Top 5 Ways of Preventing Online Fraud and Identity Theft and Why They Don’t Work
Let’s face it. Almost every day there’s a new case of identity theft or online fraud despite there being countless recommendations on how to prevent it.
Cybersecurity experts have been playing a cops and robbers game with cybercriminals for the longest time. If the constant stream of reports of security breaches and identity theft is anything to go by, it’s difficult to dispute that cybercriminals are always one step ahead. In other words, the numerous prevention measures recommended by all kinds of cybersecurity experts are not effective in any way.
Is there any hope? Absolutely yes!
But it calls for a different view of online security, privacy, and anonymity.
Top 5 Recommendations of How to Prevent Online Fraud and Identity Theft
1. Use Strong Passwords
You’ve probably heard this one more times than you can count. Sites nowadays even have meters that gauge how strong your password is, and they’ll warn you about reusing a password you’ve used somewhere else. We can all agree that having a different, complicated password for every site you sign up to is tedious. Some will say, “but there are password managers in which I can store all my passwords and retrieve each one whenever I need it.” Well, what makes you think your password manager is safe if the best of Silicon Valley’s sites fall prey to hackers? In fact, you are putting yourself at enormous risk if you store all your login information in one place.
Much of the identity theft we see happens because we’ve allowed big tech to build centralized databases of our identity information. If one malicious person gets access to such a database, they walk away with the identity information of huge numbers of people. We’ve all been held captive by Silicon Valley.
2. Isolate Your Financial Data to One Work Station
Cybersecurity experts will often ask you to use only one workstation or device when entering your financial information online. They’ll advise you to use an internet connection that’s under your control. That’s sound advice and I’m by no means brushing it off. Has it completely prevented users from losing their hard-earned money to online fraudsters, though? I don’t think so.
As mentioned earlier, any information you submit to a centralized database is prone to theft. You can take all these precautions and your credit/debit card numbers can still end up floating around some online black market. Once you submit your information to a particular site, you are trusting that site to keep it safe. The unending stream of breaches offers no assurance that your information is safe, regardless of where you’ve entered it.
3. Continuous User Education
User education is a measure that is constantly recommended to companies. They are advised to continuously sensitize their employees to phishing attempts. I’m not saying that’s bad advice, but it’s always a matter of time before one employee falls prey to a phishing email or link and the whole company’s systems are compromised. The fact is, no one can be vigilant or sceptical enough. Sooner or later some email or link will look like the real deal and you’ll click on it, not knowing you are granting access to your entire system.
The bottom line is, there must be a trust anchor through which users decide who they can trust online and who they cannot. Being on the lookout for something suspicious will not cut it. In fact, most people fall for the simplest tricks. The omission of one letter in an email domain is enough to have you falling hook, line, and sinker for a basic phishing attempt.
4. Anti-Virus and Anti-Spam Software
You’ll often be told to always have up-to-date anti-virus and anti-spam software. It’s, without a doubt, important to have such software on your systems. That being said, ask yourself why the software needs to be updated every now and then. It’s because cybercriminals are always finding new vulnerabilities to exploit in such software. Cybersecurity experts then have to go in and patch the newly found vulnerabilities. As mentioned at the beginning, this practice degenerates into a cops-and-robbers game in which the bad guys are always a step ahead.
Some of the biggest Silicon Valley companies and government agencies have had their systems breached and taken captive. These are companies and institutions that can develop and deploy the most sophisticated and advanced anti-virus and anti-spam software, yet they couldn’t guarantee the safety of their systems.
5. Set Up Two Factor Authentication
The most common form of two-factor authentication involves a text message with a code that’s sent to your phone. You are then required to enter the code to verify that you are indeed the one trying to log in.
According to Twilio,
“Security professionals agree: SMS-based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications.”
And guess who sold everyone on the 2FA solution? Twilio! The same company that sold everyone on what has always been thought of as a secure way of protecting data and privacy is the same one coming back to say it doesn’t work.
In this YouTube video,
https://www.youtube.com/watch?v=xaOX8DS-Cto
Kevin Mitnick presents a demo developed by Kuba Gretzky that shows just how easy it is for an attacker to phish you even if you’ve enabled two-factor authentication.
SMS-based 2FA can be defeated by many other techniques as well, such as SIM swapping, over-the-air SMS interception, and brute-force attacks on the code.
Authentication needs to happen locally on your device to avoid interception. The transmission involved in the current two-factor authentication systems provides multiple avenues for attackers to hijack the information being sent back and forth.
Learn About PKIDR (PKI Done Right)
PKI (which I like to call Puzzle Kit Infrastructure; the standard expansion is Public Key Infrastructure) has always been explained in the language of mathematics and cryptography. It shouldn’t always be that complicated.
In PKI, your device generates two large numbers. One is private and the other is public. The private number never leaves your device. If you need to log into a platform, you won’t need a password. Your username is sent along with your public number. The server uses your public number to create a puzzle that can only be solved with your private number. The puzzle is sent to your device, your device solves it with the private number, and the answer is sent back to the server, thus proving your identity claim.
Nothing of value to an attacker is transmitted between your device and the server: the private number stays on the device, and a captured puzzle or answer is useless for any other login.
Check out https://www.whatisauthenticity.com/ for more on PKIDR.