Advice / Tips / Solutions

Tuesday, May 13, 2008

How To Properly Erase A Hard Drive

A prior post covered a humorous story about how to destroy a hard drive in 5 seconds. At that time I was discarding an old computer. In its year-in-review, ZDNet lists the "How to Really Destroy a hard Drive" post by Robin Harris as one of its most popular posts. I found it highly informative:

"You may already know that “deleting” a file does nothing of the sort. But did you know that your disk drive has a built-in system for the secure erasure of data? No? Then read on... if you keep business, medical, or personal financial information on disks, simple deletion isn’t enough to protect the data when disposing of the equipment.... Something called Secure Erase, a set of commands embedded in most ATA drives built since 2001."

Robin's post explains how you can download and use the Secure Erase utility to fully wipe your old hard drive clean. The instructions are for intermediate to experienced computer users.

Friday, May 09, 2008

'Whaling' Is The Latest Phishing Threat

From Yahoo News:

"US federal court officials have warned that hackers are emailing phony subpoenas embedded with malicious software to high-ranking executives to steal valuable corporate information. Thousands of powerful US executives have received the bogus emails that contain links which, if clicked on, install software letting hackers take control of computers and swipe passwords or other sensitive data. Internet security insiders refer to the attacks as "whaling" because they use social-engineering trickery involved in "phishing" but target individual "big phish" instead of casting nets in a sea of Internet users."

Apparently, these whaling attacks have had a high success rate with getting executives to open those bogus e-mails and either click on attachments or click on links. Consumers should be aware that within the USA, subpoenas are usually served in person by process servers, to assure judges that the orders from courts have been properly received by those named.

This news article also appears at AFP. If you are unsure how to recognize a phishing scam, read:

Whether or not you are caught by a phishing scam, you should always report it.

Wednesday, April 30, 2008

CNN Data Doctor: When Criminals Take Over Your Web Mail Account

I'd like to thank Bruce for alerting me to this CNN video.

A lot of people use Web mail because of its convenience. Criminals use Web mail too, but not in the way you might expect. Criminals will try to take over your Web mail account. Why? One, they can use it to send spam. Two and more likely, they hope to use your sign-in information (e.g., Web mail username and password) to access your financial and bank accounts. Simply, that's where your money is... and many people use the same sign-in information for several accounts.

The CNN video includes advice about how to prevent criminals from taking over your Web mail account, and what to do if they've already taken over your account. So, a word to the wise:

There are several posts in I've Been Mugged that can help you with each item listed above.

Tuesday, April 29, 2008

How To Protect Yourself When Using A Public Computer

You've left your laptop computer at home. Now, that public computer is looking very appealing. It could be a public computer in a library, in a hotel lobby, or an Internet cafe. You know that computer presents a risk. You don't know if the anti-virus software on it is up-to-date or not. There's some risk, but you really need to go online. Now. How do you protect your identity and personal data?

In her Ten Things blog at TechRepublic, Jody Gilbert listed 10 things you should do to protect your identity and your personal information when you use a public computer:

  1. "Delete your Browsing History
  2. Don’t save files locally
  3. Don't save passwords
  4. Don't do online banking
  5. Don't enter credit card information
  6. Delete temporary files
  7. Clear the pagefile
  8. Reboot the computer
  9. Boot from another device
  10. Pay attention to your surroundings and use common sense"

Sounds like excellent advice to me.

Tuesday, April 22, 2008

Security Freeze: Peace Of Mind And Protection For Your Credit Reports

Since I started this blog in July 2007, I've learned a lot about identity theft. I had to after IBM exposed my sensitive personal data. First, I placed a 90-day Fraud Alert on my credit reports. Then, I signed up for the free credit monitoring service IBM provided from Kroll. 90 days later, I renewed my Fraud Alerts.

So far, so good. No problems with identity fraud.

Given the ongoing risk, I wanted more protection for my credit reports than what the credit bureaus provide with their Fraud Alert tool. The fact is, the credit bureaus just append the alert to your credit report whenever they sell it to a potential creditor. A shady creditor could still issue new credit in my name to an identity criminal. So, I placed a Security Freeze (also called a "Credit Freeze") on my credit reports at the three national credit bureaus.

While the Fraud Alert tool is free, that didn't seem to be a good value for me given the risk. The free credit monitoring service IBM arranged with Kroll was only for one year, and it did not provide an automatic Fraud Alert renewal service. While I could have continued to renew my Fraud Alerts every 90 days, stronger protection was more important to me than a freebie.

I didn't want to pay a credit monitoring service (e.g., LifeLock) to renew my Fraud Alerts because this is an easy task any consumer can do by themselves -- for free. I've done it and I know. More importantly, I wanted stronger protection for my credit reports. The Security Freeze option fills that need.

To place the Security Freeze, first I visited each credit bureau's web site and printed their Security Freeze instructions page. All three credit bureaus have similar instructions. You have to provide them with documentation verifying, a) who you are, b) your current residential address, c) valid payment; and send a letter via snail mail (or overnight express) requesting the Security Freeze. You can't place a Security Freeze over the phone, via e-mail, nor via text messaging.

While all three national credit bureaus offer the Security Freeze option nationwide, the fees vary by state. According to Massachusetts law, each credit bureau can charge a Massachusetts resident a maximum of $5 to place, lift, and remove a security freeze. Each credit bureau's web site lists the fees for your state. If you are an identity theft victim (e.g., you can prove so by providing a copy of a filed police report), then the Security Freeze is usually free. In many states, the Security Freeze is free for residents 65 years of age or older.

Should IBM have paid for my Security Freeze fees? That's a discussion I'll save for another post. For me, the $15 in total fees is a good investment for both protection and peace of mind. I'd like to thank my state's legislators and Governor Patrick for keeping the Security Freeze fee low for Massachusetts residents.

Next, I assembled my Security Freeze letters. Some credit bureaus require a photocopy of your Driver's License, and/or an insurance or bank statement. This was time consuming, but easy to do. The whole process took me about 4 hours.

At the post office, I mailed all letters via Certified Mail - Return Receipt. While this cost a little more, it is a smart investment because it minimized my worries. The Return Receipt notice informed me when each credit bureau received my Security Freeze letter. About 8 business days later, I received confirmation letters from the credit bureaus.

Each confirmation letter included an explanation of that credit bureau's Security Freeze process, additional instructions, and my personal PIN number. You'll need this PIN when communicating with the credit bureau to temporarily lift or remove your Security Freeze. I stored these confirmations in a secure location.

Will a Security Freeze prevent all types of identity theft and fraud? No. A Security Freeze is not a cure-all. I don't have any illusions about this. While a Security Freeze will prevent criminals from opening new credit and new financial accounts in your name, it won't stop criminals from committing a crime in your name, if your personal data has already been stolen or exposed -- like IBM exposed mine. Nor will a Security Freeze prevent criminals from breaking into my financial accounts. There are other things consumers must do like use rotating and stronger passwords, and set up e-mail or text messaging alerts for your financial accounts.

Thursday, April 10, 2008

ID-Theft Protection May Not Provide The Protection You Need

I'd like to thank my friend Michael in Oakland for alerting me to this article. Dow Jones MarketWatch reported the following about the current state of credit monitoring and credit resolution services for consumers:

"Plenty of products promise to help consumers avoid identity theft, but none of them is foolproof. If a product claims to prevent identity theft, that should raise red flags for consumers, said Linda Foley, founder of the Identity Theft Resource Center in San Diego. "You can't protect a person from identity theft. It's impossible. All we can do is minimize our risk." And, while these products can reduce your likelihood of becoming a victim, many employ methods that consumers can use on their own, for free."

Finally, somebody is telling it like it is. After IBM exposed my sensitive personal data, I took that as an opportunity to learn about data breaches and the current identity theft marketplace. Since then, I've looked at many of the credit monitoring services for consumers which are available from banks, independent companies, and the credit bureaus. I've reached the same conclusion as the ITRC: there's some protection to reduce a consumer's risks.

The MarketWatch article also discussed the new Security Freeze tool, which is available nationwide from the national credit bureaus:

"Consumers can freeze their reports by calling each of the three agencies. It generally costs $10 to place a freeze ($30 to freeze all three major reports) and $10 to lift each freeze (these costs are sometimes waived.) For more details, visit FinancialPrivacyNow.org. Or, you can pay for a product that includes a credit freeze, such as offered by TrustedID and others."

Well, that's mostly accurate. The fees vary by state. In my state, Massachusetts law limits the Security Freeze fees to $5.00 at each credit bureau; and Security Freezes are free for ID-theft victims (who can prove this with a copy of a filed police report). While a Security Freeze provides consumers with stronger protection than a Fraud Alert, there clearly are limits.

First, the Security Freeze tool from credit bureaus does not cover C.L.U.E. insurance reports. Consumers must do business separately with Choicepoint, a major provider of C.L.U.E. reports. Choicepoint offers Security Freezes in only about eight states: CO, DC, DE, ME, MT, NH, NJ, and NC. Naturally, you'd expect Choicepoint to offer a nationwide Security Freeze like the credit bureaus, but they don't. Being consumer-focused doesn't appear to be a priority for Choicepoint. Second:

"Freezes don't stop thieves tapping existing credit or bank accounts, nor do they address other identity theft, such as when a thief provides your name as his identity when pulled over for a traffic violation."

The use of stolen identities during a crime is a huge problem which the identity protection industry hasn't solved. When criminals use stolen identification during a crime, it's that ID-theft victim who suffers, not just the criminal when (and if) caught. The victim may be jailed temporarily while identification mistakes are resolved, fined, or both.

Plus, this can happen in any country, since stolen identities are sold online worldwide. For example, look at the global trail of stolen credit card numbers after the TJX/TJ Maxx data breach. Or, read about this ID-theft victim who was jailed after a criminal used his stolen identity during a crime. Consider this: the next time you travel abroad you could be detained by Customs in another country if a criminal has used your stolen identity during a crime in that country. I haven't read a news report (yet) about this, but the risk to consumers is real since stolen identities are traded online worldwide.

If you think that existing identity protection insurance and resolution services will help in these instances, think again:

"Identity-theft insurance helps cover the costs associated with the crime. Your homeowners or renters insurance, or your bank account, may include such insurance already, so check before purchasing. Consumer advocates say the value of such insurance is debatable, since financial losses are often not extensive and credit-card companies generally cover consumers' losses. Still, insurance could be useful if the policy covers debit-card losses and lost wages due to your time spent resolving the crime... As for victim resolution services, some nonprofit and state agencies will help for free, though the services companies sell may offer valuable convenience."

This situation will only improve when consumers pressure their elected officials to enact stronger laws about identity theft which hold companies accountable for data breaches, the punishment and sentencing of identity criminals, and legislation which covers new forms of identity theft such as skimming and house stealing. It will also require some coordination between countries.

If you are detained or jailed in a foreign country due to identity theft, I don't see any of the current ID-theft resolution services helping consumers. If you agree that this situation is scary and unacceptable, write to your elected officials today.

Wednesday, April 02, 2008

Ten Tips To Reduce Your Risk Of Identity Theft And Identity Fraud

A few months ago, Forbes magazine published a pretty good list of ten tips to avoid identity theft:

  1. "Only Make Purchases On Trusted Sites... There are lots of small online retailers that don't have adequately secure payment systems."
  2. "Order Your Credit Report... The Fair and Accurate Credit Transactions Act, passed by the Federal government in 2003, mandates that each of the major credit bureaus supply consumers with a free copy of their credit report each year. You can get yours at AnnualCreditReport.com (American users only), a Web site run by the credit reporting agencies to comply with this legislation."
  3. "Know How To Spot Phishing: Phishing is a technique used by identity thieves to get your sensitive information by pretending to be a site you trust."
  4. "Secure Your Network: If you have a wireless network at home or work, make sure that you secure it. A hacker can gain access to anything you do over an unsecured network in a matter of seconds."
  5. "Can the Spam... Not only are these messages often from phishers, but they can also contain Trojan horses (viruses) that can get into your computer and send your information back to their unsavory creators. If you have the option, install spam-filtering software (or ask your e-mail provider whether it can add spam-filtering to your account)."
  6. "Don't Store Sensitive Information On Non-Secure Web Sites: As more and more useful Web applications start springing up (like Backpack, Facebook and Google Calendars), it's important to make sure that you're not storing sensitive data on non-secure Web sites."
  7. "Set Banking Alerts: Many financial institutions are beginning to offer e-mail and text alerts when your accounts reach certain conditions (being near overdraft, or having transactions over $1,000, for example). Setting alerts for your accounts can ensure that you find out about unauthorized access as soon as possible."
  8. "Don't Reuse Passwords: As tempting as it may be to reuse passwords, it's a really good practice to use a different password for every account you access online. This way, if someone does find out what your password is for one credit card, they won't also be able to access your checking, brokerage and e-mail accounts."
  9. "Use Optional Security Questions... it's a good idea to set up optional security questions to log into your accounts. Many financial institutions ask security questions that a third party wouldn't know, but you can often set up multiple optional questions that can increase the security of your account."
  10. "Don't Put Private Information On Public Computers: If you're away from home, make sure not to save private information onto a computer used by the public. If you're accessing a private account at the library or cyber café, make sure to log out completely from your accounts, and never choose to save login information (like your username or password) on these computers."

To learn more, click on any of the keyword terms in the right column. I'm hoping that Forbes updates this list, since identity criminals change their tactics frequently. A good example of changing criminal tactics is the post about House Stealing.

Thursday, March 27, 2008

The State Of Missouri Launches New Anti-Fraud Web Site For Consumers

According to the Springfield News-Leader:

"Missourians concerned about fraud have another resource to protect themselves, according to the Missouri Secretary of State’s office. It is a new Web-based Missouri Investor Protection Center, www.MissouriSafeSavings.com created to help educate investors about potential scams... The Web site provides information on wise investing, recognizing and avoiding fraud and exercising investor rights."

The Missouri Secretary of State Office (SOS) built the web site to address the need for increased protection of Missouri seniors and their investments. The site also features:

  • Senior Investor Protection Unit: a staff of attorneys, investigators, auditors and education specialists who investigate "new cases with senior-specific issues, provides investor education and holds outreach and education events"
  • An online game to raise awareness about fraud scams and threats
  • Additional print publication and online resources

Congratulations to the Missouri SOS for providing this site to their residents. A good next step for the Missouri SOS would be to display online companies' data breach notification letters like New Hampshire does, so Missouri residents have a reliable source to see which companies aren't protecting their sensitive data.

Wednesday, March 19, 2008

A Free And Easy Way To Test The Security Of Your Wireless Home Network

At the ZD Net SOHO Networking blog (Small Office Home Office), Rik Fairlie provided a really good tip for consumers to check the security on their home wireless (WiFi) network. Security is important because we all (or at least many of us) do online banking, access our financial accounts online, and want to protect our personal data from abuse by both spammers and identity thieves.

Rik tested his home wireless network with the Network Magic management tool by Pure Networks. Network Magic has a free diagnostic scan that provides a report on the security status of your home wireless network:

"The Pure Networks Security Scan tool, which works only with Internet Explorer 6 or later, is clearly bait for Network Magic... Run the scan, and the resulting scorecard provides a summary status of network devices, the router and network, wireless security, and the computer on which you ran the scan. It advises you of the number of issues tested for each category, alerts you to any worrisome issues found... Some of the items it tests under Router and Network include whether you are running a hardware firewall, if your password is strong (and, of course, changed from the factory default), and whether your router firmware is up to date... This Computer tab tells you whether your PC contains malware that redirects Web sites, as well as whether file and printer sharing are correctly activated, what kind of software firewall (if any) you’re running, and if your antivirus software is up to date."

Sounds like a valuable tool for consumers to improve the security of their home wireless networks, and protect sensitive data.

Friday, February 29, 2008

2008 Identity Theft Survey - Javelin Research (Part Two)

Yesterday's post discussed the results of the latest identity theft and identity fraud survey in the USA by Javelin Research. In its report, Javelin recommended the following for consumers to detect identity theft and identity fraud:

  • Monitor your bank and credit card account activity regularly. Check the activity online, via phone, or via ATM machine
  • Use e-mail or telephone alerts to monitor activity on your accounts. Activity can include deposits, withdrawals, balance transfers, specific charges, address changes, new names added to your accounts
  • Javelin emphasizes that the longer it takes a consumer to detect fraud, the greater the amount stolen

Javelin recommends the following for consumers to resolve identity theft and identity fraud:

  1. Contact your bank or credit card company immediately
  2. Close any accounts that have been compromised
  3. Ask your financial provider about fraud resolution teams or services to help you fix your credit and recover any money lost
  4. Place a Fraud Alert on your credit reports at all three credit bureaus
  5. Know the data breach notification rights in your state. When an employer or prior employer loses your personal data (or it is stolen), in many states that company is required by law to notify you of that loss/theft. Other rights, such as free credit monitoring services, may also be available to you in your state
  6. Consider placing a Security Freeze on your credit reports at all three credit bureaus. This will prevent criminals from opening new accounts and obtaining credit in your name. Some states require a Security Freeze to be free to identity theft victims
  7. File a report with the local police
  8. Notify the U.S. Federal Trade Commission (FTC). The FTC tracks complaints and identity theft activity
  9. Consider signing up for a credit monitoring service, which can help you monitor your credit reports at the three credit bureaus

While all of the above items are solid and valuable recommendations, they focus on financial identity fraud. Unfortunately, there are so many ways criminals can abuse stolen personal data. They can use it to commit medical identity fraud, insurance identity fraud, criminal identity fraud, obtain a fraudulent driver's license, or apply fraudulently for a job, and none of these activities will show up on your credit report.

If that sounds awfully scary, it is. And it should scare you. This is the current state of U.S. business and government systems. A good first step would be to write to your elected officials and ask them what they plan to do about it.

Thursday, February 28, 2008

2008 Identity Theft Survey - Javelin Research (Part One)

Last week, I spent some time reading the "2008 Identity Fraud Research Report" by Javelin Strategy And Research. Javelin surveyed about 5,000 adults and identity-theft victims in the United States. Key findings from the survey:

  • There is a difference between "Identity theft" and "Identity Fraud." Identity Theft is when, "your personal information is accessed by someone else without your explicit permission. Identity Fraud occurs when a criminal takes the illegally-obtained information to use it for financial gain."
  • The most common ways criminals steal consumers' personal data: lost/stolen wallets (33%); "shoulder surfing" while conducting a transaction (23%); "friendly" theft by family members or others you know (17%); online (12%); and data breaches (7%).
  • Vishing is on the rise. Vishing is a phone-based version of the phishing scam. Vishing is when criminals attempt to trick a consumer into providing personal data over the phone. In some instances, criminals contact consumers first via e-mail with a bogus phone number for replies.

So, what can consumers do to protect themselves? Javelin recommends a 3-step approach (e.g., Prevention, Detection, Resolution) similar to the U.S. Federal Trade Commission (e.g., Deter, Detect, Defend). The basic idea is that consumers should use a range of methods to protect their personal data, since criminals use a variety of methods to steal personal data.

Javelin recommends the following to prevent identity theft and identity fraud:

  • Protect your personal computer, laptop, PDA, and mobile phone with passwords
  • Do not use PIN numbers or passwords that are easily guessed (e.g., birthdays, your maiden name, your kids' names, your pet's name, etc.)
  • Shred sensitive documents before placing them in the trash
  • Use a locked mailbox or a Post Office Box for your snail mail
  • Do not leave documents with your personal data lying around, especially documents with your bank account numbers or social security number
  • Monitor your online accounts (e.g., bank, credit card, retirement, and other financial accounts) for suspicious or unauthorized activity
  • Move your paper financial statements to online accounts. Avoid paying bills with checks, and instead pay via online banking
  • Review your credit reports at least once a year. You can visit annualcreditreport.com or call toll-free at (877) 322-8228

Tomorrow: more recommendations by Javelin.

Monday, February 25, 2008

What To Do When Your Debit/ATM Card Number Is Stolen

Every few weeks, I get an e-mail from somebody who has had their personal data stolen. When the stolen data includes a bank account number, the identity thief usually attempts to empty the victim's bank account.

Recently, a coworker (Scott) had his debit card number stolen. When I saw Scott, he was rushing to his bank to discuss and fix the problem. Scott had that frazzled look of "oh crap, what do I do now?" on his face. A couple days later, I contacted Scott via instant messaging (im) to see what had happened. Our instant messaging thread:

George: how did it go the other day at the bank?
Scott: hey George! they were very cool about it
Scott: it was obvious by looking at my transaction activity that something funky was going on

George: did u file a police report?
Scott: i didn't
George: u should

Scott: should i do it here in Boston or in Baltimore where the purchases were made?
George: first, do it here. it will help should the thieves do more damage
George: second, call one of the credit bureaus and place a Fraud Alert on your credit report
Scott: i def will... hadn't even thought about it. think i was more concerned bout the bank
Scott: great suggestions

George: they charged stuff to your credit card, right?
Scott: debit/credit
George: sh--
Scott: a [bank name suppressed] bank account
George: def file a police report. now that the thieves know your debit/checking acct number, they can do more damage
George: did the bank give you a new checking acct number?
Scott: yea
George: third, change all of your passwords on your bank accts
Scott: i'm in there now, so i'll do it right away
George: remember to use a strong password: mix of caps and lower case... mix of numbers and text
Scott: covered

George: leave work today and go file a police report at the police station closest to where you live... ask them how to handle the balt location
Scott: you got it...
Scott: thanks for the suggestions. i'll call one of the credit bureaus too
George: now that the thieves know your debit and bank information, they may try to a) reroute your snail mail, b) break into your online accts, c) try to apply for credit in your name
Scott: oh man
George: d) create a phony ID and visit your bank branch to try to get the bank to disclose your SSN or other personal data
George: so, be alert that you get all of the mail you expect
Scott: for sure

George: yes, this sucks. welcome to identity theft in 2008. check my blog for tips
Scott: i certainly will
George: click on one of the right column categories to learn more about that subject (e.g., fraud alerts, credit monitoring services). u should check your credit reports at all 3 credit bureaus... that is your first line of defense should somebody try to apply for credit in your name

Scott: if i call one of the credit bureaus will all 3 somehow be notified or do i have to call all 3?
George: for a Fraud Alert, if u call one, it notifies the other 2. For a Security Freeze, you have to contact each credit bureau independently
George: my blog explains the difference between a Security Freeze and a Fraud Alert

George: Last... DON'T shop with your debit/ATM card. It doesn't give you the same protections as a credit card. I only use my debit/ATM card at my bank's ATM machines. I have a blog post about why shopping with a debit/ATM card is a bad idea
George: call or im me if u have more questions

George: but do the police report today
Scott: will do. thanks for all the great info
George: call and place the Fraud Alert today
Scott: totally appreciate it
George: u r welcome

[Editor's note: I should have also advised Scott to file a complaint with the Federal Trade Commission.]

Thursday, February 21, 2008

More About Sidejacking

After I wrote my first post about sidejacking, I did some more online research. A post at The Consuming Experience blog offered information about sidejacking:

"You're at risk from sidejacking when you use the internet via a free, or even paid-for, unsecured public wi-fi or WLAN (wireless networking) hotspot. That could include just accessing your Hotmail or other webmail, or your Facebook or MySpace or other social networking account, your Amazon account, etc. An attacker on the same wifi network could "sniff", steal and use login details and info of users of that open WLAN - such as "AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth."

Since many web sites do not encrypt every site page, identity thieves can:

"... intercept the unencrypted information, particularly the "cookie" files saved with your browser and sent between it and the site - and which are often used to log you in."

And there are other ways your laptop can disclose your personal data:

"... all sorts of other unencrypted info can be intercepted and copied, and used to deduce details about you or your accounts which can then be used by the thief... when you power-on your computer. It will broadcast to the world the list of WiFi access-points you've got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS request) you want connections to."

What's a person to do to keep your personal information safe?

"Before you login to a website, at least make sure that the page where you enter your details, the one with the boxes for your login info before you hit Submit or OK, is a secure page - i.e. starts with "https". But that's not enough, it has to be SSL all the way."

The post at The Consuming Experience blog offers more tips and solutions, for people who are technology-savvy and for those that aren't. There are also some solutions in my prior post about sidejacking.
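An added example (not from this post or from The Consuming Experience blog): the "SSL all the way" check described above, written as a Python audit of a recorded browsing session that reports where a login cookie would travel unencrypted. The host name, cookie names and both sessions are constructed, and cookie matching is simplified to the exact host.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_session(exchanges):
    """Walk a browsing session in order and report cookies exposed in clear text.

    exchanges: list of (request_url, [Set-Cookie values in the response]).
    Returns a sorted list of (cookie_name, url, reason) tuples.
    Assumption: cookies are matched by exact host; Domain/Path scoping is ignored.
    """
    jar = {}  # host -> {cookie name: True if it carries the Secure attribute}
    findings = set()
    for url, set_cookies in exchanges:
        parts = urlsplit(url)
        host = parts.hostname
        encrypted = parts.scheme == "https"

        # Cookies already held for this host are attached to this request.
        # A browser withholds Secure cookies from plain-http requests.
        for name, secure in jar.get(host, {}).items():
            if not encrypted and not secure:
                findings.add((name, url, "sent over unencrypted page"))

        # Cookies the server sets in the response to this request.
        for value in set_cookies:
            name, attrs = parse_set_cookie(value)
            secure = "secure" in attrs
            if not encrypted:
                findings.add((name, url, "set over unencrypted page"))
            elif not secure:
                findings.add((name, url, "set without Secure attribute"))
            jar.setdefault(host, {})[name] = secure
    return sorted(findings)


# Constructed session: secure login page, then the site drops back to http.
WEAK_SESSION = [
    ("https://mail.example.test/login", ["SID=abc123; Path=/; HttpOnly"]),
    ("http://mail.example.test/inbox", []),
    ("http://mail.example.test/compose", ["PREFS=compact; Path=/"]),
]

# Constructed session: https throughout, login cookie marked Secure.
# The stray http image request does not carry the Secure cookie.
HARDENED_SESSION = [
    ("https://mail.example.test/login", ["SID=abc123; Path=/; Secure; HttpOnly"]),
    ("https://mail.example.test/inbox", []),
    ("http://mail.example.test/logo.png", []),
]

if __name__ == "__main__":
    for label, session in (("weak", WEAK_SESSION), ("hardened", HARDENED_SESSION)):
        print(label)
        for name, url, reason in audit_session(session):
            print(f"  {name}: {reason} ({url})")
```

The weak session has a secure login page and still exposes the login cookie on every later page, which is the gap the quoted advice warns about.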

Thursday, February 07, 2008

The Wall Street Journal Complete Identity Theft Guidebook (Book Review)

Recently, I read "The Wall Street Journal Complete Identity Theft Guidebook: How to protect yourself from the most pervasive crime in America" by Terri Cullen. I found the book to be an easy read and appropriate for consumers who know nothing about identity theft and consumers who know a little about identity theft.

Cullen has organized the material into two broad sections:

  1. Preventing Identity theft
  2. Life After Identity Theft

The first section is packed full of tips about how consumers can protect themselves. Cullen weaves into the text both explanations of important terms and actual stories of consumers who were identity-theft victims. The second section is targeted for consumers who are identity theft victims. It provides practical and usable advice about what to do given your specific situation. This makes it easy for readers to find the information relevant to their specific situation.

Based on the book's content, Cullen wrote most or all of it in 2006. Much has changed since. For example, I found the book a little weak on Security Breaches. While Cullen explains very well the functions (and biases) of the national credit bureaus, Cullen should have provided a better explanation of the differences between a Fraud Alert and a Security Freeze. Yes, this is difficult since state laws are changing quickly, but it is critical information for consumers.

Cullen has provided several sample letters (mostly snail-mail) for dealing with identity theft. These letters are mostly for identity theft victims who must correspond with banks, credit card issuers, lenders, collection agencies, and credit bureaus. The book includes these letters in print format. A better presentation would have been a CD with the sample letters in electronic format.

You can buy Cullen's book locally at many booksellers, or online at Amazon.com and at BarnesandNoble.com. As you'd probably expect, there's an article excerpt of the book at the Wall Street Journal web site.

Tuesday, February 05, 2008

Good Primer on Identity Theft (Washington Post Transcript)

I recently read this transcript of a Washington Post webcast about ways to protect yourself from identity theft. The January 15, 2008 webcast featured Washington Post staff writer Nancy Trejos and Adam Levin, chairman of Identity Theft 911 LLC and a former director of New Jersey's Division of Consumer Affairs.

The transcript is easy to read and features some very relevant questions from various consumers around the country:

  • How did identity theft get so out of hand?
  • Can people take their names off of databases so they won't become identity theft victims?
  • What can you do when you find out a family member has used your SS# and name?
  • I'm uncomfortable sharing my SS# with requests for information, like for medical care. What can I do?
  • How do I access my free annual credit report at one of the credit bureau web sites?
  • Is it overkill to tear my name and address out of everything that goes into the garbage, and then shred the identifying bits?
  • How to teach teens good credit management skills when the credit bureaus only provide credit reports to adults?
  • When moving a residence, will identity theft hinder a consumer's ability to set up utilities and change addresses for bills at their new address?
  • Is it a good idea to mark the back of my credit cards with "please ask for ID" so retailers will ask? Will this help protect me against identity theft?
  • Is it safer to use my debit card or a credit card?

If you have been reading the I've Been Mugged blog, then you already know the answers to the above questions. Some portions of the transcript I found especially interesting:

"I am a detective for a police department and investigate identity theft. I find the most difficult part of the process dealing with the banks, merchants and businesses who drag their feet on supplying investigative info. or hide behind demands for subpoenas for records. This problem can't be solved until businesses are held accountable for poor record keeping, no investment in prevention and lack of desire to assist law enforcement. Target company, however, is an exception and is an excellent partner in detecting and prosecuting identity thieves. Bally fitness has been notoriously unhelpful."

And, regarding which is safer, credit cards or debit cards:

"No question that debit cards are wonderful instruments because they do force consumers to set psychological spending limits. As I indicated earlier, credit cards offer more protection but can create an unreality regarding the question, "Can I afford this." If you are wedded to using your debit card, just make sure that you are very focused on checking your account activity EVERY DAY."

Monday, February 04, 2008

Sidejacking: What It is and How to Protect Yourself

We all know what carjacking is. Sidejacking is when an identity thief spies on your Internet session while you use your laptop at a public, unsecured WiFi connection to the Internet, or "hotspot." Common hotspot locations are airports, coffee shops, hotels, and some downtown city locations.

So, if you use your laptop at public hotspots, this CNN video is a must-see. Colburn suggests the following to protect yourself:

  • Don't use a public hotspot if you don't have to
  • If you must use hotspots, surf the web but don't sign in to secure sites (e.g., bank accounts, e-mail, etc.)
  • If you use hotspots frequently, consider installing a hotspot shield on your laptop

I have not used the product from Anchorfree.com, nor do I have any relationship with Anchorfree.com or with CNN. So I cannot provide an opinion on the effectiveness of the Anchorfree.com software. If you have used this or another brand of wireless VPN software, please share your experience below in the comments section. As with any other software purchase, check the software specifications to make sure it runs on your laptop. Shop around and research Anchorfree.com before a purchase.

Want to learn more about sidejacking? You can start reading here.

Friday, February 01, 2008

How To Stop Junk Snail Mail And Be Green About It

[Pardon the interruption: as the NFL Super Bowl approaches, I found this InformationWeek article fascinating about the video technology which the coaches and players use to prepare.]

Most people dislike junk snail-mail. It can also create an identity theft risk when junk mail contains pre-approved credit offers, which dumpster-diving identity thieves love to steal. Wouldn't it be great if you could stop junk snail-mail, have less to shred, reduce your identity theft risk, and help the environment - all at the same time? The Michigan-based 41pounds.org non-profit company believes that it has the solution:

"Our service stops most common junk mail such as credit card offers, coupon mailers, sweepstakes entries, magazine offers and insurance promotions, as well as any catalogs you specify. You will see a noticeable improvement within 6-8 weeks. After four months, your junk mail should be eliminated by 80 to 95%... Based on the information you provide, we contact 20 to 35 direct marketing companies and catalog companies and instruct them to remove your name from their distribution lists. This includes almost all credit card offers, coupon mailers, sweepstakes entries, magazine offers and insurance promotions, as well as any catalogs you specify."

The fee for their service is $41, which includes stoppage of junk mail for 5 years. One-third of this fee is donated to an environmental or community group of each subscriber's choice. According to an April 2007 press release, 41pounds.org has over 2,000 subscribers.

The company says their junk mail stoppage applies even when you move, but you have to provide 41pounds.org with your new address so they can re-notify the bulk mailers. There's no fee for moves during the first 4 years of your agreement with 41pounds.org.

To stop junk mail, the company collects your name, address, phone number, and e-mail address. The company does not collect your birthdate, SS#, or other sensitive information. 41pounds.org advises its subscribers to also use optoutprescreen.com to stop pre-screened credit offers:

"But one organization has started to require personal information (social security number, birthdates, etc…) that we do not feel comfortable collecting from our customers. To stop these credit card and insurance mailings we highly recommend that you contact www.optoutprescreen.com OR call 888.567.8688."

So, it would seem that 41pounds.org can't do everything for consumers, since some user action is still required to stop all pre-screened credit offers. There have been several news reports about 41pounds.org, but I haven't seen any statistics published about the company's performance at stopping junk mail. There is this brief review at the Piers Fawkes blog:

"Although we believe in their cause, there’s something odd about the site... It seems a little too slick and there’s no transparency. There’s no information on the people behind the site."

I discussed in a prior post the web sites consumers can use (for free) to stop junk snail-mail, e-mail spam, and telemarketing calls. The optoutprescreen.com site is very important since it stops junk snail-mail that includes pre-approved credit offers which identity thieves love to steal from unsecured snail-mail mail boxes.

I have used optoutprescreen.com, but I have not subscribed to 41pounds.org. So I can't state how well 41pounds.org operates. If you subscribe to 41pounds.org, please post a review or comment below.

There are other "green" opt-out resources, which I will discuss in future posts. Like anything else, the various "green" services have slightly different options. So, shop around and compare services before buying.

Thursday, January 31, 2008

Verification Messages to Both New & Old E-Mail Addresses

This is a security feature I wish that more web sites used. I use the Google Reader site to read and manage several news RSS feeds. When I changed the e-mail address associated with my Google Reader account, the Google Reader site sent this e-mail message to my old e-mail address:

From: accounts-noreply@google.com
Subject: Google Accounts: Email Change Notification

Dear Google Account holder:
We've received a request to change the email address associated with your Google Account from: [my old e-mail address] to: [my new e-mail address]

If you initiated this request, there's no need to take any further action. If you didn't request an email change, please visit the Google Accounts Help Center and fill out our contact form.

Thank you for using Google. For questions or concerns regarding your account, please visit the Google Accounts FAQ. This is a post-only mailing. Replies to this message are not monitored or answered.

The Google Reader site also sent this message to my new e-mail address:

From: accounts-noreply@google.com
Subject: Google Accounts: Email Change Verification

Dear Google Account holder:
Thank you for changing the email address on your Google Account. To verify your new email address, just click the following URL: [verification URL]

Thank you for using Google. For questions or concerns regarding your account, please visit the Google Accounts FAQ. This is a post-only mailing. Replies to this message are not monitored or answered.

That's an excellent approach to security that all companies should use. Both messages were clear, easy to read, and reinforced the security for my account. The verification link was quick and easy. The FAQ link provided relevant information I could use, if needed.
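For web site builders, here is one way the two-message flow above could be implemented, as an added example that is not Google's code. It assumes the address only changes after the link sent to the new address is used, that the link expires after one hour, and that it works once; the class, the outbox list standing in for a mail sender, and the example.test addresses are all hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed validity of the verification link, in seconds


class EmailChangeFlow:
    def __init__(self):
        self.accounts = {}  # user id -> current e-mail address
        self.pending = {}   # sha256(token) -> (user id, new address, expiry)
        self.outbox = []    # (recipient, subject, body): stand-in for a mailer

    def request_change(self, user, new_email, now=None):
        now = time.time() if now is None else now
        old_email = self.accounts[user]
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked table does not reveal usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Drop older requests for this user so only the newest link works.
        self.pending = {d: p for d, p in self.pending.items() if p[0] != user}
        self.pending[digest] = (user, new_email, now + TOKEN_TTL)
        # Notice to the OLD address: the real owner hears about the request.
        self.outbox.append((old_email, "Email Change Notification",
                            f"Change requested from {old_email} to {new_email}."))
        # Link to the NEW address: proves the requester controls that mailbox.
        self.outbox.append((new_email, "Email Change Verification",
                            f"https://accounts.example.test/verify?t={token}"))

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on lookup
        if entry is None or now > entry[2]:
            return False
        user, new_email, _expiry = entry
        self.accounts[user] = new_email  # the change is committed only here
        return True
```

The notice to the old address is what lets the real owner react to a hijack attempt, and it is sent before anything on the account has changed.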

Friday, January 18, 2008

How To Do A Background Check On Yourself

To learn what others -- a potential employer or landlord -- can learn about you, you might consider doing a background check on yourself. This June 2007 post at The Consumerist lists several sources, many of which are free. Note the comments in the post about Lexis-Nexis, and in particular their Consumer Access Program. I have contacted only a couple of the sources listed, but in time I expect that I will contact all of them. In prior posts, I have discussed my experiences with C.L.U.E. insurance reports from Choicepoint.

Friday, January 11, 2008

New Wireless Identity Protection Product: Armadillo Dollar

Many of us already have Radio Frequency Identification (RFID) cards in our wallets or purses. You have an RFID card if it's a card that you wave near (about 2 inches) a wall- or table-mounted reader. RFID cards are supposedly easier to use because the RFID card and the RFID reader don't have to physically touch. They just have to be close enough -- a few inches -- for the reader to access the information stored on the RFID card. Some credit cards, debit cards, and store charge cards are RFID cards.

I have two RFID cards. One is the security badge to enter the office building and my employer's offices. The second is my Charlie Card to ride Boston's MBTA mass-transit system. When I worked in London in 2004, my Tube pass was an RFID card.

While I realize that RFID is here to stay, I am not wildly excited about the technology because its security gaps are well known, and are dependent upon the issuer properly encrypting the sensitive personal data stored on each RFID card. Identity thieves can use a portable RFID reader to collect personal data from unsuspecting RFID cardholders: a process called "skimming." The thieves can then create, use, and sell duplicate, bogus RFID cards. And, it's almost impossible for the average user to know when an identity thief has used a skimmer to steal personal data from an RFID card.

With this in mind, I was curious to read this TrustedID blog post:

"Armadillo Dollar, a new product created by Wisteria House Products, offers protection against this new wireless identity theft and RFID monitoring. Users place the product in their wallet, and it blocks the transmission of sensitive private information from RFID (Radio Frequency Identification) enabled debit/credit cards or employee badges. The user can move around undetected by RFID readers, and wireless identity thieves."

If you want to learn more about the RFID technology, read the RFID Journal, the RFID blog, or visit armadillodollar.com. I haven't yet tried the Armadillo Dollar product, so I can't speak to how effective it is. If any I've Been Mugged readers already use the product, please share your experiences.


  • George Jenkins, author of the I've Been Mugged Blog
