Coffee heat rising

identity theft

Trash Scavengers: What Could Go Wrong?

by

Trigger warning: This post contains an amazingly gross scheme that is not for the tender of tummy. 😉

As I’ve remarked, because my neighborhood has a problem with identity thieves and transients sifting through the trash, normally I would not throw out anything that has a bank account number on it, or a credit card number, a Social Security number…that kind of thing. But even without those items of information, someone who is raiding your trash for data to sell to identity thieves can still unearth stuff that can do you a lot of damage. In the identity-theft department, plain old junk mail can present some serious threats.

For example:

  • Any solicitation or notice that comes in from AARP signals that you’re a senior citizen and therefore a particularly vulnerable species of pigeon.
  • Notices from Medicare, your Medigap insurance, and Social Security: same issue.
  • Pre-approved credit card solicitations: All the thief has to do is change the address, and voilà! He’s got a new card in your name.
  • Periodicals. These tell an aspiring thief what your interests are and hint at how affluent you are. All those weekly Economist magazines, for example…maybe you’d just as soon not have your name and address on their labels. A copy of American Hunter tells an alert burglar you’re a member of the NRA, which means you have at least one firearm in the house…and how convenient: there’s your address!
  • Catalogs. They reveal just how expensive (or cheap) your taste is and where you shop. They also contain a bar code that can reveal vulnerable information about you.
  • Anything you throw out unopened because it’s stamped “Standard Mail” instead of “First Class Mail.” Cox (among others) inundates me with “special offers,” always delivered by junk mail. Trash digger finds one of those, bingo! He knows the house is served by Cox, not by CenturyLink.
  • Renewal notices. Costco just sent a notice for renewal. And yes, it does have my account number on it.
  • Business announcements. Fidelity sends libraries-full of prospecti for the many companies my money managers invest in. I don’t read them, because I don’t have that much time left in my life. Neither do I shred them — these things are fat, saddle-stitched booklets: just one of them would jam the shredder. A guy who understands what he’s looking at can parse out where my savings are invested.
  • Insurance company solicitations. Bar code: personal information.
  • Reminders to re-up your membership in a political party. Your political leaning is none of some thief’s business.
  • Requests for donations. Ditto your charitable inclinations.
  • Paychecks, checks for reimbursement or for freelance gigs, wage & earnings statements, tax returns and statements, bank statements, credit-card statements, medical bills, insurance bills, insurance claims and information, and random ID documents. These are usually sent by first-class mail and so are easy to differentiate from junk mail. Still: because they’re juicy pickings for identity thieves, they should never land in an unlocked mailbox. In fact, they probably should never come to your mailbox at all, locked or not. Payments to you should be made electronically — either direct-deposited to your bank account or sent through PayPal. As for those other obvious targets: get yourself a hefty steel locking mailbox. Intercept these documents at the mailbox, file them as need be, and shred them before discarding.

To shred all of the piles of junkmail the postperson delivers six days a week would soon add up to hours of wasted time. I do not want to spend any of my time tearing open envelopes and feeding their contents, a page or two at a time, through my shredder. Burning them in the fireplace is illegal, and it leaves a big mess to clean up.

Registering with the Opt-Out list to waylay prescreened credit card offers is about as futile as signing up for the National Do Not Call list. Both of these sops for angry citizens are simply ignored by mail and telephone solicitors. Signing up for do-not-send lists just wastes still more of your time.

So…is there an easier way to deal with the stacks of junk mail?

Sure, if you have a pet dog or cat.

Here’s the strategy:

Get yourself a tall kitchen trash can that has a step-on lid. This, you will use only for junk mail…and for one other kind of debris. Line the trash can with a sturdy plastic drawstring garbage bag.

Every time you visit the mailbox, drop the junk mail directly into the lined trash can, unopened.

Every time you clean the kitty turds out of the cat box, toss them in on top of the day’s layer of junk mail. Every time you pick up the dog mounds out of the yard, toss them in on top of the junk mail. When you change the cat box, pour the used cat litter over the accrued cargo of junk mail.

Keep this stash outside in the yard, since it’s likely to get a bit odoriferous before it’s time to haul the garbage out.

When the time does come, though, pour a cup or two of plain tap water over the combined mail and animal excreta. Tie the bag shut with the drawstring right before you toss it out. Over the course of a few hours in the city’s garbage bin, this will convert a yucky mess into a truly revolting mess.

And that will be your gift to your data-hunting garbage scavenger. He won’t have to break into more than one of those bags of layer cake to decide to pass on your trash.

Equifax Damage Control

by

Topmost on the list of today’s chores: Call the accursed credit bureaus over the latest identity theft caper at Equifax. Fortunately, after previous exploits, I have phone numbers that go to humans.

Usually. Experian, first on the call list, has a special number to ask about the Equifax fiasco. They’re saying wait times are up to 30 minutes. And of course, they have loud, annoying Muzak to keep you alert and make your head hurt worse.

But in less than 30 minutes — by far — a living creature picked up the phone, one who sounded like she had a fair number of IQ points between the ears.

She said it’s an option to change one’s PIN, but clearly she had been coached not to dispense advice. But it seems pretty obvious that anyone who busted into your account is going to have your PIN and also will have all the information needed to change the PIN. So instead of adding that kind of hassle, possibly to no avail, I put a 90-day fraud alert on the account.

This seems to be the path of least resistance, for two reasons:

a) It means than ANY time anyone tries to create a new credit or bank account, you get a phone call to that effect; and
b) Experian shares the fraud warning with the other credit bureaus, meaning you don’t have to kill time in other punch-a-button phone mazes.

Since a fraud alert will let you know if anyone tries to use your information to acquire credit in your name, and since I already have a “freeze” on all my credit bureau accounts thanks to the vast Maricopa County Community College District hack, I think I’m going to let it go at that. Rather, I mean, than spending half the day navigating telephone punch-a-button mazes. It might be good to change bank account numbers again, but that is SUCH a huge hassle…it probably would be better to simply access credit union accounts online about once a week and check for any unauthorized transactions.

Understand: frequent bank account checks will have to become a permanent habit for everyone. Hackers know better than to use stolen information right away. They’ll often wait a year or more, by way of getting around various inconvenient alerts and hassles you’ve set up to foil them. Since these devices foil you, too, after awhile you’re likely to let them lapse.

The type of fraud alert that is shared among all three companies lasts only 90 days. You can get a seven-year fraud alert, but to do so you have to jump through hoops at all three companies, and you have to show that you’ve actually been a victim of an identity theft using your private information. Whether you can renew the 90-day thing or not, I cannot tell.

Another permanent habit: get used to filing your income tax returns at the earliest possible moment. One handy use for your stolen data is to file fraudulent tax returns in your name claiming large refunds — meaning you get no refund until you jump through hoop after hoop after migraine-building hoop to prove it wasn’t you.

Now…to find out how to sign on to a class action suit against those craven morons… Olson & Daines, an Oregon law firm, is already organizing one. You can go here to notify them that you’d like to join the class action. And if there’s ever been an event that demonstrates loud and clear why class action suits are valuable and should never be curtailed, this one is it. Equifax knew this hack was going on from May through July; they knew about it long enough for their top executives to get their money out of the firm’s stocks before the news hit the public media.

Without your permission, they collect data on you that is none of anyone’s business but yours — spying on you, really. Though this data, gathered in one place, renders you extremely vulnerable, they do nothing to encrypt it, and so naturally sooner or later some hacker steals it. Now you are screwed and the worst that happens to them is that their stock loses a few points…after their executives have pulled their money out.

With the government defanged — and if the right wing has anything to say about it, permanently enjoined from regulating business models like this — citizens have very little recourse other than through legal action.

Ain’t life in the 21st century grand?

Fun & Games with Equifax

by

Amazing. A hundred and forty-three million people get all their private financial information stolen from Equifax, an organization that snoops into your business and accrues data about you without your permission — without encrypting said data. Adding to this latest entry in the Annals of the Floored and Flabbergasted, Equifax executives knew what was coming down the pike, so sold their stock in the company before the news hit the street.

So. If your personal information hasn’t already been stolen, chances are pretty good it’s gone now: 143 million is one in two Americans who may be a victim of this latest heist. What can you do?

You’re not helpless, interestingly enough: there are several strategies that will help protect against the effects of identity theft.

Freeze your credit bureau accounts. You have to call all three credit bureaus to have each one apply a freeze. It ensures that no one — including you — can set up a new bank account, credit card, mortgage, or the like without your knowing about it.

This is probably the best move you can make. It does add some hassle to your life. Any time you want to take out a loan or open a new bank account, you have to un-freeze at least one account — usually Experian. This is made slightly less inconvenient by the fact that you can limit the period that it’s unfrozen, having it refreeze after x number of days. Which sounds good until you realize that you have no way of getting the people your dealing with off the dime: invariably, they don’t get around to asking for a credit report until after the un-frozen period ends.

Monitor your credit card and bank account statements. You should be doing this anyway, but now that’s even more true. Check each statement promptly after it arrives for any transactions you don’t recognize, and if you suspect fraud, call the card issuer or bank immediately.

Set up fraud monitoring on your accounts. Equifax proposes to give its victims a year of free fraud monitoring — conveniently, through its own subsidiary.

This is problematic. First, one year of monitoring ain’t much. If bad guys have your Social Security number, you don’t have a year-long problem: your problem is going to last the rest of your life. After that year, you’re going to have to pay for the privilege. And second, if you sign up for the service offered by Equifax, you have to give up your right to sue the bastards — or to be part of a class action suit.

There is some wrong-doing here: they knew about this on July 29, plenty of time for the higher-ups to unload stock. We proles didn’t learn that our personal data was on the way to the Dark Web until yesterday. So no: you do not want to forego your right to sue, and no: you do not want to agree to accept arbitration.

Paid identity fraud monitoring is probably unnecessary. You can accomplish the same thing for free or for very little by freezing your credit bureau accounts, keeping a sharp eye on your financial statements, and also checking the EOB (explanation of benefits) statements that come from your health insurer for any treatments you didn’t receive.

For free, you can monitor your credit reports. By law, credit bureaus are required to give you one free credit report a year. Since three credit bureaus dominate the privacy-invasion landscape, you can arrange to stagger requests for reports, so that one comes in every four months, giving you a recurring view of activities reported to the credit bureaus.

The federal government has a free identity theft recovery program for people who believe they’ve been victimized. When you review the complicated, time-consuming steps required to respond to an attack on your identity, you realize exactly how serious this vast breach is. It is, in a word, a fiasco.

Foil debit card hacking and balance inquiries

by

Did you know you can use your debit card without entering a PIN? Identity thieves hacking into merchants’ hardware and software and stealing customers’ PINs have made using a debit card risky business. And some merchants, such as gas stations, transmit balance inquiries each time you use a debit card, racking up bank charges. Here’s an easy way to foil them:

When you get to the merchant’s cash register, swipe your debit card, then select “credit” on the keypad and sign the receipt. Your money still comes direct from your checking account, but when you sign for your purchase, you don’t have to enter a PIN. So, even though you’ve used your debit card, you haven’t put your PIN into the system.

This bit of intelligence comes from the Arizona State Credit Union and is confirmed by another credit union in Virginia. The Virginia credit union adds that the strategy also will avoid balance inquiry fees, which occur when you shop at places like gas stations that transmit balance inquiries when customers use debit or ATM cards, because such merchants don’t do balance inquiries when you select “credit.”

Alternatively, you can tell the cashier that you want to sign for your purchase. She or he will ask you to sign the receipt, as you would do with a credit card.

According to The Consumerist, selecting “credit” with a debit card sends the transaction through a different network than the one used for PIN transactions. Banks like you to do this because merchants have to pay more money for signature debits. But it doesn’t cost you a thing.

Image: Channel R, Wikipedia Commons

Identity Theft: Three ways to fight it

by

A few years ago, SDXB and I learned separately that each of our credit reports said we had lived at an address neither of us had ever heard of, in Tempe, Arizona. Although neither of us was harmed financially, it indicated a type of identity theft known as “application fraud” or “true name fraud.”

It took about a year to get the fake address off my credit records. Once it was expunged, I pretty much forgot about it…until a couple of weeks ago. That was when Costco announced it didn’t have my current address and my membership renewal was overdue. When I went to customer service to pay up, the CSR happened to show me her computer monitor, and what should I discover but that my home address was listed as SDXB’s former address and my business address is now at that same fake address in Tempe!

The appearance of an unfamiliar address on your credit report is one of many possible signs of identity theft. Other warning signs are missing bills, unexplained charges to your accounts, the existence of accounts you didn’t open, denial of credit for no apparent reason, and dunning calls from bill collectors for items you didn’t purchase.

Undoing a mess some crook has made is very difficult. It can take years to persuade creditors and credit reporting agencies that you’ve been a victim of identity theft, and the crime can haunt you for a long time. Thieves have so many ways to steal your private information, many of which you have no control over, that you really can’t prevent it. But you can take a few steps to reduce your risk. I think of them in terms of three strategies:

1. Monitor

You’re entitled to free annual credit reports from each of the three major credit reporting bureaus, Equifax, Experian, and Transunion. Rather than having to go through the hassle of contacting each of these agencies separately, it’s now possible to order credit reports through a single source, annualcreditreport.com. Instead of ordering all three reports at once, take advantage of the federal law by revisiting annualcreditreport.com once every four months, so that you can spread out reports from the three agencies over the course of a year. This will allow you to monitor your credit reports steadily. Watch for any unexplained activity or accounts you don’t recognize.

Also, before you pay a credit card bill, remember to review the statement carefully. Check financial accounts and billing statements each month, looking for charges you didn’t make.

2. Prevent

Limit the number of credit cards you carry around. Keep no more than one or two cards in your wallet.

Pay in cash at restaurants and other establishments where you can’t watch what an employee does with your card after you present it for payment. This eliminates the use of a skimmer, a handheld device thieves use to swipe cards for later download into their own computers.

Don’t use debit cards. If you must, memorize your PIN; don’t carry a note with your PIN in your wallet or purse. Avoid using your birthdate, numbers of your address, sequential numbers, or four digits of your Social Security number as PINs. Never use a debit card for online shopping.

Photocopy your credit and debit cards, front and back, and keep the photocopies in a safe place. This makes it easy to contact issuers if cards are stolen.

Don’t allow anyone to write your credit card number on a check.

Always take credit card receipts with you. Carry them in your wallet or purse, and shred them before discarding.

Carry outgoing snail mail to a USPS post box or postal station. Don’t leave it in your mailbox to be picked up by the postal carrier. To protect financial information sent to you through the mails, install a locking mailbox.

Avoid giving out your Social Security number. Don’t carry a Social Security card or Medicare card on your person. You (or your parents) can photocopy a Medicare card, trim it down to wallet size, and cut out the last four digits of the SSN that appears on it. Take the original the first time you see a doctor; otherwise, store it in a safe place at home.

Opt out of marketing lists for the three credit bureaus, limiting the number of free credit offers sent to you in the mail. When you do get such offers, always shred them or scissor them into tiny pieces before throwing them in the trash. Also register your telephone number with the National Do Not Call List, to further reduce offers from hustlers.

And of course, never respond to phishing e-mails. Remember, a legitimate bank or creditor will not ask you for your account number or Social Security number.

3. Fight back

At the first sign of identity fraud, notifiy all three credit bureaus and place a fraud alert on your account. This is good for 90 days. This step entitles you to a free credit report; get one from each agency and review all three reports carefully.

Report the theft or fraudulent activity to the police in writing, using an identity theft report.

Once you have filed an identity theft report with law enforcement agencies, use that and your evidence of identity theft to extend the credit bureaus’ fraud alert for seven years.

Report the crime to the Federal Trade Commission, using the police report number you got when you filed a police report.

Learn what your rights as an identity theft victim are.

If an identity thief has opened new accounts in your name, contact these creditors immediately. Federal law allows you to block businesses from reporting fraudulent activity to credit reporting agencies; the sample dispute letter available here will come in handy for that purpose.

If the thief has used existing accounts that belong to you, report the fraudulent activity to the creditors. Arrange to close the accounts and have new accounts with new account numbers issused to you.

So…what am I going to do about the Costco situation?

Well, we have a fair idea where this came from: only one person could connect SDXB and me in quite that way (the phony entry showed my legal first name, which I don’t use socially; few people who knew the two of us as a couple know my real name). At the time the spurious address popped up in our credit reports, this person was engaged in an extramarital affair. We figured she and the boyfriend had forged driver’s licenses in our names so they could rent themselves a love nest.

More recently, the same someone, who has been in deep financial trouble for quite some time, likely ran out of cash about the time her Costco membership lapsed. So she dug out the fake ID, presented herself as me, and said she’d lost her card. If she went in and asked for a new card in my name, she might have been asked for an address. SDXB’s old street address was at the same number as my new street address; the only difference is that one house is on Erewhon Road and the other is on Erewhon Place. So if she gave his old address as “hers”/mine, it would be credible.

I guess what I will do is cancel my Costco membership. Then we’ll have M’hijito buy a new membership in his name, with me on his account as a secondary card holder. This will be a hassle, because they’ll have to issue a new Costco American Express card with a new account number.

But since she hasn’t done anything (so far) that’s cost me any money or damaged my credit rating, maybe I’ll just let it ride and keep a close eye on the credit reports. Who cares if she gets into Costco for free?