How to keep your identity private
The only thing an identity thief needs is your Social Security Number, your birth date or, sometimes, identifying information as basic as your address, driver’s license number and phone number.
Some of the places identity thieves get this information include:
- Personal information kept in your car (especially your glove box).
- Receipts tossed in the trash.
- Information stolen from your mailbox.
- Diverting your mail to another location by filling out a “change of address form”.
- Rummaging through rubbish for personal information (dumpster diving).
- Stealing bank or credit cards, identification cards, passports, authentication tokens ... typically by pickpocketing, housebreaking or mail theft.
- Stealing checks to acquire banking information, including account numbers and bank routing numbers.
- Hack into your computer or the computer of a company that does business with you.
- Access information you enter online or send by e-mail.
- Pose as a legitimate company or government agency and request personal information via phone (“vishing”), email (“phishing”), or text message (“smishing”).
- Attach a skimmer to an ATM to capture the card number and PIN.
- Take advantage of a personal relationship with you. (For example, a “friend or family member" may take a statement from your home when you aren't watching.)
Spying & Eavesdropping
- Overhearing conversations you have in public.
- Looking over your shoulder when you use your credit cards or the ATM.
- Observing users typing their login credentials, credit/calling card numbers etc. into IT equipment located in public places.
- Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized.
- Using public records about individual citizens, published in official registers such as electoral rolls.
- Common-knowledge questioning schemes that offer account verification and compromise: "What's your mother's maiden name?", "what was your first car model?", or "What was your first pet's name?", etc.
- Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards.
- Using 'contactless' credit card readers to acquire data wirelessly from RFID-enabled passports.
- Stealing personal information from computers using breaches in browser security or malware such as Trojan horse keystroke logging programs or other forms of spyware.
- Hacking computer networks, systems and databases to obtain personal data, often in large quantities.
- Misrepresent themselves to a company that does business with you or otherwise has information about you (e.g. access your credit report by posing as a landlord).
- Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers' systems.
- Infiltrating organizations that store and process large amounts or particularly valuable personal information.
- Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions.
- Obtaining castings of fingers for falsifying fingerprint identification.
- Diverting victims' email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims' names.
- Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing).
- Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security number or credit card numbers.
- Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants' names, home and email addresses, telephone numbers and sometimes their banking details.
- Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities.
- Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting).
- Guessing Social Security numbers by using information found on Internet social
- Befriending strangers on social networks and taking advantage of their trust until private information are given.