We’ve come to rely on online services for nearly every aspect of our lives: communicating with friends and family, filing taxes, shopping, ordering food, hailing a ride, and for those with smart homes, even turning on the lights. Those services we rely on, however, also leave a breadcrumb trail of information about ourselves online and expose us to cyber-criminals.
More than 16.7 million Americans became victims of fraud in 2017, losing a total of $16.8 billion, according to a report by advisory firm Javelin Strategy & Research. What’s especially frightening is that criminals obtained at least $5 billion of that amount through online identity theft, robbing their victims from the comfort of their desks, without the need to even get close to them.
As our lives become more connected, the threat of our personal information ending up on the dark web is becoming more rampant, and anyone can become a victim. In many cases, we can’t even quantify the damage of online identity theft.
Here’s what you need to know about online identity theft, the dark web, and how to protect yourself.
What is online identity theft?
Online identity theft happens when a malicious actor gains enough personal and sensitive information about you to impersonate you or hijack your online accounts and perform activities on your behalf.
The information required for identity theft depends on the kind of action the hacker or group of hackers wants to perform. For instance, in the case of online fraud, the criminals might be after your social security number or bank account number.
In other cases, such as social media account takeover, they might only need your password to start posting damaging and hateful content under your name.
How do we lose our online identities?
Users are largely accustomed to sharing their information online without thinking about the consequences. Unfortunately, the wealth of data available about each person makes it easier for hackers to target them.
“An estimated 90 percent of all cybercrime starts with social engineering,” says Gabriel Glusman, senior analyst at cyber intelligence company Sixgill.
Social engineering refers to attacks that trick users into giving away their sensitive information or installing malware on their computers. Among the most prevalent types of social engineering attacks are phishing scams, in which attackers target you with emails that contain malware-infected attachments or links to malicious websites that steal your information.
“Most private systems will initially get infected for having fallen for a phishing email or an email delivering malware,” says Glusman. “Most trojans are delivered through spam, whether they contain the binary file itself, or they provide a malicious link.” Trojans are applications that look legitimate but contain malware.
Often users walk into traps without being prodded by hackers. “One of the biggest oversights is not checking for HTTPS before putting information into a website,” says Paul Bischoff, a privacy advocate at Comparitech. “The ‘https://’ that appears at the beginning of a URL, along with a padlock icon, is a simple way to ensure you’re communicating with whom you think you’re communicating. It also encrypts the data being sent to and from that website so no third parties can read it.”
When you browse an unencrypted website, hackers can easily stage man-in-the-middle (MitM) attacks against you, in which they intercept your communications to steal information you exchange, such as usernames, passwords, phone numbers, and emails. More sophisticated hackers might be able to redirect you to a fake, malicious version of the same unencrypted website without raising any security alarms in your device’s browser.
You’re especially exposed to the threat of MitM attacks when you’re using public WiFi networks, where hackers can easily place themselves on the same local network as you and intercept your internet traffic.
The role of data breaches in online identity theft
One form of online identity theft that we, as users, can do little about is cyberattacks against the online services we use. Even the most renowned internet companies fall victim to data breaches every once in a while, and when breaches happen, cybercriminals often obtain some of the most sensitive and valuable information of those users.
One notable example was the massive data breach of credit card reporting agency Equifax, which gave hackers access to names, social security numbers, birth dates, addresses, driver’s license numbers and in some cases credit card info of more than 140 million customers.
“Providing your data to 3rd parties is inevitable nowadays, and there is not much one can do in terms of protection,” says Glusman, the analyst at Sixgill. “The high-profile breaches of the last few years have shown that even the biggest and most respectable companies in the world sometimes aren’t protecting their customer data as they should.” Testament to the fact: Yahoo’s 500-million account data breach (which later grew to 1 billion and 3 billion).
“Short of providing false information upon signup, there’s not much users can do to prevent their information being stolen in the event of a data breach,” Bischoff adds.
Glusman also observes that the problem with personally identifiable information is that it doesn’t expire like a credit card. “Once it’s out there, there is no way to know or control who gets their hands on it,” he says. “So you may find your personal information being exploited even years after it was stolen.”
Those security incidents sometimes affect people’s lives in very damaging ways. In 2015, a data breach at online adultery website Ashley Madison leaked the most intimate information of 32 million users. The incident allegedly led to the suicide of several victims.
What do cybercriminals do with your online identity?
In targeted campaigns such as spear-phishing attacks against high-profile individuals and organizations, the same hackers who steal your identity will use it for malicious purposes. In 2016, hackers managed to spear-phish their way into the email account of John Podesta, the chairman of presidential candidate Hillary Clinton’s campaign, and leaked his private communications to whistleblower website WikiLeaks.
In April, hackers took over the verified Twitter account of Vadim Lavrusik, a product manager at YouTube, and used it to spread fake news about a shooting that had taken place at the YouTube headquarters on the same day.
However, Glusman notes, “Often, the individuals stealing your data will not be the same ones using it for things like fraud, ID theft, and extortion.”
In the case of wholesale data breaches, attackers usually monetize them in other ways. “Data that’s obtained as a result of a large breach is typically sold on the black market,” Bischoff says. “From there, it could be used for theft, identity theft, fraud, or blackmail.”
The dark web, the obscure underbelly of the internet that can only be accessed through anonymizing tools such as the Tor browser, is where hackers usually sell the stolen information of users in online black markets. Valuable financial information is often sold individually at high prices, while usernames and passwords to ordinary social media accounts are sold in bulk. In 2016, for example, news emerged that someone was selling a stash of 33 million Twitter passwords on the dark web.
What should you do to avoid online identity theft?
For the most part, the best way to avoid identity theft is to stay true to the principles of digital hygiene. This means keeping your operating system, browser, antivirus, and other software up to date and staying on the lookout for news about scams and attacks.
It’s also important to avoid oversharing information about yourself on social media, because every post and picture you put online can give hackers another piece of the puzzle to impersonate you or target you with social engineering attacks. Be especially mindful of the sort of information typically used for password reset options, such as the name of your first elementary school.
“Don’t fall for phishing scams,” warns Bischoff. This basically means not opening attachments or clicking on links in emails unless you’re absolutely sure about the source. (Here’s the Daily Dot’s guide to protecting yourself against phishing.)
Bischoff also recommends making sure you only visit websites whose addresses start with HTTPS and enabling two-factor authentication (2FA) on online accounts whenever possible. Two-factor authentication prevents hackers from accessing your account even if they obtain your password. (Here’s everything you need to know for enabling 2FA for Twitter, Facebook and Gmail.)
Another layer of defense against online identity theft is encryption. The more of your data you encrypt, the harder you make it for malicious actors to access your sensitive information and use it against you (see Daily Dot’s guide to encrypting all your data).
In particular, when traveling and using public WiFi networks, such as those in hotels and restaurants, make sure you’re connected to a virtual private network (VPN), which will prevent potential attackers from spying on you and staging MitM attacks against you (see Daily Dot’s guide on VPNs).
What to do if you become the target of online identity theft
The inevitable happens. After all, you have to win every battle against hackers—they only have to win once. When you become aware of large data breaches, one of the ways to find out if you’ve been affected is to go to “have I been pwned,” a web service created by security researcher Troy Hunt that tracks data breaches and tells you whether your email address is included in any of them. (The Daily Dot has a guide for this too.)
But Hunt’s service is far from a comprehensive database of all the information that exists on data breaches. “Attempting to monitor the dark web for an individual person without the proper tools and expertise is both risky and virtually pointless,” says Glusman. “The stolen data is being sold for profit, so you’re unlikely to find things like credit card data and social security numbers lying out in the open without having to pay for it.”
While you will find some examples being shared for free, they are an insignificant percentage of the amount of information that is actually traded, Glusman says, and it will most likely only be an email address. “So ‘a needle in a haystack’ would be a massive understatement,” he says.
That’s why you also have to monitor your accounts for potential signs of breaches, such as unusual login alerts, access from locations and devices you don’t recognize, and activities you don’t remember having done. In case you find out (or become suspicious) that you’ve fallen victim to online identity theft, the first thing you should do is to prevent the bad actors from making use of the information they’ve obtained.
“Change your password for that account and if you use the same password on any other accounts (you shouldn’t), change those as well,” Bischoff says.
If the breached service involves sensitive data, such as credit card information, call your credit card provider and put a freeze on your account to prevent the scammers from using it.
The convenience of connected life comes at a risk to security and privacy. We must recognize and embrace this reality and try our best to minimize the threats while benefiting from the advantages.