How fraud savvy are you?

Identity theft is on the rise, and the way we use the internet is changing. Are you a savvy surfer?


by the Glamlife Team, with thanks to Konstantinos Xynos

You keep your bank card PIN in your head, you never reply to emails from strangers who need your help (and bank details) to transfer a billion dollars from a recently deceased uncle’s estate to his deserving family, and the only lottery prize you’d ever try to cash is one where you actually entered the lottery in the first place. But does that alone make you safe from fraud and identity theft?

The biggest ingredient for identity fraud is personal details. There are some personal details which we have no control over – every time a government or company loses a laptop, data CD or USB stick with citizens’ details on it, we’re put at some level of risk. However, most of the time, fraud is not the result of government data loss, but the result of regular people putting their data at some risk, often needlessly. Here are the very basic recommendations that you are hopefully already fully aware of:

On the computer

Wi-fi at home

If you use wi-fi at home, it is important that you do so through a secured connection. Otherwise, your data could be seen (see wi-fi hot spots for more information), and outsiders might be able to use your network connection to access the web (which could cause trouble for you if they access illegal websites).

If the default password given to you by your internet / wi-fi provider is not unique to you, it is also important to change it, as some people may simply try the default passwords for internet providers / wireless routers. For more information about passwords, please see below.

Anti-virus software

You need to protect your computer against viruses and trojans. Some viruses “just” cause havoc on your computer, but these days, many viruses exist to harvest data from your computer and pass it on to criminals. While it is true that some operating systems are safer than others, it is recommended that you have an anti-virus installed even if you own a Mac or Linux-based computer.

You can use Wikipedia to find a list of anti-viruses – some of which have free basic versions that you can use at home. Very importantly, keep your anti-virus software up-to-date in order to benefit from the best level of safety.

Firewall

A good firewall is important, to prevent others from accessing your computer through the internet without your consent. You can use Wikipedia to find a comparison of firewalls, some of which have free versions that you can use.

Anti-spyware software

Spyware is similar to viruses in that it tries to harvest data from your computer and pass it on to its originator – but unlike viruses, it won’t automatically spread from your computer to others. Spyware removers often come as part of the package with your anti-virus or firewall, but you can also install some spyware removers separately. There is a caveat: some anti-spyware programmes will be incompatible with your anti-virus. If you have a good, up-to-date anti-virus and firewall, and your web browsing habits are security-conscious, then you may not need to install a third party anti-spyware programme.

One important warning: If you ever see a web banner telling you “your computer has been infected, please install (product name) to clean it”, or similar, the likelihood is that the banner is a trap, trying to get you to install spyware that pretends to be an anti-virus or spyware remover. If you see such a banner on a website, either ignore it entirely, or, if you are unsure where the banner came from, close down your browser and the warning banner, find your already-installed anti-virus software, and run a system scan from that. Never click on “OK” or the banner itself if you are not sure where it came from.

Passwords

The University has published a quick guide of password dos and don’ts with some basic advice about creating individual passwords. There are a few additional pointers to consider:

You will be asked to create dozens of accounts, from shopping to social networks, banks and email addresses. The way you use passwords is crucial to your safety from fraud. Ideally, you’d create separate passwords for all of these, but this is not likely to be manageable. The most important thing is that you use more than one password – if you only use one password for all activities, then a single breach on a low-security site could cause all your accounts to become accessible to a criminal. Almost like falling dominoes, someone could get access to your Facebook, your Amazon orders, your emails, and your bank, all because of one breach of security.

It’s worthwhile keeping your bank passwords and answers to security questions separate and unique. It’s also worth keeping your email account passwords different from the passwords you use for other websites.

Finally, some advice about password reminders and security questions: The safest thing to do is to make sure your answer to the security questions never actually matches the question that is asked. Your mother’s maiden name could be found out (especially if she’s on Facebook or Friends Reunited, and entered it there to be able to find her friends from school!). Your favourite pet’s name may be known to quite a few people. So, if you want to be really safe, don’t answer the security question honestly, but use a mnemonic password that you can easily remember instead.

Out and about

There is the obvious advice you probably get from your bank: never keep your bank card PIN number on your person, watch out for suspicious devices on cash machines, etc. – make sure you follow that advice. However, if you access the internet through wi-fi networks or mobile broadband, there are other considerations you need to take into account:

Wi-fi hot spots

Most wi-fi hotspots and public access wireless broadband networks offer an unencrypted connection. This includes the glamstudent network on campus. Data that travels over an unencrypted network, and without going through secure servers, can be harvested. In other words, if you access a site like Facebook on an unencrypted wireless network, everything you look at, and even your username and password, could be collected by third parties.

The “without going through secure servers” clause in the paragraph above refers to websites whose address starts with http://. On the other hand, websites that start with https:// are likely to be safe from malicious data harvesting, provided the security certificate is current. One way to know whether you are on a website that you can browse reasonably safely, even through unsecured wi-fi hotspots, is that there should be a green icon in the address bar of your browser, with the image of a padlock. If you click on that icon, it should give you information about the level of security encryption, and about how current the certificate is.

A hint for Facebook users: You can visit https://www.facebook.com to log in. That way, at least your password is safe from being stolen. Everything after the login page is not sent over a secure connection, so the photos and friends’ profiles you visit could theoretically be syphoned off by hackers. Most web email providers also offer a login page that starts with https:// – but you may need to enter the address manually, as the default might not be secure. Also, after logging in, you may find that your emails are displayed over an unsecured connection.

The best, most secure solution, of course, is to not log in to any websites while you are out and about, and use the mobile internet only for catching up with news and other information, but not for personal communication or online shopping.

Mobile antivirus

If you use a personal computer, notebook or netbook, you probably know about and use antivirus software. However, most people haven’t even thought about installing such software on their web-enabled mobile phones. At the moment, the number of viruses and threats for phones is very small, but many experts believe this will grow over time – especially for smartphones. It’s therefore worth considering whether the effect an antivirus would have on your phone’s performance is a valid tradeoff for the added security, or whether the currently small risk is worth taking. You can find out more through technology forums and communities, such as this page on kioskea.net.

Phishing text messages

Beware of phishing text messages. Neither your bank nor your credit card company will ever send you a text requesting login or account information, so if you get a message asking you to verify your login, delete it. To be safe, call your mobile phone provider and opt out of this marketing feature.

The mobile web

If you use mobile computers or mobile phones to access the internet, you need to treat them differently from home computers. They are at a higher risk of loss – and that does not just mean all the data on them, but also any stored passwords, log-in details, and web histories.

If you lose a phone or laptop that is permanently logged in to your favourite websites through cookies, whoever finds it gains access to these. There are two methods to reduce this risk: You could set your browsers not to store passwords. Alternatively, if you do ever lose a mobile internet-enabled device, you will have to change all your passwords on the websites you use.

For laptops, you can also encrypt your hard drive. In combination with using passwords to restrict access to your laptop, this should offer you a reasonable level of protection. Some operating systems include this as a built-in feature you merely need to activate – others do not. Software like TrueCrypt can do the job for you if your computer does not have the feature pre-installed.

Social networks

Many of us use social networks, and Facebook in particular is popular on campus and beyond. It’s a lot of fun for many users, but it has also opened us up to some risks and vulnerabilities. Here is some advice about using social networks with your own data safety in mind:

  • Limit the amount of personal information you post. If they’re your friends, and they want to know your address and phone number, they can message you. No need to post it on the site – and if you do, make sure you restrict who can see these details to the highest privacy settings.
  • Use the privacy control mechanisms offered by your networking site. Don’t leave things to default settings, which may be more liberal with your information than is in your interest.
  • If you add companies to your “friends”, put them on a limited profile list, and restrict the things they can see. You can’t be sure who in the company has access to their profile (and therefore, yours).
  • Also use privacy controls to restrict what information applications can see about you.
  • Keep in mind that your name, your birthday, and your address may well be enough information for someone to defraud you, so try to avoid publishing these three details together anywhere. This includes professional networking and CV repository websites.

One of the biggest problems is that you may not be the only person determining the fate of your information: The way your friends use Facebook (or the social network of your choice) can have a big effect on you. For example, any applications they install on their profiles will be able to see some information about you – at the very least, your name, but if your own security settings are not very restrictive, the application could end up seeing almost as much information about you as the friend who installed it. If a criminal is behind an application, they might be able to harvest that data and use it. On Facebook, for example, there is a page called “What your friends can share about you through applications and websites”, where you can decide what your friends’ applications can see about you. It is advisable to use these controls – why should an application quizzing your friend about their favourite species of caterpillar be able to access your name, address, and photos of your family?

For parents and those appearing in photos with children, there is an extra responsibility to be mindful of – it may not be in young children’s best interest for their photos to appear on the web. If photos are posted, the privacy settings should be used to offer appropriate protection.

In your home

Aside from everyday security measures (keeping your doors locked, and valuable, portable items like notebooks stored where they are not directly visible from ground floor windows), the most important step to protect yourself from fraud is to look after papers with your personal details on them. That means storing them adequately if you retain them, and destroying them (ideally, using cross-cut shredders) when you dispose of them. Your bank statements fall into this category, of course, but it is also advisable to treat any letter or paper that contains your name and address as personal information.

When you move house, it is important to notify your banks, utilities suppliers, university, and other regular sources of correspondence of your move, and to change your details on the electoral roll. If you live at a regular residential address, using a mail redirection service is highly recommended. Otherwise, a stream of letters containing your personal data might reach your old address. For students, moving house quite regularly is one of the biggest vulnerabilities in terms of identity fraud, and you need to be quite savvy about organising your life when you do move house.
