Yale University

ITS Office of Information Security


Identity theft

What is identity theft?

Identity theft and identity fraud refer to crimes in which someone wrongfully obtains and uses another person's confidential information to obtain goods and services. For example, someone could obtain confidential information (name, address, social security number, mother's maiden name, password) and use it to establish unauthorized credit.

Confidential information is facts about you that are not publicly available, such as:

  • social security number, alien registration number
  • credit card numbers
  • medical information
  • unlisted telephone numbers
  • user ids and passwords (including Yale NetID password), PIN numbers
  • account numbers at banks/institutions
  • motor vehicle license and/or registration number
  • biometric information (biometrics is the science and technology of authentication, that is, establishing the identity of an individual by measuring the person's physiological or behavioral features)

NOTE: The information that can be obtained in telephone directories, for example, is not private information; neither is membership in a public group, club or congregation.

Information is often obtained by using social engineering techniques. The term 'social engineering' refers to techniques that rely on weaknesses in people rather than weaknesses in software; the aim is to trick people into revealing passwords or other useful information. This is done in person, over the phone, via email or via web sites. Social engineering exploits a person's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.

Online people-finder services such as Any Who or US Search have made it very easy to obtain personal information. Once an identity thief has a name and address, they can go to an ‘online detective’, pay a small fee and get additional information about an individual. Some sites even offer to find Social Security Numbers based solely on name and address.

Account theft is a variation of identity theft and occurs when a person attempts to take control of a user ID and/or password (log-in/sign-in information) that is used for online commerce.

With the advent of Internet commerce, the increased flow of confidential information and its aggregation and harvesting have increased the risk of identity theft. Any purchase at a web site or similar online transaction, such as online banking, increases your risk of identity theft. Since the business of identity theft has proven to be relatively easy and very lucrative, you need to take precautions whenever possible to ensure the confidentiality of your private information. You are not immune from identity theft if you avoid online purchases. Most of the information about you is kept in large databases at government, financial and marketing firms; this data can be used by thieves when it is stolen from mailboxes or the trash, or when those databases are hacked by internet-savvy people anywhere. You should review your credit records regularly and follow up on any discrepancies.

What is being done to protect my personal information?

The Identity Theft and Assumption Deterrence Act of 1998 (Title 18 United States Code - Section 1028) legally defines both identity theft (knowingly possessing an identification document other than one issued lawfully for the use of the possessor) and identity fraud (knowingly possessing a false identification document) and sets punishments for both. Most criminal cases force prosecutors to show, beyond a reasonable doubt, that the defendant committed the crime in question, but identity theft cases force the victim to prove their innocence by proving their identity. Once that battle is won, the person must also clear their name of all the bad-credit ties. Unlike most crimes, if a thief steals an identity, it is the individual whose identity has been stolen who is responsible for recovering it.

What can I do to protect myself?

  • Do not share any personally identifying information unless you find out how it will be used and whether it will be shared with others. Ask if you have a choice about the use of your information. Can you choose to have it kept confidential?
  • Do not give out personal information on the phone, through the US mail, through email or over the Internet unless you have initiated the contact or know who you're dealing with. Identity thieves may pose as representatives of banks, Internet service providers and even government agencies to get you to reveal your SSN (Social Security Number), mother's maiden name, financial account numbers, passwords and other identifying information. Legitimate organizations have the information they need and will not ask you for it. There have been many reported attempts to gain access to personal information through email solicitations that are made to appear as having come from a valid source (e.g., eBay, PayPal) but in reality are spoofed email messages.
  • Give your SSN only when absolutely necessary. Ask to use other types of identifiers when possible. Don't carry your SSN card.
  • Order a copy of your credit report from each of the three major credit reporting agencies every year (see access to free credit reports). Make sure it is accurate and includes only those activities you've authorized. Checking your report on a regular basis can help you catch mistakes and fraud before they wreak havoc on your personal finances.

Web safeguards

  1. When surfing the web, installing shareware or using commercial IRC (Internet Relay Chat), be wary. Creating online profiles at Web sites and/or storing personal information on your computer eliminates one of the original security features of the Internet, anonymity. See anti-spyware tools.
  2. To avoid account theft, use different passwords (see: Selecting good passwords) for the different commercial online accounts you use (e.g., eBay, PayPal, Amazon). Sign in using a secure server (https). Don't type your login information on an insecure Web page (http). On many sites (e.g., Amazon) the default sign-in page is insecure and you must choose to go to an alternate secure page. Look for the 'https' in the URL and the locked padlock icon that appears in both Netscape Navigator and IE browsers when you are connected to a secure web page. To be sure that you are signing in on the genuine/real Web site, look closely at the Address/Location area of your browser.
  3. Investigate your vendor before processing your first online transaction. Do they have a Privacy Policy? Do they share data with other vendors or affiliates? Has their site been audited and certified by an organization like TruSecure or Verisign? When you connect to their https page, do you view the certificate to ensure it is valid? Do you receive any error messages during the transaction?
  4. After you've completed an online transaction, exit your browser application, so that you destroy any authentication or transaction-related site cookies (messages given to a Web browser by a Web server) that may have been put into your temporary cache (memory area where frequently accessed data can be stored for rapid access). These are ephemeral cookies that do not get stored as files and are wiped from the computer memory when the browser application (IE/Netscape) is exited. You can view your persistent cookies (which remain on the user's system until the expiration date defined within the cookie) by looking in the Advanced section of the Tools or Preferences menus in Netscape and Explorer.
  5. Do not choose the yes option (button or check box) when your browser asks you whether to remember the password. Do not enable the AutoFill (Internet Explorer Form Filler extension).

Email safeguards

  1. NEVER send or allow the receipt of private information in an email message. Email is sent in the clear. Email can be sniffed by hackers, read by administrators at ISPs and otherwise intercepted. It is less private than a postcard. Do not respond to any message that requires you to provide private information. Do not send email messages to your doctor (see Electronic Communication of Health Related Information - http://www.yale.edu/ppdev/policy/5123/5123.pdf), your insurance company, your bank or any financial institution where you have an account, unless you are posting a message directly onto a secured site (see Web browsing safeguards).
  2. Spammers often forge emails to collect private information (e.g. the PayPal scam, the Nigerian scams) or to socially engineer some kind of denial that yields private information. Treat this as spam, and do not reply. Most email programs come with filtering features these days, so use them. Filtering and spam management tools are available for Yale users.
  3. If you subscribe to any web-based service or establish an online account, always change your password immediately if you receive an email confirmation of your account or your password. Discourage the vendor from sending user/password information in email.
  4. It's better not to give your email address when asked by a vendor/restaurant/service company or when you buy a product (in person, not online), especially if that entity already has your credit card number. You won't be able to prevent them from sending you insecure messages with your private information. Once you've given your email address, you have no control over how it's redistributed.
  5. If you are sent an email from a service or source that you do not know, and the message contains a link that instructs you to click here to unsubscribe, DO NOT CLICK. These URLs are often malicious redirects to sites with trojans, pornography, or tools for the spammers to verify that your address is valid. It will not unsubscribe you. If possible, blocklist this sender via email filtering.
  6. Phishing is a high-tech scam that uses email or web pop-up messages to deceive you into disclosing sensitive information (credit card numbers, bank account information, Social Security number, passwords, etc.). An email message may purport to be from eBay, a financial institution or a vendor (e.g., Microsoft.com) and will most likely try to get you to do one of the following: 1) go to a web site and enter your old password; 2) provide personal information connected with your account; 3) update your computer immediately using the following link; and/or 4) some other request that exposes confidential information or compromises your computer. See more.
  7. Messaging portals (e.g., YUHS and YMG POL (Patient Online)) that sit behind SSL (Secure Sockets Layer) encryption are a viable alternative to plaintext email. If your doctor or bank provides this kind of site, you can use it for some limited communication.
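The manual address-bar checks in web safeguard 2 and the warning about unknown links in email safeguard 5 can be written down as a small script. The following is an added example, not part of the original Yale page; the expected site names, the sample links and the 198.51.100.7 address are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress


def inspect_login_url(url: str, expected_host: str) -> list:
    """Return the warnings a user should see before typing credentials at
    `url`; an empty list means the link passes the checks described above.

    expected_host is the site the user believes they are signing in to
    (a constructed value such as "paypal.com"). The host actually shown in
    the address bar must be that name or one of its subdomains.
    """
    warnings = []
    parts = urlsplit(url)

    # Web safeguard 2: sign in only over https, never over plain http.
    if parts.scheme.lower() != "https":
        warnings.append("not https: login would be sent in the clear")

    # Anything before '@' is userinfo, not the site. In
    # https://www.paypal.com@198.51.100.7/ the real host is the IP address.
    if parts.username is not None:
        warnings.append("'@' in URL: the name shown first is not the real host")

    host = (parts.hostname or "").lower()
    expected = expected_host.lower().lstrip(".")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not the site's name")
    except ValueError:
        pass  # an ordinary DNS name, which is what we expect

    # Non-ASCII letters in a host can imitate a familiar name.
    if not host.isascii():
        warnings.append("host contains non-ASCII look-alike characters")

    # "www.paypal.com.example.net" is a subdomain of example.net, not paypal.com.
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host is {host!r}, not {expected!r} or a subdomain of it")

    return warnings


if __name__ == "__main__":
    # Constructed sample links a user might be sent; none are real sites.
    for link in ("https://www.paypal.com/signin",
                 "http://www.paypal.com/signin",
                 "https://www.paypal.com@198.51.100.7/",
                 "https://www.paypal.com.example.net/login"):
        print(link, "->", inspect_login_url(link, "paypal.com") or "looks genuine")
```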

Home/remote Computing safeguards

  1. Privacy and security requirements apply to ALL locations, including your home. Access to sensitive data must be limited to those users with a legitimate business need to access the information. Appropriate safeguards must be in place to prevent unauthorized exposure of sensitive information to anyone, including family members, friends, and others.
  2. Use encryption technology (e.g. VPN and SSL) when accessing Yale systems remotely or over wireless networks.
  3. Install and use a hardware firewall at home. The current recommended hardware firewall is the Linksys BEF series. NOTE: hardware firewalls are recommended over software firewalls, but in some cases software firewalls such as ZoneAlarm are adequate; please consult your IT support provider or ISO with questions.
  4. If you are a knowledgeable linux/unix user, you can implement iptables (recommended), ipchains or ipfilter for protection.
  • Use a shredder for all paper-based personal information (bank statements, bills, receipts, etc.).
  • Don't carry a fully stocked wallet. Make a photocopy of all wallet card contents. List all contact numbers to call if cards are stolen on the sheet.
  • Make a photocopy of your passport when traveling and keep it separate from the original.
  • When ordering checks use initials for first name and middle name. This way only your bank knows how you sign your checks.
  • When paying credit card bills only put last 4 numbers of account number on the memo line.
  • Call credit card companies if you have not received your bill. Identity thieves change the billing address and charge without your awareness because you haven’t received your bill.

My identity or account has been stolen. What do I do now?

  • Change any PINs or passwords associated with the stolen account(s).
  • Call the police and file a report. Make sure to get a copy of that report, as you’ll need it in dealing with banks, credit card companies and credit bureaus.
  • Call the fraud departments of all three major credit bureaus:
  • Make sure to ask that your account be flagged with a fraud or security alert. This flag only lasts for 90 days, so you may have to keep renewing its status while you track down the exposure.
  • Opt out of pre-approved credit offers. You can do this with the credit bureaus, but you'll have to call different toll-free numbers:
  • If your driver’s license number has been compromised, you should contact your local Department of Motor Vehicles. They will need a copy of your police report to change the number.
  • If your Social Security number has been used, you can request a new one from your local Social Security Administration office.
  • If you believe your online account has been stolen, most commercial sites have contact information for security or fraud issues.
  • If you detect fraudulent use of your account, fill out an ID Theft Affidavit to help you dispute the charges.

Additional resources


Last modified: Tuesday, 04-Mar-2008 16:37:35 EST. (jj)