Locking down your identities: foolproof ways to protect every aspect from theft


For decades, people have been using lookalikes and forged documents to deceive others and gain access to resources they may not have had otherwise. However, with the advent of the internet and the widespread availability of online services, identity theft has become more prevalent and sophisticated than ever before. Cybercriminals can now easily obtain personal information online and use it to impersonate their victims, gain access to bank accounts, open credit cards, and even commit crimes in their names. 

This has turned identity theft into a lucrative industry, with criminals constantly finding new ways to exploit vulnerabilities and steal identities. As such, it is important for individuals to take steps to protect their personal information and be aware of the risks of identity theft when using online services.

One world, multiple identities

Understanding the basics of cybersecurity before taking any preventive measures is essential. The first step is to identify what needs to be protected and then determine the source of the threat to implement appropriate controls. 

To prevent identity theft, one must know what constitutes their identity in both the physical and cyber worlds. Once this is understood, the proper measures can be taken to safeguard the aspects that define one's identity.

In the physical world, a person's identity is defined by government-issued documents like passports, national insurance cards, driving licenses, and other essential documentation, which are vulnerable to theft or forgery. However, the government has implemented measures to make forgery difficult for criminals.

The cyber-world is different, as most people are not fully aware of what constitutes their online identity. This makes it easier for criminals to steal and misuse their identities, as protecting something they do not understand is difficult.

Unlike the physical world, where a person has a single identity, the cyber world has multiple identities associated with legitimate online activities. Compromising any of these identities can lead to significant problems that can spill over into the real world.

Think beyond your physical identity

To protect your identity, it's important to stick to the basics. First, minimize the amount of personal information you share. Keep this information in as few places as possible, and avoid sharing it with others. Remember to keep your identity to yourself and don't give it away, because the less information you share about yourself, the lower the risk of it falling into the wrong hands. It's widely known that personal information, such as your name, address, and date of birth, can be used to identify you.

How many people know your secrets?

If we think about the basic online identity, it is essentially a username and a “secret.” Of course, you could use the same identity on every website - but that becomes a risk because if that identity is stolen, the criminals have the key to unlock access to everything you use online.

Your credentials (username and password) are not always stolen from you directly. Instead, they are often stolen from the operators behind the systems you log on to or your password manager.

You only have to look at the volume of credentials leaked from breaches to realize that if you have been using the internet for even a few years, some of your credentials will likely have been stolen and published online following a data breach.

Try not to be yourself

According to Moore’s Law, computing power doubles every 18 months – which means that every 18 months, the time taken to carry out a brute-force attack on a password is halved. This is why password length and complexity recommendations increase with time – a password length that was secure ten years ago will not be so safe now.

For best practice – when choosing and changing your password, the NCSC recommends three random words unrelated to each other and not those that relate to yourself. So, the name of your pet or hometown should be discarded as an option when making up your password.

Knowing something about someone is an excellent place to start when guessing their password. In today’s world, you don’t need to know them personally – most people nowadays will happily share details of their loves and hates on social media, which can be harvested by those wishing to steal identities. It would not take a stroke of genius to realize that someone posting pictures of their pet is likely to have related words as part of their password.
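The two points above (three unrelated random words, and brute-force time halving every 18 months) can be put into numbers. This is an added example, not part of the original article: the word list and the personal terms are constructed samples, and the attacker's guess rate is an assumed figure supplied by the caller.

```python
import math
import secrets

# Constructed sample list; a real generator would load a list of
# thousands of words so that the search space is meaningful.
SAMPLE_WORDS = ["anchor", "biscuit", "copper", "dolphin", "ember", "fossil",
                "glacier", "harbor", "ivory", "jigsaw", "kettle", "lantern",
                "rex", "cardiff", "marble", "nectar"]

def usable_words(words, personal_terms=()):
    """Lower-case, de-duplicate, and drop anything tied to the user
    (pet name, hometown and similar publicly known details)."""
    banned = {t.lower() for t in personal_terms}
    return list(dict.fromkeys(w.lower() for w in words
                              if w.lower() not in banned))

def three_random_words(words, personal_terms=()):
    """Pick three distinct words using the operating system's CSPRNG."""
    pool = usable_words(words, personal_terms)
    if len(pool) < 3:
        raise ValueError("word list too small after removing personal terms")
    return "-".join(secrets.SystemRandom().sample(pool, 3))

def search_space_bits(pool_size, count=3):
    """Bits of entropy for `count` distinct words drawn in order."""
    return math.log2(math.perm(pool_size, count))

def years_to_exhaust(bits, guesses_per_second, years_from_now=0.0):
    """Worst-case brute-force time in years, with attacker speed doubling
    every 18 months as the article states. `guesses_per_second` is an
    assumption chosen by the caller, not a measured figure."""
    rate = guesses_per_second * 2 ** (years_from_now / 1.5)
    return 2 ** bits / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    personal = ["Rex", "Cardiff"]  # hypothetical pet name and hometown
    pool = usable_words(SAMPLE_WORDS, personal)
    bits = search_space_bits(len(pool))
    print(three_random_words(SAMPLE_WORDS, personal))
    print(f"{bits:.1f} bits from a {len(pool)}-word sample list")
    print(f"speed-up after 10 years: {2 ** (10 / 1.5):.0f}x")
```

With the 18-month doubling, ten years gives an attacker roughly a 100-fold speed-up, so a passphrase needs about seven more bits of entropy to stay as hard to guess as it was a decade earlier.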

However, as we know, passwords frequently get stolen, so while it’s essential to change them regularly, online identities must be protected by more than just one set of credentials. This is where multi-factor authentication steps in.

The recommendations for verifying a person’s identity in the real world include using multiple documents. There are three primary factors in the cyber world:

  • Something you know - such as your mother's maiden name
  • Something you have - such as a security token or phone number
  • Something you are - biometric credentials

The same factor can be used multiple times, but this is not as strong as using different factors - and for true 2-factor authentication (2FA), it should be two independent factors. The second factor should not rely on the first - so using the same username and password that you use for a system to open your email account and retrieve a security token is not true 2FA.

While biometrics are usually considered a reasonably strong factor, they can be bypassed by using fake fingerprints, voice recordings, or photographs – think of how many photos you have of yourself on social media platforms such as Instagram, Facebook, or LinkedIn, and remember that these can provide a rich source of imagery to fool facial recognition.

Has your identity been stolen?

Let’s go back to the original point on identity theft becoming an industrialized business and not a cottage industry in the internet age. The basic online identity of a username and password doesn’t fetch much on the dark web, but if it’s a password you use for multiple accounts, it can become a rewarding purchase if the person is prepared to do a little digging.

However, the portfolios that consist of identification numbers, addresses, birthdates, credentials, medical records, etc., attract the best prices. If someone is after your full physical and cyber identity and is prepared to do anything, they’ll likely be able to get it if you don’t act cautiously.

That aside, 99% of those involved in identity theft are after quick and easy money. They are also likely to be in a different country or continent from you, so they won’t be able to pick your pockets or break into your home to steal devices – they aren’t state spies. However, these are the ones that will be hunting down your cyber identities, which are much easier to target, so you must educate yourself on the risks and not give away any crucial information that can be accessed remotely.

You can take several steps to limit the risk of identity theft both in the real world and online.

In the real world:

  • Securely store documents that carry personal information that can identify you - such as your name, address, etc.
  • Securely destroy these documents when they are no longer required
  • Monitor your bank accounts and credit rating for any suspicious activity
  • When you move to a new house, ensure all contacts are updated, and the mail is redirected
  • When disposing of electronic equipment, ensure it's wiped

In the cyber world:

  • If you're buying online, take the time to examine the website and ensure it's secure
  • Educate yourself so you can recognize online scams
  • Quizzes on social media are very often a means of tracking those who respond - copy and paste the link instead of clicking directly
  • Secure your passwords and use different ones for different accounts
  • Don't secure your password vault with the same credentials you use online
  • Use multi-factor authentication where possible

Finally, in all circumstances, you should always disclose the minimum amount of information to ensure maximum security. Your identities are integral to you - so don’t lose control of them. Stay alert, and you won’t be disappointed.

Geraint Williams is Chief Information Security Officer at IT Governance.