Another Phine Kettle of Phish: Identity Theft Prevention
By Carol Ebbinghouse,
Law Librarian California, Second
District Court of Appeal
Los Angeles, Ca
Published: November 19, 2005
You read the headlines every day: 40-plus million Americans have
fallen victim to identity crimes. In fact, one out of every 23 adults
will become a victim of identity fraud this year alone.
And the stories keep coming about the growing number of large-scale
security breaches: UPS loses CitiGroup’s 1
CitiFinancial records on 3.9 million people and data files on millions
of consumers; LexisNexis and ChoicePoint sell information to identity
thieves; Wachovia and Bank of America customer records are stolen by
employees and sold to collection agencies; CardSystems alone has
exposed 40 million Visa, MasterCard, and other company cardholders to
ID theft, resulting in the first class action lawsuit 2
in this area. Even more headlines on identity theft will probably have
emerged between the time I am writing this article and when you read
it.
The Better Business Bureau of Metropolitan New York defines
identity theft as “… when someone uses your name, Social Security
number, credit card number or some other piece of your personal
information to apply for a credit card, make unauthorized purchases,
gain access to your bank accounts or obtain loans under your name.”3
An article about Internet scams4 written by Riva Richmond in the
Wall Street Journal Online [http://online.wsj.com/article/0,,SB111948675776567145,00.html] discusses the latest
Gartner Inc. research on electronic commerce:
In a disturbing message for online retailers and bankers, more than
42 percent of online shoppers and 28 percent of people who bank online
are cutting back on their activity because of “phishing” attacks
and other assaults on sensitive data, according to a May survey of
5,000 U.S. online consumers. … Some 2.4 million online users have
lost money to Internet scams, with total losses amounting to about 929
million in the 12 months ended in May. … Indeed, almost 46 percent
of online consumers surveyed reported having found malicious software
on their computers. More than 83 percent said they had anti-spyware
programs running on their PCs to help them stay safe. … According to
the survey, 33 percent of online shoppers concerned with Internet
fraud are spending less money than they would if they weren’t
concerned. And 77 percent of concerned online-banking customers said
they are using online banking services less frequently. More than 4
percent of those Internet banking customers concerned with fraud have
abandoned online banking altogether.
It’s not just online vulnerability that concerns us. Paper
statements and bills in unsecured mailboxes can be stolen and used to
steal identity. The California Public Interest Research Group [http://www.CalPIRG.org]
interviewed law enforcement officials; 68 percent identified theft of
snail mail as the leading threat — with dumpster diving, stolen
wallets, and unscrupulous employees at banks and other lenders next in
line. Even giving a credit card to an unscrupulous salesperson or
waiter is a risk. They can make multiple runs on your card or use a
device called a skimmer to duplicate information on the magnetic
strip.
My ID has been stolen several times. The first time was at a home
show I attended with a friend. Two weeks after registration, we both
received calls from our bank because of “unusual activity” on our
Visa cards. The thieves did not have our correct expiration dates, but
they spent thousands of dollars at stores on the East Coast before the
credit card company noticed.
The second time, I received a letter from UCLA — thanks to the
notification law in California — that was sent to all 145,000 people
who donated blood through blood drives in the last 15 years. I had
donated blood at work, where everyone’s name, date of birth, and
Social Security number — yeah, just about everything someone would
need for identity theft — was added to a database on a laptop. Weeks
later, the laptop was stolen from an unlocked van at another mobile
blood drive. The police classified it as an “opportunity theft,”
and no one thought the thief was after the password-protected data.
The letter notifying me of the theft mentioned the steps that the
university planned to take in the future to protect identities, such
as data encryption, etc.
But imagine my surprise a few months later, when I received another
letter from UCLA! In this case, someone had the names and Social
Security numbers of 63,000 people admitted to UCLA Medical Center,
information stored on — you guessed it — a laptop that was stolen.
Again, although the laptop was password-protected, there had been no
data encryption and no evidence that anyone at UCLA had followed steps
to protect data since the earlier laptop theft.
Fortunately, I live in California. Here — and in a handful of
other states (for a list of states and their privacy laws, go to http://www.consumersunion.org/
and http://www.pirg.org/consumer/credit/statelaws.htm
5) — you are notified by letter
when your information has been exposed to risk. If you don’t live in
these states, you’ll discover that you’re a victim of identity
theft only when a bill collector contacts you about delinquent
payments on a credit card account or car loan you never heard of, or
when you are arrested because someone assumed your identity and failed
to appear in court after getting a traffic ticket (in your name).
California leads other states in handling online privacy.
Thieves will grab laptops. And you can’t verify that every
organization holding data about you implements password protection and
encryption; meets government banking, financial, and security audit
requirements; makes vulnerability assessments and scans; maintains and
updates firewalls; or takes other security measures such as destroying6
(more than just shredding) paper or electronic media consumer
information. You also can’t prevent an unscrupulous
employee (with legitimate access to your personal and credit
information) from stealing it to use or sell to the highest bidder.
Although your personal and credit information exists in many places,
all of them vulnerable, you can take steps to protect
yourself online and offline.
What actions can you take, and advise friends, colleagues, and
clients to take as well, to stay protected?
Ten Things to Do Today
1. Credit Report. Go to http://www.annualcreditreport.com,
or call (877) 322-8228 to request a credit report by phone. You will go
through a simple verification process and receive a report by mail.
You can also print out a form requesting your Credit Report by Mail
and send it to Annual Credit Report Request Service, P.O. Box 105281,
Atlanta, GA 30348-5281 for a report from one of the three leading
credit reporting companies. Put reminders on your calendar to request
another free report from a different credit reporting company every 4
months. If you request the credit report, make sure it isn’t
reported as an “inquiry,” which could adversely affect your credit
score.
2. Fraud Alert. If you think you may have been a
victim of identity theft, put a “fraud alert” on your credit with
any one of the credit reporting services; this service will then
contact the others. With this one call, you will get free credit
reports and be contacted for permission before any new credit is
established in your name for 90 days. If you are deployed in the
military, place an active duty alert with the credit bureaus. Though
renewable, these alerts do not impose a penalty if a creditor
doesn’t contact you to verify the person applying for credit in your
name is really you. The alert notifies creditors about possible fraud
and asks them to call you before issuing any credit in your name. If
you are a victim of ID fraud, you can get the alert extended for 7
years — but you need to prove it with a police report (or, in my
case, the letter notifying me, per California law, that my information
had been compromised).
3. Freeze Credit. In California,7
Louisiana, Texas, Vermont, and a few other states (for a current list,
go to http://www.ncsl.org/programs/banking/SecurityFreeze_2005.htm), you can have a
“freeze” put on your credit reports to prevent credit reporting
agencies from sharing your information without your permission. In
other states you must become a victim of identity theft before you can
do this. Placing a credit freeze on my information cost me $10 for
each credit service, but it was cheaper than the cost of credit
monitoring services — even if the freeze is lifted to apply for a
car loan or mortgage once a year. If you thaw your credit for a
big-ticket item, don’t forget to re-freeze it. Remember, if you
report an ID theft to the credit bureaus, the credit- or fraud-
“alert” initiated only lasts 90 days and only notifies companies
inquiring about your credit. A freeze literally freezes your credit
report at that bureau for years. Only you can unlock it with a PIN.
4. ChoicePoint Check. If your state doesn’t have a
law requiring a citizen to be notified when information is
compromised, check out the information ChoicePoint [http://www.choicetrust.com]
has on you. Go to the consumer division to print out the application.
Mail it in to find out what information is in your files from public
records, criminal files, property owned, cars and boats, professional
licenses held, even business sanctions. Allow several weeks for
delivery.
5. P.O. Box. If you don’t have a locked mailbox or
someone trustworthy to receive packages at home, get a postal box at a
nearby center. Otherwise, you could find your new checks lying on your
porch or in a mail bin for anyone to snag. There are account numbers
on the checks and perhaps credit card information in the enclosed
billing statement! Be sure to mail payments from locked mailboxes.
Mail them from a post office or locked mail box on the street. Having
a postal box helps in other ways, too. You won’t need to send change
of address cards when you move. For personal security, the only thing
anyone knows about you (from bills, checks, etc.) is your P.O.
address.
6. Temporary Credit Card Numbers. Ask your credit
card issuers for substitute or temporary credit card numbers for
Internet purchases. You will first have to register with the credit
card provider, but it is a very safe procedure. Since this number
isn’t your real credit card number, no one else can use it. My bank
doesn’t offer this yet, but MBNA, a leading international credit
company, calls its service “ShopSafe”; others may use different
names. You can leave these numbers with Internet vendors for re-use
without putting your own credit card number at risk. AOL has AOL
secured transaction numbers with a limited number of providers. Expect
to hear more about this and other new security measures, because banks
are liable for use of the credit they issue. While your liability may
not extend beyond $50 or even nothing, a bank’s liability is nearly
unlimited.
7. Browser Alerts. Download a free Web browser
toolbar to alert you if you access a known phishing Web site. The
Anti-Phishing Working Group recommends Earthlink’s ScamBlocker.
Download it for free at http://www.earthlink.net/earthlinktoolbar.
Also consider FraudEliminator (the basic version is free, the
FraudEliminatorPro costs $19.99) at http://www.fraudeliminator.com.
For more information, go to http://www.bbbonline.org/idtheft/virtual.asp.
Just be sure to get some protective measure set up.
8. Computer Security. Make sure your computer has the
latest security patches and updates. If you need to learn how to do
this, the GetNetWise video tutorial [http://security.getnetwise.org/tips/autoupdate]
can teach you how to check and update your system preferences for both
Microsoft and Apple computers. If your computer runs Windows XP or
Mac’s OS X, check http://security.getnetwise.org/tools/firewall
on how to install the built-in firewall. If you run or use wireless (Wi-Fi),
use a privacy shield. GetNetWise can also help you protect your
network and wireless transmissions [http://security.getnetwise.org/tips/wifi].
Finally, if you share files (peer-to-peer), you should also check
GetNetWise concerning sharing procedures. Its information is available
in video: broadband [http://base.getnetwise.org/gnwtv/bb-filesharing2.ram]
and modem access [http://base.getnetwise.org/gnwtv/modemfilesharing2.ram].
The GetNetWise links are available courtesy of the Better Business
Bureau’s site [http://www.bbbonline.org/idtheft/virtual.asp].
9. Social Security Checks. Check the Social Security
Earning Statements that came in the mail before your most recent
birthday to make sure the earnings for last year were correct. If the
statement reflects more income than you made, someone else is probably
using your number! Don’t forget to also check your children’s
statements. The theft of a child’s ID can go undetected for years.
10. Photo ID. Inquire whether your bank can add a
photo ID to your credit card and/or debit card. If so, get one. On the
back of every card (in permanent ink) write in the signature block,
“PHOTO ID REQUIRED” or “CHECK PHOTO ID.” While your cards are
in hand, make a list: Note the card issuer, the 800 number for
reporting lost or stolen cards, the account number, the expiration
date, and the time of month the statements usually arrive. Think about
canceling some of the newest cards. Reducing the credit available to
you will likely improve your credit score.8
This will not affect your oldest cards with the longest payment
history; these cards you will want to keep. Put the list in a safe; do
not store this information on your computer (you should have a
password by now) unless you have complete faith in your Internet
security software (updated each time you open a browser). Cut up any
cards you don’t use but don’t want to cancel. Throw the pieces
into different garbage bins. Every little bit helps!
Seven Things to Do By Next Week
1. Monitor Accounts. I have created an instant
“peek” at all my bank accounts online. I can update each account
in 2–3 minutes or less. I have linked my retirement accounts, credit
union accounts, bank savings and checking accounts, 401(k) accounts,
brokerage account, and even credit card balances. If money disappears,
I’ll notice it. If credit card balances go up unexpectedly, I can
check the charges online and detect a problem right away. After almost
a quarter-century of home-banking, I have never had a problem with
accuracy or security. According to the FTC9
and the BBBOnline/Javelin10
surveys, people who monitor their accounts online discover identity
fraud weeks before their paper-statement-only counterparts.
2. Get Online Bills and Statements via E-Mail. Sign
up for e-mail or online bills and statements. Identifying information
is stolen most often through unlocked mailboxes or leaving bill
payments in “outgoing” boxes.11
Each statement, if diverted, leaves you vulnerable to fraud, since it
contains your name, address, account numbers, balances, and other
personal financial data. If you prefer paper statements and bills, get
a mailbox with a lock and deposit all your mail into secure postal
boxes. Buy a shredder (cross-cut is best) so precious paper documents
can’t fall into the hands of a dumpster diver. If your information
is on a CD-ROM, be sure to smash it to pieces and toss the pieces into
separate trash containers. Pay bills online and you will never need a
paper trail. Want to keep your statement? Download the information to
a floppy, CD-ROM, or DVD disk and you can sort by date, creditor, etc.
3. Opt-Out. Call (888) 567-8688 (888-5-OPT-OUT) to
prevent preapproved credit offers from being sent out to you. If
stolen from your mailbox, these preapproved cards can become carte
blanche for ID thieves, giving them the perfect opportunity to run up
items on a new account billed to another address, one that you can’t
possibly know about until the collections agency calls after the
defaults have been duly noted on your credit report. Read any
and all privacy statements, which tell you how to opt-out of getting
solicitations from “partners” and other third parties to prevent
your information from being distributed. Privacy notices can be found
on the Web. Contact the national Do-Not-Call registry at (888)
382-1222 from your home phone or online [http://www.donotcall.gov].
It is free. If telemarketers still call, ask to have your number added
to the company’s do-not-call list. Get the telemarketer’s name,
keep a record, and note the date. If the telemarketer calls again, you
have the right to sue them in small claims court. Finally, the Direct
Marketing Association (P.O. Box 643, Carmel, NY 10512) will also put
your name on a do-not-mail list, which should limit junk mail [http://www.dmaconsumers.org/consumerassistance.html].
4. Test Yourself. Take the Better Business Bureau
quiz on your risk level for ID theft [http://www.bbbonline.org/idtheft].
You will find out if you are doing enough to fight ID theft and find
out about more recommendations to protect yourself.
5. Reconsider Storing Credit Information with E-Commerce
Providers. Hackers have broken into Amazon.com’s subsidiary
Bibliofind.com. Some Web companies may not even encrypt data files.
Think twice about such conveniences. The site may not be as scrupulous
about your privacy and security as you are. What about the
scrupulosity of the next owner of a fly-by-night dot-com? Is using
more than one click to make a purchase and entering your credit card
number each time so onerous that you are willing to risk ID theft?
6. Back Up Your Computer. Load anti-spyware software12
to avoid your computer being hijacked, your keyboard sniffed for
credit card and other accounts, or your keystrokes of bank URLs,
passwords, login IDs, etc., tracked.
7. Alphanumeric Passwords. If you use any passwords
or PINs with easy-to-learn information (such as kids’ or pets’
names, mother’s maiden name, nicknames, etc.), replace them with
alphanumeric passwords immediately. Change your login information if
you’ve had the same one at a site for years.
Feeling Vulnerable?
Alert/Credit Monitoring Subscriptions. Services such
as myFICO Identity Theft Security Deluxe [http://www.myfico.com/Products/IDF/Description.aspx?LPID=FICO122], Privacy Guard,
Privista, TrueCredit, Equifax Credit Watch Gold, TransUnion’s
“ID-Fraud Watch,” or some such service from a credit reporting
agency will alert you to any inquiry about your personal information.
It won’t prevent intruders, but it will alert you to changes on your
credit report.
ID Theft Insurance. This insurance may cover the time
and money it costs to recover your good credit, but the charges that
the ID thief incurred are not covered. These charges are between you
and your bank to resolve. All policies are not the same, but look for
a low (or no) deductible; coverage for postage on certified letters,
FedEx, phone charges, and lost wages; coverage for notaries public and
civil and criminal defense attorney fees that can easily run to
thousands of dollars; and costs of denied credit, of reapplying for a
loan, and of removing negative items from your credit report. Note: If
you have a prepaid legal plan through your employer or professional
association, you may not need ID theft insurance. Check your policy or
ask the sponsoring organization. Also, check your homeowners or
renter’s insurance policy, which may provide coverage as well. This
may be available as an add-on for about $25 a year vs. $60–$180 for
a stand-alone policy. One call to your insurance carrier may save you
money. Some companies, such as Washington Mutual and PMC Bank in
Pittsburgh, offer customers a basic plan for free and a higher version
for a monthly fee. Check with your bank or credit card company or go
to http://www.BankRate.com
(search for “ID theft insurance”). The Insurance Information
Institute’s Web site also links to companies offering coverage.
Check each insurance company with the Better Business Bureau [http://www.bbbonline.org]
before making a final decision.
Worst-Case Scenario: Your Identity Is Stolen
If your identity is stolen, alert one of the following credit
bureaus immediately and the bureau will contact the others to put a
90-day fraud alert on your accounts and supply current copies of your
credit reports. These credit reports will help you identify accounts
you didn’t open and will notify you about high balances that might
indicate fraud. The Fraud Alert asks creditors to contact you before
extending credit in your name. These are the credit agencies:
Equifax - http://www.equifax.com; (800) 685-1111 or (800) 525-6285
Experian - http://www.experian.com; (800) 397-3742
TransUnion - http://www.tuc.com; (800) 888-4213 or (800) 680-7289
Innovis - http://www.cbcinnovis.com; (800) 540-2505
On each credit report, check the personal information for any
address changes. Check credit inquiries from unfamiliar lenders (not
PRM, or promotional inquiries, the source of those preapproved offers
or inquiries from your current creditors that don’t affect your
credit score). Hard inquiries are in response to an application for
credit or a loan and these will impact your FICO score. Each type of
credit inquiry is clearly identified in each bureau’s credit report.
Note the date each account was opened, and look for new, unfamiliar
entries or a suspiciously high balance. Finally, check the public
record section for unknown liens or judgments. Notify each creditor
with a fraudulent account and ask what you need to do and what can be
done for you. Finally, when resolved, request a document stating that
you are not responsible for the debt.
Report the crime to your local police department. Get a copy of the
police report and the number because you will need it for your files.
In most states, you cannot get more than a 90-day fraud alert without
a police report.
Contact your bank or go directly to its Web site. National banks,
such as Bank of America and Citibank, have ID Theft Tool Kits and
“theft solutions” (with downloadable ID theft worksheets and
information, as well as 800 numbers of ID theft specialists to assist
you “every step of the way”).
Start a pocket file or notebook with partitions for 1, the police
report; 2, credit bureau statements; 3, telephone call logs (one
for each creditor/store/bank) noting institution, department, and
individual you spoke with; date, time, and topic of the call; and
follow-up dates and information (who is to do what); 4,
correspondence, copies of e-mails (download the FTC sample letters for
a start [http://www.ftc.gov or http://www.consumer.gov/idtheft], and
review the correspondence to make sure that the creditors have
followed up); 5, affidavits (federal forms available from the FTC [http://www.consumer.gov/idtheft]);
and 6, clearance letters showing accounts cleared. Plan to save these for
several years (or forever) to make sure that the wrong information
doesn’t resurface or errors remain uncorrected.
Keep track of the time and money spent on phone calls, fax, FedEx,
postage, and other expenses (including time off from work) because
fraud losses and out-of-pocket costs may be tax-deductible. See IRC
165(c) and ask your tax advisor. If you have ID theft insurance, these
items are the basis of your claim.
If you detect misinformation on your credit report, call the
security/fraud departments of the fraudulently opened accounts and
have the accounts “closed at customer’s request.” Be sure to
request that you not be held responsible for accounts you did not
open. Ask that these accounts be “permanently removed, not just
closed,” according to Mari Frank, attorney, author13
and ID theft victim. You will need to supply a copy of the police
report before the fraudulent account can be closed. Do not close any
account not affected by the fraud or you will lose your long-standing
credit history, which could jeopardize your credit score. Ms. Frank
also recommends that you “report the theft to the major check
guarantee/verification companies … [because] merchants use these
databases to learn whether you have a history of writing bad checks.
Your bank may not update this information right away.” She also
recommends checking for civil and criminal court records “to make
sure the thief hasn’t incurred any lawsuits, civil judgments or
criminal charges in your name.”
Do not pay any bill based on fraud, no matter how creditors or
collection agencies hound you. Send a copy of the ID theft report from
your police report to the agencies with a note telling them that if
they continue to call, they are violating federal law and you will
take legal action.
Check with the Department of Motor Vehicles (DMV) in your state to
see whether any fraudulent ID or driver’s licenses have been issued
in your name. If so, request a fraud alert be placed on the national
computer to have the person arrested.
Get new PIN numbers and/or passwords on debit cards and other
online services (which should be done on a regular basis).
Finally, if possible, prosecute the ID thief and use expense
records to seek restitution and damages. If the mails were used in the
fraud, then contact the U.S. Postal Service [http://www.usps.com],
or your local postmaster. This can happen when a thief fraudulently
uses the mail to change the billing address on a credit card or
hijacks a preapproved credit card notice in the mail. If your Social
Security number has been fraudulently used, report it to the Social
Security Administration, and find out how to correct your earnings
record [http://www.ssa.gov/pubs/idtheft.htm].
Some ID theft victims have become so desperate to end the nightmare
that they have considered changing their Social Security number.
According to the experts, it is extremely difficult to get permission
to do this. Unless you want to find yourself stripped of all credit
history, you will need to link to your old number anyway. One can’t
seem to escape one’s past. If the perpetrator stole information by
claiming to be from the IRS, notify the Inspector General for Tax
Administration at (800) 366-4484. The FBI has an Internet Fraud
Complaint Center at http://www.ifccfbi.gov/strategy/howtofile.asp.
Some thieves may try to use your safeguards to their advantage. For
example, in the case of mass public announcements about compromised
data, dishonest people might contact victims to “help.” Do not
release more of your private information, whether by phone, e-mail, or
Web site link. If you think the callers are legitimate, get their
number and call them back via the phone number given on the official
Web site. Keep a record of such contacts and numbers.
Your Attorney General’s Office probably maintains an identity
theft registry and has information on your state’s services related
to identity theft. A listing of all state attorneys general is
available at http://www.naag.org
or http://www.naag.org/ag/full_ag_table.php.
Your state may have an Office of Privacy Protection offering a variety
of information and services about identity theft. Go to the Identity
Theft Resource Center [http://www.idtheftcenter.org]
and look at “Victim Resources.” The Privacy Rights Clearinghouse
has statistics, fact sheets, and more information about identity theft
[http://www.privacyrights.org/identity.htm].
Finally, if a legitimate business won’t correct your records
after an identity theft, contact the Better Business Bureau to file a
complaint and get the matter resolved [http://www.bbbonline.org/idtheft/complaint.asp].
You can also file a complaint with the FTC [https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03].
Conclusion
While you cannot prevent the theft of your identity from banks,
credit bureaus, alumni offices, swiped laptops without encryption,
unscrupulous employees, etc., you can take precautions to limit the
odds of identity theft. Just as using seat belts, yielding to rights
of way, and reading road signs may not prevent all accidents, these
precautions do eliminate many risks. Using these suggestions will
reduce the opportunities for would-be ID thieves to make you their
next victim.
A friend shared a New York Times article (July 2, 2005) by
M. P. Dunleavey, titled “Don’t Let Data Theft Happen to You.” It
notes that “what will stop identity theft are stronger notification
laws and stronger penalties, which we don’t have now.”
Learn about laws proposed in your state to make sure that these
laws are as strong as California’s and make sure Congress does not
water down any existing laws on consumer notices, credit freeze, and
other protection for citizen credit. The credit bureaus have been
lobbying to eliminate such protections, which make it harder to sell
your credit information (a very lucrative part of their business) to
their real customers. Lobby your state and federal representatives!15
Fight on, especially at the local level. Representatives at the state
level can be more creative,16
responsive, and even proactive than Congress.
Worried?
You should be. Identity thieves get bolder every day. John A.
Clarke, the executive officer/clerk of the Superior Court of
California, County of Los Angeles, posted an urgent “Alert to the
Public” on the court’s Web site [http://www.lasuperiorcourt.org],
announcing that the “Court does not — and will not — telephone
jurors or potential jurors and ask them to disclose personal financial
information.”
The notice links to an Aug. 26, 2005, “Warning to the Public
Regarding Identity Theft” announcing that “The Los Angeles
Superior Court has become aware of telephone scams by identity thieves
targeting members of the public. They call, claiming to be court
employees needing social security numbers for jury service. Court and
jury employees never contact potential jurors by telephone and would
never, under any circumstances request any personal or financial
information over the telephone.” The warning alerts readers that
“[s]imilar scams have been reported recently in Riverside and San
Bernardino counties as well as other states. We urge all members of
the public to be aware of such scams and be careful whenever you
reveal confidential information over the telephone.”
Want to assess your risk? To take the Identity Theft Test, visit http://www.idtheftcenter.org/idthefttest.shtml.
Is snail mail the threat? Take the U.S. Postal Inspection Service’s
“Mailbox Security Quiz”
[http://www.usps.com/postalinspectors/thftquiz.htm].
Your Number, Please
In late September, a California judge ruled that credit
card companies don’t have to notify customers when their
personal information is stolen. The class action suit was
brought on behalf of cardholders and merchants against
CardSystems Solutions, Visa, and MasterCard. The judge said he
didn’t see an “immediate threat of irreparable injury”
to consumers. And Visa and MasterCard explained that by
dealing with the issuing banks — not customers — victims
did not have to be notified. Apparently, this is one loophole
in the California law (passed in 2003) that’s been touted as
the model for disclosure legislation in alerting consumers
about ID theft.
Lucky for me, American Express is literally “watching the
store.” In early September, someone halfway across the
country made several charges to my account. Within 48 hours of
those transactions, I had received two phone messages and a
Western Union Mailgram from the American Express Account
Security Group, asking about three charges totaling nearly
$1,000. Within 5 minutes of my call to the 800-number to
confirm that the charges weren’t mine, the company’s fraud
specialists launched an investigation, canceled my card
number, and advised me to examine my coming bill thoroughly
for any other fraudulent charges. Sure enough, there were two
more transactions on my statement.
Because my home base was so far from the transactions,
American Express was quick to alert me of “possible
fraudulent activity.” A friend of mine who travels
frequently said American Express occasionally asks him to call
the company’s 800-number just to confirm that he is actually
using the card in another state.
Credit card fraud, according to American Express, can
happen any number of ways: a clerk makes an extra imprint of
your card, someone lifts the account number and expiration
date from an old receipt, a telemarketer calls to enter your
number in a bogus contest, or a waiter swipes a charge card in
a device called a skimmer to make a counterfeit card copy.
So what can you do? The American Express Web site has some
advice: Sign the backs of new cards immediately; destroy old
cards; don’t let anyone use your card; don’t use
see-through envelopes or write account numbers on envelopes,
postcards, and checks; and never carry your PIN or Social
Security numbers with you. Likewise, examine statements,
notify the card company of any unrecognized charges, and be
sure to shred preapproved credit card offers.
American Express also offers safety nets for customers: The
Fraud Protection Guarantee protects customers from liability
for any fraudulent charges; a cardholder may be asked to
provide his/her billing ZIP code to verify identity. To
safeguard online purchases, more vendors are also asking for
the Card Identification Digits (CID) that can be an extra
precaution along with the account number. Best of all,
American Express offers free Account Alerts to let customers
know about irregular account activity via e-mail, mobile
phone, pager, or PDA.
MasterCard and Visa also have safeguards, such as zero
liability coverage that protects customers against
unauthorized purchases made on an account, whether in a store,
by phone, or on the Internet.
A colleague of mine summed it up best when she said,
“When it comes to being a victim of credit card fraud or ID
fraud, it’s not a matter of ‘if,’ it’s a matter of
‘when.’”
–Barbara Brynko
Editor in Chief, Information Today
Never, Ever
• Never, ever carry your
Social Security card in your wallet, glove compartment, or
purse. Don’t automatically print it on forms that request it. I
don’t and I am surprised how rarely people notice it, much less
insist on having it. It really isn’t “necessary,” except for
tax, Medicare, or other federal purposes. Requestors will often
happily accept another form of ID if you don’t want to provide
your Social Security number or are satisfied with the last four
digits. If you carry a Medicare or insurance or other card with your
Social Security number on it, a friend recommends copying it and
carrying the copy with all but the last four digits inked out. Give
it a try.
• Never, ever throw out
bills or statements before shredding them.
• Never, ever use
“remember my password” on any service. It will only help a
thief who gains access to your home or work computer, your laptop,
or cell phone (especially with Internet access).
• Never, ever use public
access terminals or friends’ computers to access any site
requiring a password or ID. Software that someone might have
loaded could capture all your keystrokes and use them to log on to
your accounts, get your essential financial data, account numbers,
etc.
• Never, ever give personal
information over the phone to someone who calls you. If the
caller seems reputable, ask for their name and phone number and call
them back using the public phone number in the yellow pages or on
their home page. If someone requests your Social Security or credit
card number, just give them the last four digits. Legitimate
companies don’t call to get information they already have in their
files.
• Never, ever respond to
e-mails from the IRS about electronic audits. The IRS doesn’t
use e-mail. Such requests are always phishing expeditions. Beware of
“spoofing,” which occurs when a hacker redirects customers of a
legitimate financial or shopping Web site to a look-alike site in
order to get your IDs and passwords, as well as credit card numbers.
Report phishing and spoofing to spam@uce.gov and reportphishing@antiphishing.org,
as well as to the company being spoofed, so customers can be
protected.
• Never, ever respond to
requests for personal information in an e-mail — this is
classic phishing — whether by replying directly or linking to the
company’s alleged Web site. If you give your credit card numbers
and personal data to strangers posing as a company you know, then
you have been “phished” or “spoofed!” Either way, you are in
big potential trouble. Report it immediately.
• Never, ever use a
stand-alone or unfamiliar ATM. Go an extra block or two
to use your own bank’s ATM. Some public ATMs have been
found to “capture” debit card numbers and PINs to create
new cards.
• Never, ever co-sign a
loan for a friend or family member. It increases the risk of ID
theft by the bank or car dealership employees, the friend, and
others. Lend cash if you want, for that will limit your liability.
Always
Under no circumstances should you ever skip over any of these
safety measures.
• Always check a Web
site’s privacy policies before giving personally identifiable
information or e-mail address. Find out if the policy requires you
to opt-in or opt-out from receiving promotional offers, newsletters,
etc. In California14 the privacy
policy is required, on the first page, to list any information
disclosed to third parties, the names and addresses of all third
parties, and provide an opt-out mechanism for the consumer. If you
don’t go to the privacy policy, you won’t be able to
“opt-out” of the privilege of receiving direct marketing from
these third parties.
• Always check your
statements. Examine statements for the balances due, as well as
wrong amounts, duplicate transactions, transactions in odd stores,
or at odd times. Watch for statements that you normally receive
regularly, which may have been intercepted by thieves.
• Always go direct to home
pages. Don’t rely on a link from an e-mail to get to a company
or organization’s Web site. Go directly to the Web site through
the known Internet URL. If the real site does not ask for the
information, then report the scam to the company so it can handle it
and alert other customers. If you suspect a scam, contact the FTC at
888-FTC-HELP. Put your tax dollars to work.
• Always look for
“https” in the URL whenever you give personal information.
That means it is a secure site. Also look for a little yellow
padlock on the bottom of your screen — and make sure it is locked.
If it looks unlocked, don’t give any personal information. Look
for the VeriSign shield and click on it to make sure it links to the
VeriSign site and has not just been “pasted” in to look like a
reliable site.
• Always keep firewalls and
antivirus software current. Make sure that your firewalls and
antivirus software are up-to-date every time you turn on your
computer, before you open an online browser. Regularly verify that
you have the latest version of your browsers. Check your computer
for spyware with free programs such as Lavasoft’s Ad-aware and
Spybot Search and Destroy. Download security patches. Check for
Microsoft patches at http://www.microsoft.com/security/
or http://www.microsoft.com/athome/security
and verify that you have 128-bit encryption (see No. 8 of
“Things to Do Today” on page 20). Change your passwords at
occasional intervals.
• Always use a locked mail
receptacle. Even if you have e-bills for all of your creditors,
a pay stub or insurance statement can bear your Social Security
number, employer, address, and more. Don’t let this information
sit in an open or even unlocked mailbox. And always shred bills,
statements, etc., before throwing them into the trash.
• Always note each credit
card usage. In your personal calendar, write down every time you
use the card along with the location and amount of every charge so
you can instantly tell a legitimate purchase from a potentially
fraudulent one. And check your bank and credit card statements for
unauthorized purchases.
• Always use passwords on
every machine: office and home computers, laptop, PDA — even
your cell phone. If you can set up a password through software or
hardware, do so. Consider changing passwords twice a year when you
change your clocks. If you are like me and have many passwords for
online accounts, database companies, Internet service providers,
workstations, library cards, then keep a list of the name of the
service and a personal clue to the password.
• Always verify, verify,
verify. Telltale signs of a phishing e-mail include the
following: looking as slick as the legitimate one; requesting
information verification; not addressing e-mails to your name as
listed on an existing account; playing on your fears relating to
security using scare tactics; and, of course, requesting personal
information to validate an account. Doing that may download a small
program that logs your keystrokes when you enter your account
number(s) and PINs.
Needed Legislation
Here’s what we need to protect our credit against theft:
• Require credit reporting agencies to
verify all “adverse information” before reporting it to make
sure it is not due to an ID theft.
• A national law requiring consumer
notification of compromised personal data.
• An outside time limit on notification.
• An adequate definition of “personal
information” that specifies links between credit information and
Social Security number, driver’s license, etc.
• Prison terms for those who use data
fraudulently.
• The option of free credit freezes (with
free thaws with use of the PIN established by the consumer).
• Forbidding use of Social Security numbers
on healthcare or other ID cards (such as student ID cards, driver
licenses).
• Requiring encryption and future
state-of-the-art protections as well as password protection of all
confidential personal consumer data (such as Social Security number;
driver’s licenses; date of birth; account, credit and debit
numbers; etc.).
Web Sites with More Information
Better Business Bureau
http://www.bbbonline.org
A wealth of information.
Check Guarantee Companies
Certegy (800) 770-3792
ChexSystems (800) 428-9623
Cross Check (800) 843-0760
Global Payments (800) 560-2960
SCAN (800) 262-7771
TeleCheck (800) 710-9898
Consumers Union
http://www.consumerreports.org
Publisher of Consumer Reports. Check out the
September 2005 issue with its “Online Survival Guide,” a
collection of ratings of programs fighting viruses, spyware, and spam,
beginning on page 12.
Department of Justice
http://www.usdoj.gov/criminal/fraud/idtheft.html
The FBI has an Internet Fraud Complaint Center: http://www.ifccfbi.gov
Federal Trade Commission
http://www.ftc.gov
Your tax dollars at work. For a free pamphlet, “When Bad
Things Happen to Your Good Credit,” go to http://www.consumer.gov/idtheft.
Financial Privacy Now
http://www.financialprivacynow.org
This group wants Congress to pass more financial privacy
protections.
Identity Theft Prevention and Survival
http://www.identitytheft.org
Mari Frank’s organization. You can also call (800) 725-0807.
Identity Theft Resource Center
http://www.idtheftcenter.org
Privacy Rights Clearinghouse
http://www.privacyrights.org
Public Interest Research Group
http://www.pirg.org
An excellent organization on all kinds of consumer issues.
There are also state groups such as California’s CalPIRG at http://www.calpirg.org.
Have They No Shame?
Even in the middle of a national catastrophe, some people see
opportunity. Watch out! Charity scams are everywhere. Li Yuan
described the rise of disaster parasites in The Wall Street Journal
article, “Online Scams Solicit Katrina Donations, Risk Identity
Theft” (Sept. 8, 2005, p. B1). For background on charity scams, you
might check out an article I did for Searcher in the
July/August 2000 issue, “Avoiding Charity Fraud and Misinformation
from Non-Profits on the Internet,” or even the book edited by Anne
Mintz and published by Information Today, Inc. entitled, Web
of Deception: Misinformation on the Internet (2002,
ISBN: 0-910965-60-9).
Endnotes
1. Citibank and Bank of America have Web
sites with a wealth of information on how customers can protect their
data, passwords, etc.
2. Harrington v. ChoicePoint, No.
2:05-CV-01294-SJO-JWJ (C.D. Calif).
3. See http://www.bbbonline.org/idtheft/consumers.asp.
This site has a wealth of information, including how to defend
yourself online at http://www.bbbonline.org/idtheft/virtual.asp.
4. For a list of the current Internet scams
by categories, complete with alerts and examples, go to http://www.idtheftcenter.org/alerts.shtml.
For a list of the major credit security breaches, visit http://www.consumersunion.org/campaigns//learn_more/002232indiv.html.
5. See also the National Conference of State
Legislatures: For breach notice legislation, http://www.ncls.org/programs/lis/CIP/priv/breach.htm
and for security freeze legislation, http://www.ncsl.org/programs/banking/SecurityFreeze_2005.htm.
Another site to monitor state ID theft laws is http://www.ckfraud.org/idtheft.html.
6. See the Fair and Accurate Credit
Transactions (FACT) Act of 2003 and the Federal Trade Commission Rules
effective June 1, 2005, 16 CFR Part 682. See also http://www.privacyrights.org/ar/FTC-DisposalRule.htm
and http://www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm.
7. See Cal. Civil Code §1785.11.2 through §1785.11.6.
8. An excellent article on credit scores
appears in the August 2005 issue of Consumer Reports. In
addition, FICO (Fair Isaacs Company) itself has written on ID theft at
http://partners.myfico.com/email/071205/?LPID=FICO122.
9. The FTC survey can be found at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
10. The announcement of the most recent
surveys appears at http://www.bbbonline.org/IDtheft/safetyQuiz.asp.
11. See the Better Business Bureau ID theft
statistics at http://www.bbbonline.org/update/issue.asp?id=48.
Also check out the complete chronology of data breaches reported since
the ChoicePoint Incident at the Privacy Rights Clearinghouse: http://www.privacyrights.org/ar/ChronDataBreaches.htm.
The word “complete” is a misnomer because the financial
institutions still don’t want us to know that any one of them has
been victimized (along with their clients). For instance, L.A.
Times columnist Michael Hiltzik reported that a laptop computer
was stolen from Bank of America in northern California containing his
Social Security number, name, address, phone number, and online
banking ID on May 20. BA didn’t call him until 5 weeks later and,
when he searched for “news clips to learn what BA had said publicly
about the May 20 theft, it turned out that the bank had never
disclosed the incident to the general public. It merely notified the
18,000 California customers whose privacy may have been threatened, as
required by [California] law, and only after a month had elapsed”
[http://www.latimes.com/business/la-fi-golden30jun30,1,63203.column].
12. See the article by Ross Greenberg,
“How Spyware Works,” for software information, steps to take on
your computer right now, and antispyware Web sites at http://www.securitypipeline.com/shared/article/printableArticleSrc.jhtml?articleId=60404103.
13. Mari Frank, “From Victim to Victor”
from Porpoise Press.
14. See Cal. Civil Code §1798.83.
15. For a sample e-mail to send your
representatives, go to financialprivacynow.org.
16. The Consumers Union and the Public
Interest Research Group have an excellent 25+ page publication, “The
CLEAN Credit and Identity Theft Protection Act: Model State Laws: A
Project of the Public Interest Research Groups and Consumers Union,”
by Ed Mierzwinski, Kerry Smith, and Sarah Ackerstein of the state
PIRGs and Gail Hillebrand, Senior Attorney of Consumers Union. Dated
November 2004 in print, it is updated regularly on the Web. In
addition, Gail Hillebrand’s “After the FACT ACT: What States Can
Still Do to Prevent Identity Theft” is available at http://www.consumersunion.org/creditmatters/creditmattersupdates/001640.html. For a
compilation of federal statutes and a bibliography of select resources
on identity theft, please see www.llrx.com/features/idtheftguide.htm.
(Originating URL = http://www.nytimes.com/2005/11/01/business/01theft.html?ei=5090&en=45a7f4f8b33ff10f&ex=1288501200&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1132164075-2HLGpDVHgbo+xMA+VHLpnQ)