Computer Security Northwest
Computer Security Information and News You Need to Know – From the Pacific Northwest
NOTE: The first part of this webpage is the same info as on my blog post, but then goes on with all the details that the blog post didn’t provide (starting at the section titled, "Detailed Steps to Take"). Also, please see the button above [or this link] for a one-page checklist summary of all the critical steps you should take to protect yourself from identity theft.
If your identity has already been stolen and you need to know what to do, please go to this page: www.ComputerSecurityNW.com/id-stolen
Introduction to Identity Theft
We have all most likely had our credit card information stolen. Frankly that doesn’t concern me. Chances are my credit card company will notice it and contact me. Even if the charges go through, I can dispute the charges and not have to pay them. That is not identity theft, but credit card fraud. I guarantee if you meet someone who has had their identity stolen, you will be highly motivated to protect yourself by taking the steps listed here.
Although it’s hard to track how many people have experienced identity theft (ID Theft), it’s a growing problem. In 2021, losses from ID theft cost Americans at least $5.8 billion and 1.4 million ID theft cases were reported to the FTC; some reports claim that there were as many as 27 million victims (IdentityTheft.org and applecard.idprotectiononline.com). Some polls estimate 40% of all U.S. citizens have experienced some form of ID theft. Protect yourself so you don’t become one of them!
What is Identity Theft and How can it happen?
Financial or medical ID theft occurs when someone uses information about you to access your existing financial accounts or create new accounts in your name. This can include things such as applying for new credit cards, opening checking/savings accounts, filing tax returns for refunds (tax fraud), using healthcare services (medical ID theft), buying a car, and even taking out a home loan! You are left to pay those charges! They can also drain your current bank and retirement accounts. At worst, you lose thousands of dollars and spend hundreds of hours trying to recover; at best, only your credit score is ruined, and you still spend time recovering. Some may never fully recover financially or emotionally from the experience.
There is an abundance of personal information about each of us on the Internet, especially on social media as well as information released in previous security breaches (that you may not know about). If someone can find enough information about you, such as your name, address, phone number, email, date of birth, and/or social security number (SSN), then they can get credit in your name! Do you wonder if your SSN is known to hackers? Assume it is. (See this article: “Everyone’s Social Security Number Has Been Compromised”)
Some Compelling Examples
If you are not already convinced that you need to protect yourself from ID Theft, then I ask you to take 5 minutes to watch these two YouTube videos: “People Share Identity Theft Stories” and “Identity theft victim: 'It's been hell'”. Nothing more should be needed to convince you to take these steps now, for you and your loved ones.
ID Theft Protection - Introduction
Fortunately, protecting yourself (before you become a victim) is straightforward and easy. (If your identity has already been stolen, you will have a longer road ahead of you; that is addressed at the end of this article.) Have you heard the joke about not needing to outrun the bear, just outrun the person you are hiking with? :-) Well, criminals are looking for the easy way to make money. If you harden your defenses and make it difficult for them, they will move on to easier targets.
The foundation of ID Theft protection is to freeze your credit profile/reports and maintain control over them. This prevents someone from getting approval to open an account in your name. You must also establish your identity at government websites for taxes and social security. If you don’t create these accounts, then criminals are very willing to do that for you!
Your protection plan must include the three-point approach of (1) Education, (2) Prevention, and (3) Monitoring. This article provides basic education, ample resources (listed in the Resources page), and actual steps for ID theft prevention and credit monitoring.
Overview: A Layered Defense
Although no one can guarantee you will never have your identity stolen, what I suggest here is a plan that includes multiple layers of defense to create a strong fortress. The likelihood of having your identity stolen will be minimized and your ability to recover (if needed) is maximized. This plan includes the following major steps, which are explained in detail below (and listed in the attached Check List):
Freeze your credit report with the major credit monitoring bureaus (and checking/savings agency). Freezing your credit has no impact on using current credit cards, bank accounts, and lines of credit you already have. It just means that prospective creditors are prevented from accessing your credit report/file, thus effectively preventing new credit accounts being opened in your name.
- NOTE that you will need to lift the credit freeze when you legitimately want to apply for new credit accounts, so you must be willing to live with the inconvenience of first thawing your credit.
- You must freeze the credit of every person in your household who has a Social Security Number, including children.
Purchase Identity Theft Insurance. This will (1) monitor your credit reports & alert you of changes, and (2) provide protection & recovery services.
Implement strong digital defenses. You must follow good cybersecurity practices to protect against hacking and scams/social engineering, including protecting access to your personal accounts. This will include implementing a Password Manager program and Multi-factor Authentication (MFA). Take time to educate yourself to recognize social engineering scams.
Detailed Steps to Take:
Important Items before you Begin:
Number 1: Depending on how technical you are and where you stand with privacy and security currently, taking the important steps listed here could take you a substantial amount of time. If you think this can be accomplished in a couple hours, then you may grow discouraged and never complete it. Understand that financial and computer security is a journey; start now and take steps over time. This doesn’t have to be finished in an afternoon!
Number 2: It is strongly recommended that you implement Digital Steps #1 and #2 below before beginning the process of freezing your credit reports. This could ultimately save you a lot of time and frustration!
Freezing Your Credit Reports
- Freezing your credit may take several hours. I suggest that you break it up into multiple sessions, maybe over a period of days/weeks. Continue to make progress over time! (You may want to read over this whole document [or at least the Freezing part] before starting the process.)
Note: It is strongly recommended to implement Digital Steps #1 and #2 below in preparation for freezing your credit reports.
Freeze #1: Put a Freeze on all major credit monitoring/reporting companies (Credit Bureaus) (Experian, TransUnion, Equifax). Although you can do this by calling on the phone, it is strongly advised to create an online account with each one as this simplifies the process to freeze and temporarily unfreeze/thaw your accounts as needed. (See this webpage for the personal information you might need for freezing your credit. IdentityTheft.org/protection/credit-freeze/)
Note #1: Important: Some of these freeze activities may generate a PIN code. Don’t lose these PIN codes as they prove your identity; without them you may struggle to prove who you are! Keep them in your Password Manager program notes or write them on a piece of paper; don’t keep them in an unencrypted file on your computer.
Note #2: Freezing your credit is free. However, these credit agencies offer services for pay; they may make it appear you have to pay a fee; only do so if you choose to use their services. They may also send marketing and credit alert messages unless you edit Communication Preferences to turn these off. Please note that you should only turn off alerts if you have ID Theft Insurance that includes monitoring and alerting.
Experian: www.experian.com/freeze/center.html or call 888‑397‑3742 (or 714-830-7000 and press 2 to speak to a live person).
TransUnion: www.transunion.com/credit-freeze or call 888-909-8872 (or 800-680-7289 and press 0 to speak to live person).
Equifax: www.equifax.com/personal/credit-report-services or call 800-349-9960 (or 888-202-4025 and press 6 to speak to a live person).
(Optional: not recommended if you have ID Theft Insurance) Innovis: You can put a credit freeze on this less-well-known credit agency. Do so at: www.innovis.com/securityFreeze/index - This creates some inconvenience as you will not create an account; the PIN to thaw your credit will be sent via physical mail.
Freeze #2: Establish your identity at ID.ME. This is the system used to login to the Internal Revenue Service (IRS) and Social Security Administration (SSA) (unless you previously established accounts with them, in which case you can login directly with these agencies).
Freeze #2a: Go to www.id.me - Choose Internal Revenue Service; "Connect with ID.ME"; "Sign in to Your Account"; "Sign in to your Online Account"; ID.me Create an Account
Freeze #2b: Important: Set an IRS Identity Protection (IP) PIN: After creating an ID.ME account, use it to sign into the IRS at www.irs.gov. Then set an IP PIN so a criminal can’t file taxes on your behalf. Note: You (or your Accountant) will need this PIN to file your federal income taxes, so make sure not to lose it. (If it is not obvious where to go to set the IP PIN, go directly to: www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin )
Freeze #2c: Sign into the Social Security Administration to establish your hold on this account. Go directly to https://secure.ssa.gov/RIL/SiView.action (or to https://ssa.gov).
Freeze #3: Monitor your credit and all online accounts. You must be aware of what is listed on your credit report; inaccurate information may indicate ID theft and, at the very least, negatively impacts your credit score. By law you are entitled to one free copy of your credit report (from each of the nationwide credit bureaus) annually. The only site authorized by Federal Law for requesting your free credit reports is www.AnnualCreditReport.com - If you haven’t looked at your credit report recently, you should get a copy now.
Then, on an on-going basis, you must be aware of any changes to your credit report, others trying to fraudulently use your information, and any attempts to take over your online accounts (email, financial, shopping, social media, etc.). ID Theft Insurance may monitor some of this for you; check those alerts.
NOTE: For hints on manually monitoring your accounts, see this link, “If you decide NOT to get Identity Theft Insurance.”
Freeze #4: (Optional: not recommended if you have ID Theft Insurance) Put a Freeze on ChexSystems. This is the credit rating service for opening checking and savings accounts. You will get a PIN via physical mail (inconvenient; don’t lose it.) which will be needed to thaw your account. Do so at: www.chexsystems.com/security-freeze/place-freeze
Freeze #5 (Optional: not recommended if you have ID Theft Insurance): Put a Freeze on NCTUE (National Consumer Telecom & Utilities Exchange). This credit agency is used for people establishing cellphone or utilities accounts. There is some inconvenience associated with this as they will physically mail you a PIN. It may take up to 3 days to thaw your credit before getting a new phone or phone number. Do so at: www.exchangeservicecenter.com/Freeze (Make sure to not lose that PIN number if you choose to do this.)
Identity Theft Insurance:
Insurance #1: I strongly recommend that you purchase Identity Theft Insurance, but it’s not absolutely necessary if you maintain the following:
(1) you have strong digital defenses (cybersecurity) as outlined below,
(2) you have frozen your credit (probably also including the optional items listed above), and
(3) you are willing to take extra time to regularly monitor your credit and other accounts.
Good ID Theft Insurance will offer both credit monitoring (& alerting) and identity protection (& recovery). Most of us don’t have time to closely monitor every network hack that posts our personal information or passwords on the dark web, or may not find out for some time if someone opens a line of credit in our name. Although all your credit will be frozen, which should repel most ID theft criminals, it isn’t foolproof against dedicated crooks and scammers. Having ID Theft Insurance provides the extra peace of mind that comes from someone else watching your credit and who will pay for any ID Theft recovery. If needed, they will walk you through the recovery process and save you many hours of work.
I suggest doing some online comparison for Insurance that fits your budget and other needs, such as an individual versus family plan, basic vs. premium features, etc. Just make sure it includes credit restoration services. Find out about any deductibles, and what events are covered or not.
Note: If you have done all the items listed in this document, then a cheaper insurance plan (such as Zander, Allstate [Basic], McAfee, Complete ID, etc.) should be enough rather than one of the more expensive full-service plans.
Here is a good place to start: www.safehome.org/compare/identity-theft-protection/ (See their section on “Core Features to Look for When Comparing ID Theft Protection”) and then see more comparison at: www.safehome.org/identity-theft-protection/best/ or just search online for: “best identity theft protection” for other sites that review current offerings.
(NOTE: If you decide not to purchase ID Theft Insurance, please see this link for other items you should do.)
Implement Digital Defenses
When freezing your credit accounts, it is critical to maintain secure access to protect your accounts against hacking and social engineering scams. You will also need to be able to unfreeze/thaw these accounts when needed. If you are allergic to technology :-) or the digital defense steps below seem overwhelming, then you can come back and work on these important steps over time or get help implementing them later. Remember that security is a journey; the best way to make substantial progress over time is to commit to doing a little at a time each week or month. (Don’t put this off forever or it will come back to bite you! Start working on your digital security journey now.)
Digital #1: Install a Password Manager program, and create strong, unique passwords for each important account.
Note: (1) All your passwords must be unique; do not reuse passwords! (2) Passwords should be long (16 or more random characters or 20+ characters if creating a passphrase). You can only do this securely by using a Password Manager to store your account information and PIN codes in an encrypted format.
Full-Featured Password Manager Programs (for a cost): I suggest either 1Password, Dashlane, or Keeper, where passwords can be shared among multiple devices. [Consider using 1Password if you are primarily a Mac user.]
Basic & Free: If you want a free password manager, I suggest the free tier of Bitwarden (online) or KeePass (stored locally on your computer). If you are a Mac user, you can use the built-in KeyChain, but it doesn't have advanced features and only works on your Apple devices.
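As an added illustration of the two rules in the note above (this script is not part of the original guide), the following Python checks a list of account passwords for reuse and for entries shorter than 16 characters, or shorter than 20 for a passphrase. The CSV column names, the sample entries, and the rule used to recognize a passphrase are assumptions made for the example.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

MIN_RANDOM_LEN = 16      # the guide's minimum for random-character passwords
MIN_PASSPHRASE_LEN = 20  # the guide's minimum for passphrases

# Assumed heuristic: a passphrase is three or more alphabetic words
# joined by single spaces or hyphens.
PASSPHRASE_RE = re.compile(r"^[A-Za-z]+(?:[ -][A-Za-z]+){2,}$")

# Constructed sample data. The columns "account" and "password" are an
# assumption; adjust them to match your password manager's export.
SAMPLE_EXPORT = """account,password
bank,Tr0ub4dor&3
email,Tr0ub4dor&3
experian,q7#Lm2vX9!pRz4Wc
transunion,correct horse battery staple
irs,blue sky tree
"""


def audit(csv_text):
    """Return (reused, too_short) findings for a password list in CSV form.

    reused    -> list of account groups that share one password
    too_short -> list of (account, actual_length, required_length)
    """
    by_digest = defaultdict(list)
    too_short = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        account, password = row["account"], row["password"]
        # Group by an in-memory digest so the findings never carry plaintext.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(account)
        is_phrase = bool(PASSPHRASE_RE.match(password))
        required = MIN_PASSPHRASE_LEN if is_phrase else MIN_RANDOM_LEN
        if len(password) < required:
            too_short.append((account, len(password), required))
    reused = sorted(sorted(group) for group in by_digest.values() if len(group) > 1)
    return reused, too_short


if __name__ == "__main__":
    reused, too_short = audit(SAMPLE_EXPORT)
    for group in reused:
        print("Same password used for:", ", ".join(group))
    for account, actual, required in too_short:
        print(f"{account}: {actual} characters, needs at least {required}")
```

An exported password list is unencrypted, so run a check like this only on a trusted computer and delete the export when finished.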
Digital #2: Set up multi-factor authentication (MFA) (also called two-factor authentication [2FA]) for all important accounts, including the ones to freeze your credit. (See: www.cisa.gov/mfa) MFA can be done in several different ways, including using SMS messages, an authenticator app, or YubiKeys (hardware tokens). You need to configure MFA for each website that allows for it. At least set up MFA on your credit bureau accounts, bank accounts, email accounts, social media accounts, etc.
Best for most people: Download an Authenticator App on your smartphone from your App store (such as Google Authenticator or Microsoft Authenticator). This is a stronger form of MFA/2FA.
Note: Make sure to record the “backup” codes given to you when setting up each account with an Authenticator; you will need these if you lose your phone.
At minimum, use your phone number to receive an SMS/text message as your MFA code.
However, note that hackers run schemes to steal cell phone numbers and thus intercept these texts or fool you into giving out these codes; this could give crooks access to your financial accounts. If you choose this method, be aware that most mobile providers offer extra protection through use of a PIN code.
“We advise calling your [cell phone] provider directly and telling them that you’re worried about criminals taking over your phone number, and asking for all the extra security measures you can take to protect your account.” www.vice.com/en/article/zm8a9y/how-to-protect-yourself-from-sim-swapping-hacks
Digital #3: Apply security updates/patches to all your devices and applications. Monthly updates are sent out for your computer by Microsoft, Apple, Google, etc.; these updates include important security patches. Similarly, you should update your smartphone when updates are made available.
Digital #4: Train yourself to avoid falling victim to social engineering scams, via email, phone calls, SMS/text messages, etc. (See the section “How do you avoid being a victim?” at www.computersecuritynw.com/4-critical-items#resist-scams or www.cisa.gov/uscert/ncas/tips/ST04-014 and other Resources below.)
Digital #5: Turn on Account Alerts (Change Notifications) on all financial accounts and any other important account. You want to know if a password, email, address, or cellphone number is changed. If that was not you, then you must take immediate steps.
Digital #6: See www.ComputerSecurityNW.com/essential-security-measures for other suggestions, such as using strong antivirus software, encrypting your hard drive, regularly backing up all your files, using a VPN when appropriate, etc.
Protect Your Family – Anyone with SSN:
You also need to protect personal information for those who might not be watching, such as your children, the elderly, and deployed military personnel. Take the steps listed above for each person in your household who has a social security number (SSN) and encourage others to do so. Someone can get ahold of a child’s SSN and open credit cards in their name; you may never know until the real person grows up and applies for credit, only to find that their credit is ruined since no one paid all those bills.
Other Important Information and Links:
If you decide not to purchase ID Theft Insurance, you must maintain very strong online defenses (like the ones mentioned above) and must more carefully monitor your credit, financial accounts, and your important online accounts. Please see this link for more details and for manual monitoring activities you should do regularly. Direct Link: https://www.computersecuritynw.com/id-no-insurance
If you have already become a victim of ID Theft, or believe you are being targeted by an ID thief, then please see this page for how to recover and for other steps you should take. Direct link: www.computersecuritynw.com/id-stolen
Here is a list of Resources for all topics discussed here about ID Theft Protection. Direct Link: www.computersecuritynw.com/id-theft-resources