Lost Passwords and Identity Theft
When I worked in I.T., I always knew where to look for passwords.
I’d be stuck in someone’s office, trying to troubleshoot an issue. At some point, I’d need to log in as the end user, and that was when I’d start searching.
I was surprised at how often that password was hidden under the keyboard. Sometimes they were even posted on the keyboard tray on sticky notes, visible to anyone who entered the office.
In a few cases, the passwords were stuck to the monitor.
We, of course, discouraged all that, but it still came in handy when I really needed the password.
The problem was, it would also come in handy to anyone who entered that office. Our building was secure, but there were cleaning crews in and out of there at night. It wasn’t too out of the question that someone could log in as that user.
That’s when the real damage can be done.
What exactly can a scammer do with a lost or stolen password? Read on to find out.
How Are Passwords Lost?
1. You Misplace a Written Copy
You may rarely write down a password, but it just takes one time.
Maybe you changed one of your account passwords and wrote it down to make sure you met the “at least one uppercase letter, lowercase letter, number, and special character” requirements. You planned to toss it in the trash after one use.
If you did toss such a note in the trash instead of shredding it, are you sure it didn’t end up in the wrong hands?
All those workers who “hide” their passwords somewhere in their offices can’t guarantee those passwords are safe. Someone can end up with that password without gaining access to that office. If it accidentally lands in the garbage or gets scooped up with a pile of papers, it could find its way to a scammer.
I know people with all their passwords written in a book, similar to the address books people kept back in the day. They keep this all-too-important book safely stored at home.
More than 38 percent of adults write passwords on paper.
Yet what about that technician who comes in to do work on your house? What about that friend or relative who comes to stay who might be less trustworthy than you think?
The problem with those books is that they hold so many passwords in one place. That book would be gold to someone who wanted to steal your money…or your identity.
2. You Forget Them
“Invalid password.”
Dread sets in whenever my username and/or password have been denied. Can I guess my password, or must I request a reset?
The reset process is usually pretty easy as long as you remember the answers to any questions you might have set up years ago.
Yet all that information can be guessed if a scammer hacks into your computer.
When you request that password reset, where does it go? To your email account. This can be hacked.
Usually, the site will send you a temporary password with a link. You’ll click on the link, and if you enter the temporary password correctly, you’ll be prompted to change it.
There are two ways password resets can work against you.
In one case, the site doesn’t do a good job of protecting members with password resets. Maybe the temporary password doesn’t expire, or the site sends your actual password in the message.
Either way, if a hacker gains access to your email account at some point, that hacker can breeze right into those other accounts, assuming you haven’t changed that password.
In another case, a scammer sends you a password reset link, and you click.
The password reset is part of a phishing scam, and you either give away your information or unknowingly download malware.
Remember that password resets can be dangerous long after you’ve made the change. Unless you delete those messages, if a scammer manages to infiltrate your email account, your username and password could be easily accessed through a simple inbox search.
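For the first case above, this is what a safer reset flow looks like on the site's side: the emailed token expires, works only once, and is stored only as a hash, so an old reset message found in a compromised inbox is useless. This is an added example, not code from the article; the ResetTokenStore class, the 15-minute lifetime, and the example.test address are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; a site picks its own value

class ResetTokenStore:
    """In-memory stand-in for a site's reset-token table (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised
        self._pending = {}   # account -> (sha256 of token, expiry timestamp)

    def issue(self, account):
        """Return a one-time token to email; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new request replaces any older token for the same account.
        self._pending[account] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account, token):
        """True exactly once for a fresh, matching token; False otherwise."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[account]   # expired: the emailed token is dead
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[account]       # single use: replaying the email fails
        return True

def demo():
    """Constructed scenario: first use, replay of the same email, stale token."""
    clock = [1_000_000.0]
    store = ResetTokenStore(now=lambda: clock[0])
    t1 = store.issue("alice@example.test")
    first = store.redeem("alice@example.test", t1)
    replay = store.redeem("alice@example.test", t1)
    t2 = store.issue("alice@example.test")
    clock[0] += TOKEN_TTL_SECONDS + 1    # the message sat in the inbox too long
    stale = store.redeem("alice@example.test", t2)
    return first, replay, stale
```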
How Identity Thieves Use Passwords
With the right passwords, a scammer can break into your accounts and steal your money. Yet identity thieves are after long-term gains.
That means stealing your personally identifiable information (PII).
Identity thieves need some of the following:
In short, identity thieves are after information they can use to pose as you. If any of the above information resides on your computer, an identity thief can steal and use it. Here are some ways they can do that.
1. Sell It
Your information is worth money on the Dark Web. In many cases, the person who grabs your information won’t be the one to use it. They’ll sell it to someone who will. After all, hackers aren’t always identity thieves.
Therefore, your information might not even be used immediately after being stolen. You could start seeing applications in your name months or years after your password was initially compromised.
Another thing to note is that identity thieves don’t need every scrap of information on you to conduct fraud in your name.
Sometimes, information is combined with real or fictional data to create a new identity. This is called synthetic identity theft.
With synthetic identity theft, your Social Security number might be combined with someone else’s name and address (or vice versa). Someone might even use a deceased person’s Social and your name and birthdate on applications.
2. Take Over Your Accounts
A scammer could take over some of your accounts with a password and enough details about you. Here are a few types of accounts an identity thief might take over and control:
Once a fraudster gains access to those accounts, the real trouble begins. The person could transfer funds or rewards or scam your friends for money.
Worst of all, once in, the scammer could change your password and verification information to make it tough for you to regain control.
3. Apply for Loans
It’s easier than ever to apply for a loan. You can complete an application online and get an approval (or denial) in minutes.
But it’s also never been easier for someone to pose as you to complete such an application.
A fraudster no longer has to enter a financial institution and apply in person. With your name and Social Security number, someone could apply for and gain access to the funds.
Many lenders have protections to verify identities, but not all do. That’s why identity theft victims deal with calls from creditors and negative credit report entries.
4. Apply for Credit Cards
I used to have a mailbox full of credit card offers. That hasn’t happened lately. Yet if you apply for credit, they seem to come in droves.
A credit card application is even easier than a bank account application. You just need to provide your Social Security number and contact information and answer some questions about your finances.
In most cases, they don’t even verify your ID.
It’s illegal to apply for credit in someone else’s name, but that doesn’t mean credit card companies have measures to prevent it.
You might not even know the credit card exists until you see it on your credit report or a credit card company calls you about late payments.
5. Rent a Home
If you’ve ever rented a place, you know the application can be involved. But how much does the landlord verify?
A commercial apartment complex with a professional property management team may do due diligence. But what if you’re renting a house from a tenant without those measures?
There will probably be a contract or application. The landlord may do a credit check. Maybe not. With the right setup, it’s possible that someone could rent a place in your name without even having your Social Security number.
If the fraudster has your Social Security number, passing a credit check might not be a problem.
Chances are, a scammer won’t be able to get a mortgage in your name. The process is too involved. But renting a house or apartment is a worry.
6. Open Utility Accounts
A home isn’t the only thing a scammer can grab in your name. Utility companies sometimes see fraudsters opening accounts in other people’s names, too.
The utilities might not even be connected to a place that’s in your name. Someone with bad credit or a history of missed payments could use your information to get gas, electric, or water turned on in their own home.
Similarly, a scammer could purchase a cell phone and set up a service in your name. You might have thousands of dollars in cell phone bills you didn’t know about.
7. File a Tax Return
When I heard about tax return fraud, I thought, “Why would someone want to file a tax return in my name?”
Then I remembered not everyone is self-employed. If you’re self-employed, you usually end up owing money! Filing a tax return will just get you a tax bill.
If you get your money back, you know exactly what thieves are after.
A fraudster can file a tax return and claim a refund in your name using your information. If a thief accesses a password for an account with your Social Security number and name, that person could fake the documentation to file a fraudulent tax return.
Where Identity Thieves Get Passwords
Identity thieves know how to get their hands on PII.
The identity thieves might not even be the ones who grabbed your password from you. That came from a hacker who accessed your device and/or account(s) and gathered as much information as possible.
That information has value on the Dark Web. Hackers sell it and grab more information by hacking into devices and accounts.
Criminals purchase the information and use it to commit identity theft.
However, some identity thieves steal the information themselves. They might use password crackers that can guess thousands of logins in a short time.
Phishing is another way scammers get your account information.
A fraudster must convince you to click on a link, take you to a site that looks identical to the real thing, and wait for you to input your credentials.
A password reset email can also convince you to give away your password. It’s best to avoid clicking on email links unless you’re sure the sender is legitimate.
How to Keep Your Passwords Safe from Thieves
Now that we’ve identified what can happen if an identity thief gets your password, it’s time to look at how to protect ourselves.
These simple steps can help keep your account safe.
1. Use Proper Password Protocols
You don’t just have to worry about thieves grabbing your password. Hackers can easily guess certain passwords.
To protect your devices and your accounts, here are some password-strengthening measures to take:
- Make unique passwords for every app and website
- Choose long passwords (15 characters or more)
- Include at least one uppercase, one lowercase, one number, and one special character in each password
- Never use easy-to-guess information like your name or birthdate
- Never use the word password (or a variation of it)
Additionally, change your passwords often. If you have trouble keeping up with passwords, solutions like Bitwarden, Dashlane, and 1Password can securely store your passwords and make it easier to log in.
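The checklist above can be applied mechanically. The following is an added example, not part of the original article: it checks a candidate password against each rule, including look-alike spellings of "password" such as "P@ssw0rd", and finds passwords reused across sites. The function names, the substitution table, and the sample values are assumptions.

```python
import re

# Assumed look-alike substitutions used to spot variations of "password".
LEET = str.maketrans("@4301!$57", "aaeoiisst")

def check_password(password, personal=()):
    """Return the rules from the checklist that this password breaks."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    classes = {
        "uppercase letter": r"[A-Z]",
        "lowercase letter": r"[a-z]",
        "number": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append("no " + name)
    folded = password.lower()
    if "password" in folded.translate(LEET):
        problems.append("contains a variation of 'password'")
    # Compare letters and digits only, so 1990-04-12 also matches 19900412.
    squeezed = re.sub(r"[^a-z0-9]", "", folded)
    for item in personal:
        needle = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(needle) >= 3 and needle in squeezed:
            problems.append("contains personal detail")
            break
    return problems

def find_reuse(vault):
    """Given {site: password}, return the groups of sites sharing a password."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(s) for s in by_password.values() if len(s) > 1)

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_password("P@ssw0rd2024!!!!", ["Dana"]))
    print(check_password("dana19900412", ["Dana", "1990-04-12"]))
    print(find_reuse({"bank": "x1", "mail": "y2", "shop": "x1"}))
```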
2. Don’t Write It Down
Speaking of storage, it’s important to avoid jotting your passwords down on slips of paper or in password keeper books.
If you do choose to do that, lock it away and hide the key where only you can find it.
Don’t keep your passwords in a file on your computer labeled “Passwords.” You may as well label it, “Hackers, look here first.”
3. Keep Up with Data Breaches
You don’t even have to lose your password for it to be compromised. Data breaches happen throughout the year, and each of those breaches typically exposes thousands of customer passwords.
IT Governance has an ongoing list of recent data breaches. Check it occasionally to see if you have an account with compromised businesses.
Data breaches can expose more than your passwords. Your contact information, Social Security numbers, credit card or bank account numbers, and more could be exposed in a breach.
4. Protect Against Malware
Your device could have malware at this very moment.
Malware can cause immediate destruction, lurk for a little while and then do damage, or never show itself on your device at all.
All three can lead to your passwords being stolen. But that malware lurking on your device now could be a keylogger virus.
Keylogger viruses hang out in the background of your device, capturing every keystroke. This means they can track the messages you send, the forms you complete, and even the usernames and passwords you input into various websites.
A malware prevention tool like Malwarebytes, AVG, or Norton can catch those malicious files before they infect your computer. They run in the background, too, and these companies stay on top of the latest threats to be able to protect you.
5. Invest in Identity Theft Protection
For a little extra peace of mind, consider identity theft protection. Services like Aura, LifeLock, and IdentityForce are insurance against an identity theft incident.
If you do suffer an incident, those services can help you recover and can even help with the cost of cleaning everything up.
Conclusion
Your passwords help keep everything secure. In the wrong hands, they can be devastating.
For best results, do everything you can to keep your passwords safe. And keep an eye on your accounts so that you’ll know as soon as possible if you’ve suffered a breach.
With caution, you can keep your accounts safe while enjoying all your favorite apps.