., Windows) and other software programs - especially web browsers and their plug-ins - need to be updated promptly to close holes as they are discovered. Your operating system will let you know when updates are ready to be installed; turn on automatic installation if it is offered, and don’t put off installing security-related updates.
Turn off your computer when it is
not in use.
One of the simplest things you can do to prevent online identity theft is to disconnect your computer from the Internet when it is not in use. A computer that is shut off is also disconnected from the Internet, so it cannot be reached by potential thieves during that time.
Wireless Home Networks
Wireless networks are becoming the
norm in home environments especially
given the increasing popularity of laptops,
tablets, smartphones and other mobile
computing devices. But the risk of being
hacked is high if your wireless network
is not properly secured. In addition to
the basic protections of a firewall and
anti-virus program installed on each
computer, you should ensure that your
wireless router is configured to provide
maximum protection.
Choose a wireless router with
strong security protections
There are many different brands and
models of wireless routers. Choose a
router that you are confident will protect
your network.
You should be able
to download a PDF user manual for
the router that clearly and thoroughly
explains the security, encryption, and
firewall settings available to you to protect
your network. Ultimately, your network
security will depend upon the features
available in your wireless router and your
choice of appropriate settings to secure
the network.
Ensure that your router settings
are adequate
Even if you rely upon the manufacturer’s claims or the advice of experts, there are steps you should take yourself to ensure that your router is configured to provide maximum protection. The factory default user name and password for access to most routers are publicly available and can be found by doing a web search. So is the default SSID - the name that is publicly broadcast by the wireless transmitter to identify your network to any computer that wishes to connect to it. Note also that resetting a router to its factory defaults is usually no more than a matter of holding down a back-panel switch with a paper clip and rebooting the router, so every setting below must be re-applied after any reset.
Here are some suggestions for managing
your own wireless router:
1. Change the default administrator
password (and the administrator user
name, if possible).
Use a strong
password for the administrator password
(8+ characters, mixed text, numerals
and/or special characters). Do not use a
password that is related to the wireless
connection password that each user
needs to gain wireless access. Needless
to say, record the password somewhere
secure in case you forget it.
2. Disable remote management of the
router unless you need to change router
settings from a remote location.
3. Reset the default SSID (the identifier
for your home network) to a new name.
A default SSID such as “Linksys” begs
hackers to test your network, to see if
any of the default login information is also
being used for administrator access.
Choose a name for your home network
that does not identify your family or
business, since the SSID will (unless you
make other changes) be visible to any
wireless unit within range.
4. After setting a password for users to
gain access to your home network (ie: the
router “key”), protect it. This password
will allow anyone within range of your
wireless transmitter to join your network.
5. Ensure that the router firewall is enabled.

6. Ensure that wireless encryption is enabled. All wireless devices that connect to your network must support the type of encryption you choose. Use WPA2, with a long, random passphrase, wherever your devices allow it. The earlier WEP standard is broken - its keys can be recovered by anyone within range in a matter of minutes - so a WEP-protected network should be treated as if it were unencrypted, and the original WPA is only a fallback for old devices that cannot do WPA2.
7. Ensure that a software firewall is running
on each computer in your network, both
those with wired and wireless access to
the network.
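Once the router is configured, the quickest check is to look at what it actually broadcasts. The following Python script is an added example, not part of the CITSC guide: it reads a network scan in the colon-separated `SSID:SECURITY` form printed by `nmcli -t -f SSID,SECURITY dev wifi` on Linux and applies steps 3 and 6 of the checklist above, flagging default SSIDs, open networks, WEP, WPA-only and mixed WPA1/WPA2 modes. The scan output and the network names are constructed for the example, and the list of default SSID prefixes is illustrative rather than complete.

```python
# Constructed scan output in the shape printed by `nmcli -t -f SSID,SECURITY dev wifi`
# (one "SSID:SECURITY" line per network; an empty SECURITY field is an open
# network, and nmcli escapes a ':' inside an SSID as '\:'). Made-up networks.
SAMPLE_SCAN = """\
linksys:
NETGEAR42:WEP
HomeNet-7f3a:WPA2
Cafe Free WiFi:
Smith Family:WPA1 WPA2
"""

# SSIDs that routers ship with; seeing one on your own router means the
# defaults were never changed (illustrative list, not exhaustive).
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "d-link", "default",
                         "tp-link", "belkin")


def parse_scan(text):
    """Split scan lines into (ssid, security) pairs; the last ':' separates the fields."""
    networks = []
    for line in text.splitlines():
        if line.strip():
            ssid, _, security = line.rpartition(":")
            networks.append((ssid.replace("\\:", ":"), security.strip()))
    return networks


def assess(ssid, security):
    """Issues with one network, following the router checklist in the guide."""
    issues = []
    name = ssid.strip().lower()
    if any(name.startswith(p) for p in DEFAULT_SSID_PREFIXES):
        issues.append("default SSID: the admin password is probably still the default too")
    sec = security.upper()
    if not sec or sec == "--":
        issues.append("open network: traffic is sent in the clear")
    elif "WEP" in sec:
        issues.append("WEP: broken, keys recoverable in minutes; treat as an open network")
    elif "WPA2" not in sec and "WPA3" not in sec:
        issues.append("WPA (TKIP) only: deprecated; switch the router to WPA2")
    elif "WPA1" in sec:
        issues.append("mixed WPA1/WPA2 mode: disable the WPA1 fallback if every device supports WPA2")
    return issues


def audit(scan_text):
    """Map each SSID in the scan to its list of issues ([] means nothing to fix)."""
    return {ssid: assess(ssid, sec) for ssid, sec in parse_scan(scan_text)}


if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_SCAN).items():
        print(f"{ssid!r}: {issues or 'OK'}")
```

In the sample only `HomeNet-7f3a` passes: it has a non-default name and WPA2. The two open networks and the WEP network would expose everything their users send, and the mixed-mode network still accepts the weaker WPA1 handshake from any client that asks for it.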
Public WiFi Hotspots
Wireless Internet access is becoming
increasingly available in public places
such as cafés, airports, libraries, hotels.
Even some municipalities are making it
available throughout their territory at low
or no cost. Such public Internet access has great advantages, but it also involves risk to users if the connection is unsecured - that is, not encrypted with a password known only to trusted users. A hotspot whose password is printed on the café wall gives you little protection from the other people using it, since everyone who knows the password shares the network with you.

When you use a laptop to connect to the Internet via an unsecured wireless network, the wireless adapter in your laptop communicates with the network’s router over ordinary radio waves. That means that anyone around you can listen in on all of your unencrypted Internet communication, simply by tuning in to the right radio channel. Many people have had their credit card or other account information stolen by thieves who simply eavesdropped on their unsecured wireless communications at public hotspots.
The best protection is to avoid using
unsecured public wireless networks
altogether. But if you want to take
advantage of public wireless networks
that are not properly secured, the
following precautions (in addition to those
listed elsewhere in this document) will
help to minimize your risk:
1. Disconnect from the wireless
network when you stop using it.
Don’t leave the connection open while
you engage in other activities that don’t
require it.
2. Turn off shared folders. In some
circumstances, hackers can actually
reach into your computer and access
information in shared folders.
3. Limit your online activity to
browsing. Even seemingly innocuous
logins to webmail accounts could give
hackers access to your more important
data, since most of us use similar
passwords for almost all online activities.
If using webmail, ensure that the webmail
program uses HTTPS/SSL encryption for
e-mail access.
4. Use a Virtual Private Network (VPN),
which encrypts data moving to and from
your laptop. VPN encryption protects
your Internet communications from being
intercepted by others in WiFi hotspots.
Safe Online Habits
Do not respond to unsolicited
e-mails
One of the most effective techniques
of identity thieves is “phishing”: luring
unsuspecting e-mail users into providing
account or other personal information by
pretending to be a service provider. Some
phishing schemes are so sophisticated
(using the logo, typeface and other
hallmarks of the impersonated service
provider) that it is difficult to determine
whether they are legitimate or fake.
NEVER respond to an unsolicited e-mail
request for your account information,
password or other sensitive personal
information. Such requests are almost
always scams.
Do not open strange e-mails,
attachments or links
Don’t open e-mail messages or attachments if you don’t recognize the sender or if the message seems suspicious. Even messages from people you know can be dangerous: if their computer has been infected, a virus may be sending messages in their name without their knowledge. If the message seems strange, do not respond to it. Delete it immediately. Attachments are the most dangerous part - they can carry spyware that lodges in your computer and sends your personal data back to the criminal, who can then use it to perpetrate identity theft.
Be certain of the source and
content of each file you download
Before downloading a file, be certain that its contents are not harmful; use your anti-virus program to scan questionable files before you open them. Computers of people you know and trust can be infected, so any file they send you may infect your computer. Do not simply download an “executable” file without being certain that it is legitimate. If it contains a virus, it will infect your computer the first time it is run.
Be wary of “pop-ups”
“Pop-ups” are a common method of online
advertising but they can also be used to
deliver malware to your computer. This
malware could then be used to gather
your personal information without you
knowing. If a strange window pops up
on your computer, close it. Do not click
“OK” or “continue” unless you know that
it is legitimate.
Activate or install pop-up blockers
You can prevent pop-up windows from
appearing by using a pop-up blocker. Most
Internet browsers now come with pop-up
blocking tools. Open your browser and
look under “Tools” or “Options” to find the
pop-up blocker. There are also a variety
of pop-up blocking tools available online.
Beware of “.exe”, “.com” and “.zip” files

Malware is typically delivered as an executable file. On Windows, executable files can be identified by filename extensions such as “.exe”, “.com”, “.scr”, “.bat” and “.msi”. They often arrive inside a “.zip” archive, which hides the real extension from e-mail filters and from you: opening the archive is harmless, but double-clicking the file inside it runs the program. Don’t allow an executable file to run on your computer unless you know it is safe.
Beware of hidden file extensions

Good anti-virus software should alert you to this ploy. Malware can be disguised as a benign file by hiding its “.exe” extension. For example, you may receive a file “penguin.jpg”, which promises to be a photo of a penguin. But the real extension of the file may be hidden, and the file is actually named “penguin.jpg.exe”, an executable file that contains malware.

By default, Windows and Macs hide file extensions. To show them in Windows, open Folder Options (under Tools in Windows Explorer, or from the Control Panel), select the View tab and clear “Hide extensions for known file types”. To show them on a Mac, go to Finder/Preferences/Advanced and select “Show all filename extensions”.
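The two warnings above - dangerous extensions and hidden extensions - come down to one question: what is the file's real extension, as the operating system sees it, rather than the one the name shows you? The following Python script is an added example, not part of the CITSC guide: it takes a file name as stored on disk, strips any Unicode text-direction override (the right-to-left override U+202E is used to make a name such as `invoice\u202Efdp.exe` display as `invoiceexe.pdf`), then reports whether the real extension is executable, whether a data extension is tucked in front of it, and whether padding spaces push it out of view. The extension lists are illustrative, not complete.

```python
import os
import unicodedata

# Extensions Windows or macOS will run as a program when double-clicked.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".hta",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".jar", ".lnk",
                   ".app", ".command"}
# Extensions a user would reasonably expect to be harmless data.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls",
             ".xlsx", ".txt", ".mp3", ".mp4", ".avi"}
# Unicode bidirectional classes of the controls that reverse or force text
# direction; U+202E ("RLO") is the one used to disguise file names.
DIRECTION_OVERRIDES = {"RLO", "LRO", "RLE", "LRE", "PDF", "RLI", "LRI", "FSI", "PDI"}


def analyse_filename(name):
    """Return (real_extension, findings) for a file name as stored on disk."""
    findings = []
    if any(unicodedata.bidirectional(ch) in DIRECTION_OVERRIDES for ch in name):
        findings.append("contains a text-direction override: the displayed name is not the real name")
        # Drop the controls so the remaining checks see what the OS will execute.
        name = "".join(ch for ch in name
                       if unicodedata.bidirectional(ch) not in DIRECTION_OVERRIDES)
    stem, real_ext = os.path.splitext(name)   # splitext keys on the LAST dot
    real_ext = real_ext.lower()
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"real extension {real_ext} is executable")
        inner_ext = os.path.splitext(stem.rstrip())[1].lower()
        if inner_ext in DATA_EXTS:
            findings.append(f"double extension: disguised as a {inner_ext} file")
        if stem != stem.rstrip():
            findings.append("padding spaces push the real extension out of view")
    return real_ext, findings


if __name__ == "__main__":
    # Constructed sample names, including the guide's penguin example.
    for sample in ("penguin.jpg", "penguin.jpg.exe",
                   "report.pdf                .scr", "invoice\u202efdp.exe", "holiday.zip"):
        print(repr(sample), analyse_filename(sample))
```

`penguin.jpg` comes back clean, `penguin.jpg.exe` is reported as an executable disguised as an image, and the right-to-left example is caught even though a file manager would show it ending in `.pdf`. A `.zip` is reported as data, which is correct: the archive itself is inert, and it is the file extracted from it that should be run through the same check.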
Make sure that a website is safe
before you give it any personal
information
Many criminals use professional-looking websites to mask their activities. Don’t assume that a site is safe just because it looks professional. Some sites may be spoofed versions of legitimate business websites. Check the website address (URL) carefully and make sure that it belongs to the domain you expect, reading it from the end: “www.mybank.example” belongs to mybank.example, but “www.mybank.example.login-check.example” belongs to login-check.example. Browse around the site - does it look legitimate? Is there a physical address and phone number? Call the phone number and ask questions to determine whether the site is legitimate. Transact only with sites whose URL begins with https://, and remember that https:// only means that your connection to that site is encrypted; a fraudulent site can use it too, so it does not by itself prove that the site is legitimate.
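Reading a URL from the end is the skill this section and the Online Shopping section below both rely on, so here it is written as code. The following Python function is an added example, not part of the CITSC guide: given a checkout URL and the domain you expect, it reports a non-https scheme, the “user@host” decoy trick, a bare IP address, an internationalized (punycode, `xn--`) host that may be a look-alike, and a host that merely contains the brand name inside someone else’s domain. The URLs are constructed; paypal.com is used because the guide itself cites it as an example, and the two-label domain comparison is a simplification that ignores suffixes such as co.uk.

```python
import re
from urllib.parse import urlsplit


def registered_domain(host):
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_checkout_url(url, expected_domain):
    """Reasons not to type card details into this page; [] means it passed these checks."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        findings.append(f"not https (scheme is {parts.scheme or 'missing'}): traffic readable in transit")
    if "@" in parts.netloc:
        findings.append("address contains '@': everything before it is a decoy user name, not the site")
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no host name in address")
        return findings
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("bare IP address instead of a company domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) domain: may be a look-alike of the real name")
    expected = expected_domain.lower()
    actual = registered_domain(host)
    if actual != expected:
        findings.append(f"host {host} belongs to {actual}, not {expected}")
        brand = expected.split(".")[0]
        if brand in host:
            findings.append(f"'{brand}' appears inside someone else's domain (classic spoof)")
    return findings


if __name__ == "__main__":
    # Constructed URLs; 203.0.113.7 is a documentation address.
    for sample in ("https://www.paypal.com/checkout",
                   "http://www.paypal.com/checkout",
                   "https://www.paypal.com.secure-login.example/",
                   "https://www.paypal.com@203.0.113.7/",
                   "https://xn--pypal-4ve.com/"):
        print(sample, check_checkout_url(sample, "paypal.com") or "OK")
```

Only the first URL passes. The third is the pattern the prose describes: it starts with the expected name, but the last two labels say who really owns it. Passing these checks is still only a necessary condition; the padlock and the address tell you who you are encrypted to, not whether that party is honest.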
If you play games online, do not
post your IP address
It is always best to log into another game server rather than inviting others to log into your server by providing them with your IP address. Giving out your IP address is unnecessary and tells a thief exactly which computer to probe for open ports and weak services. Do not post your IP address on websites or newsgroups unless you are certain that your own computer is well protected.
Use strong passwords for online
services you register with
An effective password should be at least 8 characters long (longer is stronger; 12 or more is a better target) and use a mix of upper- and lower-case letters, numbers, and non-alphabetical characters. Do not use easily-available information such as your mother’s maiden name or your birth date, and do not reuse the same password on more than one site: a password stolen from one service is immediately tried on others.
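The password advice above (and the router administrator password advice in the Wireless Home Networks section) can be checked mechanically. The following Python script is an added example, not part of the CITSC guide: it scores a password against length and character-class rules, rejects one that contains a piece of personal information you tell it about (a surname, a birth date), estimates how many bits of guessing a random password of a given length buys, and generates passwords from the operating system's cryptographic random source (`secrets`) rather than from anything a person would choose. The example password and personal facts are constructed.

```python
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def password_problems(password, known_facts=(), min_length=12):
    """List the ways a password falls short of the guide's rules; [] means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"only {len(password)} characters; use at least {min_length}")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lower-case, upper-case, digits, symbols")
    # Personal facts the guide warns against: reject the password if any 4+
    # character piece of a fact (or the fact with punctuation removed) appears in it.
    compact = re.sub(r"[^a-z0-9]", "", password.lower())
    for fact in known_facts:
        pieces = re.findall(r"[a-z0-9]{4,}", fact.lower())
        pieces.append(re.sub(r"[^a-z0-9]", "", fact.lower()))
        for piece in pieces:
            if len(piece) >= 4 and piece in compact:
                problems.append(f"contains personal information ({piece!r} from {fact!r})")
                break
    return problems


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing resistance of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def generate_password(length=16, known_facts=()):
    """Random password from the OS CSPRNG, regenerated until it passes the policy."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate, known_facts):
            return candidate


if __name__ == "__main__":
    facts = ("Smith", "1975-03-14")           # constructed surname and birth date
    print(password_problems("Smith1975!", facts))
    print(password_problems("correct horse battery staple"))
    print(generate_password(16, facts), f"~{entropy_bits(16):.0f} bits")
```

`Smith1975!` satisfies the character-mix rule and still fails three ways: it is short and it is built from two facts a thief could look up. A 16-character random password from this alphabet carries about 105 bits of entropy, far beyond what any online guessing can cover, and the practical way to hold a different one for every site is a password manager.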
Do not participate in contests,
quizzes or other online
promotions that require you to
divulge personal information.
Smartphones and other
mobile devices
Mobile devices that connect to the
Internet are valued for their convenience
and efficiency but they can make users
more vulnerable to identity theft. Along
with the increased computer capabilities
of mobile devices comes a higher risk of
exposing personal information to identity
thieves. Risks include loss or theft of
the device, user-specific information
stored on the device, frequent exposure
to unsecured wireless service areas, and
unsafe applications designed for mobile
devices. Smartphone users need to
take extra precautions to avoid becoming
victims of identity theft.
Password-protect your smartphone.
This is the simplest step you can take to
prevent your information on your device
from being accessed. Make sure it is a
strong password that is not similar to or
associated with personal information
such as your name, birth date, or other
information that a thief might know or
could easily obtain. Don’t share your
passcode with others, and don’t allow
your device to remember the password.
Treat your mobile device as you would your home computer. Install security (anti-virus) software specially designed for mobile devices and configure it to scan your device regularly. Allow security-related operating system and software updates.

Be cautious when using your smartphone online. Use the same precautions when on the Internet as you would with any other computer. Limit your activities while using public Wi-Fi (see above).

Beware of applications. Before installing an application on your smartphone, take the time to read the fine print and review the application’s ratings. Find out what personal information the app requires access to, and consider whether this information is necessary for the app to run successfully. If you cannot see a reason for the app to have access to the information, consider whether it is worth installing.

Install a backup/wiping program that will back up the information on your mobile device to your home computer and “wipe” your phone if it is lost or stolen so that no data remains on the device itself. These services are available through device manufacturers and wireless service providers. iPhones have a built-in “wipe” feature that, if turned on, will erase the phone after 10 failed passcode attempts.

Do not “jail-break” or use a “jail-broken” phone. A jail-broken phone is a phone that has been reconfigured to open its operating system to applications which would otherwise not be allowed to run on it. Jail-breaking removes the protections that keep each app within its own boundaries, so once jail-broken the phone is vulnerable to anything the user downloads.

Check URLs before making a purchase using your Smartphone. Any page that requires credit card information should start with https://, for example https://www.paypal.com. This means that your connection to the site is encrypted.

If your Smartphone is lost or stolen, call your service provider and report your phone as missing. If you have enrolled in a backup / wiping program, now is the time to use it! Contact the administrator of your program and have them “wipe” your phone. If you have not enrolled in a backup / wiping program, treat the loss of your Smartphone as you would the loss of a wallet or purse: contact your bank, and change the passwords for every account the phone could log in to.
For more information on protecting your
Smartphone or other mobile device, see
the US-based Identity Theft Resource
Center (ITRC) Fact Sheets 144 – 147,
available online at www.idtheftcenter.org
under “Document Catalogue”.
Social Networking,
Blogging, and Online
Dating
Identity thieves don’t have to steal the
information they need to impersonate
you if you make such information readily
available to them. Personal websites,
blogs, social networking sites and
online dating sites are prime sources of
information for identity thieves. Because these online activities are founded
on divulging at least some personal
information, using them will always entail
some risk. However, there are steps that
you can take to reduce your exposure to
identity thieves if you choose to use these
types of online services.
Read the site’s privacy and security
policies closely before you join it.
Understand what you are agreeing to and
be sure that you are comfortable with it.
Provide the least amount of personal
information possible when joining or
registering with a site. Make up a birth
date or other information if necessary.
Use the highest privacy settings that
the site offers. Do not simply accept
default settings – these are typically set
to share your information widely. Take the
time to examine and adjust your privacy
settings (if possible) so as to ensure that
you aren’t inadvertently sharing your
information with strangers.
Limit the information that you post
online. Think before you post: could this
information be used by an identity thief or
fraudster?
Never disclose particularly sensitive
personal information such as your full
name, birth date, home address, Social
Insurance Number, or ID numbers on your
profile or otherwise on the site. This kind
of information is gold for identity thieves.
Do not accept “invitations” to connect
with unfamiliar persons. Connect only
to people you know and trust (confirm
with the person offline to be sure it is
them), and even then be mindful of the information you exchange, as it is
possible that they may inadvertently pass
it on to others.
Disconnect from your account before
you go on to other things. Never leave
your connection open, especially if you
are using a mobile device – if someone
else gets hold of your device and your
account is open, they can pretend to be
you on the site.
Do not give your user account details
or passwords to your friends.
Never post information that could be
useful to thieves, such as when you are
going away on holiday or directions to
your house.
Select a setting that does not display a
time stamp on your posts.
Be wary of applications, especially
free applications. Nothing is free; the
price is often your personal information.
Take the time to find out what information
about you the application requires and
then decide if it is worth downloading.
Do not activate links that lead you to
another website, even if the link was
sent to you by a known friend or posted
on their profile.
Do not respond to e-mails that ask you
to update your profile unless you know
them to be legitimate. Such e-mails may
be phishing scams designed to gather
your user name and password in order
to retrieve greater amounts of personal
information that can then be used in
identity fraud.
Peer-to-Peer (P2P) File-sharing

If you use a peer-to-peer (P2P) file-sharing program such as BitTorrent, Morpheus or Kazaa to download and upload music, movies, and files with other users, you are exposing yourself to greater risk of identity theft. With P2P file-sharing, shared files are stored on users’ computers where they can be accessed by other users on the network. If you do not carefully set up your shared folders or shared drives, you could end up sharing more information than you intended - documents such as tax returns and bank statements have been found on P2P networks this way. Even with carefully restricted file sharing, P2P users can inadvertently allow malware to enter their computers, since a download named like a song or a film may in fact be an executable.

The following precautions are strongly recommended if you engage in P2P file-sharing:

1. Download files only from trusted sources. Scan all the files that you receive during a file transfer with effective anti-virus software.

2. Run virus scans regularly, and check the program’s sharing settings to ensure that no folders or drives have been placed in share mode without your knowledge.

3. Periodically check the files you keep in the shared folder.

4. Provide minimum (Read Only) privileges on the shared files.

5. Make sure that your shared folder is not the default folder for any other application or for downloads.
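Precautions 3 and 4 above are a routine you can run rather than remember. The following Python script is an added example, not part of the CITSC guide or of any P2P client: it walks a shared folder and reports files whose names or types look like personal documents rather than media, files that other users may write to (the share should be read-only), and links inside the share that point outside it, which is one way an entire Documents folder ends up shared without the owner noticing. The sample share it builds is constructed in a temporary directory, and the name patterns and extensions are illustrative. The permission check uses Unix mode bits and the link check uses symbolic links, so run it on Linux or macOS.

```python
import os
import re
import stat
import tempfile

# Names and types that belong in a personal folder, not in a media share (illustrative).
SENSITIVE_NAME = re.compile(r"tax|passport|bank|statement|passw|resume|invoice|"
                            r"insurance|medical|payroll", re.I)
SENSITIVE_EXTS = {".pst", ".ost", ".ofx", ".qif", ".qfx", ".kdbx", ".key", ".pem",
                  ".p12", ".pfx", ".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def audit_shared_folder(root):
    """Return (relative_path, reason) pairs for anything in the share that should not be there."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # A link inside the share exposes whatever it points to, even outside the folder.
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append((os.path.relpath(path, root),
                                     f"link leaves the share, points to {target}"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if SENSITIVE_NAME.search(name) or ext in SENSITIVE_EXTS:
                findings.append((rel, "looks like a personal document, not media; review it"))
            mode = os.stat(path).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by other users; shared files should be read-only"))
    return findings


def build_sample_share():
    """Constructed example share: two media files, a tax return, a world-writable
    note and a link to a folder outside the share (stands in for Documents)."""
    outside = tempfile.mkdtemp(prefix="Documents-")
    root = tempfile.mkdtemp(prefix="Shared-")
    for name in ("song.mp3", "holiday.mp4", "2010 tax return.pdf", "notes.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, name), 0o644)
    os.chmod(os.path.join(root, "notes.txt"), 0o666)
    os.symlink(outside, os.path.join(root, "Documents"))
    return root


if __name__ == "__main__":
    for rel, reason in audit_shared_folder(build_sample_share()):
        print(f"{rel}: {reason}")
```

On the sample share the two media files pass, the tax return and the writable note are reported, and the `Documents` link is reported because it resolves outside the shared folder. Pointing the script at the P2P client's actual share folder, and running it after any change to the client's settings, covers precaution 2 as well.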
Online Shopping
Make purchases only from businesses
that you know are legitimate. Some
websites are designed for the sole
purpose of stealing your personal
information, especially credit card
numbers. If you are unsure about the
legitimacy of the business, research it via
the Internet (to see what others say about
it), call and ask questions to determine its
legitimacy, or contact the Better Business
Bureau to find out if it is a member.
Place orders only through secure
websites. Secure websites will have web
addresses that begin with “https://” and
the web browser should display a locked
padlock icon and no certificate warnings
or error messages.
Pay for online purchases only with a
credit card or secure online system
such as PayPal. Never pay with a
cheque as cheques are easily copied and
contain too much personal information.
Don’t store your credit card information
or other personal information on
shopping sites.
While this makes
future purchases from that site easier
(because you won’t have to enter the
same information each time), it puts your
information at risk of being stolen from the
site or exposed unintentionally through a
security breach.
Read the fine print. Confirm that the
business does not share your personal
information with other businesses, or
opt out of such sharing if necessary.
You are legally entitled to “opt-out” of all
non-essential use and sharing of your
personal information.
Glossary of Technical Terms
Blog: short for “weblog”, a personal journal published on the web, consisting of
discrete entries (“posts”) typically displayed in reverse chronological order so the
most recent post appears first.
Bot: short for “web robot”, a software application that runs automated tasks over the
Internet. Bots can be innocent or malicious. Malicious bots can be used to harvest
personal information from websites and send viruses and worms to other computers,
among other things.
Botnet: a network of compromised computers that an attacker controls remotely, usually through malware installed without the owners’ knowledge, and uses to send spam, host fraudulent websites or attack other systems.
Cracker: a person who breaks into a computer system, typically for an illegal purpose
(see “Hacker”)
DSL: Digital Subscriber Line - a technology for the high-speed transmission of digital
information over standard telephone lines.
Encrypted: converted into a code to prevent unauthorized access.
Executable: a type of file or program that performs specified tasks according to
encoded instructions. The file extension “.exe” indicates that a file is executable.
Non-executable (data) files (e.g., .doc, .pdf, .jpg), in contrast, must be read by a
computer program.
Hacker: a person who uses computers, often skillfully, to gain unauthorized access to
data.
Hardware: physical components of a computer.
IP Address: Internet Protocol address - the numerical address that identifies a computer or other device on a network and tells other computers where to send data for it. A home router usually has one public IP address that all the devices behind it share.
ISP: Internet Service Provider.
Malware: short for malicious software; includes viruses, worms, spyware and trojans, among other programs.
Newsgroup: a group of people who post messages about a single subject or topic
on a computer network.
Peer-to-peer (P2P): a type of networking in which each participant makes a portion
of their computer resources available to other participants (peers); these resources
may be processing power, storage, or bandwidth. This system replaces the need for a
central source of coordination, such as a server.