Before Facebook, before Twitter, before eBay, identity theft required a bit more work. Every once in a while you'd hear a nightly news special on how someone could sift through your garbage, finding bits and pieces of your life, leading up to a nasty case of identity theft. The fix was simple: shred your personal data, and don't give it out to just anyone who asked.
Jumping back to now, our personal data is flying high above us in the imaginary "cloud." Every time you surrender some portion of your personal data to a social service (Twitter, Facebook) or trust it to an internet-connected device (computer, iPhone), a hacker could very well get in and ruin your day.
The good news is the fix is the same as for the Luddites... the bad news is it's all your fault. Jump through for a lesson in "Safe Nerdin' 101."
Alright, you have an iPhone and your best bud told you that if you jailbroke it you could pirate install any app you wanted (or something like that). Jailbreaking an iPhone is nearly painless these days, but there's one step that certain people have been skipping, namely the people who have been getting the iPhone worms that popped up in early November... When you jailbreak your iPhone (and only if you install OpenSSH from Cydia) you need to change the passwords for the "root" and "mobile" accounts.
Why? Because the password for your iPhone and nearly every other iPhone in the world is set by default to "alpine." Right now, the hacks are mostly harmless, and isolated to countries outside of the US with a higher percentage of jailbroken phones, but there is nothing to stop a seriously malicious data mining attack from emerging from all of this. It's ok, it's ok, the fix is really simple, but I must stress that most Jailbreak apps alert you to this security hole; if you neglect this step you deserve to have your data stolen. On the other hand, if your iPhone's firmware is intact and straight from Cupertino, you are safe from this type of exploit... but your password is still "alpine."
If I had my way, I'd order that those free 3-month subscriptions to security suites like Norton or McAfee that come bundled with your new PC be outlawed. From my experience, I've noticed that users will sign up for the trial, let it lapse, and continue without a subscription thinking they are still protected.
Don't get me wrong, Norton Antivirus is a great security tool, but any subscription-based security tool becomes nearly useless once you let your account lapse. The reason is that spyware, viruses, and other exploits are constantly evolving, and security tools need to be able to get regular updates on the nasty buggers that will foul up your system. Sure, Norton will technically work without a live subscription, but will only be as effective as its last update, and some suites stop working altogether after their trial lapses.
I used to tout AVG as the best anti-virus tool for no money (read: free). I still like it, and you can download it from free.avg.com, but I have to say that Microsoft recently released their own tool... and it works. Microsoft Security Essentials works just like the rest of them, scanning through your files and resources, looking for exploits and zapping them to oblivion.
I wasn't a fan of previous Microsoft security tools, but this one finally has everything you need, and none of the fluff. It's free, there is no "upgrade to a paid version" drama, and there isn't a lot to distract or confuse. It's now part of my post-viral-meltdown-security-reboot-pack. You do have to ensure that your copy of Windows XP/Vista/7 is legit, however, or Windows Security Essentials won't install.
The Internet, All of it.
I tagged my gay geek of a boyfriend to write this part for me. He's been a security risk analyst for a big global bank for some time, and I felt he could lend some professional advice.
Phishing is Social Engineering at its best: to pose as someone other than yourself and present a plausible scenario to gather the information needed for whatever nefarious purpose one might have.
A good example is those emails we all get from our favorite bank, big box store or auction site saying our account information is invalid and that we should log in with our personal data via the handy link they provided. We've all seen them, we all hate them, but how many of us can honestly say we've never gone to the site and tried to log in? Uhuh, right. If you ever find yourself in this situation, here's what you can do to recover (hint: you might wanna start this process right after you realize you just gave all your bank info away, don't wait a week):
- Change your password - I can't stress the importance of this one enough. If you use the same login/password for multiple services, change them all. Every one of them. We all know it's a bad idea to use the same password for everything but we all do it for convenience. The bad guys know this and therefore will try it out on everything else they have on you, so change them all.
- Contact your bank, and let them know what happened. They can reissue a bank card, change your account number, and will watch your account for suspicious activity.
- Check your credit card statements closely. We should be doing this all the time but we don't. If you see any anomalous charges look into where they came from.
- Check your credit report from all 3 credit bureaus. It's free once a year, or about $10 per bureau if you've already looked this year. The peace of mind is well worth the $30 and, contrary to popular belief, checking on your own credit does not affect your credit score.
If someone does get your banking or credit info and fraudulently uses your accounts you are not liable for the charges; however, it's a pain in the ass and it will affect your credit score.
Banks spend millions and have teams of people whose job it is to ensure nobody gets into their systems to steal your identity, but it's your own responsibility to keep it secure when it's in your hands. There are some simple steps you can take to help prevent yourself from becoming the victim of identity theft:
- If you wouldn't tell a stranger on the street don't tell the internet! Don't post your phone number on MySpace. Don't post your maiden name on Facebook. It may make it easier to be found by friends but it makes it easier for the bad guys to know where your neighborhood is.
- Always look for the little lock icon on websites where you put any personal information (even your name). If you click on the lock icon it will tell you information about the website you are viewing, including who actually operates it. As long as that certificate matches the company you are expecting to find you are pretty safe (nothing is 100% of course).
- Use strong passwords. No names, no pets' names, no birth dates. A season with a year after it is just as secure as no password at all. Use seemingly random strings of letters and numbers. Anagrams work well. There are plenty of password generator websites out there, use one of those.
- Watch out for Twitter/Facebook traps. Twitter's API allows websites to connect with the social network, allowing some pretty cool services like TweetStats and the game Spymaster, but be careful about sites asking you to log in. If you need to give a site permission to play with your tweets, they will redirect you to twitter.com to give access. Make sure you see the lock icon, and the URL really is twitter.com. Same goes with Facebook.
- Don't write your passwords down! If you must keep your passwords in one place there are utilities to securely keep track of all your account login data.
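The password advice in the list above can be checked and applied locally. The following is an added example, not part of the original post: the function names and the patterns it tests are assumptions made for illustration, and it uses Python's standard `secrets` module on your own machine in place of a generator website.

```python
import re
import secrets
import string

# "Letters and numbers", as the post suggests.
ALPHABET = string.ascii_letters + string.digits
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

def weak_reasons(password, personal_words=()):
    """Return which of the weak patterns named in the post a password matches."""
    reasons = []
    lowered = password.lower()
    # A season followed by a 2- or 4-digit year, e.g. "Summer2009" or "winter 10!".
    if re.fullmatch(r"(%s)\W?(\d{2}|\d{4})\W*" % "|".join(SEASONS), lowered):
        reasons.append("season plus year")
    # Names and pet names: the caller supplies the words that apply to them.
    for word in personal_words:
        if word and word.lower() in lowered:
            reasons.append("contains personal word: " + word)
    # Birth-date-like digit runs such as 04121985 or 4/12/1985.
    if re.search(r"(?<!\d)\d{1,2}[-/.]?\d{1,2}[-/.]?(?:19|20)\d{2}(?!\d)", password):
        reasons.append("looks like a date")
    return reasons

def generate_password(length=20):
    """Generate a random password with a cryptographically secure source."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Regenerate in the unlikely case random output resembles a weak pattern.
        if not weak_reasons(candidate):
            return candidate

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Summer2009", "rex04121985"):
        print(sample, "->", weak_reasons(sample, personal_words=["Rex"]))
    print("generated:", generate_password())
```

A generated password is only useful if it is stored in one of the password-keeping utilities the last bullet mentions, since it is not meant to be memorized.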
Ultimately your online presence and security is your own responsibility. Do with it what you will, but do so with the understanding that nobody cares as much about your identity as you do.