Educate yourself by attending a seminar offered by credit card companies and card processors.
Some merchants are joining fraud-screening organizations and beginning to use extra security software that determines the risk assessment. The merchant can decide to accept the card number or not based on that fraud rate value. Some organizations such as www.antifraud.com offer less expensive help ($10 per month). These groups also offer tips, databases of stolen credit cards, and web look up tools.
Terry Jepson http://www.wiscocomputing.com
Lock your credit away from ID thieves
When California introduced the first credit-freeze law in 2003, I thought it was overkill for most consumers.
I still do. But the universe of people for whom credit freezes make sense is rapidly expanding, and you might be among them.
A credit freeze, for those who don't know, is a way to block your credit reports to make it a lot tougher for an identity thief to get a loan or open a credit account in your name. That's because while a freeze is in place, no one, not even you, can open an account in your name. Lenders, insurers and even employers doing background checks are not able to access your credit file.
You can have the freeze lifted, or "thawed," if you need to get new credit, but you have to give the bureaus a specially issued personal identification number and a few days' notice to do so.
Since California pioneered credit freezes, dozens of other states and the District of Columbia have passed laws allowing at least some residents to lock up their credit reports. All other states except Alabama are considering similar laws.
Fraud alerts, credit freezes differ
Despite their rapid spread, credit freezes remain a bit of a mystery to consumers. Many people don't realize they have access to this tool. Others confuse credit freezes with old-fashioned fraud alerts, which allow consumers to put an electronic red flag on their credit reports at the three major bureaus, Equifax, Experian and TransUnion.
In a couple of ways, credit freezes and fraud alerts are similar. Neither prevents or limits you from using the credit you already have. And neither prevents your current lenders from cruising your credit reports to see how well you're handling your cards, loans and lines of credit.
But freezes and fraud alerts differ in several important ways:
Fraud alerts can be ignored by lenders. By law, lenders who see a fraud alert on your file are supposed to take "reasonable steps" to verify the identity of someone who is applying for credit in your name. Those steps haven't been spelled out, however, and consumer advocates say fraud alerts are too often ignored.
"The law-enforcement folks I talk to say the fraud alert is not doing what it's supposed to do," said Michelle Jun, a staff attorney for Consumers Union, the nonprofit that publishes Consumer Reports magazine. "Lenders and retailers aren't paying attention to it."
When you have a credit freeze in place, however, ignoring it isn't an option. Lenders who try to view your reports to check an application for credit just get a code saying your reports are frozen.
Fraud alerts are pretty easy to put in place. All it typically takes to get a fraud alert is a phone call to each credit bureau. (The bureaus say you need to contact only one of them and that the fraud-alert information will be shared with the other two, but that doesn't always work.) By contrast, to get a credit freeze you have to send a letter via certified mail that includes a bunch of identifying information and, typically, two proofs of your residence, such as copies of your driver's license and a utility bill.
If you want to lift the freeze so you can get credit, you have to call the bureaus, supply the PINs they gave you and then wait. The amount of time the bureaus have to honor your request varies by state. Kentucky gives the bureaus 10 business days; California requires the freeze to be lifted within three days. Utah passed a law that says the freeze must be lifted within 15 minutes, Jun said, but that won't go into effect until September 2008. In any case, a freeze puts an end to "instant credit'; you'll actually have to plan ahead if you want to open an account (which, for most of us, is not such a bad thing).
Fraud alerts are free. With a credit freeze, you'll typically have to pay $10 to $12 to each bureau to freeze your credit reports, for a total cost of $30 to $36. The fees are typically waived if you're a victim of identity theft, and a few states also waive fees for senior citizens.
Lifting and reinstating the freeze may also cost money. In several states, you'll pay $10 to each bureau for a general credit-report thaw, or $12 per bureau to thaw your report for a single lender. Fees can also be assessed for removing the freeze completely or for reissuing a PIN if you forget it.
Fraud alerts expire. In as little as 90 days, a fraud alert can disappear from your file. You can keep renewing it -- if you remember. You also can extend the alert for seven years but only if you're a victim of identity theft with a police report to prove it. By contrast, a credit freeze generally remains in place until you lift it -- that is, in every state except South Dakota, where credit freezes expire in seven years.
The fees you pay and the hassles you endure for a credit freeze make it clear: The credit bureaus would much rather you place fraud alerts on your files than to freeze them entirely. The bureaus are in the business of collecting and selling credit information about you; anything that impedes that costs them money.
Not that you need to care. What matters most is whether a credit freeze makes sense for you.
When to freeze
You probably need to freeze your credit if:
You've already been the victim of "new account" fraud. If someone stole enough information about you to open a credit card account or get a loan in your name, then you need to make sure such fraud doesn't happen again.
On the other hand, if the thief just swiped your credit card or credit card number, a freeze is definitely overkill. Just report the theft to your credit card issuer, fill out its paperwork and go on your way with your new card.
You've been told that your personal identifying information has been compromised. More than 100 million personal records have been stolen, hacked into or otherwise compromised since the Privacy Rights Clearinghouse started keeping track in 2005. This is what I meant about there being a rapidly expanding universe of people who could benefit from a freeze. You probably don't need to bother with a freeze if thieves accessed a database that contained just your credit card number. Credit card fraud is relatively easy to catch and fix without long-term damage to your credit reports.
If, on the other hand, the criminals got into records that contained the keys to your financial identity -- your name, Social Security number, address and date of birth -- you should start to sweat. Although there's no guarantee you'll become the victim of new-account fraud, the odds just went up considerably.
Your wallet or purse is missing. The thief now has your driver's license with your name and address. You may have been smart enough not to carry your Social Security card, but the number may be on your health-insurance card. Or the thief could use the information he now has to buy your number online. In any case, it's time to shut down the candy store.
You don't trust your nearest and dearest. As I outlined in "8 signs you may know an identity thief," you may be most at risk not from strangers but from relatives, friends, acquaintances and household employees who have access to the details of your personal and financial life. If you have reason to suspect someone in your life is less than honest, a credit freeze could be warranted.
You just can't sleep at night without it. I'd ask you first to read "The hysteria over identity theft" so you'll have a clearer idea of your actual risk. If you still want to get a freeze after that, you have my blessing. I've heard from many readers who weren't at any great risk for identity theft, but who still insisted on getting a credit freeze for peace of mind -- and are glad they did.
If you want to institute a credit freeze and your state allows it, just use the links in the chart above to connect to instructions on how to go about it. Although several companies offer to place fraud alerts or freezes for you, it doesn't make much sense to pay others to do what you could do yourself for less (or for free, in the case of fraud alerts).
If you just want to place fraud alerts, you can call Equifax at 1-800-525-6285, Experian at 1-888-397-3742 and TransUnion at 1-800-680-7289.
If your state doesn't yet have a law allowing credit freezes, tell your lawmakers to get on the stick. You can call or write them directly, or send an e-mail from Consumers Union's FinancialPrivacyNow.org.
Your 5-minute guide to protecting your identity
Thieves may sell your information on the black market or use it to obtain money, credit or even expensive medical procedures. Unless you're vigilant in protecting your records, you'll have to work even harder to repair the damage to your credit. The average victim spends 30 to 40 hours rectifying the problem.
Some of the e-threats to your identity are:
- Phishing. You get an e-mail that appears to be from your bank or an online service, most often PayPal or eBay, instructing you to click on a link and provide information to verify your account.
- Pharming or spoofing. Hackers redirect a legitimate Web site's traffic to an impostor site, where you'll be asked to provide confidential information.
- Smishing. This is phishing done with text messaging on your smart phone. It instructs you to visit a bogus Web site.
- Spyware. You've unknowingly downloaded illicit software when you've opened an attachment, clicked on a pop-up or downloaded a song or a game. Criminals can use spyware to record your keystrokes and obtain credit card numbers, bank-account information and passwords when you make purchases or conduct other business online. They also can access confidential information on your hard drive.
You don't need to have a computer to become a victim. (See "How safe is your financial information?")
- Vishing -- voice phishing. You get an automated phone message asking you to call your bank or credit card company. Even your caller ID is fooled. You call the number and are asked to punch in your account number, PIN or other personal information (See "Your phone may be under attack.")
- ATM skimming. Crooks use a combination of a fake ATM slot and cameras to record your account information and PIN when you use a cash machine.
- Crooks will steal your wallet, or go through your mail or trash.
More than half of identity theft cases involve credit card fraud. Checking accounts are the second most popular target. (See "Keep thieves out of your bank account.") But some crooks have other plans:
- At least 250,000 people have been the victim of medical identity theft in the last several years. (See "Diagnosis: Identity theft.") Crooks use fraudulently obtained personal information to get expensive medical procedures or dupe insurance companies into paying for procedures that were not done.
- The victims of about 5% of reported identity theft cases are children. The fraud often goes undetected for years -- until the young adult applies for credit. (See "Stolen innocence: Child identity theft.")
16 tips to protect yourself
You can take steps to protect yourself from identity fraud:
- Keep your confidential information private. Your bank or credit card company won't call or e-mail to ask for your account information. They already have it.
- Keep an inventory of everything in your wallet and your PDA, including account numbers. Don't keep your Social Security card in your wallet.
- Monitor your bank and credit card transactions for unauthorized use. Crooks with your account numbers usually start small to see if you'll notice.
- If you conduct business online, use your own computer. A public computer is less secure, as is wireless Internet.
- Look for suspicious devices and don't let anyone stand nearby when you use an ATM. Take your card and receipt with you. Keep your PIN in your head, not your wallet.
Protect your computer from vulnerability:
- Install anti-virus, anti-spyware and firewall protection, and keep them up to date.
- Don't open e-mails from strangers. Malware can be hidden in embedded attachments and graphics files.
- Don't open attachments unless you know who sent them and what they contain. Never open executable attachments. Configure Windows so that the file extensions of known file types are not hidden.
- Don't click on pop-ups. Configure Windows or your Web browser to block them.
- Don't provide your credit card number online unless you are making a purchase from a Web site you trust. Reputable sites will always direct you to a secure page with an URL starting with https:// whenever you actually make purchases or are asked to provide confidential information.
- Use strong passwords: at least six characters, including at least one symbol and number, and no reference to your name or other personal information. Use a different password for every site that requires one, and change passwords regularly.
- Never send a user name, password or other confidential information via e-mail.
- Consider turning off your computer when you're not using it or at least putting it in standby mode.
- Don't keep passwords, tax returns and other financial information on your hard drive.
6 steps to clean up the mess
If you suspect your identity may be compromised, place a fraud alert with the three credit bureaus. When you place an alert, you are entitled to a free copy of your credit report. After that, take advantage of the free annual reports the bureaus are required to give all consumers. Stagger your requests so that you get a report every four months.
If you are the victim of identity theft, take the following steps:
- Close accounts that have been tampered with. Contact each company by phone and again by certified letter. Make sure the company notifies you in writing that the disputed charges have been erased. Document each conversation and keep all records.
New credit cards allow hands-free theft
Millions of so-called contactless credit cards have been mailed to Americans in recent months on the theory that we just don't spend money fast enough.
While you're absorbing that little nugget, consider this as well: The cards, which wirelessly communicate information about you and your account, don't have an "off" switch.
Contactless smart cards rely on radio-frequency-identification (RFID) technology to speed retail transactions. Instead of handing our credit cards to a clerk or swiping them through card readers, we just wave our plastic in front of a scanner. Often, no signature is required; it's whoosh and go.
Mobil's Speedpass was an early example of this technology. After trial runs in several cities, MasterCard, Visa and American Express began issuing contactless cards in earnest last year. If you watch television, you've probably seen the ad for MasterCard's PayPass version, which features Olympic marathoner Meb Keflezighi waving his card to buy sports drinks and other small items on the way to a race's finish line.
The technology looks cool; the card issuers assure us these transactions are encrypted and safe. But privacy advocates aren't so sure.
Grad students from Johns Hopkins University hacked a Speedpass a couple of years ago to get free gas. More recently, two researchers at the University of Massachusetts pulled unencrypted names, account numbers and expiration dates off contactless credit cards using a homemade scanning device.
The New York Times reported that one of the UMass researchers, Tom Heydt-Benjamin, was able to buy electronic equipment online using information pulled off a contactless card sealed inside an envelope.
The "Today" show aired footage demonstrating another data capture, in which Heydt-Benjamin concealed the scanner in a briefcase and "read" data from a contactless credit card in another person's back pocket.
The problem, you see, is that radio-frequency tags are always open to wireless access, whether you're using them or not. So anyone with the right equipment can read the data, and the equipment needed to do so is getting cheaper and more sophisticated all the time.
RFID technology isn't new or novel. It's gotten a lot more popular, but it's been used for years in:
- Corporate, government and student ID badges.
- Electronic passes that allow drivers to zoom by toll booths.
- Plastic tags on clothes to discourage shoplifting.
- Identification tags embedded under pets' skin.
- Books, compact discs and other media at many libraries.
Wal-Mart and other retailers are using RFID chips to track inventory. Ports use the technology to track shipping containers.
Furthermore, if you're a U.S. citizen, the next passport you get will contain an RFID chip. The federal government started issuing these in October 2006. Concerns about RFID signals led the government to include a small shielding device in the passports to block access to the chips' data.
Your contactless card doesn't have such a shield, but you can buy RFID-blocking sleeves for your contactless cards or create a simple one out of -- seriously -- aluminum foil.
Card issuers say sleeves aren't necessary, of course. They insist the unencrypted account information that the UMass researchers found was an anomaly and that most contactless cards employ stronger security.
Still, the idea that the card is always "open" -- and that we might not be able to control who is picking up our information and what's being done with it -- should concern every consumer.
"We think it's a pretty serious issue," said Marc Rotenberg, the head of the Electronic Privacy Information Center. "The contactless card design is inherently flawed."
It's not just the evildoers that concern Rotenberg. He wonders if retailers and others might quietly pull information from the cards sitting in unsuspecting consumers' wallets and add it to their databases.
Adam Levin, the founder of Credit.com, paints a more nightmarish scenario. He can picture bad guys who could access RFID data, then combine that information with other data about you that can be purchased off the Web.
"This could give someone yet another avenue into destroying your life," Levin said. "With enough information, they could get a feel for how much you're worth. ... They could target people for robberies, burglaries, carjacking."
The good news, if there is any, is that you typically wouldn't be on the hook for any charges made by a crook who merely stole and used your account data to buy stuff. And there are much easier ways for thieves to take your data.
So what do you do if your credit card issuer sends you a contactless card or you already carry one in your wallet? You have a couple of choices:
- You can send it back and demand a regular credit card. Your card issuer should comply; few will risk losing your business by trying to force the cards down your throat.
- If you like the technology and want to use it, consider buying or making a signal-blocking sleeve. Yeah, it might feel a little like making a tinfoil hat to keep out alien mind-reading beams, but better safe than sorry.
Identity Theft: Advice From the FTC Chairman
As chairman of the Federal Trade Commission, Deborah Platt Majoras is charged with protecting consumers from unfair, deceptive, and illegal business practices. Since her appointment in 2004, she has focused on identity-theft prevention through consumer education campaigns and lawsuits against companies that fail to protect consumer data. She spoke with Associate Editor Kimberly Palmer.
How vulnerable is the average person to identity theft?
The average person is vulnerable enough to identity theft that each and every one of us has to take some precautions in the way we handle our own information. It's difficult to get our arms around the true scope of the problem, but we do know that millions of Americans are victimized every year.
What should people do to protect themselves?
The first thing to know is that you need to be a smart consumer about protecting your personal information both online and offline. Online, you never give account information out unless you've initiated the contact. Don't throw away your bank statements that have your account numbers on them. Make sure you shred them. Make sure your wallet isn't lying around when you have people coming in and out of your home. Check your bank account and credit card statements very carefully to make sure there are no unauthorized withdrawals or transactions, and you need to check your credit reports from all three credit bureaus at least once a year. If you are victimized, act immediately. Report it to the police department, call the credit bureau, get an alert put on your credit report, and report it to the FTC.
Didn't your own credit card information get stolen?
Yes. The breach was at DSW Shoe Warehouse [in 2005]. They had their system hacked into, and my credit card was one of the card numbers that were taken. But to date, the card has not had any unauthorized use on it.
What should a person do in that situation?
You can cancel the card if you'd like. That's being the most cautious, or you can just monitor your statements very carefully. All I've been doing is just looking at my statement every month to make sure the charges are mine or my husband's.
Should people give out their Social Security number when they're asked for it?
I think it's perfectly legitimate for people to ask, "Do you really need to have this?" I've done this in the doctor's office, and I've been told, "Yes, we need to match it up with your insurance and so forth," and I've given it in those kinds of situations. I do think that there are likely places in the economy where we've always used Social Security numbers, but it may not be necessary, and we really should whittle it down to places where it is absolutely necessary.
You've said that you would support a national law against identity theft. What would that look like?
It would be useful if we had a standard across the board for all businesses [that] collect and use consumer information so everyone is subject to the same standard. The other thing we would support is that if there's been a data breach, organizations should have to inform consumers so they can take steps to protect themselves.
Why are those changes necessary?
We've been moving so quickly in this information age with new technology that is so fabulous, but we left some of these safety issues behind. What we're trying to do now is to literally catch up and develop a culture of security. It's important not just that consumer data not be stolen, but it's important that consumers keep confidence in the marketplace and that they know that if they go online and make a purchase, or they go into a store and hand over their credit card, that they're not at great risk. That is really important because the marketplace is all built on consumer confidence.