Rose-Colored Glasses for All

The lens that we currently view identity theft through is wrong. Especially when it comes to monitoring services. While I will never discourage anyone from being proactive about monitoring his or her data, it’s simply not an all-or-nothing game. As I mentioned in a previous post – not all transactions can be captured (nor all at once).

My point is not to dismiss being diligent about your data, but be clear about what is really being monitored. It is simply a way to feel like you have some control over something you have little or no control over.

Under the guise of tracking fraudulent activity, what monitoring programs are truly capturing are instances of gross inefficiencies in our transactional systems.

Entities are failing us in three ways: not protecting the data that you have entrusted to them, participating in fraudulent transactions and they have positioned themselves as victims and look to you to buttress their inadequacies. And, consumers have unquestionably accepted this burdensome responsibility.

This current view is not working. Until identity theft is no longer tolerated as being shouldered by consumers, it will continue to be an insurmountable threat and one that will drain resources.

 

        photo courtesy of Derek Gavey

Times New Roman Does No Wrong

Last week, while running errands, I stopped inside a store to pay a bill and had to sign-in first. I had been in this store before and knew the drill - type your name and toggle through the options that best explain your visit. I filled-in the information as I told myself next time to save this hassle and mail my payment.

As I finished, I looked around for a good place to awkwardly stand until my name was called.

"Steve M."

A customer service representative came to the lobby to greet next-in-line customer "Steve M."

"What?!," a group of people waiting at the front of the store declared. "We have been waiting and now two people have been called before us!"

Their patience was gone and Steve M. didn't recuse and seemed excited at his good fortune of skipping ahead of the line. I looked at the CSR to see what action she would take.

She just shrugged her shoulders and assured the group that they would be waited on next.

Back at the service counter I heard the CSR confide in Steve M. that she didn't know what the deal was that caused the situation; she was just doing what the computer told her to do and according to it, Steve M. was next.

And therein lies the problem.

Computer content is developed by humans. Sure, maybe there is a computer program that is programmed to "think for itself" - but that ability is created by humans. No chicken or egg question here.

Therefore, content generated by technology or populated by input is subject to human error and must be scrutinized. However, there is some type of phenomena that despite the repeated occurrences and mounting evidence of technology vulnerabilities - people continue to put much trust in the information that is captured on a screen. Even though wherever the information goes or where it comes from no one ever seems to surely know for certain. Somewhere in a cloud or something, right? Sure. OK. Sounds cool and works for me. 

While being skipped in line may land in the minor inconvenience end of the spectrum of life, there are certainly more serious ramifications that can occur if due diligence is not practiced in scrutinizing information and questioning data and processes.

 

photo courtesy of interestedbystandr

Business as Usual

Despite the threat of identity theft, I am surprised at the number of places that continue to ask for a social security number.

Some (a FEW) do need it. For example, filing your taxes. Some (a LOT) do not need it. For example, a doctor’s office – the exception being people on Medicare since your ID number is your social security number followed by a code. Consumer Reports provides a good overview of, Why you shouldn't give your doctor your Social Security number(Umansky, 2015).

Another place that does not need it are schools - this includes providing your child's SSN and your SSN. According to a fact sheet issued by the U.S. Department of Justice and the U.S. Department of Education,  "A school district may not prevent your child from enrolling in or attending school if you choose not to provide your child’s social security number."  

A good rule of thumb is to leave the SSN space blank or if you are asked in person for it tell them “no.” Frankly, I think an even better idea is for places not to ask for it if it is not necessary in the first place. If you are questioned for not providing the SSN, do your research to ensure it is legally required otherwise do not provide it.

References:

U.S. Department of Justice (n.d.). Fact Sheet: Information on the Rights of All Children to Enroll in School. Retrieved from https://www.justice.gov/sites/default/files/crt/legacy/2014/05/08/plylerfact.pdf

Umansky, D. (2015, February 10). Why you shouldn't give your doctor your Social Security number. Retrieved from http://www.consumerreports.org/cro/news/2015/02/why-you-shouldn-t-giver-your-doctor-or-hospital-your-social-security-number/index.htm

 

photo courtesy of sboneham

 

 

Offering Free Credit Monitoring Does Not Make It All Better

Offering free credit monitoring seems to be the go-to canned response to every breach, data hack, and the like – as if it is the solution to right the wrong.

But credit monitoring does little to help anyone who has had his or her information compromised. You are not providing any ounce of protection at this point. No, at this point you have provided a disservice by not initially protecting the personal information that you hold in the first place.

All credit monitoring does is keep tabs on the status of an individual’s credit and is intended to send alerts when there is activity – which is all well and good, but knowing that the information has already been compromised what if a victim’s credit is used by a criminal, for instance an account is established at a store where it wasn’t authorized – now what will the victim do?

While credit monitoring can alert you to the first instance of fraud in order to try to stop the activity in its tracks and give good reason to freeze credit if not done so already, keep in mind not all instances where a social security number could be fraudulently used will necessarily show-up on the traditional credit reports (Experian, Equifax and TransUnion). These can include tax returns, health care services (which only show-up if there is a payment due that goes into default after 180 days)(Karp, 2015) and bank accounts (ONeil, 2015). Furthermore, if it is a child’s social security number that is compromised, chances are they do not have a credit report to monitor – unless the criminal creates one for them by utilizing the child’s information as their own.

Once information is stolen there is not a 100% foolproof protection option to put in place. And, if the credit monitoring service includes someone “helping” if credit is fraudulently accessed, the last thing a victim may want is yet someone else with his or her hands in their personal matters; they may be inclined to fix the mess themselves.

Credit can be monitored all day long, but how are entities who do not have the proper safeguards implemented and allow the information to be accessed going to help once the bad guys get the data? They aren’t going to – instead pointing to the free credit monitoring – which virtually means nothing to the victim. In this day and age, consumers should be monitoring their credit regardless of whether they are a victim of identity theft.

Offering free credit monitoring as a consolation for ineptness isn’t doing anyone any favors and instead signals a weak public relations move. Alternatively, assume some accountability and do a better job of preemptively monitoring and securing the data that you have been entrusted to protect.



References:

Karp, G. (2015). Protect your medical records from identity theft. Chicago Tribune. Retrived from http://www.chicagotribune.com/business/sc-cons-0416-karpspend-20150413-column.html

ONeil, E. (2015). Do Checking Accounts Affect Your Credit? About Money. Retrieved from http://banking.about.com/od/creditscoresandreporting/a/checking-accounts-affect-credit.htm

 

 

 

 

 

A Purse or Wallet is Not a Safe

Last night I had a dream that my purse was stolen. I went to visit someone, parked out front of a house and left my purse in the car since I was just running in for a minute. While I would never think of leaving my purse in my car – one minute or not – apparently I didn’t question this action in my dream state.

My dream continued when I went to leave and not only was my car gone, but so was my purse. Double whammy. I had to remember all of the information I kept in my purse and contact all of the companies and get everything shutdown, re-issued, etc. Since my cell phone was in my purse I couldn’t even use it to start the process. And, I remember the sinking feeling of knowing some thief had their hands on my personal information. Although I have lived this reality, albeit not by a purse theft, this was more like a nightmare!

When I woke up, I was relieved that it was just a dream, but it is a good reminder to be careful of what you carry in your purse or wallet if it is ever misplaced or stolen.

Do you know what is in your purse or wallet? If you lost yours, do you have a list of contact information so that you could minimize the damage and take care of everything immediately?

While modern times have brought along with it modern ways to steal identities, the old-fashioned purse or wallet stealing is alive and well. 

According to the Dallas Police Department, one of the most reported property crimes are those involving the theft of a purse or wallet.
(http://www.dallaspolice.net/content/11/66/uploads/pursewallettheftpreventiontips.pdf.)

Although you probably don’t think it will ever happen to you, consider the following:

1) Clean out your purse or wallet and be aware of the important information you carry around with you and what could happen if it got in the wrong hands.

2) Never carry anything that contains your social security number, these items can be stored in a safe place – a purse or wallet is not a safe place.

3) Consider only carrying around necessary cards and identification – do you really need to always carry around every credit or debit card you have, the same can be said about your insurance or prescription cards, you might want to consider storing these in a safe place and only accessing them when necessary.

There are also thieves who do not steal your actual purse or wallet, but will sift through it and take pictures of credit cards numbers, and other pertinent personal information. You can never be too careful, so be aware of what you carry with you and take the time to be pro-active and in control of the information important to you and your family and how you protect it – so my nightmare doesn’t become your reality.

 

photo by donna sutton

The Unhackable is Unthinkable

Is there any entity that exists that cannot be hacked?

Even one of the three largest credit reporting agencies in the United States – Experian – that holds millions upon millions worth of consumer data, yep hacked.

Global information services group Experian announced Thursday that one of its business units had been hacked. The breach occurred on a server that contained data on behalf of one of its clients, T-Mobile. The data includes personal information for a combination of about 15 million customers and applicants in the U.S. who at one point may have applied for T-Mobile service. The company said that the incident did not impact its own consumer credit database (Source: Nasr, R., CNBC NEWS, 1 Oct 2015).

Am I supposed to be comforted by Experian’s statement that the breach did not impact its own consumer credit database? Here is a company that according to its website “…help businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making.” Is it opposite day at Experian? In addition to Experian being responsible for massive amounts of consumer data, let’s underline the fact they sell identity theft protection. Yet Experian is so inept they cannot prevent identity theft within their own system.

I have not heard much about this occurrence, in fact hardly anything. When in reality, there should be uproar. These organizations have zero accountability. Even when our own government data is hacked, let’s say the bar has not been set real high.

Who can you trust to safeguard your information; at this point I think it is safe to bet that you can trust no one to safeguard your information. 

It is clear we have no idea what we are doing when it comes to utilizing technology. And by organizations and the like continuing to roll out and adopt the latest in technology that they do not understand they are continually putting us at a real risk. Yet, what is their risk?

If you aren’t 100% percent certain the data you collect is protected – then your organization should not be utilizing technology it does not fully understand. We are too far into these discussions and awareness of security issues for an organization to claim they are a “victim”, or for this to be occurring at all. It’s high time that organizations are held accountable – both organizations that allow your information to be stolen, and organizations that do not conduct proper due diligence and allow fraudulent information to be used.

Experian should immediately get out of the business of selling identity theft protection when they cannot even protect the data that they monitor. Lucky for the T-Mobile customers concerned with identity theft looks like they are being offered two years of free credit monitoring and identity resolution services through...Experian. So the same company that put your personal information at risk is your option for monitoring the aftermath? 

 

photo by martin belum

EENIE, MEENIE, MINEY, MO: The Sophisticated Go-To Formula When Responding To a Hack

So your organization has been hacked. Well, if only there had been a warning that there is an eminent threat that exists against entities large and small. People should be doing more stories warning of identity theft, hacking, data breaches and the like. We just don’t hear much about it these days.

Since you have been completely blindsided, and are clearly a victim in all of this, take some time to figure out what could have went wrong. But before you announce to your stakeholders, customers, employees and their family, partners, sponsors, etc. that their personal information, and the fact that the organization itself has had its insides examined in the hands of thieves – whatever you do, don’t tell them right away – give it at least a good month or two. Or tell them initially it was just one or two people and when that wears off, say just kidding it affected thousands – the formulas for revealing the hack are endless – time to put that creative juices hat on. After all, it’s just people’s livelihoods that are at stake, there are more important things to do right now, like think about how you’re going to make yourself not look too shabby in all of this.

First things first, since you haven’t been made aware that there is a problem of epidemic proportions concerning hackings and the like, not only have you not protected the sensitive data that you hold, you most certainly don’t have a crisis communications plan in place. As those things are most effective, throw it together – just look around your office and grab one or two people (or we have found eenie, meenie, miney, mo is effective) and have them put together a plan on how to tell everyone how the organization cares deeply about its stakeholders, customers, employees and their family, partners, sponsors, etc. but has put zero safeguards in place and that their personal information is now in the hands of thieves (for inspiration check your local greeting card aisle, there may be a section now devoted to this area – perhaps under Sorry for Your Identity Loss).  Put something about identifying gaps too, and how you’re going to now protect their personal information – be unwavering, yeah that sounds good. Hmmm, maybe offer some monitoring protection, because monitoring once something goes haywire with their personal information is the way to go – that’ll be a lot more helpful then it would have been protecting them in the first place.

Whatever you do, make sure you position yourself as a victim in all of this, and lucky for you, you have company! You can cite all of the other victims who also didn’t see it coming…the government, major insurance companies, large corporations, mom and pop stores – all blindsided.

Going forward be glad this doozy is behind you. View it as something you will be stronger from experiencing. Sure now you have to dole out some extra time and money to put some haphazard safeguards in place for appearances sake and maybe add a line to your organization manual, but when it happens again, chances are your stakeholders, customers, employees and their family, partners, sponsors, etc. have already had their information compromised someplace else too, so no harm done.

Fortunately, for you, this is commonplace.

 

photo by clyde robinson

Who Really Benefits in Reward Programs?

Back in 2013, I wrote a post about my disdain for “reward” cards. I was reminded today why I still don’t like this marketing approach and I question in this day and age why so many of us are willing to have our buying habits monitored.

Since my last post on this subject, another trend has emerged. The “if you don’t participate in our rewards program we are going to charge you more” approach.

It was one thing to not get the “perks” associated with your purchases, now stores are charging you more if you don’t sign-up for their program.

That right there should tell you how valuable it is to these companies to monitor your buying habits. It is a very bold statement. You either give us your personal information or you pay more.

I had to make that decision today. Pay more, or sign-up. I paid more.

After discovering I was a victim of identity theft, I am no longer comfortable participating in these programs, and have not signed-up for any new reward programs since.

I have grown tired of everything having this caveat of participating in a program. I don’t want to participate in any program, I just want to buy what I want to buy at the best price possible.

As consumers, we don’t seem to accept this approach. We want to feel like we are getting a deal and enjoy reveling in knowing that some sucker paid more than we did for the same item, and if it means signing-up for a program, we will do it.

Reward cards are an invited invasion of privacy, not to mention they are a hassle to the consumer, turning the easiest of errands into a series of complex steps.

Let’s start with the hunt before you go to the store.

The bulk of reward programs come with a card that you get to make sure you don’t lose. Hopefully, the card is on your keychain. If not, you get to tear your house apart looking for that little laminated piece. And whatever you do, don’t grab the wrong key set. Then you get to either bypass your rewards accumulation, or you get to try the “15” phone numbers that the card could be registered under.

Then at the store you have to think about what rewards you have accumulated and what you can buy with them. If you don’t participate in the rewards program, then you have to try and figure what price you get to pay.

It usually looks something like this:

 $35.98
-$15.98  SPECIAL SALE

$20.00 FOR REWARD PROGRAM PARTICIPANTS ONLY!!!

At checkout, you are immediately asked if you have the reward program card. If you don’t have the card you are asked to sign-up for one. And, if you graciously decline, you get to repeat saying no thank you to the cashier's “top ten” reasons why you need one.

Companies large and small have demonstrated that they are not capable of protecting our information; therefore they have a responsibility to not put consumers in a position where we need to furnish our personal information in order to pay a lower cost. It’s too high a price to pay for the consumer.
 

P.S. I don’t want to hunt for 15 minutes for your promo code either. 
 

photo by osseous

There is Nothing “Secure” About Your Social Security Number

Not 24 hours after I posted my most recent blog about protecting consumers against identity theft, reports that thieves stole tax information of 100,000 taxpayers from the IRS surfaced.

How does this even continue to occur? It doesn’t seem as if there are any competent organizations capable of protecting sensitive data. This instance is all the more infuriating because information is being stolen from an entity that by law we are required to furnish it to for tax purposes.

While the use of social security numbers has evolved over the decades, it is apparent that the technology and safeguards required to protect us are severely lagging.

The Social Security number (SSN) was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels. Since then, use of the SSN has expanded substantially. Today the SSN may be the most commonly used numbering system in the United States. As of December 2008, the Social Security Administration (SSA) had issued over 450 million original SSNs, and nearly every legal resident of the United States had one. The SSN's very universality has led to its adoption throughout government and the private sector as a chief means of identifying and gathering information about an individual. (by Carolyn Puckett Social Security Bulletin, Vol. 69 No. 2, 2009)

What are you doing to protect your consumers from identity theft?

There hasn’t been some large scale hacking story in the news, so I guess all identity theft issues have been solved.

Thanks, it’s been real.

Uh, not so fast.

It’s just a matter of time until we’ll hear about another hacking. While the large scale occurrences are the ones that typically make the news, data compromises can happen anywhere and anytime where there is sensitive data stored, including social security information.

With hackings and the like becoming commonplace, they become less newsworthy while the ramifications of the crime remain the same.

The time to take a look at the safeguards you have in place at your business is not when you learn that information has been hacked or compromised.

Much too often we do not hear of businesses taking a proactive response to the threat of identity theft. It is not until information has been compromised that entities then decide to “identify gaps” and place stronger policies or mechanisms in place.

You need to assess those weak access points yesterday.

A good place to start is to address some basic questions including:

  • What data do you require that could be deemed “sensitive”?
  • Is it vital for your organization to collect this information?
  • Where is sensitive data stored?
  • How is sensitive data protected?
  • How long is sensitive data retained?
  • How is sensitive data destroyed?
  • Who has access to sensitive data?
  • Who is ultimately responsible for monitoring the protection of captured sensitive data?
  • Do you have a sensitive data policy that you communicate both internally and externally?

I've posted these nine questions in a one-page document that you can use as a worksheet to get started.