Tech Security Bytes

What to expect when you’re not expecting: A firsthand account of identity theft: Part 1

Intro –

You think identity theft is for “other people”? Surprise! I thought so too until it smacked me right in the face. It could happen to you or someone you know just as easily, even if you “do everything right.”

I’m hoping by sharing this, you can learn from my experience and avoid or reduce pain in your lives.

There’s a lot of ground to cover, so I’m splitting this into a series of posts:

  1. Intro and preventative measures (this post)
  2. Navigating the maze of institutions post-theft
  3. The nuts and bolts of “Handling it” – logistical tips, closedown, follow-up

Overall story TLDR – (“Too Long Don’t/Didn’t Read…” for those less tech-geeky: a summary)

  • Identity theft can strike even the cautious.
  • While you monitor the obvious, blind spots can be your downfall.
  • Lean on the FTC and Law Enforcement – they are your friends.
  • Banks & credit bureaus aren’t your “BFF” – their policies can exacerbate the issue.
  • Full Recovery? – expect extensive documentation and possibly a lawyer.

Background

Once, identity theft seemed like the bogeyman of the careless — those lured into dark web alleys or who played fast and loose with their social security numbers. I thought I was good – e.g. I gave obviously fake social security numbers for my daughter when a school program requested them without real need for them. I was paranoid. I thought I was above this kind of risk.

Spoiler: I wasn’t.

Online shopping...

Fast forward to present day, and despite having “done everything right”, I’m buried in phone tag with banks, credit bureaus, pulling together reams of supporting documents, convincing my local police that a crime had in fact been committed – you name it.

It’s been, and it continues to be (even almost 3 months from my initial discovery), a wild and unpleasant ride (with ongoing fallout).

Don't let this be you
Don’t let this be you.

Hopefully you can learn from what I’ve been going through. Top observations…

Preventative Measures

1. Monitor beyond the obvious

I’m sure you’re all in the habit of regularly checking your bank and credit statements for irregularities, because you’re all smart, security-conscious people, right?

OK, maybe not. So go fix that first, then continue reading.

Alright, so now you’re checking your bank and credit balance after that online shopping spree.

But what about those sneaky accounts that you never knew existed? How many of you look for accounts that shouldn’t exist? The only way you’ll see those is if you’re looking at sources like your credit reports (which only about 1/3 of us do annually, according to a 2020 LendingTree survey), or if you get lucky (like I did) and an institution reaches out to either deny an application you didn’t submit or welcome you to “your” new account.

Don’t be overconfident in what you ARE monitoring – think about what you’re NOT looking at…who could be taking advantage of it… and START looking…

While I reviewed my credit card and bank statements, I was not looking at my credit reports on any regular basis, so I got the “dumb luck” of a phone call from a credit company, declining my application, followed by similar mails from another bank a day later, and then a welcome packet from an online credit union I’ve never heard of. I went from “suspicious” to “sure something was” off pretty quickly.

I was lucky and had signal a week or two after things were compromised – you might not be. By law you can get a free credit report at least once annually from each of the major bureaus – and if you cycle through them, that’s basically every 4 months worst case* – thought they (and other companies) offer more frequent options for a fee – which might be worth paying for peace of mind.

* BE AWARE – not all things are reported to all bureaus, and not everything appears on each report in the same timeframe – I saw some things lag several weeks between one agency and another. You’ll need to check several times to ensure things are “Clean”

CONCRETE TIPS: WHAT TO DO

  • GET IT – Free access to your credit report from the major bureaus – get all 3 and cycle which you are reviewing at any given time.
  • LOOK FOR – unfamiliar accounts / loans / credit lines, and inquiries (Especially “hard pull” inquiries which can affect your credit rating overall or clusters of “Soft pull” inquiries around a specific date)
  • LOOK FOR – Activity on older accounts that are still open – these might be a tempting target for attackers. While you’re at it, why not just close them?

2. There are ways to run the same checks for bank accounts – learn about them and use them.

An eye opener was learning that aside from the 3 credit bureaus, there are resources around banking that fill a similar role. And just how important those resources are.

In particular, Chex Systems provides similar information to the major credit bureaus, but with a focus on checking and savings accounts at banks.

While you might be most worried about bad actors pulling credit in your name, shady folks can also open bank accounts in your name to launder money or engage in other activities..

Yep, that’s a thing. And trust me, explaining your “involvement” in a drug cartel’s financial operations to legal or law enforcement isn’t a chat you want to have.

They can also use a simple bank account as a starting point for an actual credit request (e.g. as a bank customer in good standing, of course “you” can take out a $50,000 loan….).

You probably don’t want to be reviewing any of this with a prosecutor.

CONCRETE TIPS: WHAT TO DO

  • Use resources like Chex to monitor bank activity.
  • Look out for any accounts you don’t know.
  • Close old / unused accounts – reduce your exposed surface by eliminating things you don’t need.

3. Thieves can get a lot of what they need publicly

Thieves aren’t just lurking in dark alleyways; they’re on social media, looking through public records, piecing together your life. Remember when you shared your pet’s name or your mother’s maiden name? Yep, those are common security questions. And that’s without anyone lifting a finger to “Hack” something.

Once your primary data is out, thieves can harness public information to fill in the gaps. You can’t control everything, but you can minimize what you put out there.

A little quality time with social media, reviewing public records, a cup of coffee, and some good note-taking are all that’s needed to piece together a LOT about you.

In my case , they tried to open several accounts before getting my address right – but needed nothing more from me to get it right.

I suspect they got my social security number from a 3rd party as well as well – I don’t keep it in writing anywhere, and my official documentation is locked up in a safe. It was likely compromised through a 3rd party breech by no direct fault of my own.

Be careful how much information you have out there about yourself, how many websites you have saved address or contact info, credit card numbers, personal information or photos, etc. into.

That’s all attack surface, and once information has left your hands it is effectively outside your control and protection.

CONCRETE TIPS: WHAT TO DO

  • Be judicious about what websites you store your personal and financial details on, think twice about what you store and why (is it worth it?).
  • Compartmentalize online activities with multiple email addresses and limit personal information sharing in each to what is strictly needed.

Post 1 Wrap-up

That’s the first leg of my identity theft marathon. Whew!

Stay tuned! Next, we’ll unveil the curtain on my thrilling chats with financial and government institutions and some life-saving advice.

Got a similar horror story or burning questions? Drop them in the comments! I’ll try to tailor future posts based on what you’re curious about.

Sean Reilly
,

Leave a comment