A run of ID thefts
April 6, 2012 7:24 PM   Subscribe

Help me fend off the cyber brigands (and persuade my family that they need help)!

I need realistic and if possible specific advice for an outbreak of ID thefts from our cyber-household, as follows, all in the last year. Do these form a pattern?

• A squatter on one household member's auction account, which had gone unused for some time. The squatter ran up a bill. This has been caught and deal with.
• Abuse of the household's big-box retailer account. This has also been caught and dealt with.
• Penetration of a subscription e-mail account maybe due to accidental response to a fake survey associated with relatives' 12 Days of Christmas e-cards. I notified the provider immediately and migrated my mail to another provider.
• Abuse of the credit card number associated with this e-mail account. The survey did not request the number. This case is still being dealt with, as it was disclosed earlier this week. The number has been canceled, which is screwing up billing payments for my website and other subscriptions.

I am also having some major anxiety and shame issues over the ID thefts. It's good practice to request a credit report after incidents like this, but I am terrified that it will reveal something worse. (I'm also furious, and if I had hacker superpowers I would track down the person or people responsible for the ID thefts and kill them.)

As for the shame, is it realistic to feel this way, as if you had a sexually transmitted disease? Most of the shame in this case stems from admission of ignorance. Everyone in the household works with computers daily for regular communications, web-surfing, purchases, etc., but we are not sysadmins, coders or security professionals.

I've decided to adopt better Internet use habits, including blocking ads, not bookmarking, disabling Java, and never "saving" a credit card number in an account. I have changed my passwords repeatedly.

I am considering taking down the website, which nobody ever visits because they prefer Facebook. I have a Facebook page but have turned the privacy up to maximum; I don't do Facebook, period. I'm thinking of closing the Facebook account. I am trying to close the e-mail account that was abused, and have discontinued the subscription.

But I am paranoid that we have been penetrated somewhere, maybe at the level of our notoriously incompetent and despised regional ISP.

I think we need a professional IT security consultant. None of us in the household are sufficiently IT-savvy to do it ourselves. But due to the cost, admission of ignorance, denial etc. I don't know how to persuade the family members that we should hire an IT security professional. I'm having trouble just persuading them that they should upgrade the OS of the main computer to the current one.

I can't disclose more special snowflake details about the specific ISP, the e-mail provider, the OS versions, etc. as I am feeling understandably paranoid. Suffice it to say that we have Macs and for that reason may have been too lax about security.
posted by bad grammar to Computers & Internet (7 answers total) 2 users marked this as a favorite
"I am also having some major anxiety and shame issues over the ID thefts. It's good practice to request a credit report after incidents like this, but I am terrified that it will reveal something worse."

This is very much worth getting over, the only thing worse than dealing with this stuff is not dealing with it.
posted by Blasdelb at 7:32 PM on April 6, 2012

Dunno if I'd liken getting hacked to catching an STD. If the comparison were apt, I think we'd have a complete pandemic of STD's out there. IOW, I'm not aware of anyone who hasn't been hacked at one time or another. Tighten up security, maybe ease up on reliance on the net for so many transactions and move on.
posted by telstar at 9:01 PM on April 6, 2012

Corry Doctorow had a great piece a while back about how he got phished. He put it like this:
But all the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher. This is eerily biological, this idea of parasites trying every conceivable variation, at all times, on every front, seeking a way to colonize a host organism. The net’s complex ecosystem is so crowded with parasites now that it is a sure bet that there will be a parasite lurking in the next vulnerable moment I experience, and the next. And I will have vulnerable moments. We all do.
Remember, this is Cory Doctorow, a man who all but rolls around in a big pile of recently invented high tech gadgets so he can better stalk his prey by smelling like the future. If it can happen to him, it can happen to anyone.

These sorts of things happen, and are likely to happen to you from time to time no matter what you do. I get a new debit card every year or so from my credit union because some third party has compromised my data. A less trustworthy bank might not bother with the added expense and let me take the risk. I also got hit by the $5 e-book credit card scam which led me to this eye-opening page.

A security consultant can clean up any current messes you might have, but at some point being secure is a matter of knowing what danger looks like and not sticking your hand in it. I've been a big fan of Bruce Schneier's blog for some time now. Some times his commentary is about the TSA, sometimes it's about forged subway passes and sometimes it's about specific threats to your computer but if you make a point of reading it for a while you'll start to see that security issues tend to have similar motifs. A man in the middle attack, for example can be done by a hacker who has himself somehow between you and a trusted web site, so you give him your credit card info and he passes it to Pay Pal (or whoever) but keeps a copy of the data for himself; or it can be done by a waiter who copies down your credit card number when he takes it up to the register to ring up your bill.
posted by Kid Charlemagne at 10:31 PM on April 6, 2012 [1 favorite]

If reformatting from scratch is not an option, you might want to give Rootkit Hunter and ClamAV a try on the macs. Malware is not as prevalant on macs as it is on pcs, but it still does exist and is on the rise. You'll want to make sure that none of your macs are compromised with a "man in the browser" exploit where your information is captured prior to encryption.

You may also want to install Web of Trust which is a community driven site advisor that can help you steer away from phishing or malicious websites via searches or e-mail.
posted by samsara at 6:29 AM on April 7, 2012

And of course you'll want to do the most basic thing, which is refusing to use any non-machine-generated random password with less than 100 bits of entropy for any purpose, and refusing to use any password for more than one purpose. KeePass is your friend.
posted by flabdablet at 10:08 AM on April 7, 2012

Response by poster: Thanks, people. I did request a free credit report from Equifax. It may not be up to the minute, but it is clean. Nobody has taken out a mortgage in my name (despite Equifax's alarming splash quiz which you must take to get to the report) or run up thousands of dollars in charges. If my credit card has been abused, it was so recent that it hasn't shown up; no other of my accounts have been abused.

I also confirmed that nobody else has been using my e-mail account ID.

I am working on the measures you have all suggested, and if I can't persuade my elderly parents to deal with it, I'll do it myself (starting with basic security stuff in OS and browsers, then anti-virus and anti-spyware). They are not Alzheimer's but my mother now has a health crisis that they need to deal with first. As to why I'm living with them, long story, but the health crisis now makes it necessary as I am doing housework and expect to do more.
posted by bad grammar at 6:06 PM on April 7, 2012

If the OS you're talking about is Windows XP, there's no need to put your folks through the pain of adapting to 7 (or - shudder - 8) for the sake of security. XP has perfectly adequate security; it's just a matter of turning it on. But it should certainly have all available Windows security updates applied, and Windows Firewall should be turned on to protect all network connections.

If you have multiple Windows boxes that are not already up to date via Automatic Updates, you can save time and bandwidth by centralizing your update downloads with this offline updater. You can put that on a USB stick and run its update downloader from there, then plug it into any Windows box you'd like to update and run its update installer. If you want it to collect updates for everything it can conceivably update, you will want a 32GB USB stick; for just Windows XP and Office, 8GB is plenty.

Least-hassle, most set-and-forget Windows antivirus product I'm aware of is Panda Cloud Antivirus (plus it even does a pretty good job at blocking viruses and assorted other malware). The installer comes with options to install a "security toolbar" and make Yahoo your default search provider; personally I turn off both of those but you might want to play with one or both and see if they offer you some value.

Between that and Malware Bytes Anti-Malware there's no reason I can think of to pay good money for an anti-malware suite.

For ad blocking, I like the Adblock Plus extension, available for both Firefox and Chrome. After installing that I will generally subscribe to EasyPrivacy+EasyList and disable the "allow some non-intrusive advertising" feature.

You can lock things down a little tighter browser-wise with NoScript; I do this on my own browsers, but I have found that when I install it on other people's browsers and come back a few months later, they have usually managed to flip it into blacklist mode instead of whitelist mode by accident, and there's nothing in the blacklist. If you have ineducable users, NoScript is basically going to be a useless annoyance for them.

There are various security products for Windows that offer "registry protection" and cause authorization pop-ups whenever something attempts to modify a potentially sensitive registry key (e.g. Spybot Search and Destroy's optional "Tea Timer" component). There are other products that do similar things for various kinds of network access (e.g. Zone Alarm firewall). In my experience, things that work this way usually cause more trouble than they prevent. Most people have no clue at all whether it's appropriate to click "Block" or "Allow" and revert to picking one or the other and doing that consistently. At best this makes the "security" product ineffective; at worst it breaks Windows in ways that are difficult to diagnose and fix.

Identity theft happens much more often via PC-based malware and end-user social engineering than via sketchy ISPs. But if you've done a reasonably thorough job of locking down your PCs and you're still worried about your ISP, you might care to buy a subscription to something like StrongVPN.

But the first thing you should do is get comfortable with KeePass and start using unique high-entropy machine-generated passwords for everything. This the single most effective step that anybody can take to protect their online identities.
posted by flabdablet at 9:25 PM on April 7, 2012 [1 favorite]

« Older Miss Hanigan would be so disappointed   |   If she keeps this up she will only have 8 lives. Newer »
This thread is closed to new comments.