My identity was stolen in 2015. It started out with panic, I was away on a vacation and I still remember sitting in a car in the freezing cold for hours trying to stem the flow of what I thought would be my entire life’s savings gushing into the hands of an unknown virtual assailant.
That never happened.
But during this time I have learned a LOT, and thought it was time to relay some of that info, just to clear my head a bit, but also in the effort to spread the news.
The good news? Not much, but it is unlikely that a stolen identity will not come down to you forking over your hard-earned cash. As long as you keep notes and pay attention, fraud is fraud and you are indemnified against ownership.
But alas, I am getting ahead of myself, let’s look back a wee bit to see how I ever got to be so laissez-faire about the whole magilla.
After my breach I did my due diligence, what I was told. I signed up for a credit monitoring service (AllClearID) and returned to my life. Credit monitoring services are services that can see that you have activity in your credit account, that a new credit card has been applied for with your name or social and then notify you to see if it is indeed a valid credit account. What they cannot do is see a fraudulent account before it is created, only the credit agencies, TransUnion, Experian, and Equifax can see that, they are the holy trinity of really messed up credit creation in our world gone completely screwy on money.
I chose AllClearID because I was given a free year to their services due to a breach at my place of employment. They also have a partnership with TransUnion, the largest credit agency, which has come in handy over the years. But there are many credit monitoring services and you can read up on some of the differences here.
I also filed a police report and learned two very humbling things:
Midday, Tuesday, local police station and the middle-aged guy with a kid in a stroller standing next to me was doing the exact same thing, filing a police report for a cyber identity crime. The intaking officer said:
“This is what I do all day, this is the crime of the 21st century”
The other “wow” moment happened about two months after filing the report, when the case still had not been assigned to a detective (this was supposed to happen within two weeks). I called the Western Division of the LAPL, got through to the cyber crimes division and was told, very nicely and very apologetically, that they receive approximately six thousand reports a month in their division alone and are a little behind schedule on assigning detectives.
The transgressions continued, not huge amounts, (though they did nab $30,000 from Sears at one point. You start to see who gives easier credit or doles out the moola faster by noticing which credit companies the fraudsters keep going after). It seemed about once a month or so I would get an “alert” from AllClearID and lo and behold there would be a new credit account created using my identity in the form of name, DOB, SS#, latest address or two. We know it does not take a lot to open a credit account these days, they basically give you credit just by walking in the door.
I then was pointed towards a great article on a security website Krebs, about placing a security freeze on your credit agency accounts and how this is really the only way to safeguard against someone creating bad credit using your credentials. A security freeze is simply a block on your account that needs a ten-digit pin code that only you have in order to lift the freeze. So, say if you wanted to buy a car or get a new credit card, you would temporarily lift the freeze using the pin code and then re-instate the freeze after you were done. Sounds great, relatively easy to do online and is either free or ten bucks depending on what state you live in. Here are the freeze sites for TransUnion, Experian and Equifax.
OK, now I felt pretty cool. I was locked in and using the best info I had yet found, time to rest easy…
All was quiet for about seven months, then another alert from AllClearID popped up. Then another, and another. It was weird and confusing until I figured out that the fraudsters were doing exactly what I had been led to believe was impossible, they had the freeze lifted without the ten-digit pin code. How? Well, because what I now know deep in my heart is that there are minimally trained, minimally paid human beings sitting on the other end of the phone line and if you submit the required documents for having “lost” your pin code: driver’s license, Social Security Card and a utility bill (all forged), the agency would remove the freeze and you, the fraudster, are back in business.
Some people I tell the story to (I tell the story a lot while dealing with the numerous breaches) think it is a bit odd that the fraudsters would go through so much trouble and that it seemed a bit personal. It is pretty straightforward to purchase personal identity information online, here’s another Krebs article about that. So, I upped my game a bit. I happen to know a private investigator well and she was able (in like thirty minutes mind you) to locate the names and location of the fraudsters. Name, address, phone number, even their Facebook page. Of course I handed this info over to the police and of course I had dreams of going to their house and telling them to stop it, but in essence it really means nothing, the fraud continues on and on. (Remember the police are sifting through six thousand cases a month in my neighborhood).
About my fourth round of getting my credit reports back to normal (each round involves a lot of time on the phone and faxing) and ALWAYS asking, pleading, wondering, if there was ANYTHING I could do to stop this back and forth between me and the fraudsters? I finally got a slightly different response from a TransUnion supervisor one day (the largest agency by far). She suggested a secondary passphrase, one that is given verbally over the phone and supposedly trumps all other attempts to access my account. Supposedly NOTHING could be changed without this passphrase uttered from my very own lips. That sounded great. We implemented and for about the fifth time in two years I had some sense of security that the breaches would stop.
Because of the time it takes to do a lot of these things, I am not as methodical as I might be, I didn’t seize the moment and make the same secondary passphrase at Experian and Equifax. Guess what, the fraudsters just moved on to Experian and removed my security freeze and started cashing in once again.
I then went on to Experian and was told flat out, without a doubt, no question, that a secondary passphrase was not something that Experian has the ability to implement and that TransUnion may have their own system and bla, bla, bla.
I was about to give up and I thought, I would take one last crack at it, calling and asking for a supervisor (something I know from many years of customer service issues usually yields a better response) and after a very truncated version of the story you have been reading here, she said:
“Secondary passphrase? Sure we can do that”
So, the show goes on, I still have not dealt with Equifax, but I will, and it has been quiet on the fraudster front for a few months, so I feel it is working, but I have also given up on any sense of real security over this and instead have embraced it, made peace with my little fraudsters, like evil, yet dependent pets that need to be fed once in a while.
My shoe is off, my foot is cold.
I have a bird I like to hold.
My hat is old, my teeth are gold.
And now my story is all told.