Tips and Tools for Avoiding Online Identity Theft

Contributor: Examination Specialist David M. Nelson, Cyber Fraud and Financial Crimes Section, Federal Deposit Insurance Corporation

Most experts agree that using “layers” of computer security is the best way to control your risks on the Internet. No safeguard is perfect every time, so you should have a few layers of protection when you are using the Internet. Take for example your own home security: as a prudent homeowner you protect your home and family in several ways.

You maintain the plumbing and electrical wiring to reduce hazards. You lock the doors and windows, and you have smoke detectors installed in the appropriate places. Perhaps you also have an alarm system. If things go wrong, you have a fire extinguisher, and the whole family has been taught to call 911 and flee to safety at a neighbor’s house. You have insurance as the final layer of security to help pick up the pieces after a mishap. Cyber security works the same way. Having only one security tool is not enough – you will need a few layers of security to protect yourself from becoming a victim of Internet fraud (don’t put all your eggs in one basket).

HOW COULD FRAUDSTERS GAIN ACCESS TO MY COMPUTER AND PERSONAL INFORMATION?

Internet criminals can steal your personal and banking information without you ever noticing – they can do it while you’re online shopping, playing games, reading email, or just browsing online. Phishing is when fraudsters send an email pretending to be a bank or other trusted source and ask you to confirm your personal information. A link in the email connects you to a phony site that looks just like the legitimate one. Pharming – an even sneakier way that fraudsters can gain access to your computer and personal information – uses malicious programs that can get installed on your computer when you simply click on a link in an email or view an image on a web page. When you type in the address of your banking, brokerage, or favorite shopping site, these programs redirect you to a counterfeit site that looks just like what you are used to seeing. Hackers can also find and use "vulnerable" applications on your PC, like music or video players, to access your data and take control. 

HOW DO I PROTECT MYSELF FROM THESE THREATS?

Anti-virus and anti-spyware software, surge protectors, firewalls, and email spam blockers are good basic tools that all home users should know about and use. There are also tools available online that can detect when you are being phished or pharmed, and prevent your information from being lost by automatically checking a website and visually alerting you if something is not right. Many of these tools are free and easy to use. They include anti-virus software, verification engines, security toolbars, anti-phishing toolbars, personal firewalls, and even Web browsers that have anti-fraud warnings built in.

Verification Engine 

One tool that is easy to use and provides an extra layer of protection is a verification engine, which double-checks Web sites' digital certificates. These certificates (indicated by a padlock or key symbol on your screen) are supposed to show that the Web site uses approved security measures to protect sensitive information you provide, such as your account number, as it travels over the Internet. However, the security symbols can be faked, so it's important to ensure that the name that the certificate was issued to matches the name in the Web address. When installed on your computer, the verification engine can tell you if the site you’re visiting is the real site or someplace where you may want to use caution. You can find and download a free verification engine at www.comodogroup.com/products/free_products.html. Another kind of security tool, called a site advisor, checks Web sites that you visit against a list of sites known for adware, spyware, spam, and phishing. For more information, go to http://www.siteadvisor.com/.
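The name check described above, as an added example (not part of the original article and not the code of any tool it mentions): it compares the host in a Web address with the names a certificate was issued to. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all host names are made up.

```python
from urllib.parse import urlsplit

def cert_names(cert):
    """DNS names a certificate was issued to (subjectAltName, else commonName)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback for certificates without subjectAltName
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing for exactly one label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3 and h[0]:
        return p[1:] == h[1:]
    return p == h

def check_site(url, cert):
    """Return (ok, reason) for the address shown in the browser."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False, "connection is not https, so no certificate protects it"
    names = cert_names(cert)
    for name in names:
        if name_matches(name, host):
            return True, f"certificate was issued to {name}"
    return False, f"certificate names {names} do not cover {host}"

# Constructed sample certificates (hypothetical host names).
BANK_CERT = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"),
                       ("DNS", "*.examplebank.test")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "shop.example.test"),),)}

if __name__ == "__main__":
    for url, cert in [
        ("https://www.examplebank.test/login", BANK_CERT),    # exact name
        ("https://online.examplebank.test/", BANK_CERT),      # wildcard name
        ("https://www.examp1ebank.test/login", BANK_CERT),    # look-alike address
        ("http://www.examplebank.test/login", BANK_CERT),     # no encryption
        ("https://shop.example.test/", CN_ONLY_CERT),         # commonName only
    ]:
        print(url, "->", check_site(url, cert))
```

A passing check only shows that the certificate belongs to the address in the address bar; it does not show that the address is the one you meant to visit.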

Stronger Authentication

Dual authentication is a way to verify that you are logging onto the correct Web site. As an example, Yahoo! offers a free “sign-in” seal or secret message that is displayed on the computer screen so users can verify that they are logging in to the Yahoo Web site to shop or read email instead of a pharming or phishing site. This works only on sites where you have an account set up. You'll need to choose a seal or message for each computer that you log in from, or you may need to answer some additional questions if you try to log on from a different location. Many financial institutions are adopting security seals along with security questions to help consumers avoid pharming or phishing attacks.

Two-factor authentication is now being used by financial institutions and online e-commerce sites. Usernames and passwords alone are no longer strong enough to protect against Internet threats like key loggers. Most security experts agree that having an additional layer of authentication is the best way to protect your online financial accounts. One example of strong two-factor authentication is the one-time password token now being offered by PayPal, a popular online payment processor, for $5. The key chain-sized token generates a 6-digit number that is used in combination with a user ID and password to log on to the account, which makes it very difficult for phishers to gain access to an online account.
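How a six-digit token code can be generated and checked, as an added example that is not from the original article: it assumes an event-based HOTP token (RFC 4226), since the article does not say which algorithm the PayPal token uses. The secret is the RFC's published test key, and `TokenVerifier` and `login` are hypothetical names.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password for one counter value (one button press)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Server side: accepts each code once and tolerates a few skipped presses."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.window = secret, window
        self.next_counter = 0                     # first counter not yet used

    def verify(self, submitted: str) -> bool:
        last = self.next_counter + self.window
        for counter in range(self.next_counter, last + 1):
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                self.next_counter = counter + 1   # this and earlier codes are spent
                return True
        return False

def login(password_ok: bool, verifier: TokenVerifier, code: str) -> bool:
    """Both factors are required; a wrong password does not consume a code."""
    return password_ok and verifier.verify(code)

# Constructed sample: the test secret published in RFC 4226, Appendix D.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = TokenVerifier(SECRET)
    first = hotp(SECRET, 0)
    print("first code:", first)
    print("password + code:", login(True, server, first))
    print("same code replayed:", login(True, server, first))
    print("password stolen, no token:", login(True, server, "000000"))
```

Because each code is accepted only once, a password and code captured by a key logger cannot be reused for a later login.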

Security Toolbars

Another helpful layer of protection is offered by security toolbars that work as part of your Web browsers. Some security toolbars block fraudulent sites and allow users to easily report suspicious sites. Two examples of this type of toolbar can be found at http://securitybar.lycos.com/home.do and www.toolbar.netcraft.com.

Web Browsers with Built-In Anti-Fraud Functions

The Microsoft Internet Explorer 7.0 web browser has built-in anti-fraud functions that warn users that they may be visiting a fraudulent Web site. You can find out more at http://www.microsoft.com/windows/products/winfamily/ie/default.mspx.

Firefox 2 also has a “black list” default function like Internet Explorer that alerts users to known phishing sites, but unlike Internet Explorer 7.0 it does not scan Web pages or URLs looking for telltale signs of fraudulent sites. The Opera Web browser has added anti-phishing and anti-fraud features to its latest version, Opera 9.1. It can be downloaded for free at http://www.opera.com/.

Anti-Spyware and Anti-Rootkits

Since several layers of protection work best, consider anti-spyware protection. Spybot Search and Destroy is free software that identifies the most common kinds of software that track your online activity and helps you to remove them. Go to http://www.spybot.info/en/mirrors/index.html. Rootkits can also get on your computer, hide, and allow a remote hacker to control your machine. If you are considering a free anti-rootkit program, check out Sophos Anti-Rootkit at http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html. This program requires some expertise and may not be appropriate for many novice users.

One simple way to keep unwanted software from being installed on your computer is to restrict user access levels. Set up one separate password-protected “Admin” account on your PC for adding and removing programs and other sensitive functions. For routine online activities, set up and use “limited” user accounts for all users who will be surfing on the Internet. Unwanted spyware, rootkits, and Trojan Horses cannot be installed on your computer without the “Administrator’s” permission. You can set up admin and limited user accounts by using the “Control Panel” function on Windows and “System Preferences” on Apple Macintosh.

WHAT DO I DO IF I DETECT A FRAUDULENT OR SUSPICIOUS SITE?

If you do detect a fraudulent or suspicious Web site, you can report it so that it will be investigated. 

Phish Tank, http://www.phishtank.com/index.php, can help you determine if a site is a known phishing site, and enables you to register and report questionable sites for investigation.

Fried Phish, http://www.castlecops.com/pirt, is another Web site to which you can report suspicious URLs for investigation.

TIPS TO PROTECT YOURSELF ONLINE

In addition to installing tools on your computer to protect yourself, keep the following tips in mind:

- When entering sensitive information (bank account numbers, credit card information, social security number, mother's maiden name) online, look for “shttp://” or "https://" in the address line of your browser. This means information is being sent securely.

- Never click on a link in an email directing you to a Web site. Manually type the Web site address into your browser to be sure you are not misdirected.

- To prevent pharming, use anti-virus and anti-spyware software and be sure to keep them up to date.

- Don't give out personal information unless you've initiated the contact or are sure with whom you are dealing.

- Look for Web site privacy policies. They should answer questions about maintaining accuracy, access, security, and control of personal information collected by the site, how the information will be used, and whether it will be provided to third parties. If you don't see a privacy policy – or if you can't understand it – consider doing business elsewhere.

- Learn more about cybersecurity. In addition to the National Consumers League’s www.phishinginfo.org Web site, there are many other resources. The Federal Deposit Insurance Corporation offers a free CD-ROM about how to keep your computer secure, which you can order at http://www.fdic.gov/consumers/consumer/guard/index.html. The National Cyber Security Alliance, www.staysafeonline.org, the Federal Trade Commission, www.onguardonline.gov, and the Internet Education Foundation, www.getnetwise.org, provide general advice about online safety and security. There are also commercial sites, such as www.pcworld.com/downloads/, that offer software reviews. Some security software is free or offers free trial periods.