GetSafenSecure.com - Password Protect Your Files & Folders

From Javelin Strategy:

We are not saying (online access and data breaches) are not significant factors,” said James Van Dyke, Javelin’s president and founder. “But the point is that it has really been overblown. I think it is to the detriment of consumers to focus exclusively on these electronic methods of communication. Criminal don’t have a (bias) toward technology. They will use any channel that works.”

My first thought is to ask what does the empirical data say? Let's see what our tax dollars bought us. I opened my copy of the FTC 2006 Identity Theft Survey Report (yes, that's the most recent). See the chart (click for full-size). 56% of respondents did not know how data was taken. For the remaining 44% here's the breakdown as I see it

• Offline: 16% know thief personally, 5% from wallet, 2% from the mail
• Online: 1% Hacking into computer, 1% Phishing.
• Unsure: 7% Some other way, 7% purchase or other transaction*, company that had information 5%*.

* These two categories are questionable, as it's difficult to determine exactly what is meant.

As you can see, the data is difficult to categorize. But it's pretty clear that offline is simply more prevalent than pure online. However, you could argue that there are vast numbers of online thefts that go unreported and so fall under the "don't now how info was taken" 56%. I certainly think the data backs up Javelin's assertion that one shouldn't blow the online threat out of proportion. From personal experience, offline is what has nailed me on more than one occasion.

Take away: protect yourself offline

1. Protect your mailbox: lock it or stop account statements, pre-approved offers and "convenience" checks
2. Protect your personal belongings: remove unnecessary items from wallet/purse, lock away your check book, protect sensitive documents at home (anything with SSN or account numbers).

Frankly, most people don't go to these lengths.

Truston has been named one of the 2008 10 Companies to Watch by the Pacific Coast Business Times. 

This was part of the Business Times' annual awards program called the 101 One Hundred Awards. The 10 Companies to Watch were selected because they are the fastest growing and most innovative start-up companies in California's Central Coast--covering Ventura, Santa Barbara and San Luis Obispo counties.

This recognition comes on the heels of being named a 2008 Hot Company and receiving a technology award from the Info Security Products Guide.

See the Truston press release.

ITRC points out that the Department of Defense will finally begin blocking out Social Security numbers on military ID's, dog tags, clothing and military records. About time don't you think? Just imagine the number of cards, documents, and more that have full SSN's on them, putting every military member at serious risk of identity theft.

More from the Leaf-Chronicle:

According to an American Forces Press Service report, military IDs will soon be reconfigured without the cardholder's full Social Security number.

The plan, the report said, is to remove the numbers from ID cards issued to family members by the end of the year, but the sponsor's number would still be displayed for now. Between 2009 and 2010, all department-issued identification cards will feature only the last four digits of a cardholder's Social Security number, the report stated.

One common tip I have heard is that you should not sign the back of your credit cards or write something in its place asking that ID be checked. What should you do? Well, the right question to me is "Is this an effective fraud deterrent?" Frankly, it doesn't do much. While existing credit card fraud (unauthorized charges on a bona fide account) is a serious issue, you are afforded the most protections by law, as long as you are diligent in checking your account statements.

You may hear people, who write "check ID" in place of their signature on a credit card, raising a stink that cashiers so rarely look and request ID. While strictly speaking these businesses are violating their merchant agreements with the payment card processors (i.e. Visa, Mastercard), let's be practical. I don't think this is a gigantic scandal we need to focus on. There are far bigger fish to fry. Do you really expect MacDonald's to get in people's faces over a $2 purchase?

Recently, Lifehacker had a post on this topic with quite a few comments (with a lot of misinformation and poor advice in the comments). Some people make the point that signing your credit card makes it easy for a thief that steals your card to forge your signature. That's silly -- criminals don't use stolen cards to get your signature. They steal cards to use them ASAP and then get rid of them. Besides, you are required to have a signed credit card according to payment card industry rules. Here is an excerpt right from Visa merchant rules:

While checking card security features, you should also make sure that the card
is signed. An unsigned card is considered invalid and should not be accepted. If a
customer gives you an unsigned card, the following steps must be taken:

• Check the cardholder’s ID. Ask the cardholder for some form of official
government identification, such as a driver’s license or passport. Where
permissible by law, the ID serial number and expiration date should be
written on the sales receipt before you complete the transaction.

• Ask the customer to sign the card. The card should be signed within your
full view, and the signature checked against the customer’s signature on the
ID. A refusal to sign means the card is still invalid and cannot be accepted.
Ask the customer for another signed Visa card.

• Compare the signature on the card to the signature on the ID.
If the cardholder refuses to sign the card, and you accept it, you may end up with
financial liability for the transaction should the cardholder later dispute the charge.

Moreover, Visa goes into even more detail about those who write "See ID" or something similar in place of a signature. Here are guidelines from Visa about this and when merchants should be asking for ID:

“See ID”:

Some customers write “See ID” or “Ask for ID” in the signature panel, thinking
that this is a deterrent against fraud or forgery; that is, if their signature is not on
the card, a fraudster will not be able to forge it. In reality, criminals don’t take the
time to practice signatures: they use cards as quickly as possible after a theft and
prior to the accounts being blocked. They are actually counting on you not to look
at the back of the card and compare signatures—they may even have access to
counterfeit identification with a signature in their own handwriting.

See ID” or “Ask for ID” is not a valid substitute for a signature. The customer
must sign the card in your presence, as stated above.

Requesting Cardholder ID

When should you ask a cardholder for an official government ID? Although Visa
rules do not preclude merchants from asking for cardholder ID, merchants
cannot make an ID a condition of acceptance. Therefore, merchants cannot
refuse to complete a purchase transaction because a cardholder refuses to
provide ID. Visa believes merchants should not ask for ID as part of their
regular card acceptance procedures. Laws in several states also make it illegal
for merchants to write a cardholder’s personal information, such as an address or
phone number, on a sales receipt.

If you are suspicious about the transaction or feel you need additional information
to insure the identity of the cardholder, make a Code 10 call.

Take away: stop trying to be clever. Sign your credit or debit cards. There are many other more effective means to reduce fraud.

The misconception that fraud alerts by law require that you be contacted continues on unabated. In fact, a fraud alert is just words on your credit report. Can it be effective in some cases? Yes. Are fraud alerts some kind of "system" that connects lenders and the credit reporting companies together in some automated fashion to protect consumers? No.

It is dismaying that even leading experts like Javelin Strategy & Research make significant errors that perpetuate the misunderstandings about fraud alerts. In their research report entitled "Identity Fraud Protection Services: Double Digit Growth to Continue", they write on page 8 about fraud alerts: "Requires lenders and merchants to confirm an applicant's identity to open a new line of credit." (my emphasis). This is not accurate. There is no law, either federal or state, that requires any lender, bank, credit card issuer, or merchant to pay heed to a fraud alert. Do some of these companies pull a credit report and check to see if the individual has reported fraud (or suspected fraud)? Yes. Is it compulsory? Absolutely not.

Update: Are fraud alerts a good idea of you are a victim of identity theft? Yes, depending on what has happened (i.e., if your personal credit or Social Security number were compromised). Can fraud alerts help you detect identity theft fraud if you use them as a prevention tool? Yes, they may help (however, they don't always work and only help with credit-related identity fraud). This is why you get fraud alert assistance as part of our MyTruston Plus package, along with several other tools to help prevent/detect ID theft (and recover afterwards). Fraud alerts are a nice option to have, yet their effectiveness is overrated.

Update 2: Luke at Javelin (and Mary in the comments below) pointed out to me that in their report, page 19, Figure 11, in reference to the "Fraud Alerts" type of services, Javelin says "Eager lenders may not always verify the applicant's identity before granting credit." This is accurate. I'd like to expand on that: lenders may even check the identity, pull a credit report and still not see the fraud alert (or ignore it).

Attrition.org, a non-profit hobby site, has shuttered its news service. They had become one of the "go to" information sources on security and data breaches. Here is an excerpt of their explanation for the shut down (although they leave the door open for occasionally posting news):

In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren't familiar with Attrition, we're a non-profit hobby site that takes on "projects" as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don't take kindly to being dealt with unfairly. Commercial entities, including "identity-theft prevention" upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don't pimp our resources to others; they come to us. Unfortunately, more often than not, they won't even send us a "thank you".

I can't blame them. Although we at Truston have never contacted them, or used their information to sell product, I can understand their position. I thank them for their unpaid dedication and service to the industry and consumers. I've been reading their site for a few years now and appreciate what they have done. Thank you guys.