ON SECURITY

So your identity has been stolen? Again?

By Susan Bradley

Not a day goes by that I don’t receive some sort of notification that my name, address, email address, social-security number, credit card, or — well, you get the idea — has been stolen.

So what, if anything, should you do to ensure your identity is safe? Should you subscribe to a dark Web monitoring service? Sign up for credit monitoring, which is typically offered when such an event occurs?

My recommendation? Don’t bother with a service touting that it can scan the dark Web on your behalf. As nefarious as it may be, the dark Web is made up of overseas technology hackers and is a moving target, an ever-changing threat landscape. A commercial service claiming to be able to keep up with these criminal gangs is just kidding itself.

Although I’ve discussed this before, lately I’ve been getting many emails with the subject “What should I do to protect my identity?” Much of this email traffic was spurred by a recent rise of promotions for credit-watching services, so perhaps it’s time to revisit the topic.

What can you do to protect your privacy?

Perhaps most importantly, don’t make it easy for the attackers. I’ve said this before, and I’ll say it again: Ensure any login you have with any service that is financial in nature has a long and strong passphrase, accompanied by a two-factor authentication method.

That includes online access to your most important bank accounts. Even if you don’t wish to conduct business through those online portals, they can be invaluable for monitoring. Log in on a regular basis, review the most recent transactions posted to your account, and take the time to configure the account to provide the most useful alert notifications so you hear about possible problems at the earliest possible time. For my firm, I have the business credit card configured to send both texts and emails to me for every transaction. That might seem like overkill, but I’ll know instantly if anything looks off.
One thing that sounds excessive but can be quite effective is “freezing” your accounts at the major credit-reporting agencies — the top three being Experian, Equifax, and TransUnion. This prevents all comers, legitimate or otherwise, from checking your credit, thus denying them access to all the personal information those reports contain and preventing a bad actor from, for example, setting up a credit-card account in your name. When you have an actual need to establish credit, you can lift the freeze for the duration of the credit checks and then lock them down again.

The explanation How to place or lift a security freeze on your credit report at usa.gov may be specific to the United States, but similar advice exists for most other countries.

In addition, pull your own credit report and review which loans and credit cards are listed, to make sure you recognize everything. If any item listed on the report is something you don’t expect, follow up immediately.

Many banks now provide your FICO score within their mobile apps, so you can see whether it changes whenever you log in. Created by the Fair Isaac Corporation (FICO), the score uses details on borrowers’ credit reports to assess credit risk and determine whether to extend credit.

In summary:
Even if you haven’t had an identity-theft alert and are in the US, review the recommendations at the Federal Trade Commission’s IdentityTheft.gov site. And to keep yourself informed in advance, take a look at the FTC’s Recovery Steps page. Then ask yourself, “Am I prepared to take all the actions listed there?”

Is home-title protection worth it?
If you live in the United States, you are probably deluged with ads from companies offering identity-theft protection and home-title protection. View all such offers with a healthy dose of skepticism. If you are thinking of investigating such an offer, prepare an extensive set of questions before calling.

Here’s something to keep in mind. Title protection does not “lock” anything. As noted by the FTC’s Home title lock insurance? Not a lock at all article:

If you’re a homeowner, you might remember buying title insurance when you first bought your house. It protects you against challenges to the title, like a lien you didn’t know about. But “title lock insurance” is different — and it’s not insurance at all. Instead, it’s a service that claims to monitor your deed to protect you against title fraud. You’d only find out AFTER your title got transferred to someone else without your authorization. So much for the lock.

One possible way to protect a title, at least in some states in the US, is homesteading. As defined in Homestead exemption at Wikipedia:

The homestead exemption is a legal regime to protect the value of the homes of residents from property taxes, creditors, and circumstances that arise from the death of the homeowner’s spouse.

This is a complicated matter that varies from state to state, and some have no such exemption. Should you wish to explore further, consult your attorney and accountant.

Does your credit card use AI?
I’m not keen on artificial intelligence on my desktop, nor in search engines. (You may have noticed.) I’ve often seen where the information provided back to me through these AI engines is out-and-out wrong or at least mildly incorrect. Nevertheless, I confess to being interested (both personally and professionally) in whether AI can be harnessed to help us make smarter decisions about fraud alerts.

For a long time, a technique has been used to proactively identify fraud in accounting data. It’s called “Benford’s law.” As the Carnegie Mellon University SEI blog post by Emily Kessel points out, regarding accounting:

Benford’s law is widely used in accounting to examine data for anomalies that may indicate fraud. Accountancy data generally follows the four assumptions required for a valid conclusion on a Benford curve: general ledgers, income statements, and inventory listings can all be compared to the curve to determine genuineness.

Cybersecurity systems use techniques to identify anomalous behaviors. But this can be complex and difficult, as you must first establish a baseline before you can identify the unusual activity. Kessel also explains:

Benford’s law of anomalous numbers states that generally, in naturally occurring collections of numbers, the leading digit is likely to be small. This means that the numeral 1 will be the leading digit in a genuine dataset 30.1 percent of the time; the numeral 2 will be the leading digit 17.6 percent of the time; and each subsequent numeral, 3 through 9, will be the leading digit with decreasing frequency. The resulting downward-sloping curve can be used as a baseline for determining whether a dataset is genuine or fabricated. Accountants often compare the leading digits of financial transaction data, such as ledger entries, to a Benford curve to spot anomalies that may indicate fraud. The same technique can be used to detect irregular network activity and other data that may indicate malicious insider activity.
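
The leading-digit comparison described above, worked through as an added example that is not part of the original article or the SEI post. The two ledgers are constructed sample data, the 5,000 approval limit is a hypothetical, and the chi-square test is one common way to measure distance from the Benford curve.

```python
import math
from collections import Counter

# Benford's expected share of each leading digit d: log10(1 + 1/d)
# (30.1% for the digit 1 and 17.6% for the digit 2, as quoted above).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5% level.
CHI2_CRITICAL = 15.507


def leading_digit(amount):
    """First significant digit of a non-zero amount."""
    return int(f"{abs(amount):.15e}"[0])


def benford_check(amounts):
    """Compare the leading digits of `amounts` with the Benford curve.

    Returns (chi_square, flagged, digit_with_largest_excess).
    """
    digits = [leading_digit(a) for a in amounts if a != 0]
    n = len(digits)
    if n < 100:
        raise ValueError("too few values for a meaningful comparison")
    counts = Counter(digits)
    chi2 = sum((counts[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    # Digit whose observed share exceeds its expected share the most.
    excess = max(BENFORD, key=lambda d: counts[d] / n - BENFORD[d])
    return chi2, chi2 > CHI2_CRITICAL, excess


# Constructed sample data (not real transactions).
# "Natural" ledger: a balance compounding 3% per period, spanning many
# orders of magnitude, the kind of data Benford's law fits.
natural = [100 * 1.03 ** k for k in range(1000)]
# Padded ledger: the same entries plus 150 invented amounts clustered
# just under a hypothetical 5,000 approval limit.
padded = natural + [4900 + k * 0.6 for k in range(150)]

if __name__ == "__main__":
    for name, data in (("natural", natural), ("padded", padded)):
        chi2, flagged, digit = benford_check(data)
        print(f"{name:8s} chi2={chi2:8.1f} flagged={flagged} excess digit={digit}")
```

A flagged dataset is a prompt for a closer look at the over-represented digit, not proof of fraud; data confined to a narrow range will fail the comparison for innocent reasons.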
Identity theft often occurs when an attacker enters a network silently and then quietly exfiltrates data outside the network. Thus these techniques can be used to monitor for data theft as well. The 2017 Black Hat white paper PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond discussed the issue.

Fast forward to 2024: Mastercard recently announced a $2.65 billion deal with the private firm Recorded Future to gather more intelligence on data thefts and cyberattacks. Recorded Future will still sell its own technology independently and not simply be a subdivision of Mastercard. It plans to add more artificial intelligence in order to proactively alert to fraud. Recorded Future offers some free tools as well as a subscription cyber newsletter to keep an eye on what happens, now that it’s under the Mastercard umbrella.

I’m willing to give AI some benefit of the doubt when it comes to tracking patterns, especially in massive databases. I see the potential — and hope that smart people will ensure that AI won’t “hallucinate” or “overthink,” resulting in improperly flagged transactions.

On a related note, the 1998 Presidential Decision Directive 63 said:

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation’s critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked.
These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.

An interesting podcast recently discussed whether AI is critical infrastructure. I recommend you give it a listen.

Identity theft in businesses
Identity theft in businesses can occur as well. Just as with individuals, keep a close eye on loans and credit cards opened up in the name of the business. Use business reporting tools to keep an eye on your business’s financial status.

In addition, depending on the type of business you own, ensure you take control of its social-media locations and review comments and posts about your services. Ensure you don’t get malicious comments on Yelp, Facebook, and other social-media sites. There are even services such as Brand24 that can be purchased to assist with tracking online mentions. You can use basic tools such as Google alerts to see whether your firm is listed in a news report.

Taking control
Whether you are an individual or a business, take the time to review your options and learn which free tools can assist you in monitoring your identity online. More than anything else, it just takes locking down credit-report lookups, monitoring your credit score, and keeping an eye on what others report on you and your financial information. Stay one step ahead of the bad guys with your intelligence.
Susan Bradley is the publisher of the AskWoody newsletters.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners. Copyright ©2024 AskWoody Tech LLC. All rights reserved.