From a thief's standpoint, it is relatively easy to impersonate your online identity and assume your financial standing. Using your identity, a thief can open a line of credit under your name and go on a shopping spree, leaving you with all of the responsibility until you rectify the problem. As more and more of our personal information gets warehoused online, protecting information against theft is a continuing challenge on both sides of the fence, for customers and financial institutions alike. Just recently, an IRS employee stole $70,000 from the government using the identities of a few taxpayers and went on a 2-year-long spending spree.
New online security measures now exist that make it very difficult to assume a person’s digital identity, but each institution that hosts online services for its customers needs to implement them. I touch on this at the end of this article. On the one hand, institutions want to, and do, respond to threats after the fact pretty well. On the other hand, real security is about preventing attacks in the first place. Most well-established financial institutions are large behemoths and do not like change. Many will most likely play the “wait and see” game to assess which of these security measures becomes a standard. While outdated security implementations exist (which become weak points of attack over time), thieves are taking advantage of the situation while they can. This is where Identity Theft Protection (ITP) Services come in.
On the surface, ITP services like Lifelock seem to act as an intermediary that aims to preemptively protect against theft of personal information, and respond to suspicious activity at the source, usually a bank or financial institution. Personal information like your name, address, mobile number, social security number, and birth date can be stored with these third parties. The information is used by financial institutions to provide you with corresponding services. This is why these institutions are often under attack.
At $120 a year, ITP Services use these online systems (already accessible to the public) and further automate them to provide you with regular updates under one account controlled by the ITP service. The idea is that the ITP service acts on your behalf, interacting with your bank, or financial institution, to correct personal information inaccuracies, or act on an instance of fraud activity.
I have found that in the world of information security, there are business-minded people who use fear to profit from the uninformed, and there are security-minded people who try to educate. I definitely fall into the latter camp. I would rather people become better informed on how to protect their information than support a system that puts many of its customers in the passenger seat of information security.
On the other hand, information security can be complex, especially if you have multiple accounts with multiple financial institutions. Due to your financial solvency, if you are finding that your information is constantly being compromised, or that you might be a good target for an attacker, it might be worth it for you to pay an ITP service to help you protect your identity. The drawback is that you have to trust another third party (and its employees) with all of your personal identifying information. This could be another angle of attack for some, but if you have already become accustomed to giving out your personal information to any service that asks for it, without question, or you are required to, then it might benefit you to have one more link in the chain work for you.
The Strong Points of ITP Services
ITP services attempt to be proactive by:
- Flagging all three credit bureaus with a fraud alert on a regular basis. This forces financial institutions to contact you personally before a line of credit gets opened in your name. This makes it harder for criminals to impersonate you.
- As a secondary benefit to the fraud alerts, these services may also collate important information about changes to your personal information from various sources in an account that you can view at a glance. This covers your current credit report, changes to your stored contact information, and any data-mining campaigns that you have been opted into, making it easier to opt out of any programs you have been opted into with or without your knowledge.
The Weak Points of ITP Services
- For the most part, ITP services seem slow to respond to real-time fraud activity.
- Due to ITP services’ dependence on outside automated systems, the information the service gathers can often contain inaccurate data. This requires a manual review by you, or the ITP service’s own staff, increasing the length of time it takes to act on a discrepancy.
My research has shown, based on the experience of customers that have tried and reviewed these services, that ITP services do not offer much beyond what financial services already offer except to babysit your accounts for you, however slowly. You can protect yourself by:
- Using 2FA (two-factor authentication) paired with an authenticator app using TOTP (Time-based One-Time Password) and/or a USB/NFC device that uses U2F (Universal 2nd Factor), wherever possible, for sites that support it. Replace text-based two-factor authentication with the above as soon as you can, and when you do, disable text-based two-factor on your account. If your smartphone gets compromised, text-messaging-based two-factor authentication can be easily circumvented, or redirected to an attacker's mobile by social engineering your mobile provider into swapping your mobile account to another SIM card. You can read more about how to secure your mobile phone and online accounts in my article “Protecting Your Smartphone From Being Hacked”.
- Using a web browser with some kind of scripting protection. I use Firefox with the NoScript add-on, but there is a Chrome noscript extension as well now. This prevents sites from using aggressive forms of tracking techniques to steal information (like Cross-Site Scripting (XSS) or Clickjacking). These add-ons/extensions help prevent your computer from leaking information about you, but they might also change your browsing experience in a way that prevents you from accessing certain areas of specific websites. Depending on the amount of scripting a site uses, many of these sites do not react well when scripting is disabled. In these cases, having scripting protection depends on your ability to white-list sites that you know are safe.
If you have been a victim of identity theft already, you can:
- Freeze your credit report.
- File an ID theft report with the Federal Trade Commission.
Being aware of exactly what, or how much, information about you is online, and closing out, or making an effort to remove, information you do not want online. If you want to see how much of your personal info is available online, you can pay a site such as Radaris, Advanced Background Checks, or Public Records Now to search out what is available about you. Please note these sites are not exactly legal and they may disappear and reappear under different names, at will.
Developing a mindset of data protection at all times. Always resist attempts to put your information in a computer system. Don’t let your dentist have your SSN without a fight. Don’t let them have your real birthday without asking why they need it and asking if it’s required, or more importantly: “By what authority are you obligating me to provide YOU with this information?” Obviously this is going to slow down your intake process and you might get denied service by some providers. If a service requires too much personally identifiable information from you that can be used in a way to steal your identity, is it really worth it to use that service?
Activating a fraud alert by contacting (by phone or online) one of the major credit bureaus. (There is no need to contact all three, as they are required to communicate fraud alerts with each other. Remember to renew the fraud alert every 90 days.)
These three major credit bureaus are required to provide you with a free credit report once a year; apply for a report using the respective bureaus' websites.
This article was created with the intent of educating my customers who have had questions about ITP services. I have been working in the computer industry for over 20 years, educating the public about best practices with information security. Contact me when you have questions about any computer or information-related services.
I am not liable, or responsible for any result derived from any action you take on behalf of what you read in this update.