If you have a credit card, chances are you could one day get a notice that your information may have been stolen, and your bank will issue you a new card. If you have an email address, it’s likely you’ll occasionally receive a “phishing” message that looks as though it’s coming from a familiar store or merchant asking you to verify information.
As the recent Target breach shows, even people who rarely use computers can find themselves victimized by identity thieves. The good news, however, is that while it’s impossible to control how our information is stored and safeguarded by retailers, credit card companies, banks and the like, it’s possible to head off any problems by taking some precautions.
Debit or credit? Choose credit and monitor your accounts.
If you’re not using cash, use a credit card rather than a debit card, which draws directly from a bank account, says Bloomsburg Professor Mike Shapeero, who teaches accounting and fraud examination.
“There is no advantage to using a debit card,” Shapeero says. “I had a student here two years ago who was in the process of buying a house and had about $4,000 in her bank account. Someone stole her debit card and PIN and was in the process of transferring $3,000 from her account. Fortunately, she was able to get someone at the bank to stop the transfer before it went through.
“I understand that people use debit cards because they don’t want to overspend, but once that money is gone from the account, it’s gone.”
Under the Fair Credit Billing Act, if the credit card holder alerts the bank when a questionable charge is spotted, the card holder is liable for only $50 – and most banks will even waive that, Shapeero says.
Shapeero advises checking credit card accounts online regularly – not waiting until the end of the month – and watching for small charges that you don’t remember making.
“Maybe it’ll be a charge for something like $9.84 and many people will say, ‘Maybe I spent it on Starbucks or something,’ ” he says. “Ten dollars may raise a flag, but there’s something in the human psyche that when there’s details and specifics, people tend to accept those numbers.”
Using the recent Target breach as an example, Shapeero says it’s not uncommon for identity thieves to sit on information for months before using it. Small charges spread over hundreds or thousands of cards can quickly add up to big money.
Vary your passwords and don’t make them too easy.
“There are a lot of common passwords people use, even something like ‘abc123’ or dictionary words,” says Joshua Shoemaker ’11, who works for Verizon RISK, where he investigates data breaches for the company’s clients.
Shoemaker says a quick Google search of common passwords will show hundreds to avoid. “You should also use different passwords – if you’re using the same passwords for everything and someone compromises one account it’s easy for them to access all your accounts,” Shoemaker says. It’s an especially bad idea to use the same password for your email address and a bank account where you’ve registered the address.
Shapeero says he uses four different passwords ranging from fairly simple to complex for his online and bank accounts. He also recommends adding a cell phone number to accounts, since many banks will send a text alert if there is a change in an account’s status.
That smartphone is a computer – so treat it like one.
Virtually every bank has an app allowing people to check balances easily and to make other account adjustments using smartphones; all the free Wi-Fi means you don’t even have to worry about running up charges on your data plan.
Mistake. Unless you’re running antivirus software on your phone and using a VPN (virtual private network), a system that routes your information through an encrypted server, it’s better to stay off public Wi-Fi for anything sensitive.
“People know that computers need antivirus software. But phones? The average person has no idea,” says Bloomsburg Professor Scott Inch, who helped to create the university’s nationally known digital forensics program. “People are forgetting that a phone at this point is a computer on the network.”
Inch says he uses a free app called Lookout Mobile Security and warns that viruses targeting smartphone systems, such as Android phones, are on the rise.
Shoemaker says he uses a VPN on his computers and generally avoids public Wi-Fi, since there’s no way to be sure that someone isn’t using readily available software to monitor the connection. Though most banking apps have their own encryption, Shoemaker does not recommend logging on through a public network.
Inch says companies that allow employees to use their own mobile devices at work also need to be careful, since a computer virus can easily go from a smartphone to a firm’s network via its Wi-Fi connection.
And though it’s still more common to see attacks on computers, Inch believes phone security will be a growing problem. “It’s not on anybody’s radar,” Inch says. “However, I think phones are the most vulnerable at this point.”
Be cautious with emails and snail mail.
So, what do you do with those credit card offers you receive in the mail? How about the cash advance checks that credit card companies sometimes send? If you’re tossing offers in the trash, you could be opening yourself up to identity thieves, Shapeero warns.
“People are careless with what they throw away,” he says. “My local bank used to mail blank cash advance checks to me. All someone would have to do is fill out the check and the bank would apply it to my credit card.”
In addition to shredding financial information, Shapeero recommends calling the credit reporting bureaus to opt out of information sharing. Since he made the request, Shapeero says he gets only one or two pre-approved credit card offers a year.
When it comes to emails, sometimes it’s easy to spot phony offers, which frequently come from overseas and are written by people clearly unfamiliar with the English language.
But sometimes an email can be a perfect forgery of a real site, says Sam Josuweit, Bloomsburg University’s manager of network services. Just how troublesome are phony emails? Josuweit says 78 percent of all the emails coming into the university’s computer servers are rejected as either spam or phishing attempts.
Even with a good forgery there are telltale clues, he says. If the email has a link to another site, does the domain name match the company’s name? Is the email asking you to provide passwords or other private information?
“When you look at an email, you have to think: Would you believe this if you got it on paper? Or if someone called and said, ‘Hey, can you give me your password or what about your bank account number?’ ” Josuweit says. “A lot of people are conditioned to protect themselves over the phone or in the mail, but for some reason they drop that protection with email and they really shouldn’t.”
Michael Schearer ’97, a computer security and network analyst for Booz Allen Hamilton, also cautions against opening any attachments that come with unfamiliar email. Usually just opening an email won’t cause a problem, but clicking on an attachment may load malware onto your computer.
Using caution with unfamiliar emails is Schearer’s No. 1 piece of advice for staying safe on the Internet. “If you have questions about what you’re clicking on, then maybe you shouldn’t do it.”
Jack Sherzer is a professional writer and principal partner with Message Prose, a communications and public relations firm in Harrisburg.