3

Swiping Happens

When it comes to identity theft, people have many questions and few answers. Should I shred sensitive documents? (Yes.) Is it worse to lose a wallet, a smartphone, or a computer? (It depends on how much sensitive information they contain.) Does it really matter if all of the logins and passwords for my online accounts are the same? (Yes, it really does.) How common is identity theft? (Very.) What are my chances of being defrauded by identity thieves? (The odds are ever in their favor.) Is there anything I can do to avoid becoming a victim? (No.)

Identity theft is the worst kind of dumb luck. You can do a number of things to keep it from ruining your life, but there isn’t much you can do to stop it from happening to you. Identity thieves are like coyotes: They wander around looking for scraps. They take whatever they can find. They are opportunists.

The proposition that you will be able to fence off your property and maintain a completely buttoned-up, coyote-free life while remaining on high alert 24/7 is a pipe dream. When the coyotes of Scamville pad your way, there’s not much you can do about it. You can hope they don’t find a way into your personal finances, or that your information camouflage is fail-safe, but no one is that good or that lucky all the time.

Cybercrime: You Can’t Leave Home Without It

Skimmers are devices that read the magnetic stripe on the back of a credit or debit card when you swipe it to make a purchase or to access your account through an ATM. They record the following data:

Carefully placed cameras record PINs. With this information, a scammer has everything needed for an all-expenses-paid shopping trip on your dime, or, worse, to empty out your bank accounts.

Tip: Debit cards increase your exposure to fraud. Use a credit card. Credit cards offer better consumer protections, and often have better reward programs.

As Hunter S. Thompson wrote in Fear and Loathing in America, “Luck is a very thin wire between survival and disaster, and not many people can keep their balance on it.” If the present book persuades you of nothing else, let it convince you that everyone gets got. If you believe this, or you’ve already been the victim of an identity-related crime, my hope is that you’ll find what you are looking for here.

With very few outlier exceptions, we’ve all been swiped, scanned, digitized, filed, and disseminated to such a staggering extent that it’s impossible to know where our information is and who’s had access to it. Unless you live in a log cabin on Loon Lake and do all your business in cash or kind, you’re gettable. If you’ve ever seen a doctor, or if you’ve ever registered for classes at an institution of higher learning, you’re already in the crosshairs of countless identity snipers. If you’ve ever provided personal information via email, you may be in jeopardy. If you’ve ever swiped a credit card through a card reader, your chances of being given the gift that keeps on taking are only getting better. If you gave your ZIP code, email address, or telephone number at the cash register of any store you’ve ever shopped in, you’re a target. Every time you roll out of bed, you’re entering the identity theft lottery.

This book is for realists. It is not for people who remember every single retailer, medical provider, financial institution, or government agency that has ever collected, stored, and disseminated their personally identifiable information. If you’re anything like me, you have no idea where your data is, how (or even if) it’s being warehoused, or how long it will be there, wherever “there” happens to be. And, like me, you’re already a target. That’s the point. We all are.

Identity Theft Is a Growth Industry

According to Javelin Strategy and Research, the odds of getting scammed after a data breach in 2010 were one in nine. In 2014, Javelin found that the odds had increased to one in three.

When it comes to identity theft, cyberattacks, and successful hacks, the difference between us and the rest of the world is not terribly big, but it’s nonetheless a crucial one: We use common sense. We don’t think we are invincible, and we’re pretty sure that it’s only a matter of time before we get entangled in a cyberattack. In fact, we assume something is going to go terribly wrong, and we’ve made it our habit to look for it. The fact that we’ve swiped our credit cards, debit cards, identity cards, and work badges means we’re vulnerable to having our personal information swiped and used for all kinds of things. There is one thing that separates us from those who hope that they’ll somehow slip the noose of identity theft because, for some magical reason, it will never happen to them: We approach our personal information and the threat of identity theft in a spirit of preparedness. We are as ready as anyone can be for the worst that can (and most likely will) come our way.

Are You Sure No One’s Listening?

Before the Internet of Things (IoT), the bad guys had to break into your house and hide a very expensive bug in order to spy on you. (Actually, the device was pretty cheap, but the cost of hiring the guys to do the bugging was noteworthy.) Today, there’s a Facebook app and other smartphone features that can do it all at the flick of a fingertip. Perhaps you get a more robust user experience, but at what cost?

The other day, a reporter asked me who’s to blame for the growing epidemic of identity-related tax fraud. I could have answered, “the bad guys”—the identity thieves who devote their days to hacking people’s accounts and putting their personal information to profitable use. Or I could have said it was the government, which is so overwhelmed by the information security problem that it can’t even keep the NSA safe from breaches, never mind the rest of us. But I chose a third answer.

“We’re all to blame,” I said. And I truly believe it. When it comes to any identity-related crime, the buck stops with you and me, because we’re the only ones who can know what’s what in time to stop from getting hurt, or at least to move quickly enough to contain the damage.

Breaches, and the identity theft that flows from them, have become the third certainty in life, right behind death and taxes. Your introduction to the fact that you got “got” can take many forms. It may be a call from a debt collector, or the flashing lights of a police car as you are pulled over for missing a stop sign, only to find yourself handcuffed and cooling your heels in jail because someone stole your identity and used it in the commission of a crime. Whatever it is, you’re far better off if you can see it coming.

This is one reason the face-saving tactics of hacked companies can be dangerous. Consider the case of Anthem, the second largest healthcare insurer in the United States. Hackers broke into their system in 2014, and accessed unencrypted databases containing the sensitive personal information of some 80 million current and former policyholders and employees. When that happened, tens of millions of people were automatically flung into harm’s way.

Oh Baby, Oh Baby

Baby monitors have been hacked and turned into infant-heckling devices, with new parents running into their baby’s room to find a stranger yelling obscenities because no one reset a default password setting.

The popular theory of that attack was that the Chinese government was behind it, and they weren’t looking for personally identifiable information, but rather trade secrets. The theory was that China wanted to set up a similar health insurance program for its citizens, and hacking Anthem was both cheaper and faster than hiring top health insurance executives to create a plan from scratch.

Now, before you breathe that sigh of relief, reflect upon the fact that this doesn’t mean your information is safe. Frankly, the less the Chinese government thinks of its value, the worse it is for you, because they have absolutely no incentive to protect it and quite a bit to gain by finding someone to fence it once they mine the information they need. Doubtless, someone will see the value in 80 million “fullz,” the term of art in identity theft circles for all the personally identifiable information needed to scam someone.

The Anthem breach revealed a more profound problem, too, and even the people who are supposed to know the score don’t seem to understand it. This was painfully obvious when Anthem’s CEO pointed to the hackers’ failure to get health records, credit card numbers, or financial data in the breach. While it’s clear he was trying to cast the best possible light on a nightmare scenario, he couldn’t have been more incorrect about the gravity of the situation. The information that the hackers got was a very big deal. Those fullz included names, physical and email addresses, birthdates, medical IDs, phone numbers, and employment information—a treasure trove for the cyberpirates of identity theft.

One of the many reasons that the identity theft epidemic keeps getting worse is a lack of public knowledge. It’s telling that the leader of a huge organization like Anthem did not understand the seriousness of so many email addresses being exposed. This kind of ignorance would be shocking if it weren’t for the fact that we see it every day in the news and in enterprise communications. What is shocking is that Anthem’s CEO made these comments even while knowing that another piece of his clients’ information was stolen, an even more important piece—Social Security numbers.

Often what’s lacking in the aftermath of these breaches is a calm voice delivering the bad news. So here it is: With your Social Security number in the wind, whoever finds it—or, more likely, whoever buys it on one of the many black-market information exchanges on the deep web—holds the keys to every part of your life. What that means—plain and simple—is that you’re going to need an efficient way to keep one eye over your shoulder, all the time.

Email Is Better than Explosives

One of the biggest bank heist operations in history—in which over a billion dollars may have been stolen in more than thirty countries—was perpetrated by the Carbanak gang with a simple spearphishing scheme.

They gained access to bank computers and learned how they worked. Then they took a withdrawal from the vaults. No dynamite needed.

While Anthem got out in front of the breach faster than any of the larger companies breached in recent years, they were far from perfect. Congressional committees have correctly noted that Anthem took more than a month to notify the members who were on the breached databases. While they should be commended for the speed of their public disclosure, they did an abysmal job of explaining what was at stake, why the breach mattered, and how it could affect individuals. In other words, when it came time to let their customers know what it all meant—that their personally identifiable information was a commodity that would most likely be sold to a crime ring or lone criminal who would use it to defraud them—Anthem was a no-show. Whether or not that was a public relations move, I cannot say, but it definitely wasn’t solution-minded.

Here’s what Anthem should have said: Everything a criminal might need to obtain medical treatment, devices, or medications in an Anthem customer’s name—tainting their medical files with information that could lead a doctor to choose the wrong treatment or even make deadly decisions—was out there in the world for anyone to abuse. Every single person whose PII was leaked in the Anthem breach is a single act of fraud away from having a medical file become a murder weapon.

Death by Medical Identity Theft

Whether healthcare fraud is committed to get lifesaving treatment, cosmetic surgery, or medicine for erectile dysfunction, there’s a good chance the “fake you” isn’t your blood type. Or maybe they can take penicillin, but you’re allergic to it. When your medical file gets comingled with someone else’s, the results can be deadly.

Just as easily, fraudulent tax returns (using their name, date of birth, Social Security number, and a fake W-2) can divert refunds to a scammer. Anyone can obtain personal loans, credit cards, and mortgages using an Anthem customer’s credit profile, accessed with information compromised in the breach; the same data could be used to obtain fake papers for undocumented workers to get jobs, with the income being reported to federal and state tax authorities under a breach victim’s Social Security number. The children of breach victims were exposed as well—their identities are now vulnerable. The list of crimes that can be committed while leaving a trail of breadcrumbs back to a breach victim is endless.


$5.8 billion was stolen through fraudulent returns in 2014. The IRS estimates tax fraud will increase to $21 billion by 2016.


Seemingly every aspect of our lives has been affected. The same week that the Anthem attack made headlines, the software giant Intuit shut down the state tax filing option on TurboTax for almost a day after detecting a large number of fraudulent filings. There was fallout all over the country. In Minnesota, no TurboTax e-filings were accepted. Both Alabama and Utah took a mellower approach, issuing taxpayer warnings. The state of Vermont stopped all refunds. And here’s the kicker: There wasn’t even a breach, at least that we are aware of. A stampede of identity thieves started e-filing with other people’s information, attempting to divert millions of dollars in refunds, and the only way to stop them was to shut down TurboTax. Whoever was behind the attack was using the kind of information that was leaked in the Anthem breach and countless other compromises over the past decade. First, the good news. All affected parties did a good job, or at least better than we might have expected a few years ago. They saw something was amiss, and they took action—although they were criticized for moving too slowly, and there are allegations that they knowingly allowed bad returns to flow through to the IRS.

It may sound implausible that so many fraudulent tax forms could be arriving without a single breach, but it isn’t. There is no way to visualize how much data has been stolen. I can’t tell you how many times I’ve watched people’s jaws drop when I tell them that the black market information exchange has operations that are so organized that a criminal can call a help line for technical support or to request a refund.

A staggering amount of data liberated by breaches, scams, social network oversharing, and individual compromise has been aggregated, and those blocks of identity-rich information are for sale every day. Tax fraud is just one manifestation of that reality. Almost any ill-gotten gain can be had with the right combination of sensitive information and bravado.

We’re all at risk because we are still in the Wild West days of electronic personal information and commerce. The fact that organizations don’t encrypt the PII they gather and store is inexcusable. It’s a serious problem when a sitting governor, South Carolina’s Nikki Haley, can say, “A lot of banks don’t encrypt. It’s very complicated. It’s very cumbersome. There’s a lot of numbers involved with it.” It’s the sort of attitude that explains her government’s failure to encrypt a breached database containing the tax information of every citizen in her state. But the “encryption is hard” dog just doesn’t hunt when it comes to public perception of the problem these days. Of course, South Carolina is not alone. A recent Government Accountability Office report confirms that a significant percentage of federal agencies are not secure. Too many businesses and institutions have yet to harden their defenses or encrypt their data, even after they have suffered a breach. Given all this, consumers are starting to understand that we are on our own—and how scary that can be.

At a March 2015 event in Washington, DC, sponsored by the Identity Theft Resource Center, keynoter Terrell McSweeny, one of five members of the Federal Trade Commission, said in reference to a 2014 Gallup poll, “Americans were more concerned about ID theft than violent crime, natural disasters, or terrorism. 69 percent of Americans said they were very concerned about the safety of their credit cards, and 62 percent had similar worries about their smart phones and computers.”

We live in a very connected world where convenience increasingly trumps security—often in the name of innovation and whizbang. We’ve also learned the hard way that no system is more secure than its weakest link, and humans are almost always the weakest link. Bad practices and lousy data hygiene are about as common as flies in a feedlot on a hot summer day. There is no segment of the connected world that isn’t complicit in the problem. When the Ponemon Institute conducted a survey of nearly one hundred medical providers in early 2014, 88 percent said that they allowed doctors and other medical professionals to connect personal devices to their secure systems, even though those personal smartphones and laptops could contain all manner of viruses or malware. Of all the people who might grok the concept of contagion, you’d think doctors might. But the report suggests that most had no issue with healthcare professionals connecting their who-knows-where-they’ve-been computers to a secure system. More than 50 percent of respondents said that this practice raised serious security concerns, but only 38 percent said they were planning to do anything about it.


In the open market of personally identifiable information and bad enterprise privacy practices, only you can know if you’re all right.


One might hope that Congress would be taking some action to solve this problem. At least three administrations and scores of federal legislators have talked about doing something meaningful in the areas of privacy, cybersecurity, and identity theft, yet we don’t have much to show for it. More recently, through an executive order and a State of the Union address, President Obama put those issues squarely into the spotlight.

For now, we have to accept the bipartisan talking point that, as I’ve put it on various occasions, “we are seeing momentum” toward a solution to the identity theft problem. But lest we forget, we are also seeing countless data breaches and identity thefts, which is where you come into the picture. If you don’t get what I’m saying here, stand in front of a mirror. There’s the enemy. Swiping doesn’t happen to you. You swipe your own information all the time. You’re in a system that runs on information, and no amount of wishful thinking or semantics is going to extricate you. No one is blameless here. If you’re unclear on where you’re “going wrong,” think about it in different terms. We all need to take responsibility for the attackable surface, or vulnerability, of our personal information and our areas of exposure. Depending on what we do, and how we do it, those areas become bigger or smaller targets.

Here’s a thumbnail. We expose our most sensitive personal information any time we

In each of these instances, we leave ourselves vulnerable to those who consider the theft of our identity as their day job. In the big picture, worst-case scenario, we may even be contributing our personal data to state-sponsored hackers or hacktivists planning the equivalent of a “denial of service” attack on our economy, for instance by freezing everyone’s bank accounts at the same time.

The bottom line is that we’re all in this together. In this ever-evolving, connected world, it’s impossible to duck, bob, or weave your way past the bad guys. Even proactive measures to protect your identity like monitoring your credit regularly, setting up transaction alerts, or freezing your credit are no guarantee that your identity won’t be stolen or used in a way that won’t show up on your credit report right away, or in some instances won’t be at all apparent, such as medical identity theft. But the more you know and monitor, and the more you get out in front of the possibility that you may have or will become the victim of a fraudster, the quicker things will get back to normal for you when your information is used.

It should go without saying that governments and businesses should have to protect our PII by law, and if they fail to do their duty, they should be held accountable. That said, each of us has a responsibility to minimize our risk of exposure, to be as alert as possible to signs of an identity-related problem, and to have a damage-control program to put ourselves back together in the event we are compromised.