Five ways to protect your data and prevent identity theft
So you've got that dreaded message saying your data's been leaked. Now what? Two UNSW experts explain how to avoid becoming a victim of identity theft
Identity theft can happen to anyone, anywhere. Such security breaches are common and costly for businesses. Australia’s average data breach cost is $3.35 million per breach.
But aside from costs, there are other issues and risks. For example, when an organisation is hacked, it creates trust, safety, and confidence issues for consumers who engage with the organisation. There could also be serious regulatory consequences depending on the type and amount of leaked data. Optus and Medibank are two recent examples of large-scale businesses that have dealt with major data breaches with implications such as identity theft for affected customers. Optus reported that up to 9.8 million people may have had their data breached, which led the company to set aside $140 million for cybercrime-related costs.
The big problem is that identity theft is something users can only sometimes prevent. For instance, it can happen because a service provider hosting personal information suffers a data breach (like last year’s Optus and Medibank data breaches). While organisations are responsible for protecting users’ data, there are additional measures a user can take to limit the risk of falling victim to, and the potential impact of, identity theft. These steps can help protect you and your business.
To find out more, we asked two leading cyber security experts at UNSW Sydney’s School of Computer Science and Engineering (CSE), Arash Shaghaghi, Senior Lecturer, and Sanjay Jha, Professor and Chief Scientist of the UNSW Institute for Cybersecurity (IFCYBER), to explain the crucial steps to take in order to avoid becoming a victim to identity theft online.
Does encrypting your phone really work to protect your data?
While some may believe encryption works to protect your data, this isn’t the only (or best) solution, though it is a good place to start. When end-to-end encryption is not enabled, attackers can access your data if the service provider systems are breached. These can then lead to identity theft attacks.
Dr Shaghaghi explains: “Our phones usually contain detailed information about our personal and professional life – e.g., photos, account details, credit cards, etc. Unfortunately, an unencrypted mobile phone is a golden source of information for identity theft attacks. In some cases, detailed profiles extracted from stolen phones were sold on the dark web, and a user’s identity was used for illegal purposes across different states and countries. Therefore, encryption is critical and should be a default.”
However, enabling encryption on your phone will not protect you against all threats. “For example, depending on permissions, third-party apps running on your devices can have unrestricted access to files kept on your devices. Hence, we must refrain from installing untrusted applications on your phones (e.g., from unverified third-party application stores),” explains Dr Shaghaghi.
Another helpful precaution is to use secure and encrypted storage apps to store sensitive information (e.g., passwords, identity documents, etc.) on your phones. These keep your information encrypted and inaccessible to potentially malicious apps installed on your devices.
But you should also follow good hygiene when deciding which apps to use and grant them authority to access our data. For example, data encryption on your phones is irrelevant when you upload files on a cloud service or exchange files over a messaging application that lacks end-to-end encryption.
So what else can users do to ensure they remain as protected as possible?
Five ways to protect your data and identity
1. Registering for a service? Think twice. There are a few essential considerations when registering for any new service, says Dr Shaghaghi. For example, users should check for `https’.
“If the website of a secure service like a bank or the registration page of a new account does not start with ‘https’ or has the ‘closed padlock’ symbol displayed, then it is best to avoid it and not enter any personal information,” says Dr Shaghaghi.
“It is very easy for attackers to steal all your information when using such websites, and also, it’s unlikely any reputable websites will not use `https’ these days,” he says.
And if it sounds too good to be true, it probably is. For example, if a website you’ve never heard about is selling your favourite shopping list item considerably cheaper than all the other choices, then be cautious and do not provide your personal and financial details without carefully checking the website reviews, explains Dr Shaghaghi.
“Besides the risk of not ever receiving the item you order and financial loss, it’s not uncommon for such websites to steal your personal information for identity theft,” he says.
Finally, he suggests using different passwords, usernames, and emails for different services. “Do not use the exact details across all websites. If you do this, once your account details are compromised (either on your side or after the service provider suffers from a breach), your accounts with other service providers will be at risk too.
“One option is to use password management software to generate random passwords for each service you use. Password management software also allows secure storage of your passwords in an encrypted format. This way, you only need to remember your master key password,” he says.
Read more: Australia should adopt 'gold standard' in data laws after Optus leak
2. Clicking on a link or opening a shared file? Be suspicious and prepared. Unless you trust the email’s source, do not click on links, suggests Dr Shaghaghi. “It’s easy for attackers to redirect you to a legitimate-looking website and prompt you to enter your details. If you receive an email asking for your personal information, be cautious and ensure you double-check the sender’s details. If an email has attachments, check the sender and do not open random attachments,” he says.
“They can contain malware designed to steal your information (e.g., monitoring all your activities on your laptop). One good measure to avoid the risk of malicious software on your laptop/phone is to use well-known and reputable security software – do your research on this.”
3. Posting an update on social media? Know the risks and check your settings. It’s also important to remember that cybercriminals can collect personal information about you from social networking websites and steal your identity, explains Professor Jha. To avoid this happening, he suggests that you check the settings of your social media profile (Facebook, Instagram, LinkedIn, Twitter, etc.) and consider your audience when you post any updates (public, private, friends, etc.).
“However, even then, consider that your content may be accessible to anyone through re-sharing, screenshots, etc. Hence, carefully review the content of your post and avoid posting content that makes you or your family vulnerable to identity theft (e.g., address, date of birth, holiday plans, children’s schools, etc.),” he says. For example, incidents have been reported where travelers’ flight plans changed or were cancelled after posting a photo of their boarding passes online.
Additionally, if you receive an unexpected message (gift offers, money transfer requests, survey links) from a friend, do some research and confirm its legitimacy, suggests Professor Jha.
“Often, survey links are used to collect your personal information, which may be used for identity theft. These links may even lead to hijacking your account and sending messages to your friends. These precautions also apply to online dating websites, where criminals trick users with fake profiles and collect personal information,” he explains.
Read more: Could decentralised identities stop cybersecurity breaches?
4. Privacy concerns don’t just impact adults. It is also worth remembering that children’s identities can be stolen too.
“Just like adults, children use many websites and applications, such as social networking websites. Criminals steal a child’s identity and apply for credit in the child’s name. These cases may go undetected for many years,” says Dr Shaghaghi.
“One warning sign for this is when a child receives a call about late payment or offers for credit cards. An excellent measure to protect a child against identity theft is to freeze their credit report through significant credit bureaus.”
Subscribe to BusinessThink for the latest research, analysis and insights from UNSW Business School
5. It’s not just digital. Finally, it is worth remembering that physical documents are still commonly used for identity theft. You can protect your identity by carrying only essential personal documents with you, destroying personal documents before putting them in the bin, and keeping copies of important documents stored safely.
For example, Dr Shaghaghi suggests that if you keep your account passwords written somewhere, ensure its safely kept. Check your mail frequently and empty your mailbox. Update your address for essential services (e.g., banks, tax, employer) as soon as you move so any correspondence with your records does not fall into the hands of criminals.
It is also essential to consider how you dispose of your mobile, laptop, and hard drives, says Dr Shaghaghi. Even if a device does not turn on, criminals can use it to restore your personal information after you dispose of it. Some companies offer secure recycling options.
“You should perform a factory reset and erase your data when possible. A data `destruction software’ can permanently delete records and is much safer than deleting files in the operating system,” he says.