Identity theft is the intentional use or theft of a person’s private information to obtain goods or services from another entity. “Private” information is the facts about you that are not listed in public directories, such as:

* Social Security number, alien registration number
* credit card numbers
* medical information
* unlisted telephone numbers
* user IDs and passwords, PINs
* account numbers at banks/institutions
* motor vehicle license and/or registration number
* biometric data

The information that can be obtained in telephone directories, for example, is not private information; neither is membership in a public group, club or congregation.

With the advent of the Internet and electronic commerce, the increased flow of such information and its aggregation and harvesting has increased the risk of identity theft. Any purchase at a web site or similar online transaction, such as online banking, increases your risk of identity theft. Since the business of identity theft has proven to be relatively easy and very lucrative, you need to take precautions whenever possible to ensure the confidentiality of your private information.

Note that you are not immune from identity theft if you avoid online purchases. Most of the information about you is kept in large databases in government, financial and marketing firms; this data can be used by thieves when data is stolen from mailboxes, the trash, or hacked by internet-savvy people anywhere. You should review your credit records regularly and follow up on any discrepancies. Also see the Miscellaneous section of this page.

E-mail:

1. NEVER send or allow the receipt of private information in an e-mail message. E-mail is sent in the clear. Even when you establish an SSL connection to Domain webmail, the contents of any message you send become public once the message leaves the server. E-mail can be sniffed by hackers, read by administrators at ISPs and otherwise intercepted. It is less private than a postcard. Do not respond to any message that requires you to provide private information. Do not send e-mail messages to your doctor, your insurance company, your bank or any financial institution where you have an account, unless you are posting a message directly onto a secured site (see “Web” below).
2. Spammers often forge e-mails to collect private information (e.g. the PayPal scam, the Nigerian scams) or to socially engineer some kind of denial that yields private information. Treat this as spam, and do not reply. Most e-mail programs come with filtering features these days; use them. Also see the filtering and spam management tools available for Domain users.
3. If you subscribe to any web-based service or establish an online account, always change your password immediately if you receive an e-mail confirmation of your account or your password. Discourage the vendor from sending user/password information in e-mail.
4. When you buy a product or you are asked for an e-mail address by a vendor/restaurant/service company, it’s better to say “no”, especially if that entity already has your credit card number. You won’t be able to prevent them from sending you insecure messages with your private information. Be suspicious of sites that require you to give them your e-mail address in order to make a purchase. Once you give your e-mail address away, you have no control over how it’s redistributed.

Web:

1. NEVER put credit card information into a site that does not first direct you to a secure socket connection (such a connection is identified by the “https” prefix in the address). Pay attention when the browser says that it cannot verify the security of the connection.
2. Test your vendor before processing your first online transaction. Do they have a Privacy Policy? Do they share data with other vendors or affiliates? Has their site been audited and certified by an organization like TruSecure or Verisign? When you get to the https page, is the certificate valid (check for the tiny gold lock on the IE page, view the certificate)? Does the site send you to the SSL page (https) before you put in your password? Despite what your bank says, are they really doing any of these things? Do you get any errors during the transaction?
3. “Messaging portals” that sit behind SSL encryption are a viable alternative to plaintext e-mail. If your doctor or bank provides this kind of site (and it meets the criteria in #2, above), then you can use this for some limited communication. Strictly speaking, however, any computer that is attached to the Internet is going to be hacked at some time or another, and you’re better off not putting a lot of information on one site.
4. After you’ve processed an online transaction, quit your browser completely to destroy any authentication or transaction-related site cookies that may have been put into your temporary cache. There is a distinction between “ephemeral” and “persistent” cookies. “Ephemeral” cookies do not get stored as files, and are wiped from the memory when the application is exited. You can view your persistent cookies in the “Advanced” section of the Tools or Preferences menus in Netscape and Explorer.
5. Don’t allow Microsoft Explorer to remember your passwords. Never check the “yes” button when it asks you to remember the password for a site. Don’t fill out or enable the “AutoFill” option in Internet Explorer.
6. Some web sites will upload cookies to track your browsing activities. Others will alter settings in your computer or install software used for a number of benign or nefarious reasons. Use one or both of the following utilities to remove “Ad-Ware” and “Spy-ware”: Ad-Aware software, Spybot Search & Destroy software
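The distinction in item 4 between “ephemeral” (session) cookies and “persistent” cookies comes down to whether the server set an expiry on them. The following added example (not code from the original page) classifies cookies the way a browser does at exit, using constructed Set-Cookie headers modelled on an online banking session:

```python
# Added example (not from the original page): a cookie with neither "Expires"
# nor "Max-Age" is a session ("ephemeral") cookie, kept only in memory and gone
# when the browser quits. One with either attribute is persistent and is
# written to disk until that time passes. The headers below are constructed.
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

# Constructed Set-Cookie headers a banking site might send during a transaction.
SAMPLE_HEADERS = [
    "SESSIONID=a1b2c3; Path=/; Secure; HttpOnly",
    "auth_token=xyz789; Max-Age=1209600; Path=/; Secure",
    "tracker=u42; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Path=/",
    "txn=done; Max-Age=0; Path=/",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # flags like Secure get ""
    return name, value, attrs

def classify(header, now=None):
    """Return 'session', 'persistent' or 'expired' for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
        return "expired" if seconds <= 0 else "persistent"
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return "expired" if expires <= now else "persistent"
    return "session"

def survives_browser_exit(headers, now=None):
    """Names of the cookies still on disk after the browser is quit."""
    return [parse_set_cookie(h)[0] for h in headers
            if classify(h, now) == "persistent"]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{parse_set_cookie(h)[0]:<10} {classify(h)}")
    print("left on disk:", survives_browser_exit(SAMPLE_HEADERS))
```

Quitting the browser removes only the first kind; the cookies listed by `survives_browser_exit` stay until their expiry and are what the “Advanced” cookie viewer in the browser shows.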

Your Home Network:

1. If you have a high-speed cable or DSL connection, and you’re not using a firewall, your computer is wide open to anyone on that network segment. Buy a hardware or software firewall to protect yourself. Examples of software firewalls are ZoneAlarm, Black Ice, McAfee Firewall and Norton Internet Security. Hardware firewalls come in many forms, and are best for those home users who have multiple computers or devices they’d like to protect. Examples of hardware firewalls are the Linksys, Netgear, Xsense and Colubris products. Geeks running *nix at home can use iptables, ipchains or ipfilter to protect themselves, though iptables is now the best recommendation (if you know what you’re doing).
2. Be very careful about what you or your family downloads to your home computer. Many free programs also contain what’s known as “spyware” – small executables that record your cookies, visits to other sites, and your computer’s configuration. Check the following site before you download anything at home: SpyChecker
3. At the Information Security Office, we see many computers that have been compromised because they downloaded music sharing software and didn’t protect the folder they designated for those shares. Sex sites are notorious for malware, bad security practices, spyware and other programs that are downloaded to your system while you browse. Often the downloads are disguised as banners that the user tries to click away, or are disguised as ActiveX controls that Microsoft Internet Explorer interprets as something it has to accept when the user clicks to view the “free pictures.”

Miscellaneous:

1. Buy a shredder. Shred all credit card receipts before putting them into the trash. Shred credit card statements, bank statements, resumes, utility/phone bills, family records (if you don’t want them) and any other materials that could give a dumpster diver the opportunity to pretend they’re you.
2. If your wallet is stolen, immediately cancel all your credit cards and notify your credit companies. Request that a “fraud alert” be placed in your file.
3. Cordless phones are essentially radios that communicate with your telephone base. There are newer versions that send your conversations over an encrypted channel to the base station, but they are not widely used. If you place an order or discuss something private using a cordless phone, you are sharing your information with anyone operating a nearby radio scanner.
4. When you apply for a job or fill out an application, avoid filling in your Social Security number. Most businesses still have this field on their application forms. Unless they’re planning to make you an offer, they shouldn’t have this information.
5. A new Connecticut law (Public Act No. 03-156) goes into effect on October 1, 2003 that defines Identity Theft and provides additional credit protections for consumers whose identities have been stolen.
6. Get yourself on the “Do not call” list for telemarketers.
7. If you become a victim, file a Police Report. It may be useful to file a report with the Federal Trade Commission (below), but don’t expect a quick response due to their backlog. Unfortunately, the burden of correcting problems related to Identity Theft falls to the victim.
