Let’s face it: The Internet is a great convenience, but all those user names and passwords can be a cumbersome pain in the caboose.
You’ve got work e-mail and home e-mail, then all the online accounts for the bank, a credit card or two, maybe a mortgage and the utilities. Maybe work offers online access to ever-changing medical, dental and vision benefits. Frequent travelers have accounts with airlines, car-rental firms and online travel-booking services.
Then, there are the chat groups and the eBays, PayPals, iTunes and Netflixes of the world. Not to mention subscription Web sites. It’s too much for anyone to remember.
That’s why, despite repeated recommendations not to do so, people typically write down their user names and passwords or recycle them from one site to the next. That means that if a thief gets hold of the list, or your core password, the Internet can become the world’s window into your computer, your finances and your identity.
Identity theft is a $55 billion-a-year concern, according to most leading estimates. Mail theft and dumpster-diving are still the tools of choice for identity thieves, but cybercrime is a growing problem, and poorly protected passwords are a key vulnerability.
“The proliferation of passwords is a big problem,” said David Jevans, chairman of the Anti-Phishing Working Group. “One problem with using the same password everywhere is that if a phisher gets one, he can log into all your accounts.”
Phishing is a form of spam that uses unsolicited e-mail to dupe the recipient into divulging personal data. The infamous Nigerian government e-mail and others offering winnings in a European lottery are well-known examples.
Phishing is the most common method of stealing identities online, but thieves are getting more sophisticated.
“There are numerous penetration tools available to hackers,” said Robert Siciliano, chief executive of IDTheftSecurity.com, an online-security consultancy.
- In one, hackers use software, trying different permutations of dictionary words and numbers to discover a password.
- Other hacker software analyzes social patterns from repeated names or interests, using those to find passwords.
- A form of software called malware steals saved passwords from the memory in Web browsers.
Still, Internet users base their password security on the amount of risk they perceive and can live with.
Russ Perry, a 24-year-old self-employed marketer from Tempe, Ariz., guessed he has hundreds of online accounts, which he clumps into three categories. For the most sensitive personal and financial information, he uses a 16-digit number made by fusing fragments of commonly used numbers. For everything else, he uses variations of alphanumeric passwords.
“If you’ve been using the same number since 1986 and it’s the PIN number from your first ATM card, maybe you should change your password,” he said.
Julie Turko, a 38-year-old fundraising director at a Phoenix nonprofit, alters her one password only when forced by a Web site. She has about a dozen accounts. “The worst thing that can happen is they can get into a bank or credit-card account and make some transactions I think are reversible.”
Cybercrime is particularly difficult to trace. The nature of the Internet means that crooks are often overseas and always anonymous. Often, victims are completely unaware their computers have been hijacked. Other times, the losses are small or people are too embarrassed to report the theft.
The FBI helped establish the Internet Crime Complaint Center in 2000. Last year, the center received 207,000 complaints of cybercrime involving financial losses that totaled $198 million. The figures represent only a portion of all cases handled by law enforcement, the agency reported, noting that research shows that only one case in seven ever reaches regulators.
“Anyone who utilizes the Internet is susceptible, and IC3 has received complaints from both males and females ranging in age from 10 to 100 years old,” the agency reported.
“We choose convenience over privacy and security every time. We are a lazy society,” said Robert Siciliano, chief executive of IDTheftSecurity.com, an online-security consultancy. “Security is not convenient. Security is a hassle. That’s just the nature of doing business these days.”
Online security tips
Tips to keep your identity safe online:
• Don’t use log-ins that rely on words in the dictionary.
• Don’t use the same user name and password for more than one account.
• Don’t do online business on an unknown Web site. Research it first.
Internet-security experts and government investigators say there are some simple steps to protect passwords and online accounts from identity thieves.
• Mix up user names and passwords with capital and lower-case letters as well as numbers and keyboard symbols. Make logins at least eight characters long.
• Never respond to an e-mail asking you to divulge a user name, password, bank-account numbers, Social Security numbers or other personal or financial information.
• If you have a master list of all your passwords and user names, keep it in a locked place. If it is on your computer, keep the list protected or, better yet, encrypted.
• Set Internet-security options on your browser, such as Internet Explorer, on “high.”
• Use and routinely update spam blockers, spyware-detection software, pop-up blockers and anti-virus software. Keep firewalls up to date.
• Consider investing in password-management software or a password-protection device, which acts like a key to unlock a computer when plugged into a USB port.
• Routinely check your bank and credit card statements for unusual spending. Review your credit rating annually.
• If you suspect fraud, report it immediately to your financial institutions and contact the Internet Crime Complaint Center at www.ic3.gov.