Identity Theft - Protect Your Information

Identity theft is the unauthorized acquisition of a person's personally identifiable information (PII). The unauthorized acquisition may occur if the individual does not safeguard their own personal information. It may also occur if an organization that stores the PII does not have sufficient or effective security controls.

How safe is your social security number? With your name and birth date, someone may be able to buy your Social Security number on a web site that sells numbers to businesses that conduct background checks. Since many individuals obtained their social security number when they started their first job, all an identity thief needs to do is ask the individual where they were first employed. On June 25, 2011, Social Security changed the Social Security Number assignment process. Prior to that date, an individual's social security number was based upon where they lived. For example, if the individual lived in Wyoming, the first three digits of the social security number were 520. If the person lived in North Carolina, the individual's social security number stared with 232. Bingo, simply by knowing where you first worked, the thief had three of your nine digits. How many times does someone ask for the last four digits of your Social Security Number? Now the thief has seven out of the nine digits. It won't take long to get (or guess) the remaining two digits.

Once your personal information is obtained, identity fraud can occur. Identity fraud examples include:

• Unauthorized use or attempted use of an existing account.
• Unauthorized use or attempted use of PII to open a new account.
• Misuse of personal information for a fraudulent purpose.

Identity Theft Protection For Individuals
By following some basic procedures individuals can help to minimize their risks and protect against identity theft and subsequent identity fraud.

Preparation

• Inventory. Prepare a list that includes account numbers, entity name, expiration date, contact information, etc. This list will come in handy should a wallet be stolen or the person becomes the victim of identity theft.
• Wallet. Only carry the minimum amount of cards and IDs in a wallet. Don't carry a Social Security card in a wallet.
• Credit. When applying for credit ask how the information will be used and with whom it will be shared. If possible, opt-out of the sharing process. Find out how they safeguard personal information.

Using electronic equipment

• Computers. Ensure computers have updated anti-virus (anti-malware) software. Verify the firewall is turned on and active at all times. Make sure the e-mail service has good spam filters. Don't open an e-mail message unless the sender is known.
• Mobile devices. Make sure your smartphone or mobile device requires a password at start up. Follow these additional smartphone security tips.
• Passwords. Choose long and strong passwords that are not easy to guess. Use different passwords for financial accounts so even if one account gets compromised, a thief doesn't have access to other accounts. Do not save (remember) passwords on a computer or mobile device.
• Internet. Many public connections are not secure or do not access financial accounts when using public Wi-Fi hotspots. Or, make sure you have Virtual Private Network (VPN) software such as Nord VPN on your mobile device.
• Social media. Don't disclose a birth date, home address, or other personal information on social media sites.
• Text messages. Consider using software such as Cyber Dust that manages your risks related to text messages. The software can automatically deletes messages after they are read by the recipient, retract messages that were sent, and block recipients from making a screen capture of the message.
• Phone number. Consider software such as Burner that provides disposable phone numbers. The disposable phone number will ring on your phone and the temporary phone number can be discarded when no longer needed.
• Phone calls. Signal software encrypts phone calls so sensitive conversations cannot be heard by others even if they intercept or tap into the call.

Safe habits

• Authentication. Authentication is the processing of identifying yourself, typically via an ID and password, to allow access to a system. The system can be your computer or a web application such as on-line banking. Some systems allow two factor authentication, using two out of three of the following - something you know (e.g. a password), something you have (e.g. a token, card, or code), or something you are (e.g. biometric fingerprint, retina scan, voice). For example, a web site recognizes that you are using a new device (e.g. computer, phone) to access the application. The application then sends a text to your smartphone. You enter you logon credentials (ID and password) plus the code sent to your phone. In the future, the system will recognize the device and won't require the code to be entered. The combination of ID/password plus the code sent to your phone makes it harder for a thief to gain access to your information.
• Phone calls. Hang up if you receive an automated phone call. Don't respond by pushing buttons that may notify the caller that the phone is active. By responding to the automated system you may receive more phone calls or end up on more marketing lists.
• PIN number. Don't use birth dates, street addresses, or zip codes as a PIN number. The more information provided, the easier it is for the bad guys.
• Credit cards. Use one credit card for retail purchases and another for other expenses. This way if a retail credit card is compromised, it doesn't impact other activities. Use credit cards instead of debit cards since a fraudulent debit card transaction is withdrawn out of your account and may take time to be reimbursed.
• Data entry. Ensure someone can't see your PIN, zip code, or password as it is entered.
• Shred. Shred any hard copy materials that contain personally identifiable information. For example, shred pre-approved credit card applications.
• Disposal. Securely dispose of any electronic equipment (e.g. computer hard drives, flash drives, mobile devices, backup media) that has reached the end of its useful life.
• Mail. When away from home for an extended period of time either place a mail hold with the postal service or have a trusted person collect mail. Contact financial institutions and ask that statements not be mailed. Instead, obtain financial statements on-line.
• Social Security. Check Social Security Administration earnings statements on an annual basis to ensure it agrees with other records.

If You Are a Victim of Identity Theft
Take the following steps if you become a victim of identity theft:

• Accounts. Contact the organization that issued you the compromised account number. For example, if your Driver's License Number was obtained by a thief, notify your local Department of Motor Vehicles. Notify your financial institution if a credit card or bank account number was compromised. Close any accounts that were compromised or opened without your permission. Submit a letter to the institutions requesting that they furnish you and your investigating law enforcement agency with copies of documentation including fraudulent applications, transaction records, etc.. Federal law (FCRA § 609(e)) gives you the right to obtain these documents. Bank account information was compromised or set up fraudulently in your name, request your financial institution to report it to ChexSystems, a consumer reporting agency that compiles reports on checking accounts. Put stop payments on any checks not written by you. If your checks are rejected, contact the check verification company that the merchant uses.
• Brokerage accounts. Refer to your account agreement if the thief targeted your brokerage account. Report the compromise to your broker as well as the Securities and Exchange Commission.
• Police Report . Contact your local law enforcement and file a report. Make sure the police report lists the compromised or fraudulent accounts. Get a copy of the report.
• FBI.  File a complaint with the FBI's Internet Crime Complaint Center https://www.ic3.gov/default.aspx
• Identify Theft Resource Center.  The center is a non-profit organization dedicated to helping victims of identity theft.  Contact the center at (888) 400-5530 to receive a remediation plan.
• Identity Theft Report. Contact the Federal Trade Commission (FTC) to file an Identity Theft Affidavit and Identity Theft Report. You may file on-line http://www.consumer.ftc.gov/articles/0277-create-identity-theft-report, by phone 877-438-4338, or by mail to the Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Avenue, Washington DC 20580. Together, the police report and the FTC Identity Theft Affidavit combine to create your Identity Theft Report.
• Credit Agencies. Notify a credit agency (Experian, Equifax, and TransUnion) to put a fraud alert on your account. A fraud alert requires lenders and creditors to take additional steps to verify your identity before extending credit. With a fraud alert you only need to notify one of the credit reporting agencies, they will then notify the other two agencies on your behalf. A stronger alternative is to put a security freeze on your account. A freeze prevents creditors from accessing your credit report. With a security freeze you will need to contact each of the three agencies. Note that you must have evidence of attempts to open fraudulent accounts and an Identity Theft Report to establish a seven-year alert. You may cancel the fraud alerts at any time.
• Specialty reporting agencies.  Banks, credit unions, and other financial institutions use ChexSystems to check on your credit.  You can get a free ChexSystems report once a year at www.chexsystems.com.  The report generally only includes negative information associated with your accounts.  A clean report indicates you have a good record.  In addition to checking your report, you may set up a security freeze which blocks new institutions from obtaining information about you.  Other bank screening agencies include www.earlywarning.com, www.firstdata.com, and www.askcertegy.com. 
• Social Security. If your social security number has been compromised you should contact the Social Security Administration (800) 269-0271. Notify the Social Security Administration Inspector General if you are a victim of Social Security benefit fraud, employment fraud, or welfare fraud.  Create an on-line account at www.ssa.gov even if you are not close to retirement.  This way the bad guys won't be able to create a fraudulent account in your name and use it to apply for benefits.
• Internal Revenue Service. Contact the Internal Revenue Service (800-829-0433) if you believe the thief used your information that resulted in a tax violation. For example, the thief used your social security number to file a tax return and obtain a fraudulent refund. Complete IRS Form 14039, Identity Theft Affidavit.
• Postal Service. Contact the Postal Inspection Service if you believe the thief used U.S. mail to perform identity theft. Also contact the Postal Inspection Service if you believe the thief submitted a false change of address form.
• Debt collectors. Debt collectors may contact you regarding unpaid bills on fraudulent accounts. Obtain the collection company's name, name of the person contacting you, their phone number, and address. Notify the collector that you are a victim of identity fraud and are not responsible for the debt. Ask the collector for the name and contact information of the referring creditor, the amount of the debt, account number, dates of charges, and any additional information. Ask if they will accept the FTC Identity Theft Affidavit. Write a letter to the debt collector firm summarizing the events, actions taken, and confirm that any amounts are not owed by you and that the account has been closed.
• Passwords. Change your passwords for any accounts that have been compromised.
• Documentation. Create a log of all telephone calls, letters written, and action taken. Create a file of all communications and documents. Prepare a list of important dates including deadlines, action items, and follow-up needed.
• Statements. Check your monthly statements to ensure no unauthorized charges were applied to your account.
• Credit Report. Check your credit report on a regular basis.
• Medical records.  The Office for Civil Rights (OCR) portal helps individuals better identify recent breaches of health information.  Visit https://OCRPortal.hhs.gov/ocr/breach for a list of breaches of unsecured protected health information affecting 500 or more individuals.

Report Fraud
A variety of resources are available to you to report fraudulent activities.

• Attorney General.  File a complain with your state Attorney General's office.  You may also want to file a complaint with local law enforcement.
• Consumer Financial Protection Bureau www.consumerfinance.gov/complaint allows complaints to be filed when you have been a victim of ID theft, questionable business practices, loans, banking services, etc.
• Do not Call Registry www.donotcall.gov.  Register up to three phone numbers per e-mail address.  Once you have been registered for 31 days, you can file a complaint on this same site if you receive unwanted phone calls.
• Federal Trade Commission (FTC) report fraud https://reportfraud.ftc.gov. Report identity theft and most types of fraud.  When you file a complaint, keep the reference number they provide you in case you need to contact the FTC with future updates.
• Internet Crime Complaint Center www.ic3.gov/complaint allows you to file complaints regarding Internet based activities including hacking, social engineering (phishing), false e-mails.
• United States Postal Inspection Service postalinspectors.uspis.gov can be used to report mail crimes, theft, vandalism, and identity theft.

Reduce Future Risks
The bad guys will try and find out information about you before they perform identity theft. By reducing the amount of information available, you reduce the likelihood of a future attack.

• Mail fraud. Opt out of unsolicited mail at www.dmachoice.org.
• Credit cards.  Opt out of credit card offers at www.optoutprescreen.com. 
• Internet sites. Sites such as www.familytreenow.com/optout allow you to remove your information.
• E-mail. A national e-mail preference list eMPS allows individuals to remove their e-mail address from national lists. Note, this list is for individuals, not business e-mail addresses. Also, You will continue to receive email from groups or advertisers who do not use eMPS to clean their lists.

Summary
Individuals and organizations need a proactive approach to managing threats related to identity theft, identity fraud, and data breaches. We also offer suggestions on how to protect your business from a security breach that can lead to identity theft.