How to Assess Your Risk For Identity Theft and Take 5 Immediate Prevention Steps

The voicemail came as a surprise during the busy holiday season several years ago: "This is the Fraud Department from American Express calling about questionable transactions on your account." Whoa. What?

As it turned out, my husband's corporate credit card had indeed been compromised. First, there was an innocuous $1 charge to see whether the card was valid. Quickly there followed $1,000 or so in charges for online merchandise.

An investigation revealed that it was an inside job at his workplace. Hundreds of other employees had already been affected.

What's worse is that between my husband and I, it was the fifth time our personal information had been stolen, lost, or accidentally shared by an organization we trusted. In 2005, our credit card information was compromised along with that of 40 million other Visa, MasterCard, American Express, and Discover account holders when an intruder gained access to a third-party credit card processor's payment database.¹ This massive breach exposed us and others to potential identity theft.

That same year, I was among 12,000 government employees whose names, addresses, phone numbers, salaries, and social security numbers (SSNs) were accidentally published on the Internet. Oops.

In 2006, my husband and I were among the thousands of Wells Fargo mortgagees whose confidential data went missing along with a bank computer.² Later that year, my personal and retirement data was exposed when five laptop computers were stolen from Towers Perrin (now named Willis Towers Watson), a firm that my employer had retained for HR Benefits projects.³ Ironically, Willis Towers Watson is an HR and risk management consulting firm.

Were we incredibly unlucky? I'd say! The upside, however, is that our experience has made us more cautious regarding what personal information we share, when, and with whom. The five data breaches we experienced involved organizations that had

• a false sense of invulnerability
• unchecked or unplanned for human error and
• a failure to maintain adequate safeguards.

As a smart consumer, recognize that no one is immune from identity hacking. No one. Ask the long list of celebrities who have had their identities compromised. Examples include Michelle Obama, Sarah Palin, Jay-Z, Beyonce, Kim Kardashian, Mel Gibson, and Christina Aguilera.⁴ If it can happen to them, can it happen to you? You bet.

Somewhere in Hackerland, whoever pulled off this computer coup is still high fiving his buddies. I'm so tired of the bad guys getting one up on the rest of us. But they are pretty smart.

Target announced in December 2013 that customer information had been stolen from 40 million credit and debit card users during the busiest shopping time of the year—from Black Friday to December 15. Compromised data included the card numbers, expiration dates, and the three-digit security code on the back of the card.⁷

Rather than immediately provide a complimentary one-year credit monitoring service, Target at first advised its consumers to monitor their own credit and immediately report any fraud. (They later came through with credit monitoring, but it took them way too long to respond to the crisis.) Credit card users are typically responsible for the first $50 in fraudulent charges but need to report the fraud in a timely manner.

So there we went again. No pun intended, but I felt like I had a target on my back.

Both my husband and I were among those 40 million shoppers, using two different credit cards! So that made our sixth (technically also our seventh, since two cards were involved) data breach since 2005.

We needed this data compromise like a third nipple, a unibrow, another ugly Christmas sweater, last year's fruitcake. You get the picture.

Identity theft is a form of fraud involving unauthorized access and use of personally identifiable information, such as passwords, user names, financial or medical data, and confidential employment or educational information.⁵ According to the non-profit Identity Theft Resource Center, there are five types of identity theft:⁶

1. Financial

using another person's SSN to obtain a loan, credit card, or utilities

2. Criminal

impersonating someone else when dealing with law enforcement. Typically, this involves using the victim's SSN, name, and address to acquire a driver's license. The thief uses the stolen identity when s/he is cited or arrested. Then guess who has a rap sheet?

3. Medical

using another person's medical benefits card, Medicare identification, SSN or insurance number to gain prescription drugs or expensive medical treatment. Once the thief receives medical care, s/he lets the insurance company and the victim deal with the bills. Mix-ups in medical records are also a serious risk.

4. Governmental

exploiting stolen personal data to get public welfare benefits, government grants and loans, and to intercept tax refunds. It may also involve obtaining employment under another person's identity, especially for those not legally authorized to work in the United States or for those without the necessary licenses (e.g., impersonators of health care professionals).

5. Cyber/Reputational

using someone's name, image, or associations to damage their reputation or infiltrate their email or contact list.

Identity theft is a $21 billion crime that affects more than 1 in 20 American adults at a rate of one incident every three seconds.⁸ Even children and the recently deceased are targets because in both situations the crime can often go undetected for extended periods of time.

Identity theft has increased as people bank and shop more online and rely more heavily on mobile devices—often without sufficient anti-virus/anti-malware or strong passwords. There is a 1 in 4 chance that if your personal information is breached, you will become a victim of identity theft. Odds are much higher if your SSN is compromised.

Still think you're immune? Unfortunately, both strangers, as well as people you know and trust, could be motivated to compromise your personal information for their own benefit. That includes co-workers, friends, and even family members.

Following are common methods that your personal information may be compromised, whether online, at home, in public, or in transacting business (see table below).

Even when your credit does not suffer, identity theft is not without costs. The disclosure of private information could be stressful or embarrassing, as when 1,000 private abortion records were discarded in a recycling bin, or when a national pharmacy chain's poorly designed smart phone app allowed access to other customers' identities and prescription histories.^9,10

Data breaches may violate your trust and leave you wondering whether the full damage of the security breach is yet known. Additionally, investigations and fraud resolutions require your time and sometimes money to report and see through.

When an identity thief is prosecuted, the offense is typically penalized with up to 15 years in prison, a fine, and criminal forfeiture of any property that the thief used or intended to use to commit the offense.¹¹

Oftentimes, there are other, related federal charges, depending on the nature of the fraud perpetrated. Examples include

• credit card fraud
• computer fraud
• mail fraud and
• wire fraud.

Prosecution is handled by federal prosecutors who work with the Federal Bureau of Investigation (FBI), United States Postal Inspection Service, United States Secret Service, and other federal agencies.

Given the prevalence of identity theft and the associated headaches, recognize what makes a great target for an identity thief. Are you a prime target?

Likely targets may have certain characteristics as well as behaviors that make them more vulnerable to such exploitation. Characteristics include having ^12,13

• an excellent credit history
• no criminal record
• personal or professional prominence (e.g., celebrities, corporate executives, people with access to key information)
• law enforcement background (see sidebar on "doxing")
• annual earnings exceeding $75,000; or
• being 18-29 years old, the most common age range for identity theft victims. College students frequently receive many credit card offers and fail to routinely review their financial records.¹⁴

Hackers may comb the Internet looking for documents that contain personally identifiable information. When these bits of information are combined, an individual's identity is revealed. This is called "doxing," short for "document tracing"

The technique has been used to harass celebrities and to retaliate against law enforcement personnel who seek to crack down on computer hacking rings. For example, hackers gained access to a database of 7,000 law enforcement personnel and published the list of names, addresses, SSNs, email address and passwords on the Internet.

Additionally, certain controllable actions can make you a likely target:

1. writing down your PIN number on your ATM cards. This provides instant access to your bank account before you even realize it is lost. (The same goes for keeping the PIN in your wallet.)
2. carrying too many credit cards, medical benefit cards, and your social security card with you in your wallet. When you leave the house, only carry what you will reasonably need. If you happen to lose your wallet, the chances of fraudulent charges will be lower if you have left extra credit and ATM cards at home. To facilitate reporting of a lost or stolen wallet, photocopy the backs and fronts of all important documents you may carry with you at any time, and keep them in a secure location. Your Social Security card belongs at home under lock and key.
3. neglecting to review itemized charges on your credit card bills. You may not have recourse if you do not dispute the charge promptly.
4. tossing credit card bills, receipts, medical bills, utility bills, and credit card offers directly in the trash or recycling bin. Instead, shred them first.
5. failing to monitor credit - obtain a free annual credit report from each of the three consumer credit reporting companies (Equifax, Experian, or TransUnion) through www.annualcreditreport.com or by calling the companies directly. You may request the three credit reports either all at one time so that you can compare them, or you may space them out (e.g., every four months). Contact numbers: Equifax (1-800-685-1111), Experian (1-888-397-3742), and Trans Union (1-800-916-8800). If you decide to pay for an identity monitoring service, make sure it includes a public records check in addition to credit monitoring.
6. responding to emails, texts, or phone calls requesting personal information - Never give out your private information over the phone unless you have initiated the call. Do not transmit personal data such as SSNs or credit card numbers through texts or email. If you receive suspicious communication requesting personal data (e.g., from your bank or credit card company), use established numbers that you already know. Beware of bogus job offers that seek to accumulate resumes and applications.
7. failing to erase your hard drive and electronic devices before tossing/recycling
8. placing your outgoing mail in unsecured mailboxes
9. overusing "plastic" because of its convenience - Rather than pay electronically, consider using cash, especially for small and frequent incidentals. (You may enjoy the side benefit of spending less, too.) If you must use plastic, compare the liability for fraudulent charges by reading the terms of service for your debit vs. credit cards. Credit cards are usually preferable.
10. regarding electronic security as too inconvenient - using weak or no passwords -- especially on a smartphone or tablet; not updating anti-virus/anti-malware; using public Wifi hotspots to transmit personal, financial, or medical information.
11. ignoring calls from collection agencies or bill collectors as mistakes - This is often how people discover they are victims of identity theft.

Personally identifiable information is any data about an you that either alone or in combination with other data could potentially be used to identify, locate, and contact you.

Examples: your name, street or email address, phone number, SSN, medical/genetic data, fingerprints, financial account numbers, date and place of birth.

Who has your personally identifiable information? Lots of organizations: government, your financial institutions, schools, your employer, doctors, merchants, and utility companies, just for starters. Here are examples of where such information occurs so you will know when you are at risk (and what needs to be shredded):

• Bank, credit card and brokerage statements
• Credit card receipts and both new and cancelled checks
• Driver's License
• Car rental agreement
• Tax returns and supporting documents
• Vehicle purchase documentation
• Mortgage records
• Employment records
• Health insurance records
• Prescription labels
• Social Security cards
• Marriage, birth, and death certificates
• Electronic hotel key

So now you're convinced that it can happen to you, and you want to ramp up your protection against identity theft. Where can you start? Here are five immediate action items to get you going:

1. Review the contents of your wallet to minimize the information you carry with you.

2. Purchase and faithfully use a shredder.

3. Opt out of prescreened offers of credit cards and insurance by mail. You can do this permanently or for a five-year period. The three national credit reporting companies operate the opt out service. To opt out, call 1-888-567-8688 or go to https://www.optoutprescreen.com.

4. Order your free credit report. Consider enrolling in a credit monitoring service. (I use Credit Karma which is free.)

5. Ensure that your passwords are strong and have been changed recently and make sure your anti-virus/anti-spy ware is current.

References

¹Finkle, J., & Skariachan, D. (2013, December 19). Target cyber breach hits 40 million payment cards at holiday peak. Retrieved from https://www.reuters.com/article/us-target-breach/target-cyber-breach-hits-40-million-payment-cards-at-holiday-peak-idUSBRE9BH1GX20131219.

²Vijayan, Jaikumar. "Deja vu for Wells Fargo: bank loses computer with confidential data." Computerworld. Last modified May 8, 2006. http://www.computerworld.com/s/article/9000293/Deja_vu_for_Wells_Fargo_bank_loses_computer.

³Sutherland, Ed. "Retiree Data Lost in Laptop Theft." InternetNews - Software, Storage, Security, Server, Networking News for IT Managers. Last modified January 9, 2007. http://www.internetnews.com/security/article.php/3652901/Retiree+Data+Lost+in+Laptop+Theft.htm.

⁴ The Huffington Post. "Celebrities Hacked: Jay-Z, Beyonce, Kim Kardashian And Others Victims Of 'Doxxing'." Last modified March 11, 2013. http://www.huffingtonpost.com/2013/03/11/celebrities-hacked_n_2854786.html.

⁵Microsoft. "What is Identity Theft?" Microsoft Corporation. Accessed April 15, 2013. http://www.microsoft.com/security/resources/identitytheft-whatis.aspx.

⁶ Davis, Matt. "Identity Theft Resource Center Blog: Classification to Mitigation - What You Need to Know about the Multiple Faces of Identity Theft." Identity Theft Resource. Last modified October 3, 2012. http://www.idtheftcenter.org/Privacy-Issues/classification-to-mitigation.html.

⁷http://www.usatoday.com/story/money/personalfinance/2013/12/19/target-credit-debit-card-data-breach/4125231/

⁸Javelin Strategy & Research. "How Consumers Can Protect Against Identity Fraudsters in 2013." Javelin Strategy & Research. Last modified February, 2013. https://www.javelinstrategy.com.

⁹Adler, Eric, and Judy L. Thomas. "Abortion files tossed into recycling bin - KansasCity.com." KansasCity.com. Last modified March 26, 2012. http://www.kansascity.com/2012/03/26/3516018/abortion-files-tossed-into-recycling.html.

¹⁰Protected Health Information Privacy. "Rite Aid mobile app left customer prescription history vulnerable – customer." Last modified September 27, 2012. http://www.phiprivacy.net/?p=10267.

¹¹Department of Justice. "Identity Theft and Fraud." The United States Department of Justice. Accessed April 15, 2013. http://www.justice.gov/criminal/fraud/websites/idtheft.html.

¹²Smith, Ph.D., Eva N. "New Study Profiles Credit Card Fraud Victims." Credit Card Help Topics. Accessed April 15, 2013. http://www.creditcardguide.com/creditcards/credit-cards-general/study-profiles-credit-card-fraud-victims-221/.

¹³Identity Theft Awareness and Solutions. "High Target Identity Theft." Identity Theft Awareness and Solutions. Accessed April 15, 2013. http://www.identity-theft-awareness.com/high-target-identity.html.

¹⁴Dakass, Brian. "College Students Prime Target For ID Theft." CBS News. Last modified April 22, 2009. http://www.cbsnews.com/2100-501103_162-3188716.html.