A few years ago I noticed a charge on my credit card that didn't belong there.
While I was on a work trip in San Diego someone used my credit card number to buy two airline tickets from San Diego to Chicago in names I didn't recognize. I called the credit card company and it credited my account. Someone at a restaurant had stolen my credit card number when I paid my bill.
Then earlier this year someone broke into my apartment building's mailboxes, probably looking for checks, credit card offers, and bank statements. Fortunately, I had already picked up my mail. But who knows if I've been a target of dumpster diving, where someone rifles through the trash or recycling.
Although identity theft overall has declined over the past few years, everyone is at risk of having personal information stolen. But there are steps people can take to keep their sensitive data private.
"Getting a cheap cross-cut shredder is one of the most important things someone can do to protect against identity theft, and also making sure the mailbox is secure," says Paul Kocher, president of Cryptography Research.
Criminals may be buying credit card numbers over the Internet, but more often they are using machines called "skimmers," which are fake faceplates for ATMs that steal credit card data when the card is swiped. And the old-fashioned theft of a customer's credit card number by a waiter or store employee still happens all the time.
"Why do you think grocery stores put credit card processing machines on the customer side of the counter?" says Jay Foley, executive director of the Identity Theft Resource Center (ITRC), a nonprofit created to help victims of identity fraud, including individuals and merchants. "They don't want to be responsible for their employees handling your card."
These are traditional identity fraud scams. Computers and the Internet have opened up even more avenues for stealing people's personal information. Recent data breaches have been attributed to stolen laptops, missing backup storage tapes, and employee records stolen from an outsourcing company. Other data breaches have been traced to employees sharing customer data with outsiders, workers using peer-to-peer networks, malware intercepting grocery store checkout credit card transactions, and hackers breaking into an ATM network.
Phishing scams, where victims are tricked into providing their passwords and other sensitive information, are commonplace. These include e-mails that look like they come from your bank, eBay, or PayPal and ask you to confirm your information. Phishers also are posting fake job listings and stealing applicants' information.
There also are Web sites with prices that are too good to be true that will take your credit card information and disappear.
Number of reported breaches higher
Data breaches in the first three months of this year potentially affected more than 8 million Americans, according to the ITRC. Just because the data was exposed to the outside world doesn't mean that it was used in a crime or that identity fraud was committed. The 2008 ITRC Breach Report (PDF) for the first three months of the year shows 167 reported breaches, which represents more than one third of the total number for 2007 and is more than double the number reported in the first quarter of last year.
In 2007, between 9 million and 15 million people were victims of identity fraud, according to Foley of the ITRC. According to Javelin Strategy & Research, the total number of victims in the U.S. has decreased from 10.1 million in 2003 to 8.4 million last year.
In a recently released ITRC survey of people who were victims of identity fraud (PDF), more than half said their personal information had been used to open a new line of credit in their name. About one third said the fraud was committed by someone the victim knew (such as a friend, family member, or former spouse), and 14 percent said their wallet or personal digital assistant had been lost or stolen. Meanwhile, fraud due to mail theft and car or home burglaries has dropped over the past three years, the survey found.
A separate study from Javelin Strategy & Research found that the share of ID theft in which fraudsters used mail or the telephone to reach victims rose from 3 percent in 2006 to 40 percent last year.
For example, beware the phone call informing you that you won the lottery but need to wire money to receive the winnings, as well as the call about a missed jury duty appointment, asking for your personal information to schedule another date.
Identity thieves are particularly aggressive in preying on the elderly, who may be easy to confuse and intimidate. A 78-year-old relative of mine recently received a phone call from someone claiming to be from Medicare saying that he needed her Social Security number to give her a new ID number. Savvy enough to know better, she declined and finally hung up when the caller began screaming at her, saying she would lose her benefits if she did not provide the information.
Cost per consumer up
Meanwhile, wireless phone accounts were found by Javelin to be the most frequent type of new account opened by criminals using other people's data. That study also found that overall identity fraud has declined in the past three years, but the cost per consumer has risen to about $690 on average, an increase of 25 percent over the $554 recorded in 2006.
In addition to the expense and time lost following identity fraud (it can take up to several years to just uncover the crime), there are longer-term impacts on victims. For example, victims have reported that their insurance and credit card rates jumped after the crime, criminal records weren't cleared, collection agencies continued to call, and credit cards were cancelled. Some also say they were unable to get a job and some had trouble landing housing as a result of the identity theft, according to the ITRC survey.
While mortgage fraud is up--176 percent in 2007 from the year before, according to the FBI's 2007 Mortgage Fraud Report--bank and credit card fraud remain the biggest problems. With access to someone's bank account number and routing number, both of which are printed on checks, someone can easily transfer money and make purchases, says Matt Shanahan, senior vice president of AdmitOne Security.
Fraudsters are also taking advantage of weak authorization in other systems, such as those of telephone companies, transferring phone numbers to a new address so that when a bank or other company calls the number to verify a transaction the criminal can answer the phone and approve it, Shanahan said.
Criminals change billing addresses on credit cards so the victim won't be alerted to fraudulent charges. They also open bank accounts and write bad checks in someone else's name, make counterfeit checks and credit cards, take auto loans in someone else's name and give another name during an arrest, according to a Federal Trade Commission report on identity theft that includes information on what to do when your identity is stolen.
"People used to wash the ink off an old check. Now they just scan the routing and account number into a computer, buy blank checks at Staples, and mass-produce (fake) checks," said Foley.
From credit cards to debit cards
Foley predicted that credit card fraud will taper off as more companies install analytics software that raises alarms at suspicious activity, for instance if the card is used to buy gas in Topeka, Kansas, and a few hours later to make a purchase in New York City.
"The downside is the identity thieves will be going after debit cards instead" because they don't require a personal identification number to use them for credit transactions, Foley says. This is bad for consumers because, while they aren't liable for more than $50 with credit card fraud, they can be liable for much more than that if their debit card is fraudulently used.
Foley's tips to thwart identity thieves include:
Never give out information over the phone.
Don't keep your Social Security number in your wallet.
Shred everything before disposing of it.
Be skeptical. If someone asks for your personal information, find out who gets it, why they need it, what steps will be taken to protect it, and how they will dispose of it when they are done with it. If you don't get an adequate answer to all of those questions, don't give your information out.
Web surfers should also choose strong passwords, keep their passwords secret, and use antivirus and other security software to keep thieves out of their computer.
The ITRC has a comprehensive list of specific identity fraud-related scams, as well as a helpful checkoff list if your wallet or personal digital assistant has been lost or stolen.
While the FTC is telling citizens to be careful giving out their Social Security numbers, some government agencies are printing them on identity and insurance cards and encouraging people to carry the cards in their wallets and write the number on checks.
Government and corporate practices may be lax, but consumers should do whatever they can to safeguard their data and keep their Social Security numbers as secret as they can, Foley said. And employers shouldn't be asking for Social Security numbers until after they've interviewed job candidates or they could be liable for any exposure of that data, he said.
As for medical purposes, Foley said, "The doctor only needs the Social Security number for one reason--to fill out the death certificate if you die in his care."