Saturday, June 25, 2011

How to survive identity theft

Waitasecond. Someone out there is pretending to be me? Attempting to get credit? In my name? Why those dirty bastards!

This, dear readers, is how to prepare for, and deal with, identity theft.

What happened?
Someone, persons unknown to me, pretended to be me in order to attain credit at department stores and buy things. Expensive things. Really expensive things.

How'd they do this, JRub?
They had my name, my SSN, my phone number, and a driver's license with my current address.  They walked into a few really swish department stores and, pretending to be me, tried to buy designer-label goods. Little do they know I'm an Armani or a Zegna kind of man, and clearly not a Ferragamo or a Paul Smith dude. Pfft. Idiots.

How'd they get that info!?
I haven't a clue. I have some guesses, all semi-educated, as to how they might fish up my personal info. But let's leave it at that - they got it, and they used it.

What happened?
Very little. Most credit for this schmuck was denied. And I found out about it so quickly that the door of felonious opportunity slammed shut so fast that the dumb bastard couldn't get away with very much.

How'd you find out?
  • I subscribe to a credit-monitoring service (see below) and received an alert of several credit inquiries against my report.

  • One of the retail stores called me to ask ..."if I still wanted the Ferragamo". I did not; that was not me; I was not in the store that day (or week, or month). This confirmed the credit-monitoring alert that someone was pretending to be me. I got as much information as I could from the store clerk who called me.

  • I received a letter from another retail credit company asking for verification of identity. Again, it wasn't me.

  • Once I knew there was fraud going on, I called each and every credit fraud dept at each business for each incident of which I was made aware by the credit monitoring service. I asked for as much information from them as possible and answered all of their questions. 

How to protect yourself before any fraud occurs. Or: the paranoid, proactive part of the story
Years ago I purchased a subscription to one of those credit-monitoring services. Whenever there is a change of any kind to my credit on any or all of Experian, Equifax, or TransUnion reports, I receive an email indicating the change and the approximate date of activity.

This, it turns out, was a wise move:
  • Good: I received an email within days of several credit inquiries against my credit history.

  • Bad: Some (but not all) of the reporting was up to 4 days behind the actual credit inquiry event, and two days behind a fraudulent credit event. I'd have liked the notification to have been within hours of every, and not just some, activity, but: a few days at most is better than nothing, or than a month.

  • Summary: GOOD, because I found out that something fishy and illegal was going on within days, and not weeks, of the event(s). I was able to respond very quickly and shut the door of criminal opportunity.
Without this service, I would not have known that some loser was out there lining up credit in my name, using my personal information, as quickly as I did.

What happens when someone steals your identity (Or: the reactive part of the story):
  1. As soon as you get notice from your credit-monitoring service (usually via email, but you can get notices via SMS) that funny business is going on with your credit history, read:

    What to do if your identity is stolen

  2. Place a fraud alert on your credit reports at all three agencies.

  3. Place a security freeze on your credit reports at all three agencies.

  4. Immediately, and I do mean immediately, contact the creditors' credit-fraud departments and get the credit lines canceled (or suspended).
    Get as much information as you can from them as to what information the thief had, what they purchased, when, and where. Get the mailing address and email (or fax number) of the credit fraud department, and if they have their own fraud claim form, have them send one to you. You'll need the information you receive from them in later steps, below.

  5. File a police report with your local police. (I walked to my local police station with all the paperwork I needed, organized, and prepared. The officer was very helpful: I made his job easy and he went the extra mile for me).

  6. File an FTC Identity-theft complaint form. You can use this to help get the fraudulent credit canceled by the creditors as well as removed from the credit agencies' reports. This is where you'll need the information you asked for from the credit fraud department (above).

  7. Send a copy of the FTC form, and any police reports if available (you should at least have the report or case number) to the creditors' fraud claims department. Send it via fax, email, and regular mail. If the fraud department(s) have their own form, of course fill that out and return it as well.

  8. Contest any fraudulent credit reporting with each credit bureau. You may need to send them copies of the reports as well.

  9. Don't let up until the fraud has been removed from your credit reports, and you're not responsible for paying anything. Not one thin dime. Keep contesting the credit report, and keep at it.

  10. Watch your mail over the coming months. You may receive a bill for credit you've never asked for, or a letter requesting clarification of identity, or a bill for some new service, or a collections notice. This is an indication of additional fraud the credit monitor may not have picked up or been alerted to, and you'll need to act.
In summary: Do not fuck around. Act, and act immediately. Show the world (and the would-be creditors, and the credit bureaus) that you are like-a-goddam-heart-attack serious.

WTF are these credit bureau or credit agency things you're talking about, Mr. Rubble?
If you don't know what a credit bureau is, and you're in the U.S., read this:

Can't I get a free copy of my credit report?
Why yes; yes, you can. Read here for more info:

What else can I do to prevent loss, web identity theft, hacking, or other financial damage?
Here are some general tips that can help you reduce the probability of significant financial loss.
  1. Register with a credit-monitoring service that covers all three major bureaus, or with the credit-monitoring service of one (or all) of the credit bureaus.

  2. If the monitoring service alerts you to activity that you did not initiate, act immediately. (see above)

  3. Use complex passwords for every website you use.
    • a simple password is one that reads like a real language or sequence: examples are "fluffy", "fido", "123 Main Street", "123456789", "1020304050" or even keyboard patterns that are easily guessed like "1q2w3e", "qwerty", "asdfgh", and so on. Also, any proper name like "Chicago", "Dixon", "Sacramento", "OMalley", "Goldberg", "Lee", "Twilight", "Harry Potter", "Serenity".   Do Not Use These.

    • a complex password is a password made up of a wild mix of UPPERCASE letters, lowercase letters, digits, and if possible symbols ("@#$%&_.").  A great example of a complex password looks nothing like a real language: for example "nj2.TXd5", "A7&M20vkL", or "788$jK6b00Y4H!".

  4. Never, ever, ever, ever, ever use the same password at more than one website.

  5. No, really, I'm not kidding. Re-read that until you are ready to puke potted-violets. Never, and I mean never, use the same password twice. Don't complain to me about how hard it is to remember crazy complicated passwords all over the place! This is YOUR bank account / IRA / 401k / Level 85 Night Elf Warrior. Not mine. I'm just trying to give some reasonable advice here. Use unique passwords.

  6. If possible, for banks and other sites that have access to your money (whether cash or credit), use the longest password possible. If you like, use a password manager. Some of my passwords are 32 characters long. No kidding. And they look like someone left a box of Alpha-Bits on a live land-mine.

  7. And, whenever possible, use different user names (login IDs, whatever you want to call it). Some sites restrict you to using your email address (""), but if you can use different ones for different sites, go for it: "john.doe", "jdoe1975", "johnqdoe", "johndough", and so on.

  8. Shred any documents at home before tossing them into the recycling bin.  (Hey, look! Shredders!) Believe it or not, some people like to dive into the dumpster behind your apartment building and look for documents that contain personal information. Yes, I know: these people are losers. But rather than sit there and psychoanalyze these jerks, instead do yourself a favor and buy a shredder.

  9. Go through your email and delete any email that has a password from a website in it. On the odd, but possible, chance your email is compromised, at least the thief won't be able to get to any other accounts whose credentials are lurking in your email. Make sure you "Empty the trash" of your email service, if possible. 
There are probably more things you can do to protect your credit and your assets. This is  a good start. 
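
The password tips above (3 through 6) in code form. This is an example added here, not something from the original post: it generates a 32-character password from the operating system's secure random source and checks a candidate against the "simple password" patterns listed in tip 3. The function names, the tiny word list and the keyboard-row table are assumptions made for illustration.

```python
import secrets
import string

SYMBOLS = "@#$%&_."  # the symbol set quoted in the post
REQUIRED = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
ALPHABET = "".join(REQUIRED) + SYMBOLS
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Constructed stand-in for a real dictionary or breached-password list.
KNOWN_WORDS = {"fluffy", "fido", "chicago", "twilight", "serenity", "harrypotter"}


def generate_password(length=32):
    """Draw from the OS CSPRNG until every character class is present."""
    if length < 4:
        raise ValueError("too short to hold all four character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in REQUIRED + (SYMBOLS,)):
            return candidate


def _row_run(text):
    """True if text is 3+ adjacent keys from one keyboard row, e.g. 'asdfgh'."""
    return len(text) >= 3 and any(text in row for row in KEYBOARD_ROWS)


def weaknesses(password, already_used=()):
    """Return the reasons a password breaks the post's rules; [] means none."""
    folded = "".join(ch for ch in password.lower() if ch.isalnum())
    found = []
    if password in already_used:
        found.append("reused on another site")
    if folded in KNOWN_WORDS:
        found.append("dictionary word or proper name")
    if folded.isdigit():
        found.append("digits only")
    # Catches straight runs ("qwerty") and two interleaved runs ("1q2w3e").
    if _row_run(folded) or (_row_run(folded[::2]) and _row_run(folded[1::2])):
        found.append("keyboard pattern")
    if not all(any(ch in cls for ch in password) for cls in REQUIRED):
        found.append("missing uppercase, lowercase or digit")
    return found


if __name__ == "__main__":
    print(generate_password())
    for sample in ("fluffy", "1q2w3e", "123456789", "nj2.TXd5"):
        print(sample, weaknesses(sample))
```

A password manager does the generating and the reuse check for you; the point of the sketch is that "complex" and "unique" are both things a machine can test.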

There is no such thing as perfect security. But remember: "Perfect is the enemy of Good". These steps should reduce the probability that your online identity will be compromised.