Does a day pass when we don't hear of an individual whose identity has been stolen, or of another arrested for stealing someone else's identity? I did a search this morning and found numerous headlines -- 200 identities stolen, thousands at risk of ID theft, ID theft a risk in buying health insurance, Social Security manager pleads guilty of ID theft -- so there is no lack of evidence that ID theft is occurring today and will be tomorrow. Unfortunately, criminals have now purloined data sets which make those cases seem like child's play: they have successfully compromised some of the largest data stores of personal information available. Think of it as data on personnel too numerous to count, or data acquisition on steroids.
The time to have persistent monitoring of your personal identity assets has arrived. We now must monitor our fiscal engagements (credit cards, bank accounts, loans, etc.) for ourselves, our parents and our children as well. We must monitor our health insurance for medical identity theft (think of going into the hospital and finding that their records have you as O- when you are AB+, because someone has stolen your healthcare identity) and even our Social Security records.
What am I speaking of?
This headline last month caught my attention: Data Broker Giants Hacked by ID Theft Service, an article by noted security reporter Brian Krebs. In his piece he describes the "identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans." He goes on to describe how the criminal service has infiltrated the data stores of some of the United States' biggest aggregators of consumer and business data. Your personal data is a commodity within the criminal marketplace. Only when the criminal database itself was hacked did it become clear which raw sources of information were being culled by the criminals. Atlanta, Georgia-based LexisNexis Inc. confirmed that two of its public-facing servers had been compromised. This was not the first compromise for LexisNexis: in 2005, 310,000 individuals had their personal information compromised. Dun & Bradstreet also had its systems compromised, as did one of the leading providers of background checks, Kroll Background America, Inc., a part of Hire Right.
Then just a few days later, we learned, again from Krebs, of the compromise of the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime (see Data Broker Hackers Also Compromised NW3C). But there is more.
In January 2013, the Social Security Administration (SSA) expanded the capabilities within the SSA's my Social Security to allow beneficiaries to change their address of record and direct deposit information. According to the SSA's Office of the Inspector General (OIG), there had been more than 37,000 reports concerning questionable changes between then and June 2013, when the OIG testified before Congress (Social Security Goes Paperless: Protecting Seniors From Fraud and Confusion), and complaints were averaging 50 per day since then. The OIG noted that the Jamaican Lottery Scam, aka the 876 scam (Lottery Scam - The Jamaican Lottery Scam), was used to induce many seniors to redirect their SSA payments to bank accounts to which the criminals had access.
While October is National Cyber Security Awareness Month in the United States, and many entities, including the National Cyber Security Alliance, Senior Online Safety and others, are providing useful tips for the average user, and specifically for seniors, on staying safe online both today and every day, many users view the exercise as a once-and-done. The standard response one sees when reviewing the many breach notification letters sent to individuals does little to dispel the short-term threat to an individual whose personal identifying information has been compromised: it recommends that you check your credit report and financial transactions for a period of 90 days. There is a major problem with this approach. Our identities don't change after 90 days. There is only one expiration date on the value of your personal identifying information to a criminal: your well-documented demise.
The sky is not falling, though we are getting a jolt from a bolt of lightning. Banks and other financial institutions, including the SSA, are changing their manner of engagement to include more sophisticated, multilevel forms of authentication, which raise the probability that when someone is dealing with your bank, SSA, or other accounts, that someone is you. This is excellent news.
What can you do?
Practice good cyber hygiene with your devices -- laptops, desktops, tablets, digital storage devices, etc. Actively (every day) monitor your current accounts. With respect to the SSA, you can block electronic access to your information via a service the SSA makes available -- Block Access -- which means all interaction between you and the SSA will need to be handled in person. Better to establish your legitimate account, so that a criminal who has purloined your Social Security number can't establish one in your name. Avail yourself of a good identity theft monitoring service, one that goes beyond letting you know if activity has been noted on your credit report, and actually monitors for criminal activity and, if it is detected, provides remediation assistance. Taking these steps doesn't guarantee you won't be targeted for identity theft by a criminal. It does, however, ensure you are prepared and well positioned to detect the attempt.