March 28, 2024

Bucks Blog: Steps to Guard Against Identity Fraud

If you get a letter notifying you that your personal data was involved in a corporate data breach, you should pay close attention, a new report says.

Nearly a quarter of people who receive such letters become victims of identity fraud, the report, from Javelin Strategy Research, found. (The firm makes a consumer version of its report available free.)

The latest report from Javelin is based on an online survey, using a probability-based panel fielded by Knowledge Networks, which questioned 5,249 adults in the United States from Sept. 20 to Oct. 12, 2012. For questions answered by all participants, the margin of sampling error is plus or minus one percentage point; for questions answered by all 857 participants who were identity fraud victims, it is plus or minus three percentage points.

The survey was sponsored in part by Citigroup Inc., Intersections LLC and Visa Inc. The sponsors were not involved in the tabulation, analysis or reporting of the final results, Javelin said.

The annual report found that the incidence of identity theft overall was about 5.3 percent of consumers, compared with 4.9 percent the year before.

Much of the increase was driven by so-called “new account” fraud, involving the unauthorized opening of general use or store brand credit cards, as well as “account takeover” fraud, in which the identity thieves may change consumers’ contact information — like their mailing addresses — to gain illegal access to their accounts, the report said.

Data breaches involving Social Security numbers are the most damaging, the report found, because they can be used to open new accounts and authenticate existing ones. Consumers who had their Social Security number compromised in a data breach were five times more likely to be the victim of fraud than consumers on average.

So, what should you do if you get a breach letter?

First, contact the company to make sure the letter is legitimate, Javelin advises. Then, don’t take the letter as some sort of reassurance. If you get one, you need to be more vigilant — not less — about checking your account statements and your credit report for suspicious activity, like new accounts you don’t remember opening or charges you didn’t make.

“We have a national problem, which is getting people to take these notifications seriously,” said Jim Van Dyke, Javelin’s chief executive.

If the company reporting the breach offers free monitoring of your credit report, you should use it, Mr. Van Dyke advised. “A surprising proportion of people don’t even take advantage of an offer of free service,” he said. At a minimum, you can check your credit reports without charge at AnnualCreditReport.com. (You can also request one from the different credit bureau — there are three big ones — every four months.)

Putting a security freeze on your credit report stops the fraudulent opening of new accounts without your knowledge. There may, however, be an “inconvenience” factor involved in lifting the freeze, in case you do want to apply for credit, Mr. Van Dyke said. (There’s also usually a small fee involved, unless you’re already an identity theft victim.)

Putting a fraud alert on your credit report is a less sweeping step that lets lenders know to do extra checking before issuing new credit in your name, and is usually a good idea if your Social Security number is compromised.

A security freeze or fraud alert won’t help if the data exposed in the breach was, say, the account number of a credit card you already had open. In that case, you need to check your account regularly — either online, or by checking your paper statement — for suspicious charges. Or, as the Identity Theft Resource Center suggests, you can request a new card with a new account number, if the card company doesn’t offer you one voluntarily.

What other steps can you take? In general, Javelin advises, never reveal your full nine-digit Social Security number unless it’s necessary. If you’re asked for it to establish your identity, ask if you can provide another form of identification instead. Also, ask service providers like cable companies and utilities to replace the last four digits of your Social Security number with a different four-digit security code to validate your identity when you call for service.

Even if you don’t get a breach letter, Javelin advises monitoring your bank and credit card accounts electronically at least once a week — and preferably daily. Use whatever method is easiest for you — checking online, via a mobile app, or touch-tone banking. And take advantage of any automatic account alerts your bank offers.

Have you ever received a data breach notice? What did you do as a result?

Article source: http://bucks.blogs.nytimes.com/2013/02/21/steps-to-guard-against-identity-fraud/?partner=rss&emc=rss

Bucks Blog: Banks Rely Too Heavily On Social Security Numbers, Report Finds

Banks can do better at protecting their customers from the risk of identity fraud, a new report from Javelin Strategy Research finds.

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over the telephone or re-set a password.

All banks in the report used some version of the Social Security number as a means of authenticating the customer, Javelin found. The pervasive use of Social Security numbers was surprising, given the importance of Social Security numbers as a tool for identity theft, said Phil Blank, managing director of security, risk and fraud at Javelin.

Customers must provide their Social Security number when opening a bank account, he said, but it shouldn’t be used routinely for other purposes, because telling people to keep their number private but habitually asking for it sends the wrong message. “This is something the financial institutions really need to do some work on,” he said. “The consumer should not be trained that it’s O.K. to give up your Social Security number.”

Even partial numbers should be avoided, the report said, because as they have become more widely used, they have become a common target for phishing. “Along with the mother’s maiden name, a truncated version of the S.S.N. is not an effective means of identifying the consumer,” the report says.

The average score of banks in the report was 56 out of a possible total of 100 points, based on criteria that included steps to prevent, detect and resolve fraud.

Banks should also improve their ability to send alerts automatically to customers when crucial changes are made to an account, Mr. Blank said. Nearly three-fourths of the banks in the analysis offered alerts for a change of address, but just 20 percent let customers set up an alert in the event another registered user is added to the account — even though that technique is one way criminals can gain access to bank accounts. “That’s one of the basic ways account takeovers happen,” he said.

Banks can be proactive with their behind-the-scenes behavior analysis, which helps them detect unusual patterns that might be cause for suspicion and alert the consumer. But the option for automatic alerts is important, he said, because “no one knows your financial habits better than you do.”

On the plus side, 40 percent of the banks in the report offered free browser security software, Javelin found.

Have you recently been asked for your Social Security number when contacting your bank? Does that concern you?

Article source: http://feeds.nytimes.com/click.phdo?i=6d3353f192406743f9d32898c92b9214