Posts Tagged ‘Facebook’

Protect Against Identity Theft

Tuesday, July 22nd, 2008

Identity theft is big business! With the information sharing age upon us, should we take steps to start the information restriction age to protect our online identities from theft? More and more of our business and personal practices are online. We make payments online, and transfer and receive large quantities of money online. Our banks are online. Facebook, LinkedIn, Bebo, Ecademy and Twitter users have much of their personalities online. Websites simply aren’t protecting our online identities the way they should be, and the law doesn’t want to know, so we have to take matters into our own hands!

This is by no means a definitive list so please do add ideas into the comments if there’s anything you feel should be added.

Basic steps to protect your identity online:

Passwords:

The first and easiest route for online identity theft is the human element: passwords. I can access my business bank account with a single username and password and that scares me, but it doesn’t have to. To obtain this information, an identity thief can use 3 methods:

  1. Know what I like and try to guess the password based on my interests, relationships and date of birth (all of which can be obtained through Facebook!).

    SOLUTION: Do not choose easily guessable passwords (and no, S1m0n isn’t much more secure than Simon when using real words).
  2. If I use the same password for more than one service, someone gets hold of the password for one system and can access another. This can happen by signing in to an untrusted website where they’re not asking for money but you do need to register. It can happen by a legitimate website being hacked or it could even be overheard or abused when you’re in a hotel foyer, calling home directing your friend or PA into your email to get your booking details.

    SOLUTION: Use a different password for different websites.
    Alternatively, use one secure password for the secure sites and lesser passwords for lesser sites, i.e. my business and personal banks have the same password. My Hotmail account (used for junk only) and Facebook account use another.
  3. The brute force or dictionary attack uses random characters or known words with and without numbers to keep guessing. This is done automatically and can guess around 10,000 possible combinations in a day. If your password happens to be in a dictionary, with or without numbers, no matter how obscure, the password will be guessed within a few hours. If you had a long random list of numbers and letters, it could take weeks or even months. Some websites lock out after a few guesses to try and prevent it, but most don’t.

    SOLUTION: Choose passwords as randomly as possible, but it needs to be memorable!

    One tip I’ve heard for helping to keep passwords obscure for both computers and humans is to turn a phrase into an acronym. For example, I could have the password MWCFMAICFMK, based on the phrase “My wife comes from Mauritius and I come from Milton Keynes”. It makes it random but memorable for someone who knows this keyphrase. Add some numbers in there to increase randomness and you’re laughing. The common way is to swap similar letters and numbers (for example, the letter i becomes the number one). This can help, but don’t rely on it 100%.

    Finished Password: mwcfm41cfmk (12 characters)
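
A check that covers the three guessing methods above, as an added example that is not part of the original post: it undoes common letter-for-number swaps before looking a password up, so S1m0n is caught the same way Simon is, and it also flags reuse. The word list, profile facts and function names are constructed for illustration.

```python
import re

# Look-alike swaps undone before lookup, so "S1m0n" is checked as "simon".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample data: a tiny word list and facts readable off a profile.
WORDLIST = {"simon", "password", "dragon", "monkey", "mauritius"}
PROFILE_FACTS = {"simon", "mauritius", "miltonkeynes", "1975"}


def candidates(password):
    """Forms a guesser effectively covers: lowercased, swaps undone, digits stripped."""
    low = password.lower()
    plain = low.translate(LEET)
    forms = {low, plain}
    for form in (low, plain):
        # Digits stuck on the front or back of a word add very little.
        forms.add(re.sub(r"^\d+|\d+$", "", form))
    return forms - {""}


def audit(password, other_site_passwords=()):
    """Return the problems found; an empty list means none of the checks fired."""
    problems = []
    forms = candidates(password)
    # Method 1: guessable from interests, relationships, date of birth.
    if any(fact in form for fact in PROFILE_FACTS for form in forms):
        problems.append("contains personal information")
    # Method 3: a dictionary word, with or without numbers.
    if forms & WORDLIST:
        problems.append("dictionary word, with or without numbers")
    # Method 2: the same password used for more than one service.
    if password in other_site_passwords:
        problems.append("reused on another site")
    return problems


if __name__ == "__main__":
    for pw in ("Simon", "S1m0n", "dragon42", "mwcfm41cfmk"):
        print(pw, audit(pw, other_site_passwords=["dragon42"]))
```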

Forgotten Passwords

OK, my password is secure. The second route into less secure sites is hitting the ‘Forgotten password’ button. Some ask for simple information (mother’s maiden name, date of birth etc.) before emailing the password to the account in your profile, some just email it, and some will allow a complete password reset and only email to confirm, giving immediate but limited access. You therefore need to protect your mother’s maiden name and your date of birth. The trouble is that this information isn’t all that hard to get hold of!

Solutions? When you’re asked for your date of birth and mother’s maiden name on non-trusted sites and where lying isn’t going to be called fraud, lie. Use a date of birth and name which means nothing realistically to you but which only you know as being your backup details. This way people who know your real DOB won’t be able to gain access.  Obviously when applying for credit, insurance etc. you have a legal obligation to provide your real details but these tend to be more secure.

Post-it Notes

One of the biggest no-goes in the history of computers! Never, under any circumstances, at all, ever write down your passwords on a post-it note and stick it to your monitor! The back of your desk diary is the second most common place to write it. This can be as helpful as sending a mass email with all your passwords to your friends, IT repairman, next door neighbour’s son who helps you every time you get a virus etc etc etc…

If you need to write your access details down at any point, you need to keep this as secure as the original information. Don’t label it ‘Passwords’, and don’t leave it within easy and obvious access from the PC. Write the actual password element backwards. Anyone who tries it the normal way will assume it’s out of date and give up. My sheet with the password above would read:

Hotmail:
simon@hotmail.com
kmfc14mfcwm

The Computer:

While we’re working in the office, the next thing to keep secure is the computer. Make sure you have a good anti-virus. AVG is one of the best I’ve ever used in the last 10 years, and they do have a free version for domestic use (http://free.avg.com/). How will this help?

Some of the worst viruses and programs you can have on your PC are the ones that don’t do anything visibly. Some can sit there logging everything you type (usernames, letters, passwords, emails, credit card numbers) and send it off to the originator to decode. A good virus scan should keep these out and keep you safe.

Some people also recommend running Lavasoft’s Ad-Aware every so often. This helps catch things which aren’t specifically classed as viruses but can be damaging. Don’t be alarmed when you see the number of things it will find. To be on the safe side, it removes everything which could track what you’re doing, including internet cookies, which are very limited and don’t really do anything bad: they help record that you’re logged into a site but don’t give away passwords. Their free version is here: http://lavasoft.com/products/ad_aware_free.php

The websites

The websites themselves can also be quite weak. When you sign up with a site or make a payment, it’s illegal for the website owner to store your credit card details and certain others without a minimum level of security… but who enforces laws on the internet? Only give your more private details to trusted websites with a proven track record. If you don’t trust them or there’s doubt, sign up for a free Hotmail or Yahoo email address and use that for these sites only. If you’re likely to get one email and nothing more, consider using Temporary Inbox.

Facebook

Facebook and other social networking sites can pose a real threat. Just this week, a security threat led to users’ details being exposed. (read about the latest Facebook security hole here)

The truth is that most data handed out has to have been given in the first place. Try using your secondary date of birth, mother’s maiden name etc. and ONLY put information on the world wide web which you want everyone on the world wide web to see! It doesn’t matter that people can or can’t see your date of birth as all someone has to do is scan through your wall or public messages and look for the abundance of ‘Happy Birthday’ messages from your friends and family and look at the date of posting!

Scam and Spam

Occasionally you will probably receive notifications of account closures or emails requesting you to click a link and log in. DON’T! If there is any doubt, go to the website in question manually; do not use the links provided if you then have to enter your password details. This is known as phishing. They can divert you to their own website made to look like your bank, PayPal etc., encouraging you to log in. If you get an email from NatWest requesting that you log in, open your browser, go to www.natwest.com and log in there. According to Sophos, only 1 in 28 emails is actually legitimate.

Making Payments

Many of my clients want to take payments online and always scoff at the idea of offering PayPal payments. PayPal is a good system with the buyer in mind. They do have higher than average charges, but personally I feel you get value for money. They are, at the end of the day, just another website, but they are big enough and their whole reason for being is security. Without that, the whole business would collapse overnight!

As I said at the beginning, this is not a definitive list but contains all the most relevant and basic things to know about putting your information online. It’s a lawless society which is slowly dominating our lives and should be treated with care!

Facebook Connect - Social/Business Networking on Steroids?

Saturday, May 10th, 2008

Taken from C|net: Facebook Connect. For those who don’t like clicking… this is copied from the article:

Social network Facebook announced Friday the debut of Facebook Connect, a new technology for members to connect their profile data and authentication credentials to external Web sites. It makes the company the latest major Web site to embrace the concept of data portability.

The formal announcement was made through a post on Facebook’s developer blog by senior platform manager Dave Morin, who has been one of the company’s most visible evangelists in the developer community over the past year. Facebook Connect will launch within the next few weeks.

Through Facebook Connect, members will be able to use their Facebook identities across the Web–profile photos, names, photos, friends, groups, events, and other information. Facebook profile content, for example, could appear on other social sites, and Facebook event listings could theoretically connect with external event and invitation services.

Facebook will handle the authentication process, and while privacy controls have not been made clear, the company has stressed that user security will be a priority. And there’s reason to believe Facebook will be particularly careful: The company already partners with outside services to share data in its Beacon advertising program, and the PR missteps surrounding Beacon’s launch are something that Facebook likely does not want to repeat.

It’s a big move for the site. Until this point, Facebook has had a reputation for keeping its cards close to its chest–even banning the account of popular blogger Robert Scoble when he used a script to export his Facebook contact list to Plaxo. But Facebook has a representative in the Data Portability Workgroup, and executives have said that Facebook has wanted to bring its information outside the site eventually.

“These are just a few steps Facebook is taking to make the vision of data portability a reality for users worldwide,” Morin wrote in his blog post. “We believe the next evolution of data portability is about much more than data. It’s about giving users the ability to take their identity and friends with them around the Web, while being able to trust that their information is always up to date and always protected by their privacy settings.”

Last month, Facebook started partnering with other social sites to pull external data into Facebook’s “mini-feeds,” displaying user activity from the likes of Flickr and Yelp on Facebook profile pages.

No partner Web sites for Facebook Connect have been announced yet, but director of platform Ben Ling explained to CNET News.com that “there’s been a lot of partner interest.” One partner, however, was displayed in mockups on Facebook’s developer blog: social news site Digg.

The technical details also remain unannounced. “We’re not announcing the details of the partner integration today,” Ling said. “What we’re announcing at a high level is that we will have a program that’s built into partners large and small, and they will be able to access Facebook Connect.”

Facebook kick-started the social-networking developer platform craze when it launched the Facebook Platform a year ago. But on Thursday, bigger rival MySpace made a big move when it opened its own profile content to outside sites–in a sense the reverse of Facebook’s famous decision to welcome external developers onto its own site. Facebook representatives said Friday that there are now more than 350,000 developers from 225 countries developing for the platform, although one prominent programmer said earlier this week that he believes activity may be slowing.

Facebook has also held over 50 “developer garage” events in 10 countries, and Ling said that Facebook Connect will be discussed at future “garages.”

One Facebook insider, speaking on the condition of anonymity, said to CNET News.com that the project had been in the works for quite some time, and said the announcement wasn’t issued as a response to MySpace’s “Data Availability” project. “We actually think what they are up to is pretty cool.”

Representatives from MySpace were not immediately available for comment.

MySpace has partnered with the likes of eBay and Yahoo for Data Availability, which means that many of the Web’s biggest names are now warming up to the idea of social-network identity portability. It’s likely to be popular with users eager to quell the onset of “social fatigue” from too many logins and profiles, but privacy and security advocates may raise a red flag–as might advertisers, to whom Facebook’s walled-in user base was ideal for targeted marketing. Spreading that data across the Web could complicate matters on that front.
