With 477 million records breached in 2015 alone, exposure to identity theft and payment card fraud is very much on the mind of many consumers. I’ve been receiving a lot of questions from friends, family, and colleagues over the past few weeks, and I’ve also had to deal with the fallout from criminals getting their hands on my own identity, so it seems like a good time for a blog.
First, it’s important to understand that there is a big difference between a payment card compromise and a compromised identity. Payment card compromises are a nuisance to be sure, but the impact is relatively minor compared to a true identity theft. To protect yourself against unauthorized payment card use, here are some tips:
- Create unique passwords for each of your online sites. I use a system that makes it easy for me to remember but makes it so that when my password is compromised in a breach (and it is a matter of "when," not "if"), the criminals can't use that password to access other sites. For example, use the same base password (e.g., Madden2) but then add the first four letters of the website. For Amazon, it would be Madden2Amaz, for Chase it would be Madden2Chas, etc. In this way, when your password is compromised in one place, criminals can’t load it into a bot and have it magically enable access to all your other online relationships.
- Enroll in alerts that will notify you if your payment cards are being used in unusual ways. Most financial institutions offer these and will send them via email or SMS. You can usually tailor them so you're not overwhelmed (e.g., specify alerts only when a transaction over $X takes place online and over $Y at the point of sale).
- Check your online bank and payment card statements frequently for unauthorized activity (I do this at least once a week).
When it comes to protecting your identity, here are some tips:
- One of the best ways to protect your identity is to freeze your credit file with the three credit bureaus. This way, nobody can open new lines of credit using your identity data. If you have no need for new lines of credit, there's really no reason not to. It costs US$10 per bureau, but it’s well worth it compared to the time and hassle involved in unwinding an identity theft. If your identity has already been used illicitly and you have a police report, the bureaus will do this for free. You can always unfreeze your file in the future if you need to, it just requires a bit of extra planning (the process takes about 10 days). Here are links that provide instructions on how to do this:
- Sign up for an identity theft protection service. Not all services are created alike—look for a service that can monitor your identity across all of the major credit bureaus as well as public records. Ideally, the service will also monitor the underweb to detect whether your data is being sold on the black market. If you freeze your credit, the bureau monitoring is less relevant, but the underweb monitoring will still be useful, since there are plenty of places your identity can be used without a bureau inquiry (e.g., healthcare providers, IRS).
At this point, it’s a safe assumption that the criminals have access to all of our data. Now it’s incumbent upon us as consumers to make sure the criminals get as little utility from that stolen data as possible.