Protecting your identity in the age of insanity

Of course, we’re all suffering from “data breach fatigue.” But some breach announcements carry considerably more risk to the victim than others. For example, if I had received a letter saying a credit card of mine had been compromised, the end result would be simple: the bank would cancel that account and send me a new card. However, loss of a social security number should trigger a much more urgent response. That number can be used in a number of fraudulent ways that can cause endless headaches and expense.

The recent announcement of a data breach from Equifax includes an offer of credit and identity monitoring “services” for one year. Most breach announcements include this offer to the breach victims. What is the value of credit and identity “monitoring services?”

According to Avivah Litan, a fraud analyst with Gartner Inc.:

-Most won’t tell you if a new wireless or cable service has been taken out in your name.

-They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.

-They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document. Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.

-They do nothing to stop tax fraud (typically tax refund fraud) against you. Same is true for other government benefit programs, i.e. Medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.

Going forward, there is no expiration or time limit on when social security, DOB, or fingerprints can be used for fraudulent or illegal purposes. Brian Krebs characterizes credit monitoring as “Good PR for the company that has been hacked.”

So, what can you do to mitigate this risk? Here are ten things you can do to secure your social security number (with thanks to Brian Krebs, E.F.F., and many other sites) that you may find useful:

1. Secure your primary and secondary email addresses with 2-factor authentication. 
Two-factor authentication works with two separate security or validation mechanisms. Typically, one is a physical validation token, and one is a logical code or password. Both must be validated before accessing a secured service or product. Generally, an authenticating procedure requires a physical token or identity validation, followed by a logical password or personal identification number (PIN). The security procedure for an ATM machine is a common example of two-factor authentication, which requires that a user possess a valid ATM card and PIN. [1] This will involve setting up your phone to receive a text code when you log into your email account. On machines you use regularly, you can even disable the feature and just log in. Here’s where you can get more information:

• Yahoo

Why worry about email? Because your email address is the account online entities use to contact you for password resets and to notify you of security issues. If an attacker compromises your email account, he can use that to get into many other online systems you use. See Brian Krebs’ article here for a great explanation about how valuable your email account is.

2. Secure your online purchasing sites with two-factor authentication:
Amazon - Uses your phone or Google Authenticator app to send you a code (you’ll have to log in to get to the Account Settings page)
PayPal – Uses your phone to send you a code via SMS messaging
Apple – Uses your phone to send you a code via SMS messaging

And let’s not forget social media accounts, if we’re going to be really serious about this:
Facebook – They call it “Login Approvals” but it works
Twitter – Another name – “Login Verification” but it’s still two- factor authentication
Pinterest – They call it what it is!
Instagram – Two factor authentication only for your apple or android phone.

If you’d like to check what online services offer two-factor authentication, this site has a great list that is searchable by category. When you find the service, click on the “Docs” link to go right to the instruction page of the service.

3. Secure your mobile phone. If you are going to use it for 2-factor authentication, make sure you have installed a passcode and a tracking mechanism, so that you can locate it if you misplace it, and you can wipe it remotely if it’s obvious you can’t get it back. IPhones have a free application (FindMyiPhone) that allows you to physically locate the phone on a map, make the phone sound an alert, and finally, wipe it if you see it moving rapidly away from you! There are a number of products available for Androids, as well. You really don’t want to lose the 2 in your 2-factor!

Don’t forget to secure your mobile phone provider with a security code if you are using your phone to accept SMS messaging or use an authenticator app.

4. If you haven’t already, create your Social Security online account here. This is incredibly valuable. First, do it before the bad guys beat you to it. Next, you can use the reporting features to monitor income reported as yours. If money is being paid into your account from an unknown source, chances are someone is using your social security number fraudulently. Once you initiate creating an account, the SSA will send you a letter with an activation code. Here’s Brian Krebs again, with a great article on SS fraud.

5. Obtain your passport or ensure that it is current. You don’t want someone using your information to get a passport. It’s much harder to try that if one already exists.

6. Complete IRS Form 14039, an Identity Theft Affidavit. Use the fillable form at IRS.gov, print, provide copies of requested IDs then mail via registered mail according to instructions. The IRS used to provide you with a PIN, but that process is now on hold, due to problems with the IRS’ web site getting hacked (isn’t it ironic?). See: https://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft and https://www.irs.gov/individuals/data-breach-information-for-taxpayers. What they will do is send you a PIN every year to submit with your tax return so that only YOU can submit your tax return.

NOTE: You should complete #4 and #6 prior to implementing credit freezes, as both the SSA and the IRS verify you via the credit bureaus.

7. Implement credit freezes. Unlike credit “monitoring,” a freeze will prevent credit accounts being opened using your identity. Fortunately, living in Maine means that we can freeze and unfreeze (when needed) our credit reports at no cost to us. The credit bureaus will provide a PIN from each bureau, which you can use to temporarily unfreeze your reports if you are applying for a mortgage, car loan, or other major purchase. Unlike a “fraud alert,” a freeze will prevent your account from being utilized to grant credit. Plus, fraud alerts have a limited time frame. A freeze has no end date except for the one you give it.

Credit bureaus make their money by providing credit reports, so naturally they are unhappy when they cannot sell your report. They certainly have a lot of verbiage about why it is a bad idea to freeze your account on their web pages. Fortunately, you can do it anyway.

Be prepared, if you are are going up for a major loan, such as a mortgage, tuition, or car loan. A freeze may also impact a job application, renting an apartment or signing up for cell-phone service. Explain to the potential creditor that you need to know which credit bureau they will use so that you can unfreeze or provide a temporary PIN to gain access to your report.

Needless to say, write down your PINs from the four agencies and store them securely (which means, in this case, not on your computer).

Freezes can be a pain to deal with, but dealing with the results of bad credit due to identity theft is a whole lot harder. An ounce of prevention makes you a difficult target and the bad guys will move to an easier name on their list.

There are seven states where freezes are free to all consumers, whether they are identity theft victims or not:
– Colorado (first freeze is free)
– Indiana
– Maine
– New Jersey
– New York (first freeze is free)
– North Carolina (free online only)
– South Carolina

Here are the websites for implementing a freeze:
Equifax – Can be done online or by phone
TransUnion - Requires that you create an account
Experian – Can be done online or by phone
Innovis – Can be done online or by phone
ChexSystems – Can be done online or by phone

(Why ChexSystems? Because it is a credit reporting agency where banks and credit union report negative activity from checking and savings accounts. So if someone is using checks and your identity to commit fraud, it would not necessarily appear in the other credit bureaus. Banks will close your accounts if an alert comes up in ChexSystems.)

Lifting freezes both temporarily and permanently is free to all consumers in: D.C., Delaware, Indiana, Maine, North Carolina, South Carolina, Tennessee, and Virginia.

8. Complete the freeze process for spouse and children. (See below)

9. Opt-out of pre-approved credit offers here. (This needs to be renewed every five years OR you can mail in a permanent form)

10. Notify your bank and brokerage accounts. Send the necessary documentation and ensure that the financial institution acknowledges receiving the notification. They should be paying special attention from now on.

What These Steps Do NOT Address

Your Family Members May Be Affected, Too!

Make sure to check if your spouse has been impacted whenever you have been notified of a loss of your social security number. Because families usually entwine their finances, a breach may include a spouse’s connecting information.

Did you know that one of the fastest growing areas of identity theft is that of children under 18? Children routinely receive social security numbers, but they lie fallow until the child applies for a loan and begins their own credit activities. There can be an enormous and horrible-to-deal-with identity theft years in the making. Who thinks to ask for a child’s credit report?

Your best bet is to place a credit freeze (#7) on all your children’s accounts. They can be safely removed (or not!) at age 18.

Actions to Take Going Forward

Stolen information is at risk of being used for the rest of your life. Implement these monitoring practices: