Category Archives: Identity Theft

Don’t Compromise Your Security for the Sake of Nostalgia

Satirical image of old radio with "Do you remember your childhood Social Security Number?" superimposed.

Lately I’ve noticed a certain type of post circulating on social networks. I don’t know if they have a name, but they generally appeal to a sense of nostalgia. There will be an image of an old telephone with the question, “Do you remember your childhood telephone number?” Another one asks which movie you love that you’ve seen over and over. And people dutifully post their responses to these questions as comments on the post.

Now, here’s the issue: there is a thing called “Knowledge-Based Authentication” (KBA). It is a deeply flawed but still very common online security practice that asks the user to answer a series of multiple-choice questions that supposedly only he or she would know the answer to. Several of the major credit bureaus use it when you place a freeze on your credit through their websites. So you might get a question like:

Which of the following phone numbers have you been associated with?

a. 417-555-3456
b. 322-555-4632
c. 322-555-0989
d. 786-555-3674
e. None of the above

If you responded to a Facebook post about your phone number growing up, there is a small chance you have just put one of your KBA answers out on the public internet.

What about that “movie you’ve seen over and over” question? Have you ever logged into an online account and had to create answers to security questions? These are designed as a line of defense against unauthorized login attempts; if a login from a different computer or location is detected, it will trigger the security questions and prevent further access if they are answered incorrectly.

“What is your favorite movie?” is definitely the type of security question that could be used by a website, and if there’s a movie you’ve seen many times, chances are it’s your favorite. If you answered the post, you may have revealed the answer to one of your security questions to the world. Several celebrities have had their Twitter accounts hacked because they used real, easy-to-find-out answers for their security questions.

Of course, these tiny pieces of information are simply pieces, not the whole puzzle. But the more puzzle pieces are in place, the more you begin to see the whole picture. The less information you put out there, the better – you don’t owe the internet anything. Think before you post any personal information online, even if it seems innocuous or silly on the surface. Anything you reveal can be used against you.

How to Freeze Your Credit

The recent Equifax data breach exposed the personal identifying information of at least 143 million U.S. consumers, which has led to a wider interest in placing a “security freeze” on credit reports (a.k.a. “freezing your credit”).

A security freeze prevents new credit accounts from being opened using your personal information, unless you lift the freeze in advance of applying for credit. This is accomplished using a PIN that either you or the credit bureaus create when placing the original freeze. This means that a freeze can stop an identity thief from creating new lines of credit, even if they already have all of your information.

A credit freeze is an important tool in preventing one type of identity theft, but does not prevent existing accounts from being accessed with stolen credentials, fraudulent credit or debit card transactions, employment or medical identity theft, or the filing of fraudulent tax returns. In other words, even after you place a security freeze, you still have to remain aware of the risks of identity theft.

There are three major credit bureaus and one minor. Here is where to go for each one, as well as some notes (information is accurate as of 10/2/2017, but websites may be updated in the future):

TransUnion: https://www.transunion.com/credit-freeze/place-credit-freeze2

Notes: use the “Click to initiate freeze process” link (last item under the “How Do I Decide What to Do?” table). Note that a “lock” is different from a freeze; what you want is a freeze. TransUnion requires you to create an account with a password, then you can place the freeze and create your PIN. To temporarily lift the freeze, log in at https://freeze.transunion.com.

Experian: http://experian.com/freeze

Notes: Experian is probably the easiest of the four to use, with the “Add a security freeze” option prominently displayed. You can create your own PIN, or have the site generate one for you. You can also choose whether to print your receipt or have it emailed to you. Double-check that your email address is correct if you choose this option! Visit the same site to temporarily lift the freeze.

Equifax: https://www.freeze.equifax.com

Notes: creates a “one-time PDF” which contains your PIN (the site generates it for you). Make sure you’ve got a PDF reader installed beforehand so you can view the file (Adobe and Foxit are popular free choices). Visit the same site to lift a freeze.

Innovis: https://www.innovis.com/personal/securityFreeze

Notes: Innovis sends your PIN via postal mail around 10 business days after you place the freeze. To lift the freeze, visit the same website and follow the instructions.

Prevent tax identity theft with an Identity Protection PIN

UPDATE 3/8/16: Or don’t get a PIN. According to KrebsOnSecurity.com, and as seen on the IRS site linked below, there have been some major security issues with the Identity Protection PIN system, and for now the service has been suspended. Once again, it took identity thieves around four seconds to figure out how to abuse a feature designed to protect your personal information and prevent tax return fraud.

I’ve written plenty of times about not opening emails that appear to come from the IRS (because of malware and/or phishing), but there is another type of crime that ramps up during tax season: tax identity theft.

Basically, it works like this: an identity thief already has your information, files a fake tax return in your name (from which a large refund will be due), then has the money directly deposited into an account controlled by the thief.

Most people’s first warning sign is when the IRS rejects their actual tax return because, according to their records, they already submitted one.

One step you can take to prevent this form of identity theft is to get an Identity Protection PIN from the IRS. You’ll have to use this PIN any time you file taxes (it’s not the same as your e-file signature PIN). The IRS will send you a new one every December or early January. Once you’re signed up, you’ll have to use a PIN every year to file your taxes, and you can’t opt out.

I can’t find any information about how long it actually takes to get your PIN from the IRS. If you’re ready to file your taxes now, or if April 15th is approaching (depending on when you read this), it might be better to wait until after you’ve filed this year’s return.

For more information, and to request a PIN, visit the official IRS page at https://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN

Security freeze information for Indiana residents

The Indiana Attorney General’s office has information about security freezes, which are free for residents of Indiana (and some other states—you’ll have to check your own state’s laws if you don’t live here).

You can download the information here, or visit the Indiana Consumer website. I’ll put a link on the Fraud Prevention Resources page as well.

A security freeze (or credit freeze) prevents new lines of credit from being opened in your name, even if an identity thief has your Social Security number and other information, by adding an extra step to the credit application process.

Yet another $1,000 Walmart Gift Card scam

I’ve already covered how you’re not getting a $1,000 Walmart Gift Card just for liking a page on Facebook.

Now there’s a text message version of the scam that directs victims to a website that asks for personal information.

At this point, I think we can call out a general identity theft and scam prevention tip, one you can keep in the back of your mind for all time:

You’re probably never going to get a free $1,000 Walmart gift card, ever.

Read that, then read it again. Remember it for the rest of your life. It doesn’t matter which communication channel the alleged offer shows up through: it’s a scam.

Facebook or Twitter? Scam.

Email? Scam.

Text message? Same deal.

Phone call? You guessed it.

Pony Express? Scam, but you’d have to admire their dedication, if nothing else.

I suppose there might be a scenario in which you could win a gift card, such as a raffle at your church or other reputable organization. But you have to actively enter to be eligible for those. People don’t just contact you out of the blue to give away massive gift cards. It would be nice if they did, but wishing something is true does nothing to alter the cold, hard facts.

Ten Tips for an Identity Theft-Free 2011

I haven’t been able to do much posting lately. They moved us to a different office here at the credit union, and it’s been a little nuts. However, everything is finally settling down, so I thought it might be good to do a little “top ten” sort of thing. Let’s start with what NOT to do:

1. Don’t click on links in unsolicited emails

If you get an email that looks like it’s from a bank, credit card company, PayPal or other financial service, think before you click any links. Are they saying your account or card has been deactivated, and they need you to log in to “verify” your personal information? That’s a common scam called phishing. The link will take you to a rogue website that may look like a real login page, but is designed to hand over your account and personal information to thieves.

2. Don’t give out your information to just anyone

You need to provide your personal information when you’re applying for a job, applying for a loan or opening a new financial account. If someone else is asking for your information, find out why before you even consider handing it over. And never give your information out to a person who calls you on the telephone, no matter who they claim to be, which brings us to…

3. Don’t implicitly trust Caller ID

With modern digital phone services, Caller ID can be manipulated to say just about anything. If they’re calling you and asking for nonpublic personal information, you could be looking at a scam.

4. Don’t carry your Social Security card with you

Look in your wallet or purse right now. Is your Social Security card in there? Get it out and put it in a lockbox or other secure location right now. If you get robbed, it’s bad enough that a thief has your cash and credit cards—do you need to hand them your identity as well?

5. Don’t leave personal information unsecured

In a quarter of identity theft cases, the victims know the person who stole their identity. Don’t leave personal information lying around, at home or at work.

Now, we all know that being reactive is only part of the equation; you have to be proactive as well. Here are some things TO do:

6. Buy a small paper shredder

With all the attention given to high-tech forms of identity theft, it’s easy to forget that a lot of it begins with dumpster diving and trash picking. A small shredder costs under $25. Not having one could cost you thousands.

7. Get a credit freeze

If you’re an Indiana resident, you have the right to place a credit freeze on your credit reports. This makes it impossible for a thief to open new accounts in your name even if they have all your information. More information is at www.in.gov/attorneygeneral/2411.htm.

8. Check your credit report

Ignore the commercials with the silly songs. You don’t really need your credit score or to enroll in any high-priced credit monitoring services. What you do need is to check your credit report at each of the three major reporting agencies (Equifax, Experian and TransUnion). Go to annualcreditreport.com and follow the instructions. Since the reports should all have the same information, it’s a good idea to stagger them—get TransUnion in January, Experian in May and Equifax in September, for example. Report any errors immediately.

9. Install virus protection on your computer

Norton, Kaspersky, McAfee: they’re all good, so pick one and use it. They cost money to buy, and you will have to pay annually to keep your software updated. I know, money doesn’t grow on trees, but spyware, viruses and keyloggers apparently do—you can’t afford not to have up-to-date virus protection software.

10. Educate yourself

Pay attention to news articles about fraud and identity theft. If you’ve got a question about something, research it online. Sign up for email alerts from the Indiana Attorney General’s Office. And, naturally, keep checking right here for news, tips and other fraud prevention goodies. Have a secure and happy New Year.

Freeze your credit; if you live in Indiana, that is

A credit freeze is a really nice tool in the fight against identity theft. Essentially, a freeze makes it impossible for anyone to open new credit accounts in your name even if they have all your personal information.

Of course, it adds a little extra work if you want to open a new line of credit, but I think it’s a fair trade. Besides, didn’t we all learn a little lesson in 2008 about what happens when it’s too easy to obtain credit?

At any rate, it turns out if you’re an Indiana resident you can request a credit freeze free of charge. It’s a right provided by Indiana law to Indiana residents. I don’t know if other states have this type of thing in place (after all, I can’t do research on 49 attorneys general in the time I’m taking to write this). If you ain’t from around here, check online with your state’s attorney general to find out.

You can request a freeze either by paper mail or online. More information is available at the Indiana AG’s website. Check it out today!

Child Identity Theft: How shady credit repair companies are stealing kids’ Social Security Numbers

Shady, fly-by-night credit repair companies that promise fast credit score improvements (700-800 in just a couple months!) may be sinking to a new low here. It seems they’re harvesting valid but inactive Social Security numbers, many from children too young to have opened financial accounts.

They sell the numbers as “CPNs,” or “Credit Profile Numbers” (sometimes the “P” is “privacy” or “protection”). They tell their customers how to piggyback their credit on the clean CPN, which has the effect of making them appear more creditworthy. Once they burn through the credit for that number, they just purchase another one (I wonder if they use a credit card).

There are several articles on the topic all over the Internet. The Sun News out of South Carolina has a good one that explains it very well. However, there are still a few questions I have about this crime:

  1. Am I to understand that simply calling it a “CPN” instead of a Social Security Number somehow makes this practice legal?
  2. How are they obtaining the SSNs of all these children? Are they using an algorithm to generate the numbers, or is your Social publicly available until you turn 18?
  3. If it is, do I have to personally go to Washington D.C. and rap my knuckles on every single noggin in Congress (and yell “Helloooo, McFly, anybody home?!” in every single ear) until this is remedied with Federal intervention?

In any case, it’s time to check your kids’ credit reports. Yes, today. You don’t want to wait until they get turned down for an auto loan fifteen years later for allegedly defaulting on $45,000 worth of credit card debt.

This has been a pretty big story in the fraud prevention world. Look for more information to surface over the next few weeks.

Toward a definition of identity theft.

The other day I heard a warning that having someone steal your checkbook is the “worst form of identity theft.”

Honestly, I’m not entirely sure that is identity theft.

I suppose I’m something of a purist in this case. To me, “identity theft” occurs when someone obtains your personal identifying information without your permission, and uses it to open new financial accounts, obtain credit, medical services or employment, or evade arrest.

To me, someone just swiping your checkbook and passing checks all over town falls under the umbrella of simple “theft.” I suppose on some level the thief is implying that he or she is you, but credit is not being obtained in your name in this case. It’s sort of like someone just stealing your cash. The thief doesn’t have your Social Security number or date of birth; all he has is your checkbook. Once the checks stop working, he’ll abandon them.

Not that having your checkbook stolen isn’t a massive headache. I’m not saying it’s something to take lightly at all. It’s just that I don’t think it constitutes identity theft per se.

I also don’t believe that simple credit card theft usually equals identity theft. Once again, the thief may be implying that he or she is an authorized user of your credit card, but that’s as far as the crook is taking things. They’re not changing your address so you don’t get the bills, they’re just burning through your card for a couple days until they max it out.

Once again, it’s a pain for the victim, but it’s not quite identity theft.

My parents were among the victims of the Heartland Payment Systems data breach back in 2008. Their credit card (which they had used once at a restaurant) suddenly showed two charges of $850 at an electronics store in California. One call to the credit card company was all it took—I don’t even think my dad had to finish his sentence before the customer service person said, “Yes, there was a data breach…aaaaaand you’re all fixed.” There was no need to place alerts on credit reports or anything. A crook had used their credit card numbers, they called the company, problem solved. In a case of true identity theft, it would have taken a lot more than one phone call to remedy the situation.

Again, I’m not saying this type of theft can’t be a hassle, because it can be. I guess I’ve just been seeing the term “identity theft” get thrown around a lot, and it seems useful to place a few limits on the term, if only for clarity.

One final point: you’ll never hear me use the phrase “ID theft” as shorthand for identity theft. Your ID is a card with your picture and information on it. Your identity is all the non-public personal information about you—date of birth, Social Security number, credit reports, etc.

To me, “ID theft” sounds like somebody just stole your driver’s license. Of course, identity theft could involve someone stealing your ID (and then manufacturing a new one with their picture and your information), but “ID theft” is a term that obscures rather than illuminates.