identity theft attempt

[surfivor]

 someone I know went to file their taxes electronically and was rejected because the IRS said someone else tried to file a tax return using the same SS. The IRS easily flagged it as a false return apparently and recommended contacting one of the 3 major credit unions and banks etc.

 I was wondering, if you sign up for one of those things like life lock, is it worth doing it for a few months and then canceling it ? Perhaps every year or every 18 months joining something like that for 1 month just to see what they come up with ? Being frugal and all, one might have doubts about the value of staying with something like that indefinitely but it might be worth checking it out or joining periodically ..

 Other than that, what are the big risks ? I seem to have heard a few bad stories, but how common are they and besides dumb stuff, if it happens is it not that hard to clear things up when it happens. Lots of people get their credit card info stolen. Someone buys a fridge or a TV in another state, the bank flags it and sends out a new credit card .. Are some banks better than other with that ? I have an account with BOFA, not the best bank for many reasons but if they have decent protection maybe thats a good thing

[Carl]

send me your Social Security number and all credit card numbers and I will help MySELF

[DonC]

Nice one Carl, (I mean B-Dawg), hahahaha!

Seriously Surf,

The AIr Force recently sent my wife and I documentation saying our information was stolen and could possibly be abused. As a precaution, they set us up with a "LifeLock" wannabe company. 1st 3 years was on the Air Force. After that, about $125/yr. That covers my wife, me, and my children.
Long story short, everytime something "suspicious" went on, they emailed/called me. (About 5x/week). Was pretty coolant first. Now its a PITA! But, our identities are safe or at the very least, insured.

To answer your question, NO! It wouldn't be worth it. Because most places like that won't let you sign up for anything less than 6months. And, it's more expensive for anything less than a year. If you're serious about it happening to you, knock yourself out. Protection is always good. Saved me from a lot of unwanted kids. But a few times, the protection broke, and caused a scare for a day or two.

Better off being cautious and buy a cross shredder and some RFID blockers. Cheaper and safer. BofA is horrible! Go with Wells Fargo or maybe even a local bank. Better yet, since you're so concerned with identity theft and security, put it in a jar, under your floor boards....LOL!

[r_w]

It is still a major PITA.  New thing is for the thief to bounce online purchases through a non extradition country so even when tracked down, they can't be charged. 

Biggest issue these days is when they get the three digit code, so don't give your card to your waiter/waitress.

[gopack84]

You can get a free credit report via http://www.annualcreditreport.com (search annualcreditreport.com if you don't trust my link - and you shouldn't!!  ). And you can kind of keep an eye on things yourself. You are entitled to one free credit report per bureau per year. So what I do is pull one every 4 months in a round robin fashion.
Jan - Equifax
May - Trans Union
Sept - Experian

Now of course they'll try to upsell you to get you join their club, get you pay more for your score, etc. But if all you want is a free copy of your credit report, just pay attention to the prompts and work your way through their maze and you can get it. Just kind of do your homework and be ready to save your file or print it off because you really only get one shot at it and if you mess it up it's kind of hard to do it again. I think you'll often get a code and a link that let's you access the saved report for 30 days but don't count on it. So be ready with your financial info so you can answer the identity questions but that's a good starting point anyway.

You can also put a lock on your credit file which will prevent them opening up NEW credit in your name. Though it won't prevent them making purchases on stolen cards. I think the fee for that is either free or very small like $3. The downside is anytime anybody needs to run a credit check on you for a legitimate purpose (apartment rental, bank loan, job, whatever), you'll have to manually unlock your credit file at all 3 bureaus, then lock it back after it's done. That is a pain.

[FreeLancer]

I just paid for a second year with lifelock and, while I'm satisfied with it, it costs way too much.

[Mr. Bill]

LifeLock has some issues.

FTC, 12/17/15: LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order

...The FTC’s filing in the case alleged that LifeLock violated four components of the 2010 order. First, the FTC alleged that from at least October 2012 through March 2014, LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information including their social security, credit card and bank account numbers.

Second, the filing alleged that during this period LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions. Third, the FTC alleged that, from January 2012 through December 2014, LifeLock falsely advertised  that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft. Finally, the FTC alleged that the company failed to abide by the order’s recordkeeping requirements. ...

[FreeLancer]

There are several ongoing class action lawsuits against them, as well.

[I.L.W.]

Identity Security.

Never make photo-copies of IDs.
A lot of identity theft comes from hard drives on Copy Machines, which the asshats in government never wipe before selling their old machines to 3rd parties. Get a wallet-sized Fresnel Lense and some clear adhesive. Attach the lense to your ID's, and a copy machine won't be able to copy them (most of the time). If someone needs a copy of your IDs (and you are willing to allow them to retain one), make the copy before hand at home, don't use their copy machines. Consider using security paper for your copy to make sure the copy isn't duplicated after you hand it over.

Hospital Paperwork.
They need your insurance number and medical history, and that's it. They will ask for a lot more, and the staff usually doesn't know what's relevant or not, often insisting that all their paperwork be filled out. They can't deny you treatment for a partial form. Just say "I don't know" when they press you for more info. Don't give them information that isn't medically relevant. Hospitals are by far the worst secured data centers. Information needs to be available to Doctors, Nursing Staff, Billing people (three vocations that score extremely low on technical aptitude assessments). A lot of data is visible to temp hires, which is where a lot of fraud data collection comes from. While hospitals have good InfoSec people, they are usually understaffed, under funded, and supporting thousands of users who's password is "123456"... not the people you want to trust with your information.

Turn off Java and Flash
There is no need for any legitimate website to be using these today. They are inherently insecure, and open you up to XSS attacks. If you have a spouse who needs them for Facebook games, get a divorce. Kids... adoption. The low-tech security threats in your own home, educate them or rid yourself of them, lol. I'm serious here, when it comes to computers, you can do everything right, but if you have another user on the computer who doesn't, you might as well have no security at all. 1 person, 1 computer. No sharing computers... these days that's about as socially acceptable as sharing underwear, it's just weird.

File Early.
For personal income tax, Consider Feb. 1 your deadline, not April 15.

Death...
If a spouse dies, get something like LifeLock for the next 5 years. Dead people have a way of filing for a lot of tax returns, it's almost a certainty someone will use their info to file in the next few years as nobody really secures their ID. They just busted a coroner in Louisiana making copies of the contents of incoming wallets.. literally pickpocketing the dead for their IDs. This is an extremely common occurrence amongst hospice care workers as well.

Use an RFID shielded wallet.

Avoid large tax preparation services like H&R block. They hire a lot of seasonal temps. Many are legitimate professionals, some are crackheads. It's just a reality, you don't need to be an experienced professional to work for these places. File yourself or use a small local business that's been around for a few years and doesn't hire seasonal workers.

Incarceration, Parole, Probation for any federal crime post 2005... if any of these things apply to you or anyone you know, you'll (they'll) probably be fighting with Identity Theft for the remainder of your life. Everything needed to falsify a tax return is available through public records related to any prior conviction in several states. Identity thieves do mass collection of this data. If the records are available in one of these states, they're already compromised.

Reality:
You cannot "protect yourself" from Identity theft. Even if you do everything correctly, you are dependant on some systems which will not be good stewards of your personal information. At some point, you have gone, or will go to a hospital, and that's game over for security. The DMV, most Banks, The IRS themselves... Social Security Services, Medicare, Medicaid, Healthcare exchanges, public or private schools, including colleges and trade schools. All of these places absolutely suck at protecting your information, and it's difficult to avoid them all. Even if you do avoid them, data is still leaked through Friends and Family members which can be used to commit fraud in your name. You'd have to be hard-core off-grid to find any real security. Living as a hermit, squatting on someone else's land, and not interacting with people. Unless you identity is rendered functionally meaningless in your life, you are vulnerable.

For the past few years, police agencies have boasted about the declining rates of mugging and armed robbery. This is why. It's not that there are fewer criminals, or we've been more effective at catching them. Why would they risk a violent altercation for the $30 in your pocket, or the $200 in a cash register when they can sit back and steal thousands from hundreds of people at once, never showing their face to anyone, from thousands of miles away. Lower risk, higher reward, and it's damn hard to catch these people.

LifeLock is expensive, and it's a pain in the ass (worse than an auto-insurance company in terms of filing a claim), but they can help with the cleanup after your Identity is stolen. Their track record for prevention kinda sucks, mostly because the theft is predicated on mistakes made by you or the businesses and government institutions you deal with, which are entirely out of their control. But at the end of the day, they can help pick up the pieces a bit faster. Ignore the advertising, they cannot protect you. They can however expedite recovery after the fact. You can get better deals with them through third parties like AARP (which I don't recommend, they're basically a communist organization... look where they spend their money. Makes you wonder how many people would betray their country if Al Qaeda offered a 65 and over Denny's discount, lol... but I'm getting off topic), AOL (yeah... I know, lol. They do have some good services, just nothing Internet related) and others. Some banks even secure group rates for members. If you get it bundled with another service you actually use, it can be a lot cheaper. They were offering a credit card. Instead of "Cash Back" rewards, it basically comes bundled with LifeLock and the incentive value pays the subscription. Not sure if the protection was just for that one card or for all of them. Don't know if it ever left their test market either, but it might be worth a Google search.

Monitoring your own credit is good as an early warning to you. You will know much sooner that you have been F***ed, but it won't really keep you from getting F***ed.

There simply isn't an elegant solution or effective defense right now. Do what you can to be safe, and hope for the best. There really isn't a lot of good news on this front as our Credit, Banking and Tax systems just haven't kept pace with the criminals and show no signs of catching up any time soon.

If you want to be safe, change your name legally to ";" (yes, a semi-colon). You'll be doing paper filing for the rest of your life (if that even remains an option), but a would-be Identity Thief wouldn't be able to enter your name in any online form as it would be Regex'ed out (a security filter that prevents some character from being submitted to help prevent injection attacks on the site). That's enough to screw with the IRS and Banks too, so you'll never see a refund, lol. The cure will be worse than the disease, but at least this will let you make a stand on principal, lol.

[Carl]

If you want to be safe, change your name legally to ";" (yes, a semi-colon).


But my colon has been removed...changed my name to WATER TIGHT....

[fritz_monroe]

You could just wait.  You will eventually be a customer of a company that got hacked and part of their CYA will be to offer free Life Lock or some other credit monitoring service.

I've had free credit monitoring for just over 2 years.  This started with Home Depot, went to Target and then to a large government agency.  I think that eventually this will be subsidized by someone, maybe the .gov or maybe it will be the large muti-national companies trying to look like they care.

[jerseyboy]

Turn off Java and Flash
There is no need for any legitimate website to be using these today. They are inherently insecure, and open you up to XSS attacks. If you have a spouse who needs them for Facebook games, get a divorce. Kids... adoption. The low-tech security threats in your own home, educate them or rid yourself of them, lol. I'm serious here, when it comes to computers, you can do everything right, but if you have another user on the computer who doesn't, you might as well have no security at all. 1 person, 1 computer. No sharing computers... these days that's about as socially acceptable as sharing underwear, it's just weird.

If you have a SOHO router that has a Guest network, put your spouse on the Guest network and you in the normal network. That way if they get infected their computer cannot talk to your computer.

If you are running IPFire or pfSense, you can set up VLANs so you are on different subnets for each family member.

This might be cheaper than divorce and adoption.

These won't protect their computers from themselves but it can protect your computer from their computer.

As a friend of mine used to say, "You can't defend against stupid. "

Jerseyboy

[I.L.W.]

I still like the idea of a prenuptial agreement with a clause that immediately dissolves the marriage with complete forfeiture of martial assets upon logging into pogo.com. 

The big thing is never to share a computer, even with a trusted family member. I can't tell you how many people I've worked with after having their identities stolen. There's always one moderately tech savvy person and one techno-idiot. The smart one is always running malware scans to clean up after the other and bitching at the dumb one to get off facebook and stop emailing everyone garbage. As soon as I look into the computing habits, the "I told you so's" start getting thrown around. Every single case is like this, without fail. Ending a marriage over it seems an over reaction, but many marriages do inevitably end all the same after identity theft. When a spouse enters your data into a pop-up window for a free "Kredit Check" (yes, "Kredit" with a "K"... and grammar to match the spelling) it's hard not to say some hurtful things. Added to the stress of being suddenly flat-broke, I don't hold out much hope for that union.

The best thing is for everyone in the household to be educated on common scams and use some common sense. Hopefully they would discuss situations where this information is shared with one another before sharing it. But the reality is that seldom happens. It's better to isolate the potential damage, and each person using their own computer is a good start. It's not just a matter of security, but a convenience as well.

[surfivor]

If you have a SOHO router that has a Guest network, put your spouse on the Guest network and you in the normal network. That way if they get infected their computer cannot talk to your computer.

If you are running IPFire or pfSense, you can set up VLANs so you are on different subnets for each family member.

This might be cheaper than divorce and adoption.

These won't protect their computers from themselves but it can protect your computer from their computer.

As a friend of mine used to say, "You can't defend against stupid. "

Jerseyboy

 Turn of Java or JavaScript ? Java is not used in alot of apps and flash is old as well. There's alot of modern web apps that use JavaScript however which is completely different than Java despite the similarity of the name .. With out JavaScript, many website won't work

[FreeLancer]

LifeLock is expensive, and it's a pain in the ass (worse than an auto-insurance company in terms of filing a claim), but they can help with the cleanup after your Identity is stolen. Their track record for prevention kinda sucks, mostly because the theft is predicated on mistakes made by you or the businesses and government institutions you deal with, which are entirely out of their control. But at the end of the day, they can help pick up the pieces a bit faster. Ignore the advertising, they cannot protect you. They can however expedite recovery after the fact.

That's exactly how I see it, a warning mechanism/cleanup assistant.  It's probably not a matter of if, but when. While I try to maintain vigilance and defensive behaviors, the fact that I haven't had an ID theft is probably more due to luck than anything else.

[FreeLancer]

Well, the when referenced in my last post has become now.

Three days ago Lifelock notified me of three credit applications using my ID, at Sprint, Macy's, and Verizon.  They advised me that they were able to shut down the Sprint application and are working on resolving the other two.  Since Lifelock is not allowed to do it for me, they had me place a fraud alert on my credit history with one of the big three (that one will share the info with the other two), which was accomplished fairly easily online.  Then, just today I'm getting notifications from the credit agencies of two more credit application attempts from Sterling (I have no idea what kind of entity that is) and Kohl's.  These last two were not picked up before by Lifelock, but they freely admit that they're monitoring network is not able to pick up all potential credit applications.  At this point, Lifelock is telling me to contact them with each new credit inquiry I'm notified for and they'll dispute them for me. 

I'm pretty happy that I got an early heads up from Lifelock that something was amiss, but it's a little more cumbersome of a process to notify them of all the other attempts than I'd hoped it would be, but probably a hell of a lot better than trying to figure this stuff out on my own.  We'll see how it goes and I'll update my progress.

[RitaRose1945]

The social security theft happens a lot, at least in my neck of the woods, and I know several people who found out when they filed their tax returns in the last two years.  In both cases, employers were the likely problems (breaches in payroll and HR departments).  Really frustrating.  The IRS suggested filing taxes the minute you have all the paperwork.  Sometimes just beating them to the punch helps.
[/size]
[/size]I agree with the idea of checking your credit report.  I do the same thing (when I remember) by checking one agency every four months, then repeating the cycle.  But it's really not super secure either.
[/size]
[/size]I think my youngest son has some kind of Lifelock-ish coverage for free since his information was stolen from the army.  So... yeah, it can happen to anyone.
[/size]
[/size](%$#ing post formatting)

[FreeLancer]

I found out about a sixth fraudulent attempt yesterday when AT&T mailed me a statement for a newly opened mobile account, which occurred the same day as the other attempts. Since I have other accounts with them it did not trigger a credit check, but fortunately they were not able to hijack any of my legitimate accounts, and I had no problems confirming my identity with AT&T's fraud department, resolving the issue, and marking my account for the highest security scrutiny in the future.  I was really pleasantly surprised how helpful they were.

Apparently, they walked into a cell phone store in NM with a fake drivers license and SS card and conned their way into two new iPhones attached to numbers in my CA area code.  They also appear to know my profession and provided a plausible current employer.  I'm wondering if my HR files at a previous employer were compromised.

LifeLock is still working on the others and they tell me they should be resolved within the next week.  We will see.

[FreeLancer]

It looks like all but 1 of the 6 fraudulent account applications have been successfully squashed.  Today LifeLock arranged conference calls with the various fraud departments involved and we would have finished Macy's if they weren't on east coast time, so that will have to wait until Tuesday. 

Here's what I've learned from dealing with each company:

Sprint:  This was the first application that LifeLock notified me about and they were able to squash this all on their own.  Apparently Sprint has been so hammered by fraud that they will take LifeLock's word for it and cancel account requests right away.

Verizon:  Two phones on installment, along with a service plan, were obtained using my info, amounting to an account balance of $435, none of which I will be responsible for.  Verizon apparently already shut the account down after I initiated the Fraud Alert with Experian.  Once they noticed that there was no activity logged to the numbers assigned to the phones, that confirmed the fraud in their minds, and they immediately closed the account.  They wouldn't tell me if this fraud was perpetrated in store or online.

AT&T:  I already provided the details on my prior post, but this was the only company that didn't trigger any alerts, due to the fact that I have legitimate accounts with them.  Fortunately, dealing with their fraud department directly went smoothly and they were really helpful.  Account balance was $266, with no responsibility on my part.  This was an in store fraud.

Sterling:  This is a jewelry store conglomerate and they stated the application triggered a bunch of their internal red flags and was denied right from the start.  They wouldn't share any other details.

Kohl's:  The attempt to open an account for store credit card was immediately declined and referred to their fraud department due to the fraud alert flag that I initiated with Experian the day before.  They also noted a difference in address and phone numbers that raised a confirmatory second red flag for them internally.  They wouldn't say whether it was in store or online.

Macy's:  Pending until after the holiday weekend, but the LifeLock employee handling my "Identity Restoration" seems to have some hint that they failed to successfully open an account.


LifeLock suspects that my personal information was bought off the blackmarket, likely by organized criminals outside the US who pay mules to utilize personal information to obtain goods that are shipped back to the mothership and resold on the blackmarket.  She said it's not uncommon for mules to be shipped fake driver's licenses to improve their chances.  In this situation, it looks like they netted $4000 in iPhones.  Could have been worse, I guess.

LifeLock recommended that I request a security freeze be added to my ChexSystems Report online at www.consumerdebit.com.  This redflags my identifying information with banking institutions, minimizing the chance of an account being opened in my name for money laundering purposes, such as occurs with tax refund fraud.

Has LifeLock been worth the high subscription costs?  Probably.  It certainly gave me a week head-start on realizing that something was wrong.  While the credit agencies have all confirmed that they have instituted a fraud alert for me, they have not notified me of the individual instances where a credit check was requested for fraudulent purposes.  I'd need to log in to view those, whereas LifeLock notifies me of them automatically.  I certainly didn't need LifeLock's assistance in closing the AT&T account, and Kohl's and Sterling didn't go anywhere, so I didn't need to deal with them, either, but I didn't know that until the conference calls occurred.  Similarly with Verizon, they pretty much already figured out the fraud on their own, too.

Apparently, once your information has been flagged as having being used fraudulently, these companies mark it for high scrutiny in the future, regardless of what the credit agencies do, so repeat fraud at those companies is very unlikely. 

I'm conflicted about whether to freeze my credit with the agencies.  LifeLock recommended doing it if these applications continue to flood in, but warned that you must be extremely careful about maintaining the PIN code required to unlock credit again.  She said if you can't produce the PIN that proving you are you things get messy, like they may require DNA-level proof of identity.  Maybe that's marketing to scare you into staying with LifeLock, but I don't know.  For now I'm going to stick with LifeLock and, despite spending about 16 hours on this, it's probably still worth it in terms of early warning and the extra leg-work and uncertainty surrounding figuring out the system on my own.