How to protect every single one of your identities from theft


Using lookalikes and forged documents to fool people is not new. Still, the introduction of the internet and easy-access online services has meant that identity theft has become an industry in itself.

One world, multiple identities

The basics of cybersecurity are, firstly, to understand what you are trying to protect and then what you are protecting it from - so you can put the appropriate controls in place. So, to prevent identity theft, you need to know what your identity is defined by - both in the physical and cyber worlds. Once this is understood, you can ensure you have the proper controls to protect those aspects that define your whole identity.

In the physical world, your identity is defined by Government IDs such as passports, national insurance cards, driving licenses, and other necessary documentation, all of which can be forged or stolen. However, most people are aware of the risks from a stolen passport or driving license, and the government deploys measures embedded within the document to make forgery much harder for criminals.

This is very different from the cyber world - where most people are not fully aware of what identifies them online. Unfortunately, this makes it much easier for criminals to steal and abuse those identities - because if you don’t know what needs protecting, how can you protect it?

In the physical world, we essentially have a singular identity. However, in the cyber world, we have many identities as part of legitimate online activities - and the compromise of any of these identities can begin to cause huge problems that carry over into the real world.

Think beyond your physical identity

Protecting your identity starts with the basics: keep what identifies you to a minimum, keep this information in as few places as possible, and do not share it with anyone. Keep your identity to yourself and do not give it away – because the less you give out about yourself, the lower the risk of that information falling into the wrong hands.

It’s commonly known that the following information can be used to identify a person:

  • National Insurance number
  • Address
  • Email
  • Phone number
  • Login ID
  • Social media posts
  • Biometric data
  • Digital images

However, there's also:

  • Geolocation
  • Behavioral data
  • IP address

How many people know your secrets?

If we think about the basic online identity, it is essentially a username and a “secret.” Of course, you could use the same identity on every website - but that becomes a risk because if that identity is stolen, the criminals have the key to unlock access to everything you use online.

Your credentials (username and password) are not always stolen from you directly. Instead, they are often stolen from the operators behind the systems you log on to or your password manager.

You only have to look at the volume of credentials leaked from breaches to realize that if you have been using the internet for even a few years, some of your credentials are likely to have been stolen and published online from some data breach.

Try not to be yourself

According to Moore’s Law, computing power doubles every 18 months – which means that every 18 months, the time taken to carry out a brute-force attack on a password is halved. This is why recommendations for password length and complexity increase with time – a length that was secure 10 years ago will not be so secure now.

For best practice – when choosing and changing your password, the NCSC recommends three random words that are unrelated to each other and are also not ones that relate to yourself. So, the name of your pet or hometown should be discarded as options when making up your password.
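The arithmetic behind the two paragraphs above (brute-force time halving every 18 months, and three random words), as an added example that is not from the original article. The guess rate, the 7,776-word list size and the sample words are assumptions chosen for illustration.

```python
import math
import secrets

DOUBLING_MONTHS = 18      # the article's Moore's Law figure
GUESSES_PER_SEC = 1e6     # assumed attacker speed today, for illustration only
WORDLIST_SIZE = 7776      # assumed size of the list the random words come from
SAMPLE_WORDS = ("copper", "lantern", "orbit", "velvet", "harbor", "pickle")  # constructed

def keyspace_bits(choices: int, length: int) -> float:
    """Bits of entropy when `length` items are each picked uniformly from `choices`."""
    return length * math.log2(choices)

def exhaust_seconds(bits: float, rate: float, years_from_now: float = 0.0) -> float:
    """Time to try every candidate, with attacker speed doubling every 18 months."""
    speedup = 2 ** (years_from_now * 12 / DOUBLING_MONTHS)
    return 2 ** bits / (rate * speedup)

def years_until_crackable(bits: float, rate: float, budget_seconds: float) -> float:
    """Years of doubling before a full search fits inside `budget_seconds`."""
    now = exhaust_seconds(bits, rate)
    if now <= budget_seconds:
        return 0.0
    return math.log2(now / budget_seconds) * DOUBLING_MONTHS / 12

def random_words(wordlist, count: int = 3) -> list:
    """Choose words with a CSPRNG so they are unrelated to each other and to you."""
    return [secrets.choice(wordlist) for _ in range(count)]

if __name__ == "__main__":
    day = 86400
    candidates = {
        "8 random lowercase letters": keyspace_bits(26, 8),
        "12 random lowercase letters": keyspace_bits(26, 12),
        "3 random words": keyspace_bits(WORDLIST_SIZE, 3),
        "4 random words": keyspace_bits(WORDLIST_SIZE, 4),
    }
    for label, bits in candidates.items():
        today = exhaust_seconds(bits, GUESSES_PER_SEC) / day
        in_10y = exhaust_seconds(bits, GUESSES_PER_SEC, 10) / day
        wait = years_until_crackable(bits, GUESSES_PER_SEC, day)
        print(f"{label}: {bits:.1f} bits, {today:.3g} days now, "
              f"{in_10y:.3g} days in 10 years, one-day search after {wait:.1f} years")
    print("example passphrase:", "-".join(random_words(SAMPLE_WORDS)))
```

Under these assumptions each extra random word adds about 12.9 bits, which the 18-month doubling takes roughly 19 years to erase. The figures only hold when the words are chosen at random rather than from things that relate to you.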

Knowing something about someone is an excellent place to start when guessing their password. In today’s world, you don’t need to know them physically – most people nowadays will happily share details of their loves and hates on social media, which can be harvested by those wishing to steal identities. It would not take a stroke of genius to realize that someone posting pictures of their pet is likely to have related words as part of their password.

However, as we know, passwords frequently get stolen, so while it’s essential to change them regularly - it’s also vital that online identities are protected by more than just one set of credentials. This is where multi-factor authentication steps in.

The recommendations for verifying a person’s identity in the real world include using multiple documents. There are three basic factors in the cyber world:

  • Something you know - such as your mother's maiden name
  • Something you have - such as a security token or phone number
  • Something you are - biometric credentials

The same factor can be used multiple times, but this is not as strong as using different factors - and for true 2-factor authentication (2FA), it should be two independent factors. The second factor should not rely on the first - so using the same username and password for a system to open your email account and retrieve a security token is not true 2FA.

While biometrics are usually considered a reasonably strong factor, they can be bypassed by using fake fingerprints, voice recording, or photographs – think of how many photos you have of yourself on social media platforms such as Instagram, Facebook, or LinkedIn, and remember that these can provide a rich source of imagery to fool facial recognition.

Has your identity been stolen?

Let’s go back to the original point that identity theft has become an industry, not a cottage business, in the internet age. The basic online identity of a username and password doesn’t fetch much on the dark web, but if it’s a password you use for multiple accounts, it can become a rewarding purchase if the person is prepared to do a little digging.

However, the portfolios that consist of identification numbers, addresses, birthdates, credentials, medical records, etc., attract the best prices. If someone is after your full physical and cyber identity and is prepared to do anything, they’ll likely be able to get it if you don’t act cautiously.

That aside, 99% of those involved in identity theft are after quick and easy money. They are also likely to be in a different country or continent from you, so they won’t be able to pick your pockets or break into your home to steal devices – they aren’t state spies. However, these are the ones that will be hunting down your cyber identities, which are much easier to target, so you must educate yourself on the risks and not give away any crucial information that can be accessed remotely.

You can take several steps to limit the risk of identity theft both in the real world and online.

In the real world:

  • Securely store documents that carry personal information that can identify you - such as your name, address, etc.
  • Securely destroy these documents when they are no longer required
  • Monitor your bank accounts and credit rating for any suspicious activity
  • When you move to a new house, ensure all contacts are updated, and the mail is redirected
  • When disposing of electronic equipment, ensure it's wiped

In the cyber world:

  • If you're buying online, take the time to examine the website and ensure it's secure
  • Educate yourself so you can recognize online scams
  • Quizzes on social media are very often a means of tracking those who respond - copy and paste the link instead of clicking directly
  • Secure your passwords and use different ones for different accounts
  • Don't secure your password vault with the same credentials you use online
  • Use multi-factor authentication where possible

Finally, in all circumstances, you should always disclose the minimum amount of information to ensure maximum security. Your identities are integral to you - so don’t lose control of them. Stay alert, and you won’t be disappointed.

Geraint Williams is Chief Information Security Officer at IT Governance.