There are many ways to protect yourself from identity theft. Some are practical, while others are more extreme.
Should a thief open new accounts using your identity and then fail to pay off the debts, your credit will be ruined, and unfortunately the mechanism for repairing the damage is spotty.
The FTC numbers and the reports of stolen information are staggering, and most people now know of someone who’s been a victim of identity theft. Take it seriously. Although nobody is fully immune to it, a little vigilance can greatly reduce your chances of becoming a victim.
Practical measures to prevent identity theft.
- Never leave the carbon copies of your credit card transactions lying around, and don’t throw them in the trash. Shred them and anything else with personal or account information on it (e.g., utility bills and any other bills or documents with personal data on them). A good shredder costs about $125 (I once bought one for $35, and it didn’t last very long).
- Don’t leave your automobile registration in your glove compartment. Place it in the trunk or carry it in your purse or wallet.
- If unauthorized charges appear on your billing statement(s), contact the creditor immediately.
- If billing statements stop reaching you, contact the creditor.
- Keep personal numbers (e.g., SSN) off your checks.
- If you have a local mailbox, place a lock on it. (Better yet, get a PO Box and file a change of address with the Post Office directing all mail to the PO Box.)
- Get an unlisted phone number.
- Credit card companies will often solicit you for pre-approved credit cards. If you can’t put a lock on your mailbox, you should opt out of these offers. You can do so by calling 888-567-8688. If you decide not to opt out and you do not respond to these offers, be sure to shred the applications.
- Check your credit reports at least every six months.
- If you use a computer, use a software firewall to provide some measure of intrusion protection. All operating systems have been shown to be vulnerable. The one I recommend right now is Comodo, available free for home users at www.comodo.com. For a fee, Bitdefender has a pretty good firewall (bitdefender.com). Both of these programs provide intrusion detection, and will also catch programs on your computer trying to call out! Hardware firewalls, basically just routers (some wireless) with firewalls built in, are also available and offer more reliable protection than software firewalls from inbound hackers. The good ones are made by D-Link (www.dlink.com), Linksys (www.linksys.com), and Netgear (www.netgear.com). (This is just anecdotal, but D-Link products have always worked trouble-free for me, while Netgear's have always been a pain in the neck every single time.) They run about $50–$150, depending on features. If you run a wireless router, be sure to turn on encryption.
- For Windows users, I also recommend an active virus scanner. Bitdefender is also pretty good at that, found at www.bitdefender.com. This program is very fast at scanning and has been trouble-free for me, unlike Norton and others.
- Run spyware detection software on your computer at least once a month. Spyware programs are nefarious software programs installed without your knowledge. They can perform tasks on your computer without your consent. This may include feeding you advertising or collecting personal information about you. The free spyware detection programs I recommend are Spybot and Ad-Aware, available at www.safer-networking.de and www.lavasoft.de respectively. The only problem with using these programs is that they don’t prevent the installation of spyware; they can only detect (and delete) it when the programs are run. For those wishing to prevent the installation of spyware, a good free one is Spyware Blaster, available from Brightfort Software (formerly JavaCool, www.brightfort.com). Spyware Blaster doesn’t actually run in the background of Windows, since it stores information about nefarious sites and must be updated regularly. The free version doesn’t update automatically, but the paid version does and costs $9.95 as of this writing.
- For smartphone users, you'll definitely want to lock that down too. Start by setting a password to unlock the screen. For Android users, Password Delay ($1.49) can be found at the Google Play store. It allows users to set an idle time before initiating the lock. iPhone has this feature built in. Another must-have for both OSs is Lookout Mobile's Security & Antivirus, available from Google Play or iTunes. It will not only scan the phone for nefarious programs, but also has a feature to locate the phone with GPS if it's lost.
- The abbreviation “https” should always precede any Web site address where you enter personal information. The “s” signifies that the transmission is encrypted for security. If you don’t see “https,” you’re not in a secure Web session.
- Password-protect or encrypt when using wireless routers to prevent those nearby from tapping into your network.
- Instead of using the Internet Explorer (IE) Web browser, consider using Mozilla Firefox (www.mozilla.org). Firefox is considered more secure than IE primarily because it doesn’t run ActiveX components or VBScript. It’s a far better browser in my opinion, not just for security reasons but because of its speed and stability. It’s becoming very popular, to the point that Microsoft has reconstituted its IE development team to counter the commercial threat posed by Firefox. Google's Chrome is also quite good (www.chrome.com).
- When you have utilities installed, use an alias first name (middle name works as a substitute) and password protect the accounts. If you can get away with it, refuse to divulge your SSN. Sometimes companies won’t insist.
- When using a laptop in public places, use a privacy filter from 3M (www.3m.com), so that people next to you cannot see your computer screen.
- Create a startup password for your computer so that when it boots up you are prompted for it. This works well for nosy baby-sitters, maids, or anyone who may just happen to break into your home while you’re on vacation.
- Password-protect all your accounts. This means your credit card, bank, gas, electric, landline phone, cell phone, Internet service, cable, and satellite TV accounts, and any others you can think of. Make it clear to these companies that when anyone calls about your account, they are to ask for the password first thing. If they don’t prompt you for it every time you call, then make it clear that you want to be prompted.
- Never carry your Social Security card—or anything else with your number on it. Many states will even give you a driver’s license without your SSN if you request it.
- Never give out your SSN to anyone unless absolutely necessary. Even rental car agencies request it, but I’ll often ramble off a fake one, since it’s none of their business. If a company such as a fitness club requires something for identity, then it often will accept a driver’s license number.
- Don’t give your SSN over the Internet for any reason, unless you’re on a bank site.
- If you use public computers (such as in libraries or internet cafes), assume they're not secure for typing in passwords for anything other than web-based e-mail.
- If you travel, be sure to take your receipts with you and/or destroy them. Don't leave them in your hotel room or in rental cars.
- Take steps to prevent people from getting a driver’s license under your name. The Driver’s Protection Act (DDPA) of 2000 required that all state DMVs close records to the public. This stemmed from several well publicized road rage incidents where people were gunned down after raging maniacs simply went to the DMV and, using the victims’ license plate numbers, obtained their addresses. This Act is a good start, but you can also provide a “request for verification letter” to the DMV, which requires that you be notified by phone or in writing before a driver’s license can be issued in your name. Contact your state DMV for more information.
- Beware of “phishing,” the latest scam used by ID thieves and account thieves. They will often send you phony e-mails that look like the real deal, posing as a bank, Paypal, or any other company to gain access to your personal data and/or money. Figure 11 shows a phishing example I just received as I was preparing this book:
Subject: PayPal eCare department. Unusual activity in your account !
From: email@example.com
Date: Sun, 1 May 2005 15:10:03 +0800 (HKT)
PayPal, an eBay company Encrypted Key: wm-101g/mgxa4fhv54nmzl
Dear PayPal, Inc. member, PayPal, is committed to maintaining a safe environment for our customers. To protect the security of your account, PayPal, employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal payment system for unusual activity.
We are contacting you to remind you that on May 01, 2005 our Account Review Team identified some unusual activity in your account. In accordance with PayPal’s User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved. We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure. Visit the login page and perform verification process:
Log On for Online Services
Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.
PayPal, Inc. Account Review Department Copyright © 1999-2005 PayPal. All rights reserved.
The hyperlink to “Log On for Online Services” actually points to http://www.paypalcs.com/cgi/webscr.php?cmd=LogIn.
As you can see by the URL, this isn’t PayPal.com. When people go to this fraudulent site, it is basically a clone of the real PayPal, and once the victim enters his or her user name and password onto the form, the scammer gains access to that account.
Keep in mind that many PayPal users have the service connected to several if not all their bank accounts and credit cards, which practically gives the scammer carte blanche power over financials.
Tip: Maintain a list of your credit card account numbers and issuing creditor phone numbers in a safe place, just in case you need to cancel them in a hurry.
I’ve seen even better phishing scams, where the links appear real and then redirect, among other things. And until Congress acts to do something about this, it will continue to be a major problem.
Although some high profile arrests and convictions will certainly help curb the problem, many of the scammers are overseas and are well disguised and insulated from U.S. justice. They set the computer servers up in a remote location (in Asia, for example), then spoof (hide) their IP address (using a false computer number that makes it harder to track), and then take the phishing server down after a short time. By the time the authorities are notified, the scammer’s Web site—and the ability to track the perpetrator—is long gone.
If you receive any e-mail from a company, be sure to check the URL to ensure that it is the correct company. Even www4.paypal.com can possibly be wrong, so it’s up to you to type in the URL as www.paypal.com. (Scammers also like to use a URL with a PayPal in it, such as www.paypal.payup.com; the URL is actually for payup.com, the last entry before .com.) If you receive an e-mail from a site that contains some kind of offer or request, the safe bet is to avoid clicking anything, open a new Web browser window and type in the URL of the site directly.
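The domain check described above, written out as an added example (not code from the original article): it reads the registered domain from the right-hand end of the host name and treats only the exact host you type yourself as expected. The suffix set, `EXPECTED_HOSTS` and the HTML fragment are assumptions constructed from the URLs quoted on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: a tiny stand-in for the Public Suffix List, and the one host you type yourself.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
EXPECTED_HOSTS = {"www.paypal.com"}

def registrable_domain(host):
    """Return the name that was actually registered, e.g. payup.com."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def classify(url, expected_hosts=EXPECTED_HOSTS):
    """Return 'expected', 'unlisted-subdomain' or 'different-domain'."""
    if "://" not in url:
        url = "//" + url  # bare host such as www4.paypal.com
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in expected_hosts:
        return "expected"
    if registrable_domain(host) in {registrable_domain(h) for h in expected_hosts}:
        return "unlisted-subdomain"  # right domain, but not the host you type
    return "different-domain"

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html_body):
    """Return (visible text, href, verdict) for each link in the message."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(text, href, classify(href)) for text, href in collector.links]

# Constructed sample: the link from the message above, rebuilt as HTML.
SAMPLE = (
    '<p>Visit the login page: <a href="http://www.paypalcs.com/cgi/webscr.php'
    '?cmd=LogIn">Log On for Online Services</a></p>'
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Anything other than `expected` means the link should not be followed; open a new browser window and type the address instead.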
More extreme measures of ID Theft prevention.
Active Duty Alerts, Fraud Alerts and Security Freezes
Both Active Duty and Fraud Alerts are employed by notifying the credit bureaus that any business that pulls your credit report must absolutely verify your identity before issuing any credit.
An initial Fraud Alert can be placed on your credit report even if you haven't been a victim of identity theft. It's only good for 90 days, however. And when you contact one credit bureau, it's supposed to contact the others (a process known as a "one call" alert). But I recommend contacting all three just to be safe. The alert will be in place for three months and can be extended to seven years (known as an "Extended Fraud Alert"), but only if a police report has been filed and provided to the bureaus. After placing an Extended Fraud Alert, consumers can obtain two free reports in the 12 months that follow. There are two downsides to placing a fraud alert on your credit file:
- you will not be able to get credit approval as quickly as you would otherwise, making instant credit impossible, and
- you will not be able to get your online credit report.
Active Duty Alert
Military personnel on active duty can place an active duty alert with the Big Three. This has the same effect as a fraud alert, where any business that sees the alert on your credit report must absolutely verify your identity before issuing any credit. The service member need only contact the bureaus and place a statement that he or she is on active duty in the credit file. The alert will remain for 12 months and can be renewed. Another effect of the active duty alert is the temporary suspension of prescreened offers for two years.
When a security freeze is placed on a consumer's credit file, the credit bureaus will freeze credit reports. This prevents anyone from performing a new inquiry while the freeze is in place. The exception to this is if a consumer already has an existing relationship with a creditor, since follow up reports may be pulled. This includes collection agencies acting on behalf of an existing creditor. And in some cases, ID theft can occur not only with the addition of new accounts, but with existing accounts being taken over (known, surprisingly enough, as an account takeover).
For victims of identity theft and California residents, the freeze is provided at no charge. Otherwise, the fee is $10. Some states, such as Colorado, have no fee for the first freeze, so check your state laws. All states except two (Alabama & Michigan) require a security freeze be made available to consumers, but the bureaus offer it voluntarily. Four states limit the Security Freeze to ID theft victims only (Arkansas, Kansas, Mississippi, and South Dakota), but it is still made available voluntarily by the Big Three. (Check http://www.consumersunion.org, as they seem to keep each state's information updated.)
Bureaus will provide the consumer with a security freeze PIN, which can be used to take the freeze off (usually five days). The PIN can remove the freeze temporarily for the purpose of obtaining credit, and it can even remove it “globally” for a specified period of time or a creditor-specific allowance. That is, the consumer will be given a unique code to provide the creditor, and the creditor will in turn provide it to the agency. The fee for a temporary lift of the freeze is $10, or free for identity theft victims and California residents.[21]
Something else to keep in mind is that some people report that when they lose the PIN provided by a credit bureau, this puts them into a misery-inducing back-and-forth with the credit reporting agency as they attempt to get a new one issued. It might be a good idea to store the PIN somewhere for easy retrieval.
Though this may slow the ability to obtain credit, it's a nearly ironclad way to prevent identity theft. But be aware that the file is truly frozen, and not even address information provided by creditors can be updated while the security freeze is imposed. The security freeze remains in place until the consumer cancels it.
Security Solutions: LifeLock and TrustedID
It's simple. Many people are either too intimidated by the whole process of contacting the credit bureaus, or too busy to address it. This is where LifeLock and TrustedID come in. LifeLock uses Fraud Alerts exclusively, and since Fraud Alerts are only good for 90 days (without a police report), they'll simply renew the alert every 90 days so you don't have to. TrustedID uses a combination of Fraud Alerts and Security Freezes, depending on the state.
LifeLock charges $10 per month or $110 annually for enrollment. Kids are charged only $2.50 per month or $25 annually. TrustedID charges are a bit more than LifeLock, charging $10.42 per month or $125 annually.
Personally, I believe both of these solutions are a complete waste of money. If you follow the prevention procedures, then you'll likely never be a victim.
Security Solutions: Credit Monitoring
Credit monitoring is not prevention of identity theft, but early warning. For more on this and to compare these offerings, see Compare Credit Monitoring Solutions.
21. Many states have freeze exemptions for some types of inquiries. In California, for example, the following are exempted from a security freeze: companies with which the account holder has a current financial relationship; a prospective assignee of a financial obligation that is reviewing the account for maintenance, monitoring, increasing credit lines, account upgrades and enhancements, or collecting the financial obligation; state or local agencies, law enforcement, trial court, child support agencies or private collection agencies acting on a court order, warrant, or subpoena; the California Franchise Tax Board, if it is investigating or collecting delinquent taxes or unpaid court orders or fulfilling any statutory responsibilities; the California State Department of Health Services or its agents or assignees if they are investigating Medi-Cal fraud; uses falling under FCRA Section 608—Disclosures to Governmental Agencies; uses falling under FCRA Section 625—Disclosure to FBI for Counterintelligence Purposes; FCRA defined prescreening; any person or entity for the purpose of administering a credit file monitoring subscription service to which the consumer has subscribed providing a consumer with a copy of his or her credit report upon the consumer’s request; any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer’s request. Check your state laws.