Discussion on:

How to steal an identity in seven easy steps

Time to redefine myself.

Sometimes you can reveal information that may seem of no help to a person seeking to get control of your life. An example: once I received a telephone call from an insurance agent (? )who quoted my birthdate month and year. He wanted the name of the town where I was born. I told him he had no need for that for insurance purposes and hung up. The risk: he writes to the county seat offices, quoting the birthdate information, and requests a birth certificate. He no doubt would have received it and away goes my identity.

One way to stop this line of attack is to treat security questions as just another password prompt. You can put any data into these fields, and it can be completely random. That way nobody can guess the answer from online info.

Of course, this is a bit of a problem when you're trying to remember one password by entering another. But you can use the same one or two passwords for all security questions. You will be no worse off than if the information can be obtained by anybody on the internet, and in most cases better off. Or you can store the info on USB keys, protected via Lastpass or similar online database which can be opened using a Yubico Yubikey, or even written down somewhere if that location is secure. Remember, this is a backup system for when you've forgotten a password, it doesn't have to be as convenient or easy as normal password entry.

hi
i agree with the first point, but using a password manager for those details can be helpful

I agree that using an obscure answer and question (not always allowed) is a great approach. It also makes sense to use a deadend email that is not setup for reset. Eventually you might need to send a letter and proof but all s protected. Plus you can create one that can be very specific and also use a local doc store to hold it's value with a reverse obscure reference.

This should serve as a wake-up call to the multitudes of people who have laid themselves bare in the internet. I'm no Luddite, but aside from being a huge time suck, typical social media encourages posting way too much personal data. People are fools to post ANY details. If you want to promote a career stick to some high points and explain that details are available to qualified requestors.

Google provides it with GAuthenticator for free. It would have rendered this type of attack completely useless.

please enlighten us because i have looked for such an item and come up with nothing...how/where/ do we get said item?

http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

...also use cell phone password reset. It's easy to hack someone's cell and hijack text messages specially if it's on a smartphone

one will need physical access or a clone of the phone/sim to access sms.

Honestly this is just the tip of the iceberg.
Lock your cell phones there is a ton of information in there that someone could use against you.
Limit the information you have online. Yes facebook and google + allow you to put in all types of information but unless you lock your account then anyone can see it.
Have some idea of what information about you is out there. Do some searching yourself. If you find a site or page that has information you might not want to share find out how to remove it.

I never give my real birth date to anyone that doesn't really need it. Especially not any social media site. I put in a fake date that still keeps my age over 18. There are a lot of bad guys out there that will use all the information you make public.

That's why your registration data should be minimum or fake (birthday, address, answer to secret question). The only true data you should give is your name, and that's it.

Not so with Google. I know somebody who gave a fake birthday for the Google phone number offer, and Google shut that person down until a birth certificate is produced to prove real age. That person refuses as Google is asking for information that is not necessary for the kind of service they are providing. It could be used for identity theft - after all - Google is not a totally secure service either!

Whenever I seek a password from my various bank accounts, I get an email admonishing me to confirm that it was *I* who sought the information. Kim fell down on the job when she didn't reply to the emails sent by her bank or other financial branch acknowledging that she requested the information. The hacker could have been shut down completely if she had responded to the bank queries to assure that it was she who requested the information. That said, I have changed my challenge information to make sure that a hacker could not figure out what my password response was. Even my wife doesn't have a clue what the answer is. Nowhere on any site is the answer to my challenge question. Thanks for the insight to make my information less accessible to a knowledgeable hacker.

Once the hacker gets into your email accounts, he can delete the emails that the bank sent. I don't know about you, but most students are not checking their email every few minutes. Now, if she had a smartphone (he could have determined that from the blog, maybe), she might hve had a chance.

Most Banks nowa days use OTP. So the password will be sent via sms than email.

If some one needs to access some else's bank account, some bank accounts are easy to get. Mostly only the account number is needed for telephonic interactions. One bank asks me the following details for 'security' reasons:
email Id: easy to get
mobile number: again not too difficult
dob: may be a bit difficult if the target is a bit security conscious, else all details from facebook.

Hi:
Thanks for this, "How to steal an identity"
This can get some evil guys rich; stealing homeowner's houses.
Thanks Sir,
Mr Innocenti.

One of the tricks I learned, and taught, as an IT specialist was quite simple. When creating answers to security questions, LIE! i emphasize this only to be funny, but the procedure works. As long as you remember or safely record the answers, you can say your father's middle name is anything! Your elementary school could suddenly be in Bangkok! People who can find real answers aren't helped unless you do something too routine or obvious when you create the fictitious answers. You can't fake some things, but most of you will know what you CAN alter.

Try to open a Hotmail e-mail account and then, without knowledge of secondary account or computer with Vista or Windows 7 that may have been used (the only computer allowed to make changes btw), try to change the password and get access. As a tech savy user, I tried to help a friend who could not get access to her account. We even knew that other e-mail addy but since it was also a hotmail account and hadn't been used in some time, could not get access to it. At least Gmail has a way to call someone, but not sure how well that works, just saw the phone number which Microsoft does not have. Best solution is to have a local ISP and e-mail. You cannot change password without contacting them directly and you have people to talk with instead of a computer. Better security and less hassle for those in real need of changing information. Don't have too many passwords either. For the average user, they will forget passwords unless they are written down either in a file or on paper. This makes information less secure right off the top. If requirements were the same on all sensitive accounts it would be a blessing, but some require you to reset your password or access account within a certain time period. Some require letters and numbers, at least 8 while others require at least one upper case and one lower case as well as a number and some kind of symbol. Why not make it universal? I'm sure the government could simply tell people their url will be removed from the DNS unless they comply and have it happen. Pretty easy to force companies to stop being so lazy.

this sux

Why don't I at least get some kind of error message when a well thought out response is posted but does not appear. All I can make are stupid little posts like this.

Am I crazy? Why do you print a blue print of this for all to see and learn?

I have over 50 passwords in my Chrome password list! The problem is you really need to use different passwords for each site. These passwords need to be unpredictable to a hacker if he happens to know one of them (so he can't guess the others). At the same time, we need to be able to remember or have a note of these passwords so we can use them from any other computer. Keeping them in the cloud is a solution, but we then put all our eggs in someone else's basket. What can/do you do?

The idea is that the bad guys know all of this already - at least let their potential vicitms in on it too...

baby talk words for pets as passwords works for me, because there so damn goofy and personal, and there easy to remember.

Eon are the power source of the Olympics so if the withdraw from the deal at the last minute they will be no power at the Olympics.
http://www.ultraseksy.com

Great article actually! Somebody brave and smart enough to show people tangible evidence that stealing one's identity is very easy to do. There is no information being offered here that identity thieves don't already know about I'm sure. This article is a great illustration that we need to make protecting our identities a top priority. Thanks. Here is some other good info: http://topcreditmonitoringservices.com/