October 27, 2009, 9:05 PM — Is it Christmas already? I'm beginning to receive informative e-mails about evil hackers who want to steal my identity during the dangerous (and ever lengthening) holiday season. As usual the advice ranges from lame to impossible.
[ 12 ways to visualize network security ]
I am advised to "avoid giving my credit card online" and to be "careful when banking online" and to use random, complex passwords that I never repeat and never write down. So, as long as I refrain from commerce, stay indoors and have a superhuman memory, I should be fine!
I worry about identity theft and take measures, throughout the year, to defend my identity. So here's some identify defense advice that's actually practical:
* Don't sign credit cards. I sign mine "See ID". Why give a card thief my signature too? It's easier to contest a charge if the person spoofing my signature has never seen it and can't come close to replicating it. It almost backfired once in a taxi in Tokyo. I had to sign the credit slip as Mr. "See ID" so that it matched the card – but hey!* Safeguard your passwords. Don't store passwords in documents or on paper. Use password "vault" software that implements strong encryption. An excellent, multi-platform and open source (free!) choice is KeePass. Store passwords, account numbers, credit card numbers etc. in the password vault. Use the secure clipboard (which clears itself after 10 seconds) to copy the password into your application, thus never typing it for a keylogger to catch. Use the built-in password generator to create truly unique, random and strong passwords. Install on iPhone or BlackBerry for mobility.* Remove Personally Identifiable Information (PII) from your computer. Now that you've safely stored all your sensitive tokens in the password vault above, remove any traces from your computer. The University of Texas has provided the Sensitive Number Finder (SENF) to help with this task. It's a cross-platform free java app that scans your hard drives for Social Security numbers, credit card numbers and such. I ran it for testing purposes, though as a security professional I was sure it wouldn't find anything. Oops! What's that Social Security numbers in a 5 year old tax return sitting there unencrypted?* Encrypt your hard drive. Use the built in OS encryption (on Windows or Mac), or a third-party solution such as the excellent TrueCrypt. This won't protect against Trojans or keyloggers but it will offer peace of mind if you leave your laptop in a taxi.* Freeze your credit report on all three agencies. You will have to unfreeze it before seeking new credit, but who said "convenience" should be the rule with credit? I'd rather have inconveniently secure credit. Equifax, Experian, TransUnion.* Buy a credit monitoring service. I prefer not to give more money to the credit agencies that created much of the identity theft problem in the first place. Identity Guard is a great choice for me.* Buy insurance and remediation for identity theft. Monitoring credit reports is not enough. Remediation is a pain and costly. Many services (including Identity Guard above) offer insurance against losses and assistance with repairing your credit file. A $1 million loss guarantee helps me sleep better.
Defending your identity does not mean hiding under a rock and shopping only by barter (a goat for my eight oranges). The practical solutions outlined here are not too expensive (about $150 a year). They are effective and can be implemented by anyone with just a bit of technical skill.
