Tuesday, October 7, 2014

One simple move can dramatically reduce the risk of identity theft

Identity theft is a common fear, one that is reinforced with each new headline. 40 million credit cards stolen from Target! Home Depot leaks 56 million payment cards! Hackers steal info on 145 million eBay customers! Giant data breach affects 152 million Adobe accounts! It seems each new breach is more "epic" than the last. A data visualizer known as "Information is Beautiful" has a frightening but fantastic visualization.

Most of these incidents involve theft of credit and debit card information - a form of identity theft that is damaging but generally not terribly difficult to unravel. Consumer protection laws generally limit one's liability, and many banks promise zero liability for fraudulent charges. Using credit cards instead of debit cards further separates the fraudulent activity from your actual cash.

There are several simple steps you can take to reduce the risk of identity theft: opt-out of pre-approved credit card offers; sign up for electronic delivery of account statements (thief's can't swipe statements from your mailbox if there are none there); don't share your actual birthdate or address in online profiles. Most importantly, pay attention to monthly bank and credit card statements (or better yet, check periodically during the month, and set up automated alerts for high-dollar or unusual transactions).

Far less common - but far more serious - are cases where the attacker collects enough personal information to pose as the victim, often to open new lines of credit. Fraud against a payment account you know about is easy to dispute ... fraud against your name using accounts you know nothing about is not. Think about it: what information does a bank, or retailer, or mortgage lender, or auto lender, ask for when opening a credit account in your name? In the US it is typically your name, social security number, birthdate, and address. Occasionally they will want your employer and a verification of income, or possibly a photo ID, but often the aforementioned information is enough. With the exception of SSN the other pieces of information are not hard for a fraudster to acquire. And with that information they can pretend to be you when opening credit accounts. Who do you think will be on the hook when the fraudster doesn't pay the bill?

Fortunately there is a very simple way to dramatically reduce the risk of identity theft. Under US law you have several rights with each of the four best-known credit bureaus (yes, there is a fourth). The first is the right to obtain a copy of your credit report, once a year, from each company. I schedule a reminder every three months, to request a copy of my credit report from a different bureau each quarter.

The second right is to place an Initial Fraud Alert on your record. Note that you DO NOT have to be the victim of identity theft to have this right. Even if you suspect that your identity might be at risk (in other words, if you are breathing), you have the right to place an initial fraud alert on your record. This alert tells potential creditors that they must take additional steps to verify your identity before issuing you credit. Often, this means the creditor will call you - at the phone number listed in your credit report (not a number provided by a fraudster) - to ensure you are in fact the one requesting a new credit account.

An initial fraud alert stays on your record for 90 days, and you can renew it as often as you like, at no cost. Do this. Put an initial fraud alert on your record at all four agencies (see the links below), then put a reminder on your calendar to renew it every 90 days. 15 minutes every 3 months is an easy investment to make in light of the headache you may avoid.

In the event that you already are the victim of fraud, you can then request an extended fraud alert - the same idea but it lasts for 7 years instead of 90 days. The credit agencies require a police report substantiating that you have been the victim of identity theft.

The third option is a "security freeze." The different between an alert and a freeze is, an alert simply warns potential creditors to verify your identity before issuing credit, whereas a freeze denies access altogether. Potential creditors cannot even access your credit report, and thus will not grant credit. This is generally not a free option though - depending on your state and on the agency, there may be a fee to place a freeze on your report, and there may be a fee to "thaw" your report (for instance, if you legitimately want to open a new credit line).

Below are links to the fraud alert request pages for the major credit reporting agencies:


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen