Steps to take to prevent identity theft and related security concerns.
The 2005 Javelin Identity Fraud Survey Report
released by the Better Business Bureau and Javelin Strategy &
Research shows that despite growing fears about identity theft and
online fraud, identity theft remains primarily low-technology crime
today. Internet-related fraud problems are actually less severe,
less costly and not as widespread as previously thought.
According to the report, the most frequently cited
source of information used to commit fraud was a lost or stolen
checkbook, wallet or credit card, at 29%. Computer crimes accounted for
just 11.6% of all known-cause identity fraud in 2004. Of the computer
crime that was detected, about half stems from spyware, software the
computer user unknowingly installs.
In cases where the perpetrator of the information
was subsequently identified, a startling 50% of the violators were
known to the victim; 32% of offenders were reportedly a family member
of relative; another 18% were a friend, neighbor or in-home employee.
By contrast, only 24% of violators were complete strangers, and 13%
were employees of a company with access to the victim's personal
information.
Another study by the Identity Theft Resource Center
entitled Identity Theft: The Aftermath 2004, offered a similar picture.
According to this study, released on September 14, 39.4% of respondents
cited a friend or family member as the source of stolen information.
The study listed the mail as the second greatest source of stolen
information at 10.6%.
A number of studies, including the one by the
Identity Theft Resource Center (ITRC) and a 2003 Federal Trade
Commission study, indicate that identity theft is not evenly
distributed geographically. In ITRC's survey, 19% of the victims
resided in California. Florida (9%), Texas (6%) and New York (5%) also
exhibited high incidences of ID theft. Other oft-cited high-risk states
include Nevada, Colorado and Arizona.
It is also instructive to look at what the thieves
did with the information once they stole it. In the ITRC study, 66% of
victims reported that their stolen information had been used to open a
new credit account with their name, followed by purchasing new cell
phone service (28%), making charges to an existing credit card account
(27%), making charges over the internet (22%) and obtaining new phone
service (19%).
Both studies conclude that the vast majority of
identity theft is self-detected; that is, the victim is the first one
to discover it. ITRC indicates that 85% of victims found out in an
adverse manner, through a denial of credit, collection notice, etc.
Once advisors better understand the nature of the crime, some precautions become readily apparent:
Clients must be vigilant in protecting their
personal information. This includes the contents of their wallets
(driver's license, Social Security Card, Health Insurance ID), their
checkbooks and their credit card numbers.
Sad though it may be, the greatest single risk is
from somebody the victim knows. Therefore, one should not assume that
information in one's home or place of business is safe. It should be
secured at all times.
While all advisors and their clients are at risk,
those living in high-risk states should be particularly proactive.
Monitor your credit report regularly. Clients can
now obtain one free report per year from each of the big three credit
bureaus, but this is not enough. Ideally, reports should be monitored
quarterly.
Consider subscribing to a credit report monitoring
service. These services will notify you whenever someone requests
information about you or applies for credit under your name.
Clients should pay particular attention to unusual
credit-related activities, but they should also pay attention to
communications from cell phone companies, Internet companies and
traditional telephone companies, even if they do not maintain accounts
with those firms. Communications from such a firm may be an indication
of fraudulent activities.
As the ITRC notes, thieves find the mail a good
source of information. Avoid mailing checks or anything containing
personal information from home. Drop it at a secure location such as
the post office.
If your home mailbox is not secure, make sure your
mail is picked up promptly, or have it sent to a post office box.
Consumers can protect their financial data by
using updated spyware, virus and firewall protection software and by
not responding to bogus "phishing" e-mails that request personal data.
Additional prudent security measures include the following:
Never give out personal information over the phone unless you have initiated the call.
Do not use links contained in an e-mail to navigate to a financial institution's Web site.
Always enter the URL yourself, and always use a secure connection.
Use complex passwords (contains letters, numbers and symbols), and guard them wisely.
Shred financial statements and anything else containing confidential information before disposing of it.
One somewhat controversial recommendation of the
Better Business Bureau study is that clients replace paper statements
and checks with online statements and bill-paying services. Since this
particular study was supported in part by CheckFree, VISA and Wells
Fargo, one can question its objectivity; however, the recommendation is
not without merit. The ITRC study, as well as other independent
studies, has concluded that the mail is a rich source of information
for thieves. Financial statements, checks, credit card solicitations
and other incoming and outgoing mail may provide thieves with crucial
ID theft data.
After the mail is read it must be disposed of,
giving thieves another potential source of information. By contrast,
electronic documents and payments, if handled securely, could in fact
lower the chances of identity theft today.
One electronic service that all clients should be
taking advantage of, if available, is the credit card alert. Many
credit card companies, including Citibank and American Express, now
offer to automatically send electronic alerts by e-mail, voice mail
and/or text messages. Among the list of alerts available at various
providers are: daily, weekly or monthly spending reports; when monthly
charges exceed a user-defined limit; when spending nears credit limit;
and suspected irregular usage pattern alert.
While most identity theft today is low tech, there
is no guarantee that things will remain the same forever. Advisors and
their clients should consistently monitor computing practices to ensure
the safety of their data.
One commonly overlooked aspect of computer security
is the physical protection of the computer itself. Any computer or
server containing confidential records should be locked up in a safe
place so that a casual thief cannot easily make off with it. Password
protecting and/or encrypting sensitive files adds an addition layer of
protection against identity theft.
When a hard drive or other media containing personal
information is disposed of, all information should be removed. Deleting
files does not remove them from the hard drive; neither does standard
reformatting of the drive. A special disk-wiping program must be used
to ensure that data is not recoverable by an identity thief.
Spyware is definitely being used by cyberthieves as
a tool to steal personal information. Typically, a computer user will
download "free" software, and unbeknownst to them, also download a
dangerous spyware program along with it. This stealth program will
secretly transmit personal information to the thieves. The best way to
avoid spyware is to install one or more anti-spyware programs.
Microsoft offers a free beta version of their anti-spyware program
here:
www.microsoft.com/athome/security/spyware/software/default.mspx.
Webroot's Spy Sweeper and Sunbelt Software's
CounterSpy are popular and effective commercial products. For those who
favor an all-in-one security suite, we recommend ZoneAlarm Security
Suite 6.0, which includes a firewall, antivirus, antispam and
anti-spyware protection.
The other glaring security hole in many homes and
small offices is the wireless router. Today's entry-level routers can
be fairly secure if they are installed properly, but most are not. To
provide even the most minimal level of security, the default password
on routers must be changed, and the security settings must be enabled.
Many users fail to do this, making it easy for a thief with inexpensive
equipment to literally grab a user's information from the airwaves.
If all of this weren't enough to worry about, new
threats always are on the horizon. Have any of your clients asked you
about "spit" yet? Haven't yet heard of this emerging threat? The odds
are that you will be hearing about it soon. Wikipedia, the free online
encyclopedia, defines SPIT as SPAM Over Internet Telephony. This is the
VoIP (voice over internet protocol) equivalent of spam (unsolicited
e-mail). Imagine a high volume of unwanted voice ads showing up in your
voice mailbox. This is just one of the threats that face VoIP users if
proper security measures are not implemented.
Spit is an annoyance, but it is one of the less
dangerous threats users must deal with in the brave new world of VoIP.
I recently did a Web search for the terms "fraud" and "VoIP," and I
came across numerous articles outlining potential scams. One popular
scam targets the VoIP carrier, rather than the end user. Under this
type of scam, a third party contracts with a VoIP service for "bulk"
minutes, and then reroutes those calls to a high-cost service ($2 per
minute, or something like that). In the end, the VoIP carrier gets
caught holding the bag for a big bill. If a client of yours makes use
of a local VoIP service that gets scammed, or worse yet invests in one,
they could be subjected to a major inconvenience.
Another allegedly popular scam involves the
fraudulent rerouting of calls. For example, let's say someone could
hack into a VoIP service's software, and reroute calls from a
mail-order company to their own extension. The caller would place an
order, leaving their personal information-including credit card number.
Armed with the credit card information, the hacker could have a field
day. Furthermore, since the calls can be routed overseas, detection and
prevention can be difficult.
Is there a way to avoid these mishaps? Nothing is
foolproof, but some simple precautions can minimize the threat. The
easiest is to deal only with firms that have already implemented strict
security policies. Network security is a must, as is software that can
detect suspicious behavior, such as unusual calling patterns. If you
use a VoIP provider, make sure that you are satisfied with their
security policies. As a general rule, the larger firms have a lead here
over their smaller competitors.
Clearly, advisors and their clients must be vigilant
if they are to minimize the impact of identity theft and other
security-related crimes. It may be impossible to totally eliminate all
threats, but a good understanding of the nature of the crimes and the
points of greatest vulnerability can be extremely useful in developing
countermeasures. By following the suggestions in this article, readers
can go a long way to improving their defenses.
Joel P. Bruckenstein, publisher of Virtual Office News
(www.virtualofficenews.com) and an expert in applied technology for
financial services professionals, can be contacted at
[email protected].