Archive for December, 2008


Safe Social Networking

Posted by: admin | December 19th, 2008

by Rachel James, Intake Specialist

 

A recent study found that nearly 50 percent of Facebook users post enough information (things like birth date, hometown, family information and more) to aid ID thieves.

Social networking is everywhere. There are literally millions of members who are sharing details about their lives, their jobs and their personal information. With that many users to choose from, social networking sites are ripe for harvest in the hands of a clever identity thief.

One of the most innocent-looking attacks is to start a “survey” that asks all about your favorite things in order to give you some label regarding your personality type, or even what cartoon character you resemble most. The instructions typically require you to post your results and then forward the survey to your friends. Among these questions are popular account security questions such as “What is your favorite pastime?”, “What town did you grow up in?” and “What is your favorite movie?”

In fact, these questions, which are often the key to gaining access to your accounts in the event you forget your password, are often built into the social networking site’s profile to help better match you with people who have similar interests. Most people do not consider the risk that answering these questions poses, because they have probably long forgotten which security questions they set for their email or bank accounts.

These questions are just the tip of the iceberg. People using Twitter have updated their location as “on vacation” only to come back to a home that has been ransacked and robbed. A recent study in the UK by the Information Commissioner’s Office showed that 2/3 of social networking users post their date of birth, 1/4 post their job title and 1/10 post their home address.

So what are the biggest vulnerabilities?

  • 95% of Facebook users run at least one application on their profile. These applications, despite being available for download directly from a social networking site, are by and large not reviewed by staff at the company and often contain viruses or other malicious code.
  • Use your privacy settings and only allow people to view your posts if you trust them and have met them in real life to verify that the account is actually owned by them. If you get a friend request you think you recognize, call that person to verify it was really them.
  • Don’t post your full name.
  • Don’t post your address, phone number or where you work.
  • Don’t post your salary range.
  • Don’t use status or location updates.
  • Don’t post the town you grew up in, or the schools that you went to.
  • Emails or posts that request too much information should be considered suspicious and probably ignored. The person forwarding it to you might not even be aware that they might be aiding an identity thief.
  • Be careful of the pictures that you post of yourself, family, friends and activities. These pictures could be used to gain valuable information, or altered in a manner against your will. Fake IDs, stalking, or damage to reputation could occur.
  • Remember that even if you delete the post later, it is still “out there”. Other users may have a copy of the information still on their computers, and it may have been picked up by the various internet archives. Treat everything you post on the internet as though you can never take it back.
  • Now with more social networking sites employing classifieds sections, you must be wary of job offers or other scams in advertising. Remember that if it sounds too good to be true, it probably is.
  • Be sure your security software (firewall, anti-virus and spyware protection) and your internet browser are up to date and running. Updates often include security patches to address known vulnerabilities, so it is important to update as often as possible.
  • Use complex passwords, vary them and change them often. The password to your email, social networking sites, or blog should NEVER be the same as the passwords for your financial or personal information.
  • When setting up accounts, do not ever use the “real” answer to a question. When asked for your favorite movie, respond with a password like 00Bond7 to make it easy to remember but hard to guess.
  • Speak with children about the dangers of revealing personal information.

Malware Spreading via Social Networking Sites

Posted by: admin | December 9th, 2008

If you are a user of any of the popular social networks, like Facebook and Myspace, be aware of the risks inherent in sharing certain kinds of personal information in these forums. This bulletin was just released on the US-CERT’s website:

US-CERT is aware of public reports of malware spreading via popular social networking sites. The reports indicate that this malware is spreading through spam email messages appearing to come from Myspace.com, Facebook.com, and Classmates.com. The email contains a message indicating that there is a YouTube video available and instructs the user to follow the link to view the video. If users click on this link, they will be prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update–it is malicious code.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

  • Install antivirus software and keep the virus signatures up to date.
  • Do not follow unsolicited links.
  • Use caution when downloading and installing applications.
  • Obtain software applications and updates directly from the vendor’s website.
  • Configure your web browser as described in the Securing Your Web Browser document.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Medicare vs. Social Security

Posted by: djjones | December 8th, 2008

Red tape and bureaucracy seem to be the leaders in the recently highlighted struggle between Medicare and the Social Security Administration over the display of social security numbers on members’ ID cards. While at least 31 states, various private entities and government agencies ceased using the PII (personally identifiable information) years ago, Medicare as recently as June claimed the suggested removal to protect affected consumers would be too costly and might startle or alarm beneficiaries.

Since the SSA’s founding in 1936, its numbering system has been relied upon as the identifier for such items as drivers’ licenses, employee records, bank and credit accounts and, as in the issue at hand, health records. This has produced something of an impasse: most Americans are not legally required to give their SSNs in order to receive services, yet there is no law prohibiting companies from requesting it and denying services unless it is provided.

In May, the inspector general for the Social Security Administration released a report urging Medicare to stop using Social Security numbers, especially on wallet-sized cards patients receive and are told to carry. Additionally, last year, the Office of Management and Budget sent a memo ordering federal agencies to stop the unnecessary use of Social Security numbers as identification.

Also, federal legislation is pending in the form of H.R. 3046 (Social Security Number Privacy and Identity Theft Prevention Act of 2007) which would limit the use of SSN as an identifier by government and business, and as recently as this summer New Hampshire congressman Paul Hodes introduced the Medicare Card Security Act (H.R. 6399) to protect seniors by amending the Social Security Act in this manner.

While this potentially dangerous nine-digit sequence is still widely in use, actions are in effect at citizen and government levels to protect us from giving a free pass to identity thieves. We may still be at risk, but protecting our SSN by not carrying, displaying or providing it verbally unless absolutely required to do so should be at the heart of our defensive efforts.

Angie’s List notes LifeLock under scrutiny

Posted by: admin | December 3rd, 2008

by Doug Pollack

Angie’s List is a tremendously popular website that provides “unbiased reports and reviews about service companies”. This month’s magazine carries an article about LifeLock, a very high-profile ID theft protection service that is coming under fire.

The article, titled “Identity protection service LifeLock faces scrutiny”, describes litigation that LifeLock is currently embroiled in, as well as issues being raised about the level of identity theft protection offered by the way LifeLock uses the fraud alert mechanism available to consumers from the credit bureaus. Per this article:

“LifeLock also has come under fire from a number of directions. The company faces an investigation from the New York City Department of Consumer Affairs, a class-action lawsuit and a suit filed by Experian, one of the nation’s three major credit bureaus. Both Experian and the class-action suit allege that LifeLock is engaging in false advertising and deceptive trade practices and that its million-dollar guarantee to members is misleading and filled with loopholes. Furthermore, these critics — along with several credit and identity theft experts — point out that LifeLock charges its members $10 a month for services that consumers can mostly do themselves for free. They also say that LifeLock only protects against new account theft — in other words, when someone uses your credit information to obtain a loan without your knowledge. Javelin Strategy and Research, which tracks financial trends, says this form of identity theft accounted for less than one-third of the 8.1 million identity theft cases in 2007.”

I would think that any organization that is considering embracing LifeLock to address the serious threat posed by identity theft to their customers, members or employees should make this “must” reading.