Internet Security Zone Blog

Because of my identity theft, I'd frozen my credit reports at all three bureaus so no one could apply for credit in my name without unfreezing them.

If you lose the PIN number they give you when you freeze your credit you are in BIG trouble in terms of hassle and wasted time.

It turns out credit card companies do not know in advance, or won't tell you, which bureau they will check your credit on. Or perhaps they check all three. In any event you will need to individually unfreeze your credit lock temporarily at Experian, Equifax, and TransUnion if you need to have your credit checked.

I easily unfroze my credit reports at 2 of the bureaus, using a PIN they had given me. But for the third bureau I could not find my letter with the PIN.

Of course that was the one that the credit card company wanted to check.

This particular bureau has no way to reach humans. I finally was owning up to the fact that I'd have to mail them a certified letter with all the proof that I'm me - when their recording said "include your PIN."

They had no instructions if you don't know your PIN.

Thankfully the letter from them finally appeared stuck in my 3" high stack of identity theft papers.

I gleefully called the credit card company back to say I'd gotten the credit freeze lifted. "Has it been 5 business days since the lift?" the guy asked.

"No 5 minutes." I said.

Call back in 5 days he told me. And so it goes on.

So follow their advice to plan ahead if you're going to need your credit checked. I learned the hard way that YES this is true.

Back in the olden days (a year ago), I would have easily thrown out old non-confidential school documents and work records with ancient addresses on them, instead of shredding them.

However now I know that when you're a victim one identity theft, credit reporting agencies authenticate you by you confirming several old addresses.  Yesterday I bit the bullet and decided to shred a foot high stack of documents.

How do you shred 10 years worth of documents?
Curious if there are shredding services for consumers needing massive amounts of documents destroyed, I searched for "document shredding" and my city. There do seem to be such services around the country.

Some other ideas:

1) If you live in cold climates, there's always the option of making "paper logs" if you have someone to roll up your paper to burn - in your fireplace that is.

2) A company called Shred It had a COMMUNITY SHRED event last year with WalMart, offering free shredding.  They say to contact your local  Shred It to see if this will be going on again.

3) While I would never advocate using your employer's confidential shredding bins to dump your personal files, you might decide that's an option.  :)

What else do you need to shred?
The FTC has a comprehensive laundry list of the kinds of documents you should shred:

"When you discard receipts, copies of credit applications, insurance forms, physician statements, bank checks and statements, expired charge cards, credit offers you get in the mail and mailing labels from magazines, tear or shred them."

The mailing labels from magazines are particularly important to shred, and some magazine websites do not require authentication to change the address. (Yes, believe it or not it's true.)

Recently a friend threw out some checks from a bank account he had closed 10 years earlier. Somehow a dumpster diver found them and ended up using his identity to throw a party in a nearby hotel. Amazingly the police found and arrested the thief.

The bottom line is if someone could find mail and call up the sender to say "Oh I've changed my address. It's XYZ" that could be the start of your identity being stolen. Rather than worry, it's simpler to remove yourself from as many mailing lists as possible then shred all instances of your address. Or to me it is anyway!

I just came across a Washington Post story on the "ID Theft Cycle," which delves into the underworld of online data theft and fraud. It's a useful reminder to beware of websites that you don't know enough about, as far as their data security.

The Post also has a transcript of an online chat with an Associate Director of the Federal Trade Commission, themed Protect Your Identity. A question I hadn't thought about caught my eye:

"What about notifying a company after you've applied for credit that you want them to remove/delete your SSN from their files? Is there any legal basis for forcing them to do this?"

The answer was no.

This is a topic that makes sense for the governmental Identity Theft Task force to address, in addition to the others I wrote about.

Today I was on a website that offers deals for various consumer services. I noticed one related to identity theft so decide to check into the company. The site had was almost no information on who they are. I dug further. While I found out some info, such as that the company is based abroad, I saw no real assurances, track record, or details about how your information would be secured.

Their site says something like:

When you register all your important information with [us], it's safe and secure – and all in one place - your account numbers for insurance policies, investment accounts and bank accounts, and serial numbers of stocks and bonds you own."

When you see that statement by itself, it's a little scary eh? Basically you're storing your crown jewels in their safe.

It's a nice idea. But before you entrust a company:

• Dig into the details and confirm they have a solid track record and testimonials to back up claims of security and service.
• Read the privacy policy. See if the site talks about the actual individuals who manage the company. How do you know it's not a fly by night if no people are named?
• In my view, the more publicly a company operates and exposes their inner workings, the more you can trust them.

A friend told me her credit card bill had more than $10,000 in charges from Google AdWords.

What I'm guessing happened is:

• Someone got her credit card number somehow.
• Set up an AdWords account using her number and name.
• Created ad campaigns and offered to pay extremely high amounts of money for click throughs.
• Set up "dummy" pages with Google AdSense and content that would display their ads.
• Got to work getting those ads clicked numerous times.

It's all theorizing but it seems like the only explanation why credit card thieves would do this - to reliably be able to profit from ads without a third-party advertiser crying click fraud.

Now, how do they expect to collect that money without Google busting them?

ZoneAlarm Internet Security Suite and Pro 6.5 users - make sure you've signed up for your free Card Theft services!

The national task force on identity theft, formed this May, has announced some interim recommendations to help combat identity theft and help victims recover. (Here's the full enchilada in PDF form.)

The final recommendations are scheduled for November.

My Thoughts

As an identity theft victim, I think the promising recommendations include

• issuing to all federal agencies a Task Force memorandum, which covers the factors that should govern whether and how to give notice to affected individuals in the event of a government agency data breach, and the factors that should be considered in deciding whether to offer services such as free credit monitoring
• development of a “universal police report” that an identity theft victim can complete online, print and take to a local law enforcement agency, that also submits to the FTC's identity theft database.
• that Congress...require that defendants pay identity theft victims for the value of their lost time.
  
  Q: Will this include the government paying victims if their laptops are stolen with unencrypted data and/or people who are responsible for systems that are breached - that can result in identity fraud?

It has been interesting thinking what I'd like to see in the final report. I'm noticing my thoughts skew toward federal level legislation. (Well it's interesting to me since I try to avoid thinking about law making as much as possible!)

• Rules governing information that gets changed by credit bureaus without notifying the consumer. Here I go harping again: It should take a Herculean effort for a consumer to change his or her birth date on a credit report.
• Laws related to the post office - such as requiring keeping changed addresses on file longer, so as not to deliver offers of credit to an old address.
• Laws regarding whether states can post people's SSNs on websites instead of letting individuals at the state department levels decide. (If you disagree I'm guessing you haven't been an identity theft victim yet!)
• Laws regarding allowing consumers to freeze credit. Right now only a few states allow this. If the credit reports develop an automated system for temorarily removing the freezes - such as if you need to have your credit score checked - this could eliminate some concerns. OK it wouldn't eliminate the concerns of entities wanting to extend offers of credit, but at this point, I'm thinking of consumer protection.

Concepts on which I'm unclear:

• "Improving Agencies’ Ability to Respond to Data Breaches in the Government: In order to allow agencies to quickly respond to any data breaches, including by sharing information about those who may be affected with other agencies and entities that can assist in the response to the breach, all federal agencies should publish a “routine use” for their systems of records under the Privacy Act that would allow for the disclosure of such information in the course of responding to a breach of federal data."
  
  What?

It will be interesting to see how this all turns out but it is refreshing that identity theft is getting such attention.

If you've ever donated or sold one of your cell phones or smartphones, the TechNewsWorld article "Used Cell Phones May Reveal First Owners' Personal Data" may make you gulp.

"Selling your old phone once you upgrade to a fancier model can be like handing over your diaries. All sorts of sensitive information pile up inside our cell phones, and deleting it may be more difficult than you think."

Reference this useful article with links on Wiping Your Cellphone Clean of Personal Data for Blackberries, Treos and more.

I'm sitting in my favorite cafe, and a guy asks if he can plug in his cell phone.

He asks my first name. I tell him.
He asks my birthday. I tell him the month.
He asks the day. I asked why but for some reason told him.

He tells me he's an artist, had been traveling and said I was the first person he'd met upon his return. Based on my birthday, he interpreted what his day would be like. (We ARE in California after all.)

He then asks my last name. I declined to tell him, stating that I'm in the witness protection program. I always find that line gets people to stop asking too-personal questions.

First name, last name, birthdate?

Be careful what you tell strangers. The search for much more personal information on you is only a web search away. :(