Jason Palmer, CPA, CITP


Securing your Digital World with Passwords

August 15, 2012 By Jason Palmer

This is a test: Grab your nearest digital device that has your personal information on it. That would be your cell or Smartphone, iPad or Android Tablet, notebook or desktop computer or iPod/mp3 player. Touch the screen or tap the keyboard to wake it up.

Does it ask you for a Password to proceed before you can access it?

If “Yes”, congratulations, you passed and understand the importance of taking as many precautions as possible to keep prying eyes out of your personal data and digital world.

If “No”, then the next question to you is “Why does your digital device not have a Password set?”  Would you leave your car unlocked on the Street?  Would you leave the front door of your house or apartment open so that anyone could just walk in and look around?  Well, would you?

If you secure every aspect of your physical world with locks, keys, and combinations, why would you not think to do the same for your digital world?

Password security is not just for your online web accounts.  Password security should be engaged and used everywhere it is supported.

I am sure that some of you have lost your cell or Smartphone. Without a Password set on the device, whoever found it immediately had access to your entire address book: every name, every phone number, perhaps full addresses, possibly birthdates. In this address book list there are probably sensitive contacts like your Doctors, Financial Advisors, and Attorneys. If you are like many people, in the NOTES section, some contacts may have Account Numbers and (hopefully not) Passwords and access information for these accounts. But we are just getting started, as we are only considering the wealth of information in the Address Book/Contact List. In the wrong hands, this is an identity thief’s dream.

If you have a Smartphone, every text message sent and received and every email for approximately the past two weeks is fully visible.  If the person who just found your phone is a criminal or identity thief, he or she might send an email or text message that appears to come from you fraudulently asking for “assistance” to one or more of your contacts.  (A popular scam is to claim that “you” are in a bad cell zone and can only text, have lost your wallet, and can “your friend” please send $100 via a wire service or mobile payment service.)

Your Smartphone most likely connects to an App Store – either the iTunes store or the Google Play store. This person may now be able to obtain additional personal information about you from Apple or Google and possibly credit card information, which can then be used to break into other accounts at other web sites discovered from your Contact/Address Book list.

The above scenarios hold true for most iPads, Android Tablets, iPods, and mp3 Players that have a contact list, email capability, and connect to any kind of App Store.

With a Notebook Computer it only gets worse: Your portable computer has all of the above and plenty of bonus content for the person who finds it. The computer will most likely contain sensitive documents. If you only have a notebook computer and no desktop computer, then it will contain your entire body of digital knowledge: Every letter, proposal, memo, spreadsheet (e.g. Expense Report, Income Information), Business Plan, poem – just about every piece of digital content you have ever created will be on this one device. But wait, there’s more: Every picture you have ever downloaded from your phone or camera: you, your family members, places you have been, all of your friends, and pets. This may seem innocuous, but for professional thieves the photos may reveal additional physical targets for burglaries. (Fluffy might become pet-napped and held for ransom.)

If you are a person who accesses a corporate network, which probably does use and require a Password, and that Password is stored in the access application, DING, DING, DING – it is the Mother of all Pay Days for the unscrupulous individual who is now in possession of your notebook.  That person potentially has full, unrestricted access to all of your company’s sensitive information.  This time it includes not only documents but may include corporate financial information and detailed personal information about clients of the company.

Finally, for the Lightning round: I am virtually positive that many of you have your Apps set for “auto-login”, where your User Name along with your Password are stored in the App. (For a web site, the user name and password are stored in the Web Browser.) You have just given the person in possession of your digital device the “Keys to the Kingdom” of your Digital World. He or she is now capable of viewing (and manipulating) your Social Media, WebMail, eCommerce accounts and any other web site that has stored access information.

As you can see, for lack of taking a few extra seconds to enter a Password every time you pick up one of your digital devices, you could be needlessly exposing your entire digital world and putting yourself and those around you at extreme risk.

You lock your physical world.  Lock your digital world too.

Set a Password on every device that supports the use of a Password.

For some guidelines on setting strong passwords, read my articles, “Strengthening Common Passwords” and “A Complex Password may not be a Strong Password.”

Technical Tip: If your device supports the use of a Swipe Pattern instead of entering a combination of numbers and letters as a Password, definitely use a Swipe Pattern. (A Swipe Pattern allows you to use your finger to draw a series of lines across the screen in a specific order to unlock the device.) Hackers can use automated programs to guess at the number and letter combinations which make up a Password. As of this writing, similar programs do not yet exist to crack a Swipe Pattern on a digital device. Even if such a program did exist, most phones would still lock out all further attempts after a certain number of failures. It was reported in March of 2012 that even the FBI could not get into a phone that used a Swipe Pattern to lock it. See more on that story here.

Filed Under: Security, Tech in Plain English Tagged With: Digital World, Hackers, identity theft, Password Security, passwords, Physical World, Swipe Pattern, Swipe Pattern Passwords, Your Digital World

Preventing Cybercrime with Transactional and Point in Time Alerts

July 7, 2012 By Jason Palmer

Cybercrime is a little like the weather. Everyone reads and talks about it but nobody does anything about it. Congress, like Mother Nature, has a will of its own, and the likelihood of seeing any real legislation forcing Big Business to take care of our personal information is suspect.

However, the same way that we can prepare for a Hurricane there are things that we as individuals and business owners can do to prevent or minimize the effects of the Cybercrime storms that are upon us.  We can use Transactional and Point in Time Alerts in the same manner as the National Weather Service alerts us that a Tornado is on the way.

All of us have heard the never-ending mantras of “Use Strong Passwords”, “Change your Passwords periodically”, and “Be suspect of providing personal information unless you have verified the recipient.” That goes almost without saying, and most articles on Cybercrime protection would probably end right here – but not this one.

The focus of this article is on behavior and transactional monitoring of your online and offline financial habits.  This is similar to the spending profiles that the Credit Card companies create for you to monitor your purchase patterns for possible Fraud.  At least once a quarter, I get a frantic phone call, email, and text from Citibank VISA asking for additional information on a recent purchase.  In some cases, they hold the authorization (not letting the charge to my account go through) until they have positively verified that I am who I say I am and that I personally made or approved the transaction.  I appreciate this minor inconvenience as it lets me know Citibank may actually care about my financial security after all.

In a perfect world, most Credit Card companies and to some degree Banks do this in the normal course of business to protect their customers.  But we do not live in a perfect world so some personal responsibility needs to be taken.  Fortunately, the tools to do so exist and are readily available – if you just take a few minutes to set them up.

As mentioned above, the Credit Card companies will flag things that look “out of the ordinary” to them based purely on statistical modeling and your spending patterns. Cybercriminals know this, which makes it easier for them to match the pattern.

I will give a real world example: My American Express Corporate Card number was lifted by an unidentified group or person operating at a local restaurant in New York City, near a particular client, that I frequently order in from for lunch or dinner. To American Express, the pattern looked normal. No flag was raised. I use my Corporate Card for meals all across Manhattan. None of the amounts were particularly outside the normal range and it is not uncommon to see the same establishments appear multiple times in a month. I, like most, am a creature of habit. I tend to shop and eat at the same places on a regular basis.

What was out of the ordinary for me was two charges in one day from this particular restaurant and that caused me to check my Date Book and see that there were at least six additional charges at this Restaurant on days when I was not even in Manhattan.

Of course American Express, as will all Credit Card companies, held me completely harmless, gave me full credit for the fraudulent charges, and “promised to investigate the matter fully.”  (Yes. I am sure…)

What could I have done, and what can you do, to protect yourself and help uncover this type of fraud in a more timely manner? Sign up for and enable Transactional Alerts on your credit card and bank accounts wherever they are available.

Chase exceeds my expectations in that within minutes of swiping my Chase Freedom Card at a Gas Station, I get an email alert telling me my credit card has been presented for authorization. After the sale is completed, I get another email telling me the exact amount of the charge.

Each Financial Institution varies with the level of Transactional and “Point in Time” alerting available but most seem to offer all or some of the following:

Transactional:  Notice of Card Authorization; Notice of Charge to Card; Notice of Charge over a certain dollar amount; Notice of Receipt of Payment; Notice of Presentment of Check to Bank Account; Notice of ATM/Cash Machine withdrawal; Notice of Teller Activity (Bank Deposit/Withdrawal);

Point in Time:  Daily Bank Account Balance or Amount Owed on Credit Card; Notice when Amount Owed exceeds a certain dollar amount; Notice when Checking/Savings balance goes below a certain dollar amount; Daily Summary of All Balances; Daily Summary of All Transactions;
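The sketch below is an added example, not part of the original article or any bank's system. It runs a few of the alert types listed above over constructed transactions, including the two checks that exposed the restaurant fraud described earlier (a repeat charge on one day, and a charge on a day the date book shows the cardholder was away). All merchant names, amounts, limits and function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data: (date, merchant, amount in dollars).
TRANSACTIONS = [
    (date(2012, 6, 4), "Midtown Deli", 18.50),
    (date(2012, 6, 5), "Corner Bistro", 24.00),
    (date(2012, 6, 5), "Corner Bistro", 26.75),
    (date(2012, 6, 9), "Corner Bistro", 22.10),
    (date(2012, 6, 11), "Gas Station", 61.30),
    (date(2012, 6, 12), "Electronics Store", 2799.00),
]
# Constructed date book: days the cardholder was not in the city.
DAYS_AWAY = {date(2012, 6, 9)}
# Hypothetical list of merchants the cardholder only visits in person.
LOCAL_MERCHANTS = {"Midtown Deli", "Corner Bistro"}


def find_alerts(transactions, days_away, local_merchants, charge_limit=500.00):
    """Transactional rules: return (date, merchant, reason) for each hit."""
    alerts = []
    per_day = Counter((d, m) for d, m, _ in transactions)
    reported = set()  # report each same-day repeat only once
    for d, merchant, amount in transactions:
        if amount > charge_limit:
            alerts.append((d, merchant, "charge over limit"))
        if per_day[(d, merchant)] > 1 and (d, merchant) not in reported:
            reported.add((d, merchant))
            alerts.append((d, merchant, "repeat charge same day"))
        if merchant in local_merchants and d in days_away:
            alerts.append((d, merchant, "charge while away"))
    return alerts


def low_balance_alert(opening_balance, transactions, floor=1000.00):
    """Point in Time rule: first date the running balance drops below floor."""
    balance = opening_balance
    for d, _, amount in sorted(transactions):
        balance -= amount
        if balance < floor:
            return d, round(balance, 2)
    return None


if __name__ == "__main__":
    for alert in find_alerts(TRANSACTIONS, DAYS_AWAY, LOCAL_MERCHANTS):
        print(*alert)
    print(low_balance_alert(3500.00, TRANSACTIONS))
```

None of the restaurant amounts is unusual on its own, which is why an issuer's spending-pattern model can miss them while these simple personal rules do not.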

Everyone who has online banking access, especially business owners, should make sure that alerts are in place for all transactions, where possible. Most importantly, if wire transfer or Bill Pay options are offered through your Bank, make sure that transactions over certain dollar limits above and beyond your normal activity range require “Secondary Verbal Approval” and/or additional authentication measures to allow them to proceed. Otherwise, if access to your Bank account is compromised (a Cybercriminal has your password or token), you could find a zero balance in your account with an almost insurmountable challenge ahead to try to retrieve the missing funds.

Using the combination of the alerts mentioned above that is right for your personal financial spending habits and needs can make all the difference between being “prepared” to catch a fraudulent event in near real time and prevent further Cybercrime, versus having a maxed out Credit Card, a Zero Bank Balance, and spending months filing reports and signing affidavits that state, “No, you did not purchase that 60” Plasma Flat screen for $2,799 at Best Buy in Houston, TX” and having to prove that you were actually in New York at the time. Or worse, having to completely rebuild your credit file because you were a victim of Identity Theft and did not discover the damage until well after the fact.

Transactional and Point in Time Alerts are your best defense.

Filed Under: Security, Tech in Plain English Tagged With: alert, American Express, Balance Alerts, Bank Account Fraud, banking, Chase, Citibank, credit card, credit card company, Credit Card Fraud, Cybercrime, financial institution, financial institutions, identity theft, transaction monitoring, Transactional Alerts
