Here's Why Identity Theft Can Be Far Worse Than You Might Imagine
The following is an excerpt from the new book Swiped by Adam Levin (Public Affairs, 2015):
No one ever thinks they are going to be targeted by hackers looking for that big score. I call it “The Other Guy” syndrome. But, of course, to everyone in the world except you, you’re The Other Guy.
So what should you do?
I call my strategy the Three Ms:
1. Minimize your exposure
2. Monitor your accounts
3. Manage the damage
It sounds simple, but I promise if you do these three things, your life will be a lot less painful when the inevitable happens and you get got.
Minimize Your Exposure
This is probably the most familiar of the Three Ms. Don’t share too much information with folks you don’t know—whether in person, on the phone, or online via social media. Make sure that you set long and strong passwords; properly secure all computers, smartphones, and tablets used by you and your family; use two-factor authentication where possible; and shred sensitive documents. This is a good start.
In fact, my friends at the nonproï¬t Identity Theft Resource Center (ITRC) in San Diego, California, a wonderful volunteer organization that has helped tens of thousands of victims deal with the nightmare of identity theft and educated millions more, start with a similar set of protocols. They call it SHRED:
• Strengthen passwords
• Handle PII with care
• Read credit reports annually
• Empty your purse/wallet
• Discuss these tips with friends
I encourage you to do all of these things. But you also need to see the big picture. So here’s the task entire: Change the way you think about identity theft and your personally identiï¬able information. Minimizing your exposure to identity theft in large part is a matter of educating yourself about the many dangers out there.
The result will be gradual but unmistakable.
You will naturally become inï¬nitely more vigilant. You will learn what happens when you overshare on social media. You will be careful about who you tell what and why. You will think in terms of what could happen before you dive for what you want to have happen in the moment. You will not let down your guard.
There are of course a number of companies out there that say they can protect you, but if you listen closely, none of them say they can prevent identity theft. Over the years, several have tried to persuade consumers that they can prevent it altogether. But the Federal Trade Commission (FTC) wasn’t buying any of that. Nor was the Consumer Federation of America (CFA). Because the fact of the matter is that they can’t. If you ï¬nd yourself tempted by an oï¬€er from a company that promises to prevent identity theft from happening to you, don’t take the plunge. No reputable company will ever make such representations. For a treasure trove of information about how to intelligently choose an identity theft services provider, go to the CFA-sponsored site: www.idtheftinfo.org.
Monitor Your Accounts
Once you’re in the habit of minimizing your exposure, the name of the game is vigilance. First, you need to check your credit. Once a year, you can get a copy of your credit reports from each of the three major credit reporting agencies, for no fee, at www.AnnualCreditReport.com.
Next, enroll in transactional notiï¬cation programs. You will ï¬nd that they may be oï¬€ered for free through your bank, credit union, and credit card issuers. Alternately, you can subscribe to various credit and fraud monitoring services that will inform you of any changes to your credit report—like new accounts or inquiries that might indicate someone is trying to open a fraudulent account in your name. Depending on the service you select, you can set your security protocols so tightly that a new line of credit cannot be opened at all because no one, including you, can gain access, or you can set it up so there can be no green light until you receive and respond to an instant or slightly delayed alert that someone has tried to create a new account. Alternately, you can set the alert loosely so that you simply receive notice when activity in excess of a preset dollar amount occurs in any of your existing ï¬nancial accounts.
It may seem like a nuisance to ï¬eld an email or text or app notiï¬cation every time you buy something with your credit or debit card, but you’ll be glad you activated those notiï¬cations the day you get one about a purchase you didn’t make or the creation of an account for which you never applied.
Fraud alerts are another option to consider.
The three reporting agencies oï¬€er initial fraud alert services, extended fraud alerts, and active duty military alerts. If you already subscribe to a credit monitoring service, fraud alerts may be an inexpensive add-on. There are also services that allow you to monitor your children’s Social Security numbers for signs of identity theft.
A credit freeze is a more comprehensive shield, but it is more cumbersome than a fraud alert, and it’s still not fail-safe. Once activated, no one—including you—can access your credit for the purpose of opening new accounts. To allow access, you must use a special PIN (or password) to thaw the freeze. To initiate a freeze, you must sign up with all three bureaus individually, and there are costs associated with both freezing and thawing accounts unless you are a senior citizen or an identity theft victim. Unfortunately, the freeze doesn’t stop people from taking over your existing accounts. It doesn’t prevent criminals from committing tax fraud, child identity theft, medical identity theft, or criminal identity theft. And it can be worked around by presenting two forms of ID and a utility bill, as well as completely eliminated by an identity thief who has gained access to all of your PII and the ability to decipher your PIN or password.
Manage the Damage
So, how bad will it be if or when your identity is stolen? In many cases, far worse than you can imagine, because identity thieves do the unimaginable. This is why it is very important to pick a reputable company that oï¬€ers a range of high-touch services. The good news here is that you may discover that an organization with which you already have a relationship—perhaps your insurance carrier, ï¬nancial services provider, or employer—oï¬€ers a product or provides access to a professional service that will help you navigate the rocky shoals of whatever identity-related issue you are facing. Check to see if any company or institution with which you are doing business can provide you with identity theft resolution or identity management products and services, since it may cost you little or nothing, and you may even ï¬nd out that you are already under their protection. While peace of mind is worth a great deal, it’s even nicer when it comes free of charge.
The key to properly practicing the Three Ms is engagement. Your only hope of quickly detecting victimization and effectively containing the nightmare of identity theft is to stay engaged and invested in the process. And, beyond question, it is a process that must be practiced daily. (That means you really have to do it.) The goal of a shred-a-thon is peace of mind, but a false sense of security is in no one’s best interest. Real peace of mind comes with real knowledge and concrete action.
Here are a few practical steps you can take to make each of the Three Ms happen for yourself.
Minimize Your Exposure
The most important step you can take is to be proactive about your own security, rather than waiting until it’s breached. Some speciï¬c steps include the following:
• Never carry your Social Security card, or those of your children, in your purse or your wallet.
• Never carry your Medicare card if you can avoid it. If you must, make a copy, redact all numbers but the last four, and black out the letter. If the medical provider asks for your number, provide it.
• Limit the amount of credit and debit cards you carry and keep a list of all payment cards and toll-free numbers for the issuers in a safe place. Also, always have at least one credit and one debit card in reserve so that you can use them while waiting for replacements to arrive.
• Make sure all the computers in your home have the latest antivirus and malware protection programs and that the security software is updated regularly. (It is best if they do automatic updates.)
• Secure your smart phones with PINs that are not easily decipherable, use long and strong passwords on every account, and never save a user ID or password in any app on any device.
• Never share user IDs or passwords over email, social networks, or other digital accounts.
• Create a special email account for online shopping and the aggregation of receipts.
• Talk to your family about the need for security. Make sure everyone is acquainted with common modes of attack: phishing and spearphishing emails, vishing and smishing (all of these terms are explained in Appendix 2 at the end of this book), plus the various kinds of malware out there and the perils of oversharing on social media sites. Get them in the habit of securing or turning oï¬€ devices that aren’t being used.
• Limit access to sensitive information and accounts to the adults who handle them, and, if at all possible, only access these ï¬les and accounts on a computer that is password protected and “oï¬€-limits” to the rest of the household.
• Never authenticate yourself to anyone who contacts you in person, by phone, or online and asks you to conï¬rm that you are you. Only provide authentication information if you have initiated the contact and they need to verify your identity for your protection.
• When dealing with a social networking environment, set privacy controls tightly and be aware that privacy policies change frequently, requiring you to constantly review terms and conditions and adjust your privacy settings accordingly. Never take quizzes online, because the customary information gathered could well be answers to security questions that prove who you are. Do not overshare information with people who may well not be your friends but rather cyber cat burglars who are looking to steal your PII and then exploit it for their gain.
• Every time you buy an electronic device or appliance for your home that will be connected by router or Wi-Fi to the Internet, read the disclosures, follow the instructions, and change the default password to a long and strong one of your choosing.
• Enroll in, or activate, two-factor authentication everywhere you can.
• Make sure you have the right physical security for your home or business.
• Securely store all documents containing personal identifying information and shred them when you no longer need them.
• Always make sure to destroy any documents or hard drives you no longer use.
• Check yourself. Are you are as safe as you think you are? Security measures that were good enough last week may no longer do the trick.
Monitor Your Security
• Sign up for transactional monitoring programs oï¬€ered by your bank, credit union, and credit card company.
• Check to see if any of the insurance carrier or ï¬nancial services institutions you do business with oï¬€ers free or discounted access to monitoring services, and if so, use them.
• Check your credit report at least once a year. At www.annualcreditreport.com you are entitled to one free copy from each of the three national credit reporting agencies (Experian, Equifax, and TransUnion). While many people get all three at once, others get one every four months so that they can see three diï¬€erent snapshots of their credit during the year. Consider paying for access to a monthly (or more frequently updated) report from one or all three of the credit reporting agencies.
• Enroll in programs that allow you to access your credit scores at least every thirty days.
• Consider purchasing more sophisticated and robust credit and fraud monitoring services. You should look in particular for those organizations that oï¬€er identity theft recovery services as well as monitoring. Always read the details of any monitoring oï¬€er to make sure you fully understand what you are buying.
• Check your bank accounts daily.
• Check your credit accounts daily.
Manage the Damage
Have a plan before you have an issue. This may include the following:
• Keep a list of companies, credit accounts, bank accounts, and other places you do business with so that if you are victimized you have a reference sheet to use.
• Contact your insurance agent or ï¬nancial institution to see if they oï¬€er cyber liability or identity protection coverage, or an identity theft damage control program. You may be pleasantly surprised to learn that you are already protected. If not, ï¬nd out what, if anything, they oï¬€er; what you need to do to enroll; whether it is free; and, if not, what the cost is.
• The alternative is to do everything yourself. It requires enormous discipline and nerves of steel. It is time consuming, emotionally draining, and may not yield the desired result. The practical issue is that with identity theft, even in our more enlightened state, the victim quickly discovers that he or she is guilty until proven innocent.