It is personal and unique to each of us and we all use ours every day, and yet I can borrow it from you but you may never notice it missing; I can take it from you and yet you will still have it; I can use it to obtain something that will never be yours.
What is it?
Statistics from the UK indicate that 25% of Britons have been victims of some sort of identity crime. The ensuing loss totals some £1,200 on average per person and can take up to 200 hours to be adequately remediated.
Worse than the direct and indirect losses, however, is the sense of violation. Our identity represents our individuality; where that is borrowed or stolen, it leaves the victim feeling impotent.
The problem is that much of our personal data is regularly disclosed either by necessity, in dialogue with people and organisations where the establishment of our credentials is an essential part of our interaction, or by conscious or subconscious choice, in the information that we reveal on our social network profiles or through actual disclosure in our day-to-day dealings.
Criminals intent on securing adequate information to pass themselves off as a genuine person will set about harvesting data from as many sources as possible. They will even seek that information directly from the customer themselves, often through social engineering. This involves tricking a customer into divulging information or breaching protocols that exist for their protection, often by pretending to be someone in a position of authority or trust, such as a bank worker or member of the police.
Attempts to constrain personal data disclosure by the use of other references such as account or document numbers or unique but impersonal access cards have historically been met with resistance. And of course, even proxies for credentials have been repurposed by the criminals.
For example, criminals have “hacked” our trust in banks and card issuers with phony calls: “I am calling from your bank about your account with us ending 7247. Before progressing further, for identification and security reasons, can you please tell me your full name? And your full address? And your date of birth? OK, thank you for passing security.”
The basic rule of thumb when it comes to managing your identity is: keep disclosure to a minimum and only divulge information to trusted sources.
Where you have not initiated the contact personally, be on your guard even if you appear to be receiving contact from someone you know. Barely a week passes by without me receiving e-mails from former acquaintances suggesting that I should “click on this link” or “take a look at this picture” – and the vast majority of the time these are coming from others who have compromised and spoofed friends’ e-mail accounts and are trying to get me to download malicious software.
Watch out when you get unexpected phone calls. If the caller’s number is withheld or not recognised, and the caller is asking for complete information from you, such as an account or reference number or a full password or pass code, then it is almost certainly not who they purport to be, even if they claim to be from the bank or similar. If you want to check, hang up and call the bank on a number you recognise, such as the one on the back of your card, cheque book or statement. They should be able to confirm whether someone is legitimately trying to get hold of you or whether it is purely a scam.
Don’t be fooled into thinking that identity theft only happens as a result of technology-based scams such as malware or phishing e-mails. There is just as much exposure arising from intercepted physical mail or poorly managed waste or document destruction procedures. So be careful about what you put in your bin!
The UK’s “Not With My Name” initiative includes lots of useful and practical recommendations for avoiding identity scams. FICO and I continue to work in areas such as the MIDAS Alliance to perfect the next generation of identity confirmation software and prevent “the imitation game.”