The Roots of Identity Theft

Identity theft does not occur serendipitously.

There are many points of responsibility.

Let’s examine these areas:

POINTS WHERE YOU ARE RESPONSIBLE

 

1. Your personal information. 

Yep, if you are a person, you have identifying information – this covers everyone. So, invest in yourself throughout your life in a positive way. Do this so that you want to continue to identify as you and only you and don’t become a criminal in the future stealing someone else’s identity, including mine (thanks!).

2. Where you store personal information.

Where do you store the personal information that you have control over? Personal information includes social security number, date of birth, address, financial information (credit card, bank, etc.). Do you store this sensitive data in a locked filing cabinet or drawer, a safe, etc.? You are responsible at this point for making sure that your information and your dependents’ information is kept in a safe place. What might not be a safe place? Top of refrigerator, in a pile, thrown in the trash (without shredding), vehicle, a computer – yes, I would categorize a computer as not a safe place. You must be very diligent in how you store information on the computer. Good rule of thumb – if it is on the computer, the whole world may be able to access the information.

3. With whom do you share personal information?

If you remember nothing else – remember this – just because an official-looking document, or an official-looking person, or an official-looking place asks you for your (or your dependents’) social security number – DOES NOT MEAN TO HAND IT OVER. (Side note – When we see stories about identity theft there is inevitably a picture of a scary masked person hunched over a computer in a dark room looking up to no good. Well, guess what. Nice-looking people and places can steal your identity too – or at least not be protecting it as they should.) While there are many places that will ask you for personal information, that DOES NOT MEAN IT IS REQUIRED. (Then why do they ask for it? Because they can. Not because they should.) So, always – ALWAYS – ask why the personal information is required (chances are, it’s not). Better yet, do your homework and decide if the entity must be provided the information.

WHEN AN ENTITY IS RESPONSIBLE FOR YOUR INFORMATION

4. Who collects personal information?

We’ll term “an entity” as many things here – business, doctor’s office, school, non-profit, hotel, church, etc. When an entity asks for personal information, it had better be necessary. If necessary, mechanisms and protocol to protect the personal information it has now assumed responsibility for must also be in place.

5. When personal information is compromised, who suffers?

If personal information that an entity holds is accessed fraudulently, that simply means that the appropriate safeguards were not in place – otherwise, the information would not have been accessed. Guess what an entity loses? The ability to call themselves a victim. Here, the true victims are the people who entrusted their information only to find themselves at risk. Instead, an entity can explore the definition of accessory to a crime.

6. When do you break the news?

If and when personal information that an entity has is compromised, report it immediately. Three months down the road, timed to favor your preferred sequence of events so that you can plan which à la carte canned response to give to the crisis, is not immediately.

7. Practice safeguards on both sides of the transaction.

This is a biggie. Read this one twice. Not only should an entity closely monitor the personal information it has, it should vet the personal information it receives during a transaction. Stolen personal information has no value to a criminal if it cannot be used to access goods and services. 

Integrating the latest in technology into the stream of the engagement process (with customers) – including point-of-sale – without any understanding of the technology itself can infinitely increase the chance of personal information being accessed and fraudulent personal information being used.

 

photo by Marta Tycinska

 

The Fun Never Ends

Identity theft has become a way of life. In its latest mass resurgence, Equifax admitted that “unauthorized access occurred from mid-May through July 2017” ("Equifax Announces Cybersecurity Incident," 2017). At this point, entities that "experience" these breaches are not victims, but rather part of the problem. Proper safeguards must be in place in order to conduct business.


Not only is the Equifax breach disturbing because of the sheer volume, “impacting approximately 143 million U.S. consumers,” but Equifax is a credit bureau ("Equifax Announces Cybersecurity Incident," 2017). Consumers cannot win. What power does a credit bureau wield? “While credit bureaus don't actually make lending decisions, they are very powerful institutions in finance and the information contained in their individual reports can have a substantial impact on an individual's financial future” ("Credit Bureau," n.d.). So, here we have an institution that is collecting and reporting information on us - impacting some of the biggest events in our lives (at least financial) - yet, as demonstrated by this latest instance, it is 100% inept.


This breach was only a matter of time, as Equifax is not the only credit bureau that has had data it was entrusted to protect breached. In 2015, Experian announced that one of its business units had been breached.


Who is responsible for monitoring credit bureaus? In 2012, “The Consumer Financial Protection Bureau (CFPB) adopted a rule ... to begin supervising larger consumer reporting agencies, which include what are popularly called credit bureaus or credit reporting companies. This is the first time these companies will be supervised at the federal level" ("CFPB to Supervise," 2012). I am curious what this supervisory role has entailed. Clearly, protecting consumers has not been a responsibility taken seriously.


 

Resources:

CFPB to Supervise Credit Reporting. (2012, July 16). Retrieved from https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-to-superivse-credit-reporting/

Credit Bureau. (n.d.). Retrieved from http://www.investopedia.com/terms/c/creditbureau.asp

Equifax Announces Cybersecurity Incident Involving Consumer Information. (2017, September 7). Retrieved from https://www.equifaxsecurity2017.com. 

 

 

photo by Jeremy Thompson

 

Rose-Colored Glasses for All

The lens that we currently view identity theft through is wrong. Especially when it comes to monitoring services. While I will never discourage anyone from being proactive about monitoring his or her data, it’s simply not an all-or-nothing game. As I mentioned in a previous post – not all transactions can be captured (nor all at once).

My point is not to dismiss being diligent about your data, but to be clear about what is really being monitored. It is simply a way to feel like you have some control over something you have little or no control over.

Under the guise of tracking fraudulent activity, what monitoring programs are truly capturing are instances of gross inefficiencies in our transactional systems.

Entities are failing us in three ways: not protecting the data that you have entrusted to them, participating in fraudulent transactions, and positioning themselves as victims and looking to you to buttress their inadequacies. And consumers have unquestionably accepted this burdensome responsibility.

This current view is not working. Until identity theft is no longer tolerated as being shouldered by consumers, it will continue to be an insurmountable threat and one that will drain resources.

 

        photo courtesy of Derek Gavey

Times New Roman Does No Wrong

Last week, while running errands, I stopped inside a store to pay a bill and had to sign in first. I had been in this store before and knew the drill - type your name and toggle through the options that best explain your visit. I filled in the information as I told myself next time to save this hassle and mail my payment.

As I finished, I looked around for a good place to awkwardly stand until my name was called.

"Steve M."

A customer service representative came to the lobby to greet next-in-line customer "Steve M."

"What?!," a group of people waiting at the front of the store declared. "We have been waiting and now two people have been called before us!"

Their patience was gone and Steve M. didn't recuse and seemed excited at his good fortune of skipping ahead of the line. I looked at the CSR to see what action she would take.

She just shrugged her shoulders and assured the group that they would be waited on next.

Back at the service counter I heard the CSR confide in Steve M. that she didn't know what the deal was that caused the situation; she was just doing what the computer told her to do and according to it, Steve M. was next.

And therein lies the problem.

Computer content is developed by humans. Sure, maybe there is a computer program that is programmed to "think for itself" - but that ability is created by humans. No chicken or egg question here.

Therefore, content generated by technology or populated by input is subject to human error and must be scrutinized. However, there is some type of phenomenon whereby, despite the repeated occurrences and mounting evidence of technology vulnerabilities, people continue to put much trust in the information that is captured on a screen. Even though no one ever seems to know for certain where the information goes or where it comes from. Somewhere in a cloud or something, right? Sure. OK. Sounds cool and works for me.

While being skipped in line may land in the minor inconvenience end of the spectrum of life, there are certainly more serious ramifications that can occur if due diligence is not practiced in scrutinizing information and questioning data and processes.

 

photo courtesy of interestedbystandr

Business as Usual

Despite the threat of identity theft, I am surprised at the number of places that continue to ask for a social security number.

Some (a FEW) do need it. For example, filing your taxes. Some (a LOT) do not need it. For example, a doctor’s office – the exception being people on Medicare since your ID number is your social security number followed by a code. Consumer Reports provides a good overview in “Why you shouldn't give your doctor your Social Security number” (Umansky, 2015).

Other places that do not need it are schools - this includes providing your child's SSN and your SSN. According to a fact sheet issued by the U.S. Department of Justice and the U.S. Department of Education, "A school district may not prevent your child from enrolling in or attending school if you choose not to provide your child’s social security number."

A good rule of thumb is to leave the SSN space blank or, if you are asked in person for it, tell them “no.” Frankly, I think an even better idea is for places not to ask for it if it is not necessary in the first place. If you are questioned for not providing the SSN, do your research to ensure it is legally required; otherwise, do not provide it.

References:

U.S. Department of Justice (n.d.). Fact Sheet: Information on the Rights of All Children to Enroll in School. Retrieved from https://www.justice.gov/sites/default/files/crt/legacy/2014/05/08/plylerfact.pdf

Umansky, D. (2015, February 10). Why you shouldn't give your doctor your Social Security number. Retrieved from http://www.consumerreports.org/cro/news/2015/02/why-you-shouldn-t-giver-your-doctor-or-hospital-your-social-security-number/index.htm

 

photo courtesy of sboneham

 

 

Offering Free Credit Monitoring Does Not Make It All Better

Offering free credit monitoring seems to be the go-to canned response to every breach, data hack, and the like – as if it is the solution to right the wrong.

But credit monitoring does little to help anyone who has had his or her information compromised. You are not providing any ounce of protection at this point. No, at this point you have provided a disservice by not initially protecting the personal information that you hold in the first place.

All credit monitoring does is keep tabs on the status of an individual’s credit and is intended to send alerts when there is activity – which is all well and good, but knowing that the information has already been compromised, what if a victim’s credit is used by a criminal, for instance an account is established at a store where it wasn’t authorized? Now what will the victim do?

While credit monitoring can alert you to the first instance of fraud in order to try to stop the activity in its tracks and give good reason to freeze credit if not done so already, keep in mind that not all instances where a social security number could be fraudulently used will necessarily show up on the traditional credit reports (Experian, Equifax and TransUnion). These can include tax returns, health care services (which only show up if there is a payment due that goes into default after 180 days) (Karp, 2015) and bank accounts (ONeil, 2015). Furthermore, if it is a child’s social security number that is compromised, chances are they do not have a credit report to monitor – unless the criminal creates one for them by utilizing the child’s information as their own.

Once information is stolen there is not a 100% foolproof protection option to put in place. And, if the credit monitoring service includes someone “helping” if credit is fraudulently accessed, the last thing a victim may want is yet someone else with his or her hands in their personal matters; they may be inclined to fix the mess themselves.

Credit can be monitored all day long, but how are entities who do not have the proper safeguards implemented and allow the information to be accessed going to help once the bad guys get the data? They aren’t going to – instead pointing to the free credit monitoring – which virtually means nothing to the victim. In this day and age, consumers should be monitoring their credit regardless of whether they are a victim of identity theft.

Offering free credit monitoring as a consolation for ineptness isn’t doing anyone any favors and instead signals a weak public relations move. Alternatively, assume some accountability and do a better job of preemptively monitoring and securing the data that you have been entrusted to protect.



References:

Karp, G. (2015). Protect your medical records from identity theft. Chicago Tribune. Retrieved from http://www.chicagotribune.com/business/sc-cons-0416-karpspend-20150413-column.html

ONeil, E. (2015). Do Checking Accounts Affect Your Credit? About Money. Retrieved from http://banking.about.com/od/creditscoresandreporting/a/checking-accounts-affect-credit.htm

 

 

 

 

 

A Purse or Wallet is Not a Safe

Last night I had a dream that my purse was stolen. I went to visit someone, parked out front of a house and left my purse in the car since I was just running in for a minute. While I would never think of leaving my purse in my car – one minute or not – apparently I didn’t question this action in my dream state.

My dream continued when I went to leave and not only was my car gone, but so was my purse. Double whammy. I had to remember all of the information I kept in my purse and contact all of the companies and get everything shutdown, re-issued, etc. Since my cell phone was in my purse I couldn’t even use it to start the process. And, I remember the sinking feeling of knowing some thief had their hands on my personal information. Although I have lived this reality, albeit not by a purse theft, this was more like a nightmare!

When I woke up, I was relieved that it was just a dream, but it is a good reminder to be careful of what you carry in your purse or wallet if it is ever misplaced or stolen.

Do you know what is in your purse or wallet? If you lost yours, do you have a list of contact information so that you could minimize the damage and take care of everything immediately?

While modern times have brought along with it modern ways to steal identities, the old-fashioned purse or wallet stealing is alive and well. 

According to the Dallas Police Department, one of the most reported types of property crime involves the theft of a purse or wallet (http://www.dallaspolice.net/content/11/66/uploads/pursewallettheftpreventiontips.pdf).

Although you probably don’t think it will ever happen to you, consider the following:

1) Clean out your purse or wallet and be aware of the important information you carry around with you and what could happen if it got in the wrong hands.

2) Never carry anything that contains your social security number. These items can be stored in a safe place – a purse or wallet is not a safe place.

3) Consider only carrying around necessary cards and identification – do you really need to always carry around every credit or debit card you have? The same can be said about your insurance or prescription cards; you might want to consider storing these in a safe place and only accessing them when necessary.

There are also thieves who do not steal your actual purse or wallet, but will sift through it and take pictures of credit card numbers and other pertinent personal information. You can never be too careful, so be aware of what you carry with you and take the time to be proactive and in control of the information important to you and your family and how you protect it – so my nightmare doesn’t become your reality.

 

photo by donna sutton

The Unhackable is Unthinkable

Is there any entity that exists that cannot be hacked?

Even one of the three largest credit reporting agencies in the United States – Experian – that holds millions upon millions worth of consumer data: yep, hacked.

Global information services group Experian announced Thursday that one of its business units had been hacked. The breach occurred on a server that contained data on behalf of one of its clients, T-Mobile. The data includes personal information for a combination of about 15 million customers and applicants in the U.S. who at one point may have applied for T-Mobile service. The company said that the incident did not impact its own consumer credit database (Source: Nasr, R., CNBC NEWS, 1 Oct 2015).

Am I supposed to be comforted by Experian’s statement that the breach did not impact its own consumer credit database? Here is a company that according to its website “…help businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making.” Is it opposite day at Experian? In addition to Experian being responsible for massive amounts of consumer data, let’s underline the fact they sell identity theft protection. Yet Experian is so inept they cannot prevent identity theft within their own system.

I have not heard much about this occurrence, in fact hardly anything. When in reality, there should be uproar. These organizations have zero accountability. Even when our own government data is hacked, let’s say the bar has not been set real high.

Who can you trust to safeguard your information? At this point, I think it is safe to bet that you can trust no one to safeguard your information.

It is clear we have no idea what we are doing when it comes to utilizing technology. And by continuing to roll out and adopt the latest in technology that they do not understand, organizations and the like are continually putting us at real risk. Yet, what is their risk?

If you aren’t 100% certain the data you collect is protected – then your organization should not be utilizing technology it does not fully understand. We are too far into these discussions and awareness of security issues for an organization to claim they are a “victim”, or for this to be occurring at all. It’s high time that organizations are held accountable – both organizations that allow your information to be stolen, and organizations that do not conduct proper due diligence and allow fraudulent information to be used.

Experian should immediately get out of the business of selling identity theft protection when they cannot even protect the data that they monitor. Lucky for the T-Mobile customers concerned with identity theft, it looks like they are being offered two years of free credit monitoring and identity resolution services through...Experian. So the same company that put your personal information at risk is your option for monitoring the aftermath?

 

photo by martin belum

EENIE, MEENIE, MINEY, MO: The Sophisticated Go-To Formula When Responding To a Hack

So your organization has been hacked. Well, if only there had been a warning that there is an imminent threat that exists against entities large and small. People should be doing more stories warning of identity theft, hacking, data breaches and the like. We just don’t hear much about it these days.

Since you have been completely blindsided, and are clearly a victim in all of this, take some time to figure out what could have gone wrong. But before you announce to your stakeholders, customers, employees and their family, partners, sponsors, etc. that their personal information is in the hands of thieves, and that the organization itself has had its insides examined – whatever you do, don’t tell them right away – give it at least a good month or two. Or tell them initially it was just one or two people and, when that wears off, say just kidding, it affected thousands – the formulas for revealing the hack are endless – time to put that creative juices hat on. After all, it’s just people’s livelihoods that are at stake; there are more important things to do right now, like think about how you’re going to make yourself not look too shabby in all of this.

First things first, since you haven’t been made aware that there is a problem of epidemic proportions concerning hackings and the like, not only have you not protected the sensitive data that you hold, you most certainly don’t have a crisis communications plan in place. As those things are most effective, throw it together – just look around your office and grab one or two people (or we have found eenie, meenie, miney, mo is effective) and have them put together a plan on how to tell everyone how the organization cares deeply about its stakeholders, customers, employees and their family, partners, sponsors, etc. but has put zero safeguards in place and that their personal information is now in the hands of thieves (for inspiration check your local greeting card aisle, there may be a section now devoted to this area – perhaps under Sorry for Your Identity Loss). Put something about identifying gaps too, and how you’re going to now protect their personal information – be unwavering, yeah that sounds good. Hmmm, maybe offer some monitoring protection, because monitoring once something goes haywire with their personal information is the way to go – that’ll be a lot more helpful than it would have been protecting them in the first place.

Whatever you do, make sure you position yourself as a victim in all of this, and lucky for you, you have company! You can cite all of the other victims who also didn’t see it coming…the government, major insurance companies, large corporations, mom and pop stores – all blindsided.

Going forward, be glad this doozy is behind you. View it as something you will be stronger from experiencing. Sure, now you have to dole out some extra time and money to put some haphazard safeguards in place for appearances’ sake and maybe add a line to your organization manual, but when it happens again, chances are your stakeholders, customers, employees and their family, partners, sponsors, etc. have already had their information compromised someplace else too, so no harm done.

Fortunately, for you, this is commonplace.

 

photo by clyde robinson

Who Really Benefits in Reward Programs?

Back in 2013, I wrote a post about my disdain for “reward” cards. I was reminded today why I still don’t like this marketing approach and I question in this day and age why so many of us are willing to have our buying habits monitored.

Since my last post on this subject, another trend has emerged. The “if you don’t participate in our rewards program we are going to charge you more” approach.

It was one thing to not get the “perks” associated with your purchases; now stores are charging you more if you don’t sign up for their program.

That right there should tell you how valuable it is to these companies to monitor your buying habits. It is a very bold statement. You either give us your personal information or you pay more.

I had to make that decision today. Pay more, or sign up. I paid more.

After discovering I was a victim of identity theft, I am no longer comfortable participating in these programs, and have not signed up for any new reward programs since.

I have grown tired of everything having this caveat of participating in a program. I don’t want to participate in any program, I just want to buy what I want to buy at the best price possible.

As consumers, we don’t seem to accept this approach. We want to feel like we are getting a deal and enjoy reveling in knowing that some sucker paid more than we did for the same item, and if it means signing up for a program, we will do it.

Reward cards are an invited invasion of privacy, not to mention they are a hassle to the consumer, turning the easiest of errands into a series of complex steps.

Let’s start with the hunt before you go to the store.

The bulk of reward programs come with a card that you get to make sure you don’t lose. Hopefully, the card is on your keychain. If not, you get to tear your house apart looking for that little laminated piece. And whatever you do, don’t grab the wrong key set. Then you get to either bypass your rewards accumulation, or you get to try the “15” phone numbers that the card could be registered under.

Then at the store you have to think about what rewards you have accumulated and what you can buy with them. If you don’t participate in the rewards program, then you have to try and figure what price you get to pay.

It usually looks something like this:

 $35.98
-$15.98  SPECIAL SALE

$20.00 FOR REWARD PROGRAM PARTICIPANTS ONLY!!!

At checkout, you are immediately asked if you have the reward program card. If you don’t have the card, you are asked to sign up for one. And, if you graciously decline, you get to repeat saying no thank you to the cashier's “top ten” reasons why you need one.

Companies large and small have demonstrated that they are not capable of protecting our information; therefore they have a responsibility to not put consumers in a position where we need to furnish our personal information in order to pay a lower cost. It’s too high a price to pay for the consumer.
 

P.S. I don’t want to hunt for 15 minutes for your promo code either. 
 

photo by osseous