ITRC Solution 17

While a lost or stolen wallet/purse/PDA may simply mean the loss of your cash and credit cards, it may also be the beginning of an identity theft case. The return of the item does not guarantee cards were not copied, so you need to proceed as if the items were stolen.

  • Identify what was in your wallet. Consider all cards and information, not just credit cards and driver’s license. Was your Social Security Card or number in your wallet?
  • Report the loss/crime to your local law enforcement agency and get a copy of the report. If the loss/crime happened at work, notify the HR and Security departments.
  • Keep a log of all correspondence and conversations. Keep copies of correspondence.
  • Place a fraud alert with each Credit Reporting Agency if your SSN was involved (see ITRC Solution SN 03 – Contacting the CRAs to Place a Fraud Alert).
  • Monitor your credit report and review it for unauthorized account openings or any fraudulent address information. Contact any unrecognized creditors for any unauthorized accounts immediately.
  • Contact all credit issuers to request replacement cards with new account numbers. Monitor bills for any fraudulent activity on any accounts.
  • If you have lost a check cashing card, checkbook, savings account information or debit (ATM) cards, close the account and open a new account with a new number.
  • Password-protect all compromised accounts so that additional names and addresses cannot be added without authorization.
  • Contact the state agency that issues drivers’ licenses and place a stolen/lost warning on your file.
  • If you have lost a supermarket club card, cancel the card and request a new one.
  • For all other lost/missing information, including library or video rental cards or any other cards with membership or insurance coverage information, contact the issuing company, notify them of the loss and request a new card.
  • If out of the U.S., contact the embassy for missing passports or immigration paperwork.


Related Links:

ITRC Fact Sheet FS 104 – My Wallet, Purse or PDA was Lost or Stolen, Now What?


This solution sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to itrc@idtheftcenter.org.

ITRC Solution 8

  • Contact the three credit reporting agencies (CRAs) to place a fraud alert on your credit report. Please refer to ITRC Solution SN 03 – Contacting CRAs to Place a Fraud Alert.
  • Request your complimentary credit reports for your review.
  • Make a list of bills, correspondence, etc. that you may have not received.
  • Contact the Post Office and report the crime to the Postal Inspector.
  • Contact the Police Department and make an initial crime report.
  • Contact all financial institutions and credit card companies you do business with to notify them that your information might have been compromised. You will want to password protect those accounts. Do not close accounts unnecessarily.
  • Monitor your credit report and monthly account statements closely. Notify the company during any billing cycle in which fraudulent activity has occurred. If the account is for a debit or credit card, close the account and request a new account number. See ITRC Solution SN 30 – Clearing Financial Account Takeover, for more details.
  • See ITRC Fact Sheet FS 100 – Financial Identity Theft: the Beginning Steps, if you discover a new account has been opened using your personal information.
  • ITRC recommends using a locked mail box or a P.O. Box at the Post Office.



ITRC Fact Sheet 148

The Non-prime Population:

Traditionally, the non-prime (or sub-prime) population has been described as a group of people who are unable to obtain credit through traditional channels because they are considered the greatest credit risk.

Now, with the economic downturn, it is harder for even more consumers to obtain traditional lines of credit, loan approvals, or even low APRs due to changes in lending practices. Adding to this hardship, consumers coping with salary reductions or the loss of employment are often unable to make their monthly payments, eventually causing their consumer credit scores to drop. As a result, many Americans find themselves struggling with the credit granting criteria of prime lenders (lenders who offer traditional credit). Once considered “prime consumers,” this new and growing population now falls under the category of “non-prime consumers.”

As it becomes harder for consumers to obtain traditional lines of credit, more consumers are using alternatives. According to the study Changing Patterns and Behaviors of Non-Prime Payday Loan Consumers by Clarity Services, Inc., “ … between February 2010 and August 2011, there was a substantial shift in the types of consumers who request payday loans, with the more stable, higher earner segment increasing by over 500 percent.” Payday loan lenders and other companies issuing non-traditional credit are major players in granting short-term loans to this growing population of consumers.

These lenders are often the only institutions offering non-prime consumers access to a reliable cash-flow source. According to Clarity Services, Inc., “the total annual impact to US delinquencies would be $2 billion if payday lending was not available to consumers who take out short-term alternative loans for the purpose of paying back other past due commitments.”

Applying for and Taking Out a Payday Loan:

Consumers are able to apply for payday loans in person at a brick-and-mortar (storefront) institution or online. When you apply for a payday loan online, you may be applying with one lender or a whole network of lenders. Many of the websites that advertise loans are third parties that take applications for loans and offer them to lenders in their network. Because of this process, one application can be seen and approved by multiple lenders. It is up to you to decide which loans to take, if any, and to be aware of the fees and due dates of payments.

If you have taken out a payday loan, it is important to note that credit reports from the three major credit bureaus (i.e. Experian, TransUnion, and Equifax) typically do not include information on the payday loan dollar amount borrowed by the consumer or the amount owed unless the lender has referred the account to collections.

Identity Theft and Payday Loans:

Since payday loans typically do not appear on credit reports from the three major credit bureaus unless an account has been sent to collections, a victim will often not know about a fraudulent payday loan until he or she has been contacted by a lender or collections agency. An identity theft victim with payday loans in his or her name may have to utilize several resources in order to understand the extent to which his or her identity has been compromised. First, if you have been contacted by a collections agency, please refer to ITRC Fact Sheet FS 116: Collections Agency and Identity Theft and follow the steps provided.

If you have been contacted by a lender, or you are contacting a lender about an overdue payday loan that you did not authorize, ask to speak to a representative who can handle fraudulent claims. When speaking to the representative, state that the payday loan in question is fraudulent and that you are a victim of identity theft. Then ask about any other loans in your name. Once you have obtained the information you requested, ask about the clearance process, which may vary by lender. Follow all the steps the lender gives you to ensure proper removal of all fraudulent activity. Also ask about any alternative credit bureaus (i.e. not one of the three major bureaus – Experian, Equifax, TransUnion) that offer credit reports that may contain loan inquiries and/or funded loans from the lender. Request a credit report from any of the bureaus that the lender names. If the credit report(s) show fraudulent activity, refer to ITRC Fact Sheet FS 100: Financial Identity Theft: The Beginning Steps and ITRC Fact Sheet FS 100A: More Complex Cases for mitigation steps.

Payday Loan Scams:

According to the Internet Crime Complaint Center (IC3.gov), payday loan scammers took in a reported total of more than $8 million in 2011. However, since not all victims report their losses, the true amount is likely even higher. Payday loan scams usually follow the same basic formula. The scammers will contact consumers at all times of day and night. In addition, the fraudsters often claim to be attorneys, part of a government agency, or employees of legitimate-sounding banks or companies. The scammers then state that the consumer owes money on a loan and needs to repay it immediately.

While these victims may have applied for payday loans or may have received loans in the past, they owe no money to the callers. Somehow, the fraudsters have obtained the consumers’ account and personal information. The fraudsters typically know information such as the SSN, address, names of relatives or references, or perhaps the name of a lender that the consumer would recognize. The fact that the scammers have this information makes the scam victim believe that the caller is part of a legitimate company which received a loan application. Also, these fraudsters will intimidate people in a number of ways: using abusive language; threatening lawsuits or jail time; and calling or threatening to call relatives, coworkers, or employers.

The Fair Debt Collection Practices Act (FDCPA) details consumers’ rights and states what debt collectors are not allowed to do. Refer to ITRC Fact Sheet FS 116A: Your Debt Collection Rights for information regarding the act. If the person calling refuses to provide you with written notice of a collection (also known as a validation notice), or violates the FDCPA in any other way, hang up and do not give any information about yourself, because this is likely a scam.

For more information about protecting yourself, please refer to:

ITRC Factsheet FS 123: Scam Assistance

ITRC Factsheet FS 124: Fraud Alerts and Credit Freezes.

You can also report a scam call by contacting the Federal Trade Commission (FTC) and your state Attorney General.


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to itrc@idtheftcenter.org.

ITRC Fact Sheet 140

You will be asked to provide your Social Security number in order to obtain many types of services. The ITRC advises consumers to ask the following questions when the number is requested:

  • Why does the company/agency need the information (what law or reason make this a requirement)?
  • What will happen if I don’t provide it?
  • Is there an alternative to providing your SSN? Can you show a driver’s license or attach a password to an account number for identification purposes?

Based on the answers, you can make a knowledgeable decision regarding your actions. If a business or other enterprise asks for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service.

According to the Social Security Administration’s website, the following are some situations where a SSN might be requested:

  • Internal Revenue Service for tax returns and federal loans;
  • Employers for wage and tax reporting purposes;
  • States for the school lunch program;
  • Financial institutions for monetary transactions;
  • Veterans Administration as a hospital admission number;
  • Department of Labor for workers’ compensation;
  • Department of Education for Student Loans;
  • Entities that administer any tax, general public assistance, motor vehicle or drivers license law;
  • child support enforcement;
  • commercial drivers’ licenses;
  • Food Stamps;
  • Medicaid;
  • Unemployment Compensation;
  • Temporary Assistance to Needy Families; or
  • U.S. Treasury for U.S. Savings Bonds

“The Privacy Act regulates the use of Social Security numbers by government agencies. When a federal, state, or local government agency asks an individual to disclose his or her Social Security number, the Privacy Act requires the agency to inform the person of the following: the statutory or other authority for requesting the information; whether disclosure is mandatory or voluntary; what uses will be made of the information; and the consequences, if any, of failure to provide the information.”

For more detailed information, the SSA recommends the publication Your Social Security Number and Card.

Frequently Asked Questions:

Q: Almost every bank, credit card company, health provider, and health insurance company wants to use the last four digits, or in some cases the entire SSN, for identification purposes. What do I do?

A: The companies listed all have legal requirements to use the SSN. Banks and credit card companies have duties to the IRS and to the government in regards to the use of the SSN, such as reporting for taxes and conforming to the Patriot Act. Health insurance companies use it to clearly identify the individual covered for tax purposes and liability issues such as mandatory reporting.

The IRS and SSA, as well as state driver’s license and state identification issuing agencies, are part of the government and use the SSN as the key identifier for U.S. citizens.

There are a number of companies that will request your SSN without a clear reason for doing so, which makes them a target of opportunity for data thieves. We suggest questioning their reason for collecting this data. This is a way of reminding the business entity that there is value in the information and consequences for the loss of that same data.

Q: As part of my job for a major company, I request the last 4 digits of the SSN every day before I assist customers. If you are encouraging people not to use the last four, how are they going to call into a company and identify themselves in order to do business with the company?

A: Companies can assign an account number and password to each account, thereby eliminating the need for SSN information. If they need more information, there are many knowledge-based questions they can ask about an account holder.

Q: Do doctors and dentists need my SSN?

A: Health care providers often require a patient to divulge their SSN. The SSN is typically used for identification and authentication of the patient and their health insurance plans. While there does not seem to be a law mandating the collection of SSNs by health care providers, most will require the SSN prior to accepting the patient. Inquire as to how the health care provider protects your personal and health information.

Q: Why do car dealers ask for the SSN when you purchase a car, even if you pay cash?

A: In many cases the business requests the SSN to satisfy a governmental requirement placed on the business, not on the consumer. The underlying reason may be the Patriot Act, which monitors the transfer of specified amounts of money. Car dealerships, casinos, and pawn brokers are some of the businesses under this requirement.

Q: My SSN is on my Medicare card. Can I get it removed or not carry it all the time?

A: At this time, it will not be removed from the original card. Please see ITRC Solution SN 22 for best practices on this topic.

Q: Do I need to include my SSN on a job application?

A: A company may allow you to write “will provide during interview” in the space for your SSN on an application. Your employer will need your SSN for payroll purposes and to document your legal right to work in the United States. Please see ITRC Fact Sheet FS 121 – Prevention Tips for Job Seekers.

Important Reminder: Take your Social Security Card out of your purse/wallet and never carry it on a daily basis. Only carry the card on the one day when you have a specific reason to show it to a reliable representative of a company or agency.

LF – 140 Requesting a Credit Freeze for a Dependant Adult



ITRC Fact Sheet 135

EVALUATE YOUR RISK LEVEL

The following is a guide for the small to mid-size business (SMB) community to assist in planning, addressing, and dealing with issues that may expose the business to data breaches and/or identity theft. In order to conduct business, most companies must keep sensitive personal information in their files. Personally Identifying Information (PII) includes items such as names, Social Security Numbers, credit card information, or other financial account data that identifies customers or employees.

This information is often necessary to fill orders, meet payroll, or conduct other necessary business functions. However, if sensitive data is exposed to the wrong parties, it can lead to fraud, identity theft, or other serious consequences. Given the cost of a security breach, safeguarding personal information is just smart business. In addition to the direct costs, you also risk losing your customers’ trust and perhaps even having to defend yourself from legal action.

Some businesses may have the expertise necessary to design and implement an appropriate plan in-house. Others may find it helpful to seek a knowledgeable expert. The information in this guide is designed to assist you in identifying the risks to your business. When considering your “Best Practices” strategy, you will need to evaluate what information is required for your business to function, why this information is necessary, and what would be the consequences of exposure of this information. In other words, what is the “Risk Versus Reward Ratio” of collecting and keeping each class of PII?

Note: some reasons for collecting personal information may include:

  • Tax requirements
  • Insurance
  • Contractual agreements

Any additional information that your business collects should be carefully assessed for the risk versus reward benefit.

The key to a strong best practices policy is a six-point approach to data and data security.

  • Step one is the assessment of what data you need, what data is required, and what data may be beneficial but ultimately unnecessary. Collecting and keeping only that data necessary for your business is always a best practice.
  • Step two is to identify, create and control the flow of data from the point of collection throughout the entire business operation. This includes data that is on the move, whether inside or outside of your business.
  • Step three is to determine who within the business needs access to the data to do their job. Controlling the access to data and restricting it to just those that must use the data is very important. You should not assume that those who currently have access to a class of data still need on-going access to that data.
  • Step four is to secure the data. Data storage is a key issue because how you store it may also determine what your legal obligations may be in the case of a data breach. Both digital data and paper files must be considered in this context.
  • Step five is to implement the use of proper data disposal procedures. Proper storage of PII will mean very little if the data becomes exposed when the intention is to dispose of the data. It will not do your business any good to keep data secure if it ends up in the dumpster behind your building, or a used computer is sent to recycling with data files on the hard drive. Properly dispose of what you no longer need.
  • Step six is to plan for what happens when something goes wrong or fails, and a data exposure occurs. There is no foolproof system for securing all your PII data all the time. There is no way to protect against a truly determined thief, so your best efforts need to be directed towards reducing your risks where and whenever possible, and having a pre-existing plan if data exposure should occur.

It is most important that SMB executive staffs plan ahead. Create a plan to respond to security incidents. Look closely at what your business does, and how you do it. You must assess the information you have, identify those with access to it, and create effective policies regarding information safety. That being said, let’s look at some of the factors that affect data security:

Physical Security

Many data compromises happen when paper documents are lost or stolen. Of particular note is the frequency of exposure of PII through the disposal of paper documents without proper shredding. Appropriate storage is also a concern.

  • Store paper documents or files, as well as CDs, floppy disks, zip drives, tapes, and backups containing PII in a locked room or in a locked file cabinet.
  • Limit access to these documents to employees with a legitimate business need.
  • Control who has access keys and the number of keys issued.
  • Require that files containing personally identifiable information only be taken out of secure storage when being used. Documents and data should be kept in locked file cabinets except when an employee is working on the file.
  • Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
  • At the end of the day, require employees to secure files, log off their computers, and lock their file cabinets and office doors.

Minimize your risk by implementing appropriate access controls for your building. Instruct employees how to report any incident if they see an unfamiliar person on the premises. If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory log of the information being shipped. Also use a shipping service that will allow you to track the delivery of your information.

Electronic Security

Computer security isn’t just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer systems, and follow the advice of experts in the field. It is necessary that executive(s) and/or officers of the company continuously update their knowledge of security exploits, and become even more aware of the human factor in most data exposures. The best security practices will fail if employees do not follow the protocols, or are dishonest.

General Network Security

Identify the computers or servers where sensitive personal information is stored. It is good practice to minimize the number of machines that store PII. Physical security of sensitive computers, as well as network security, is easier when the number of machines is smaller.

Identify all connections to the computers where you store sensitive information. You may be surprised at the number and types of connections that could be used to copy PII or transfer it outside your security zone. Connections might include the Internet, electronic cash registers, branch office connections, computers used by service providers to support your network, wireless devices (inventory scanners), Bluetooth devices, USB devices, CD/DVD burners, and cell phones or PDAs. Each of these types of connections can offer both accidental and intentional exposure of sensitive data.

It is desirable to store PII on servers that are not also used as an Internet web server. There have been a significant number of data breaches in the past year due to incorrect web server permissions. If the PII is stored on a file server (not a web page server), then a host of possible problems are eliminated.

Encrypt sensitive information that you send to third parties over public networks (like the Internet), and consider encrypting sensitive information that is stored on your computer network or on disks or portable storage devices used by your employees. Consider also encrypting email transmissions within your business if they contain personally identifying information. Many state laws do not consider an incident to be a breach IF the data was encrypted at the time of exposure.

Regularly run anti-virus and anti-spyware scans on individual computers and servers on your network. It is vital to see that these programs are updated with the most recent definition files, and that Windows updates are enabled.

Check expert websites and your software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems. Scan computers on your network to identify and profile the operating system and any open network services. If you find services enabled that are not in use, disable them to prevent hacks or other potential security problems.

Password Management

Control access to sensitive information by requiring that employees use “strong” passwords. Explain to employees why it is against company policy to share their passwords or post them near their workstations. See that password-activated screen savers lock employee computers after a short period of inactivity. Server policies should lock out users who don’t enter the correct password within a designated number of log-on attempts, although the policy can allow the employee to try again after a designated period of time. This policy has a major effect in stopping automated password cracking attempts.
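The lockout policy described above, as an added example (not ITRC code): an account is locked after a fixed number of failed log-on attempts and can be tried again once a cooldown has passed, which is what blunts automated guessing. The thresholds, user names and passwords are constructed for the demo; the password is stored as a salted PBKDF2 hash so that a copied password file is also costly to attack offline.

```python
"""Log-on lockout policy with timed reset.

Added example; not ITRC code. It models the server policy the fact sheet
describes: an account is locked after MAX_ATTEMPTS failed log-on attempts and
the user may try again once LOCKOUT_SECONDS have passed. Thresholds, user
names and passwords below are constructed for the demo.
"""
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5            # assumed policy value: failures before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy value: cooldown before retry
PBKDF2_ROUNDS = 100_000     # deliberately slow hash so offline guessing is costly too


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failures = 0
        self.locked_until = 0.0   # epoch seconds; 0.0 means not locked


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so the demo can move time forward
        self.accounts = {}
        self.events = []          # security log lines for central collection
        self._dummy = Account("dummy")  # keeps timing similar for unknown users

    def add_user(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password)

    def _log(self, now: float, user: str, result: str) -> None:
        self.events.append(f"{int(now)} login user={user} result={result}")

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, self._dummy.salt)  # same cost as a real check
            self._log(now, user, "bad_password")
            return "bad_password"
        if now < acct.locked_until:
            # Still inside the cooldown: reject even a correct password
            self._log(now, user, "locked")
            return "locked"
        if acct.locked_until:
            # Cooldown elapsed: the user gets a fresh set of attempts
            acct.failures, acct.locked_until = 0, 0.0
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self._log(now, user, "ok")
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            self._log(now, user, "lockout")
        else:
            self._log(now, user, "bad_password")
        return "bad_password"


def demo():
    """Five guesses lock the account; the correct password only works after the cooldown."""
    now = [1_700_000_000.0]              # constructed clock, in epoch seconds
    svc = LoginService(clock=lambda: now[0])
    svc.add_user("alice", "correct horse battery staple")  # constructed credentials
    results = [svc.login("alice", f"guess{i}") for i in range(MAX_ATTEMPTS)]
    results.append(svc.login("alice", "correct horse battery staple"))  # locked
    now[0] += LOCKOUT_SECONDS + 1
    results.append(svc.login("alice", "correct horse battery staple"))  # ok again
    return results, svc.events


if __name__ == "__main__":
    results, events = demo()
    print(results)
    print("\n".join(events))
```

The `events` list is the piece that feeds the central log the fact sheet asks for under Detecting Breaches: a `lockout` entry for one user is routine, while many lockouts across different users from the same source is worth investigating.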

When installing new software, immediately change vendor-supplied default passwords to a secure strong password. Caution employees against transmitting sensitive personally identifying data such as Social Security numbers, passwords, and account information via email. Unencrypted email is not a secure way to transmit any information.

Laptop Security

Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a “data wiping” program that overwrites data on the laptop. Deleting files using standard keyboard commands isn’t sufficient because data may remain on the laptop’s hard drive. Data wiping programs are available at most office supply stores.

Restrict the use of laptops to only those employees who need them to perform their jobs. Even when laptops are in use, consider using cords and locks to secure laptops to employees’ desks. Also, if a laptop contains sensitive data, encrypt it and configure it so users can’t download any software or change the security settings without approval from your IT specialists.

Additionally, train employees to be mindful of security when they’re on the road. Require employees to always store laptops in a secure place. They should never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. If it is ever necessary to leave a laptop in a car, it should be locked in a trunk. (For more on travel security measures reference ITRC Fact Sheet FS 134 – Business on the Move).

Firewalls

A firewall is software or hardware designed to block hackers from accessing your computer. It is preferable that you also use a router with a hardware firewall. This is a strong protective measure. Make sure you always have at least one firewall in operation. Remember to keep all firewall software updated. (For additional information on firewalls, please see ITRC Fact Sheet FS 119 – Direct Connections to the Internet).

Wireless and Remote Access

Determine if you use wireless devices like inventory scanners or cell phones to connect to your computer network or to transmit sensitive information. If you do, consider limiting who has the ability to remotely access the computer network. You can also make it harder for an intruder to access the network by limiting the number of wireless devices that can connect to your network. Encrypting transmissions from wireless devices to your computer network may prevent an intruder from gaining access through a process called “spoofing”—impersonating one of your computers to get access to your network. Consider using encryption if you allow remote access to your computer network by employees or by service providers, such as companies that troubleshoot and update software you use to process credit card purchases.

Detecting Breaches

To detect network breaches when they occur, consider using an intrusion detection system. To be effective, it must be updated frequently to address new types of hacking. Maintain central log files of security-related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log will provide information that can identify the computers that have been compromised.
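One form the log review described above can take, as an added example that is not ITRC code: scan a central log of log-on events, flag a source address that fails too many log-ons inside a short window, and flag a success that follows such a burst, naming the host involved so it can be examined first. The log lines, their format, the threshold and the window length are all constructed for the demo rather than taken from any particular product.

```python
"""Brute-force detection over centrally collected log-on logs.

Added example; not ITRC code. The log lines, threshold and window below are
constructed for the demo, and the line format is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-like, ISO timestamps); 203.0.113.0/24 and
# 192.0.2.0/24 are documentation address ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-01T09:00:01 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 fileserver sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:08 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:11 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:15 fileserver sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:18 fileserver cron: daily backup finished
2024-03-01T09:00:20 fileserver sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 fileserver sshd: Failed password for bob from 192.0.2.44
2024-03-01T09:30:00 fileserver sshd: Accepted password for bob from 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

THRESHOLD = 5        # assumed: failures inside the window that trigger an alert
WINDOW_SECONDS = 60  # assumed: sliding window length


def parse_line(line):
    """Return a dict for a log-on event, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as (kind, source_ip, host, user, timestamp) tuples."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = set()                 # sources already reported for a burst
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip = ev["ts"], ev["ip"]
        recent = failures[ip]
        # Drop failures that fell out of the sliding window
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        if not recent:
            flagged.discard(ip)     # burst is over; allow a fresh alert later
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ev["host"], ev["user"], ts.isoformat()))
        elif len(recent) >= threshold:
            # A success right after a failure burst: treat the account and host
            # as possibly compromised and investigate them before anything else
            alerts.append(("success_after_burst", ip, ev["host"], ev["user"], ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Bob's single failure followed by a success half an hour later produces nothing, which is the point of the window: the rule fires on the pattern of an attack, not on every mistyped password. Because the logs are collected centrally, the `host` field in each alert answers the fact sheet's question of which computers need to be examined.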

Employee Training

A well-trained workforce is the best defense against identity theft and data breaches. Check references or do background checks before hiring employees who will have access to sensitive data.

Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Employees should understand that abiding by your company’s data security plan is an essential part of their duties. Regularly remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential.

Know which employees have access to consumers’ sensitive personally identifying information. Pay particular attention to data like Social Security numbers and account numbers. Limit access to personal information to employees with a “need to know.”

Train employees on how to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities. Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop. Impose disciplinary measures for security policy violations.

Have a procedure in place for making sure that workers who leave your employ, or transfer to another part of the company, no longer have access to sensitive information. Terminate their passwords, and collect keys and identification cards as part of the check-out routine.

Security Practices of Contractors and Service Providers

Your company’s security practices depend on the people who implement them, including contractors and service providers. Before you outsource any of your business functions—payroll, web hosting, customer call center operations, data processing, or the like—investigate the company’s data security practices and compare their standards to yours. Address security issues for the type of data your service providers handle in your contract with them. Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

Document Disposal

Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed. Implement information disposal practices that are reasonable and appropriate to prevent unauthorized access to—or use of—personally identifying information. Reasonable measures for your operation are based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. Effectively dispose of paper records by shredding, burning, or pulverizing them before discarding. Make shredders available throughout the workplace.

Point of Contact for Data Breaches

There should be a person in your company or organization that audits information and tracks who has access to PII files or records. This person should be the first person notified in the event information is misplaced or lost. This way, a response team can be alerted to follow a pre-established protocol regarding information containment as well as implement the steps which need to be taken at that time by the company or agency.

Security Check: Reducing Risks to your Company

When consumers open an account, register to receive information, or purchase a product from your business, it’s very likely that they entrust their personal information to you as part of the process. If their information is compromised, the consequences can be far-reaching. Consumers, if victimized by the data exposure, can become less willing – or even unwilling – to continue to do business with you.

Company Rules

Now it is more important than ever that companies have established, well-documented policies for the collection, storage, protection and disposal of personal information. More companies are finding themselves held responsible for the data they collect. This becomes apparent when a company has a data breach that is nothing more than a classic mishandling of information. Across the United States, attorneys are holding these companies to a higher standard. Companies that do not have clearly defined programs and policies find themselves unable to defend themselves in a court of law. It is imperative to put all protocols in writing.

If it is not in writing, then there is little or nothing to protect you in a court of law. A verbal policy is not really a policy.

When adopting a “Best Practices” strategy, consider the following:

  • What information does your business need to function?
  • What information is required to function?
  • What is the risk versus reward value of additional information?
  • When evaluating your business’ security, you need to follow the flow of information so you can identify the potential problem spots.

Some Questions to Ask Yourself

Do you receive or collect PII from:

  • your customers?
  • credit card companies?
  • banks or other financial institutions?
  • credit bureaus?
  • any other source?

How does your business receive or collect personal information?
Does it come to your business:

  • through a website?
  • by email?
  • through U.S. Mail?
  • transmitted through cash registers in stores?
  • by face-to-face interactions?

What kind of information do you collect at each entry point?

  • Social Security numbers
  • Credit card numbers
  • Driver’s license numbers
  • Checking account information
  • Other financial account information
  • Passwords
  • Other general information (such as telephone, address, date of birth)

Where do you keep the information you collect at each entry point?
Is it maintained or stored in/on:

  • a central computer database?
  • individual laptops?
  • disks or tapes?
  • file cabinets?
  • branch offices?
  • an employee’s home files?

Who has or could have access to the information?

  • All employees
  • Selected employees
  • Consultants
  • Service providers
  • Outside sub-contractors*
  • Temporary/employment agency
  • Non-employees on official business
  • General public

* for example, billing department, janitorial, call center, laboratory, marketing firms, payroll, credit card processing company, check processing company, mail fulfillment house

If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. Don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it is necessary.

The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of business relationships.

Related Resources:

  • FTC’s Red Flag Rule: Guidelines for creating and implementing a written Identity Theft prevention plan: http://ftc.gov/redflagsrule.

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to itrc@idtheftcenter.org.

ITRC Fact Sheet 134

The business traveler often carries electronic storage devices and documents for reference or work while on planes, in hotels, and in the spare time between meetings. There is often information you may need in case your office or a customer contacts you during your trip. However, some of the information included may be sensitive personally identifying information (PII). PII includes Social Security numbers, employee identification numbers, addresses, insurance policy numbers, credit card or payroll information, financial account numbers, and other items that could be readily used by an identity thief.

Business travelers must stay alert for situations that an identity thief might exploit to steal this information, and must also guard against inadvertent loss or exposure of PII. Anyone you encounter could be waiting for an opportunity to gain access to sensitive information in your possession, so do not trust anyone you meet with any PII. Housekeeping staff, bellmen, security guards, TSA agents, front desk clerks, and many others you encounter during your trip could have the opportunity to access your data if you are not careful.

You must realize that once you remove PII from your office, you are solely responsible for its protection and security. In addition, even inadvertent exposure or loss of such information (without theft involved) could trigger state breach laws which can require:

  • Law enforcement data exposure notification
  • Consumer or customer notification of those exposures
  • Media notification

These data exposure events (data breaches) can cost your company money and consumer trust and bring negative publicity.

Rules for the Road

The following items should be considered when you are on the move:

  • Laptops, Computer Storage Devices, and PDAs with personally identifying information (PII) – The best way to protect this information is to encrypt the device (full-disk encryption) before leaving the workplace. Many people believe password protection is sufficient, but a login password only controls access to the running system; anyone who removes the drive or boots the machine from other media can read unencrypted data, and login passwords can be bypassed by anyone with enough knowledge and capability. Encryption is the gold standard in data protection. Do not carry the encryption passphrase or recovery key in writing with you. Commit it to memory.

    Prior to beginning your trip, make time to consider which files really need to be carried on the trip. Although it is usually easier to do a “data dump” to your laptop, such action may expose large amounts of sensitive data to unnecessary risk. Take only those files which are likely to be needed during the trip.

  • Make an effort to keep your laptop in your control at all times. Be especially alert when going through airport security when crowds and security procedures may cause some chaos. Do not put your laptop through the security x-ray scanner until you are in position to be the next person through the metal detector. Thieves are waiting for those moments to distract you while an accomplice picks up your laptop from the opposite side of the x-ray scanner. By the time you get through the metal detector, your laptop is long gone.

    Other protective measures include GPS tracking devices for the laptop, fingerprint readers to access laptop files, and remote wipe capabilities that enable you to delete all the information on a device if you lose it or it is stolen. Finally, it is important to lock or log out of your computer whenever it is not in use, even if only for a few minutes.

  • Paper Documents with PII – Sensitive documents should always be kept in a locked briefcase that is secured at all times. As in the case of data files, select only those files for the trip that are likely to be needed. Do not leave sensitive documents in baggage that must be checked for flight.

    If, during a trip, particular documents are no longer needed, see that they are shredded at the first opportunity. Most hotel business centers have cross-cut shredders available for your use. Do the shredding yourself. All documents should be cross-cut shredded when no longer needed.

  • Hotel Safes – Be sure to take advantage of hotel safes if you are leaving your laptop, PDA or storage devices in a hotel room, even for a short period of time. Many persons have access to your hotel room when you are not there. Leaving any of your valuable items in the room, in this case PII, is providing an opportunity to a thief. You must recognize that the information you carry is a target for an identity thief.
  • Business Center Computers – There is always a higher risk in using a public computer. In addition to leaving a record of your activity on the computer (browser history, cached pages, downloaded files), the machine may already carry malware: a virus, key-logger, Trojan, or worm that can capture what you type and, when you log in to your company network from it, spread there. Key-loggers are programs that record and store each and every keystroke you make while using an infected computer. That keystroke data is quietly stored for later retrieval by the thief, who then has an exact record of every website you visited, every file you accessed, including your company network, and the user name and password used for every account you logged in to. This information is a goldmine for an identity thief.

    A better choice is to use your own laptop on the hotel network with a virtual private network (VPN), so that your traffic is encrypted as it crosses the untrusted hotel network.

  • Personal and Business checks – Leave personal checkbooks and checks at home. If necessary, keep business checks in a secure location (hotel safe) when not needed. Checking account takeover is one of the hardest types of financial fraud to remedy. ITRC recommends that you use cash, traveler’s checks or credit cards for purchases.
  • Leave bills at home – Taking personal bills and financial account information with you during your travels puts you at greater risk for identity theft. Unfortunately, many people have access to your room while you are away at meetings and victims have reported that financial account information and checking information has been stolen in this way.
  • Pickpockets – Business travelers should be aware that in addition to wallets, pickpockets are also looking for laptops and PDAs that are temporarily out of your control. This can easily happen at airports, in hotel lobbies and in restaurants. Remember, out of sight means out of control. Thieves may travel in pairs and watch where you put your belongings long before you know you are even a target.
  • Shoulder surfers – Many business travelers are tied to cell phones or PDA devices 24 hours a day. In public areas, identity thieves use “shoulder surfing” to gain access to your personal information. That term used to only apply to those who looked “over your shoulder” to see information. With the common use of cell phones, we forget that we are in a public venue and may talk about things that a thief can overhear and use. (This pertains to public payphones as well.) In other words, if you wouldn’t want to see it on a billboard, don’t talk about it on a phone in public. This includes PII as well as company proprietary information.
  • Mail – If you travel frequently, you might want to consider having a P.O. Box rather than allowing mail to accumulate in your mailbox. If you do not have a locked mailbox, and don’t want to get a P.O. Box at the post office, at least put your mail on “postal hold” while you are gone.

Rules for the Company

There should be a person in your company or organization that audits information and tracks who has access to PII files or records. This person should be the first person notified in the event information is misplaced or lost. This way, a response team can be alerted to follow a pre-established protocol regarding information containment as well as implement the steps which need to be taken at that time by the company or agency.

For additional information about ways to reduce identity theft risk while traveling, please refer to:

ITRC Fact Sheet FS 122 – Identity Theft Travel Tips


How To: Place a Credit Freeze

Everyone in the United States can place a freeze on an existing credit report, regardless of the reason. A credit freeze restricts access to your credit report, which helps prevent new lines of credit from being opened in your name, and it can be placed at no cost to the consumer.

If you need access to your credit after you have placed a freeze, you will need to lift the freeze and then place it again once you are done. If you need to grant temporary access to your credit report to a specific company (e.g., for a job or a specific creditor), you can “thaw” your credit by contacting each credit reporting agency (CRA).

Existing creditors will still have access to your credit report, regardless of the placement of a credit freeze.

Placing or Lifting a Credit Freeze – Adults 18 Years or Older

In order to place, thaw or lift a credit freeze, you will need to contact each CRA separately and provide proof of your identity. Keep in mind that when you initially place the credit freeze, you will be issued a PIN by each CRA. It’s important to safeguard this PIN for future use. In addition, each CRA requires different information, and the quickest way to request a freeze is typically through each of their websites:

Credit Freeze for Protected Consumers (Minor Children and Dependent Adults):

If there is no credit file for a child younger than 16 years old, or a dependent adult, you can request that the CRAs create a credit file and freeze the credit report immediately upon creation, at no cost, to prevent new accounts from being opened in the child’s or dependent adult’s name.

If your child is 16 or 17 and does not have a credit report, you will need to continue to monitor his/her credit. Only some states have a law that allows parents of minors that are 16 or 17 years of age to create and freeze a credit report, and these generally are associated with a fee. The National Conference of State Legislatures has a chart that lists each state and the corresponding laws/fees. Please note that most states allow for no fees if the individual requesting a freeze (or his/her parent or legal guardian) can prove he/she is a victim of identity theft.

A credit freeze for a minor or dependent adult cannot be done online, but each CRA has a website link explaining the steps you need to take:

ITRC Solution 36

What do you do when somebody has pulled your annual free credit report using your information?

  • Contact all creditors you do business with (credit cards, bank loans, utilities, etc.) Talk to them about what precautions can be placed on your accounts. Consider placing passwords on accounts or changing account numbers entirely.
  • Contact the three credit reporting agencies directly. In instances like this, it is safest if you write to the three credit reporting agencies rather than going online or calling because you will need to prove your identity in order to get what you need. You can use the ITRC Letter Form 124 C to write to them. Send to each agency a copy of your state ID or Driver’s License, a copy of your Social Security card, a bill, and a bank statement or pay stub. If you have moved, include a copy of your change of address card as well. Send your packets Certified Mail Return Receipt.
    • Equifax, PO Box 740241, Atlanta, GA 30374-0241
    • TransUnion, PO Box 2000, Chester, PA 19022
    • Experian, PO Box 9554, Allen, TX 75013
  • Look into freezing your credit reports (Fact Sheet 124). See if it is right for you.

If you believe or feel this may be related to a case of stalking, consult your Attorney General’s website for programs that are available to help protect you.

Related Links:

FS 115 When you personally know the thief
FS 115A When your spouse is the thief.
FS 124 Credit Freezes and Fraud Alerts
FS 132 – What are Identity Theft Products?
SN 30 – Clearing Financial Account Takeover


ITRC Solution 20

This fact sheet covers the following information:

  • What do I do?
    – Email Accounts
    – Social Networking Site
    – Twitter or Similar Account
  • I have a free email account and there is no phone number, what should I do?
  • Can this lead to identity theft?
  • How can I protect myself?

It can be very unnerving to realize that your email account, social networking profile or Twitter account has been accessed by somebody else or, worse, that it has been completely taken over. It can also be scary to find that somebody has created an email account or an internet profile on a social networking site that is made to look like you.

One thing you must understand if this happens to you is that this is not, by law, considered identity theft. Identity theft is when somebody uses your personal and unique information in order to acquire lines of credit or to avoid criminal prosecution. Depending on what the intruder uses the email or social networking account for, it could potentially be considered false impersonation, which is not the same thing as identity theft.

WHAT DO I DO?

Email Accounts

Account Takeovers

  • Contact the Network Administrator and explain what happened.
  • If your password has been changed, ask them to issue you a different one. This is a temporary password that will allow you to access the account and change your information. When you are able, permanently change both your password and the security question for this account, and check the account’s recovery email address, recovery phone number and any mail forwarding or filtering rules, since an intruder often adds these to keep access after the password is changed. Depending on the severity of the takeover, you may want to consider closing this account entirely and getting a new email account, possibly with another company or on another server. Make sure you inform the people who you want to have your new email address of the change.
  • Contact everybody in your address book. Inform them of the email takeover. Ask if they have received and/or responded to any emails sent from your account during the time of the takeover. If so, get copies of these emails from them. Look to see if the emails asked for anything (Social Security Number, banking information, money to be sent someplace). If it does, ask the receiver if they sent anything back. In addition, ask them to read the ITRC Fact Sheet FS 123 – I Gave My Information to a Scam Artist.

Fraudulent Account Established:

  • Keep in mind that just because you find an email address that is similar to yours, or is using your name, does not mean that somebody is attempting to use your name maliciously. There are millions of people who have similar names. This could be a coincidence. Make sure you know the intent behind the creation of the account.
  • Contact the Network Administrator and explain what happened.
  • Often times a fraudulent email account is created by somebody who knows the victim. If you know who could be doing this, alert email recipient contacts to be wary of the fraudulent email address.
  • If anybody you know has received email from the fraudulent email address, get a copy of it from them. Keep it for your records.
  • You might be able to file a police report with your local police department, depending on the motive behind the email.
  • You will want to consider changing your password and account information.
  • We suggest that you run a virus scanner on your computer before you change any passwords or account information. This will help ensure there are no viruses or key-logging software on your computer that could capture your new password information and send it to the thief.
  • Gather all the information you have and copies of any emails they may have sent. File a police report with your local police department. You can also file a report with the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.

Social Networking Site

Account Take Over:

  • Contact the Network Administrator and explain what happened.
  • If your password has been changed, ask them to issue you a different one. This is a temporary password that will allow you to access the account and change your information. When you are able, permanently change your password for this account and your security question.
  • Depending on the severity of the takeover, you may want to consider closing this account entirely and getting a new account. Make sure you inform those who you want to keep in contact with of the new account.
  • Get screen shots of the account if changes have been made to it. Keep these for your records.

Fraudulent Account Established

  • Keep in mind that just because you find somebody with a similar name as you does not mean that they are attempting anything malicious. There are millions of people who have similar names and similar interests. This could be a coincidence. Make sure you know the intent behind the creation of the account.
  • Take screen shots of the account for your records. If the fraudster has used pictures of you or personal information about you, make sure you get screen shots of it all for your records.
  • Contact the Network Administrator and explain what happened.
  • Often times a fraudulent social networking account is created by somebody who knows the victim. Do you know who could possibly be doing this? If so, inform people in your network of the fraud.
  • You might be able to file a police report with your local police department, depending on the motive behind the account.
  • You might want to consider changing your password and account information.
  • Talk to your local police department about filing a police report. Many states have laws on cyber bullying and cyber stalking as well as false impersonation of this kind. Speak with your local law enforcement or bar association about the laws in your state.
  • Each site has a different set of guidelines to follow in order to have fraudulent profiles removed from their social networking site.

Twitter and Similar Sites:

Account Take Over

  • Contact the company and explain what happened.
  • Look on their website for instructions on what to do. Try to get screen captures of anything that was posted fraudulently as you, as well as any private/direct messages that were sent. You will need these for your records and if a police report is necessary.

Fraudulent Account Established

  • Keep in mind that just because you find somebody with a similar name as you does not mean that they are attempting anything malicious. There are millions of people who have similar names and similar interests. This could be a coincidence. Make sure you know the intent behind the creation of the account.
  • Take screen shots of the account for your records. If the fraudster has used pictures of you or personal information about you, make sure you get screen shots of it all for your records.
  • Contact the Network Administrator and explain what happened.
  • Often times a fraudulent social networking account is created by somebody who knows the victim. Do you know who could possibly be doing this? If so, inform people in your network of the fraud.
  • You might be able to file a police report with your local police department, depending on the motive behind the account.
  • You might want to consider changing your password and account information.
  • Talk to your local police department about filing a police report. Many states have laws on cyber bullying and cyber stalking as well as false impersonation of this kind. Speak with your local law enforcement or bar association about the laws in your state.

I have one of those free email accounts and there is no phone number to speak to an administrator. What should I do?

Unfortunately with free accounts there is almost no way of speaking with a live person when you attempt to notify the administrator. Most of these sites do have an email address or an online report that you can fill out, but the chances of speaking to a live person are slim. Email service providers tend to only extend customer service phone numbers to those customers that are paying for their services.

  • Look under their “help” or “contact us” section of their website. See if you can locate an online form or an email address for direct contact information. Some administrators will issue you a one-time use password immediately so that you can access your account. Others may take a few days to grant you access back into your account.
  • In some cases the administrator may not be able to fix the problems and the thief is able to continue to gain access to your account. In these situations you may have to consider the possibility of abandoning this email account and getting a new one. In this case, if you are able, make copies of all important emails you may be storing in this account. Delete this information so that the thief will not be able to access it again.
  • Do not email anything to your new email address. This could potentially tell the thief where your new email address is and they may attempt to access it again.
  • Try to alert all those in your address book of the takeover so they know not to trust that address anymore.

Could This Lead to Identity Theft?

Yes, depending on what information you have stored in your email account or networking account and what online companies you were doing regular business with.

Email Accounts:

  • Access your online account with all of the companies who you do business with who could have sent you emails about your account/order status. Change your email to your new email account. Change all passwords and safety questions. You may want to consider changing account numbers if applicable. You must consider all the account numbers and information that could have been exposed to the perpetrator while the account was under the thief’s control, and consider whether that information could be used against you.
  • If you had banking information stored in your email, close down all accounts that might be affected. Open new bank accounts and place verbal passwords on those accounts with your bank. Get a letter from the banking institution stating when you closed down the account. If you continue to do e-business with this account, do not store account information in your email box.
  • If you do online stock trading, change the account number and password for your e-trading account. Change the email to the new email account. Do not store your account information in your email box.

Social Networking:

  • Make sure no personal information was posted online such as your address, phone number, social security number, driver’s license number, etc.
  • If your or anyone else’s Social Security number was stored in your emails or posted online, read our ITRC Fact Sheet FS 100 – Financial Identity Theft: The Beginning Steps about what steps to take.

What Can I Do to Protect Myself?

Email Safety:

  • Keep a hardcopy or printed list (like an address book) of all of the email addresses that are in your email account. This way, you can notify these people immediately if fraudulent activity does take place. Remember, you might be locked out of your account for some period of time.
  • Do not open attachments from people you do not know. Even if you know the sender, double check to make sure they did indeed send you the attachment.

Social Networking:

  • Set your account to “Private” so that only those who you invite can see your information.
  • Do not post any private information such as address, birth date, Social Security number, driver’s license number, location of schools or employment.
  • Do not give your password information to anybody.

General Safety:

  • Keep your virus scanner up to date.
  • Do not click on ads or banners as you could inadvertently activate a virus.



Solution 37

“Doxing” is the increasingly common practice of tracing internet activity with the purpose of uncovering and then publishing personally identifiable information about an individual. The methods employed in pursuit of this information range from searching publicly available databases and social media websites to hacking and social engineering.

In some ways, doxing is a form of cyberbullying, or even extortion. The tactic is often employed when the “doxer” wants to intimidate an individual into a certain behavior. It may be hard to imagine that the average user—you, in this case—would be an attractive target or would engage in any behavior that could cause you to become a victim of this exploitation. But it’s becoming a more and more common practice, mostly because it’s so simple to do and doesn’t require any set technological skill.

One of the unfortunate realities about doxing is that simply uncovering information about someone isn’t a crime; using it to threaten, intimidate, or extort the victim is. However, some doxers feel completely justified in their behavior. For example, actor Adam Baldwin was doxed because of his involvement in a controversial movement entitled #GamerGate, along with “Business Journal” columnist Milo Yiannopoulos and four other people. The doxer was apparently offended by their public stance on this controversial issue and punished them for what the doxer saw as their crimes by releasing personal information in a document posted on Pastebin that could be accessed by the public. Baldwin’s personal phone number was exposed, and other people had their parents’ addresses, their own addresses, and birthdates released. The sender threatened that if activities they found offensive continued, “…this list grows”.

There are many ways by which scammers and stalkers can find out things about you just by skimming what you have posted online. Sometimes it can be difficult to understand the long-term implications of posting everyday activities, pictures, or updates about seemingly innocuous information or activities.

People who engage in “doxing” are usually doing it to scare or harass the person they have targeted. If someone targets you and claims to have your information, do not discuss it online or make it public, and do not become confrontational. You may very well be taking the bait the doxer is holding out, and you may inadvertently be confirming the authenticity of the information the doxer thinks he’s acquired. It can also encourage the person to harass you even more in order to get a stronger reaction out of you. Even if he threatens to release the information online, do not confront him or talk about it online. Report it to online moderators, and be sure to report the situation to the police as stalking or cyberbullying, so there is a confirmed paper trail of the initial behavior if the situation escalates.

The following information contains some suggestions that can help you stay safe online:

  • Do not use your name or birthdate in your email, Twitter, Facebook, or other online profile names, such as johndoe1975@gmail.com. This is the first thing doxers will look for, and it is an easy way to identify you if there are other people with a similar name.
  • Use different names for each online profile. For example, do not use the same user name for your Facebook that you use on Pinterest. This will make it harder for people you don’t know to locate you in each social networking sphere.
  • Do not input your real birthdate into any social networking site. It’s fun to have people tell you “happy birthday” online, but this information can be used to find out sensitive data about you. Even though you can make it private, it is safer not to have this information on a publicly accessible site. Use a fake birthdate unless the site has an age requirement to establish an account.
  • Do not accept friend requests from just anyone. Look into who they are first. If you aren’t sure about them or don’t like what you see in their profiles, don’t friend them.
  • Do not download any files from people you don’t know, and look into files or links sent from account holders you do know, just in case that person’s account was hacked. Those files may contain viruses or other ways by which hackers may gain access to your computer. Do not click on any links or share your email address, phone number, or other personal information with individuals you do not personally know.
  • When taking pictures you wish to share online, disable the geolocation or location settings in your smartphone or camera before taking the picture. This function, known as “geotagging”, lets smartphones embed a time and date stamp in the picture’s file, along with the GPS coordinates of where the photo was taken. That metadata travels with the photo when you post it online; a cute picture of your child playing in his bedroom can hand the coordinates of that bedroom to anyone with the know-how and software to read them. Switch location settings off in your device’s main menu before taking pictures, but remember you’ll need to turn them back on to use certain apps, such as map or navigation apps.
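The bullet above describes metadata embedded in the photo file itself. As an added example (not part of this ITRC fact sheet), the Python script below walks the marker segments of a JPEG, reports whether its Exif block carries a GPS sub-IFD pointer (Exif tag 0x8825, the tag that points at the latitude/longitude entries), and strips the Exif segment so a copy can be shared without it. The sample JPEG bytes are constructed inline for the demonstration and are not a real photograph; the function names are this example’s own.

```python
import struct

SOI = b"\xff\xd8"          # start of image
APP1 = 0xE1                # marker that usually carries Exif
SOS = 0xDA                 # start of scan: compressed image data follows
EXIF_HEADER = b"Exif\x00\x00"
DATETIME_TAG = 0x0132      # Exif DateTime (ASCII, 20 bytes)
GPS_IFD_TAG = 0x8825       # GPSInfoIFDPointer: present => photo is geotagged


def iter_segments(data):
    """Yield (offset, marker, raw_segment) for each metadata segment before SOS."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            return                      # everything after this is pixel data
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, data[pos:pos + 2 + length]
        pos += 2 + length


def ifd0_tags(segment):
    """Return the set of IFD0 tag ids in an Exif APP1 segment (empty if not Exif)."""
    payload = segment[4:]               # skip marker (2) + length (2)
    if not payload.startswith(EXIF_HEADER):
        return set()
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return set()
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = set()
    for i in range(count):              # each IFD entry is 12 bytes: tag, type, count, value
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tags.add(struct.unpack(endian + "H", entry[:2])[0])
    return tags


def has_location_metadata(data):
    """True if any Exif block in the JPEG points at a GPS sub-IFD."""
    return any(GPS_IFD_TAG in ifd0_tags(seg)
               for _, marker, seg in iter_segments(data) if marker == APP1)


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed; pixels untouched."""
    out = bytearray(SOI)
    pos = 2
    for off, marker, seg in iter_segments(data):
        pos = off + len(seg)
        if marker == APP1 and seg[4:10] == EXIF_HEADER:
            continue                    # drop the whole Exif block (GPS, timestamps, ...)
        out += seg
    out += data[pos:]                   # SOS and compressed image data, unchanged
    return bytes(out)


def build_sample_jpeg(with_gps=True):
    """Constructed sample: a structurally valid but non-decodable JPEG with an Exif block."""
    n = 2 if with_gps else 1
    ifd0 = 8
    datetime_off = ifd0 + 2 + 12 * n + 4
    gps_off = datetime_off + 20
    entries = struct.pack("<HHII", DATETIME_TAG, 2, 20, datetime_off)
    if with_gps:
        entries += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off)
    tiff = b"II*\x00" + struct.pack("<I", ifd0)
    tiff += struct.pack("<H", n) + entries + struct.pack("<I", 0)
    tiff += b"2024:01:01 12:00:00\x00"  # constructed DateTime value
    if with_gps:
        # GPS IFD with one entry: GPSLatitudeRef (0x0001), ASCII "N"
        tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2)
        tiff += b"N\x00\x00\x00" + struct.pack("<I", 0)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("geotagged:", has_location_metadata(photo))            # True
    clean = strip_exif(photo)
    print("after strip:", has_location_metadata(clean), len(clean), "bytes")
```

The check looks only at the IFD0 pointer, which is enough to decide whether location data is present; a full reader would follow the pointer and decode the latitude/longitude rationals. Stripping the whole APP1 block is the conservative choice for sharing, since it also removes the timestamp and camera details.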


Related Links:

FS 115 – When you personally know the thief

FS 124 – Credit Freezes and Fraud Alerts

FS 132 – What are Identity Theft Products?

FS 144 – Smartphone Safety

FS 145 – Smartphone Threats

FS 146 – Smartphone Privacy and Security

FS 147 – Risks of Mobile Applications


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to itrc@idtheftcenter.org