As I discussed in my last article, there are two major areas of concern when it comes to protecting your identity and preventing theft and fraud.
The first is your paper assets such as financial statements and the digital assets that you manage and control on your personal devices (computers, tablets, smartphones, etc.). The second is the personal information that you have shared with others (mainly online entities) that you do not directly manage or control.
I covered the first area in my last article. So, in this article, I am going to discuss the second: the digital assets that you have shared with, and that are now being managed by, others. “Others” in this case refers mainly to online entities that you do business with via their websites.
The big challenge
The big challenge with preventing identity theft of the digital assets you have shared with others is that they are basically out of your control because you don’t directly manage them on your own devices. These assets consist mainly of the account information and personal data you have shared with online entities such as e-commerce sites, financial institutions, etc.
Take, for example, Amazon. I have Amazon Prime and use it a lot (mostly for books), so I share a lot of personal information with them. Here is what they say on their website about how they protect my information (comments in [brackets] are mine):
We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. [This is what your web browser uses to connect to “secure” web sites.]
We reveal only the last four digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing. [Which is presumably also encrypted.]
It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off when finished using a shared computer. Click here for more information on how to sign off. [I discussed this in the last article.]
As you can see, they use basic things such as SSL encryption (the “lock” icon with https:// in your browser window). That is good, but they don’t get into the details of how they secure the customer data they store on their internal database servers. I’m counting on them to take care of that for me and all their other customers. They’re a big company and have this security stuff figured out, right?
Well, probably not. Most large companies like Amazon do all they can to prevent intrusion and being hacked, but unfortunately, it happens anyway.
Once you set up an account online, even if you don’t use it for financial transactions of any kind, any personal information you provide, and possibly your browsing history as well, become a part of their databases. And as we all know, those databases can be hacked and your information can be stolen.
That’s especially true if the company has been lax in their own internal information security protection measures.
Wikipedia has an entry that attempts to list all documented data breaches. According to that article,
Most breaches occur in North America. It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion. It is estimated that in 2015 alone, 707 million records were exposed as a result of data breaches. Vigilante.pw lists over 1,600 websites which have had their databases breached, containing over 3 billion user entries in total.
The clear message here is that this is a big problem and it is getting bigger. So, the best thing you can do – and this may sound a little crazy – is to assume that a company you do business with will eventually be hacked. Assume that it’s not a matter of if, it’s a matter of when.
How good are their defenses?
For most of my career, I have worked as an IT professional in banking. I have seen first-hand the lengths banks go to to protect your account information. The complexity and costs are staggering. Fortunately, we rarely hear of a major data breach at a financial institution, but it has happened.
I once spoke with the head of information security for one of the banks I worked for. He told me that banks are under continual attack, typically by hackers using very sophisticated methods. Most are from overseas, and they are more capable than you might think.
The hacker’s goal, of course, is to gain access to a company’s data undetected. Fortunately, most attacks are unsuccessful. But sometimes they succeed, and the company only realizes it after the fact. These are the worst kind.
Unless the company knows they’ve been hacked, and communicates that to you, you won’t necessarily know your information has been stolen until it’s too late. Perhaps you’ve received such a notification.
I was notified by letter about a year ago of a breach at a health insurance company that I used to be insured by when I worked for a former employer – a BIG insurance company with a lot of confidential data. There actually wasn’t much that I could do at the time other than remain vigilant and take the company up on their offer of a free credit monitoring service.
Of course, you could just decide not to conduct any activities online whatsoever, in which case your chances of having your information stolen will be much less. But in this day and age, that could make life a little more difficult.
And you still have the problem of paper documents, as I discussed in the last article.
So, if you are going to do business online, you basically have to “trust” the companies you work with. And while you may not be able to prevent a data breach at a company that you do business with, you can be careful about how you do business online and you can be prepared in case something happens.
What you can do
Those interested in impersonating you or breaking into your financial accounts need to get access to personal information such as family names, birth dates, social security numbers, and other account information. So you need to be ever mindful of how you handle that kind of information when you are online. The Federal Trade Commission (FTC) provides a very helpful list of the most effective things you can do to prevent identity theft and/or to minimize the damage if it does happen:
1. Know who you are giving your information to.
The best thing you can do is to make sure you absolutely know who you are sharing your information with online. To be safe, don’t give it out over the phone, through the mail or online unless you initiated the contact or absolutely know who you are dealing with. There are lots of imposters out there waiting to steal your information.
If someone contacts you and they claim that you have an account with them and send you an email asking you to take some action, usually to send them some personal information, DO NOT click on the link in the email as this is most likely a “phishing” attack.
Instead, type the company name into your web browser, go to their site, and contact them directly through customer service. Or, call the customer service number listed on your account statement and ask whether the company really sent such a request. Most reputable companies will never solicit detailed personal information in an email.
2. Keep your browser software updated and secure.
To guard your online financial transactions, make sure you use the built-in encryption capability in your browser to scramble the information you send over the internet. One way to do this for secure sites is to make sure the web address is prefaced with “https://.”
A “lock” icon on the status bar of your internet browser means your information will be safe when it’s transmitted. Look for the lock before you send personal or financial information online.
Keep your browser software at the latest version, which ensures you have the latest security features. If your current computer or operating system doesn’t support it, consider upgrading.
3. Consider putting a temporary “freeze” on your credit.
Remember, we’re going to assume that our identity will eventually be stolen. A thief who has stolen your personal information and attempts to use it to open a new credit account in your name can be prevented from doing so by simply freezing your credit report at the three major credit reporting agencies: Equifax, Experian, and TransUnion.
I recently did this myself directly online and it was very, very easy. (I even received a written confirmation in the mail from one of the agencies.)
This stops the identity thief cold because it makes it impossible to get credit in your name. When your credit report is frozen, no credit applications can be approved.
Admittedly, this can be a minor inconvenience if you need a new credit card or auto loan. But hopefully you Dave Ramsey fans out there who want to live debt free will find such needs to be few and far between.
If you need to, the agencies will give you a special number that will let you unlock your report for a short time.
Even if you freeze your credit report, you should monitor each of the three major credit reporting agencies regularly. You can do this annually for free at annualcreditreport.com. My current version of Quicken actually gives me my credit score.
4. Digitize your recurring bills and bill payments.
Another thing you can do – and I must confess that I’m not there yet – is to consider having all of your recurring bills delivered electronically and pay them online.
This can dramatically reduce the amount of paper you are dealing with that contains information about you and your financial affairs. It may seem a little counter-intuitive since the theft of digital assets is what we are focused on here, but it is actually much easier to steal confidential information from paper (from your mailbox or the trash) than it is online.
I don’t get any financial statements by mail, but I still get a few monthly bills that way and pay them online (with Quicken Bill Pay). I write and mail almost no checks.
My goal is to get to 100% electronic, but I need to make sure I can manage everything in email and with online bill pay as I have found that it is easy to overlook a bill that comes only via email.
5. Regularly monitor all of your financial accounts.
Use your bank’s account alerting services (most banks have them). You can set up alerts for things such as any transaction over a certain amount, or when your balance falls below a certain amount.
If you set up an alert for, say, any transaction in excess of $100, you will be notified in minutes. If you don’t recognize the transaction immediately, you can investigate.
You can also receive daily and weekly account balance emails from your primary checking and savings accounts. If a balance looks suspiciously low, you can investigate it.
6. Opt-out of all prescreened credit card offers.
Consider opting out of prescreened offers of credit and insurance that you receive by mail. You can opt out for 5 years or permanently. To opt out, call 1-888-567-8688 or go to optoutprescreen.com. The 3 nationwide credit reporting companies operate the phone number and website.
I had done this several years ago, but in the last year or so, I started receiving numerous such offers addressed to my wife. So, I went back out and opted out for both of us.
7. Limit the amount of personal information you post on social media sites.
Many of us use various social media sites like Facebook, Twitter, LinkedIn, etc. However, if you post too much information about yourself, an identity thief can find information about your life, use it to answer ‘challenge’ questions on your accounts, and possibly get access to your money and personal information.
Consider limiting access to your networking page to a small group of people. Never post your full name, Social Security number, address, phone number, or account numbers in publicly accessible sites.
8. Closely guard your Social Security number.
One of the most important things you can do is to keep a tight hold on your Social Security number and ask questions before deciding to share it with anyone.
If someone asks you for it, ask if you can use a different kind of identification. Even if the request seems valid, ask them:
- why they need it
- how it will be used
- how they will protect it
- what happens if you don’t share the number
The decision to share is yours. A business may not provide you with a service or benefit if you don’t provide your number. Sometimes you will have to share your number. Your employer and financial institutions need your SSN for wage and tax reporting purposes. A business may ask for your SSN so they can check your credit when you apply for a loan, rent an apartment, or sign up for utility service.
9. Consider purchasing identity protection monitoring and/or theft insurance.
You may be able to purchase an “identity restoration coverage” rider on your homeowner’s insurance, and it tends to be relatively inexpensive. Be sure to look at the liability amounts, as many are at the low end (in the $25,000 to $50,000 range).
Trust and pray
As with many other risks that we face day in and day out, we should do all we can to protect ourselves while recognizing that God is the one who is ultimately in control. So, we must trust Him and pray that He will help us to be vigilant and will protect us from the evils of identity theft.