For the past year and a half, Jan Carico has kept her passwords written in a small notebook.
She’s not alone.
According to Pew Research Center, 84 percent of adults rely primarily on memorization or pen and paper to store passwords. But after attending a recent Learn IT @ Lunch workshop, “Protecting Yourself Against Identity Theft,” Carico will switch to LastPass, a free password generator and manager recommended by Duke.
“The aha moment was realizing that it’s very common for individuals to use the same password for multiple accounts,” said Carico, an administrative assistant for Duke Immunology. “If your password is compromised for an unimportant account, thieves know it probably works for more important websites, too.”
In addition to using a password manager, here are three ways to protect yourself against identity theft, courtesy of John Straffin, endpoint security liaison for the IT Security Office.
Between Dec. 4, 2017 and Jan. 22, 2018, more than 35,000 phishing messages were sent to duke.edu email addresses. Phishing is the practice of sending fraudulent emails that appear to be from reputable sources to trick people into revealing personal information.
One way to protect yourself is to scrutinize website addresses and subject lines. For example, a hacker might send you to duke.com instead of duke.edu. It’s also important to consider the context of the message. A subject line that says, “Ticket Number: 135863” looks and sounds fishy.
“You need to recognize that certain messages come via particular avenues,” Straffin said. “You aren’t going to find out about a salary raise in an email. That’s a conversation with your manager, likely with a document to sign. You aren’t going to receive an initial inquiry from the IRS in an email or over the phone. That’s going to come in a certified letter.”
Reduce your risk
Straffin recommends using a password manager and a virtual private network (VPN), enrolling in multi-factor authentication and updating your operating system.
Password managers, like LastPass, generate and store log-in and password information in an encrypted vault that is virtually impossible to crack.
“There are websites that I use on a daily basis where I don’t have a clue what the password is,” Straffin said. “LastPass handles that for me.”
A VPN connection, which Duke provides, allows you to create a secure connection from your computer to Duke over a public network while working remotely. And you can protect your Duke accounts with multi-factor authentication, which is already required to access certain systems, including personal work information. Staff and faculty can meet with their local tech support for help implementing these tools.
Finally, ensure your web browser and operating system software automatically update.
“You’re far more at risk of an attack or virus if your operating system isn’t updated,” Straffin said.
Protect your data
In 2017, 16.7 million U.S. consumers lost $16.8 billion to identity fraud scams, according to research firm Javelin. Straffin says there are a few proactive steps to take to prevent fraud.
To guard against tax identity fraud, register with the Internal Revenue Service to receive an identity protection PIN that you must provide when filing taxes. You can also sign up for an account with the IRS to register your identity with them before someone else does.
Placing a free security freeze on your credit reports blocks access to your credit unless you have given your permission. After the Equifax data breach in 2017, Carico froze her credit to prevent someone from opening a new account or getting credit in her name. You can “thaw” credit reports for a set number of days if you need access. They will automatically re-freeze after the allotted time. Credit freezes and thaws are free in North Carolina.
“Protecting your identity sometimes feels like a game of luck,” she said. “Will I or won’t I get hacked? Freezing my accounts gives me one less thing to worry about.”
Lastly, Straffin says to be careful with information like birth certificates and social security cards. Keep them in a locked safe.
“Do not carry those documents around,” he said. “Don’t give people an extra chance to steal your information.”
What should you do if you think your Duke account has been compromised? Write Duke’s IT Security Office at [email protected]. If you think your identity has been stolen, visit identitytheft.gov.