Identity Theft: A Personal Risk Management Approach (Part 2)
August 2005
After identifying and analyzing the identity
theft loss exposure (see Part 1), the next step is
to select the appropriate risk management techniques. Arguably, the most important
technique is risk control. The goal of risk control is to reduce the possibility
that a loss will occur and/or reduce the severity of the loss if one does occur.
by Robin Olson
IRMI
Choosing effective risk control techniques is the best mechanism to reduce
the likelihood of an identity theft and the severity of the theft. Risk control
techniques are classified into two major categories—loss prevention and loss
reduction.
Loss Prevention
The goal of loss prevention is to reduce or eliminate the possibility of
loss. In regard to identity theft, the goal is to avoid becoming a victim. There
are various techniques a person can take in the home, online, outside the home,
at work, and when traveling to reduce the chances of being victimized.
In the Home
The first step to prevent identity theft from striking at home is to securely
safeguard personal information. For example, an alleged representative of a
bank may call a customer asking for certain information for "account verification
purposes." If a person, however, receives an unsolicited phone call from someone
asking for financial information, this call is probably fraudulent since the
bank already possesses this data. According to Security Analyst Robert Hammond,
"the only purpose of such a call is to steal that information." Personal information
should never be given out by mail, phone, or in person unless the individual
has initiated the contact and knows the entity being addressed.
Passwords for credit cards, and bank accounts should be memorized and not
shared with anyone. Persons should avoid using their mother's maiden name, date
of birth, or the first three or last four digits of their Social Security Number
(SSN). In addition, the SSN should be shared only when absolutely necessary.
The Social Security card should not be kept in a wallet or purse except in unique
circumstances, such as the first day on a new job. Instead, it should be stored
in an extremely safe place, such as a safety deposit box. The SSN should also
not be utilized as an account number of any type, according to the Social Security
Administration, and should never be printed on personal checks.
Individuals should be cautious when storing personal information in the home,
especially if he or she has a roommate, employs outside help, or has frequent
guests or visitors. According to one legal expert, "The three items identity
thieves most covet—your Social Security card, birth certificate, and passport"
should be kept in a safety deposit box.
Investing in a high quality shredder is a wise move to prevent identity theft.
Dumpster divers are particularly interested in preapproved credit card applications,
old credit card statements, and other financial documents. Many persons are
unaware of the dangers of simply throwing away the credit card applications
because a thief can retrieve the application, mail it in with the address changed
to the thief's own address, receive the new cards in the victim's name, and
immediately run up charges. The main point is that a person should shred all
financially-related documents once they are no longer needed.
A person may opt out of receiving preapproved offers of credit cards or insurance
by calling 1-888-5-OPTOUT (1-888-567-8688) or accessing www.optoutprescreen.com.
The Direct Marketing Association operates this service, which excludes a person's
name from preapproved credit card offers for at least 5 years. In addition,
people can instruct the three major credit bureaus in writing not to share their
personal information. By writing directly to the three major credit bureaus
listed in Exhibit A, consumers can ensure that their names will no longer appear
on direct marketing lists.
Equifax, Inc.
Options
P.O. Box 740123
Atlanta, GA 30374-0123
www.equifax.com
800-525-6285 |
Experian
Consumer Opt-Out
701 Experian Parkway
Allen, TX 75013
www.experian.com
888-397-3742 |
TransUnion
Marketing List Opt Out
P.O. Box 97328
Jackson, MS 39288-7328
www.transunion.com
800-680-7289 |
Outgoing mail with important information should never be placed in personal mailboxes. Instead,
it should be mailed at the post office or a secure postal box. When ordering
new checks, an individual should pick them up at the bank. If a person has a
post office box, this address should be listed on personal checks, so that thieves
will not know the person's residential address.
It's also a good idea to order credit reports on an annual basis from all
three major credit bureaus. A new federal law now requires each of these credit
bureaus to provide one free annual credit report to each consumer. The free
credit reports are available by accessing www.annualcreditreport.com or calling 1-877-322-8228. This service allows consumers to check for unusual
activity and take quick action, which could impede an identity theft in its
early stages. This allows consumers to close out all unused accounts so that
there is as little information about them as possible.
There are several miscellaneous steps a person can take if a checkbook, wallet,
or purse is stolen. Show only your initials rather than your first name on checks.
With this method, if your checkbook is stolen, the thief will not know how the
checks are signed, but the bank will. When writing checks to credit cards companies,
place only the last four digits of the credit card number on the check. The
credit card company knows the rest of the number. In addition, persons should
photocopy both sides of each license, credit card, and other important information
and keep in a safe but accessible place. These copies allow the victim to contact
the appropriate parties as quickly as possible if a theft occurs.
Online
There are numerous techniques a person can implement to reduce his or her
exposure to online identity theft. First, information on a personal computer
(PC) should be secured through the use of the following.
-
Anti-virus software which scans the PC for viruses intended to harm the
system. This specialized software removes the virus before any damage occurs.
-
Firewalls head off destructive programs before they strike. Norton and
McAfee offer firewall software at affordable prices.
-
File encryption software that secretly codes and secures the files on
a PC.
-
Password protection software secures sensitive files.
Never open up unsolicited e-mail or spam. There are several anti-spam programs
that effectively filter out spam before it lands in you inbox.
Be wary about shopping online. According to a June 2, 2005, report by the Dallas Morning News, one survey showed
that three-fourths of Internet users believe that if a Web site has a privacy
policy, this automatically means the site won't share data on its shoppers with
others. This privacy policy, however, often simply explains how a Web site shares
data with other companies. A consumer should never purchase anything online
from a merchant without a secure server. According to Internet Concepts, Inc.,
"all Web servers that handle credit cards should use SSL (secure socket layer)
encrypted communications. While a secure server discusses sensitive credit card
information with the customer, anyone eavesdropping on this electronic conversation
through any Internet computer … will only see illegible data."
Secure Web sites have an address that begins with https://, with the "s"
indicating that the site is secure. The "s" only appears in that section of
the Web site in which customers enter their financial or personal information.
Another way to determine the security of a Web site is to look for a closed
padlock displayed at the bottom right side of the page. If that lock is open,
the Web site is probably not secure. According to one computer specialist, a
person should double click on the closed padlock to check the "certificate"
for the site. The Secure Certificate Authority ensures the identity of a remote
computer via this certificate process, which should specify to whom the certificate
is issued. This party should be the same as the one shown on the Web site being
visited.
Outside the Home
There are many steps a person can take while outside the home to reduce the
exposure to identity theft. First, an individual should reduce the amount of
personal information in his wallet. For example, a consumer should pare credit
cards down to one or two and cancel the remaining cards. In addition, a person's
Social Security card should nearly always be stored in a safety deposit box.
Second, an individual should be wary of his surroundings when approaching
an ATM or public telephone or when using a cell phone in a public location.
All efforts should be made to prevent shoulder surfing. In public areas, criminals
can more easily abscond with these important numbers by watching the unsuspecting
person's fingers or by utilizing a video camera with a zoom lens. A shoulder
surfer can also listen near a public or cell phone while the victim is giving
out a credit card number to reserve a hotel room or rent a car. A quiet, private
location is best to minimize eavesdropping.
Third, an individual should avoid giving out his SSN to merchants when shopping.
If an identifier is absolutely necessary, simply reciting the last four digits
of the SSN often suffices. Some businesses request the SSN for general record
keeping. In this event, the consumer should ask the merchant to use another
identifying number.
At Work
While at the job site, ascertain who has access to the employee records and
verify that this information is securely maintained. The employee should also
ask his employer not to use the SSN as a personal identifier.
When Traveling
When engaged in business or pleasure travel, have your mail held at the post
office or ask a trusted neighbor or friend to retrieve it each day. Stop all
newspaper delivery as well. While on the road, avoid passing on personal financial
information to another party unless the setting is private. In addition, while
traveling abroad, passports, driver's licenses, and other key data should be
stored in the hotel's safe, if possible. A traveler should keep only a copy
of his passport on his person.
Loss Reduction
Rigorous loss prevention efforts reduce the chance of a loss, yet identity
theft still occurs. There are multiple steps a person can take to mitigate the
effects of the identity theft after it occurs. These include the following.
-
Contact the "Big Three" credit bureaus
-
Notify law enforcement
-
Contact all creditors
-
Notify the bank regarding check theft
-
Complete the ID Theft Affidavit
-
Contact the Federal Trade Commission (FTC)
-
Notify the Social Security Administration office
-
Obtain legal advice if necessary
-
Organize the repair process
Contact the "Big Three" Credit Bureaus
Identity theft victims should immediately call the three major credit bureaus,
as shown in Exhibit B.
Request that a fraud alert be placed on the account. A fraud alert is a notice
placed prominently on a credit report that informs creditors and potential creditors
that this person is a victim or a possible victim of identity theft due to the
compromising of personal data. With this alert on the credit report, creditors
or potential creditors must first call the person for proper verification. This
fraud alert should remain in place indefinitely or until the victim asks that
it be removed.
The victim's statement should also be included in the report. This statement
may read something like "I am the victim of identity theft. Someone has used
my identification to fraudulently apply for credit. If an application for credit
in my name is received by your organization, please contact me directly at ###-###-####
prior to extending credit." The credit bureau must also provide free copies
of credit reports for victims every few months to allow the person to monitor
all changes.
The credit bureaus should also remove all inquiries generated due to the
fraudulent access. In addition, the victim should ask the credit bureaus to
notify those who have received the disputed credit report and alert them about
the problem.
Notify Law Enforcement
According to the FTC, identity theft victims should file a report with the
police in the locale in which the theft occurred. They should ask for a copy
of this police report, which can help with creditors who need proof of the crime.
If the local police are reluctant to take the report, they should ask to file
a "miscellaneous incidents" report, or try another jurisdiction, like the state
police. Unfortunately, the police are not always keenly interested in assisting
in this crime. Victims can also contact the particular state Attorney General
to discover whether police are required to file reports in incidences of identity
theft.
Contact All Creditors
Identity theft victims should also contact creditors, credit card companies,
banks, and other lenders, and close any accounts tampered with or opened fraudulently.
The injured party should ask for the security or fraud department of each creditor
when calling. In addition, the theft or compromising of data should be reported
to these companies in writing.
Notify the Bank Regarding Check Theft
If checks are stolen, the account should be immediately closed. Be sure to
ask the bank to notify the appropriate check verification service, such as TeleCheck
or Certegy, Inc. While no federal laws limit check theft losses, state laws
may protect the victim. Most states hold banks responsible for losses stemming
from forged checks, but banks can require their customers to notify them of
the theft in a timely manner.
Complete the ID Theft Affidavit
In 2002 the FTC unveiled a new tool to assist identity theft victims in restoring
their good names. The ID Theft Affidavit allows victims to report the theft
to many companies at once, particularly where new accounts are opened in the
victim's name. Previously, victims typically had to fill out a separate reporting
form for each fraudulent account opened by the identity thief. This affidavit
is available on the FTC's Web site.
Contact the FTC
The Social Security Administration also recommends that identity theft victims,
particularly where theft of an SSN is involved, immediately contact the FTC.
The FTC serves as the federal clearinghouse for identity theft complaints. While
this governmental body does not resolve individual consumer credit problems,
it utilizes an online complaint process that helps the government investigate
fraud and can lead to effective law enforcement action. The FTC enters Internet,
telemarketing, identity theft, and other fraud-related complaints into a secure,
online database available to hundreds of civil and criminal law enforcement
agencies worldwide.
Notify the Social Security Administration Office
Identity theft victims should also contact the Social Security Administration
(SSA) office if their SSNs are being illegally used by thieves for work purposes.
One mechanism to determine this is to check the social security statement. In
unsolvable cases, SSA can assign the victim a new number, but it cannot guarantee
that this measure will permanently fix the problem. It cannot issue a new SSN
if a person has filed bankruptcy; tries to avoid the law or legal responsibility;
or has had their card lost or stolen, but where there is no evidence that a
criminal is using the number on the missing card.
Obtain Legal Advice If Necessary
Even after doing all of the above, it may be necessary to contact an attorney
to help restore your good name. Contact the American Bar Association (ABA) for
assistance in finding an attorney who specializes in identity theft issues or
consumer law. More information is available for locating attorneys at www.abanet.org/legalservices/findlegalhelp/home.cfm.
Many cities also have local ABA offices to call to get attorney leads. Another
good online reference for locating attorneys is Martindale-Hubbell at http://www.martindale.com.
Organize the Repair Process
One of the keys to regaining a stolen identity is to be extremely organized
during the whole process. Without total dedication to organization, a victim
becomes easily overwhelmed when dealing with the countless parties that need
to be contacted. Being disorganized can also slow down the process of fixing
the problem. Mari Frank, an attorney who experienced identity theft herself,
provides several reasons why great organization facilitates the restoration
process, including the following.
-
Professionalism—being organized results in greater respect from creditors,
credit bureaus, attorneys, and law enforcement agencies.
-
Peace of mind—a sense of empowerment is experienced when the victim can
access the information when necessary.
-
Effectively answer questions—when all the documents are efficiently organized,
the victim is able to speed up the repair process when answering inquiries.
-
Prove violations—a documented paper trail assists legal counsel who may
need such documentation to analyze the case. It can also save legal fees
because the attorney will not have to perform many of these functions.
Ms. Frank also recommends that identity theft victims follow nine specific
steps in this organization process, as abbreviated in Exhibit C.
| Obtain proper supplies and equipment |
Examples include file folders, filing
cabinet, color labels, legal pads, word processor, and printer. |
| Be prepared at the start |
A legal pad, pen, and master log should
be ready for the first phone call. |
| Log all phone calls |
The name of the person, title, direct
phone number, e-mail address, mailing address, date, and time of call
should be properly documented. |
| Record details of conversation |
Information should include an overview
of what each party said, tasks each must perform, and information or
documentation that is needed by either party. |
| Establish a filing system |
This step involves setting up a file
folder for each merchant, bank, or agency involved in the process. In
addition, a filing system on the computer for items that can be stored
electronically should be established. A master list of all the names
and contact information for the people at the various entities is important
to maintain. |
| Establish an expense file |
This file should include costs incurred,
time spent for each step of the process, payments to anyone hired to
assist, travel and mileage expenses, and lost wages or time off from
work. |
| Maintaining composure |
The victim should not panic or let
the situation become overwhelming. Establishing a time of day to check
the log and calendar helps to reduce stress. |
| Innovate |
While engaged in this process, the
victim should incorporate any improvements or innovations into the plan. |
| Persist |
Real effort and perseverance finally
results in the recovery of the victim's identity. |
|
Source: Frank, Mari J. From Victim to Victor. Laguna
Niguel, California: Porpoise Press, 1998.
|
Part 1 of this article appeared in July, and Part 3 will be published in September.
References
Arata, Michael. Preventing Identity Theft
for Dummies. Hoboken, New Jersey: Wiley Publishing, 2004, p. 107.
Better Business Bureau. Identity Theft.
2004. Available from URL: www.macon.bbb.org [June 18, 2005].
Federal Trade Commission. "ID Theft: When Bad Things Happen to Your Good
Name." 2005. Available from URL: http://www.fmsmf.org/newsletter7/badthings3.htm [July 2005].
—"Press Release—Federal Trade Commission Announces ID Theft Affidavit." [February
5, 2002].
—"Take Charge: Fighting Back Against Identity Theft." 2004. Available from
URL: www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm [June 24, 2005].
Godinez, Victor. "Shoppers Online not Always on Guard." Dallas Morning News, June 2, 2005: 1D.
Hammond, Robert. Identity Theft. Franklin
Lakes, New Jersey: Career Press, 2003.
Internet Concepts, Inc. "Merchant Account Glossary." 2005. [June 21, 2005].
May, Johnny. Johnny May's Guide to Preventing
Identity Theft. Bloomfield Hills, Michigan: Security Resources Unlimited,
LLC, 2004.
Privacy Rights Clearinghouse. "Coping with Identity Theft: Reducing the Risk
of Fraud." San Diego, California: Privacy Rights Clearinghouse, 2003.
—"Fact Sheet 23: Online Shopping Tips." 2005. Available from URL: www.privacyrights.org/fs/fs23-shopping.htm [June 21, 2005].
Social Security Administration. "Identity Theft and Your Social Security
Number." Feb. 2004. Available from URL: www.ssa.gov/pubs/10064.html [June 21, 2005].
United States Department of Justice. "What are Identity Theft and Identity
Fraud?" 2000. [April 20, 2005.]
Weisman, Steve. 50 Ways to Protect Your Identity
and Your Credit. Upper Saddle River, New Jersey: Prentice Hall, 2005.
Yip, Pamela. "Credit Bureaus Cope with Demand." Dallas Morning News, June 2, 2005: 2D.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.