Friday, July 11, 2008


“Identity theft”

I see and hear a lot about “identity theft”. It’s a nasty business, and it can take a great deal of time and trouble to dig yourself out from under it, if it happens to you.

But I also see the term tossed around a lot incorrectly. It’s often used to describe fraud or plain, old, traditional theft.

If someone gets your credit card or card number and charges things to it, that’s not identity theft. If someone snags your bank account number and transfers all the money out, that’s not identity theft. If someone phones a business and claims to be you, and the staff believes him, that’s not (by itself) identity theft.

Those things are annoying, but they’re easy to deal with, easy to get yourself out of. You cancel the affected account and you open a new one. Even if your wallet is stolen and several accounts are compromised, the solution is the same.

Fraudulent use of a credit card is usually easy to fix. Identity theft is much more insidious than that.

Identity theft happens when someone gets enough information to open new accounts on your behalf. That can get really nasty, because it can be a long time before you even know about the problem (especially if they get the bills sent to a bogus address), it can be hard to convince the creditors that you didn’t authorize the activity, and it can result in stuff in your credit record that’s hard to get out.

And the thing is that obtaining account numbers, as above, can be the first step to enabling identify theft. Identity thieves collect as much personal information about you as they can. When they have enough, including some key bits, they’re ready. The key bits? Name, address, date of birth, Social Security number. A couple of account numbers help too — a bank account and a credit card fill things out nicely. If they also know where you work, that’s good too, though it’s not necessary. Mother’s maiden name, place of birth, and that sort of thing are icing on the cake, giving them more options to get more information from more sources.

Because that’s the real key point here: the more information one has on someone, the more new information one can get. Information, however insignificant it may seem, provides access to more information. The other side of that is that protecting information helps protect other information.

Your first line of defense, then, is to keep a lid on the key bits of information. Note that your driver’s license has three of the four primary ones in one place: name, address, date of birth. Don’t lose your driver’s license! It’s more than just an inconvenience. Never keep anything with your Social Security number on it in your wallet, and don’t give your SSN out freely. You should only have to use your SSN to open bank or credit card accounts, and to get employment — things that have to deal with taxes or credit checks. For anything else (someone recently said that her doctor asked for her SSN), insist that they use something else (and see below for places that use the last four digits of your SSN).

It’s also popular to put your date of birth into social networking sites, purchasing wish lists, and such, for all to see. Avoid that.

Shred any old mail that has your account numbers on it. Someone picking your old account statements out of the trash gets a free ride on some important information.

That should mostly protect you. If you want to go a little extra, remember what I’ve said here before: the “mother’s maiden name” sort of thing is bad news... it’s asking you to give a weak, easily discovered password that then provides access to much more sensitive information. Don’t use your mother’s maiden name, and don’t use the last four digits of your SSN. Make up something on your own, so it’s not something that doesn’t change and can be looked up. If you really want to limit exposure, use different variations at different times. Only, either make sure you’ll never forget it, or make sure you’ll never forget your primary passwords. I’ve been tripped up a few times, when I used random garbage for “mother’s maiden name”, thinking that I’d never have to produce it, and then ran into a situation where I did, and, of course, couldn’t.

And, of course, there’s also the other standard, offline advice: opt out of financial junk mail (so thieves can’t steal your “pre-approved” credit-card solicitations from your mailbox or garbage), and order free copies of your credit reports regularly — you can get one free per year from each of the three major credit-reporting companies, so get one every four months, cycling through the three.

What makes true identity theft so nasty is that much of what makes up your “identity” in this sense is immutable information, and immutable information can’t be changed if it’s compromised. You can cancel accounts and get new ones with new numbers, of course. But your name, date of birth, and SSN are things your mostly stuck with, and it’s more or less inconvenient to change your address.

Don’t make it easy on the thieves: keep your Social Security number and other account numbers close to your chest.


Charles said...

Unfortunately, folks on Medicare have to carry their Medicare with them in order to receive medical services (and that is very often).
The Medicare card displays your Social Security number very prominently.

Charles Young

high security shredder said...

Very nice tips on preventing identity theft. If someone does a good job in keeping their information safe they probably won't have to go through any of the non-identity-theft scenarios you described either. But also, everyone make sure to shred (and promptly recycle) anything with personal information that you don't need.

kathy mckee said...

Excerpt from our Prepaid Legal Services coverage plan (we help with the 5 forms of identity theft: motor vehicle, social security, medical, criminal / character and financial id theft):

Identity Restoration Services
In the event a member’s identity is stolen, a trained expert will take the steps to restore his or her name and credit through the following Restoration Services:
• Members can reduce their out-of-pocket expenses and time spent away from work with valuable services from detection to resolution
• Fraud alert notifications will be sent on the member's behalf and applicable fallow up will be done with affected agencies and institutions, including: credit card companies, financial institutions, all three credit repositories, Social Security Administration, Federal Trade Commission, Department of Motor Vehicles, law enforcement personnel, and the U.S. Postal Service
• Proactive searches of applicable local and national data bases will be made on the member's behalf to look for information he or she may not be aware of, including criminal activity in the member's name in his}her county records and certain federal watch lists, Department of Motor Vehicle records in his/her state, unknown addresses affiliated with his{her name, and banking activity in his or her name reported as fraudulent.

Barry Leiba said...

I thought about whether to approve the previous comment, because it's just an advertisement. But in the end I decided that since it's targeted to this post, and is entirely on topic, I'd allow it. Of course, I know nothing about the service that Kathy is offering, so just accept it as an advertisement posted by a commenter, and nothing more.