You have probably heard about many data breaches over the years. They happen with some regularity. A famous breach at the credit reporting company Equifax exposed the personal information of over 143 million people. Many had information stolen including social security numbers, birthdays, addresses, and in some cases credit card and driver’s license numbers.
In this article, we review a few strategies for data security and offer some actions that you can take to reduce your risk and help you to sleep better at night.
There are a variety of ways in which your personal information can be used in unauthorized ways that can be harmful to you. Let's go over three of them.
- The first is someone gaining unauthorized access to a specific account that you own, (a credit card, your email, or your Facebook account).
- Another is obtaining your personal information and using it to create new accounts in your name.
- A third, which is becoming more common, is tax return identity theft.
A breach like the one at Equifax has the potential to increase the risk of the last two. But let's look at each of them and review some ways that you can be proactive to protect yourself.
Unauthorized Account Access
In order for an unauthorized person to gain login access to your account this to happen, the perpetrator only needs to know your user name and password for the account, or in the case of a credit card, the card number and security code. Fortunately, if this happens with a credit card, you are usually not liable for any unauthorized purchases, as long as you notify the card company in a timely manner. The card company will issue a new card, and you will be back in business. So, be sure to review your card statements every month. Many credit/debit card accounts also allow you to receive text or email alerts for certain types of transactions. For example, you can get an alert for transactions over a certain amount, or if a transaction happens overseas. This will allow you to contact the card company almost immediately and have a new card issued. Some credit cards, have an app that will allow you to authorize transactions one at a time while you are waiting for your new card so that you can continue to use it, but the attacker cannot.
In the case of a social media account (email, Facebook, Twitter, Instagram, etc) where they are more likely to cause havoc with your contacts, the recovery process can be more involved, even though the immediate financial jeopardy might be less. If you have a reasonably robust password, it is unlikely (though possible) that a hacker can figure it out, and gain access to your accounts. Once you have a strong and different password for each account in place, the most likely way that someone can gain access to your account is that you unintentionally give them the password. The perpetrator does this most often through a phishing attack, where they send you an email that asks you to give personal information or to log into a bogus website that collects your username and password. Never click on links in unsolicited emails, or log in to websites that you do not recognize. Bookmark the sites that you log into, and always log in through the official website, not one that is presented to you in an email, even if it looks like it is legitimately from the institution. Phishing attackers can be very good at copying the look of the official website.
You can further reduce the chances of someone learning your password by having different passwords for each of your accounts. If you have more than a few accounts, make it easy on yourself and use a password manager to keep track of them, so that you are not tempted to make them overly simple, or use the same one. There are many password managers available. LastPass is a popular one. The most important thing is that you find one that you will use. A good password manager will also create very strong passwords for you.
Stealing Personal Information to Creating an Unauthorized Account
This is the second type of identity theft and is what we are concerned about with the earlier Equifax data breach. This type of identity theft is becoming common and is more dangerous and challenging for you to detect. No company or agency is beyond the risk of being hacked and having your information stolen. Hundreds of organizations have been hacked. In recent years twenty companies have had greater than 50 million identities stolen from each of them. There have been at least eight breaches that each resulted in over 100 million identities stolen since 2009.
Given these numbers, it is reasonable to assume that your personal information has been compromised. But that doesn't mean that it's been used by hackers yet. It's important to remember that there are two steps that have to happen before you will be personally affected by this type of identity theft.
- Your personal information has to be stolen. Yes, this has probably already happened.
- The thief has to do something with your information. (open up a credit card, apply for a car loan, etc.) This has probably not happened yet.
Read on to see how can you tell if someone is trying to use your stolen identity. I'll also give a brief introduction to what to do if someone has ACTUALLY succeeded in creating an unauthorized account in your name, and provide a link with more details for this specific situation.
Monitor your Credit Reports
The way to prevent the creation of an unauthorized account is to monitor your credit report. I hope that you already do so. If not, I recommend that you start. You are entitled to a free credit report once per year from each of the three credit reporting agencies, Equifax, TransUnion, and Experian. Request a report from each agency annually but stagger them by 4 months between each agency. That way you can you will see your credit history throughout the year. Review the reports and make sure that there are no accounts or credit activity that you don't recognize. Here's a link to the website where you can request your credit reports. https://www.annualcreditreport.com/gettingReports.action
Consider Freezing Your Credit
Another thing that you can do in light of the previous data breaches is to freeze your credit. Freezing your credit just means that no one can apply for new credit while the freeze is on; no new credit cards, no new auto loans, mortgages, etc. If you do freeze your credit and you need to get a new loan or a new credit card, you can temporarily unfreeze it during the application process, and then refreeze it. This will go a long way towards preventing unauthorized use of any information that was compromised. Here is a link to the Federal Trade Commission's website, which explains how a credit freeze works and provides toll-free numbers for each credit agency where you can freeze your credit.
What about "Fraud Alerts" or "Credit Monitoring" services?
All of the credit agencies offer these services for a fee, and they are a great money maker for them. This service will monitor your credit report for you and identify suspicious activity; for example, someone applying for a new credit card. I think it's better that you monitor your credit yourself as described above. But if you don't have the time or just don't want to, the next best alternative is to pay someone else to do it. Not monitoring your credit reports is just not a good option.
You've found an account that you didn't authorize. Now What?
When you review your credit reports, chances are, you will only see accounts that you know are yours. In some cases, you might find an old account that you no longer use, but is still in force, perhaps a retail store card (Macy's, Target, Home Depot). You can simply contact the company that gave you the credit to close the account. In the unlikely event that you actually discover unauthorized use of your information to create an account that you do not recognize, you will need to work with the credit reporting agency where the account is listed to have that line of credit removed from your record. This can be a challenging and time-consuming process and is beyond the scope of this discussion. You can find more information on the steps to take from the Consumer Financial Protection Bureau, including how to file an identity theft report through https://www.identitytheft.gov/#/.
Tax Return Identity Theft
Tax return identity theft happens when a thief uses your stolen social security number to file a false tax return in your name in order to obtain a refund. The problem is that the IRS will assume that the first return filed is the true return. If you file your tax return later than the identity thief, you will get a notice from the IRS that one has already been filed. You might also receive this notice if the thief files a return after you. If you suspect that this has happened, you can find information on actions to take on the IRS website’s guide to Identity Theft.
I hope that knowing how to stay safe online helps you to sleep better at night.
Mike