SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

5 Things To Know About Identity Theft

Posted on July 27, 2017

Today’s episode of The Checklist is all about identity theft. With the right information, the wrong people can steal your identity – basically pretend to be you – and do a lot of damage in your name, and to your name.

With threats from malware on the rise and hackers always looking for ways to trick us into handing over vital information like passwords, it’s easy to think all these individuals want to steal is access. Really, though, the right access can allow someone to take much more: your actual identity. Of course, they can’t steal away who you are — but with the right information they can certainly pretend to be you. If that happens, it’s stunningly easy to rack up serious debt and damages in your name.

That’s why identity theft is our theme for today’s episode of The Checklist. What does it really mean to have your identity stolen? How could it happen to you — and are there any viable ways to protect yourself? There are in fact, and we’ll cover all this and more. Without further delay, let’s dive into what we have for you today.

  • What is identity theft?
  • Common methods used to steal identities
  • Notable cases of identity theft
  • How to protect yourself
  • What to do if you think someone has stolen your identity

What is identity theft?

The phrase “identity theft” might seem strange on its own; your identity is something essential to you — how could someone take it away? Prior to a huge spike in Internet-connected identity thefts in the mid-2000s, most people probably didn’t even know that “identity theft” was a thing. Today, it’s no longer as literal a term as it may have been in the past, but that doesn’t makes it any less dangerous.

In the past, impersonating someone wasn’t quite so difficult as it is today; with no pictures or instant communications, it could be as simple as gaining access to enough information to convince others you were who you said. Other times it was simply a matter of being in the right place at the right time. The actor Wallace Ford, popular in the early 20th century, took on the identity of an itinerant traveling companion after his friend’s untimely death. With the growth of more modern systems and record-keeping, identity theft changed from something that escaped notice to something that affected many more people.

The crime we know today has little to do with the wholesale taking of a person’s life story and name to live anonymously. Instead, it has much more to do with financial motivations. A good definition of identity theft might be: when a bad guy obtains private, personal information or important financial details and then uses that info as a tool for financial gain.

That might be taking out a loan, opening a credit card, or just racking up tons of purchases on a stolen credit card number. Modern identity theft can take many forms, but it all boils down to stealing someone’s “identity” on paper so you can pretend to be someone else, your victim. The term “identity theft” was coined in the early 1960s as a way to describe a new crime that was occurring over the telephone networks.

In that form of identity theft, people used what we’d today call “social engineering.” They’d call you up and claim that you’d won some fabulous prize, like a week-long cruise or even a cash prize. To claim your prize, you needed only to supply some basic information — like, say, some banking details to make the deposit and some important personal info to verify your identity. You can see where this is going — there was never any prize, and the callers would turn around and abuse that information for personal gain.

These telephone scams are still around in limited numbers today, but cold calling for identity theft fell out of favor a long time ago. Today they represent less than 10% of all identity theft cases. By the 80s, the criminals turned to other dirty tricks like digging through the garbage. How much thought do you give to your trash when you throw it away? Have you ever thrown away documents that might have contained sensitive information?

A few decades ago there was a marked increase in identity theft-related crime caused by thieves finding documents in the garbage such as bank statements, tax documents, and even items like bills and credit card offers. By piecing together enough basic info about a person from these items, a thief could start opening lines of credit and going on a spending spree in your name. A surge in the popularity of shredders in the late 80s led to a slow decline in this type of identity theft. That doesn’t mean you’re free just to throw away sensitive info, though. Does your bank send you offers for balance transfers on your credit cards? Those blank balance transfer checks could be used like cash against your own credit cards! Always think carefully and destroy something that prying eyes might be able to misuse!

Now it’s the web, email, and digital technology in general that provides these criminals with access to the information they want. Without the need for direct interaction with a victim much of the time, it’s far easier for thieves to thrive in the digital age. As we’ll discuss today, some thieves have gone on to steal the information for thousands and thousands of people. First, what are the methods in use?

Common methods used to steal identities

So, with a sense of what identity theft is and where it came from, what are the big threats out there today? Most identity thieves aren’t calling people anymore, in part due to the shift away from landline numbers, which are as easy as looking in the phone book to find. Most of those same thieves aren’t interested in staking out homes and crawling through your garbage, either.

But again, that doesn’t mean that’s a threat you’ll never encounter. It does still happen. Think before you toss papers with your information on them into the garbage. Ask yourself: is this enough info to impersonate me? Even if it isn’t, you don’t want to give bad actors any of the puzzle pieces to your life. Shred or otherwise destroy any documents that might be too sensitive to fall into the hands of a stranger.

Okay, but that aside, how else are identity thieves making a living? It’s mostly the Internet, of course, and the general proliferation of technology into all areas of our lives. It’s easier than ever for someone to steal a credit card or to pilfer your Social Security number. Now, that doesn’t mean there is an overwhelming threat — but it does mean we need to be aware of how these thieves operate. Otherwise, it’s impossible to take proactive steps to guard against identity theft.

Before we dig into the details of web-based identity fraud schemes, we should think of a few other common “offline” methods out there today. A quick example: have you heard warnings in your area about so-called “skimmers”? Bad guys attach these fake credit card readers to legitimate hardware, like an ATM or a gas pump. They can be clever and difficult to detect. Most of them will let you transact business as normal, but it also harvests your name, card number and PIN. The skimmer’s operator then uses this harvested data to commit credit card fraud in your name.

Some schemes involve individuals with inside access to sensitive information; as such, it’s impossible to avoid if someone else’s negligence or malice is in the picture. There have been a ton of convictions related to people who’ve sold personal information, like credit reports, to third parties. One case from the early 2000s saw a man from Long Island sell off tens of thousands of customer reports to an unidentified third party, who then sold the information on to other identity thieves. The FBI called it the largest case of identity theft they’d seen yet, and thousands of people lost their life savings in the fallout.

Black market activity is common with personal information. Much like the way hackers sell passwords and emails on the dark web, they sell consumer information useful for identity theft too. It’s not surprising then that your identity might be stolen as a side effect of a malware infection. Imagine if you encountered a malware payload that left a keylogger on your Mac undetected.

Unaware, you go about your business — maybe you do some online shopping, maybe you log in to your bank account to transfer funds. Maybe you’ll even use an online form to apply for a job, including your Social Security number for verification purposes. Now whoever operates that malware has all that information, too. It won’t be long before it ends up in the hands of someone who will try to impersonate you.

Phishing is a popular tool for stealing identities, especially if it’s able to evade spam filters and convince a victim to provide some vital information. Anti-phishing filters and campaigns have helped reduce the impact it has, but the fact remains that phishers continue to be innovative in their deceptive practices. Large-scale data breaches are another problem, whether they come from hackers stealing information from a website or by compromising physical hardware. Obviously, the modern identity thief has many ways to try to make a grab for your data; it’s why we need to be careful about where we submit important details.

Notable cases of identity theft

With so many methods available, it’s not surprising that it’s a booming underground industry. We’ve heard stories about credit card numbers and personal info going up for sale on the dark web before. With so much widespread potential for abuse, it doesn’t take much looking through the news archives to find plenty of big stories about identity theft. Let’s examine some of the real-world impacts of the crime along with some of the most notable incidents.

Remember LifeLock? They blitzed the airwaves with ads and plastered highways with billboards back in the mid-2000s. They claimed to offer the strongest anti-identity theft protection around. Their founder claimed he was so confident in their services that he published his own Social Security number during TV ads and elsewhere. Can you guess what happened next? Of course, he had his identity stolen — 13 times! Though none of the bills totaled more than a few thousand dollars, it still exposed the fact that his company did little to protect consumers.

In fact, the Federal Trade Commission agreed. They fined Lifelock for deceiving customers with their advertising first in 2010 to the tune of $12 million. Five years later, the FTC slapped them down with an even bigger fine for continued deceptive advertising — this time the bill was $100 million. Lifelock is a good reason to treat all third-party companies offering protective services with some skepticism. Like with malware, there are plenty of snake oil salesmen out there trying to sell you bogus products or far more than you need.

In the mid-2000s, a man named Albert Gonzalez led a group of other hackers on a spree that eventually led to the theft of tens of millions of credit card numbers and financial information. They accomplished this incredible feat by doing something called “wardriving” — driving around with a laptop and looking for vulnerable wireless networks to attack. Once they gained access to the systems of major companies, they deployed malware to sniff out the data they wanted. It’s a sure bet that at least some of that info ended up on the black market. Gonzalez committed numerous other acts of identity theft and is currently serving a 20-year sentence in federal prison.

A quick Google search will bring up tons of other major identity theft cases, too. With so much information in digital storage today, it’s all too easy for one small vulnerability to lead to a huge breach. That’s why it’s important to know how to protect yourself from the damages these bad guys can cause.

How to protect yourself

If all this sounds very concerning to you, well, that isn’t an unreasonable way to feel! Identity theft is a real problem, and it isn’t a threat that will go away anytime soon. The good news, however, is that since so many more people know about it today, there are more tools available to protect yourself.

You’ll find that your banking institutions and your credit card issuers both take steps to protect your identity and to offer additional services. Plus, there are other methods we can all use to keep an eye out for identity thieves. Even if someone gets their hands on some of your information, acting fast can minimize the damage and shut them down before it goes too far. We’ll go over what to do if that happens in a few minutes, but for now, we can focus on preventative steps you can take right now.

First, keep a close eye on your credit score. Identity thieves rely in part on your inaction to enjoy the ability to get away with their crimes over an extended period. Those who monitor their credit and maintain a close watch on their financial accounts can quickly spot charges or activities that aren’t normal. You can even sign up for credit monitoring services that will provide you with additional alerts of any untoward actions. It’s a smart move to keep an eye on your credit throughout the year anyway — preventing fraud and identity theft is just an added bonus.

Next up, you have some options with the credit agencies. You can request the credit agencies put a “fraud alert” flag or a full-on freeze on your account. A fraud alert is usually a step you should only take when you suspect someone has stolen your identity. These alerts last for 90 days and are difficult to remove from your account before their expiration date, so it’s a serious measure.

Freezes are also a big step. They prevent anyone from pulling your report — it’s a “scorched earth” technique that you shouldn’t use if you’re planning on opening a line of credit or applying for a loan. You’ll need to pay up to $30 to get one started. The good news is you can call up the agency and ask for a removal on the freeze at any time. So, if you feel like there’s a short-term risk to your identity, you might want to request a freeze just to be on the safe side. That said, watching your FICO score and checking your report throughout the year can be just as effective.

What about other third-party services offering protection and insurance? Well, they might not actually be worth your time. According to Consumer Reports, proactive actions on your part can be just as effective as a third-party service. They point out in their review of many such services that the terms offered by identity theft insurance are seldom friendly to the individual, and the amount they insure against is simply overblown.

The likelihood that someone will rack up $1 million in identity theft damages against you is small. These insurance companies also state they won’t pay out if anyone else covers your losses — and with Federal laws and creditors both providing protections against out of pocket costs, you’re not likely to see any of your premiums ever again.

Some credit monitoring services can be a waste of money, so look carefully at what these companies offer you. Many will send you false positives or erroneous reports of suspicious activity for what is, in fact, a routine check on your credit. Often, you don’t need to rely on others to protect your identity. Being proactive about checking your credit every four months is the more effective choice. Of course, you should also be careful to protect your identity online — sweep for malware, exercise caution using unsecured web pages, and don’t transmit sensitive info over a public Wi-Fi network. In other words, the usual precautions!

What to do if you think someone has stolen your identity

All the best plans and protections in the world still don’t guarantee that no one will ever manage to steal your identity. After all, some of the things we’ve been discussing are ways to spot suspicious activity after someone’s gained your info. Let’s say that you haven’t been relying on third-party services or constantly monitoring your credit. What happens when you realize, one way or another, that someone succeeded in stealing your identity?

It’s important to get over the initial shock as fast as possible; once you find out there’s a problem, you should move quickly to help prevent any further damage from occurring. Let’s talk about several steps you can take in this unfortunate scenario.

Figure out what has been compromised — is there a particular account someone fraudulently accessed, like your bank or a credit card? Move to put a freeze on that account ASAP; call your bank to let them know you suspect identity theft. They’ll be able to advise you on the next steps you should take. With good luck, this is the extent of your problem.

Due to the protections the Federal law provides, you shouldn’t be on the hook for more than $50 per account, but it can vary based on the type of account and the type of problem, so check with your issuer to know the full extent of your liability. For example, reporting the potential for unauthorized use before it happens can shield you from the charges altogether. If you wait too long to report the problem, you could wind up responsible for the entire amount. That’s why quick detection and a fast response are so important.

Sometimes, thieves compromise identities to a far greater extent. Once you know one account was used without your permission, it’s worth scrutinizing everything else you control for any other bogus charges or activity. A look at your credit report can help with this, but you can also take the step of informing the agencies that you’re an identity theft victim.

You should request that your account receives the “fraud alert” tag we discussed a few minutes ago. What do these alerts accomplish? They serve as a red flag to anyone who pulls your credit report, like a credit card company that receives an application from a thief using your credentials. This alert will tell the person reading the report that they should further verify the applicant’s identity. At the very least this should stop the thief from causing further damage; at best, maybe it could even lead to their arrest. Renew your alert every 90 days until the threat has passed.

What next? In the most serious cases, you might need to file a police report. That’s only if someone compromises your identity to the point of thousands of dollars in charges such as you might see in a case of medical identity fraud. If someone used your Social Security number without your knowledge, you should let both the Social Security Administration and the IRS know about the problem. You don’t want to find out that a hefty tax refund owed to you went to someone else who fraudulently claimed your identity. Preemptive action ensures this can’t happen. Again, speed is an essential element of your response. When you’re informing everyone that needs to know that there could be an impostor out there, the chances the thieves will succeed drops dramatically.

Taking all these precautions and worrying about your identity can be exhausting. Yet the threat posed by identity theft is too real to ignore. With millions of dollars in damages every year, we must be active in our efforts to fight back. While you can’t protect yourself from every possible angle, a vigilant approach to your credit — and the employment of other methods and plain old good security practices — can help stave off any would-be thieves.

Problems? Questions? Security concerns? If you have anything to ask us, send us an email at checklist@securemac.com!

Join our mailing list for the latest security news and deals