Tips for Securing Your Identity
Though you may not realize it, you are constantly verifying your identity in order to access and make changes to information:
- Logging into a system with your username and password.
- Providing your social security number or birthdate on a form.
- Answering security questions or giving PINs to customer service representatives over the phone.
This verification process not only authorizes you to view and modify data—it also leaves an audit trail that marks you as responsible for those actions.
This means that it is of the utmost importance that you keep information that can be used to verify your identity confidential: SSNs, passwords, birthdates, answers to security questions, etc. Email login credentials are particularly important, as they can be used to reset passwords to many of your other accounts.
Follow these tips to protect yourself from imposters:
Protect your devices from malware and theft.
Malicious software can create entry points into your system that allow hackers to extract your data, and can even allow them to log keystrokes to acquire passwords and other sensitive information as you type. In addition, physical theft can allow unauthorized individuals to access your personal information. Protect your devices with encryption, updates, and antivirus software to secure your identity.
Avoid social engineering attempts.
Never reply to an unexpected email, telephone call, pop-up message, or text that threatens or cajoles you into giving personal information. To avoid getting phished, be especially skeptical of fake shipment notifications around the holidays and supposed IRS calls during tax season. When in doubt about the veracity of a message or call, contact the institution or person directly using known good numbers or websites.
Use good password practices.
Create strong, unique passwords/passphrases, store them securely, and use multi-factor authentication where possible to reduce the risk of compromised credentials. If you have any reason to suspect that an account has been compromised, change your passwords immediately. Never use the same password for multiple accounts, especially important accounts such as email, ecommerce, or banking.
Be aware of what you’re sharing.
If your first car, the names of romantic partners, and your high school mascot are available on Facebook or via a Google search, you may want to choose different security questions or give fake but memorable answers.
Members of the Northwestern community may want to prevent viewing of their online directory information from off-campus to limit the amount of information that is available to the public.
Do not transmit personal information on public networks.
This includes login credentials for accounts containing personal information. VPNs, such as Northwestern VPN, encrypt traffic sent over a network, and should be used any time you connect to networks that are shared with strangers (e.g., airports, cafes, hotels).
Avoid sharing confidential personal information with organizations wherever possible.
If a company requests your personal information, understand how and why they are using it. By law, you have the right to refuse to disclose this information.
When you must share confidential personal information...
When you must share confidential personal information in order to receive services (e.g., with a bank or employer), never use email, SMS messages, or IMs to transmit it.
Avoid printing this information on shared printers, as well. Most of these methods result in your information remaining unencrypted, easily intercepted, and stored on devices whose security you cannot be assured of.
Insist on giving this information in person or over the phone, so that it can be entered directly into the centrally protected systems that the organization uses to permanently store the data—not in the personal inboxes or smartphones of employees.
Ensure that websites are using encryption.
Before entering your credentials, look for signs of an encrypted Web page: key identifiers include a URL for the website's login page that begins with "https" and a green padlock icon somewhere in or near your URL bar.
Dispose of confidential personal information properly.
Check your email, financial accounts, and credit reports regularly.
Check your email, financial accounts, and credit reports regularly for signs of fraudulent activity. It is often possible to configure alerts when certain types of unusual activity occur within these accounts, such as unusual login locations or withdrawals/transfers that meet a certain threshold.
In addition, the Fair and Accurate Credit Transactions Act (FACT Act) requires that each of the three consumer credit reporting companies (Experian, TransUnion, and Equifax) provide you with a free copy of your credit report once every 12 months for this purpose.
Take immediate action on suspected breaches of your identity.
Change passwords and security questions on any accounts that you believe have been compromised. Most organizations have a special hotline, mailing address, or form for reporting suspected abuse.
Where you believe your SSN may have been stolen and used to open accounts, the FTC's Identity Theft website provides information about contacting credit bureaus, closing accounts, and filing complaints in the case of identity theft. Reports can additionally be filed with your local police department.