What Is Identity Theft?
Identity theft (aka, identity fraud) is the unlawful acquisition and fraudulent use of another's personal information. This can include an individual's name, Social Security Number, credit card information, or bank details.
Concerning Statistics:
The following information was provided by the Identity Theft Resource Center (ITRC) via identitytheft.org.
- Among the 5.7 million cases reported to the FTC (Federal Trade Commission) during 2022/23, 1.4 million (25%) were specific to identity theft. 1 million additional cases were reported year-on-year since 2019 in the US and recorded a ~1600% increase in cases reported since 2001 (0.33 million reported).
- There is an identity theft case every 22 seconds.
- 33% of Americans face some form of identity theft at some point in their lives.
- Credit card fraud is the most common type of ID theft which accounts for 40% of total reports.
Vulnerabilities:
Weak Passwords: Your password is the lock that protects your information from hackers and those who wish to access your account and take your data and/or money. Using a strong password is like placing your valuables in a secure safe. Relying on a weak password is like leaving your valuables on a table in view with a locked screen door. When members of the SLU community use of weak passwords, they create a critical vulnerability in university systems that makes sensitive data susceptible to cybercriminals.
Inadequately Secured Networks: ITS is constantly striving to update the security of the university's systems to ensure that our data is protected. However, this is just one of many flaws that hackers seek to exploit.
Fellow Users: Everyone at SLU has access to information. When we don't take that responsibility seriously, it can create a risk not only for ourselves, but for others. The actions of fellow students, faculty, and staff can create opportunities that cybercriminals can exploit. Hackers use social engineering techniques to create fake emails and text messages that appear official and impersonate people we trust. The human element of our security is our greatest vulnerability. However, it can be our greatest strength when we pay close attention for ourselves and others.
How To Prevent Identity Theft:
Like any form of theft, there is no way to 100% guarantee that you can prevent it, but there are a number of preventative measures you can take to greatly reduce the possibility. Consider the following:
Create Strong Passwords:
As stated above, your password is the lock that protects your account and information. The stronger the password, the more secure your data. These are the three most important elements of a strong password.
- Length - Longer passwords are more difficult to crack. For example, using brute force tools, a hacker can crack an 9-character password (even with a combination of numbers, uppercase and lowercase letters, and symbols) in six hours. Whereas a 13-character password using the same variety of characters would take 15,000 years.
- Complexity - A more complex password incorporates of a variety of character types. Instead of limiting a password to numbers only or lowercase letters, mixing it up and also including uppercase letters and symbols makes for a much more difficult password to crack. Complexity in combination with length make for very strong passwords.
- Uniqueness - There are two aspects to this element. First, a strong password isn't obvious. For example, "password" is a horrible password. Consecutive digits (e.g., 1234) are also easily guessed. Furthermore, don't use things that are common knowledge based on social media searches like favorite bands, pet or family names, or favorite foods or restaurants. The second aspect of uniqueness is that you shouldn't use the same password for multiple accounts. If a hacker figures out a password, that will be the first one they try for your other accounts. If you use the same password everywhere, hackers can have access to everything. Password reuse is like discount shopping for cybercriminals. It gives them access to important accounts with just one set of login credentials. If you have been reusing passwords frequently or don’t have an accurate list of your reused passwords, you may need to review and update all your accounts in the event of a data breach. Since there is always a chance that your password could be lost or stolen, having a unique password for each account is essential since it limits your exposure to just one account. If a hacker attempts to access several of your accounts at once, their failed login attempts might cause you to be locked out, and the account recovery process could be time-consuming. Even without hacking or data breaches, losing or forgetting the credentials you’re reusing for multiple accounts might force you to spend hours resetting passwords.
This chart shows the time it takes to brute force crack a password based on its length and complexity according to the Hive Systems report, 2023 (hivesystems.io).
Number of
Characters |
Numbers
Only |
Lowercase
Letters |
Upper and
Lowercase
Letters |
Numbers,
Upper and
Lowercase
Letters |
Numbers,
Upper and
Lowercase
Letters, and
Symbols |
| 4 |
INSTANTLY |
INSTANTLY |
INSTANTLY |
INSTANTLY |
INSTANTLY |
| 5 |
INSTANTLY |
INSTANTLY |
INSTANTLY |
INSTANTLY |
INSTANTLY |
| 6 |
INSTANTLY |
INSTANTLY |
INSTANTLY |
INSTANTLY |
INSTANTLY |
| 7 |
INSTANTLY |
INSTANTLY |
1 SEC |
2 SECS |
4 SECS |
| 8 |
INSTANTLY |
INSTANTLY |
28 SECS |
2 MINS |
5 MINS |
| 9 |
INSTANTLY |
3 SECS |
24 MINS |
2 HOURS |
6 HOURS |
| 10 |
INSTANTLY |
1 MIN |
21 HOURS |
5 DAYS |
2 WEEKS |
| 11 |
INSTANTLY |
32 MINS |
1 MONTH |
10 MONTHS |
3 YEARS |
| 12 |
1 SEC |
14 HOURS |
6 YEARS |
53 YEARS |
226 YEARS |
| 13 |
5 SECS |
2 WEEKS |
332 YEARS |
3k YEARS |
15k YEARS |
| 14 |
52 SECS |
1 YEAR |
17k YEARS |
202k YEARS |
1m YEARS |
| 15 |
9 MINS |
27 YEARS |
898k YEARS |
12m YEARS |
77m YEARS |
| 16 |
1 HOUR |
713 YEARS |
46m YEARS |
779m YEARS |
5bn YEARS |
| 17 |
14 HOURS |
18k YEARS |
2bn YEARS |
48bn YEARS |
380bn YEARS |
| 18 |
6 DAYS |
481k YEARS |
126bn YEARS |
2tn YEARS |
26tn YEARS |
Be Aware of Data Breaches:
When a system has been hacked, the community needs to be notified. You can find out about such instances by paying attention to the news, updates, and direct communication from the university. We all must stay informed about these issues. For example:
- In 2022, 1802 cases of data breach were reported in the United States in which 422 million individuals were affected.
- Data breaches in the US massively increased from 1100 to 1800 in 2021.
Enabling Two-Factor Authentication (2FA):
Two-factor authentication requires two forms of identification during login to access one's account. The most common form is to get a phone call or a text message to your cell phone to confirm that you are the one attempting to log into your account. In spite of the security of this process, some hackers go so far as to swap SIMs from phones to bypass this process.
Secure Devices:
- Utilize strong authentication methods such as biometrics on supported devices. For example, many laptops include fingerprints scanners or incorporate facial recognition and/or voice recognition.
- Implement full-disk encryption with tools such as FileVault for Mac or device encryption in System Settings for Windows. This ensures that your data is protected if your laptop were lost or stolen.
Limit Sharing Personal Information:
- Protect your personal information online by questioning the need for sharing. For example, it makes sense to provide specific personal information if you're filling out an online form for your medical provider.
- When sharing information online:
- Always check to make sure that the web address includes an https:// at the beginning instead of http://. The "s" confirms that the connection with that site is secure.
- Always make sure that the site is authentic. Hackers can make any webpage look like what you expect to see. For example, if you're trying to access your account at Citibank, make sure the web address begins with https://www.citi.com/.
- Your Social Security Number is the most vulnerable aspect of your identity. Because of this, most authentication NEVER asks for it. They only require the last four digits. Only provide your complete SSN if it's appropriate and necessary. Social Security Numbers can be tracked for the Social Security Benefits and the credit history of an individual (Consumer Finance Gov, 2022).
Be Wary Of Public Networks:
- Avoid conducting sensitive transactions (e.g., online banking or shopping) on public Wi-Fi networks (e.g., public places, coffee shops, and airports) to minimize risks from hackers who are trying to capture your credit card information or other sensitive data.
- If you must use a public or unprotected Wi-Fi network to share sensitive information, use a VPN (Virtual Private Network) to encrypt your communication on your Internet connection.
Credit Freeze:
If you believe that your identity has been stolen or may be at risk of being used by someone, a credit freeze is a powerful tool to safeguard against fraudsters opening new financial accounts using your identity. Initiate a credit freeze by placing a request with the main credit bureaus: Experian, TransUnion, and Equifax. This process will require that you provide personal details during the request (e.g., name, address, date of birth, and Social Security Number). Be sure to protect the Personal Identification Number (PIN) they provide for future credit unfreezing.
Shred Sensitive Documents:
When disposing physical documents containing personal information, be sure to shred them to prevent dumpster divers from gaining access to your sensitive data. Identity theft does not require complicated hacking skills. If someone is targeting you, searching your trash is an easy way to get information about you. Don't be careless with your personal information.
Watch Out For Phishing:
- Stay vigilant! Phishing attempts and impostor scams through email, over the phone, and via texts are everywhere.
- Never click on unrecognized email or text links.
- Avoid sharing personal information.
- If you get an email saying that your account is going to be deactivated unless you provide your information, DON'T! Report it to SLUAware.
- Remember, the SLU IT Service Desk will NEVER ask you for your password.
Glossary:
| Term |
Definition |
| Brute Force |
A hacking method that uses trial and error to crack passwords, login credentials,
and encryption keys. It is a simple yet reliable tactic for gaining unauthorized
access to individual accounts and organizations’ systems and networks.
The hacker tries multiple usernames and passwords, often using a computer
to test a wide range of combinations, until they find the correct login information. |
| Data Breach |
An incident that involves sensitive, protected, or confidential information being
copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. |
| Phishing |
The fraudulent practice of sending emails or other messages purporting to be
from reputable companies in order to induce individuals to reveal personal
information, such as passwords and credit card numbers. |
| SIM Swapping |
A social engineering attack in which a malicious actor persuades or tricks a
mobile service provider to transfer a victim's phone number to a new SIM card
under the attacker's control. |
| Vulnerability |
A weakness in a system, application, or network that is subject to exploitation or misuse. |