Exactly Who Can You Trust With Your Identity? Hopefully the Government.

If you read my material, listen to me talk or see my comments on any number of the social networks out there you will clearly know that I have a strong belief that every single one of us on the planet has already had our personal identity information compromised, stolen or breached in some form. We are already ALL victims and it is only a matter of time before our “number is up” and someone takes a run at taking over our identity. Sorry to be the bearer of bad news there.

The Equifax breach in 2017 is really just the tip of the iceberg and I hope that it is a wakeup call for those that feel they are not at risk or have the belief that it will “happen to the other guy”. WRONG! You are the other guy, and so is the other guy, and the other guy, and the other guy ….

Feel free to email me when you find out one day someone has taken control of your life through identity theft. It’s going to happen, unless of course appropriate actions are taken by the organizations that have a chance of “helping” the situation. Not “fixing” but helping. There is no fix to the largest enemy and risk people face of falling victim to identity theft. That enemy of course is themselves!

In the absence of being able to reprogram people's brains to do simple things like manage passwords properly and not share every detail about their lives on social media, the governing bodies responsible for the foundational establishment of identity and the associated identity information of people need to step up and take control. This of course being GOVERNMENTS.

Today in the physical world government is on the hook to manage and protect the identities of individuals who are in their jurisdictions. This is done from birth through death and is managed through “government issued identification”. There are mature and well understood procedures, standards and governance frameworks around the issuance and acceptance of government issued ID and although it is not foolproof it is at least something to build upon.

In the digital world everything is just a “click away” and every person, place and thing is wired (future post on the privacy issues of this, but let’s save that one) which amplifies the requirement. Governments worldwide need to move to protect their citizens in the digital context in the same way they have in the physical.

Hence we need priority on the development of “GOVERNMENT ISSUED DIGITAL ID”.

The foundation for this needs to be based on the fact and acceptance that we are all breached. We have been exposed. No information is sacred and we can expect that not to change in the future.

The simple question that governments need to answer is “If everything is exposed and available for misuse, how do I know it's actually you when you are legitimately representing yourself?” (Hint: The question is simple, the answer is not).

We as a society need to assume that everything about us is completely exposed. I would even suggest that we could just go ahead and make everything available since it is already. Heck, it could even put a damper on the “dark web” where the identity information of a person can be bought and sold then used for fraud and identity theft. Of course I don't really think we should do that, but you get the point.

How we electronically identify that it is the actual individual presenting their information digitally should be top priority for national, state and provincial governments, who generally are the managers and governors of identity information of their citizens.

Technology, processes and governance need to address this in the digital context just like in the physical context. The thing that is missing of course is that one thing that always seems to get in the way: COST. That is a difficult one to overcome because of the massive investments in legacy systems, processes and procedures that would need overhauling, but we do need to start somewhere.

I can tell you from experience, having worked with governments to initiate these types of things, that there is nowhere near enough resources being allocated to this problem. Some countries are addressing the problem with national initiatives but they are few and far between and are having mixed results.

The private sector can assist with this problem, but as we have seen it is within the private sector that the majority of the problems are actually occurring. The largest data breaches that have occurred in recent months have been at non-government organizations. Private sector companies collect, retain and store identity information in the interest of delivering sought after goods and services to those very citizens we are discussing, thus they operate on a different playing field than governments. That of course is why the governance and controls really need to be put in place.

Until such time that we have a ubiquitous digital government ID, I suggest 3 things:

1.) Do not share your personal information with any company unless you have to and when you do, share the minimum.

2.) Contact Equifax or TransUnion and get a copy of your credit file annually. You are generally entitled to a free one annually and don't need to subscribe to their monthly service. You just may need to dig up the free application on their site. Search for something about “Consumer Disclosure”. Links below to help.

3.) PLEASE CHANGE YOUR PASSWORDS regularly and if you hear about something called a “security key” or “second factor” or “two-step login”, please do yourself a favour and learn how to use it. Email me at jglennon@glennon.ca if you want tips on that.

Jamie G

Click the following to be taken to Consumer Credit Report access:

TransUnion Free Consumer Disclosure

Equifax Free Consumer Disclosure

Don’t Fall For Scammers Calling from “Equifax”.

The Equifax data breach may be one of the most harmful ever to citizens on a mass scale. The amount of information that the hackers obtained will provide them the ability to fully take over an identity, and the personal information stolen will already be extremely prevalent and available for sale on the dark web.

People who become victims of identity theft as the result of this data breach, or any other for that matter, will spend YEARS trying to get their financial lives back in order.

This data breach, which was sustained without detection for several weeks, is a MAJOR deal that puts millions of people in harm's way of identity theft. This includes Canadians.

Although the number of Canadian accounts breached is now reported to be only about 8,000 out of the 145.5 million overall, everyone in Canada should be on high alert. This is a wakeup call. Get your act together people and recognize that we are all breached and your number just hasn't come up yet.

If it isn't bad enough that Canadians are all potentially exposed to identity theft through this breach and the hundreds of others that go unreported annually, there is an entirely new opportunity for scammers to have a field day taking advantage of people's fear about the Equifax breach. Uncertainty and the media hype over this will have many people feeling vulnerable.

If you receive a call, text or email from someone claiming to be from Equifax stating that you are a victim and that they are looking to “resolve” the problem, hang up or delete the message. It is very likely a scam. According to CBC, “Equifax said it will mail written notices to all of the potentially affected Canadian citizens”.

They (scammers) will likely want to “verify it's you” and will ask you to provide personal information about yourself and some financial information, including your Social Insurance Number. Everything they ask for can then be subsequently used to hijack your identity.

Unless YOU make the call to a trusted organization you will never be asked for information to prove it’s you when someone calls making a claim unless you are expecting the call. This holds true for any call you get from someone claiming to be from the bank, government or any other organization that holds personal information.

Since the breach was announced (two months after it was discovered), Equifax had their stock halted ahead of announcing that their CEO was stepping down. This was after both the Chief Information Officer and Chief Information Security Officer were forced out. This alone should provide evidence of the order of magnitude of the problem there.

Don’t get sucked in and become a victim. Email me at safeidentitycanada@gmail.com if you are unsure and as always please visit the RCMP Identity Theft and Identity Fraud website for details on these types of crimes.

Using Your Mother’s Maiden Name for that “secret” security question. Lie!

I regularly hear complaints from people about the hassle of having to answer those pesky security questions every time they set up “yet another” account on the internet. These questions can be referred to as any of the following:

  • Security Questions
  • Challenge Questions
  • Account Recovery Questions
  • Password Reset Questions

Regardless of how they are described they serve a common purpose. They are meant to help an individual provide some form of evidence that it is them in the event that the service needs to verify that it is them. This is done for many purposes, of which the most common for online services is to reset a forgotten password.

To call them “security questions” is almost an oxymoron based on my experience. The questions that are asked are often far from secure, and may in actual fact create opportunity to hack accounts far easier than password cracking.

To be clear about this, let me make a statement that people may not understand. On many websites, a “hacker” does not have to have your password to compromise your account if they can figure out your security question answers. They will actually use the security questions to change your password and let themselves in. If there isn't a second step to do this (like sending a code to a cell phone) then you could be in for quite a surprise even if you have taken my advice and made a strong password.

This also becomes a problem if you have been hacked even if you have taken the steps to have secondary checks on login. For example, if an account (let's say an online banking account) is set up so that login from a new and/or unknown network requires a “security question”, it isn't very secure if it asks you what city you were born in, your high school name, your mother's maiden name or your favorite sport. The answers to those questions are likely publicly pasted all over the internet on your social media accounts or the social media accounts of your friends. It is quite possible that the “hacker” may already be into your social media account if they have hacked a password (remember, don't reuse passwords).

Because of this, it is paramount that the answers you give to these ‘pesky’ security questions not be overlooked, and I am going to give you the best piece of advice I possibly can on this. For all of those questions you are asked, LIE!

If you were born in Toronto, make the answer London. If your mother's maiden name is Jones, answer Smith, etc. Of course, YOU need to know the answers to the questions and that won't be hard if you are consistent with the answering. Just make sure you keep it a ‘secret’.

Security questions are an important part of the verification process when conducting transactions online and you really need to take them seriously. You usually have the choice of questions, so as long as you LIE on the answers there is nothing wrong with picking easy questions like those noted above. Just make sure you remember the answers.

Picking easy questions with real answers because they are easy to remember for you means they are also easy for a hacker to figure out.

Stay safe.

Jamie G

Is “1q2w3e4r” Your Password ? Change It!

If you just recognized 1q2w3e4r as your password and you are shocked that I called it out, you should be aware that you are not alone. Not only do I know this is your password but so does pretty much every hacker on the face of the earth. Your tricky keyboard pattern for a password isn't as tricky as you thought after all.

It’s the beginning of 2017 which means all of the organizations that do research in the Information Technology security space are starting to release their statistics for 2016 and the lists of most common passwords found in data breaches.

For a person like me who talks a lot about these things and is working with government and industry to help fix the problem, this is where I gather a lot of my data. This information shows up in my blog posts, presentations, seminars and my rants to people that cross my path in person.

Let me start by saying what I have said so many times before, people are lazy. When I speak of this, I don’t mean in terms of a Netflix binge versus doing the dishes or leaving your grass to become a forest over the course of the summer. In this case I am specifically talking about the lack of effort people take to do the “simple” things that are required to protect themselves from identity theft and potential financial and personal hardship.

Yes, again I am talking about password management. If you don't think it's important, let me know how things are going after you have had your identity stolen.

Let’s review the four main points I always like to focus on:

  1. Use ‘reasonably’ difficult passwords. Click here for some help on this. 
  2. Do not reuse passwords on multiple sites. If you are hacked on one site, you are hacked in them all. Ever notice your Amazon ID is your email ID? (hint hint)
  3. If you ignore item number 2, make sure that your primary email has its own unique password that is not used anywhere else. Email is the doorway to your life. The same holds true for your online banking. Make those “special” and different from all others.
  4. If at all possible, enable some kind of two-step or second-factor login on your important accounts. Information on enabling this on your Google account can be found by clicking here

I am willing to be somewhat lenient on number 4 because it does take a bit (not a lot) of effort and a little bit of understanding of how to link your phone or a USB device to your account, but number 1 and number 2 should be mandatory and number 3 should be written in law. Not taking the time to do these is essentially welcoming identity theft into your life. I can assure you that the time it takes to do these actions is far less than the years of hardship you may suffer if you become a victim of identity theft.

Also of note, if you don't know where the 1q2w3e4r password in the title of this post came from, have a look at your keyboard and type it out. Any form of simple pattern on the keyboard is right at the top of the list with hackers. The same holds true for QWERTY, QZWXECRV, `1234567890-= and many others.

In this hyper connected world you are already on the identity theft attempt schedule. If you have been clear so far, your number just hasn’t come up yet. I suggest you don’t assist the people that are trying to make your life a living hell that could take years to recover from, if ever.

Jamie Glennon

www.safeidentitycanada.com

Please Don’t “Assist” Hackers Steal Your Identity! You Will Regret It For YEARS!

As a person who makes a living trying to help government and citizens protect themselves from hackers and criminals online, I spend A LOT of time talking about passwords. If you know me well, you are more than aware of my feelings in this area. See my other blog posts or chat with me in person sometime. 

Today, after a couple of days away working with one of those “government” clients mentioned above, I opened the Delta Optimist newspaper to find an article that lit me up like an over-pressured flamethrower.

Password changed, but not easily remembered

I understand that lifestyle journalists (the column is called “Living Matters”) don't spend all day thinking about IDENTITY THEFT and the protection of personal, financial and identity information, however I HIGHLY recommend not doing what this journalist did in the Delta Optimist: marginalizing the importance of strong passwords and, on the surface, looking like she shared her new corporate password that was “forced upon her” with all readers. (She “must” be kidding or most definitely has changed it again by now after getting slapped by the company's Chief Information Security Officer).

WEAK passwords, REUSED passwords and OLD passwords are the feeding ground of “hackers”. Don’t think of a hacker as some “person” sitting behind a computer trying to guess your password for fun. We are well beyond that now. Identity Theft is operated and managed by ORGANIZED CRIME and syndicates operate worldwide that have very sophisticated mechanisms to essentially take over your identity and make your life a living hell.

This often starts simply by accessing your email because of lousy passwords. For a lot of people out there, their email opens up the window to their personal lives, thus the window of opportunity for organized crime.

There are databases bought and sold on the “dark web” with usernames and passwords which are only a problem for people who DON'T change their passwords from time to time and, even more importantly, REUSE PASSWORDS on all of the websites they use. With reuse, if a hacker has access to your email and you use the same password for email as banking (a common problem), they now have access to your accounts and financial information. Now that they have your financial info, they can start applying for fraudulent credit cards, loans and bank accounts, all in your name.

Go to my website at www.safeidentitycanada.com and look at this post on creating strong passwords that are easy to remember. If you end up being the victim of identity theft because changing your password or having to remember a complex one with 8 characters* is inconvenient, don't say I didn't tell you as you spend YEARS trying to clean up the mess of identity theft.

There is no way to completely be 100% protected, but please for the sake of your own sanity (and mine) don’t help the “hackers”.

Jamie G

(*you should make it longer than 8 characters. Even 9 or 10 is better)

Gift Cards Will NEVER Be Accepted As Payment by CRA!

It goes without saying that if something sounds fishy, it probably is. I have written before about scammers calling, being very aggressive and saying they are the CRA. There have also been calls to people and business owners in the same context saying that they are BC Hydro and are shutting off their power in 5 minutes unless they pay their bill with Visa Gift Cards. All scams.

Neither the CRA nor any other reputable organization will ever ask you to pay a bill with gift cards. Nor will they ever phone you out of the blue demanding money. If you haven't had several letters from the CRA looking for payment on taxes, you will not receive a call. Even if you do owe back taxes and they contact you, they will look for a payment in a calm and normal manner. Just make sure you are open and up front with them and you can easily work out a payment schedule. They will warn you not to miss a payment without contacting them first. If you don't call them and you default on your committed schedule they still won't call demanding payment. They will go straight to your bank with the appropriate authority to garnish wages and withdraw from your assets. At that point you will get a call from your bank.

The person in this article actually listened to the proclaimed CRA caller and purchased $20,000 in iTunes cards to pay their alleged taxes owing by giving the iTunes card number and activation code over the phone. I am hoping that people reading this would hear LOUD alarm bells going off all over the place with that one. 

Calgary CRA iTunes Payment Scam

If you actually do get a call from someone looking for payment and you aren't sure about it, kindly tell them you are busy at the moment, then follow up immediately with the “claimed” organization through a way that you know is legit.

If you get a call from someone claiming to be from the CRA or other organization and they are being a completely aggressive jerk, hang up immediately! You can then call the CRA or whomever and report the incident. You can find more information on the RCMP

RCMP Canadian Anti-Fraud Centre

Jamie G

Online Password Strength Checker – A Great Tool To Use

As many know I am working with government and standards organizations to help the Digital World eliminate passwords through the use of easy to use alternatives that involve mobile phones and other wearable devices. In the not too distant future you will use your mobile phone (or smart watch perhaps) to log in to your PC, Mac, email or bank account amongst other things. You will need the actual physical device (phone) in hand to access your account. No passwords floating around the Internet to be hacked and stolen. A hacker would need to actually steal your phone AND be able to unlock it.

No sense in denying it though, it will be a while before that becomes ubiquitous across the Digital world. We are stuck with passwords for a little while still.

I found an online service that is really quite useful for the average person to check to see how strong their passwords are. If you have seen any of my past posts here or elsewhere you know I am an advocate of coming up with passwords that are meaningful only to you, but to others look like a scramble of characters.

http://www.passwordmeter.com

In review, here is an example of what I do for passwords that is secure and easy. I make up a sentence and turn it into a password inclusive of some random special characters.

Here is my sample sentence: “I run for seven kilometres per day”

Here is my derived password from that: Irun4:7Kmpd

As you can see from the password I have used only the word “run” (you could still just use an ‘r’ and still meet the usual minimum 8 character requirement for passwords), but I used the full word to make it 10 characters while keeping the sentence not too long. I use the first letter of words, mix in some capital letters and throw in a random character “:”. It really is a lot easier to remember this than some crazy randomly generated password for us normal humans with too many things on our mind creating all kinds of short term memory loss. It is also SIGNIFICANTLY more secure than what most people are using today.

So let’s test this with our password meter.

Let’s now contrast that to using your dog’s name with a couple of numbers attached to it, like most people do (you know who you are), to make up the usual 8 character requirement: fluffy123

Note that fluffy123 is particularly weak because of the repeated characters, and in actual fact a lot of applications may not even let you use this. You may be forced to do something like make at least one character a capital letter or add a special character. I did want to use it to make my point though.

Passwordmeter is really quite easy to use and works well in conjunction with my sentence based method.

With Internet crime being so prevalent it would seem that everyone should be doing this at minimum. However, most people tend not to react till they are hacked and even then, they may change fluffy123 to Fluffy321 thinking that they have fixed the problem. Nope. Wrong. Last year Russian Hackers gained access to about 1.2 Billion passwords a lot of which are just sitting in their databases waiting to be used. They are sold on the black market and have the potential to do a lot more than just look to see who you are friends with on Facebook or Snapchat. Most people use the same password on GMAIL and their bank account. And as it turns out, the hacker finds out who you bank with by looking at your email.

http://www.cbc.ca/news/world/password-hack-affects-1-2-billion-accounts-more-at-risk-1.2728865
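As an added example (not code from this post and not passwordmeter.com's code), the checker below flags the specific weaknesses the post calls out: keyboard patterns such as 1q2w3e4r, QWERTY, QZWXECRV and `1234567890-=, the repeated characters in fluffy123, and a dictionary word with digits tacked on (so Fluffy321 is caught as the same word as fluffy123), alongside length and character-variety checks. The QWERTY coordinate map, the `COMMON_PASSWORDS` set and the `WORDLIST` set are constructed stand-ins for the breach-derived lists the post mentions; all function names are my own.

```python
"""Flag the password weaknesses discussed in the post (added example)."""
import string

# Staggered QWERTY layout: each row sits half a key to the right of the
# row above it, so '1' touches 'q', 'q' touches 'a', 'a' touches 'z'.
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_COORD = {}
for _y, _row in enumerate(_ROWS):
    for _x, _ch in enumerate(_row):
        _COORD[_ch] = (_x + 0.5 * _y, _y)

# Constructed sample lists; a real deployment would load breach-derived lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "1q2w3e4r", "letmein", "fluffy123"}
WORDLIST = {"fluffy", "password", "welcome", "dragon", "monkey", "toronto"}


def _adjacent(a, b):
    """True if two keys are the same key or touch on the staggered grid."""
    if a not in _COORD or b not in _COORD:
        return False
    (ax, ay), (bx, by) = _COORD[a], _COORD[b]
    return abs(ax - bx) <= 1 and abs(ay - by) <= 1


def longest_keyboard_walk(s):
    """Length of the longest run of consecutive characters that are neighbouring keys."""
    s = s.lower()
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if _adjacent(a, b) else 1
        best = max(best, run)
    return best


def has_keyboard_pattern(pw, min_run=4):
    """Detect plain walks (qwerty, `1234567890-=) and two-row zigzags
    (1q2w3e4r, QZWXECRV), whose even and odd positions are each a walk."""
    if longest_keyboard_walk(pw) >= min_run:
        return True
    evens, odds = pw[0::2], pw[1::2]
    return (len(pw) >= 2 * min_run - 1
            and longest_keyboard_walk(evens) == len(evens)
            and longest_keyboard_walk(odds) == len(odds))


def has_repeated_run(pw, min_run=2):
    """Adjacent identical characters, like the 'ff' in fluffy123."""
    run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        if run >= min_run:
            return True
    return False


def is_word_plus_digits(pw):
    """A wordlist entry with digits or symbols around it, in any capitalisation:
    fluffy123, Fluffy321 and 123fluffy all reduce to 'fluffy'."""
    core = pw.strip(string.digits + string.punctuation).lower()
    return core in WORDLIST


def check_password(pw):
    """Return the list of weaknesses found; an empty list means none were flagged."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("on common-password list")
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    elif len(pw) < 10:
        findings.append("fewer than 10 characters (8 is a floor, not a target)")
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(any(c in g for c in pw) for g in groups) < 3:
        findings.append("uses fewer than 3 character classes")
    if has_keyboard_pattern(pw):
        findings.append("keyboard pattern")
    if has_repeated_run(pw):
        findings.append("repeated adjacent characters")
    if is_word_plus_digits(pw):
        findings.append("dictionary word plus digits")
    return findings


if __name__ == "__main__":
    for candidate in ["Irun4:7Kmpd", "fluffy123", "Fluffy321", "1q2w3e4r", "QZWXECRV"]:
        print(candidate, "->", check_password(candidate) or ["no weakness flagged"])
```

Run it and the sentence-derived Irun4:7Kmpd comes back clean, while fluffy123 and its "fix" Fluffy321 are both flagged for the repeated letters and the dictionary word, and the keyboard sequences are caught whether typed as a straight row or as the 1q2w3e4r zigzag. A checker like this is a complement to a breach-list lookup, not a replacement for one.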

In a future post I will talk about password management tools like LastPass and 1Password. But if you want to take a look now at home to manage the 100+ passwords you already have you can look now at these products. Google “Password Management Software” and you will get lots of information. I use 1Password for my 160 passwords. 

In the meantime, change your password and don’t use the same one on every site you access and make sure to use unique ones for the most sensitive sites like your online banking and email accounts. 

Jamie G

Info on Passwordless technology can be found at: https://fidoalliance.org/about/overview/

RCMP video on Identity Theft.

This is a pretty short video but it gets the point across. One thing that is in there that I can't stress enough is not to give anyone your personal information unless you are absolutely sure who they are. Just because someone calls you and knows your name and some of your personal information does not mean they aren't scamming you. A lot of standard information like name, address, phone number and information on your wife and kids isn't hard to find on the Internet.

A key thing to remember is that if someone calls you and asks ‘you’ for your account number or something similar, that should be a red flag right there. If they are calling you, they should have that information.

Never hesitate to say you will “call back” or are busy and then turn around and call your bank or the CRA to verify that they are trying to get hold of you. And as I have said in the past, the CRA and most banks will always send a letter (or several) before ever calling you at home for any reason.

Be safe.

Jamie G – Safe Identity Canada

“Windows Tech Support” Scam lives on. Beware!

I have posted about this in various different forums in the past but thought I would do an actual blog post on what has been a long standing scam on the internet.

I got an unsolicited call today from a fellow with a really heavy Indian accent stating that my computer has downloaded some malicious code and he is going to help me with it. He claimed to be from the “Windows Technical Department”.

If you want to read another post from almost 5 years ago you will get the gist of the call. The irony is that it is clearly the same person and he even uses the same CLSID code. If you Google “CLSID” you will get all kinds of scam links come up.

http://www.infosecisland.com/blogview/15066-Cyber-Criminals-Just-Came-A-Callin-At-My-House.html

It goes without saying that you will never get a call from some random company that has information about your computer being infected. You will note that I started asking questions and he simply diverts them by changing the topic. I had exactly the same call last year and aggravated the caller (who may have been the same guy) to the point that he hung up.  He asked me the name of the computer and I told him it was “Wombat 37” which was a name I totally made up. He said that he thought that was the right computer. I asked him the IP address of the computer that was acting up and he told me it was ‘illegal’ for him to know the IP address. That is a funny one. He said that is why the CLSID is there because of that.

Today I just kept him hanging, and optimistic perhaps that he had a ‘live one’, until I finally got bored and told him that the “Royal Canadian Mounted Police Cybersecurity website” kept popping up. At that point, he got suspicious and I ended the call. Listen to the audio here if you want to hear what these calls sound like:

More information on the various cyber scams can be found on the RCMP Cyber Crime website:

http://www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm

Fraudulent Call From CRA? Jonathan Knight? Here have a listen!

Have you ever had one of those calls that gets you all bent out of shape because you think you are in trouble but something just doesn't sound quite right? Have a listen to this call below I received today from the “Canada Revenue Agency” stating I am under investigation. Note that the call doesn't actually say who they are calling, and also doesn't leave a call back number.

If the Canada Revenue Agency were to be contacting you about a problem they would do so via Canada Post (snail mail) several times before taking the action of calling you. They would also actually say who they were calling for and would leave the CRA Call Centre number.

The ‘scammers’ who are doing this (much like the “You have won a Westjet Holiday” calls) are harvesting for vulnerable people to take advantage of. In this case they will tell you aggressively that you owe money and have to pay now or there will be legal repercussions. They may even say that the fastest way to pay is with “prepaid” credit cards. THAT is definitely a sign of a scam no matter who you're talking to.

You will NEVER receive a call from CRA or a financial institution and have them ask you to verify who you are by giving them your personal information. You will receive a letter in the mail stating that you need to contact them (sometimes with a reference number) at which point they will be able to verify it is you who is calling.

Best thing to do is just hang up on these scammers. However, if you feel you have been scammed, call your local police and file a report and immediately contact your bank. They will likely provide you assistance. You will want to contact Equifax Canada and TransUnion Canada, which are the two national credit bureaus, and register a fraud alert with them.

Contact the Canadian Anti-Fraud Centre

The following is directly from the Canada Revenue Agency “Protect Yourself Against Fraud” web site.

Know how to recognize a scam

Examples of fraudulent communications

There are many fraud types, including new ones invented daily.

Taxpayers should be vigilant when they receive, either by telephone, mail, text message or email, a fraudulent communication that claims to be from the Canada Revenue Agency (CRA) requesting personal information such as a social insurance number, credit card number, bank account number, or passport number.

These scams may insist that this personal information is needed so that the taxpayer can receive a refund or a benefit payment. Cases of fraudulent communication could also involve threatening or coercive language to scare individuals into paying fictitious debt to the CRA. Other communications urge taxpayers to visit a fake CRA website where the taxpayer is then asked to verify their identity by entering personal information. These are scams and taxpayers should never respond to these fraudulent communications or click on any of the links provided.
