You've heard stories, received warnings, or maybe you know someone who it's happened to. But do you really know as much as you should about identity theft? Are you sure you're doing as much as you can to keep your information safe?
On this episode of Industry Focus: Financials, analyst Gaby Lapera talks to Fool techies Sam Davidson and Tyler Reber about research and experience with identity theft -- what information identity thieves are looking for, online security and encryption, making a solid password, RFID safety, and, if worst comes to worst, what you need to do if your information is stolen.
A transcript follows the video.
This podcast was recorded on Dec. 28, 2015.
Gaby Lapera: Hello everyone! Welcome to Industry Focus, financials edition. First I want to thank everyone who has written into the show in the last couple weeks. Not only did you end our email drought, but we also got some great book suggestions from you. We also got some questions and requests to cover certain topics on the show. Shout out to Levi Waddell in South Dakota, who suggested a show on business development companies. We'll be bringing in Jordan Wathen to do that show sometime in January, so be on the lookout.
In the studio with me today, I have Tyler Reber and Sam Davidson who are systems engineers and just excellent all-around people. My co-host, John Maxfield, had a little bit of an emergency today, so he couldn't join us. We were going to talk about Puerto Rico, but instead, we're going to talk about identity theft because Sam Davidson and Tyler Reber don't know anything about Puerto Rican bonds.
This topic was actually also suggested to us by one of our listeners whose name is Brad. Thanks, Brad! Apparently my story about getting all my information hacked during the OPM fiasco, I believe would be the correct word, really resonated with him, and he just wanted to hear some more about identity theft. This is a good idea for a show because apparently around 9 million Americans a year experience some form of identity theft. Here's how the show is going to work. We're going to talk about common ways of getting your identity stolen, things you can do to prevent that, and then what to do if it has been stolen. Get excited guys!
Tyler Reber: Woo! All right.
Sam Davidson: All right.
Davidson: We've talked about this before, sort of in cyber-security Tyler and I have both spoken a couple times about this. Essentially this is a difficult thing to prevent from happening from a security perspective on systems, but as a normal user, this is very simple. Some of the easiest things you can do are 1: don't ever give your information out. It sounds overly simple, but it's true. If somebody asks you for your social and it's not your mother, don't give it to them. They probably don't need it. Most places won't ask you for that. They just need your last 4. You should guard it like you do your own money. Watch out for emails asking you for information. Nobody should ever ask you over email.
Reber: The Social Security number is not the only thing you want to guard closely. Something that I've personally seen is people giving out information like their drivers license number. That is actually surprisingly tied to you as well. In fact, it's probably just as tied to you as your Social Security number in certain instances. Watch out with that one. Don't be overzealous in giving that out.
At the same time, don't be overzealous with giving your credit card information out to random people who may call you asking for it or in emails that you may get where they may ask you for that information. For instance, your credit card company will almost never certainly email you asking for your credit card information over email.
Lapera: Because they already have that. They are your credit card company.
Davidson: Not to spoil anybody's holidays, but guess what? Your rich uncle in Zimbabwe did not die and leave you a chest full of gold. I'm sorry. Exactly. My bad. I wish he did. He tried it with me. It didn't work.
Lapera: That's a really common tactic, and that's called phishing, with a ph-, just in case you're really curious and you want to go Google this later.
Reber: The best thing to do is if you ever get a request for your credit card company or from anyone you believe is tied to your credit card company asking you for credit card information, take your credit card out, look at the number on the back of it for the customer service department or your concierge, and call them up and ask them if they requested that information. They can then verify whether or not that came from them and if something has happened on your account that you need to talk to them about.
Lapera: Also on the theme of not giving out numbers that are important to you, don't give out your pin. Even if you're really, really drunk and you just want me to call up the pizza place and get you pizza, you don't know me. That happened to me last weekend.
Davidson: What Tyler alluded to is called PII, or personally identifiable information. This is one of those things, it's your date of birth, your full name, address, all that stuff allows people to get information on you and to call into a place to impersonate you. This is also critical information that you keep to yourself. Unless people need to know it, don't tell them.
Whenever you're out there online, as horrible as it is to say, assume that everything you're going to is trying to do something bad to you and play it safe.
Lapera: Absolutely, but there are some ways that while you're online you can make sure that you're giving your information to people who are legitimate. Do you want to talk a little bit about how you can tell on Safari and Chrome?
Davidson: Sure. In Safari and Chrome, if you look up at the top left-hand corner of your address bar, you're going to see the lock. In Chrome, it'll be bright green, and in Safari I think it's just gray?
Davidson: Whenever you see those locks, you're going to a site which has SSL or secure socket layer. That basically is a way to verify the identity of the site you're going to. You want to make sure that when you're browsing online, if you're going to one of these sites, that you are sure that it is where you want to go to. It's not "Amazon" missing the second "a," it's not something else, and they should always have that little lock. That little lock tells you that your communications back and forth between them are secure and that nobody can listen in between.
One of the common things people will do is put out ... if you go to a site and put in your credit card information and there's no little lock there, that information is essentially like you going into an open room and yelling it. It is not encrypted, so anybody sitting between you and that other end can get that information online in plain text and just read it, but if that lock's there, it goes in encrypted, so if they get something, it's just garbled.
Lapera: The other thing to look for if you happen not to see a lock is to see "https." The "s" stands for "secure." If there's no "s," it is not secure.
Lapera: Other things that you should not do, when you sell your laptop, make sure that you reformat the hard drive. Otherwise, all your information is on there, and whoever gets your laptop could use that also.
Reber: Not just your laptop. It's your laptop, your cell phone, pretty much any digital device that can contain or has in the past contained any identifying information. I actually wrote an article a number of years ago when I had my own technology blog about personal GPS units. Surprisingly enough, hey look, your personal address is in your GPS unit. You take that, you sell it on Amazon without clearing it first, that information can be recovered from your GPS.
Davidson: Correct, and when you sell your laptops too, there is an option on some of those to do a secure wipe. Whenever possible, you want to do a secure wipe. A single delete doesn't mean your files are gone. Your files are still there on the computer. All that actually does is delete part of a file name from your computer. The rest of the information is actually in there, so you actually want to do a format or a multiple format with overriding.
Lapera: If you don't understand anything that's going on, all the tech people in the world will really hate me, but go find your niece or your nephew or your son during the holidays and ask them to look at your computer for you. You can't see us right now, but all the tech people are cringing because I'm sure they've already had to fix a lot of computers over the holidays.
Also on the vein of personal information on your laptop, don't keep a file folder on your desktop or really anywhere on your computer that's labeled "passwords" with all your passwords actually in it. It's just a bad idea. Maybe if you're just super computer savvy and that file actually contains a virus or something and it's like a triple dot twist thing, that's fine, but otherwise, don't do that.
Davidson: Along the vein of passwords, there are a number of tools out there to help you with that. Password Safe--
Reber: Yep, Password Safe is good.
Davidson: --is great, and change your password often. I usually try to recommend people to change it every 3-6 months. If somebody happens to get part of this encrypted password or part of this chain, through various messages, they are able to decrypt that and find out what your password is. By changing your password every 3-6 months, generally it will prevent people who may have your password from doing that.
Lapera: Should you use the same password for every account that you have? Family members, I'm looking at you.
Davidson: No. And 123456789 is not a good password.
Lapera: Or the word "password."
Davidson: Or "password."
Lapera: Nope. Don't do it.
Davidson: These are commonly used passwords, and they're not just from the Spaceballs movie, for anyone who may be a fan. It's just bad practice.
Lapera: Other things that you should watch out for besides credit card scams or online stuff, people can straight up steal your wallet. Then they have all of your information, which is part of the reason you shouldn't carry your Social Security card in your wallet. Also, people can dumpster dive. Make sure that you shred letters that get credit cards or any kind of personal identifying information in there. Also, something that I saw recently, I have a co-worker who apparently his student ID is his social security number, so it's just printed right on there.
Reber: It's surprising the number of schools that I think probably have done that, at least now or in the past, and in fact the school that I went to did it when I first started there. They changed it within, I think, the first year that I was there. It's interesting.
Davidson: Pretty common.
Lapera: You can request a different one, and if they won't give it to you, just demand it. I don't know. Throw a fit.
Davidson: Blank it out on your thing.
Lapera: Tell them they're not being safe. Also don't put your Social Security number on checks. I haven't really seen this happen to anyone in their mid-20s but some older people do have their Social Security number on their checks. I'm not really 100% sure why, but take that off. No one needs to know that besides you and the government.
Davidson: One of the other things too, along the lines of wallets, is you see a lot of wallets right now that have RFID prevention on there, blocking on there. What this is for is some of the newer cards, access cards particularly, have RFID chips. These enable you wave your card next to something to either pay or get access to it. There are RFID scanners out there. Somebody can walk up to you and bump into you and essentially get the information out of the card without having to actually get the card out of your wallet or do anything like that. By putting them in a wallet that is RFID safe, it essentially negates that. Somebody can't just bump into you and grab that information.
Reber: What exactly do you mean for our listeners? What is RFID safe?
Davidson: RFID safe is essentially a radio frequency identifier. On some cards, there is a chip in there that gives access without actually having to swipe your card. So, RFID safe, you'll see them in ... what was the newest one? The TV commercial for the Aluma wallet. The Aluma wallets had those. You'll see other ones. It's a little mesh that's in there and it prevents people from walking by you and scanning.
Lapera: Yeah. The other thing you should try and do, I think most banks are pushing their customers to do this, is get a chip card, as opposed to one with just a magnetic strip. What happens is that's like a tiny little computer chip, and every time you have a transaction, it generates a new code for that transaction so people can't really steal the credit card's information off the chip because they can only generate one transaction off of it as opposed to a magnetic strip, whereas if they get the information off of that, they have all of your credit card's information, and they can use it over and over again.
The other thing is, when you are out and about online or in the real world, you should probably try and use your credit card for things, as opposed to your debit card. Your credit card often offers a lot better protection just in terms of if it gets stolen, they're more on top of any transactions that don't look like you. Also, it doesn't offer them the opportunity to completely drain your bank account in one go.
Lapera: So often theft resolution is a lot easier with a credit card than it is with a debit card. Things that you can do to prevent identity theft include monitoring your bank accounts online. If you don't have an online bank account, I really encourage you to go on there. You can see everything listed from your credit card, and requesting a free credit report from one of the 3 major credit agencies. You're entitled to a free report from each agency once a year. That's 3 free reports, so you can kind of space them out, or you can use a service like Credit Karma that does soft pulls on your credit whenever you want. I check mine once a month just to be sure. Then you know what your credit score is, and you can do things to improve that if it's terrible.
Reber: Credit Karma's been really great actually. It's a service that I use too.
Davidson: I use it as well. Huge fan.
Reber: They're really great with alerting you when new accounts have been listed. In fact, I just got an email this morning from them saying, "Hey, look. A new account has been listed on your credit report." So that's really great for keeping--
Davidson: I'm keeping that car, though.
Reber: --keeping track of when things happen against your credit that you should know about.
Davidson: Right, and a lot of the credit card companies now will also offer daily alerts, too. so if ... like I get an email every day from my credit card companies that tells me what charges have been made to there. It may seem a little spam-y during the holidays, but if something does happen and your credit card information gets stolen, this information can let you know, "Hey, I didn't charge $300 to that random store that's nowhere near me." It's good to know.
Lapera: I've been shocked by how good my credit card company is about notifying me about any kind of fraudulent activity. For whatever reason, it always seems to be in Laurel, Maryland, and they always seem to go to a liquor store. I guess I don't drink cheap vodka enough for them to think it's me. I'm so classy now, guys.
Davidson: There we go. Tito's all the way, right?
Lapera: Exactly. None of that Aristocrat. So if you are a victim of identity theft, you have to do the following things: contact the Federal Trade Commission. Contact the post office if you think the thief is somehow intercepting or tampering with your mail. That's a federal offense. Contact the Social Security Administration if you think you have your Social Security number stolen. Contact the IRS if you think they're going to do tax fraud with your stuff. Then contact the fraud units of the 3 major credit reporting agencies. They can help put a security freeze on your accounts so no one can open up any more credit cards or loans or anything in your name.
Then go into your local bank branch and talk to a representative. They will counsel you on what to do. You're likely going to have to freeze your accounts for at least a little while. If you use online or mobile banking, make sure you change your passwords. If you're worried that your machine itself may have been compromised, change your password somewhere else and try not to access your accounts from that computer for a little bit until you can get it looked at by someone who knows what they're doing.
Also, don't change it on a public computer. Go to a friend's house or something and use theirs, that you trust, unless you think they're the thief, then don't go to their house. In fact, while you're at it, you should just change the passwords on all the accounts you have. One of my really good friends here, she was also a victim of the OPM hack, and oddly enough, they managed to get her Facebook and Pinterest accounts. They hacked her Pinterest account. They wouldn't let her back in. She couldn't access her quilt patterns, and she was really sad.
Reber: Not Pinterest.
Lapera: Not Pinterest, anything but that. That's a good idea in general, especially with a lot of the new payment systems out there like Venmo, that uses your Facebook account to transfer information. If you think you've been hacked, go ahead and change all of your passwords. The other things that you can do if you're very, very motivated is you can use a virtual private network to browse online. I'm not going to go into that because it's complicated, but again, ask your tech family members how to set that up if you're really --
Davidson: Don't ask us. Don't do that.
Lapera: You look so grumpy. Or ask a computer expert and pay them. You know what? If you ask a family member, the very least you can do is buy them some beer or bake them cookies or something to show your appreciation because they don't really need to work on their off --
Davidson: Baking goes a long way.
Lapera: They don't need to work on their off hours, and they choose to help you anyway. It's not like you'd go to a dentist, and be like, "Can you pull my tooth for free, or can you just take a look in here?" That would be pretty rude. Anyway, the other thing you can do is make sure that your wireless network is secure. Put a password on there. Encrypt it if you really feel the need to. Don't just leave your ... one, people can just use your Wi-Fi in the apartment next door and seriously slow down your speeds while they watch Netflix and play online poker and, I don't know, upload huge files. I don't know what they're doing with your Wi-Fi, but you should definitely put a password on that.
Do you guys have anything to add?
Davidson: Not really. I think you covered it all there. Just make sure, if you happen to be the victim of identify theft, the biggest things you've got to remember from there is contact all your credit card companies, the credit reporting agencies, your bank. Let them know what's happened so you can stop anything else from happening, and absolutely change all your passwords.
Lapera: And, if you have trouble remembering your password, there's password applications that you can use to help you, or if you absolutely feel the need to have it written down somewhere, write it down on a physical piece of paper and then put it in a safe.
Lapera: Don't leave it on your computer.
Davidson: Don't put it on your keyboard.
Lapera: That drives me nuts. Anyway, happy holidays! I hope you didn't get your identity stolen over the holidays. I hope that that never happens to you, but if it does, you're now prepared. Thank you guys very much for listening!
As usual, people on the program may have interest in the stocks they talk about, and the Motley Fool may have recommendations for or against, so don't buy or sell stocks based solely on what you hear. Thanks for joining us. I hope you like this week's episode. Write to us at firstname.lastname@example.org. If you have any more suggestions for topics or if you want to tell me about your sad story about getting your identity stolen, I'll commiserate with you. Thanks and have a happy new year!