Protect Your Personal Information
By Tony Bradley, CISSP-ISSAP, About.com
How much information does someone really need to know in order to impersonate you to a third party? Your name? Birth date? Address? Armed with easily found information such as this, and maybe a couple of other key pieces of information such as the high school you went to, your dog’s name or your mother’s maiden name, an individual might be able to access your existing accounts or establish new loans or credit in your name.
Recently, reports of security breaches in which customer data and personally identifiable information (PII) were somehow compromised seem to appear almost daily. Choicepoint, Lexis Nexis, DSW Shoe Warehouse, Ralph Lauren / HSBC, Bank of America and more have all reported massive amounts of compromised or ill-gotten customer information just in the past couple of months.
However, most identity theft or compromises of PII, including a couple of the major breaches mentioned above, have nothing to do with the Internet or lax computer or network security. Unpatched operating system vulnerabilities or hacking wizardry are involved in a relatively small number of the total cases. The Choicepoint breach resulted from poor processes for verifying that a business asking for consumer information had a legitimate reason to do so. The Bank of America breach resulted from a data backup tape being lost in transit.
Information can be pulled from your trash can. Waiters can swipe or simply write down your credit card number when you make a purchase at a restaurant. There are a variety of laws related to securing customer information including Sarbanes-Oxley, HIPAA, GLBA and others. Congress is currently investigating the breaches at Choicepoint and Lexis Nexis and considering further legislation aimed at allegedly protecting customer data. But social engineering and good, old-fashioned theft still pose a larger threat than network security, and it is up to you to monitor and protect your personal information and your credit.
Below are some tips you can follow to help secure and protect your personally identifiable information and ensure that neither your identity nor your credit has been compromised.
1. Watch for shoulder-surfers. When entering a PIN or a credit card number at an ATM, at a phone booth, or even on a computer at work, be aware of who is nearby and make sure nobody is peering over your shoulder to make a note of the keys you’re pressing.
2. Require photo ID verification. Rather than signing the backs of your credit cards, you can write “See Photo ID”. In many cases, store clerks don’t even look at the signature block on the credit card, and a thief could just as easily use your credit card to make online or telephone purchases which don’t require signature verification, but for those rare cases where they do actually verify the signature, you may get some added security by directing them to also make sure you match the picture on the photo ID.
3. Shred everything. One of the ways that would-be identity thieves acquire information is through “dumpster-diving”, aka trash-picking. If you are throwing out bills and credit card statements, old credit card or ATM receipts, medical statements or even junk-mail solicitations for credit cards and mortgages, you may be leaving too much information lying about. Buy a personal shredder and shred all papers with PII on them before disposing of them.
4. Destroy digital data. When you sell, trade or otherwise dispose of a computer system, or a hard drive, or even a recordable CD, DVD or backup tape, you need to take extra steps to ensure the data is completely, utterly and irrevocably destroyed. Simply deleting the data or reformatting the hard drive is nowhere near enough. Anyone with a little tech skill can undelete files or recover data from a formatted drive. Use a product like ShredXP to make sure that data on hard drives is completely destroyed. For CD, DVD or tape media you should physically destroy it by breaking or shattering it before disposing of it. There are shredders designed specifically to shred CD / DVD media.
5. Be diligent about checking statements. This actually has two benefits. First, if you are diligent about checking your bank and credit statements each month, you will be aware if one of them doesn’t arrive and that can alert you that perhaps someone stole it from your mailbox or while it was in transit. Second, you can ensure that the charges, purchases or other entries on the statement are legitimate and match up with your records so that you can quickly identify and address any suspicious activity.
6. Pay your bills at the post office. Never leave your paid bills in your mailbox to be sent out. A thief who raids your mailbox would be able to acquire a slew of critical information in one envelope: your name, address, credit account number, your bank information including the routing number and account number from the bottom of the check, and a copy of your signature from your check for forgery purposes, just for starters. Drop your bills at the post office or at least in an official U.S. Postal Service drop box to ensure that doesn’t happen.
7. Limit the information on your checks. It may be convenient to have your driver’s license number or social security number imprinted on your personal checks to save some time when you write one, but if it falls into the wrong hands it reveals too much information. In fact, some recommend that you only include your first initial in the name space of your check, such as “T. Bradley” rather than writing out “Tony Bradley” so that if someone did get one of your checks they would not know your full name.
8. Analyze your credit report annually. This has always been good advice, but it used to cost money, or you had to first be rejected from receiving credit so that you could get a free copy. Now it is possible to get a free look at your credit report once per year. The big three credit reporting agencies (Equifax, Experian and TransUnion) joined forces to provide free credit reports to consumers. The web site, annualcreditreport.com, is currently available for the Western and Mid-Western states, with the Southern and Eastern states being rolled out later this year. You should review it to make sure the information on it is accurate and also make sure that there aren’t any accounts on there that you aren’t aware of or any other suspicious entries or activity.