AVOIDING IDENTITY THEFT
By JODY L. ROHLENA and LAUREN CAHN
IT’S SHOPPING SEASON, WHICH means you’ll be looking for a steal. Unfortunately, you’ll have lots of company. Pulling those credit and debit cards out of your wallet, entering your digits online—the holidays provide identity thieves with countless opportunities to swipe and swindle. That’s an especially big concern this year, after the Equifax security breach, which exposed the personal information— including birth dates, addresses, credit card numbers, and Social Security numbers—of more than 145
million Americans to potential crooks.
As bad as that may sound, let’s put the Equifax disaster in perspective. Truth be told, some of your information was probably compromised long before that. Yahoo now says that data breaches have likely affected every one of its users. Target has just begun to settle cases related to its 2013 credit card hack, involving some 40 million customers. All told, 15.4 million Americans fell prey to identity fraud in 2016.
The thieves may seem anonymous, but they do get caught. The Internal Revenue Service has prosecuted ringleaders who paid college students to file false tax returns, mail carriers who stole refund checks, and a Walmart cashier who knowingly cashed forged refund checks. The Department of Justice is on the case too; officials believe they know the culprits behind at least one of the Yahoo attacks: Russian intelligence agents.
As frightening as the enemies may seem, they can be stopped— and fairly easily. If you are someone who ignores all the advice on how to protect your identity, it’s time to act. While these high-tech thieves are certainly sophisticated, there are many monkey wrenches you can toss in their path. Here are five of the easiest—and most effective.
FIX NO. 1 Protect your Social Security number.
Your Social Security number is not as secure as you would hope. Of its nine digits, the first three are tied to where you lived when you applied for your number, the next two are a group number within that geographical location, and the last four are your serial number. Since it’s not that hard for a criminal to suss out where you were born, it’s really only those last four digits that stand between you and all the problems you’re trying to avoid. So guard your number with your life. Don’t use it anywhere you don’t have to—and you don’t have to use it as often as you might think.
Jen (not her real name, as her investigation is ongoing) believes that her number was stolen after she included it on a medical form, along with the rest of her personal information. “Unfortunately,” Jen told credit.com, “the police said people take those forms and sell them on the black market for others to use.” The numbers could be stolen by unscrupulous staffers or captured by hackers who tap into the computer system at the health-care provider or insurance company. That said, you aren’t required to give your doctor,
YOU DON’T HAVE TO USE YOUR SOCIAL SECURITY NUMBER AS OFTEN AS YOU MIGHT THINK.
or anyone else, your Social Security number. If you’re asked for yours on a form, simply write in, “Supplied upon request.” Then discuss with your doctor’s staff whether they really need to have it. The stealing of Social Security numbers has become such a concern that Medicare has introduced new ID cards for senior citizens that omit the numbers.
If you believe that your Social Security number has been compromised, you can change it, though you’ll need to provide the Social Security Administration with a valid reason and proof that your current number is being misused.
Unfortunately, Jen had plenty of evidence. At first, she didn’t know that her identity had been stolen—she found out when she got a rejection for a Macy’s credit card she hadn’t applied for. When she checked her credit reports, she discovered that thieves had taken out a $30,000 car loan and bought a used Lexus, then applied for and received an insurance policy for the vehicle. Experts say that one good way to safeguard yourself is to request a free report from one of the three major credit bureaus every four months and look for anything suspicious.
FIX NO. 2 Strengthen all your log-in information.
If your passwords and the answers to your reminder questions are easy enough for a thief to guess, then your bank accounts, e-mail, shopping log-ins, and other secure accounts aren’t secure at all. And yet cybersecurity firm Keeper Security reports that the most common
password—used by nearly one in six online account holders—is 123456. The word password itself is the eighth most common.
As unpleasant as it may sound, experts suggest that you have a unique password for every one of your online accounts. They should be as complicated as each site’s system can bear and never fewer than 12 characters, says Richard Roszko, a computer engineer and an IT consultant. Also make sure you use a mix of letters, numbers, and special characters. A good strategy is to use a long nonsense phrase you might actually remember: [email protected]$! as your bank password, for example.
To make managing your passwords easier, some experts recommend using a service such as 1Password, Dashlane, Keeper, Lastpass, or Apple’s icloud Keychain. All are free to download.
As for your password reminder questions, avoid using anything that could be answered with clues that thieves could dig up on social media or elsewhere online. So no high school mascot, no mother’s maiden name, no street you grew up on. In 2012, a hacker got into Mitt Romney’s personal email by figuring out the answer to the security question “What is your favorite pet?” His dog’s name, Seamus, had appeared in many news stories.
The safest question, according to Microsoft and Carnegie Mellon University, may be “What’s your father’s middle name?” It’s easy for you to remember, but it’s hard for a thief to guess and is unlikely to be floating out on the Internet. Other safer questions include “What was your first phone number?” and “Who was your favorite teacher?”
Some experts recommend answering with a non sequitur: “What is your mother’s maiden name?” Platypus. But any one-word answer is vulnerable, even a random one. Better to use a nonsense phrase here too.
FIX NO. 3 Lock up your phone.
Always keep your device locked and use a strong, long pass code. (You can customize its length in Settings.) Those annoying software updates often address new security issues, so don’t skip them. And don’t let apps save your passwords; they can provide entrée to your phone’s wealth of personal information. “If you take only one extra step, a hacker will pass you up and try elsewhere,” says Roger Entner, founder of Recon Analytics, a telecom research firm.
A good safeguard plan is to use twofactor authentication. Turn it on for your phone (via Settings) and for your various e-mail, bank, credit card, and other accounts you’d like to keep secure. Once it’s activated, you’ll need two “keys” to access those accounts— usually a password and a security code. You receive the code in a text, an e-mail, or a phone call from whatever company’s site or app you’re trying to access. So if you’re the one trying to access the account (on, say, your sister’s laptop), you’ll be fine. But if it’s a thief who doesn’t have your phone, he or she won’t receive the code and will be locked out.
Learn more about how to keep your specific phone safe by using the Federal Communications Commission’s Smartphone Security Checker, at fcc.gov/ smartphone-security.
FIX NO. 4 Don’t pay with a debit card.
Using debit cards for online shopping is a double serving of daring fate. You’re vulnerable not only because you’re shopping online but also because when a debit card is stolen, you may be out of luck. “If a credit card is hacked, you owe zero dollars on the fraud, but if your debit card gets hacked, the money is drained from your account,” Roszko explains. “You probably won’t even realize the money is gone until you get your statement, and by then, it’s gone
forever.” Banks will reimburse you if you notify them within 48 hours, so monitor bank-account activity closely.
After a credit card, the next-best option is to use Paypal, one payment site trusted by all the experts we spoke to. Most agree that the newer Apple Pay and Android Pay options are safe as well.
Also be careful to shop online only with reputable, secure websites. How do you know what’s secure? Look for a URL that starts with https—the s stands for “secure.” And never buy anything when you are on a public Wi-fi network, because thieves can grab your credit card number and home address. Turn off “connect automatically” settings so that your devices don’t join any public network they detect. While no Wi-fi is 100 percent safe, your home network has security settings that protect against hackers. Use a strong, long password here too.
FIX NO. 5 Get rid of those preapproved credit offers.
We’re not talking about shredding them, though you certainly should. In 2003, the Federal Trade Commission estimated that 400,000 Americans had their identities stolen via mail. In fact, mail theft is on the rise, according to the U.S. Postal Service. In one extreme case in June 2016, a postal carrier was robbed at gunpoint in Rancho Cordova, California. The robber, Juan Carlos Maldonado, was part of a ring that stole about 800 pieces of mail, which the thieves scoured for personal information they could use to access bank accounts and open credit cards. Maldonado pleaded guilty to bank fraud, identity theft, and armed robbery. He was sentenced to seven years in prison.
It’s easy to stop those credit card offers. Simply call 888-5-OPTOUT, and financial institutions will remove you from their mailing lists.
Then, if you aren’t planning to apply for new credit anytime soon, you should put a freeze on your credit report. A freeze will prevent anyone from taking out a loan or a credit card in your name. Of course, that includes you, which means when you’re actually applying for credit—say, a mortgage, a home equity line, or a store credit card—you’ll have to unfreeze your credit file. This can cost $5 to $10 per freeze and unfreeze through Experian and Transunion, two of the big three credit bureaus, but it’s free for life through Equifax, a concession made by the company after it admittedly bungled its response to its data breach.
Another precaution is setting up a fraud alert with one of the credit bureaus. This is a notice on your file that tells lenders to contact you before approving any applications for new credit. It’s free, and when you place it with one bureau, it will notify the others to do the same. For maximum protection, Consumer Reports recommends using both a credit freeze and a fraud alert.