Pro­tect Your­self Against Iden­tity Theft

With cy­ber­se­cu­rity breaches at big com­pa­nies and a range of scams tar­get­ing un­know­ing con­sumers, your per­sonal in­for­ma­tion is more vul­ner­a­ble than ever

Reader's Digest (Canada) - - Front Page - BY ANNA-KAISA WALKER

The alarm­ing call came one win­try Fe­bru­ary day last year while Melissa*, an IT an­a­lyst, was at work. She didn’t rec­og­nize the num­ber, and when she an­swered, a sales as­so­ciate at a jew­ellery re­tailer in Mis­sis­sauga thanked her for join­ing the store’s credit card pro­gram. Con­fused, Melissa ex­plained that she hadn’t ap­plied for it. “So you weren’t just here in the store?” the as­so­ciate probed.

The 34-year-old wasn’t ex­pe­ri­enc­ing short-term mem­ory loss. As it turned out, a much younger woman in pos­ses­sion of Melissa’s so­cial in­sur­ance num­ber, ad­dress and birth­date was im­per­son­at­ing her. Over five days, armed also with fake photo iden­ti­fi­ca­tion, this mys­te­ri­ous fraud­ster used Melissa’s name to sign up for two cell­phone ac­counts, ap­ply for credit cards and take out a pay­day loan from Money Mart. She’d planned to walk out of the jew­ellery store with sev­eral ex­pen­sive baubles, but a shrewd em­ployee, sens­ing some­thing was off about the ner­vous young cus­tomer, re­fused to ini­ti­ate the ac­count and, af­ter the woman left, ob­tained Melissa’s phone num­ber from a credit bu­reau.

The thief dis­ap­peared with­out a trace, get­ting away with about $1,000 in mer­chan­dise and loans. It could have been worse had she not been dis­cov­ered be­fore the credit cards were mailed to her, but it was still a huge headache for Melissa. Though she wasn’t on the hook for any money, she had to call ev­ery re­tailer the fraud­ster vis­ited, sup­ply­ing proof of iden­tity in or­der to can­cel the ac­counts. “I’ve spent over 100 hours clear­ing my name, and my credit is still ter­ri­ble,” she says. “Why is this my fault?”

STO­RIES LIKE MELISSA’S are be­com­ing more com­mon. In 2016, ap­prox­i­mately 36,000 Cana­di­ans were vic­tims of iden­tity theft or iden­tity fraud—up over 20 per cent from the pre­vi­ous year. Ac­cord­ing to sta­tis­tics from the Cana­dian Anti-Fraud Cen­tre (CAFC)—our na­tional agency that col­lects and an­a­lyzes data from th­ese crimes—losses in 2016 to­talled al­most $14 mil­lion.

Mean­while, with se­cu­rity breaches reg­u­larly mak­ing head­lines, it can seem as if our per­sonal in­for­ma­tion is in con­stant dan­ger of be­ing stolen by thieves. Last Septem­ber, Equifax

dis­closed that 8,000 Cana­dian vic­tims were in­cluded in the high-pro­file hack that com­pro­mised the per­sonal in­for­ma­tion of more than 145 mil­lion Amer­i­cans. In May, Bell Canada an­nounced that hack­ers had threat­ened to ex­pose 1.9 mil­lion cus­tomer records, and the com­pany re­fused to pay to stop them (a por­tion of the data was sub­se­quently leaked on­line). Breaches have also af­fected WestJet, Uber, Loblaws and Cana­dian Tire— all in the past year.

While those large-scale thefts are out of your con­trol, and it’s im­pos­si­ble to track which in­di­vid­ual frauds come from them, there are ways to make your per­sonal in­for­ma­tion dif­fi­cult for thieves to get their hands on.

Pro­tect

#1: Your Dig­its

Your so­cial in­sur­ance num­ber (SIN) is the key to a king­dom of per­sonal records, from your credit re­port to your tax re­turn, so you’re wise to keep it se­cure. The nine-digit SIN was cre­ated in 1964 as a unique client iden­ti­fier for the Canada Pen­sion Plan and var­i­ous em­ploy­ment in­sur­ance pro­grams, but its use has ex­panded to vir­tu­ally all trans­ac­tions be­tween you and the gov­ern­ment. How­ever, with no le­gal re­stric­tions on who em­ploys it, your SIN may also be re­quested by pri­vate-sec­tor or­ga­ni­za­tions—and that’s where the prob­lems start.

Even if you’re asked for it, you don’t have to give your SIN to your land­lord, your doc­tor’s of­fice, your cell­phone provider or when fill­ing out a credit card or em­ploy­ment ap­pli­ca­tion. The more it’s float­ing around, the more likely it’ll be stolen and sold on the so-called “dark web.” (This sin­is­ter un­der­belly of the In­ter­net, which can only be ac­cessed with spe­cial soft­ware, hosts mar­ket­places and eBay-like auc­tion sites where iden­ti­ties are bought and sold.) So if you’re not sure whether it’s re­ally nec­es­sary to pro­vide your SIN, ask why it’s be­ing re­quested and if you can pro­vide an al­ter­nate form of iden­ti­fi­ca­tion.

Melissa still doesn’t know how her SIN got leaked, but the thief who tar­geted her used it to re­quest a credit re­port in her name and then pieced to­gether all the in­for­ma­tion they needed in or­der to im­per­son­ate her on credit ap­pli­ca­tions.

If you think your SIN has been stolen, file a com­plaint with po­lice and make sure you get a case ref­er­ence num­ber and the of­fi­cer’s name and tele­phone num­ber. Con­tact the CAFC for fur­ther ad­vice. Ev­ery few months, you’ll need to re­quest a copy of your credit re­port from one of Canada’s two na­tional credit bu­reaus, Equifax and Tran­sUnion, and re­view it for any sus­pi­cious ac­tiv­ity. Credit alerts can be placed on your file, re­quir­ing that you be con­tacted if any­one tries to open a new ac­count in your name.

Strengthen

#2: Your Log-ins

Cana­di­ans, like most of the world’s In­ter­net users, are abysmally poor at keep­ing their on­line pro­files se­cure. Three re­searchers from the Uni­ver­sity of On­tario In­sti­tute of Tech­nol­ogy—Dr. Christo­pher Collins, Rafael Veras and Dr. Julie Thorpe— an­a­lyzed 32 mil­lion pass­words leaked from a so­cial gam­ing com­pany, us­ing them as a large rep­re­sen­ta­tive sam­ple of North Amer­i­can so­cial me­dia users. Hi­lar­i­ously—or per­haps de­press­ingly—they found the most com­monly used pass­words in­volved strings of se­quen­tial num­bers (“123456”) and painfully ob­vi­ous word choices (“pass­word”).

They also parsed se­man­tic pat­terns and found com­mon themes, such as “I love” fol­lowed by a per­son’s name (male names were four times more com­mon than fe­male names). Ref­er­ences to food, money, sex, pro­fan­ity and roy­alty also cropped up most fre­quently, says Thorpe, an as­so­ciate pro­fes­sor of IT se­cu­rity. As for dig­its, peo­ple tend to favour dates, such as hol­i­days and no­to­ri­ous events (like 4/15/12, the day the Ti­tanic sank).

You might feel like the above op­tions are fairly air­tight, but us­ing any rec­og­niz­able words or strings of num­bers in­stantly makes your ac­counts vul­ner­a­ble to hack­ers, who em­ploy guess­ing soft­ware that can run through mil­lions of pos­si­ble pass­words per sec­ond. The most se­cure and mem­o­rable pass­word is one that uses a string of let­ters, num­bers and char­ac­ters de­rived from a phrase that’s been al­tered to in­clude some­thing per­sonal. For ex­am­ple, you might log into an air­line site with “1 lo ajpwK&S,dkwib ba ”— which stands for “I’m leavin’ on a jet plane with Kristof and Sven, don’t know when I’ll be back again.”

In the­ory, you’ll need to come up with dozens of th­ese. “As soon as you use the same one for mul­ti­ple sites, hacks can hap­pen,” Thorpe warns. But since re­mem­ber­ing them all isn’t re­al­is­tic, she sug­gests us­ing free pass­word man­agers like iCloud Key­chain, LastPass, Dash­lane, KeePass and 1Pass­word. Al­though th­ese tools can them­selves be hacked, Thorpe says you’re ul­ti­mately far more se­cure us­ing them than be­ing a lazy per­son with only one pass­word for ev­ery­thing.

Be­ware of

#3: Com­mon Scams

Ev­ery day, the CAFC gets calls from con­sumers who’ve been tar­geted by scam­mers, and about half of th­ese swin­dles in­volve trawl­ing for per­sonal in­for­ma­tion rather than sim­ply de­mand­ing cash, says act­ing team leader Al­lan Boomhour. “The data it­self is valu­able,” he says, ex­plain­ing that crim­i­nals not only use it to open

fi­nan­cial ac­counts in your name, but can sell it on that dark web.

Leah*, 36, was shop­ping at No Frills in Toronto’s east end one day when a well-dressed man with a clip­board ap­proached her, of­fer­ing to sign her up for a new PC Fi­nan­cial MasterCard. She filled out the ap­pli­ca­tion form, in­clud­ing her birth­date and SIN, but the card never ar­rived. Af­ter a while, she be­came cu­ri­ous, so she called the bank and was told that they had no record of her at all. “They said that they didn’t have any­body sign­ing peo­ple up in No Frills gro­cery stores any­where in the GTA,” she says.

Leah called her reg­u­lar bank and dis­cov­ered that some­one had man­aged to get ac­cess to her ac­count, most likely by hav­ing a du­pli­cate copy of her cur­rent credit card sent to a dif­fer­ent ad­dress, and was us­ing it to make a slew of small pur­chases.

An­other com­mon scheme, email phish­ing, has grown more so­phis­ti­cated than cor­dial en­treaties from Nige­rian princes seek­ing your help to trans­fer vast sums of money. Typ­i­cally, you’ll get an email from what ap­pears to be your bank or the Canada Rev­enue Agency (CRA) ask­ing you to “au­then­ti­cate” your ac­count or re­ceive a tax re­fund by click­ing on a link. You’ll be asked to en­ter your in­for­ma­tion in a fake web­site that of­ten looks very con­vinc­ing. “It’s al­most a mir­ror copy of the orig­i­nal, but when you try some of the links on the page, like the ‘Con­tact Us,’ they don’t work,” Boomhour says.

Re­mem­ber that rep­utable in­sti­tu­tions will never ask for per­sonal in­for­ma­tion of any kind via email. For its part, the CRA doesn’t send tax re­funds by e-trans­fer— only by cheque or di­rect de­posit.

Se­cure

#4: Your Mail

In May 2017, Toronto Po­lice an­nounced that they’d ar­rested the leader of a $10-mil­lion iden­tity theft ring in a mas­sive in­ves­ti­ga­tion dubbed Project Royal. The enig­matic Toron­to­nian, who called him­self John­son Chrome, flaunted his lav­ish life­style at night­clubs, dis­play­ing a predilec­tion for glit­ter-en­crusted

de­signer shoes and fine wines. But his mo­dus operandi was sur­pris­ingly sim­ple—he and his as­so­ci­ates would steal mail from condo build­ings, painstak­ingly piec­ing to­gether their vic­tims’ iden­ti­ties un­til they had enough in­for­ma­tion to ap­ply for credit. For 10 years, Chrome had evaded de­tec­tion by only steal­ing small amounts at a time—mostly be­tween $100 and $5,000.

In­deed, in­ter­cept­ing snail mail is a fairly easy way to steal an iden­tity, es­pe­cially if your vic­tim re­ceives paper fi­nan­cial state­ments. Tac­tics can in­clude Dump­ster div­ing, but also the slightly more so­phis­ti­cated mail-for­ward­ing fraud—for this, all a thief has to do is in­put your ad­dress, a new one and a credit card num­ber at Canada Post’s web­site in or­der to reroute your mail to a va­cant, aban­doned or for-sale prop­erty.

Switch­ing to e-billing and on­line pay­ments can elim­i­nate this risk, as can rent­ing a PO box where you can re­trieve let­ters and pack­ages at your con­ve­nience.

#5: Watch Your Ac­counts

Too many Cana­di­ans don’t check their bank and credit card state­ments thor­oughly ev­ery month, says per­sonal fi­nance ed­u­ca­tor Kel­ley Keehn, au­thor of Pro­tect­ing You and Your Money: A Cana­dian’s Guide to Avoid­ing Iden­tity Theft and Fraud. This is es­pe­cially true of se­niors, who tend to slow down their con­sumer spend­ing as they age and aren’t as likely to need loans. “If you don’t care what your credit score is, you’re not go­ing to be check­ing your credit file for fraud­u­lent ac­tiv­ity,” she says.

Keehn rec­om­mends a lit­tle-known trick for spot­ting sus­pi­cious trans­ac­tions: through your on­line bank­ing pro­file, you can opt to re­ceive an e-mail or text mes­sage ev­ery time your debit or credit card is used. If you see a pur­chase you don’t rec­og­nize, you’ll be able to re­port it right away and won’t be on the hook for any stolen money. (Most banks have a 30- to 60-day limit for re­port­ing fraud­u­lent trans­ac­tions.) There are also a range of phone apps, such as Credit Karma and LifeLock, that can help you mon­i­tor your ac­counts for sus­pi­cious ac­tiv­ity.

Of course, even if you put this safety mea­sure in place and fol­low all of the other ad­vice above, you’re still not im­mune to iden­tity theft. “The re­al­ity is, you can take ev­ery pre­cau­tion­ary step pos­si­ble and still be­come a vic­tim. It’s just that big of a prob­lem,” warns Boomhour, be­fore adding one wel­come note of re­as­sur­ance: “At the end of the day, though, you’re not re­spon­si­ble for any­thing the crim­i­nals do in your name.”

PHOTO-IL­LUS­TRA­TION BY C.J. BUR­TON

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.