Identity Protection

Tuesday, May 13, 2008

How To Properly Erase A Hard Drive

A prior post covered a humorous story about how to destroy a hard drive in 5 seconds. At that time I was discarding an old computer. In its year-in-review, ZDNet lists the "How to Really Destroy a Hard Drive" post by Robin Harris as one of its most popular posts. I found it highly informative:

"You may already know that “deleting” a file does nothing of the sort. But did you know that your disk drive has a built-in system for the secure erasure of data? No? Then read on... if you keep business, medical, or personal financial information on disks, simple deletion isn’t enough to protect the data when disposing of the equipment.... Something called Secure Erase, a set of commands embedded in most ATA drives built since 2001."

Robin's post explains how you can download and use the Secure Erase utility to fully wipe your old hard drive clean. The instructions are for intermediate to experienced computer users.

Monday, May 05, 2008

Where's The Value: Credit Monitoring Or Credit Restoration? (Poll Results)

Last year, American Banker interviewed me and representatives from Kroll and IBM for an article about the obligation companies have to assist ID-theft victims after a corporate data breach. IBM and Kroll representatives argued that ID-theft victims benefit more from credit restoration services: the processes and work to fix or clear the fraudulent records and accounts created by identity thieves. I argued that ID-theft victims would benefit more from credit monitoring services.

To explore this subject further, I ran a poll on this blog to see what I've Been Mugged readers value more: credit monitoring services or credit restoration services. The approach by companies should focus on the greatest need consumers have (and not what some corporate executive believes is best to minimize their company's post-breach costs). Since I began this blog, I've talked with dozens of consumers, both in-person and via e-mail. Most people seem to need the basic services first: monitoring their credit information, an understanding of the basic threats/scams, and ways to protect their data.

I know my poll does not contain a rigorous scientific design. Participants weren't chosen at random, but included readers of the I've Been Mugged blog who decided to take the poll.

The poll question: What is the most important feature of a credit monitoring service?

The results:

Question                                  %      Votes
Continuous monitoring of your data        45%    22
Credit restoration services               39%    19
Non-financial crime monitoring            2%     1
Credit score and credit analysis tools    6%     3
I don't know                              8%     4
I don't care                              0%     0
Total                                     100%   49

I'm impressed that 4 people were honest enough to admit that they didn't know what feature in a credit monitoring service was most important to them. I think that this statistic highlights an important need in the marketplace. It suggests that roughly 8% of consumers don't know or aren't sure what to look for in a credit monitoring service.

Knowing what to look for is important since after a data breach ID-theft victims must decide whether or not to accept their employer's (or former employer's) credit monitoring service offer. Even if the offer includes free services, it may not be of value. Knowing what to look for is important for any consumer trying to decide which credit monitoring service to register with.

If you missed this poll, don't worry. There's another poll running on our ID-theft Polls page.

During the next few weeks I will share my reviews of the various credit monitoring services. You should judge for yourself, as your personal data and identity protection needs may be very different than mine. Like the ads say, your mileage may vary. So, shop around and shop wisely.

Tuesday, April 29, 2008

How To Protect Yourself When Using A Public Computer

You've left your laptop computer at home. Now, that public computer is looking very appealing. It could be a public computer in a library, in a hotel lobby, or an Internet cafe. You know that computer presents a risk. You don't know if the anti-virus software on it is up-to-date or not. There's some risk, but you really need to go online. Now. How do you protect your identity and personal data?

In her Ten Things blog at TechRepublic, Jody Gilbert listed 10 things you should do to protect your identity and your personal information when you use a public computer:

  1. "Delete your Browsing History
  2. Don’t save files locally
  3. Don't save passwords
  4. Don't do online banking
  5. Don't enter credit card information
  6. Delete temporary files
  7. Clear the pagefile
  8. Reboot the computer
  9. Boot from another device
  10. Pay attention to your surroundings and use common sense"

Sounds like excellent advice to me.

Thursday, April 24, 2008

Monthly Update From The Suze Orman Identity Theft Kit (TrustedID)

When you sign up for a credit monitoring service, most provide a monthly report via e-mail about the status of your credit information and files. A coworker of mine signed up several months ago for the Suze Orman Identity Theft Kit. My coworker shared the latest report she received via e-mail:

Monthly Update - Suze Orman Identity Theft Kit


The report is simple and easy to understand. The message makes it clear what the consumer should do next, if there is a problem. My coworker seems to be very happy with the service she receives from Suze Orman. If you have a different credit monitoring service, you can compare the monthly message you receive from your service with the message above.

Monday, April 14, 2008

CVS And The State Of Texas AG Reach An Agreement Regarding Information Security

KLTV reported that the Texas Attorney General's office and CVS Pharmacy, Inc. agreed to a settlement to protect CVS customers from identity theft:

"The settlement resolves the state's April 2007 enforcement action against the nation's largest retail pharmacy, which was charged with violating state laws that govern the disposal of customer records containing sensitive personal information. Under an agreed final judgment obtained by the Attorney General, CVS will overhaul its information security program. The program must be fully documented in writing and contain administrative, technical and physical safeguards designed to protect the personal information of CVS customers. CVS also will pay $315,000 to the State of Texas, which will be appropriated for the investigation and prosecution of other identity theft cases, pursuant to the Identity Theft Enforcement and Protection Act."

The Attorney General's office took action after hundreds of documents containing customers' sensitive personal information (e.g., credit card numbers and expiration dates; prescriptions with date of birth, doctors' names, medication type) were unlawfully dumped behind a CVS store in Liberty, Texas. The state will use the money to prosecute other identity theft cases.

Details about the settlement:

"... CVS must implement a new training program to inform its Texas employees about the company's enhanced information security procedures. The employee training program must provide employees with a review of CVS' privacy procedures and a review of state laws governing the disposal of customer records. The training program also must explain identity theft, its costs to individual consumers and businesses, and the importance of abiding by the company's disposal program."

Only Texas employees? This sounds to me like sensible and appropriate data security actions any and all companies should implement nationwide, without waiting for a state AG to sue them to comply. Forbes Magazine reported:

"... the improper disposal of this information was a violation of [CVS'] record retention and privacy policies, and CVS took appropriate disciplinary action,' the statement said. When the suit was filed last year, CVS said the store manager had been fired. Earlier this month, CVS Caremark agreed to pay almost $37 million to nearly two dozen states and the federal government to settle claims it billed Medicaid programs for a more expensive formulation of an antacid."

When disposing of customers' and employees' records, companies would be well advised to follow the advice in this National Law Journal article: "Shred It Or Regret It."

Thursday, April 10, 2008

ID-Theft Protection May Not Provide The Protection You Need

I'd like to thank my friend Michael in Oakland for alerting me to this article. Dow Jones MarketWatch reported the following about the current state of credit monitoring and credit resolution services for consumers:

"Plenty of products promise to help consumers avoid identity theft, but none of them is foolproof. If a product claims to prevent identity theft, that should raise red flags for consumers, said Linda Foley, founder of the Identity Theft Resource Center in San Diego. "You can't protect a person from identity theft. It's impossible. All we can do is minimize our risk." And, while these products can reduce your likelihood of becoming a victim, many employ methods that consumers can use on their own, for free."

Finally, somebody is telling it like it is. After IBM exposed my sensitive personal data, I took that as an opportunity to learn about data breaches and the current identity theft marketplace. Since then, I've looked at many of the credit monitoring services for consumers which are available from banks, independent companies, and the credit bureaus. I've reached the same conclusion as the ITRC: there's some protection to reduce a consumer's risks.

The MarketWatch article also discussed the new Security Freeze tool, which is available nationwide from the national credit bureaus:

"Consumers can freeze their reports by calling each of the three agencies. It generally costs $10 to place a freeze ($30 to freeze all three major reports) and $10 to lift each freeze (these costs are sometimes waived.) For more details, visit FinancialPrivacyNow.org. Or, you can pay for a product that includes a credit freeze, such as offered by TrustedID and others."

Well, that's mostly accurate. The fees vary by state. In my state, Massachusetts law limits the Security Freeze fees to $5.00 at each credit bureau; and Security Freezes are free for ID-theft victims (who can prove this with a copy of a filed police report). While a Security Freeze provides consumers with stronger protection than a Fraud Alert, there clearly are limits.

First, the Security Freeze tool from credit bureaus does not cover C.L.U.E. insurance reports. Consumers must do business separately with Choicepoint, a major provider of C.L.U.E. reports. Choicepoint offers Security Freezes in only about eight states: CO, DC, DE, ME, MT, NH, NJ, and NC. Naturally, you'd expect Choicepoint to offer a nationwide Security Freeze like the credit bureaus, but they don't. Being consumer-focused doesn't appear to be a priority for Choicepoint. Second:

"Freezes don't stop thieves tapping existing credit or bank accounts, nor do they address other identity theft, such as when a thief provides your name as his identity when pulled over for a traffic violation."

The use of stolen identities during a crime is a huge problem which the identity protection industry hasn't solved. When criminals use stolen identification during a crime, it's that ID-theft victim who suffers, not just the criminal when (and if) caught. The victim may be jailed temporarily while identification mistakes are resolved, fined, or both.

Plus, this can happen in any country, since stolen identities are sold online worldwide. For example, look at the global trail of stolen credit card numbers after the TJX/TJ Maxx data breach. Or, read about this ID-theft victim who was jailed after a criminal used his stolen identity during a crime. Consider this: the next time you travel abroad you could be detained by Customs in another country if a criminal has used your stolen identity during a crime in that country. I haven't read a news report (yet) about this, but the risk to consumers is real since stolen identities are traded online worldwide.

If you think that existing identity protection insurance and resolution services will help in these instances, think again:

"Identity-theft insurance helps cover the costs associated with the crime. Your homeowners or renters insurance, or your bank account, may include such insurance already, so check before purchasing. Consumer advocates say the value of such insurance is debatable, since financial losses are often not extensive and credit-card companies generally cover consumers' losses. Still, insurance could be useful if the policy covers debit-card losses and lost wages due to your time spent resolving the crime... As for victim resolution services, some nonprofit and state agencies will help for free, though the services companies sell may offer valuable convenience."

This situation will only improve when consumers pressure their elected officials to enact stronger laws about identity theft which hold companies accountable for data breaches, the punishment and sentencing of identity criminals, and legislation which covers new forms of identity theft such as skimming and house stealing. It will also require some coordination between countries.

If you are detained or jailed in a foreign country due to identity theft, I don't see any of the current ID-theft resolution services helping consumers. If you agree that this situation is scary and unacceptable, write to your elected officials today.

Wednesday, March 19, 2008

A Free And Easy Way To Test The Security Of Your Wireless Home Network

At the ZDNet SOHO Networking blog (Small Office Home Office), Rik Fairlie provided a really good tip for consumers to check the security on their home wireless (WiFi) network. Security is important because we all (or at least many of us) do online banking, access our financial accounts online, and want to protect our personal data from abuse by both spammers and identity thieves.

Rik tested his home wireless network with the Network Magic management tool by Pure Networks. Network Magic has a free diagnostic scan that provides a report on the security status of your home wireless network:

"The Pure Networks Security Scan tool, which works only with Internet Explorer 6 or later, is clearly bait for Network Magic... Run the scan, and the resulting scorecard provides a summary status of network devices, the router and network, wireless security, and the computer on which you ran the scan. It advises you of the number of issues tested for each category, alerts you to any worrisome issues found... Some of the items it tests under Router and Network include whether you are running a hardware firewall, if your password is strong (and, of course, changed from the factory default), and whether your router firmware is up to date... This Computer tab tells you whether your PC contains malware that redirects Web sites, as well as whether file and printer sharing are correctly activated, what kind of software firewall (if any) you’re running, and if your antivirus software is up to date."

Sounds like a valuable tool for consumers to improve the security of their home wireless networks, and protect sensitive data.

Friday, February 15, 2008

Suze Orman Identity Theft Kit Debuts

Recently, I was talking with a coworker who had purchased the Suze Orman Identity Theft Kit. In January 2008, the TrustedID blog announced:

"Financial expert Suze Orman and TrustedID have launched Suze Orman’s Identity Theft kit, the first identity theft protection solution that protects the financial and personal information of all members of a household. Shortly after launching on QVC, the kit will be available online at www.suzeorman.com and TrustedID.com as well as through leading retailers nationwide."

I checked www.suzeorman.com and consumers can purchase the kit online. At the site, click on "Identity Theft Kit" in the left column navigation area. According to the site, the kit contains the following:

  • Two People Protection
  • Medical Record Protection
  • Anti-Spyware Software
  • Lost Wallet Protection
  • Address Scanning
  • Enhanced Junk Mail Reduction
  • Credit Card No. Scanning
  • Annual Credit Reports
  • Bank Account No. Scanning
  • $1 Million Service Warranty
  • Child Identity Theft Protection
  • Fraud Flag Placement
  • Elderly Parent Identity Theft Protection

At first glance, the service seems to have a lot of value. It definitely seems worth consideration for consumers who have no identity protection in place today. However, I found the web site content very thin. The site did not explain many of the kit's features. So, it's hard to tell exactly what is offered for "Medical Record Protection," "Address Scanning," "Bank Account Number Scanning," and the "$1 Million Service Warranty." Unfortunately, the QVC page didn't supply any more detail either. Maybe the actual television pitches explain these features, but I rarely watch QVC.

There are about 46 user-submitted product reviews at the QVC page. You may find some of these helpful. Most of the reviews are positive, but the negative ones seem to be where consumers encountered technical problems installing the kit software and returned the product. Some of the reviewers noted that the kit does not cover department store charge cards.

For me, the kit provides services I already have from other credit monitoring services. Regarding Fraud Alerts, I added those to my credit reports on my own. I already have anti-spyware software for my home computer from McAfee. To reduce spam and junk mail, I have already signed up at several free opt-out resources for consumers.

Later this Spring, I plan to post a detailed comparison of several of the leading identity protection solutions for consumers. The comparison will definitely include Orman's Identity Theft Kit. I've Been Mugged readers would love to hear the opinions or experiences anyone has had with the Suze Orman Identity Theft kit.

Thursday, February 07, 2008

The Wall Street Journal Complete Identity Theft Guidebook (Book Review)

Recently, I read "The Wall Street Journal Complete Identity Theft Guidebook: How to protect yourself from the most pervasive crime in America" by Terri Cullen. I found the book to be an easy read and appropriate for consumers who know nothing about identity theft and consumers who know a little about identity theft.

Cullen has organized the material into two broad sections:

  1. Preventing Identity theft
  2. Life After Identity Theft

The first section is packed full of tips about how consumers can protect themselves. Cullen weaves into the text both explanations of important terms and actual stories of consumers who were identity-theft victims. The second section is targeted for consumers who are identity theft victims. It provides practical and usable advice about what to do given your specific situation. This makes it easy for readers to find the information relevant to their specific situation.

Based on the book's content, Cullen wrote most or all of it in 2006. Much has changed since. For example, I found the book a little weak on Security Breaches. While Cullen explains very well the functions (and biases) of the national credit bureaus, Cullen should have provided a better explanation of the differences between a Fraud Alert and a Security Freeze. Yes, this is difficult since state laws are changing quickly, but it is critical information for consumers.

Cullen has provided several sample letters (mostly snail-mail) for dealing with identity theft. These letters are mostly for identity theft victims who must correspond with banks, credit card issuers, lenders, collection agencies, and credit bureaus. The book includes these letters in print format. A better presentation would have been a CD with the sample letters in electronic format.

You can buy Cullen's book locally at many booksellers, or online at Amazon.com and at BarnesandNoble.com. As you'd probably expect, there's an article excerpt of the book at the Wall Street Journal web site.

Tuesday, February 05, 2008

Good Primer on Identity Theft (Washington Post Transcript)

I recently read the transcript of this Washington Post webcast about ways to protect yourself from identity theft. The January 15, 2008 webcast featured Washington Post staff writer Nancy Trejos and Adam Levin, chairman of Identity Theft 911 LLC and a former director of New Jersey's Division of Consumer Affairs.

The transcript is easy to read and features some very relevant questions from various consumers around the country:

  • How did identity theft get so out of hand?
  • Can people take their names off of databases so they won't become identity theft victims?
  • What can you do when you find out a family member has used your SS# and name?
  • I'm uncomfortable sharing my SS# with requests for information, like for medical care. What can I do?
  • How do I access my free annual credit report at one of the credit bureau web sites?
  • Is it overkill to tear my name and address out of everything that goes into the garbage, and then shred the identifying bits?
  • How to teach teens good credit management skills when the credit bureaus only provide credit reports to adults?
  • When moving a residence, will identity theft hinder a consumer's ability to set up utilities and change addresses for bills at their new address?
  • Is it a good idea to mark the back of my credit cards with "please ask for ID" so retailers will ask? Will this help protect me against identity theft?
  • Is it safer to use my debit card or a credit card?

If you have been reading the I've Been Mugged blog, then you already know the answers to the above questions. Some portions of the transcript I found especially interesting:

"I am a detective for a police department and investigate identity theft. I find the most difficult part of the process dealing with the banks, merchants and businesses who drag their feet on supplying investigative info. or hide behind demands for subpoenas for records. This problem can't be solved until businesses are held accountable for poor record keeping, no investment in prevention and lack of desire to assist law enforcement. Target company, however, is an exception and is an excellent partner in detecting and prosecuting identity thieves. Bally fitness has been notoriously unhelpful."

And, regarding which is safer, credit cards or debit cards:

"No question that debit cards are wonderful instruments because they do force consumers to set psychological spending limits. As I indicated earlier, credit cards offer more protection but can create an unreality regarding the question, "Can I afford this." If you are wedded to using your debit card, just make sure that you are very focused on checking your account activity EVERY DAY."

Thursday, January 31, 2008

Verification Messages to Both New & Old E-Mail Addresses

This is a security feature I wish that more web sites used. I use the Google Reader site to read and manage several news RSS feeds. When I changed the e-mail address associated with my Google Reader account, the Google Reader site sent this e-mail message to my old e-mail address:

From: accounts-noreply@google.com
Subject: Google Accounts: Email Change Notification

Dear Google Account holder:
We've received a request to change the email address associated with your Google Account from: [my old e-mail address] to: [my new e-mail address]

If you initiated this request, there's no need to take any further action. If you didn't request an email change, please visit the Google Accounts Help Center and fill out our contact form.

Thank you for using Google. For questions or concerns regarding your account, please visit the Google Accounts FAQ. This is a post-only mailing. Replies to this message are not monitored or answered.

The Google Reader site also sent this message to my new e-mail address:

From: accounts-noreply@google.com
Subject: Google Accounts: Email Change Verification

Dear Google Account holder:
Thank you for changing the email address on your Google Account. To verify your new email address, just click the following URL: [verification URL]

Thank you for using Google. For questions or concerns regarding your account, please visit the Google Accounts FAQ. This is a post-only mailing. Replies to this message are not monitored or answered.

That's an excellent approach to security that all companies should use. Both messages were clear, easy to read, and reinforced the security for my account. The verification link was quick and easy. The FAQ link provided relevant information I could use, if needed.
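A sketch of the server side of this two-message flow, added here as an illustration; it is not Google's code. The names `Account`, `Message`, `request_email_change`, `confirm_email_change`, the 24-hour token lifetime and the `accounts.example.test` URL are all assumptions. The address on file only changes after the link sent to the new address is used, while the old address is told about the request straight away.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime; the post does not state one
VERIFY_URL = "https://accounts.example.test/verify-email?token="  # hypothetical


@dataclass
class Message:
    to: str
    subject: str
    body: str


@dataclass
class Account:
    email: str                                 # address currently on file
    pending_email: Optional[str] = None        # requested, not yet verified
    pending_token_hash: Optional[str] = None   # only a hash is stored
    pending_expires_at: float = 0.0


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _clear_pending(account: Account) -> None:
    account.pending_email = None
    account.pending_token_hash = None
    account.pending_expires_at = 0.0


def request_email_change(account: Account, new_email: str,
                         outbox: List[Message], now: float) -> str:
    """Record a pending change and queue both messages.

    The account keeps its old address until confirm_email_change succeeds.
    The token is returned only so the example can be exercised.
    """
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.pending_token_hash = _digest(token)
    account.pending_expires_at = now + TOKEN_TTL_SECONDS

    # Message 1: notification to the OLD address. It carries no link or
    # token, so whoever controls only the old mailbox cannot approve it,
    # but the real owner learns about a change they did not ask for.
    outbox.append(Message(
        to=account.email,
        subject="Email Change Notification",
        body=(f"We received a request to change the address on your account "
              f"from {account.email} to {new_email}. If you did not request "
              f"this, contact support."),
    ))
    # Message 2: verification link to the NEW address, proving the
    # requester can actually read mail sent there.
    outbox.append(Message(
        to=new_email,
        subject="Email Change Verification",
        body=f"To verify your new address, open: {VERIFY_URL}{token}",
    ))
    return token


def confirm_email_change(account: Account, token: str, now: float) -> bool:
    """Apply the pending change if the token is valid, unexpired and unused."""
    if account.pending_email is None or account.pending_token_hash is None:
        return False
    if now > account.pending_expires_at:
        _clear_pending(account)
        return False
    # Constant-time comparison of the stored hash and the presented token.
    if not hmac.compare_digest(_digest(token), account.pending_token_hash):
        return False
    account.email = account.pending_email
    _clear_pending(account)  # single use: the same link cannot be replayed
    return True
```
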

Tuesday, January 29, 2008

The New U.S. Passports (RFID)

In a prior post, I discussed the new RFID technology and its data security and privacy issues. There is an excellent Los Angeles Times article which questions just how secure the U.S. State Department's new RFID passports are. Here's how the new U.S. passports work:

"The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo. It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing. The security of this broadcast is the crux of the debate. The State Department says the chip's range is about 4 inches and that it cannot be read when the passport book is fully closed. But with the right equipment, early critics said, people several feet away or more could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip could also be copied or altered to make phony passports..."

To respond to the threat, the State Department modified its new passports:

  • "To block radio signals, it put metallic material in the passport's front cover and spine.
  • To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip's data. (Officials note Social Security number and address are not on the chip.)
  • To prevent tracking, it installed a "randomized unique identification" system that presents a different ID to a reader each time the chip is accessed.
  • To counter fraud, it installed a digital signature that flags chips that have been altered."

Are the new passports 100% safe? Nobody knows. I hope that these identity protection measures work. There's an awful lot at stake.

Monday, January 21, 2008

Satisfied With RFID Skimming Protection (Product Review)

A couple weeks ago, I purchased online the Armadillo Dollar "skimming" shield product. I ordered two shields and both arrived in separate business-size envelopes within a larger U.S.P.S. Express Mail package. Each envelope included a shield and instructions. That makes it easy to give the second shield as a gift.

I opened one envelope and read the instructions, which were clear and simple. The instructions said that you could place the Armadillo Dollar product in your wallet to protect multiple RFID cards, often referred to as "smart cards" or contact-less credit cards. I folded one Armadillo Dollar product in half, placed two contact-less smart cards inside, and then placed the bundle in my pants pocket. I don't want to open my wallet every time I need to use one of my RFID cards. I planned to test Armadillo Dollar the next day on the way to work.

On the way to work the next morning, I pulled the Armadillo Dollar and my RFID cards out of my pocket and waved them near an RFID reader at a Boston MBTA station entrance. Nothing happened: the turnstile did not open. The RFID reader was unable to penetrate the Armadillo Dollar shield. Great! Then, I removed my MBTA Charlie Card by itself and waved it by the station's reader. The turnstile opened as usual.

At work, I repeated this process at the downtown-Boston office where I work. Employees use RFID badges to access both the building elevators and individual company offices. As expected, the RFID reader was unable to penetrate the Armadillo Dollar shield. I then removed my employee badge by itself and waved it by the RFID reader. The turnstile opened as expected.

While this isn't a scientific test, it is good enough for me. The product works as advertised... RFID readers couldn't penetrate the Armadillo Dollar shield. Wisteria House fulfilled my product order as requested, and applied the product discount as promised. I am satisfied since I now have some identity protection for my RFID cards. When I receive my new RFID U.S. Passport, I'll repeat this test with the Armadillo Dollar shield.

Want to learn more? This video provides some background about RFID or smart cards and "skimming"... how an identity thief can clone a smart card:

Want to learn more? Read this New York Times article about no-swipe credit cards, or this C/Net Review about contact-less credit cards. You can also visit the Smart Card Alliance, armadillodollar.com, or the National Envelope web sites.

[Author's note: you can rely on I've Been Mugged for independent product reviews. The I've Been Mugged blog is wholly independent, and is not affiliated with any identity theft or identity protection products. Nor do we accept any advertising or payments from manufacturers of identity theft products or services.]

Friday, January 18, 2008

How To Do A Background Check On Yourself

To learn what others -- a potential employer or landlord -- can learn about you, you might consider doing a background check on yourself. This June 2007 post at The Consumerist lists several sources, many of which are free. Note the comments in the post about Lexis-Nexis, and in particular their Consumer Access Program. I have contacted only a couple of the sources listed, but in time I expect that I will contact all of them. In prior posts, I have discussed my experiences with C.L.U.E. insurance reports from Choicepoint.

Friday, January 11, 2008

New Wireless Identity Protection Product: Armadillo Dollar

Many of us already have Radio Frequency Identification (RFID) cards in our wallets or purses. You have an RFID card if it's a card that you wave near (about 2 inches) a wall- or table-mounted reader. RFID cards are supposedly easier to use because the RFID card and the RFID reader don't have to physically touch. They just have to be close enough -- a few inches -- for the reader to access the information stored on the RFID card. Some credit cards, debit cards, and store charge cards are RFID cards.

I have two RFID cards. One is the security badge to enter the office building and my employer's offices. The second is my Charlie Card to ride Boston's MBTA mass-transit system. When I worked in London in 2004, my Tube pass was an RFID card.

While I realize that RFID is here to stay, I am not wildly excited about the technology because its security gaps are well known, and are dependent upon the issuer properly encrypting the sensitive personal data stored on each RFID card. Identity thieves can use a portable RFID reader to collect personal data from unsuspecting RFID cardholders: a process called "skimming." The thieves can then create, use, and sell duplicate, bogus RFID cards. And, it's almost impossible for the average user to know when an identity thief has used a skimmer to steal your personal data from an RFID card.

With this in mind, I was curious to read this TrustedID blog post:

"Armadillo Dollar, a new product created by Wisteria House Products, offers protection against this new wireless identity theft and RFID monitoring. Users place the product in their wallet, and it blocks the transmission of sensitive private information from RFID (Radio Frequency Identification) enabled debit/credit cards or employee badges. The user can move around undetected by RFID readers, and wireless identity thieves."

If you want to learn more about the RFID technology, read the RFID Journal, the RFID blog, or visit armadillodollar.com. I haven't yet tried the Armadillo Dollar product, so I can't speak to how effective it is. If any I've Been Mugged readers already use the product, please share your experiences.

Tuesday, January 08, 2008

Unsecure Sign-in Pages At Web Sites

In a prior post, I listed my personal data New Year's Resolutions for 2008. One of my resolutions is to contact companies I do business with online that have gaps in their data security. Earlier today I contacted NetFlix about their customer sign-in page:

"I would like to inform you that the NetFlix Sign-In page is unsecure. That is, it is http:// when it should be https:// . This is very important since credit card information is attached to my account and to my sign-in information. The work-around I have used to date has been to click the "Continue" button since your site currently serves up a secure (e.g., https://) Sign In Error page. Then I enter my sign-in information.

While I am generally a satisfied NetFlix customer, this unsecure sign-in page is a big problem. I blog about identity theft and I'd hate to see NetFlix get hit by hackers or identity thieves who might harvest customers' sign-in information from an unsecure sign-in page."

I also sent a similar e-mail to TypePad, the producer of this blogging software. TypePad has a similar problem with an unsecure Member Log-in page. You might want to check the web sites you sign into. While banks and financial institutions are good about providing secure sign-in pages, retailers don't seem to do as good a job.

Also, I've found that the web-savvy companies respond quickly to e-mail inquiries. We'll see how soon TypePad and NetFlix respond to my inquiry.

Credit Monitoring vs. Credit Restoration: What's The Difference?

Recently, a friend asked me what the difference is between "credit monitoring" and "credit restoration." While writing this blog, I kept some notes which morphed into the comparison chart below:

| | Credit Monitoring | Credit Restoration |
|---|---|---|
| Definition | The process of reviewing a consumer's credit reports and credit scores at the three national credit bureaus. May also include alerts when a credit bureau provides the consumer's credit report to potential lenders. | A process of notifying law enforcement, credit bureaus, banks, lenders, state and local government agencies, federal agencies, and other companies about the theft of a consumer's identity and/or money; and the process of correcting the information in the victim's credit reports. |
| Advantages | 1. Includes alerts via cellphone and/or via e-mail<br>2. Timely alerts minimize the amount of money stolen or damage done by identity thieves<br>3. Almost always provided for free for 1 or 2 years by companies that have had a data breach<br>4. Service usually includes the full text of your credit report from all 3 national credit bureaus<br>5. Service may include tips on how to improve your credit score and manage your credit | 1. Professionals do the work a consumer may not have the time or knowledge to complete<br>2. The better services include both credit/financial and non-credit/criminal work<br>3. The better services do most or all of the restoration work as the victim's agent<br>4. May include an insurance policy to cover expenses and legal fees incurred<br>5. Sometimes provided for free for 1 year by companies that have had a data breach |
| Disadvantages | 1. Monthly fees vary widely<br>2. Can be difficult to compare services<br>3. Many credit monitoring services don't include credit restoration services | 1. Monthly fees vary widely<br>2. Can be difficult to compare services<br>3. Usually, insurance doesn't cover actual money lost or stolen<br>4. Often not included in many credit monitoring services |
| Availability | Provided by many banks, credit bureaus, and independent companies | Provided by some banks, but mostly by independent companies |


Which is best? It really depends upon your personal situation. If you are unfamiliar with identity theft, then a comprehensive credit monitoring service probably is best. Several resources are listed in the right column under "Credit Monitoring Services." If you are a DIYer (Do It Yourself) who gets your free credit reports at www.annualcreditreport.com, then a credit restoration service may be best.

As things change, I will update the above chart.

Want to learn more? Read prior posts about credit-monitoring services. You probably will want to read about the Security Freeze and C.L.U.E. insurance report topics. I urge everyone to consider opt-out resources to reduce your identity theft risk.

Monday, January 07, 2008

Fraud Alert or Credit Freeze: What's The Difference?

While discussing identity theft with a business acquaintance, the topic came up about how best to protect our identities. The person mentioned that they had a Credit Freeze in place, but that it was only good for 90 days. This was a clue to me that the person had a Fraud Alert in place and not a Credit Freeze. A comparison of the two options:

| | Fraud / Security Alert | Credit / Security Freeze |
|---|---|---|
| Definition | A special message attached to a consumer's credit file that indicates the individual may be a victim of identity theft. The alert may require potential lenders to contact the consumer via phone before issuing credit. | A feature for national credit reports where all companies and potential lenders (except where exempted by law) cannot access a consumer's credit report without the consumer's permission. |
| Advantages | 1. Free for consumers<br>2. Alert durations available for 90 days or 7 years. Military personnel: Active-Duty Alert (12 months)<br>3. After adding an alert at one credit bureau, the other 2 credit bureaus automatically add an alert | 1. Generally, free only for identity theft victims (IL, NM, and RI: free for all residents 65+)<br>2. Stops identity thieves from opening new accounts or getting credit, loans, or mortgages in your name<br>3. Stops credit bureaus from distributing your credit report<br>4. Consumer can lift or remove the freeze when needed for potential lenders (PIN number provided) |
| Disadvantages | 1. Credit bureaus still distribute your credit report<br>2. Identity thieves can apply for credit or loans and approval may still "sneak through" | 1. If you are not an identity theft victim, fees apply to add, lift, or remove a freeze at each credit bureau<br>2. You must add, lift, and remove a freeze separately at each credit bureau<br>3. To apply for credit, you must temporarily lift the freeze on your credit reports. This may cause a delay getting credit approval<br>4. Banks and companies that provide consumer data to the credit bureau will not be allowed to update the name, address, SS#, and birth-date data on your credit reports |
| Availability | Nationwide | Nationwide, including Puerto Rico, Guam and the U.S. Virgin Islands |
| Other | 1. Adults only | 1. Adults only<br>2. Temporary freeze lift: 3 days minimum and 30 days maximum |


Want to learn more? You should be aware of certain identity-theft situations that neither a Security Freeze nor a Fraud Alert will prevent. Also, the Security Freeze laws in many states do not cover consumers' C.L.U.E. insurance reports. You still should shred snail-mail and paper documents with sensitive personal data. And, for maximum protection you should also take advantage of the opt-out resources.

Thursday, January 03, 2008

New Year's Resolutions: How To Protect Your Personal Data

The second half of 2007 was a busy time for me. First, I learned that IBM lost my personal data during a data breach. Then, I learned about identity theft and some of the ways to protect myself. Along the way, I started this blog and learned about fraud alerts, security freezes, and corporate data breaches.

Before compiling my list of New Year's resolutions, it seemed wise to list the activities and habits I have already started during 2007:

  • I shred all snail mail that might be useful to identity thieves
  • I check my Social Security Earnings Record at least once every year
  • I keep the e-mail spam filter set on "High" at my Internet Service Provider
  • When searching with Google.com in my Firefox web browser, I use McAfee SiteAdvisor to avoid dangerous sites
  • Immediately after learning about IBM's data breach, I placed a Fraud Alert on my credit reports
  • I checked my 3 credit reports: Experian, TransUnion, and Equifax
  • I checked my C.L.U.E. insurance report with Choice Trust
  • I set up e-mail alerts with my two credit monitoring services to inform me if anyone attempts to access my credit reports
  • I installed better anti-virus software protection on my laptop computer
  • I stopped using my ATM debit card for purchases at retail stores, and use cash or a credit card
  • I opted out of pre-screened credit and financial offers - both e-mail and snail-mail
  • I went paperless with my online banking and set up alerts to notify me immediately
  • I created stronger passwords for all of my sensitive online accounts

I feel really good about these accomplishments. You can read about them in prior posts. Just click on one of the topics in the right column or start with my first I've Been Mugged post.

Now that 2008 is here, I realize that there's more to do to better protect my personal data. I've learned so far that there's no single "silver bullet" solution to protect myself from identity theft and identity fraud. The tools and resources for consumers are constantly changing and evolving.

My list of identity protection resolutions for 2008:

  • Place a security freeze on my credit reports
  • Read "The Wall Street Journal Complete Identity Theft Guidebook" by Terri Cullen
  • Continue to do business online only with companies I already know
  • Always check both the Better Business Bureau and TRUSTe web sites before doing business with a company I don't know
  • Check my Medical Information Bureau report
  • Guard my health-care insurance card as carefully as I guard my credit cards and Social Security card
  • Insist that the companies I do online business with offer secure sign-in pages (e.g., https://) and, if they refuse, switch to another company
  • Research credit restoration companies to decide whether to keep my current service or switch to a better service
  • Periodically, check the IBM data breach web site for any news or updates regarding their February 2007 data breach
  • Change my online passwords every 3 months

What are your New Year's resolutions to protect your personal data?

Monday, December 24, 2007

In The News: Kroll, IBM, and I've Been Mugged

I've Been Mugged readers may remember that in August of 2007, I was interviewed by the American Banker publication for a news story about the credit monitoring service IBM had arranged with Kroll. While this article has been available at the American Banker web site for a fee, I just learned that it is available for free in the media section at Kroll's web site.

....

  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.
Blog powered by TypePad
