ITRC Fact Sheet 133
The Military and Identity Theft

Checking Accounts 

The ITRC suggests that active duty personnel consider using online banking services in order to monitor and track bank account activity.   Please be aware of your environment (for example key loggers, spyware, shoulder surfing) when accessing accounts.

Placing an Active Duty Alert

An active duty alert is similar to a fraud alert in that it requires an inquiring creditor to verify that it is you who is attempting to open a line of credit. The difference is, unlike the 90 day fraud alert, this alert lasts for a year. Additionally, if you are deployed out of the country and cannot be contacted, you may appoint somebody you trust to act as your representative. 

Contacting CRAs by mail (see ITRC Solution SN 02 – CRA Contact Information)

  • Experian:  P.O. Box  9701, Allen, TX  75013-0949
  • Trans Union:  P.O. Box  2000, Chester, PA 19016
  • Equifax:  P.O. Box  740241, Atlanta, GA  30374-0441 

Send a letter asking for an Active Duty Fraud Alert to be placed and your credit report to be mailed to you (see ITRC Letter Form LF 133). Enclose the following items:

  • A copy of your driver’s license or state identification card
  • A copy of your Social Security card
  • A copy of your military identification card
  • A copy of your orders
  • A copy of a bill that shows your address of record, if address is different from the address on driver’s license or state identification card

Contacting Credit Reporting Agencies – Placing Alerts Online

Power of Attorney

Service members in the U.S. Military often consider granting a Power of Attorney to a spouse or a loved one before they are deployed. Although this can be a good idea, please be careful. 

Unfortunately, many service members have found out too late that the person they gave a General Power of Attorney to did not have their best interests in mind. They come home to find their bank accounts cleaned out, credit cards opened in their name, and other credit problems that are all legally possible due to a General Power of Attorney.

We suggest that you read the Explanation of Powers of Attorney put together by the Judge Advocate General office.  This document on Powers of Attorney covers issues like: how to stay safe when filing a POA, what you will need to grant a POA depending on POA category, and how to revoke it when you are ready to. The ITRC strongly suggests that you consult with the Judge Advocate General office for Command Legal Assistance prior to granting any Power of Attorney.


Identity Theft Resource Center

  • 24/7, Toll-free, no-cost victim assistance:  888-400-5530 (U.S. only)
  • ITRC Fact Sheet FS 124 – Fraud Alerts and Credit Freezes

Federal Trade Commission website:

For further information visit the following links:


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 132
Identity Theft Products

This fact sheet covers:

The Identity Theft Resource Center receives numerous inquiries from consumers regarding identity theft products and services available for purchase.  While ITRC does not endorse any specific product or service, this document has been created to help consumers understand various products, their benefits and limitations, and what items should be included. Most of these services can be done by an industrious and identity theft-aware consumer. For instance, you can check your own credit reports via the free federal program: Please refer to ITRC Fact Sheet FS 125 for more information.

However, if you have the discretionary money and want to take advantage of consumer products, this guide will help you understand a little bit more about what you’re purchasing.

Identity theft is not just a financial crime. Therefore, it is ITRC‘s position that no one product can fully protect you from identity theft and that any advertisement stating it provides a complete protection program may be misleading.  For example, none of these products can stop a criminal from using your information when being ticketed by a police officer. Additionally, they cannot stop someone from using your Social Security number to get a job or apply for government benefits.

Using the word “protect,” implies the ability to proactively stop a crime before it happens. Some of these products and services are reactive and only let you know a crime has occurred after the fact.

As you consider the following services, ITRC would like to remind you to shop carefully, read contracts and privacy policies, and check out companies with the Better Business Bureau or state Attorneys General. You can also do an Internet search for complaints about specific companies or services. 

Credit Monitoring Services:

Credit monitoring is a service which allows consumers to be advised about changes on their credit reports, and/or to view a summary of their credit report upon request. This service may monitor only one credit report or it could monitor reports from all the major Credit Reporting Agencies (i.e. Experian, Equifax and TransUnion). You should be aware that all three reports are not identical.

If you wish to sign up for a credit monitoring service, you should review and evaluate the various options available to determine the product and/or service that best meets your needs.

To date, credit monitoring products only help in a limited area of financial identity theft, and do not address the other forms of identity theft, such as criminal, governmental services, etc. They also do not indicate account takeover or the misuse of existing credit cards. In addition, new bank accounts, utility accounts, and some other types of financial accounts may not appear on your credit report until they go to collection.

Please beware of the following:

  • The credit monitoring information may not be current. Some credit issuers may not provide new credit application information or collection actions to the three credit reporting agencies in real time.
  • Credit monitoring is dependent upon credit issuers providing new application information to the CRAs. The reality is that not all credit issuers report to the CRAs.
  • A report that only has information from one of the three CRAs is incomplete. It must be a tri-report from all three CRAs. Otherwise, it may not show all the pending applications and open accounts.
  • Credit monitoring is a reactive process, not a proactive process.

Identity Monitoring Services:

These new services go beyond traditional credit monitoring by including additional areas where fraudulent activity may be indicated. In some cases, these may be more proactive in alerting you to fraudulent activity in real time. Each service is slightly different. 

Additional areas may include:

  • monitoring for items such as address changes
  • identifying unusual personal activity (such as applying for several lines of credit with auto dealers in the same week)
  • scanning the Internet for exposed account information
  • screening for other items that may indicate something is awry

Some companies calculate identity risk by looking for any suspicious or unusual relationships among billions of basic identity elements. Others include credit monitoring and some of the additional items mentioned above. Look for a service that notifies you quickly of any developing problem.

Credit Freeze Products: 

A credit or security freeze is a stronger measure than a fraud alert. It literally locks your credit report from viewing for the purpose of new lines of credit, and for some employment and tenancy purposes. When in place, potential creditors, insurance companies, landlords and some employers doing financial background checks may be told that your report is unavailable for viewing. The price varies from state to state and is usually free for victims of identity theft (please see our State Resources Map for your state’s freeze law). This product is typically added to other identity theft services. For more information about Credit Freezes see ITRC Fact Sheet FS 124.

Ask the following questions?

  • What are costs and fees associated with the service?
  • What is the company’s reputation?
  • What services will they provide?
  • Is the cancellation policy reasonable?
  • Will the credit freeze product provider contact you at the time of credit application?
  • How long does it take this product provider to activate your freeze?
  • Is a “live person” readily available by phone if you have questions?
  • What help is provided if you find you are an identity theft victim due to a failure to observe a freeze?
  • Do they make overreaching claims, such as “our product always prevents identity theft?”

Victim Resolution or Restitution Products:

By definition, victim resolution or restitution is the process by which a victim clears all fraudulent records created by an identity thief. 

There are companies that will do all the restoration work for you. Make sure the company will cover any identity theft case that unknowingly existed before you purchased the program. A contract clause denying coverage for a pre-existing identity theft case is the one that most consumers discover after the fact and then find themselves without assistance.

Ask about the following items:

  • What are the fees? What services are provided?
  • Do they cover all types of identity theft? (Financial, criminal, governmental services, etc.)
  • Do you need to sign a power of attorney? 
  • Do you need to provide your Social Security numbers and financial account numbers to this company?
  • What is the process they use to restore your good name?
  • What type of training do their investigators undergo?
  • What is their reputation for getting the job done completely and effectively?
  • What is their guarantee? Is there a refund policy?

ITRC cannot stress enough the need for victims to do their homework as part of your “buyer beware” due diligence.

Note: There are many state and non-profit organizations that will assist victims WITHOUT charge. These organizations will guide victims through the process, step by step, and will even provide letter forms to use.

Data Sweep Services: 

This type of company checks the Internet for listings of your personal identifying information. While names, Social Security numbers and financial records are critical to identity theft, other pieces of information, such as your email address, also expose you to spammers and identity thieves. Once personal information is detected, these services will provide an alert so that steps may be taken to remove it.

Questions to ask these companies include:

  • What is the price? What other products does it include or can you buy it as a stand-alone product?
  • What information do they search for? Does it include all or just some of these items: name, Social Security Number, email address, telephone number, financial records, and home address?
  • How frequently do they do a sweep? “Real time” is preferable.
  • How quickly do they notify you of any listing and how do they notify you?
  • How persistent are they in making sure you received their notification?
  • Do they allow a trial period for you to decide if you want to continue with this product? Many companies will allow you at least a one month trial period.
  • What is their background and expertise in data sweeping? Do they interact with law enforcement agencies? That is a plus.

Identity Theft Insurance:

These are insurance programs, or add-ons to existing policies, that help replace real expenses incurred by the victims of identity theft. Look for the following items:

  • Low cost premiums - $25-$50 annually is typical.
  • A low deductible amount. If the deductible amount is too large, your expenses may not be enough to justify a claim.
  • Should cover lost wages. Note: This should include salaried employees and those who are self-employed. It should not require that you use any earned sick or vacation time first. It should reimburse you for sick or vacation time you have to use for your case.
  • Includes legitimate legal expenses directly related to recovering your good name.
  • Includes out-of-pocket expenses.
  • Make sure the company will cover any identity theft case that unknowingly existed before you purchased the program. A contract clause denying coverage for a pre-existing identity theft case is the one that most consumers discover after the fact and then find themselves without assistance.
  • Verification that any claims on the identity theft insurance do not affect any other policies you have with the same company. This is very important since some identity theft policies are add-ons on homeowner’s insurance. If a claim on the identity theft policy raises your rates for a related home-owners or other policy, it may not be cost effective.


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 131
Credit Card vs. Debit Card

 This fact sheet will cover:

The World of Debit vs. Credit

According to a Nilson Report in April, 2009, 78 percent of American households - about 91.1 million - had one or more credit cards at the end of 2008. “In less than 15 years, debit card transactions in the United States grew from 1 percent of noncash transactions to more than 50 percent." (Source: Tower Group, August 2009)

Visa reports there are 309 million Visa credit cards and 352 million Visa debit cards in circulation in the United States. MasterCard states that as of Sept. 30, 2009, there were 211 million MasterCard credit cards and 130 million debit cards. According to data from the U.S. Census Bureau, there were 159 million credit cardholders in the United States in 2000, 173 million in 2006, and that number is projected to grow to 181 million Americans by 2010.

The fact of the matter is banks make money on purchases made with debit or credit cards. Whether it is a percentage based fee on a “signature” transaction or a flat fee for a PIN-based transaction, banks profit from consumers’ growing use of plastic.

You have two main choices when making purchases with a card:

Credit cards – making purchases with the creditor’s money until billed
Debit cards – having your money immediately extracted from the linked account

What is a credit card?

A credit card is a bank-issued card that allows people to purchase goods or services from a merchant and to pay for them at a later date. Every month the credit card company provides a bill, which reflects the card activity during the previous 30 days. Also, credit cards may be sponsored by large retailers (such as major clothing or department stores) or by banks or corporations (like VISA, MasterCard or American Express).

 About Credit Cards:

  • Must be applied for with a bank or other creditor (i.e. department store).
  • Allows consumer to buy goods and services on credit
  • Limited by the available credit at the time of purchase
  • “Buy Now, pay later”
  • Allows for disputes with vendor – option of withholding payment should there be dissatisfaction with product or service or in the case of a fraudulent charge
  • Many come with Reward Programs and extended warranties on purchases
  • Best form of payment for on-line purchases
  • Greater protection from fraud loss if reported within 60 days
  • If you find an error, you have 30 to 60 days to notify the creditor in writing and need not pay the amount in question during the investigation

Fair Credit Billing Act

  • If reported within 60 days, maximum liability for the unauthorized use of the credit card is $50
  • If reported before fraudulent use, cannot be held responsible for any unauthorized charges

 What is an ATM Card?

The ATM card is the most basic form of “plastic.” An ATM card is offered by financial institutions as a method of withdrawing cash/funds through the use of Automated Teller Machines. In addition to withdrawing money, you can check account balances, transfer money between accounts or deposit funds into an account. The Debit feature, adding the ability to make purchases, is a feature now offered by most financial institutions.

 What is a Debit Card?

According to the Federal Deposit Insurance Corporation (FDIC), a debit card looks like a credit card but works like an electronic check. A debit card is linked with the customer’s checking or banking account. When used, money is immediately withdrawn from that account. There are two ways for a merchant to process a debit card transaction:

  • Debit with PIN – In this instance, you press “debit” and enter a PIN (secret numeric number) to authorize the purchase. Once this has been entered, you need not sign for the purchase. In transactions where the PIN is used, you may have the opportunity to get cash back over the cost of the purchase.
  • Debit with Signature- For these transactions, you sign the merchant’s copy of the receipt. At the check-out counter, you hit the “credit” option then sign for the purchase. You can also use a debit card on the Internet and over the phone as a “credit card.”

The problem with Debit cards is that they can be used for credit without your PIN. The swiping of a debit card, with the use of a forged signature, can easily wipe out your account/s.

Debit Cards

  • Readily available with the establishment of a checking or savings account
  • Cash removed immediately from a linked account
  • May be attached to a checking, savings or brokerage account
  • Very important to protect Personal Identification Number (PIN)
  • Alleviates concerns over finance charges and interest rates
    • However, user fees may be charged at point of purchase
  • Limited to the amount of funds in designated account
  • Can result in overdraft fees in cases of insufficient funds
  • In cases where additional accounts are attached for overdraft protection, there is a risk of these accounts being drained of funds
  • No ability to place a “stop payment”

Electronic Funds Transfer Act

  • Limited time to report loss or unauthorized use of card
  • If debit card is reported missing before it is used, cannot be held responsible for any unauthorized charges or withdrawals
  • If reported within 2 business days, cannot be held responsible for more than $50
  • If reported after two business days but before 60 days, the most you could lose is $500
  • Card issuer has 10 business days (from notification) to investigate error
    • Pending continuing investigation, funds must be returned to consumer’s account on 11th day.
    • If no fraudulent activity is detected, the funds may be withdrawn from consumer’s account.
  • If loss is not reported, greater risk of losing all funds in account
  • In case of fraudulent charges/losses, consumer has to fight with bank to have funds replaced

 The Dangers of Plastic Cards: 


A growing threat to both credit card and debit card users is an activity commonly known as "skimming."  Skimming occurs when thieves set up a scanning device that captures the magnetic strip and keypad information from ATM machines, gas pumps, and retail and restaurant checkout devices.  This allows for the duplication of the card enabling it to be used as either a debit or credit card.

Example 1: 

After the waiter takes your debit card for payment, he skims (scans) the card before returning it to the table. With this number in hand, there exists the possibility of duplicating that number onto a fraudulent debit card. At this time, the new card may be swiped as a CREDIT purchase without the need for a PIN number.

Example 2: 

You pull into a gas station to fill up your tank. Someone has mounted a skimmer on the face of the point of purchase device. At this point, the thief has the information necessary to create a fraudulent card. Additionally, an extra device may be placed within the line of sight of the keypad to video record your PIN code.

Key Logging 

Key logging comes in two forms: the first form is a physical device which can be attached to a computer, most commonly via the keyboard input port. These devices tend to collect a finite number of key strokes. The device can then be removed and used by the thief to see every key stroke made on that computer.

The second form of key logging is software-based. In other words, this is a program which may be added to your computer by logging into a website, receipt of a bogus email, or the exposure to a virus or Trojan horse. This type of key logging will transmit your exact key strokes to a remote location where the thief can have access to it. This occurs whenever your computer is logged on to the internet.

Example 1: 

Mr. Brown is a traveling salesman staying at a well-known hotel equipped with a business center. He uses the business center computer to access various accounts. Once he leaves the computer, the thief comes by and removes the physical key logger device.

Example 2: 

A software-based key logging program has been loaded on your computer by way of a Trojan horse. Unaware, you go through your day to day on-line activities which included monitoring your financial accounts, accessing emails, on-line shopping, etc. The entire time your computer is linked to the internet, it is communicating your keystrokes to a remote site. The thief may then retrieve this information at will.

ITRC Recommendations: 

  • Use caution when using stand-alone ATMs, especially those which might seem out of place. 
  • Establish a separate account for debit purchases. Make sure that this account is NOT linked to any other accounts. This avoids the draining of all your attached accounts due to fraudulent purchases.
  • Limit your use of debit cards.


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..



ITRC Fact Sheet 130A
Correcting Misinformation on Medical Records

Misinformation on medical records may be caused by human error or identity theft. It can lead to an inaccurate diagnosis of a condition and could be fatal if the information causes a drug interaction, allergic reaction or inappropriate diagnoses.

You should be able to fully correct medical records created in your name. HIPAA, the Health Insurance Portability and Accountability Act, is federal law that protects patients from unauthorized access to personal medical information and addresses the problem of errors in medical records.

Health care providers are often unwilling to remove any information from your medical record because it may simply be a case of mixing two patients’ records and they don’t want to lose any information regarding either patient. Outlined below are steps that you can take to rectify mistakes in your medical records and protect yourself from the consequences associated with erroneous health records.

For the purpose of this information guide, all information provided is per HIPAA regulations. We suggest that you also check your state laws about any additional rules or regulations regarding health care privacy and record correction.

How to correct errors in your medical and insurance records:

  • Request copies of your medical records from any health care provider where you feel your records may contain errors. If you are denied copies of your medical records, you have a right to appeal their decision. You are entitled to knowing what is in your medical records. If the provider still denies you access to your medical records after 30 days of your written request, you have the right to file a complaint with the Office for Civil Rights in the U.S. Department of Health and Human Services.
  • HIPAA does not prohibit providers from charging a reasonable cost based fee for copying records. The health care provider may allow you to read your records in-house and avoid those costs.
  • HIPAA requires that each hospital and health care provider to post a notice of its privacy practices. You may also request a copy, as it describes your rights, including your right to ask for an “amendment,” or correction, to a medical record. This may also provide information about which department you need to talk with, or to write to, if you have questions or complaints.
  • Make notes about, or mark, any erroneous information you find on your medical records while you are reading the file. Ask the provider if you may write on the file or if you need to write down notes. Be specific as to the location of the misinformation, so you can find it again for correction.
  • Speak with your individual health care provider or doctor. HIPAA does not require they remove the erroneous information but they must mark it and record a correction, called an amendment. You can request that the provider RED FLAG your file so other readers know there are at least two different patient records merged in the one file.
  • Per HIPAA they must make amendments within 60 days. They can take an additional 30 days to act if they provide you with a written explanation of the delay.
  • Make sure any information about your medical condition that has been shared with other parties is also tracked down and notified about the correction. This list, or accounting of disclosures, includes: other health care providers, insurance and pharmaceutical companies, benefit agencies, or employers that may have requested medical information with written approval by the employee. Health providers should have a list of the groups with whom they have shared your information. You may also have to request that list of other parties, and to send out corrective letters yourself.
  • If an entire medical file is not yours, you may try to have your name and SSN or medical record number removed from that file. There is no federal law that states they must do so, other than note that it is “in error.” You will need to sit down with the legal department, compliance officer, or patient records manager and negotiate for a resolution.
  • If the file is not amended, you have the right to request a “statement of disagreement” placed in your file, written by you explaining the situation and itemizing the erroneous information. A “bullet format” works best for the itemizing misinformation. HIPAA does not address the length of your statement. Some states do, however. For ease in reading, ITRC recommends that you limit your statement to 250 words or less. If your statement is lengthy, people might be reluctant to take the time to read it.
  • Review every EOB, “Explanation of Benefits,” that you receive as well as medical bills for any possible use of your medical insurance by another person.
  • ITRC Letter Form 130A is a sample letter you may wish to use to make requests of the medical agency. Be sure to mail the letter “certified, return receipt requested.” Enclose identifying documents such as copies of your driver’s license and health insurance card. You may want to check with your provider to see if you need to include any additional information.


ITRC Fact Sheet FS 130 – Basic Medical Identity Theft

ITRC Letter Form LF 130A - Request for Medical Records - a nonprofit organization that studies medical privacy rights

U.S. Department of Health & Human Services - The area of medical privacy is complex. It is guided by HIPAA (U.S. Department of Health and Human Services), and your state laws.


 This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..


ITRC Sponsors and Supporters 





Go to top


The TMI Weekly

Breaches here, identity theft there and invasions of privacy everywhere... Should you be worried and, if so, how can you protect yourself? Sign up now to receive The TMI Weekly and get the latest hot topics in identity theft, data breaches and privacy and helpful information on how to protect your information.