Monday, July 30, 2007

Answers About ID Theft

What is “Identity Theft?”

Identity theft is a slippery subject. The words conjure up images of body snatchers and zombies from old movies. The connotations are very negative.

The news media likes the term, because it is sensational. And so, they use it fairly indiscriminately. I saw a story recently titled, Laptop Thefts: The Latest Form Of Identity Theft. I've also seen purse snatching and dumpster diving described as Identity Theft.

Opportunistic business people have grabbed on to the term also. There are more than a few companies hyping the “problem,” and offering various products and services to deal with it. Ironically, or is it predictably, many of these products are regarded by the experts as being overpriced and unnecessary.

Identity theft occurs when a fraud or other crime is committed by a person masquerading as someone they are not. The person being masqueraded is the victim of identity theft, assuming they are not involved in the fraud.

It's a big problem, isn't it?

In one sense it is. For example, I bet many people listening to us have been or will be victims of Identity Theft. A couple of years ago, I was. Someone charged an expensive plasma TV at a store in the UK using a counterfeit copy of one of my credit cards.

On the other hand, I would much rather be the victim of identity theft than the victim of the fraud. All I had to do was call the credit card company and explain that the charge was not mine. The store was left holding the bag. They were out several thousand dollars after the credit card company reversed the credit.

In most cases the identity theft victim suffers no loss and no out-of-pocket expenses. However, in some cases, people are denied loans, miss out on promotions, and/or are falsely arrested for crimes. A large portion of all ID thefts are done by family members. And in many of those cases, the victim will pay the bills rather than have their family member arrested and prosecuted.

What are people doing to protect themselves from ID theft?

It varies. As I said, there are products and services available. Some people have bought ID theft insurance. Stand-alone ID theft insurance is relatively expensive. If you have homeowner's or renter's insurance, you can get an ID theft insurance rider for a fraction of the cost.

You can contact each of the credit bureaus and put an alert on your information requesting that no credit be extended to your name without contacting you. If you live in Texas or California, you can put a freeze on your credit report. But credit card companies are famous for sending out pre-approved credit cards to people in spite of these alerts. And these can be grabbed by family members or somebody looking in your mailbox. You can go to optoutprescreen.com to opt-out of such mailings. This is supposed to work like the “do not call” registry.

Some companies sell services designed to handle the work involved putting alerts on credit reports, opting out of pre-approved credit cards and requesting your annual free credit report.... On the one hand, these services are pricey. On the other hand, they make sure the right things get done.

Increasingly people are shredding their bills and papers before they throw them out.

Some people avoid online shopping and online banking. But, experts say that online shopping and banking is more secure than providing your credit cards, checks, deposit slips, etc. to clerks and tellers in the real world.

Most people don't do anything intentionally to avoid identity theft, except worry about it.

Fortunately, however, many of us are doing the right thing in terms of protecting our computers from hackers, viruses and malware. In doing so, we are also making it difficult for the bad guys to steal our usernames, passwords, account numbers, etc. Many of us know better than to open emails from people we do not know. Many of us know better than to click on browser pop-ups that tell us we've won a prize.

Do these steps work?

Under specific scenarios they work. Shredding your trash will protect you from dumpster divers. ID theft insurance does only what the fine print says it will, which is generally not much. Credit monitoring services remember for you and provide you with credit reports. But no anti-virus program will stop every virus. And none of these steps will protect you if your name and social security number are stolen or lost by an employee at your bank, your doctor's office, the government ...

What else should people do?

Protection is the best Prevention. Do what you can to protect your personal information from being discovered.

Use a firewall and antivirus software. Download and install security patches and upgrades for your computer software. Security patches can be downloaded and installed automatically. Upgrades usually are not automatic. For example, Internet Explorer 7.0 is something you have to choose to install, and you should. Browser security is a big problem nowadays.

Usernames and Passwords are the only security we have on most of our online identities. And most of us have not followed best practices in terms of selecting them, keeping them safe and changing them regularly. Most people choose usernames and passwords that are easy to remember easy, rather than secure. Most people choose a small number of usernames and passwords that they use for many different accounts and identities. Many people never change their passwords. Many people have their usernames and passwords written on paper beside their computers or in an unencrypted document on their computer.

I use a tool that generates long random passwords and stores them in an encrypted database. It is called KeePass. It is free software. You can get it at keepass.info. I have it on a USB flash drive that I always carry with me on my keychain, so I don't have to remember all those unintelligible strings. I copy and paste them into the login fields on the different web sites I visit. Click here to read my Gimme KeePass.

But, no matter what you do, even if you do everything you can, you still might become a victim of identity theft.

Why is this such a murky issue?

I think it has to do with the nature of the crime. There is lots of information out in the world about each of us, but our identity is not stolen until somebody poses as us. We are not going to know when that happens except after the fact. Even then, we may never know for sure.

For example, many instances of “identity theft” are nothing of the kind. If/when you see a large wire transfer of funds out of your bank account that you did not order, and you call the bank and report it, the bank will restore your funds and investigate the matter. Chances are good that you will not hear anything from the bank about the results of their investigation. You'll never know if somebody hacked your computer and got your account information, if the Russian mob hacked the bank's systems, if a bank employee pulled an inside job or if it was an innocent keypunching error. The bank is not going to tell for fear of revealing something about its security systems and for fear of eroding confidence.

At the same time, the fight against ID theft is the only weapon that financial institutions can publicly wield against certain frauds, so even if it was only a typographical error, the bank is okay with having you think it was ID theft.

Does it make sense to fight ID theft in order to defeat electronic financial fraud?

This is a not a war with only one front. There is an overt war on ID theft and there is a covert war on electronic financial fraud. At the same time, I am not sure that the covert war is being fought in a way that helps the fight against ID theft.

What do you mean?

The frauds associated with ID thefts tend to be relatively small, around $5,000 while a hacker gaining access to its systems can cost a financial institution millions. These institutions are certainly doing everything they can to prevent big losses.

In terms of battling ID theft, I am not sure that the banks and credit card companies are doing their share. Charge cards are so profitable that banks and charge card companies are not going to take steps to prevent the fraud associated with ID theft if that might reduce the overall profitability of the cards.

  • Consider that the banks and credit card companies are usually able to avoid the losses arising from fraudulent card charges by reversing the payments to the merchants.
  • Consider also that many of these fraudulent charges are done by family members, and the card holders end up paying them anyway.
  • Finally, many of the institutions selling ID theft products and services are financial institutions.

So, the banks and charge card companies have little incentive to pursue their side of ID theft. At the same time, the merchants lack the resources and the information to pursue the bad guys. Ultimately, the losses associated with ID theft are passed on to consumers in the form of higher prices.

What does the future hold?

The war against ID theft will not be won without the concerted efforts of financial institutions. They are the only players in the game that can see the big picture. If there is an organized ring that is counterfeiting credit cards, the banks and credit card companies will know, but merchants and consumers will not.

Unless merchants or regulators force them into the game, identity theft will be a continuing problem. Unfortunately I don't see that happening.

What's your final word?

ID theft will be with us for a long time. It is not going to go away soon. Your vulnerability has more to do with your relatives, muggers and thieves than it does with electronic privacy and security. Electronic information and transactions are relatively safe because they are generally protected. So I want people to adopt best practices for safeguarding your computer and your network. Use a firewall, antivirus software, download and install software patches and upgrades, and be smart about opening suspicious emails and browser links.

Monitor your credit reports and financial accounts. Take action quickly when you see something that you do not recognize.

Finally, I want everyone to improve the security of the usernames and passwords they have for online access to all their accounts. Increase the complexity of your passwords, use different passwords for each of the different accounts you have, and periodically change your passwords. Check out Keepass to help get you on the right path.

For further information, go to bbbonline.org and idtheft.gov.

1 comment:

Danny y said...

Thanks for sharing this blog. I got lot of information from this blog. It is a great and very instructive blog. Do u know about hearing dealers in Bangalore