Welcome to the Protecting Your Identity Training Module.

Does loss of control over your online identities bother you? If it doesn’t, maybe you should think again.

It can be a cause of concern for any active internet user.

By the end of this module, you will be able to:

• Identify the challenges in protecting online identities and

• Recognize the ways in which you can protect your identity

Your identity has value, as does each of your online partial identities. Your identity is valuable not only to you but to others as well. It is of value to you, the individual, because your identity reflects you and gives you access to the resources you desire.

Second, it is of value to the service provider who relies on your assertion of identity, for example the bank or a social networking site, such as Facebook or MySpace. They are the holders of the resources you want. Your identity is a business asset to those entities. When your partial identity is with your bank or a brokerage house, it may have direct monetary value. When it is with a social networking site, the value may be less tangible but equally important to you.

Lastly, your identity is of value to the thieves and other illegitimate users of your identity who want it to access resources they are not entitled to. As the value of your partial identities grows, the information becomes more attractive to thieves.

Identity theft, broadly, is the loss of control over one or more of your partial identities.

As any online partial identities may contain private data, it is important to manage and protect them appropriately.

Most identity theft is an ‘enabling step’ towards identity fraud, reflecting the direct monetary value of some partial identities.

Identity theft can happen in several ways. The types described here are common and happen to someone, somewhere, every day:

1. You are deceived into disclosing important personal information to the wrong person.

2. Someone (or some entity) is able to guess one or more of your passwords, or reset a password by exploiting password-recovery procedures, thereby unlocking your online identity.

3. Someone (or some entity) is able to eavesdrop on you electronically or take control of your computer without your knowing.

4. Mass data compromise: usually the hacking or purchase of a whole file of user details from a poorly-secured third party. There have been a number of instances of this, for example, from retailers’ sites and online gaming systems.

5. Parallel lives: when an attacker gathers enough personal data to set up a new partial identity in your name, usually so as to get credit and then default on the loan.

Let’s learn about each of these types of theft in detail.

This form of theft is also called a ‘social engineering’ attack. If a malicious website can persuade you that it is your bank or a trusted online merchant, you may be tricked into revealing sensitive data you would not otherwise have disclosed. Social engineering attacks play on the user’s trust to trick them into inappropriate actions.

A significant portion of the unsolicited email or “spam” sent to Internet users is designed to steal personal information.

These “phishing” messages try to convince you to connect to a malicious website designed to steal your identity, or disclose other data such as payment details, in the mistaken belief that you are dealing with a trustworthy site.

This is a more sophisticated form of theft. It usually requires the ability to combine social engineering with weaknesses in online systems. Unfortunately, most people choose passwords that, with a little thought and some patience, can too easily be guessed. Sometimes, guessing at a password isn’t even necessary if the system has an automated password-reset feature. In fact, many online systems allow anyone to reset a password as long as a few facts about the account holder are known.

If your password can easily be guessed, or it can easily be reset, you are at risk of identity theft.

You should also insist on secure browser sessions by default, so that your password is protected in transit.

This is a more technologically sophisticated form of theft. It usually depends on malware (such as a virus) taking control of a computer or a computer network and then hunting for sensitive information, such as credit card numbers, online usernames and passwords, and so on.

Mass data compromise occurs when hackers are able to get hold of the password database from a service provider’s website, and/or retrieve other data such as payment details, shipping address, etc.

Such data, especially credit card details, is often then re-sold online through an organized, international black market.

This form of identity theft happens when an attacker gathers enough data about you to set up a bogus partial identity in your name. Usually this is a precursor to identity fraud: the attacker uses your personal details to apply for credit, and then leaves you with the debt. The first you come to know of it may be when the lender starts to chase you for payment.

When a victim of “parallel lives” informs the lender of the fraud, the lender’s response is often “What? So, you’re not Mr. Smith?”

“Yes, I am Mr. Smith, but the person who took out this loan wasn’t me.”

This seems to be a hard concept for some defrauded lenders to deal with.

In some cases, when a victim of “parallel lives” tries to report the fraud, the police say that they cannot open an incident file based on the victim’s report, because according to the law the lender is the victim here and the police cannot do anything until and unless the lender files a complaint.

So the system is weighted against the person whose identity has been stolen.

However, identity theft through eavesdropping and mass data compromise is sometimes made possible by inadequate security on the part of the service provider. When passwords are stored at service-provider websites, you have to rely on the security measures of the service provider, and the level of responsibility they are prepared to take in case of a security breach. In the worst case, service providers transmit or store passwords (and even credit card details) in the clear in their systems.

Poorly-managed databases can be attacked. Unfortunately, this is beyond the control of the user, but each time a service provider suffers an embarrassing data breach (or lawsuit) in this area, it increases the pressure on others to adopt better practice.

You don't really have much direct control here beyond your ability to switch service providers, and sometimes that choice may not make much difference. If a company loses your personal data, the recourse that is open to you is likely to depend on your jurisdiction and whether you can show that you suffered as a result.

A little education and some common sense are the most important tools you have to avoid divulging sensitive personal information to individuals or entities that plan to exploit it.

There are some technologies that can help. The latest versions of most Web browsers have the ability to check websites and alert you to ones that are known to be malicious. Consider adding such plug-ins to your browser, but bear in mind that merely adding the plug-in does not protect you: you have to act on the warnings it gives you. Otherwise you will be no safer than before. At first, you may find warning messages inconvenient — but use them as a way of training yourself into more security-conscious habits. It will pay off in the long run.

Let’s now learn about some of the ways in which you can protect your identity.

Protect your password. If a password is easy to guess, then it is easy to steal. Select passwords that you can easily remember, but that aren’t easy for other people to guess.

Avoid using the same password for multiple websites, so if one website is compromised, your stolen credentials can’t be used at other sites.

If you want to select passwords that are related to make them easy to remember, try customizing the password for each site by adding a few characters (such as the site name). This won’t fool a dedicated attacker but it will keep out anyone who tries your password on other websites. The key principle here is to keep things practical while protecting against the most likely attacks.

Be especially careful to choose different, hard-to-guess passwords for each of the websites that are especially important to you, such as online financial services. Many websites—especially those holding financial or health information—employ various techniques to thwart thieves trying to force their way into your account. One defense automatically locks an account when there have been too many login failures, which might indicate that someone is trying to guess your password.

If your bank or other important service providers offer two-factor authentication, you should consider using that - unless your bank agrees to take all the liability in case your password is compromised. We will learn more about two-factor authentication later in this module.

Password resets are meant to help you when you’ve lost a password (or have been locked out). Every website has a slightly different technique for resetting a password. Here are the most common steps that are followed for resetting passwords.

1. You ask for your password to be reset, often by answering some personal “security” questions you have previously answered.

2. You may receive an email with a link that enables the reset or a new password might simply be emailed to you.

For websites that use security questions to validate your identity, use factual information (which makes it easy to remember) in ways that are difficult to guess. For example, if the question asks for the name of the first school you attended or the name of the first street you lived on, answer with the second school you attended or the second street you lived on. That way, even someone who knows a lot about you will have trouble answering the questions.

Also, remember that you don’t have to give “logical” answers, as long as they make sense to you and are memorable to you. For instance, if the security question asks “What is your favorite color”, there is nothing to stop you giving “three”, or “Monica’s eyes” as the answer and it will be a lot harder for an attacker to guess.

With password resets, it is important that you protect your email because your email address is often critical to the reset process; in other words, anyone who has access to your email may be able to reset your passwords and gain access to your accounts. Protecting access to your email is one of the most important tools for protecting your online identity.

In particular, if your primary email account offers two-factor authentication, it is worth considering the extra layer of protection for this sensitive asset.

The three common techniques adopted by most Internet users for protecting themselves online are:

• Logging out of accounts when they’re done.

• Using encrypted protocols (such as https or SSL protected email), and

• Changing passwords periodically.

Some email services (e.g. fastmail.fm) also offer you the option of multiple passwords: one password is for use in un-trusted environments. It gives you access to your mail, but doesn’t allow you to delete mails, edit folders or change your account settings.

Here are some good practices you can adopt to help protect your email, which helps protect your online identity.

1. Select email addresses wisely

2. Use reliable, secure email-forwarding services

3. Select different email addresses for each of your multiple online personae

4. Use 2-factor authentication wherever available

Let’s learn more about these techniques and why it is advisable to apply them.

As far as possible, choose email providers that have a good reputation for security and are established businesses likely to stay around: unlikely as it may seem, take a few minutes to think about how you could mitigate the risk that one of your email providers goes out of business overnight.

The Internet isn’t going away anytime soon, so you want to create email accounts you can use for decades to come. A single master email address will make it easy for you to reset forgotten passwords and it will reduce the chances that someone will be able to steal your identity by logging into a long-forgotten account. However, bear in mind the principle set out by investment legend Warren Buffett: “It may be OK to put all your eggs in one basket, provided you take really good care of that basket”.

If you own your own domain, you may even be able to make up a different email address for each site that asks you for one - so you could give Google the address [email protected], and Amazon the address [email protected]. As well as limiting an attacker’s ability to compromise your personal email account, this approach makes it easier to tell when service providers are sharing your email address with third parties, because it will be obvious if you start to receive email addressed to [email protected] that did not originate from Amazon.

Use email-forwarding services, such as ones provided by professional associations or alumni associations, or commercial forwarding providers.

Why use email-forwarding services?

Email-forwarding services ensure your email address can remain consistent, even if you change where your email is delivered. There is an additional level of security against someone guessing or resetting your password, because your true email account is hidden.

However, you must also weigh this against the risk that the forwarding service might become unavailable over time.

When you have multiple online personae, such as professional, personal, and academic, select a different email address for each.

Why use different email addresses?

Carefully choosing the right persona when someone asks for your email address can prevent problems later on. For example, your work or school email may not be very private if the company or institution claims the right to read or archive email on their servers.

Passwords alone cannot guarantee the safety of your online identity. If someone has access to your password, he or she can easily access your account: using 2-factor authentication can make it much more difficult.

2-factor authentication is a multi-layered security process. It combines different authentication techniques to make it more difficult for an attacker to compromise the whole authentication process. For instance, it may combine "something you know" (like a password) and "something you have" (such as a phone - which also means the authentication process can make use of two separate communication methods). This kind of 2-factor authentication would work as follows: you first enter your password. A second code is then sent to your phone. Only after you enter it do you get access to your account. To subvert the authentication process, an attacker now has to not only know your password, but also be able to intercept a separate message, in real time, sent to your phone.

Though not all services offer two-factor authentication, a growing number of email and banking service providers do, and it is well worth adding this extra layer of protection if you have the option.
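The two-step login described above, combined with the lock-after-too-many-failures defense mentioned earlier in the module, sketched from the service provider's side. This is an added example, not part of the original module; `Account`, `start_login`, `finish_login`, `send_to_phone`, the five-failure limit and the 300-second code lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5   # assumed lockout threshold
CODE_TTL = 300     # assumed lifetime of a one-time code, in seconds


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen password database is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(password, self.salt)   # never store the password itself
        self.failures = 0
        self.pending = None   # (sha256 of code, expiry time) once step 1 passes


def _fail(account: Account) -> str:
    account.failures += 1
    return "denied"


def start_login(account: Account, password: str, send_to_phone, now: float) -> str:
    """Step 1 ("something you know"): check the password, then send a code."""
    if account.failures >= MAX_FAILURES:
        return "locked"
    if not hmac.compare_digest(_kdf(password, account.salt), account.pw_hash):
        return _fail(account)
    code = f"{secrets.randbelow(10**6):06d}"       # unpredictable 6-digit code
    account.pending = (hashlib.sha256(code.encode()).digest(), now + CODE_TTL)
    send_to_phone(code)                            # separate channel from the browser
    return "code_sent"


def finish_login(account: Account, code: str, now: float) -> str:
    """Step 2 ("something you have"): the code must be pending, fresh, correct."""
    if account.failures >= MAX_FAILURES:
        return "locked"
    if account.pending is None:                    # no code issued, or already used
        return _fail(account)
    code_hash, expires = account.pending
    if now > expires:                              # too late: code is discarded
        account.pending = None
        return _fail(account)
    if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash):
        return _fail(account)
    account.pending = None                         # single use
    account.failures = 0
    return "granted"


if __name__ == "__main__":
    phone = []                                     # stands in for the user's phone
    acct = Account("constructed sample password")
    print(start_login(acct, "constructed sample password", phone.append, now=0))
    print(finish_login(acct, phone[0], now=30))
```

A password alone never reaches `"granted"` here, and a code that is reused, late, or guessed counts toward the same lockout as a wrong password. A real service would also unlock the account after a delay or a verified recovery step, which this sketch leaves out.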

To learn more about identity theft and how you can avoid it, you can visit the following websites.

The U.S. Federal Trade Commission website at http://www.ftc.gov/idtheft contains useful information in English and Spanish aimed at educating consumers about avoiding identity theft.

The Online Trust Alliance website at https://otalliance.org/ has a resource list to help you learn more about the technologies that can help protect your identity on the Internet.

The technical and business communities supporting the Internet are working hard to keep authentication and authorization up to the pace of evolving internet usage. In particular, authentication and authorization, in today’s internet, are more likely to be ‘distributed’ functions involving more than one service provider, where before, they were neatly siloed. Many solutions are still under development.

The model we are moving toward involves the creation of trusted identity providers, certified to recognizable levels of assurance, and also towards an increased reliance on third parties to assert a single attribute of a user, rather than exchanging authentication details or a whole user profile. This will mean, for example, that a relying party can simply be assured that you are over 18, without having to know your whole personal profile.

In a well-designed identity model, a user maintains one username and password (or another type of access credential, such as a hardware password token) with a single provider and that password is only given to that provider—never to any third party.

Federated identity protocols allow you to safely authenticate at one website and then receive services from another - without having to share your password or private information with it.

These technologies will be invisible to you but they will improve security by working to keep your identity safe. Newer approaches involve the user retaining more control over the flow of information to service providers, through the use of “personal data brokers”:

Select all that apply.

In which of the following situations will your online identity be at risk of being stolen?

State if the following statement is true or false.

Your online identity is not only valuable to you but also to your service providers, such as your bank or a social networking site.

Which of the following should you remember while selecting passwords?

State if the following statement is true or false.

Anyone who has access to your email may be able to reset your passwords and gain access to your accounts.

You have reached the end of the Protecting Your Identity training module.
