Another Phine Kettle of Phish:
Identity Theft Prevention
by Carol Ebbinghouse,
Law Librarian California, Second District Court of Appeal,
Los Angeles, Calif.
You read the headlines every day: 40-plus million
Americans have fallen victim to identity crimes. In
fact, one out of every 23 adults will become a victim
of identity fraud this year alone.
And the stories keep coming about the growing number
of large-scale security breaches: UPS loses CitiGroup’s 1 CitiFinancial
records on 3.9 million people and data files on millions
of consumers; LexisNexis and ChoicePoint sell information
to identity thieves; Wachovia and Bank of America customer
records are stolen by employees and sold to collection
agencies; CardSystems alone has exposed 40 million
Visa, MasterCard, and other company cardholders to
ID theft, resulting in the first class action lawsuit
2 in this area. Even more headlines on identity theft
will probably have emerged between the time I am writing
this article and when you read it.
The Better Business Bureau of Metropolitan New York
defines identity theft as “… when someone
uses your name, Social Security number, credit card
number or some other piece of your personal information
to apply for a credit card, make unauthorized purchases,
gain access to your bank accounts or obtain loans under
An article about Internet scams4 written by Riva Richmond
in the Wall Street Journal Online [http://online.wsj.com/article/
0,,SB111948675776567145,00.html] discusses the latest Gartner Inc. research on electronic
In a disturbing message for online retailers and bankers,
more than 42 percent of online shoppers and 28 percent
of people who bank online are cutting back on their
activity because of
“phishing” attacks and other assaults on
sensitive data, according to a May survey of 5,000
U.S. online consumers. … Some 2.4 million online
users have lost money to Internet scams, with total
losses amounting to about 929 million in the 12 months
ended in May. … Indeed, almost 46 percent of
online consumers surveyed reported having found malicious
software on their computers. More than 83 percent said
they had anti-spyware programs running on their PCs
to help them stay safe. … According to the survey,
33 percent of online shoppers concerned with Internet
fraud are spending less money than they would if they
weren’t concerned. And 77 percent of concerned
online-banking customers said they are using online
banking services less frequently. More than 4 percent
of those Internet banking customers concerned with
fraud have abandoned online banking altogether.
It’s not just online vulnerability that concerns
us. Paper statements and bills in unsecured mailboxes
can be stolen and used to steal identity. The California
Public Interest Research Group [http://www.CalPIRG.org] interviewed law enforcement officials; 68 percent identified
theft of snail mail as the leading threat — with
dumpster diving, stolen wallets, and unscrupulous employees
at banks and other lenders next in line. Even giving
a credit card to an unscrupulous salesperson or waiter
is a risk. They can make multiple runs on your card
or use a device called a skimmer to duplicate information
on the magnetic strip.
My ID has been stolen several times. The first time
was at a home show I attended with a friend. Two weeks
after registration, we both received calls from our
bank because of “unusual activity” on our
Visa cards. The thieves did not have our correct expiration
dates, but they spent thousands of dollars at stores
on the East Coast before the credit card company noticed.
The second time, I received a letter from UCLA —
thanks to the notification law in California — that
was sent to all 145,000 people who donated blood through
blood drives in the last 15 years. I had donated blood
at work, where everyone’s name, date of birth,
and Social Security number — yeah, just about
everything someone would need for identity theft — was
added to a database on a laptop. Weeks later, the laptop
was stolen from an unlocked van at another mobile blood
drive. The police classified it as an “opportunity
theft,” and no one thought the thief was after
the password-protected data. The letter notifying me
of the theft mentioned the steps that the university
planned to take in the future to protect identities,
such as data encryption, etc.
But imagine my surprise a few months later, when I
received another letter from UCLA! In this case,
someone had the names and Social Security numbers of
63,000 people admitted to UCLA Medical Center, information
stored on — you guessed it — a laptop that
was stolen. Again, although the laptop was password-protected,
there had been no data encryption and no evidence that
anyone at UCLA had followed steps to protect data since
the earlier laptop theft.
Fortunately, I live in California. Here — and
in a handful of other states (for a list of states
and their privacy laws, go to http://www.consumersunion.org/ and http://www.pirg.org/consumer/credit/statelaws.htm 5) — you
are notified by letter when your information has been
exposed to risk. If you don’t live in these states,
you’ll discover that you’re a victim of
identify theft only when a bill collector contacts
you about delinquent payments on a credit card account
or car loan you never heard of, or when you are arrested
because someone assumed your identity and failed to
appear in court after getting a traffic ticket (in
your name). California leads other states in handling
Thieves will grab laptops. And you can’t verify
that every organization holding data about you implements
password protection and encryption; meets government
banking, financial, and security audit requirements;
makes vulnerability assessments and scans; maintains
and updates firewalls; or takes other security measures
such as destroying6 (more than just shredding) paper
or electronic media consumer information. You also
can’t protect yourself from an unscrupulous employee
(with legitimate access to your personal and credit
information) from stealing it to use or sell to the
highest bidder. Although your personal and credit information
exists in many places, and all of them vulnerable,
you can, however, take steps to protect yourself online
What actions can you take and advise friends, colleagues,
and clients to do as well to protect themselves?
Ten Things to Do Today
1. Credit Report. Go to http://www.annualcreditreport.com,
or (877) 322-8228, to request a credit report by phone.
You will go through a simple verification process and
receive a report by mail. You can also print out a
form requesting your Credit Report by Mail and send
it to Annual Credit Report Request Service, P.O. Box
105281, Atlanta, GA 30348-5281 for a report from one
of the three leading credit reporting companies. Put
reminders on your calendar to request another free
report from a different credit reporting company every
4 months. If you request the credit report, make sure
it isn’t reported as an “inquiry,” which
could adversely affect your credit score.
2. Fraud Alert. If you think you may
have been a victim of identity theft, put a “fraud
alert” on your credit with any one of the credit
reporting services; this service will then contact
the others. With this one call, you will get free credit
reports and be contacted for permission before any
new credit is established in your name for 90 days.
If you are deployed in the military, place an active
duty alert with the credit bureaus. Though renewable,
these alerts do not impose a penalty if a creditor
doesn’t contact you to verify the person applying
for credit in your name is really you. The alert notifies
creditors about possible fraud and asks them to call
you before issuing any credit in your name. If you
are a victim of ID fraud, you can get the alert extended
for 7 years — but you need to prove it with a
police report (or, in my case, the letter notifying
me, per California law, that my information had been
3. Freeze Credit. In California,7 Louisiana,
Texas, Vermont, and a few other states (for a current
list, go to http://www.ncsl.org/programs/
you can have a
“freeze” put on your credit reports to
prevent credit reporting agencies from sharing your
information without your permission. In other states
you must become a victim of identity theft before you
can do this. Placing a credit freeze on my information
cost me $10 for each credit service, but it was cheaper
than the cost of credit monitoring services — even
if the freeze is lifted to apply for a car loan or
mortgage once a year. If you thaw your credit for a
big-ticket item, don’t forget to re-freeze it.
Remember, if you report an ID theft to the credit bureaus,
the credit- or fraud- “alert” initiated
only lasts 90 days and only notifies companies inquiring
about your credit. A freeze literally freezes your
credit report at that bureau for years. Only you can
unlock it with a PIN.
4. ChoicePoint Check. If your state
doesn’t have a law requiring a citizen to be
notified when information is compromised, check out
the information ChoicePoint [http://www.choicetrust.com] has on you. Go to the consumer division to print out
the application. Mail it in to find out what information
is in your files from public records, criminal files,
property owned, cars and boats, professional licenses
held, even business sanctions. Allow several weeks
5. P.O. Box. If you don’t have
a locked mailbox or someone trustworthy to receive
packages at home, get a postal box at a nearby center.
Otherwise, you could find your new checks lying on
your porch or in a mail bin for anyone to snag. There
are account numbers on the checks and perhaps credit
card information in the enclosed billing statement!
Be sure to mail payments from locked mailboxes. Mail
them from a post office or locked mail box on the street.
Having a postal box helps in other ways, too. You won’t
need to send change of address cards when you move.
For personal security, the only thing anyone knows
about you (from bills, checks, etc.) is your P.O. address.
6. Temporary Credit Card Numbers. Ask
your credit card issuers for substitute or temporary
credit card numbers for Internet purchases. You will
first have to register with the credit card provider,
but it is very safe procedure. Since this number isn’t
your real credit card number, no one else can use it.
My bank doesn’t offer this yet, but MBNA, a leading
international credit company, calls its service “ShopSafe”;
others may use different names. You can leave these
numbers with Internet vendors for re-use without putting
your own credit card number at risk. AOL has AOL secured
transaction numbers with a limited number of providers.
Expect to hear more about this and other new security
measures, because banks are liable for use of the credit
they issue. While your liability may not extend beyond
$50 or even nothing, a bank’s liability is nearly
7. Browser Alerts. Download a free Web
browser toolbar to alert you if you access a known
phishing Web site. The Anti-Phishing Working Group
recommends Earthlink’s ScamBlocker. Download
it for free at http://www.earthlink.net/earthlinktoolbar.
Also consider FraudEliminator (the basic version is
free, the FraudEliminatorPro costs $19.99) at http://www.fraudeliminator.com.
For more information, go to http://www.bbbonline.org/idtheft/virtual.asp.
Just be sure to get some protective measure set up.
8. Computer Security. Make sure your
computer has the latest security patches and updates.
If you need to learn how to do this, the GetNetWise
video tutorial [http://security.getnetwise.org/tips/autoupdate] can teach you how to check and update your system preferences
for both Microsoft and Apple computers. If your computer
runs Windows XP or Mac’s OS X, check http://security.getnetwise.org/tools/firewall on how to install the built-in firewall. If you run
or use wireless (Wi-Fi), use a privacy shield. GetNetWise
can also help you protect your network and wireless
Finally, if you share files (peer-to-peer), you should
also check GetNetWise concerning sharing procedures.
Its information is available in video; broadband [http://base.getnetwise.org/gnwtv/bb-filesharing2.ram];
and modem access [http://base.getnetwise.org/gnwtv/modemfilesharing2.ram].
The GetNetWise links are available courtesy of the
Better Business Bureau’s site [http://www.bbbonline.org/idtheft/virtual.asp].
9. Social Security Checks. Check the
Social Security Earning Statements that came in the
mail before your most recent birthday to make sure
the earnings for last year were correct. If the statement
reflects more income than you made, someone else is
probably using your number! Don’t forget to also
check your children’s statements. The theft of
a child’s ID can go undetected for years.
10. Photo ID. Inquire whether your bank
can add a photo ID to your credit card and/or debit
card. If so, get one. On the back of every card (in
permanent ink) write in the signature block, “PHOTO
ID REQUIRED” or “CHECK PHOTO ID.” While
your cards are in hand, make a list: Note the card
issuer, the 800 number for reporting lost or stolen
cards, the account number, the expiration date, and
the time of month the statements usually arrive. Think
about canceling some of the newest cards. Reducing
the credit available to you will likely improve your
credit score.8 This will not affect your oldest cards
with the longest payment history; these card you will
want to keep. Put the list in a safe; do not store
this information on your computer (you should have
a password by now) unless you have complete faith in
your Internet security software (updated each time
you open a browser). Cut up any cards you don’t
use but don’t want to cancel. Throw the pieces
into different garbage bins. Every little bit helps!
Seven Things to Do By Next Week
1. Monitor Accounts. I have created
“peek” at all my bank accounts online.
I can update each account in 2–3 minutes or less.
I have linked my retirement accounts, credit union
accounts, bank savings and checking accounts, 401(k)
accounts, brokerage account, and even credit card balances.
If money disappears, I’ll notice it. If credit
card balances go up unexpectedly, I can check the charges
online and detect a problem right away. After almost
a quarter-century of home-banking, I have never had
a problem with accuracy or security. According to the
FTC9 and the BBBOnline/Javelin10 surveys, people who
monitor their accounts online discover identity fraud
weeks before their paper-statement-only counterparts.
2. Get Online Bills and Statements via E-Mail. Sign
up for e-mail or online bills and statements. Identifying
information is stolen most often through unlocked mailboxes
or leaving bill payments in “outgoing” boxes.11 Each statement, if diverted, leaves you vulnerable
to fraud, since it contains your name, address, account
numbers, balances, and other personal financial data.
If you prefer paper statements and bills, get a mailbox
with a lock and deposit all your mail into secure postal
boxes. Buy a shredder (cross-cut is best) so precious
paper documents can’t fall into the hands of
a dumpster diver. If your information is on a CD-ROM,
be sure to smash it to pieces and toss the pieces into
separate trash containers. Pay bills online and you
will never need a paper trail. Want to keep your statement?
Download the information to a floppy, CD-ROM, or DVD
disk and you can sort by date, creditor, etc.
3. Opt-Out. Call (888) 567-8688 (888-5-OPT-OUT)
to prevent preapproved credit offers from being sent
out to you. If stolen from your mailbox, these preapproved
cards can become carte blanche for ID thieves, giving
them the perfect opportunity to run up items on a new
account billed to another address, one that you can’t
possibly know about until the collections agency calls
after the defaults have been duly noted on your credit
report. Read any and all privacy statements, which
tell you how to opt-out of getting solicitations from “partners” and
other third parties to prevent your information from
being distributed. Privacy notices can be found on
the Web. Contact the national Do-Not-Call registry
at (888) 382-1222 from your home phone or online [http://www.donotcall.gov].
It is free. If telemarketers still call, ask to have
your number added to the company’s do-not-call
list. Get the telemarketer’s name, keep a record,
and note the date. If the telemarketer calls again,
you have the right to sue them in small claims court.
Finally, the Direct Marketing Association (P.O. Box
643, Carmel, NY 10512) will also put your name on a
do-not-mail list, which should limit junk mail [http://www.dmaconsumers.org/consumerassistance.html].
4. Test Yourself. Take the Better Business
Bureau quiz on your risk level for ID theft [http://www.bbbonline.org/idtheft].
You will find out if you are doing enough to fight
ID theft and find out about more recommendations to
5. Reconsider Storing Credit Information with
E-Commerce Providers. Hackers have broken
into Amazon.com’s subsidiary Bibliofind.com.
Some Web companies may not even encrypt data files.
Think twice about such conveniences. The site may
not be as scrupulous about your privacy and security
as you are. What about the scrupulosity of the
next owner of a fly-by-night dot-com? Is using
more than one click to make a purchase and entering
your credit card number each time so onerous that
you are willing to risk ID theft?
6. Back Up Your Computer. Load anti-spyware
software12 to avoid your computer being hijacked, your
keyboard sniffed for credit card and other accounts,
or your keystrokes of bank URLs, passwords, login IDs,
7. Alphanumeric Passwords. If you use
any passwords or PINs with easy-to-learn information
(such as kids’ or pets’ names, mother’s
maiden name, nicknames, etc.), replace them with alphanumeric
passwords immediately. Change your login information
if you’ve had the same one at a site for years.
Alert/Credit Monitoring Subscriptions. Services
such as myFICO Identity Theft Security Deluxe [http://www.myfico.com/Products/
Privacy Guard, Privista, TrueCredit, Equifax Credit
Watch Gold, TransUnion’s “ID-Fraud Watch,” or
some such service from a credit reporting agency will
alert you to any inquiry about your personal information.
It won’t prevent intruders, but it will alert
you to changes on your credit report.
ID Theft Insurance. This insurance may
cover the time and money it costs to recover your good
credit, but the charges that the ID thief incurred
are not covered. These charges are between you and
your bank to resolve. All policies are not the same,
but look for a low (or no) deductible; coverage for
postage on certified letters, FedEx, phone charges,
and lost wages; coverage for notaries public and civil
and criminal defense attorney fees that can easily
run to thousands of dollars; and costs of denied credit,
of reapplying for a loan, and of removing negative
items from your credit report. Note: If you have a
prepaid legal plan through your employer or professional
association, you may not need ID theft insurance. Check
your policy or ask the sponsoring organization. Also,
check your homeowners or renter’s insurance policy,
which may provide coverage as well. This may be available
as an add-on for about $25 a year vs. $60–$180
for a stand-alone policy. One call to your insurance
carrier may save you money. Some companies, such as
Washington Mutual and PMC Bank in Pittsburgh, offer
customers a basic plan for free and a higher version
for a monthly fee. Check with your bank or credit card
company or go to http://www.BankRate.com (search for “ID
theft insurance”). The Insurance Information
Institute’s Web site also links to companies
offering coverage. Check each insurance company with
the Better Business Bureau [http://www.bbbonline.org] before making a final decision.
Worst-Case Scenario: Your Identity Is Stolen
If your identity is stolen, alert one of the following
credit bureaus immediately and the bureau will contact
the others to put a 90-day fraud alert on your accounts
and supply current copies of your credit reports. These
credit reports will help you identify accounts you
didn’t open and will notify you about high balances
that might indicate fraud. The Fraud Alert asks creditors
to contact you before extending credit in your name.
These are the credit agencies:
Equifax ‑ http://www.equifax.com;
(800) 685-1111 or (800) 525-6285
Experian ‑ http://www.experian.com;
TransUnion ‑ http://www.tuc.com;
(800) 888-4213 or (800) 680-7289
Innovis ‑ http://www.cbcinnovis.com;
On each credit report, check the personal information
for any address changes. Check credit inquiries from
unfamiliar lenders (not PRM, or promotional inquiries,
the source of those preapproved offers or inquiries
from your current creditors that don’t affect
your credit score). Hard inquiries are in response
to an application for credit or a loan and these will
impact your FICO score. Each type of credit inquiry
is clearly identified in each bureau’s credit
report. Note the date each account was opened, look
for new, unfamiliar entries or a suspiciously high
balance. Finally, check the public record section for
unknown liens or judgments. Notify each creditor with
a fraudulent account and ask what you need to do and
what can be done for you. Finally, when resolved, request
a document stating that you are not responsible for
Report the crime to your local police department.
Get a copy of the police report and the number because
you will need it for your files. In most states, you
cannot get more than a 90-day fraud alert without a
Contact your bank or go directly to its Web site.
National banks, such as Bank of America and Citibank,
have ID Theft Tool Kits and “theft solutions” (with
downloadable ID theft worksheets and information, as
well as 800 numbers of ID theft specialists to assist
you “every step of the way”).
Start a pocket file or notebook with partitions for
1, the police report; 2, credit bureau statements;
3, telephone call logs (one for each creditor/store/bank)
noting institution, department, and individual you
spoke with; date, time, and topic of the call; and
follow-up dates and information (who is to do what);
4, correspondence, copies of e-mails (download the
FTC sample letters for a start [http://www.ftc.gov or http://www.consumer.gov/idtheft]; review the correspondence
to make sure that the creditors have followed up; 5,
affidavits (federal forms available from the FTC [http://www.consumer.gov/idtheft];
6, clearance letters showing accounts cleared; plan
to save these for several years (or forever) to make
sure that the wrong information doesn’t resurface
or errors remain uncorrected.
Keep track of the time and money spent on phone calls,
fax, FedEx, postage, and other expenses (including
time off from work) because fraud losses and out-of-pocket
costs may be tax-deductible. See IRC 165(c) and ask
your tax advisor. If you have ID theft insurance, these
items are the basis of your claim.
If you detect misinformation on your credit report,
call the security/fraud departments of the fraudulently
opened accounts and have the accounts “closed
at customer’s request.” Be sure to request
that you not be held responsible for accounts you did
not open. Ask that these accounts be “permanently
removed, not just closed,” according to Mari
Frank, attorney, author13 and ID theft victim. You
will need to supply a copy of the police report before
the fraudulent account can be closed. Do not close
any account not affected by the fraud or you will lose
your long-standing credit history, which could jeopardize
your credit score. Ms. Frank also recommends that you
“report the theft to the major check guarantee/verification
[because] merchants use these databases to learn whether
you have a history of writing bad checks. Your bank
may not update this information right away.” She
also recommends checking for civil and criminal court
records “to make sure the thief hasn’t
incurred any lawsuits, civil judgments or criminal
charges in your name.”
Do not pay any bill based on fraud, no matter how
creditors or collection agencies hound you. Send a
copy of the ID theft report from your police report
to the agencies with a note telling them that if they
continue to call, they are violating federal law and
you will take legal action.
Check with the Department of Motor Vehicle (DMV) in
your state to see whether any fraudulent ID or driver’s
licenses have been issued in your name. If so, request
a fraud alert be placed on the national computer to
have the person arrested.
Get new PIN numbers and/or passwords on debit cards
and other online services (which should be done on
a regular basis).
Finally, if possible, prosecute the ID thief and use
expense records to seek restitution and damages. If
the mails were used in the fraud, then contact the
U.S. Postal Service [http://www.usps.com], or your
local postmaster. This can happen when a thief fraudulently
uses the mail to change the billing address on a credit
card or hijacks a preapproved credit card notice in
the mail. If your Social Security number has been fraudulently
used, report it to the Social Security Administration,
and find out how to correct your earnings record [http://www.ssa.gov/pubs/idtheft.htm].
Some ID theft victims have become so desperate to end
the nightmare that they have considered changing their
Social Security number. According to the experts, it
is extremely difficult to get permission to do this.
Unless you want to find yourself stripped of all credit
history, you will need to link to your old number anyway.
One can’t seem to escape one’s past. If
the perpetrator stole information by claiming to be
from the IRS, notify the Inspector General for Tax
Administration at (800) 366-4484. The FBI has an Internet
Fraud Complaint Center at http://www.ifccfbi.gov/strategy/howtofile.asp.
Some thieves may try to use your safeguards to their
advantage. For example, in the case of mass public
announcements about compromised data, dishonest people
might contact victims to “help.” Do not
release more of your private information, whether by
phone, e-mail, or Web site link. If you think the callers
are legitimate, get their number and call them back
via the phone number given on the official Web site.
Keep a record of such contacts and numbers.
Your Attorney General’s Office probably maintains
an identity theft registry and has information on your
state’s services related to identity theft. A
listing of all state attorneys general is available
at http://www.naag.org or http://www.naag.org/ag/full_ag_table.php.
Your state may have an Office of Privacy Protection
offering a variety of information and services about
identity theft. Go to the Identity Theft Resource Center
[http://www.idtheftcenter.org] and look at “Victim
Resources.” The Privacy Rights Clearinghouse
has statistics, fact sheets, and more information about
identity theft [http://www.privacyrights.org/identity.htm].
Finally, if a legitimate business won’t correct
your records after an identity theft, contact the Better
Business Bureau to file a complaint and get the matter
You can also file a complaint with the FTC [https://rn.ftc.gov/pls/dod/
While you cannot prevent the theft of your identity
from banks, credit bureaus, alumni offices, swiped
laptops without encryption, unscrupulous employees,
etc, you can take precautions to limit the odds of
identity theft. Just as using seat belts, yielding
to rights of way, and reading road signs may not prevent
all accidents, these precautions do eliminate many
risks. Using these suggestions will reduce the opportunities
for would-be ID thieves to make you his or her next
A friend shared a New York Times article (July
2, 2005) by M. P. Dunleavey, titled “Don’t
Let Data Theft Happen to You.” It notes that “what
will stop identity theft are stronger notification
laws and stronger penalties, which we don’t have
Learn about laws proposed in your state to make sure
that these laws are as strong as California’s
and make sure Congress does not water down any existing
laws on consumer notices, credit freeze, and other
protection for citizen credit. The credit bureaus have
been lobbying to eliminate such protections, which
make it harder to sell your credit information (a very
lucrative part of their business) to their real customers.
Lobby your state and federal representatives!15 Fight
on, especially at the local level. Representatives
at the state level can be more creative,16 responsive,
and even proactive than Congress.
You should be. Identity thieves get bolder ever day.
John A. Clarke, the executive officer/clerk of the
Superior Court of California, County of Los Angeles,
posted an urgent “Alert to the Public” on
the court’s Web site [http://www.lasuperiorcourt.org],
announcing that the “Court does not —
and will not — telephone jurors or potential
jurors and ask them to disclose personal financial
The notice links to an Aug. 26, 2005, “Warning
to the Public Regarding Identity Theft” announcing
that “The Los Angeles Superior Court has become
aware of telephone scams by identity thieves targeting
members of the public. They call, claiming to be court
employees needing social security numbers for jury
service. Court and jury employees never contact potential
jurors by telephone and would never, under any circumstances
request any personal or financial information over
the telephone.” The warning alerts readers that
“[s]imilar scams have been reported recently
in Riverside and San Bernardino counties as well as
other states. We urge all members of the public to
be aware of such scams and be careful whenever you
reveal confidential information over the telephone.”
Want to assess your risk? To take the Identity Theft
Test, visit http://www.idtheftcenter.org/idthefttest.shtml.
Is snail mail the threat? Take the U.S. Postal Inspection
Service’s “Mailbox Security Quiz”
Your Number, Please
In late September, a California judge ruled
that credit card companies don’t have to
notify customers when their personal information
is stolen. The class action suit was brought
on behalf of cardholders and merchants against
CardSystems Solutions, Visa, and MasterCard.
The judge said he didn’t see an “immediate
threat of irreparable injury” to consumers.
And Visa and MasterCard explained that by dealing
with the issuing banks —
not customers — victims did not have to
be notified. Apparently, this is one loophole
in the California law (passed in 2003) that’s
been touted as the model for disclosure legislation
in alerting consumers about ID theft.
Lucky for me, American Express is literally “watching
the store.” In early September, someone
halfway across the country made several charges
to my account. Within 48 hours of those transactions,
I had received two phone messages and a Western
Union Mailgram from the American Express Account
Security Group, asking about three charges totaling
nearly $1,000. Within 5 minutes of my call to
the 800-number to confirm that the charges weren’t
mine, the company’s fraud specialists launched
an investigation, canceled my card number, and
advised me to examine my coming bill thoroughly
for any other fraudulent charges. Sure enough,
there were two more transactions on my statement.
Because my home base was so far from the transactions,
American Express was quick to alert me of “possible
fraudulent activity.” A friend of mine
who travels frequently said American Express
occasionally asks him to call the company’s
800-number just to confirm that he is actually
using the card in another state.
Credit card fraud, according to American Express,
can happen any number of ways: a clerk makes
an extra imprint of your card, someone lifts
the account number and expiration date from an
old receipt, a telemarketer calls to enter your
number in a bogus contest, or a waiter swipes
a charge card in a device called a skimmer to
make a counterfeit card copy.
So what can you do? The American Express Web
site has some advice: Sign the backs of new cards
immediately; destroy old cards; don’t let
anyone use your card; don’t use see-through
envelopes or write account numbers on envelopes,
postcards, and checks; and never carry your PIN
or Social Security numbers with you. Likewise,
examine statements, notify the card company of
any unrecognized charges, and be sure to shred
preapproved credit card offers.
American Express also offers safety nets for
customers: The Fraud Protection Guarantee protects
customers from liability for any fraudulent charges;
a cardholder may be asked to provide his/her
billing ZIP code to verify identity. To safeguard
online purchases, more vendors are also asking
for the Card Identification Digits (CID) that
can be an extra precaution along with the account
number. Best of all, American Express offers
free Account Alerts to let customers know about
irregular account activity via e-mail, mobile
phone, pager, or PDA.
MasterCard and Visa also have safeguards, such
as zero liability coverage that protects customers
against unauthorized purchases made on an account,
whether in a store, by phone, or on the Internet.
A colleague of mine summed it up best when she
said, “When it comes to being a victim
of credit card fraud or ID fraud, it’s
not a matter of ‘if,’ it’s
a matter of ‘when.’”
Editor in Chief, Information Today
• ‑Never, ever carry
your Social Security card in your wallet, glove
compartment, or purse. Don’t automatically
print it on forms that request it. I don’t
and I am surprised how rarely people notice it, much
less insist on having it. It really isn’t “necessary,” except
for tax, Medicare, or other federal purposes. Requestors
will often happily accept another form of ID if you
don’t want to provide your Social Security
number or are satisfied with the last four digits.
If you carry a Medicare or insurance or other card
with your Social Security number on it, a friend
recommends copying it and carrying the copy with
all but the last four digits inked out. Give it a
• ‑Never, ever throw
out bills or statements before shredding them.
• ‑Never, ever use
“remember my password” on any service.
It will only help a thief who gains access to your
home or work computer, your laptop, or cell phone
(especially with Internet access).
• ‑Never, ever use
public access terminals or friends’ computers
to access any site requiring a password or ID.
Software that someone might have loaded could capture
all your keystrokes and use it to log on to your
accounts, get your essential financial data, account
• ‑Never, ever give
personal information over the phone to someone who
calls you. If the caller seems reputable, ask
for their name and phone number and call them back
using the public phone number in the yellow pages
or on their home page. If someone requests your Social
Security or credit card number, just give them the
last four digits. Legitimate companies don’t
call to get information they already have in their
• ‑Never, ever respond
to e-mails from the IRS about electronic audits.
The IRS doesn’t use e-mail. Such requests are
always phishing expeditions. Beware of “spoofing,” which
occurs when a hacker redirects customers of a legitimate
financial or shopping Web site to a look-alike site
in order to get your IDs and passwords, as well as
credit card numbers. Report phishing and spoofing
to firstname.lastname@example.org and email@example.com,
as well as to the company being spoofed, so customers
can be protected.
• ‑Never, ever respond
to requests for personal information in an e-mail — this
is classic phishing
— whether by replying directly or linking to
the company’s alleged Web site. If you give your
credit card numbers and personal data to strangers
posing as a company you know, then you have been “phished” or “spoofed!” Either
way, you are in big
potential trouble. Report it immediately.
• ‑Never, ever use
a stand-alone or unfamiliar ATM machine. Go an
extra block or two to use your own bank’s ATM
machine. Some public ATM’s have been found
to “capture” debit card numbers and PIN
numbers to create new cards.
• ‑Never, ever co-sign
a loan for a friend or family member. It increases
the risk of ID theft by the bank or car dealership
employees, the friend, and others. Lend cash if you
want, for that will limit your liability.
Under no circumstances should you ever skip over any
of these safety measures.
• ‑Always check
a Web site’s privacy policies before giving
personally identifiable information or e-mail address.
Find out if the policy requires you to opt-in or
opt-out from receiving promotional offers, newsletters,
on the first page, to list any information disclosed
to third parties, the names and addresses of all
third parties, and provide an opt-out mechanism for
the consumer. If you don’t go to the privacy
policy, you won’t be able to “opt-out”
of the privilege of receiving direct marketing from
these third parties.
• ‑Always check
your statements. Examine statements for the balances
due, as well as wrong amounts, duplicate transactions,
transactions in odd stores, or at odd times. Watch
for statements that you normally receive regularly,
which may have been intercepted by thieves.
• ‑Always go
direct to home pages. Don’t rely on a link
from an e-mail to get to a company or organization’s
Web site. Go directly to the Web site through the
known Internet URL. If the real site does not ask
for the information, then report the scam to the
company so it can handle it and alert other customers.
If you suspect a scam, contact the FTC at 888-FTC-HELP.
Put your tax dollars to work.
• ‑Always look
for “https” in the URL whenever you
give personal information. That means it is a secure
site. Also look for a little yellow padlock on the
bottom of your screen — and make sure it is
locked. If it looks unlocked, don’t give any
personal information. Look for the VeriSign shield
and click on it to make sure it links to the VeriSign
site and has not just been “pasted” in
to look like a reliable site.
• ‑Always keep
firewalls and antivirus software current. Make
sure that your firewalls and antivirus software are
up-to-date every time you turn on your computer,
before you open an online browser. Regularly verify
that you have the latest version of your browsers.
Check your computer for spyware with free programs
such as Lavasoft’s Ad-aware and Spybot Search
and Destroy. Download security patches. Check for
Microsoft patches at http://www.microsoft.com/security/ or http://www.microsoft.com/athome/security and
verify that you have 128-bit encryption (see No. 8
of “Things to Do Today” on page 20).
Change your passwords at occasional intervals.
• ‑Always use
a locked mail receptacle. Even if you have e-bills
for all of your creditors, a pay stub or insurance
statement can bear your Social Security number, employer,
address, and more. Don’t let this information
sit in an open or even unlocked mailbox. And always
shred bills, statements, etc., before throwing them
into the trash.
• ‑ Always note
each credit card usage. In your personal calendar,
write down every time you use the card along with
the location and amount of every charge so you can
instantly verify a legitimate purchase from a potential
fraudulent one. And check your bank and credit card
statements for unauthorized purchases.
• ‑Always use
passwords on every machine: office and home computers,
laptop, PDA — even your cell phone. If you
can set up a password through software or hardware,
do so. Consider changing passwords twice a year when
you change your clocks. If you are like me and have
many passwords for online accounts, database companies,
Internet service providers, workstations, library
cards, then keep a list of the name of the service
and a personal clue to the password.
• ‑Always verify,
verify, verify. Telltale signs of a phishing
e-mail include the following: looking as slick as
the legitimate one; requesting information verification;
not addressing e-mails to your name as listed on
an existing account; playing on your fears relating
to security using scare tactics; and, of course,
requesting personal information to validate an account.
Doing that may download a small program that logs
your keystrokes when you enter your account number(s)
Here’s what we need to protect our credit
• ‑Require credit reporting
agencies to verify all “adverse information” before
reporting it to make sure it is not due to an ID
• ‑A national law requiring
consumer notification of compromised personal data.
• ‑An outside time limit
• ‑An adequate definition of “personal
information” that specifies links between credit
information and Social Security number, driver’s
• ‑Prison terms for those
who use data fraudulently.
• ‑The option of free credit
freezes (with free thaws with use of the PIN established
by the consumer).
• ‑Forbidding use of Social
Security numbers on healthcare or other ID cards
(such as student ID cards, driver licenses).
• ‑Requiring encryption and
future state-of-the-art protections as well as password
protection of all confidential personal consumer data
(such as Social Security number, driver’s licenses;
date of birth; account, credit and debit numbers;
Web Sites with More Information
Better Business Bureau
A wealth of information.
Check Guarantee Companies
Cross Check (800)
Global Payments (800)
‑Publisher of Consumer Reports. Check
out the September 2005 issue with its “Online
Survival Guide,” a collection of ratings of programs
fighting viruses, spyware, and spam, beginning on page
Department of Justice
‑The FBI has an Internet Fraud Complaint Center:
Federal Trade Commission
‑Your tax dollars at work. For a free pamphlet, “When
Bad Things Happen to Your Good Credit,” go to
Financial Privacy Now
‑This group wants Congress to pass more financial
Identity Theft Prevention and Survival
‑Mari Frank’s organization. You can also
call (800) 725-0807.
Identity Theft Resource Center
Privacy Rights Clearinghouse
Public Interest Research Group
‑An excellent organization on all kinds of consumer
issues. There are also state groups such as California’s
CalPIRG at http://www.calpirg.org.
Have They No Shame?
Even in the middle of a national catastrophe, some
people see opportunity. Watch out! Charity scams are
everywhere. Li Yuan described the rise of disaster
parasites in The Wall Street Journal article, “Online
Scams Solicit Katrina Donations, Risk Identity Theft” (Sept.
8, 2005, p. B1). For background on charity scams, you
might check out an article I did for Searcher in
the July/August 2000 issue,
“Avoiding Charity Fraud and Misinformation from
Non-Profits on the Internet,”
or even the book edited by Anne Mintz and published
by Information Today, Inc. entitled, Web of Deception:
Misinformation on the Internet (2002, ISBN: 0-910965-60-9)
1 ‑Citibank and Bank of America have Web sites
with a wealth of information on how customers can protect
their data, passwords, etc.
2 ‑Harrington v. ChoicePoint, No. 2:05-CV-01294-SJO-JWJ
3 ‑See http://www.bbbonline.org/idtheft/consumers.asp.
This site has a wealth of information, including how
to defend yourself online at http://www.bbbonline.org/idtheft/virtual.asp.
4 ‑For a list of the current Internet scams
by categories, complete with alerts and examples, go
to http://www.idtheftcenter.org/alerts.shtml For
a list of the major credit security breaches, visit http://www.consumersunion.org/
5 ‑See also the National Conference of State
Legislatures: For breach notice legislation, http://www.ncls.org/programs/lis/CIP/priv/breach.htm and
for security freeze legislation, http://www.ncsl.org/programs/banking/SecurityFreeze_2005.htm Another
site to monitor state ID theft laws is http://www.ckfraud.org/idtheft.html.
6 ‑See the Fair And Accurate Credit Transactions
(FACT) Act of 2003 and the Federal Trade Commission
Rules effective June 1, 2005, 16 CFR Part 682. See
also http://www.privacyrights.org/ar/FTC-DisposalRule.htm and http://www.ftc.gov/bcp/conline/
7 ‑See Cal. Civil Code §1785.11.2through §1785.11.6.
8 ‑An excellent article on credit scores appears
in the August 2005 issue of Consumer Reports.
In addition, FICO (Fair Isaacs Company) itself has
written on ID theft at http://partners.myfico.com/email/071205/?LPID=FICO122.
9 ‑The FTC survey can be found at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
10 ‑The announcement of the most recent surveys
appears at http://www.bbbonline.org/IDtheft/safetyQuiz.asp.
11 ‑See the Better Business Bureau ID theft
statistics at http://www.bbbonline.org/update/issue.asp?id=48.
Also check out the complete chronology of data breaches
reported since the ChoicePoint Incident at the Privacy
Rights Clearinghouse: http://www.privacyrights.org/ar/ChronDataBreaches.htm.
The word “complete” is a misnomer because
the financial institutions still don’t want us
to know that any one of them has been victimized (along
with their clients). For instance, L.A. Times columnist
Michael Hiltzik reported that a laptop computer was
stolen from Bank of America in northern California
containing his Social Security number, name, address,
phone number, and online banking ID on May 20. BA didn’t
call him until 5 weeks later and, when he searched
for “news clips to learn what BA had said publicly
about the May 20 theft, it turned out that the bank
had never disclosed the incident to the general public.
It merely notified the 18,000 California customers
whose privacy may have been threatened, as required
by [California] law, and only after a month had elapsed”
12 ‑See the article by Ross Greenberg, “How
Spyware Works,” for software information, steps
to take on your computer right now, and antispyware
Web sites at http://www.securitypipeline.com/shared/article/
13 ‑Mari Frank, “From Victim to Victor” from
14 ‑See Cal. Civil Code §1798.83.
15 ‑For a sample e-mail to send your representatives,
go to financialprivacynow.org.
16 ‑The Consumers Union and the Public Interest
Research Group have an excellent 25+ page publication, “The
CLEAN Credit and Identity theft Protection Act: Model
State Laws: A Project of the Public Interest Research
Groups and Consumers Union,” by Ed Mierzwinski,
Kerry Smith, and Sarah Ackerstein of the state PIRGs
and Gail Hillebrand, Senior Attorney of Consumers Union.
Dated November 2004 in print, it is updated regularly
on the Web. In addition, Gail Hillebrand’s,
“After the FACT ACT: What States Can Still Do
to Prevent Identity Theft” is available at http://www.consumersunion.org/
For a compilation of federal statutes and a bibliography
of select resources on identity theft, please see www.llrx.com/features/idtheftguide.htm.