Your computer’s hard drive contains an extraordinary amount of personal information; information that an identity thief could use to commit financial, criminal and medical fraud under your identity. So when you are considering selling or throwing away an old computer, naturally, you delete everything off of your hard drive. But is that enough?

There are different methods of “deleting” information off of your hard drive and not all of them actually delete anything. Data is encoded onto a hard drive by magnetizing strips of material that the computer can later retrieve by reading the magnetic pattern encoded into the disk. To permanently delete information, the magnetic code must be fully removed from the disk.

Recycle or Trash Bin

Most people delete files and information off of their computer by dragging or sending the file to the recycle or trash bin and then emptying it. This is misleading because that information is not actually deleted. When a file is “deleted” in this manner, the computer does not remove the magnetic information from the disk, but instead makes that space on the disk available for information to be stored. Thus, you may think you deleted a file, but in actuality the information is still encoded into your hard drive and could be retrieved by someone else unless your computer happened to write over that information when you saved something else.

Physical Destruction or Degaussing of Hard Drive

There are two ways you can destroy the hard drive to ensure the data stored on it is unrecoverable. One, you can smash the hard drive yourself with a hammer or other tool, but you run the risk of leaving some information recoverable if you do not do a thorough enough job. Alternatively, many companies provide shredding machines capable of reducing a hard drive to a pile of scrap metal, fully eliminating any ability to recover any information.

Another way to permanently delete information off of the hard drive is to degauss it. Degaussing is a process by which magnetic fields are either reduced or eliminated. Unfortunately, this method of permanent deletion will also damage your hard drive, rendering it incapable of storing information in the future. Obviously, the downside to these methods is that you will not be able to sell or use the hard drive ever again, but at least you know your data is gone forever.

Electronic Shredding

Electronic shredding is the process in which information is deleted off of a hard drive by rewriting information over the old information multiple times. This is a form of formatting the hard drive, but is more thorough due to the multiple rewrites and the pseudorandom data that is used to write over the old information. The multiple rewrites continually erode any old magnetic fields coded into the disk until they are unrecoverable. Some programs permanently delete individual files or folders and others permanently delete the entire hard drive. If you are throwing away or selling your computer, it is recommended that you use an electronic shredding program that wipes your entire hard drive. This ensures that no personal information is left on your hard drive in the case that some of your personal information is in a file or folder that you forget to individually delete.
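The difference between a recycle-bin delete, a per-file shred and a whole-drive wipe can be shown on a toy model of a drive. This is an added example, not part of the original article: the `ToyDisk` class, its method names and the sample records are constructed for illustration, and it assumes a drive where an overwrite lands on the same physical location as the old data.

```python
import os

BLOCK = 64  # bytes per block in this toy model (assumed value)


class ToyDisk:
    """Toy model of a drive: raw blocks plus a table mapping names to blocks."""

    def __init__(self, blocks=32):
        self.raw = bytearray(blocks * BLOCK)   # stands in for the magnetic surface
        self.table = {}                        # filename -> list of block numbers
        self.free = list(range(blocks))        # blocks available for reuse

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)        # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = blocks

    def delete_file(self, name):
        """Recycle-bin style delete: forget the name, leave the bytes in place."""
        self.free.extend(self.table.pop(name))

    def shred_file(self, name, passes=3):
        """Overwrite the file's blocks with pseudorandom data, then free them."""
        for b in self.table[name]:
            for _ in range(passes):
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete_file(name)

    def wipe_all(self, passes=3):
        """Whole-drive wipe: overwrite every block, allocated or free."""
        for _ in range(passes):
            self.raw[:] = os.urandom(len(self.raw))
        self.free = list(range(len(self.raw) // BLOCK))
        self.table.clear()

    def recoverable(self, needle):
        """What a recovery tool does: ignore the table and scan the raw surface."""
        return needle in self.raw


def demo():
    disk = ToyDisk()
    tax = b"SSN 000-00-0000 tax return"       # constructed sample data
    bank = b"ACCT 0000000000 statement"       # constructed sample data
    disk.write_file("tax.txt", tax)
    disk.write_file("bank.txt", bank)

    disk.delete_file("tax.txt")               # emptied from the recycle bin
    after_delete = disk.recoverable(tax)      # bytes are still on the surface

    disk.shred_file("bank.txt")               # per-file shred of one file
    after_shred = disk.recoverable(bank)      # overwritten, nothing to find
    forgotten = disk.recoverable(tax)         # the earlier delete was not touched

    disk.wipe_all()                           # whole-drive wipe before disposal
    after_wipe = disk.recoverable(tax)
    return after_delete, after_shred, forgotten, after_wipe


if __name__ == "__main__":
    print(demo())
```

The third result is the case the article describes: shredding individual files leaves behind anything that was only sent to the recycle bin earlier, which is why the whole-drive wipe is the one to use before disposal.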

The bottom line here is that when you are releasing control of your hard drive, you need to make sure that all of your personal information is permanently erased or destroyed to avoid identity theft and fraud.

“Electronic Shredding – Get Rid of Ghost Data” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Sending your child off to college for the first time is incredibly exciting! All of the hard work you put into telling them to do their homework and filling out those applications has finally paid off.  However, while this is a time of joy and pride, it can be a scary time as well.

Your little one is going off on their own, perhaps for the first time in their entire life, and you will not be there to protect them.  While we cannot help you with all of the safety warnings you will need to relay to your young adult, we can help you with some great tips to help them avoid becoming a victim of identity theft. Here are three  key things to tell your college freshman to help them steer clear of identity theft:

  1. Your Social Security number is VERY important: Most young people do not know that their entire identity is linked to their Social Security number (SSN).  They don’t realize that not only is their ability to get credit connected to this number, but their criminal and medical records are tied to this little gold nugget as well.  You need to explain to them just how important this number is and help them understand why they need to keep it safe.  Explaining to them that an SSN can be used by somebody with a different name, age or sex will help drive home the point that they need to keep it protected from EVERYONE.
  2. Your computer is YOUR computer: While we understand that sharing is caring, it is not a good idea for everyone in your dorm to have access to the information on your computer.  Passing your computer around for everyone to update their Facebook isn’t just a risk for identity theft, it is a matter of privacy as well.  Our computers contain every aspect of our lives today and, unless you are peeking over the shoulder of everyone using your computer while they use it, you have no idea what information they may be accessing.  Even if the person is a trusted friend, you don’t want someone to download music or click on a link that could infect your computer with malware, which could lead to identity theft.
  3. It is necessary to properly dispose of sensitive documents: While most schools have moved from using a Social Security number as a student ID, there are bound to be documents moving through the hands of a college student that contain personal information.  Financial aid forms, scholarship applications and tuition bills are just a few of the school related documents that may have an SSN on them, as well as other personal identifying information.  Students may also be receiving credit card statements or other financial documents. In addition, just because a student ID isn’t an SSN doesn’t mean that someone cannot use it to check out library items and not return them, or get into other school accounts. All documents containing ANY type of sensitive information need to be shredded and they should never be left in the open where someone could come across them.

So while it may be more fun to pick out matching décor for your freshman’s dorm room, don’t forget that shredder, computer security software and perhaps a mini-safe.  These may not make them the coolest kids on campus, but it will make them the most protected against identity theft.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/itrc-launches-anyone3-campaign.

Governmental identity theft and fraud occurs when an imposter uses a victim’s personally identifiable information to obtain employment, obtain a driver’s license, receive unemployment benefits or receive any other state or federal benefits or aid.

Governmental identity theft does not always immediately affect one’s credit so checking a credit report or having a credit monitoring service will not always alert a victim to the crime.

Victims of governmental identity theft discover that their identity is being used in different ways, including the following:

  • When the victim is seeking a job and the employer runs a background check, the results will indicate that the victim is already employed.
  • The victim receives notification from the Internal Revenue Service (IRS) that their Social Security number has already been used in a previous tax return and as such the IRS is unable to process the return that they filed.
  • A victim of criminal identity theft may discover that the reason the criminal identity thief was able to commit a crime in the victim’s name is because they obtained a fraudulent driver’s license using their identity.
  • A victim who is receiving unemployment or other state or federal benefits will receive notification that their benefits are being terminated because income is being reported under their Social Security number by an identity thief who is working under their identity.

There are many other ways that a victim could be alerted that they have fallen victim to governmental identity theft, but they have to be watchful for any clues that something is afoot. Should you discover that someone is using your identity to commit governmental identity theft you should do the following:

  • Request your Social Security Earnings Information report using Social Security Administration (SSA) Form 7050.
  • After reviewing your Earnings History Report, remove any incorrect information using SSA Form 7008 – Request for Correction of Earnings Record.
  • File your next year’s tax returns as early as possible to avoid having the identity thief file a fraudulent tax return under your name before you do. The IRS does not verify that a return filed under your Social Security number and information is actually from you, so it is first to file, first served.
  • In the case of someone using the victim’s identity for employment, check with the Department of Motor Vehicles or Department of Transportation in the state where the identity thief worked to ensure they did not obtain a fraudulent driver’s license using the victim’s identity.
  • And, as always, you can call the Identity Theft Resource Center at (888) 400-5530 or visit our website at www.idtheftcenter.org.

“What is Governmental Identity Theft?” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Privacy concerns over the Affordable Care Act’s Navigator program have prompted thirteen State attorneys general to write a letter to Department of Health and Human Services Secretary Kathleen Sebelius requesting answers to their questions and concerns by August 28, 2013.

“Navigators” are entities that will receive grants to carry out duties including:

  • Conducting public education activities to raise awareness of the availability of qualified health plans
  • Distributing information concerning enrollment in qualified health plans and the availability of premium tax credits
  • Facilitating enrollment in qualified health plans
  • Providing referrals to appropriate organizations or State agencies for people who have complaints or questions regarding their health plan

In carrying out their duties, these navigators will likely have access to people’s personally identifiable information (PII) including their Social Security numbers, tax return information and some medical history. The information that will be available to navigators is more than what is needed to commit identity theft and fraud and, as such, should be well protected; however, the State attorneys general claim that the policies regarding privacy are lacking. They point out multiple flaws regarding the program policies in their letter such as:

  • The program does not require uniform criminal background or fingerprint checks before hiring personnel and does not list any criminal acts that are per se disqualifying.
  • Training for personnel is lacking in that the program only requires 20 hours of initial training which was reduced from a previous 30 hours.
  • The program requires that state licensure or certification rules must not prevent the application of Affordable Care Act navigator requirements.

The open enrollment period begins October 1, 2013 and potentially millions of Americans will be disclosing their personal information to these navigators in order to receive help in understanding and enrolling in the qualified health plans available to them. Most Americans will be required to have health insurance effective January 1, 2014, as mandated by the Affordable Care Act. In just a few months, from October to December, millions of Social Security numbers and other pieces of PII will be trading hands as people try to obtain health insurance by the January 1st deadline. The need for proper screening, proper training and the protection of people’s personal information is clear. The State attorneys general have expressed legitimate concerns and we look forward to hearing the Department of Health and Human Services’ response.

“State Attorneys General Voice Concern Over Affordable Care Act’s Navigator Program” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

We are not yet thinking about 2014, but the antivirus community certainly is.  We can expect a lot of new product introductions in the antivirus sector as they attempt to get on your holiday shopping list with newer products.

You’ll find that the competition to get your AV dollar is fierce. One particular comparison website, found at http://www.av-comparatives.org/dynamic-tests/, allows you to download a PDF of the comparison results. The important thing is that AV-Comparatives.org tracks how well each antivirus deals with real-world threats over a 6 month period. Even better, it’s presented in a format that gives direct comparisons between competing products.

Of course, cost is always an issue, particularly if you have to protect a small fleet of PCs, laptops, and tablets.  Ad-Aware, AVG, and Microsoft all provide free antivirus programs, and the range of pricing for paid products seems to be between $20 and $60 at this time.  Some companies may provide special pricing for multiple license users, and for a typical household this might be important to your cost estimate.  It would be smart to choose a short list of highly rated products, and then compare the pricing.

All antivirus products considered for your use should have automatic capability for updating the virus definitions.  You should ensure all your PCs are operating in a mode where both antivirus and operating system updates are automatic.  There are many thousands of new viruses and security exploits uncovered each year, and an absolutely sure method to be vulnerable is to have a system operating with old virus definitions and none of the latest security patches.  You should pay special attention to systems that are used infrequently and left powered off, since updating of AV definitions and system patches takes some time, and there is a tendency to “power it up, open a browser, and view a website.”  During that period of updating, that PC might be an easy target for a virus, malware, or hacking exploit.

Some of the antivirus products are rated highly at cleaning up malware that has already been installed on the machine.  Those products are worth thinking about because threat removal is not a simple task with some malware or viruses, and the odds are pretty high this will happen to you at some point.  I will mention an “initially free” product which has worked extremely well for me over several years, Hitman Pro from a company named Surfright.  Hitman Pro is not intended to be a primary antivirus, but is a very good cloud based secondary scanner that has proven extremely proficient at removing threats without my intervention (this is a real blessing if you’re the go-to guy for a bunch of machines).  It’s intended to be run on a scheduled basis, and at any time that you think something bad has happened.  So it doesn’t do real-time scanning, and you should always have a primary antivirus running.  But, the free version of Hitman Pro will do a complete, fast, and thorough PC scan, and alert you to what it found.  And it can then be purchased to use its malware removal skills if needed.

It pays to “pay attention” to your antivirus tools, and to see that they are current and effective.  It is important for proper PC operation, and to keep your personal information personal.

‘Getting the Most Out of Your Antivirus’ was written by Rex Davis.  Rex is the Director of Operations at the Identity Theft Resource Center.

On August 6, Michael Daniel, Special Assistant to the President and the Cybersecurity Coordinator, posted on the White House blog a set of possible incentives for companies that voluntarily adopt the Cybersecurity Framework currently being created by the National Institute of Standards and Technology (NIST).

The Cybersecurity Framework is a voluntary set of rules based on existing standards, practices and guidelines designed to reduce cybersecurity risks to critical infrastructure, authorized by President Obama’s Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity.

Once the Cybersecurity Framework is completed, the EO tasks the Department of Homeland Security (DHS) with creating a Voluntary Program intended to encourage private companies to follow the guidelines established in the Cybersecurity Framework. Recommended by the Departments of Homeland Security, Commerce and Treasury, these incentives are to be used to make compliance with the Cybersecurity Framework more attractive to private companies who may not want to spend the money and time to invest in their cybersecurity protection:

  • Cybersecurity Insurance – The insurance industry should be engaged while developing the Cybersecurity Framework and Voluntary Program in order to help build underwriting practices that encourage the use of cyber risk-reducing measures and risk-based pricing.
  • Grants – Federal grant programs should encourage the adoption of the Cybersecurity Framework by making participation in the Voluntary Program a criterion or factor in determining the award of certain federal grants.
  • Process Preference – The participation in the Voluntary Program can be used as a consideration when private companies request government service delivery be expedited.
  • Liability Limitation – Reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements can be offered to private companies participating in the Voluntary Program.
  • Streamline Regulations – Agencies will continually work to reduce overlaps between existing laws, regulations and the Cybersecurity Framework to make participation in the Voluntary Program as painless as possible.
  • Public Recognition – The use of public recognition for Voluntary Program participants could be used as a method of encouragement for companies to comply with the Cybersecurity Framework.
  • Rate Recovery for Price Regulated Industries – It is recommended that consideration be given to working with federal, state and local regulators and specific agencies that regulate utility rates to allow recovery to private companies for cybersecurity investments related to participation in the Voluntary Program.
  • Cybersecurity Research – The government can direct research and development to help create solutions to gaps in cybersecurity where commercial solutions do not yet exist.

These incentives are only suggestions and are not final policy; however, they are a good start to helping the Cybersecurity Framework and Voluntary Program make a real difference by encouraging private companies to comply without forcing them to via federal regulation.

“Cybersecurity Framework Incentive Ideas Released” was written by Sam Imandoust, Esq.  He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original piece.

Our most recent Twitter chat was a very exciting event for us here at the Identity Theft Resource Center.  This was our latest effort of many in which we have been concentrating on spreading awareness about Medical Identity Theft.

We recently released a video on YouTube about the topic and are excited that the media has become very interested in reporting on this topic. That being said, we were very excited to host our monthly Identity Theft Twitter Chat on the topic of Medical Identity Theft.

This month’s Identity Theft Twitter Chat was on the 1st of August at 11:00am PST and was a pleasure to host. We were incredibly lucky to have Rick Kam and Robin Slade on board from the Medical Identity Fraud Alliance (MIFA).  MIFA is the first cooperative public/private sector effort created specifically to unite all stakeholders in jointly developing solutions and best practices for the prevention, detection and remediation of medical identity fraud. You can follow them at @MedIDFraudAssoc. Meredith Phillips from Henry Ford Health Systems also joined us to lend her expertise on the topic and we were very glad to have her!  Since she is tackling the problem on the front lines her insight was truly valuable!

The chat was aimed at both consumers and businesses who wanted to know more about the issue of medical identity theft.  We had some great questions from consumers about what medical identity theft actually is and how they could protect themselves.  MIFA stepped up in a big way by providing multiple resources to everyone who had questions. With nearly thirty accounts attending the chat, we were able to reach over 48,000 accounts and made almost 865,000 impressions. We think that is a pretty good start to making people aware of the issue of Medical Identity Theft!

The next Identity Theft Twitter Chat will take place on September 5th, 2013 at 11:00am PST. The topic will be online shopping and safety.  Anyone can join the chat and provide resources to consumers and businesses by following @IDTheftCenter on Twitter and using the hashtag #IDTheftChat. We hope you will pop in and spend some time learning and spreading the word about identity theft!

“Medical Identity Theft Twitter Chat Recap” was written by Nikki Junker.  Nikki is the Social Media Manager at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to www.idtheftcenter.org.

It’s never fun to receive a breach letter in the mail. Out of nowhere, you’re informed that through no fault or ill-advised action of your own, your personally identifying information (PII) has been compromised and may have been exposed for all the world to see.  This can cause panic on the part of the consumer. As we at the ITRC often see firsthand, in addition to being scary, it can confound and confuse.  What information was exposed? What does this mean? Am I a victim of identity theft? What should I do now?

The first thing you need to know is that a breach letter is never, in and of itself, a declaration that you are now a victim of identity theft. If you’ve received a letter of this type, it’s because according to the law of the state, an entity that’s had an exposure where consumer information was improperly exposed is required to notify you.  Read the letter carefully, as they must disclose exactly what type of information was exposed and when.  They’re also required to inform you in a timely manner. The only permissible reason for a delay in notification is if it would compromise an ongoing criminal investigation into the perpetrator of the exposure (if there was specific criminal intent in the case of this particular breach).

So, really all the letter is informing you of is that some portion of your PII was improperly exposed. The letter will detail exactly how and where the information was compromised.  What it means in simple English is that your information was exposed and as a result you may be at greater risk for identity theft or fraud than the average consumer.  Sometimes credit monitoring or other aid services are offered as part of the company’s attempt to make amends for the breach (or to offset the tarnishing of their public image).  If such services are offered free of charge it is always advisable to take advantage of them. The letter will usually have numbers to call for the service in addition to the numbers for the credit reporting agencies or information services to help walk you through the process.  Be sure to use them all.

Check your credit reports and issue fraud alerts through the credit reporting agencies. Remember, the more information you have about exactly what happened and when, the better position you’ll be in to mitigate any added risk or resulting damage to your identity. If you have additional questions or want to be talked through exactly what you should be doing, it never hurts to call the ITRC toll free at (888) 400-5530.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

Passwords “are starting to fail us,” said PayPal’s Chief Information Security Officer Michael Barrett at a recent event in Las Vegas.  Much like a locked front door to your home, a password may serve as a minor deterrent to the casual passer-by, but anyone who really wants to find a way in will most likely be successful.

A lot of it has to do with the seeming inability of internet users, despite many attempts to educate the public, to pick passwords that are truly secure.   “Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”

The number of data breaches in the US increased by 67 percent in 2011, and each major breach is more expensive than many people realize.  When Sony’s PlayStation account database was hacked in 2011, it cost the company upwards of $171 million to rebuild its network and protect users from identity theft. Add up the total cost, including lost business, and a single hack can cost millions or even billions…with a B.

Face It: Internet Passwords Often Fail to Keep Hackers Out

Asked about passwords, ESET Senior Research Fellow David Harley says, “Static passwords are problematic – even a good password is next to useless if the provider doesn’t take good care of credentials data and allows unlimited retries. The trouble is, that password authentication on the Internet is cheaper and easier to implement than most of the alternatives.”

So what’s the answer? How does one protect themselves in an online environment with so many dangers?  While there’s no way to completely eliminate your risk, there are several things that can be done to mitigate the risk.  For starters, don’t make it easier on would-be hackers. Don’t make your password “password,” or “123456.”  Use 10-character passwords, containing both letters and numbers, as well as capital and lowercase letters.  Try to vary passwords for different online accounts, so that if one account gets hacked, it doesn’t create a situation where the hacker now has access to every online account you own.  Additionally, avoid making passwords or security questions things that a stranger could guess at just by reviewing your publicly available information.  What city you were born in, for example, might not be the best security question for an online account if you have that information publicly listed on your Facebook Page.  Using varied and less typical/obvious passwords will go a long way to making your information online safer.

On the industry side of things, more investigation needs to be done on better authentication methods than are currently in place.  Cheap is always appealing, but not always effective. And as was pointed out, if a company is hacked those cost savings go out the window, and then some.  There also needs to be greater limitation on the number of times someone can incorrectly answer a password prompt or security question before the account gets frozen. Understanding on the part of both the service provider and the consumer of what sort of tactics hackers use and what they’re looking for is essential if we are to protect ourselves with a higher rate of success.

In short, don’t be lazy with your passwords, even though they are in some ways antiquated forms of security. Be aware of what personal information about you is floating around on the cloud and be mindful of this when picking your fail safes for account access. Don’t store information online that you don’t absolutely need to and be mindful of who you’re giving your information to and what they plan on using it for.

“Face It: Internet Passwords Often Fail to Keep Hackers Out” was written by Matt Davis.  Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to repost the above article, as written, giving credit to the author and linking back to www.idtheftcenter.org.

With all the already implied stresses of travel (Will your bags arrive at the correct airport? Will you make it to the train station on time? Will the hotel still have your reservation in their system?), there is no need to add a stolen identity to the list. You should be able to enjoy your trip! Whether you’re leaving town for business or pleasure, you must always stay alert. But do not worry. There are simple ways to take precautions, some of which may even seem like a no-brainer.

These days, who carries cash anymore? Credit and debit cards are so easy to use and they take up less space in your wallet. Some cards even give you rewards after each use. However, your personal information is on the card. All it takes is for one server at a restaurant or one bartender to write down your card numbers while you’re paying, and keep them for their personal records. Have you ever opened a tab at a bar? Of course that’s easier than paying for each item you order as you go. But the risk is higher for your information to be stolen. By using cash for meals at restaurants or at bars, you can keep this worry at bay.

Unless you’re in a location with your bank branch, ATMs are a must for taking cash out of your bank account and putting it safely into your wallet. They’re fast, easy, and basically effortless (as long as you remember that PIN). Before entering your PIN, take a look around. Make sure no one is watching you. If there are a lot of passing pedestrians or lingerers, lean forward so your body is covering as much of the screen and keypad as possible. Or, if you’re traveling with a friend, share the task and have him or her use their body to block the view from wandering eyes thirsty for your personal info.

You finally made it to your hotel. It’s time for you to take off your shoes and rest up for your trip’s activities. Hopefully your hotel provides a relaxing home away from home experience. That being said, it is not your home. When you leave the room, do not leave personal items out. Many hotels provide safes that guests are able to rent. The front desk can give you a key, and you may store passports, credit cards, jewelry, or whatever else strikes your fancy within your rented safe. If you do not want to rent a safe, be sure to take your passport and other important items with you wherever you go (of course while keeping them in a safe spot). Some safe spots are the inside zipper pocket of a coat or jacket, or a travel wallet that can be worn around your neck and inside your shirt with the zipper pockets facing towards your body.

Public computers can be handy during travel. They help confirm the location and address of that important board meeting, or to a café you promised you’d meet your old college roommate at while in town. Oh, the good old days! For research tasks, public computers are great. For personal information filled tasks, not so much. If you forgot to pay that electric bill before heading out on your trip, do not use a public computer to do so. Call your electric company and pay over the phone from a private location. Computers can store your personal account information, leaving it easily accessible for the next person who uses it.

If by chance your information is stolen, report it to your bank and the police immediately. Before traveling, make copies of your debit and credit cards, passport, and any other important information you are taking with you. Leave those documents in a safe location at home or with a family member. This way, if your identity is stolen, it’ll be easier for you to take the necessary steps to efficiently fix the situation. The fewer worries during travel, the better. Just be aware of your surroundings and be extra protective of your possessions. And have a safe trip!

This guest post was written by Cara Giaimo, a blogger for SimpliSafe. Cara covers issues regarding home security, safety, consumer technology, and crime; in her spare time, she likes running, jamming with friends, and making strange types of ice cream. SimpliSafe is a leader in the wireless home security field.