Posts

Mobile Phone Numbers Are as Sensitive as Your Social Security Number

All of us have cell phones these days, and if you are like the vast majority of the population, you access everything from social media to banking information right from your mobile phone. However, if you do this, as everyone does, you are putting yourself in a position to get hacked. With only your mobile phone number and a couple of other pieces of information, a hacker can get into these accounts, and your life could drastically change.

How does this work? If a hacker already has your mobile phone number, they can get other information, such as your address, birthday, or even the last four digits of your Social Security number, through social engineering schemes via email or on social media. Once they have this information, it’s like handing your phone over to them and letting them do as they please, including accessing your accounts.

The scam may not even begin with you; it may begin with the mobile phone companies themselves. There have been many incidents where the carriers are scammed into handing over troves of personal identifying information to scammers posing as the victim. In many cases the phone companies are even allowing the scammers to get phones with the actual victim’s phone number by transferring everything to a new phone the perpetrator charges to the victim’s account.

Here are some things that you can do to keep your mobile phone number safe:

Use Your Passcode – You can and should put a passcode on your phone. This isn’t totally foolproof, but it does give you an extra level of protection.

Add a Passcode – Your mobile carrier’s online account should have an additional second passcode that is required to make any changes to your account. This additional passcode works with both the web and calling customer service. Nothing happens unless this additional passcode is presented.

Disable Online Access to Any Mobile Phone Account – This is frustrating, of course, but it certainly can protect you. If you need to change your account, you should go to the store or call your provider.

Use Google Voice – Google Voice is an excellent choice for many, and you can even forward your current number to your Google Voice number. This helps to mask any call you make, which means no one can have access to your real number.

Access Your Cell Phone Account with a Carrier-Specific Email Address – Most of us use our email addresses and phone numbers to access our online accounts. However, you should really have three separate emails. One should be your primary email address, one should be only for sensitive accounts, like your bank or social media accounts, and one for your mobile phone carrier. This means, even if your main email is hacked, the hackers cannot get into your other accounts.

Talk to Your Carrier – Consider asking your carrier to make a note in your account to require a photo ID and special passcode before any changes are made. Though it’s possible that a hacker could pose as you with a fake ID, the chances are quite low that this would happen.

Use Complex Passwords – One of the best ways to protect online accounts is to use complex passwords, or at least a different password for every account. You should also use a password manager. If you don’t, make sure your passwords are very random and very difficult to guess, like “58&hg#Sr4.”

Do Not Be Truthful – You also might want to lie when answering your security questions. These are easy to guess or discover. For instance, it’s probably easy to find out your mother’s maiden name. So, make it up…just make sure you remember it!

Don’t Use Your Phone Number for Important Accounts – Also, make sure that you aren’t using your phone number for any important account. Instead, use that Google Voice number. 

Use a Password Generator – Protect yourself by using a one-time password generator as part of a two-factor authentication process. The generator may be your mobile phone, or a device that looks like a key fob, and it produces a new password very frequently. The only way to get the password is to access the generator or your mobile.

Use a Physical Security Key – You should also think about using a physical security key. To use one, you must enter your password into the computer, and then insert the device into the computer’s USB port. This proves that you are the account owner. So, even if a hacker gets your password, they must also have the physical security key to access the account.

Think About Biometrics – Finally, to really protect your accounts, when available, use biometrics. You can buy biometric scanners that read your fingerprints, your iris, or even recognize your voice. When you use these, you cannot access any account until you scan your finger, eye, or speak.

Yes, it’s true that some of these seem time consuming, but it is much more time consuming to have to deal with getting hacked or a stolen identity. So, take these steps to remain as safe as possible.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Your Social Security Card Gets Stolen: Now What?

You might be shocked to know that when Social Security numbers were first given in the 1930s, the intention was never to use them as a form of identification. However, most of us use our Social Security numbers all of the time, from doing transactions at the bank to visiting our doctor’s office.

You need your SSN to apply for jobs, to open credit cards, and even to marry the love of your life. Since we use this number so often, what happens if you lose your card, it gets stolen, or it’s leaked in a big data breach? Here’s what to do:

Contact the 3 Credit Bureaus – The first thing you should do is to contact one of the three major credit monitoring bureaus. You have to put a fraud alert on your credit report. By doing this, a lender or creditor uses much stricter guidelines when they receive an application for credit. These alerts only last for 90 days, but you can also get an extension when those 90 days pass. But there’s something better:

Freeze Your Credit – Another step that is even more secure is to freeze your credit. When this happens, you can’t use your credit to open a line of credit or refinance until you go through a simple “thaw” or unfreeze process. Keep your credit frozen for the remainder of your life and thaw when needed.

Get Identity Theft Protection – Also, consider getting identity theft protection. This might be a bit of an investment for some people, but it also ensures that someone is monitoring your credit all day, every day. These experts can also quickly get you back on track if your identity is stolen.

Watch Your Credit – If 90 days have passed, and you don’t see anything strange on your credit report, that doesn’t mean that you are safe. Thieves can use your information in other ways, too, so you should continue to watch your credit report. You can get a free credit report each year at AnnualCreditReport.com.

Use Caution When Online – Finally, make sure that you are being careful when browsing the internet. Cybercriminals are sneaky, and people fall for their tricks quite often. Here are some things to keep in mind:

  • Don’t click on any link you get in an email, even if you believe that it’s from someone you know. The exception is when you’ve just signed up for a website and need to confirm your email address.
  • Don’t open any email that is in the spam folder.
  • Don’t open any email that has a subject line that is exaggerated or sensational.
  • If you can use two-factor authentication with your online accounts, you should.
  • Use an antivirus program, anti-malware software, and a firewall.
  • Create a different password for each account. Make sure they are difficult to remember and stay away from those containing your name, date of birth, or even 123456.
  • Use a password manager.
  • Shred your personal documents before throwing them in the garbage. This is especially important if the document contains information like your SSN or an account number.
  • Don’t give your SSN out to anyone unless it is totally necessary, such as on a job application or when applying for a loan or credit card.

I give out my SSN all the time. But, I omit it from applications often. And if the applications administrator says “we can’t process your request without the SSN”, I may briefly question them, but inevitably give them my SSN. I have a credit freeze and identity theft protection. I’m not worried.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

SSN and Its Afterlife

What’s one billion? That’s about the number of possible permutations of the Social Security number. Which begs the question: What happens to an SSN when someone kicks the bucket?

Currently, SSNs are never repeated when they’re issued by the Social Security Administration. As of June 2011, the SSA made the issuance entirely random (previously, for example, the first three numbers were determined by place of birth).

With nearly a billion permutations, there’s no point in any number surviving the holder’s death and being reissued. Now in theory, the combinations will eventually run out, because eventually, a billion people will have been born in the United States. But this isn’t exactly in the near future. Why worry?

Nevertheless, some people like to plan way ahead. Maybe this scenario can be mitigated with a 10-digit number. Maybe numbers will stay at nine but be recycled. But for now, your number is as unique as your DNA. Unlike DNA, however, an SSN can be used fraudulently.

The three credit bureaus maintain a list of the deceased based on data from the Social Security Administration’s Death Master File Index. Sometimes it takes months for bureaus to update their databases with the Social Security Administration’s Death Master File Index.

Here’s how to avoid identity theft of the deceased:

  • Report the death yourself by calling the Social Security Administration at 1-800-772-1213.
  • Contact the credit bureaus directly to report a death and request the information to be recorded immediately.
  • Right now, before anyone perishes, get the person a credit freeze. Upon death (as in life), the person’s Social Security number will be useless to the thief.
  • Invest in identity theft protection. This is a layer of security that monitors one’s information, including Social Security number, in the wild. Have it activated for six months to a year after death.
  • The Identity Theft Resource Center suggests, “Immediately notify credit card companies, banks, stockbrokers, loan/lien holders and mortgage companies of the death. The executor or surviving spouse will need to discuss all outstanding debts. If you close the account, ask them to list it as: ‘Closed. Account holder is deceased.’ If there is a surviving spouse or other joint account holder, make sure to notify the company the account needs to be listed in that surviving person’s name alone. They may require a copy of the death certificate to do this, as well as permission from the survivor.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Private Identifiers Not Private

Today’s commerce occurs very much online, with products and services ranging from A to Z. Hence, these many online merchants have hundreds of millions of people around the globe registered with them for convenient purchases.

To authenticate as the true user of these services, the registrant must supply personal data. If cyber criminals get ahold of this data, much of it, such as the user name, password and even the address they’ve been using, can be changed by the user after the breach.

However, the Social Security Number and date of birth cannot be changed. When cyber crooks get personal data off of these online retailers and service providers, it invades the customer’s privacy.

Online enterprises must take full responsibility for stolen data. It’s a real serious issue when permanent (“static”) data like DOB and SSN is breached, as opposed to temporary data like a password or answer to a security question.

Of course, the registrants to these sites do bear some culpability when they post their personal data in the public domain. But business sites make posting personal data a requirement to use their site. Unique data like the SSN should not be a requirement.

The online commerce world should know that such a requirement destroys confidence in current and potential customers, and that their competitors who abandon this practice will have the upper hand in gaining and retaining business.

More and more users are realizing that the security systems of online enterprises are weak, putting users at risk for identity theft—a risk that they’re catching onto.

NSS Labs, Inc., a world leader in information security research and advisement, has the following recommendations:

  • Online businesses should limit requiring data that can be shared among other enterprises.
  • Online enterprises should be designed with the anticipation of possible data breaches; this way they’ll minimize risk and be more prepared to mitigate problems.
  • Third-party data breaches should be analyzed by online companies to protect users if data seeps out.
  • “At risk” users should be able to be re-authenticated.
  • Governments need to reassess the idea of using static data like DOB and SSN.
  • Online enterprises must embrace the possibility that legislation will eventually make it illegal to require SSNs from users.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures

Social Security Number: All-Purpose Identifier

Your Social Security number was never meant to serve the various functions it is used for today. Over the past 70 years, the Social Security number has become our de facto national ID. The numbers were originally issued in the 1930s, to track income for Social Security benefits. But “functionality creep,” which occurs when an item, process, or procedure ends up serving a purpose it was never intended to perform, soon took effect.

Banks, motor vehicle registries, doctors’ offices, insurance companies, and even utilities often require a Social Security number to do business. Why do they need it? Sometimes it’s because your Social Security number is attached to government records like taxes or criminal records, but most often it’s because the number is attached to your credit file.

The IRS adopted our Social Security numbers as identifiers for our tax files about 50 years or so ago. Around the same time, banks began using Social Security numbers to report interest payments, and so on.

All the while, Social Security numbers were required for all workers, so their Social Security benefits could be paid. Most people were assigned a number when they applied, sometime around the age of 16. This was until the 1980s, when the IRS began issuing Social Security numbers to track children and babies who were claimed as dependents. By the late ’90s, it was standard for most hospitals to provide Social Security number applications to new moms.

A federal law enacted in 1996 determined that Social Security numbers should be used for “any applicant for a professional license, driver’s license, occupational license, recreational license or marriage license.” The number can be used and recorded by creditors, the Department of Motor Vehicles, whenever a cash transaction exceeds $10,000, and in military matters.

All this leads up to the unfortunate realization that your Social Security number is out there in hundreds, or even thousands of places. It is most definitely not private, nor can it be adequately protected. It’s just like a credit card number. You give it out, you hope the person or company is responsible with it, you hope it’s not breached, but all you can do is monitor your identity’s health and, if your identity is ever stolen, take the appropriate steps in response.

Be sure you have active, comprehensive protection for all of your devices. McAfee All Access is the only product that lets individuals and families protect a wide variety of Internet-enabled devices, including PCs, Macs, smartphones, tablets, and netbooks, for one low price.

Robert Siciliano is an Online Security Evangelist for McAfee. See him discuss the use of Social Security numbers as national identification on Fox News. (Disclosures)