Archive for the ‘ID Theft’ Category

You just received a breach disclosure letter. Their systems were "compromised". Now what? Do you call the police, close all your bank accounts and change your credit card numbers, file the letter and hope for the best?

The first thing is to take a deep breath. Breach disclosure letters can be intimidating but don’t panic. Take the time to figure out what, if anything, you should do. Read the disclosure letter itself very carefully. The disclosure letter should have some details about the breach. It may be enough to show that the breach didn’t apply to you. (I got a letter recently about my son’s medical information. Based on the dates in the letter, I knew that the breach couldn’t have affected him.) If you want more information, look on the internet. Check out the company’s website but also look for independent news reports. Be cautious about the blogs and other unverified sources, though. Look specifically to see what information is at risk. Also try to figure out whether the information was stolen or merely lost. If it was stolen, the odds are much higher that the information will be misused.

If you think it was stolen, start watching your accounts carefully, especially if the compromised information included bank or credit card numbers. Check those accounts online daily, looking for unauthorized transactions. If you see something suspicious, call your bank immediately.

If you haven’t done so recently, request a copy of your credit report. You should be in the habit of checking it regularly. Be extra vigilant for a cycle or two after receiving a breach disclosure letter. If the thief is going to abuse your account, it will probably only be for a few large transactions sometime within 3-6 months of the theft.

If your Social Security number has been compromised, strongly consider calling the three major credit bureaus to put a fraud alert on your records. When reviewing your credit report, look particularly for new accounts opened in your name. If you feel you’re at a particularly high risk, you can also implement security freeze, though the costs may outweigh the protections for most people.

If the breach disclosure letter says that you are eligible for credit monitoring, think about that. Personally, I don’t believe they will do anything for me that I’m not already doing for myself for free since I already monitor my credit report. I don’t want to put my personal information in the hands of yet another company just so they can do the same thing. Worse, some of these monitoring services put into the contract that they will automatically renew you (for fee) when the free period runs out. I don’t want to have to remember to turn off the monitoring in a year. But if monitoring will help you sleep better at night, consider it.

Finally, if you’re an actual victim of identity theft ( not just credit card fraud), you do want to call the police and file a police report according to Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. Keep a copy of the police report for your records. You’ll need it to prove your innocence as you attempt to clean up your credit reports. Follow the instructions at the credit reporting agency’s website to dispute incorrect information.

It’s hard to believe that it’s almost Memorial Day and that people will start leaving for summer vacations soon. Please take appropriate precautions both before you leave and while you’re on your vacation to reduce your risk of fraud and identity theft.

Before you leave:

  1. Clean out your wallet.
    • Use traveler’s checks or credit cards for payment. Leave your checkbook at home.
    • Leave your debit card(s) at home. Under federal law, your liability is limited if your credit card is misused. If your debit card is stolen, you could lose all the money in your checking account.
    • Take an ATM card that does not have debit card privileges. Your bank should be able to issue you an "ATM only" card.
    • Never carry your Social Security card in your wallet.
    • Leave any unneeded credit cards and any other unnecessary documents at home.
  2. Photocopy your wallet and keep the copy in a safe place. If your wallet is stolen, the copies will tell you who to call to get your cards canceled. Note: If you will be gone for a long time, consider leaving a copy with someone you trust who can help you cancel the cards while you’re still on the road.
  3. Stop your newspaper delivery and have the Post Office hold your mail (or ask a trusted neighbor to collect them for you). The bills and account statements in your unlocked mailbox are a goldmine for an identity thief. And the packages and newspapers piling up on your front step are a sure sign to a burglar that you are away.

While on your vacation:

  • Don’t leave your wallet, passport or any identifying documents in your hotel room unattended. Use the hotel safe if it’s available.
  • Keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.
  • Guard your credit card receipts and rental car agreements, especially if they contain your full credit card number or driver’s license number.
  • Use ATMs at banks or credit unions and which are in well-lit areas.
  • If you are taking your laptop with you, be very careful when using it for on-line banking and other password-protected services, especially if you are connecting to a wireless hotspot.
  • Be equally cautious of cyber-cafes and other public-access internet facilities. Anyone could have left a keystroke logger on the machine in order to capture your ID and password.

By the way, there will be no InfoSec Tip next week. Have a safe holiday.

Most states have passed "credit freeze" laws, allowing individual consumers to lock their credit reports and, in theory, reducing their vulnerability to identity theft. While the credit freeze is in place, the credit reporting agency may not give out your credit report unless you explicitly grant permission and confirm your identity using a PIN or password. This makes it harder for the identity thief to open an new account or to get new credit in your name.

Even if your state does not have a credit freeze law, the three major credit reporting agencies now offer freezes voluntarily. To institute a credit freeze, you generally need to send a written request to each of the three major credit reporting agencies. The specific instructions vary from state to state. You can find links to each state’s instructions at The states allow the credit reporting agency to impose a fee to initiate the freeze (usually $5-10 per credit reporting agency but often free to confirmed victims of identity theft) .

If you do freeze your credit report, you will have to lift the freeze whenever you want credit. Under almost all the state laws, you’ll have to pay again each time you want the freeze lifted. This can make opening a new account or even changing your existing service more difficult and expensive. When you apply for the freeze, you will be given the instructions and PIN needed to lift the freeze. In some cases, you’ll have to lift the freeze yourself – in others, you might be able to authorize the merchant to do it for you. Either way, it will take some extra time. It will also make you ineligible for “instant credit” unless you lift the freeze before going to the store.

The credit freeze laws have implications for businesses that use credit reports for purposes other than lending (such as evaluating underwriting risk). Unless the state law has explicitly carved out that usage as allowed (and many but not all states did for underwriting), the business should expect extra paperwork and several extra steps in the process to get permission to view the consumer’s credit report. The law varies from state to state. Check with your corporate counsel for details.

As a consumer, you should also know that a credit freeze will not necessarily keep you safe from identity theft. While most reputable creditors will check your report before issuing credit, some don’t. Identity thieves can still exploit those situations, knowing that you will have to pay the consequences. A credit freeze also will not protect you from exploitation of existing accounts.

If you are at increased risk of identity theft and already have a house, car, phone service and the credit cards you need and you see no near-term need to refinance any of them, a credit freeze might be appropriate for you. If you have few risk factors or will need to legitimately seek credit for yourself soon, a credit freeze could be more trouble than it’s worth. Personally, I do not have a credit freeze on my account. I take normal precautions to make my identity hard to steal in the first place (I have a shredder and use it, I don’t leave financial documents like credit card bills on the kitchen counter, I don’t keep my SSN in my wallet, I use strong passwords, etc) and I check my credit report regularly. To me, the incremental protection of a credit freeze is not now worth the extra hassle and expense.

My brother-in-law had his wallet stolen over the weekend. In the interest of learning from the misfortunes of others, here are some things to think about.

  1. Never, never, never carry your Social Security card in your wallet.
  2. Photocopy your wallet about once a year. Lay the contents out on a copier (front and back) so you have a record of all the cards and contact numbers.
  3. Only carry the cards that you use on a regular basis. Leave the rest in a safe place at home. If you have bills set up to auto-pay by credit card, use a card that you leave home. Otherwise, you’ll have to change all those accounts when the card is cancelled.
  4. When your wallet is lost or stolen, immediately call the financial institutions and start canceling the cards that were lost.
  5. Call the three credit reporting agencies and put a fraud alert on your account. Consider putting a credit freeze on your account. (A fraud alert is free but must be renewed in 90 days. A credit freeze will typically cost $10 and requires extra effort to have lifted when you want to apply for credit legitimately but it provides somewhat better protection.)
  6. If you haven’t reviewed your credit report lately, do it now. Follow the instructions at

Police advise men to keep the wallet in their front trouser pocket, not a jacket pocket and definitely not a rear pocket. Police advise women to keep their purse with them and to carry it on their strong-hand side (if you’re right-handed, carry it on your right shoulder).

If you’re traveling, keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

This Tip was first run in March 2007. This "encore tip" is an annual reminder to check your credit report.

This is your annual reminder to request your credit report. Under the Fair and Accurate Credit Transactions Act (FACTA), every consumer is eligible for a free copy of his/her credit report every 12 months. Follow the instructions at to request your credit report from each of the three major credit reporting agencies.

When reviewing the credit reports, look for:

  • adverse actions on your accounts that might indicate that you have been a victim of identity theft
  • accounts that have been opened in your name without your knowledge. Even if the identity thief is making the payments regularly, the account could still be in use for illegal activities.

If you find a discrepancy, follow the specific instructions on the website to dispute any incorrect information.

Don’t forget to check the credit reports of your immediate family members, especially minor children and dependent elders. Both of those groups are at elevated risk of identity theft.

Remember that you are also eligible for a report every 12 months from any of the specialty agencies which have information about you.

If you want more frequent feedback on your credit history, consider asking for your free copy from only one of the major credit reporting agencies at a time. Space the requests for the other two agencies out every four months. For example, you could ask for your free copy from Experian in March, your free copy from TransUnion in July and your free copy from Equifax in November. Once you start, you will have to keep the same rotating pattern. Schedule the requests on your calendar.