Keeping Your Accounts Offline Is Not More Secure

You think you are the clever one because you never use the Internet for online banking, online shopping, or managing accounts like your retirement account, gas and electric utilities, telephone, cell phone, and Internet.  Open a Facebook account?  Never!  You think you are safer from account hijacking and identity theft because you never set up any online accounts.  If you don’t have it, they can’t hack it – right?  Wrong!

If you have not set up online accounts for managing your services, this actually makes it easier for cyber-crooks and identity thieves to set up online accounts in your name by calling customer service and pretending to be you.  Using information that is easy to acquire online, such as names, addresses, phone numbers, Social Security numbers, and birth dates, imposters can set up accounts in your name and take over your services.  They use email addresses and phone numbers they control to communicate with the bank or vendor.  Often one account can be used as a springboard for creating other online accounts.

Unfortunately, the people who need to get this message are the least likely to be searching the blogs for information like this.  But you undoubtedly have a relative, friend, or associate, typically older, who fits my earlier description of a 21st century neo-luddite.  Please print (dead tree method) this article out and mail (postal, with a stamp) it to them, or better yet, bring it to them.  And print out the article from Brian Krebs from the link below as well.  He describes several specific incidents that may scare your potential victim out of their resistance or complacency, like the story about the victim whose bank account was slowly drained of $170,000 in small increments over a six-month period.  You may need to make some calls with them to their bank and utility accounts to check for any unusual activity, and set up online accounts for them.

Account types that are the usual target of take-over attacks such as these include:

  • Banking, retirement savings, pension, credit card, and other financial accounts – because that’s where the money is, of course.
  • Electric and gas utilities – to set up service at another address that the victim pays for with his current bill.  Sometimes a utility bill can be used as a form of identification to set up other service accounts, like cell phone accounts.
  • Telephone and cell phone, cable TV, and Internet – this allows the attacker to set up call forwarding to intercept confirmation phone calls, and order cell phone services, cable, and Internet in your name.  With access to your Internet account, they can hijack your email account and start learning more about you, and use that information to leverage other accounts.
  • Post Office – forwarding mail is another great way to intercept bills and take over other accounts.
  • IRS and state tax – taking over these accounts can allow the attacker to file tax forms on your behalf and intercept refund checks.  Often the information is totally false and provided to generate a large refund.  This can set you up for a tax investigation with the IRS.
  • Social Security and Medicare – with this access the attacker can reroute automatic deposits of SSA benefits and get medical care while pretending to be you.
  • Social networks – like Facebook, Twitter, Instagram, etc.  By impersonating you, they can trick friends and relatives into sending money or providing personal information.
  • Obituaries – Unfortunately, the death of a spouse or other family member can alert identity thieves and cyber-crooks to impersonation and account take-over opportunities.  The obituary notice usually contains a lot of personal information (name, age, maiden name, names of surviving spouse, parents, siblings, children and their spouses, and even names of grandchildren).  This information can be useful to a thief.  A quick run at Ancestry.com and other public records databases with this information can provide a wealth of detail that would make account take-over much easier.

If you have an older parent, it is wise to help them set up (if necessary) and manage their online accounts.  Talking with an estate attorney would be a great idea, too.  Having joint access to accounts can make things simpler for both of you in the event of incapacitating illness or death.  You can set it up so both of you receive email alerts for unusual activity by setting up a special email account that forwards email alerts to your usual email addresses.

Other actions you can take to help secure your parents’ accounts:

  • Set up a credit freeze with the four main credit bureaus.
  • Create long passwords and set up two-factor authentication where available, or a customer service PIN.
  • Record all account details in a password manager, or if your parent resists, write them down in a spiral notebook that is kept in a secure place in their home.
  • If your parent is avoiding social networks like Facebook, let all their friends and relatives know that any request appearing to come from them would be fake.

This should help keep you or your parent safer from online account hijack attacks.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
