May 1, 2008 -- The first step to preventing identity theft is to understand how it happens. Here are some of the most common vulnerabilities and strategies for fighting back:
Hacked Shopping Sites
Shopping online has become so routine for many of us that it's easy to forget that some Web sites haven't taken the steps they should to protect us. Sophisticated identity thieves -- often in foreign countries -- spend all day just trying to figure out how to hack into those sites and grab their treasure troves of credit card numbers and other identifying information. What to do?
Make sure when you move from the informational section of a Web site to the purchasing section, that the "HTTP" in the URL changes into an "HTTPS." The "S" stands for "secure."
Only shop at well-established retailers. If you must buy from an obscure site, check its reputation first with the Better Business Bureau.
Never use a debit card to make online purchases. If the thieves snatch your account information, they will be draining your actual bank account. Better to use a credit card, which limits your liability to $50. Usually the card company covers the entire loss.
When I infiltrated the Internet underworld where identity thieves buy and sell people's information, it was most gut-wrenching to see "full profiles" where the crooks even had the person's Social Security number, mother's maiden name and ATM PIN. Usually, this kind of detail is provided to the crooks by the victims themselves, when they respond to phishing e-mails. A phishing attack is an illegitimate e-mail made to look as if it's from a bank or government agency. They're very convincing. The crooks claim they need to verify your account information "for your own protection." They then ask for every possible financial detail.
Keep in mind that banks and government agencies rarely communicate with their customers/citizens via e-mail. If in doubt, call the entity in question and ask if they sent you an e-mail.
Be on the lookout for poor spelling and grammar. Many identity thieves are foreigners who mangle the English language. On the other hand, in researching this story, I found that some ID thieves actually copy phishing e-mails from consumer protection Web sites that post samples for educational purposes.
Only provide financial information when you have initiated the contact, whether by e-mail or by phone.
If you are phished, you need to know about the Federal Reserve Board's Regulation E. It states that as long as you report the problem within two days, you are only liable for $50 in losses. Wait three days and your liability jumps us to $500. Wait more than 60 days and your liability is unlimited.
As we show you in Part 2 of our special report "Stealing You" on "World News With Charles Gibson," clever con artists have learned to attach false fronts to ATM machines and capture people's PIN numbers that way.
Basically, they mount a skimming device over the slot where you insert your card. Then, there are two ways they learn your PIN. Either they mount a hidden camera nearby to record your PIN. Or they rig the machine so your card gets stuck in it. A spotter waits nearby, and when you struggle with the card, he offers assistance, claiming he just had the same problem. Eventually, he asks you to input your PIN, claiming that's what's needed to get your card out.
You should be aware that crooks have even managed to mount skimmers on the increasingly common credit card authorization devices in stores. A ring in Delaware slapped one right on the device at the front counter of a drugstore without employees even noticing.
Try to use mainly one "home base" ATM. And the next time you do, take a few minutes to memorize the look of it.
If the card slot of an ATM looks odd, give it a tug. Some customers have had illegal skimming devices come off in their hands.
Stay on top of your bank balance and bank statements -- a tedious but healthy habit.
Would you hand a stranger your credit card? Sounds risky, but we do it all the time at restaurants. It's one of the few times we are separated from our card. Florida authorities say it's the No. 1 source of credit card cloning cases in that state. Waiters and waitresses can carry tiny skimming devices, the size of a pack of gum, and record all the information on the magnetic strip of your card. They then sell that information to more serious crooks who use it to clone cards.
Consider paying cash at restaurants.
More and more restaurants now use tableside credit card authorization devices. Encourage this service when you see it.
Use a credit card rather than a debit card at restaurants. Again, better that the crooks tap into your bank's money than your own money.
Data BreachesIt's frustrating to write about this category because consumers have so little control. When companies lose laptops carrying precious personal information or when hackers gain access to their hard drives, there's so little consumers can do. We live in a high-tech world and it's nearly impossible to withdraw from it.
Order your free credit reports faithfully. If you alternate between the big three credit bureaus, you can get one every four months and keep a pretty regular eye on your accounts. Scan them for unfamiliar accounts.
Consider one of the credit check services offered by the credit bureaus and some others. They alert you if anybody tries to open an account in your name or if there is unusual activity in your accounts. Don't go with a no-name company that could just be trying to get your personal information.
Another tip: Carry fewer cards. The more you have, the more that can be breached. Even if you cut up a card long ago, all a crook needs is the account number to activate it. Send a letter to formally cancel those accounts. It's usually better for your credit score anyway.
Dumpster DivingThis is the oldest form of identity theft and it still happens. Garbage can be a rich target for thieves willing to do the legwork.
Shred important documents.
Ask your doctor, dentist, attorney, accountant and others who keep records on you to do the same.