Answer: You’ve pointed out another problem with using Social Security numbers as an all-purpose identifier. Federal and state laws require businesses that collect Social Security numbers to protect that information. But the fact remains that the more entities that have your number, the more vulnerable you may be to identity theft.

As an individual, you’re unlikely to change the IRS’ mind about the necessity of collecting this information. But when you’re asked for your Social Security or tax ID number, it’s fair to ask the requester how your information will be protected. That at least puts the requester on notice that you expect the laws regarding the safeguarding of personal information to be followed.

Answer: More than half the states have banned the use of Social Security numbers on health insurance cards, but those laws don’t apply to the federal Medicare program. Unless Congress acts to change the federal law, you’re stuck with having your Social Security number as your Medicare identifier.

The Privacy Rights Clearinghouse recommends you protect yourself from identity theft by making a copy of your Medicare card and using a black marker to cross out the last four digits of your Social Security number, or cutting out the last digits with scissors. Then you could carry that version of your card, so that if your wallet is stolen the thief doesn’t have access to your full number. You would still need to bring your original card the first time you visit any new healthcare provider, but you wouldn’t have to carry it with you all the time.

People need to be aware of anything funny-looking about the ATM or the door lock. If there’s a piece of plastic sticking above or below the door lock, don’t use it. Personally, I don’t use the ATM anymore. I go inside to a teller to get cash.

Answer: People can be remarkably trusting when it comes to using ATMs. Stand-alone ATMs may be phonies, designed just to take your bank card information and PINs. Even ATMs attached to banks can be compromised, as your experience shows.

Some security experts advise avoiding stand-alone ATMs, and all advise being cautious about using any cash-dispensing machine. Before sticking your card into one, you should grab the slot where your card goes in and see if you can move it. If you can, don’t use the machine. If you enter your card and PIN into an ATM and get any kind of error message, alert your bank immediately, as that can be a sign of a compromised machine.

You don’t have to avoid using ATMs, but they should be used with caution.

Answer: New Social Security numbers wouldn’t necessarily protect you from identity theft and could create additional complications.

Thieves might still be able to use your old numbers to establish new accounts, and those fraudulent accounts could show up in your credit reports. If for some reason the credit bureaus didn’t combine the records for your old and new numbers, then you could be left without any credit history at all, which could make getting future credit difficult.

The Identity Theft Resource Center, which advises victims and has a fact sheet on this issue (No. 113, available on its website at http://www.idtheftcenter.org), typically doesn’t recommend applying for new numbers. Instead, it suggests credit freezes, which prevent most lenders from viewing your credit reports or establishing new accounts without your consent.

Credit freezes aren’t foolproof, since some lenders don’t check with credit bureaus before opening accounts. Credit freezes also won’t prevent a thief from using your Social Security numbers to commit healthcare fraud or criminal identity theft (which is when a thief pretends to be you when he or she is arrested). Also, there may be fees involved with freezing and unfreezing your credit reports.

But credit freezes are probably your best defense at this point, before you’ve been victimized. You can learn more about credit freezes at the Consumers Union site, DefendYourDollars.org.

A few minutes later I got an email from American Express emblazoned “Fraud Protection Alert.” I called the toll free number and identified the attempted charges as legitimate. Then I called the main number to ask why the Girl Scouts was suddenly considered a risky operation.

The rep first tried to blame it on the fact that there were “multiple transactions,” but she had to back off when I pointed out there were only two, and that didn’t explain why the first charge was declined. When I asked her if there was a way to get American Express’ overly vigilant fraud protection software to back off a bit, she said no.

As I wrote in “Big Brother is helping you?“, these programs flag about 20 transactions for every one that’s truly bogus. It’s up to the card issuer to decide how and when to follow through. American Express has obviously set its bar pretty low, opting to inconvenience and possibly embarrass customers rather than risk a loss.

A surprising number of people tell me they appreciate these alerts and blocked transactions. They feel like the card issuers are looking out for them. But the card issuers are really only looking out for themselves, since customers aren’t on the hook for fraudulent transactions if they’re reported promptly.

Issuers certainly have a right to try to protect themselves, and reducing fraud theoretically reduces costs for everyone. But they should find a way to do so without needlessly annoying their customers. Otherwise, we’ll take our business elsewhere. As I did. The charge using my Visa went right through.

Answer: If she hasn’t done so already, your wife should call the police to report the crime and get a copy of the report in case she needs it later to prove she’s a victim of identity theft.

Your wife is the one who needs to have fraud alerts placed on her credit reports at all three of the major credit bureaus: Equifax at (800) 525-6285, Experian at (888) 397-3742 and Trans Union at (800) 680-7289. These alerts are good for 90 days and can be renewed. It’s unfortunate the bureaus are using these help lines to pitch products, but you don’t need to buy anything to get a fraud alert placed on your files. In two or three months, she should use http://www.annualcreditreport.com to get a free look at her credit reports to make sure no one has opened accounts in her name.

Your wife also may want to consider a credit freeze, which locks up her credit reports to make it much harder for someone to apply for credit in her name. Get more information about these freezes, which typically involve fees, at http://www.financialprivacynow.org.

In addition, she needs to call your state’s department of motor vehicles to report the stolen license. If she discovers later that someone is using it, she can request a number change.

For more on coping with stolen information and dealing with identity theft, visit the Identity Theft Resource Center at http://www.idtheftcenter.org.

Apparently, many older gas pumps don’t encrypt the PINs you enter when you use your debit card. If a criminal can get a key to open the pump—not all that hard to do if you have a disgruntled or otherwise cooperative gas station employee to help—then a card-skimming device can be installed inside to scoop up the PINs along with the information contained on the magnetic stripe.

So far from being safer to use at the pump, as this horribly incorrect Yahoo! Answers entry contends, debit cards can be far more vulnerable than credit cards. A bad guy with your debit card info and PIN can swipe money directly from your bank account. (The criminal gang that compromised debit cards at Michaels recently did exactly that.) With a credit card, on the other hand, you don’t have to pay bogus charges. Those are typically removed as soon as you report them, while a compromised bank account may take weeks to fix.

A couple of years ago, VISA made a push to require that all newly installed gas pumps encrypt this crucial data, but gas station owners howled at the idea of retrofitting older pumps at a cost of around $10,000 each. So many pumps still lack encryption.

I don’t know about you, but the few pennies I used to save at the debit-only gas stations aren’t worth potentially compromising my bank account. Until gas station owners fix this issue, I’m sticking to my credit card.

Answer: In both instances, sensitive financial documents were entrusted to the U.S. mail system. Although this is common, it’s certainly not secure, since such mailings aren’t tracked and they certainly aren’t encrypted. The two taxpayers didn’t think to question the way their papers had been handled until those papers went missing, but both taxpayers and tax preparers would be wise to use more secure methods to transmit sensitive data.

• You’re a Sony online games customer, since hackers just scooped up names, home addresses, phone numbers and credit and debit card numbers for millions of users.
• You recently got an email or emails saying something like “An important message to our customers” or “An important email security alert.” These emails were triggered by a massive computer break-in at Epsilon, which handles promotion emails for some of the biggest companies in the world, including Bank of America, Chase, Target and Wal-Mart. The hackers got names and email addresses, which will allow them to create targeted phishing attacks that will probably look identical to legitimate communications from those companies.
• You’ve gotten any other notice from a company that your identifying information has been compromised.
• You use the same password for a bunch of sites, or haven’t changed your passwords in six months or more.

It’s particularly important to change your passwords if you’re using the same one for social media sites as you do for financial sites. Social media passwords are easily hacked, thanks to spoofs and other tricks that send you to lookalike sites that encourage you to retype your ID and password.

The good news is that there are some password vault programs out there that will not only keep track of all your passwords but help you generate new, more secure ones: KeePass, One Pass, LastPass are among them. (Update: LastPass is asking users to change their master password after noticing some weird traffic on one of their servers. Read this for more. Lifehacker also put together a nifty list of LastPass alternatives here.)

Here are some suggestions from consumer advocate Mitch Lipka, who wrote about the break-ins for DealNews.com:

Do not send your personal information in response to an email, even if it appears to be coming from a company you do business with

Beware of links in emails and do not input your personal information if requested on the pages that open from those links (if you do click)

Note the URL that an email link is going to take you to by pointing your mouse over the link (that will quite often reveal that you’re going to a spoof site)

If you have a question about the validity of a communication from a company you do business with, call a known phone number (such as the one on the back of your credit card) and not a number or email contact that is sent to you

Monitor your credit card charges and immediately report any usage that is not yours (you are not responsible for fraudulent charges that are promptly reported)

Check your credit report every few months to ensure someone is not opening credit in your name. You are entitled to a free report once a year from each of the big three credit reporting agencies from this site they have set up.

If you’re a Sony customer, consider these  suggestions, courtesy of FoolProof:

At the very least, change your passwords on your PlayStation Network account, any accounts associated with this, and change any email addresses you may have used on PlayStation.

At the very least, if you use the same PlayStation Network password on other accounts, change the password on every one one of them. For instance, if your PlayStation Network password is also used on your online banking account, change that password!

Think carefully about other places you may have used your PlayStation Network passwords. Do you buy plane tickets or hotel rooms online?  Did you store credit card information on those sites?  Do any of those credit cards use the same password?  Go to every account and change them.

Check your bank accounts and credit cards tied to your PlayStation Network account daily for unusual activity.

Call your credit card provider (of the card or cards you used on PlayStation Network) and ask them to cancel and replace. “If you want to live on the edge, you can skip this step,” says the Editor of Privacy Times, Evan Hendricks. “But if you really want to be safe, have the PlayStation Network cards cancelled and replaced.”

Do others in your family have a PlayStation Network account? If so, tell them to read this fact sheet and listen to the Podcast with Hendricks at www.foolproofme.com.

Answer: Actually, the reader followed up to say her supporting paperwork eventually made its way to her mailbox. The return itself, as noted in the column, was electronically filed without her permission or review.

Whether there’s a software glitch or simply overworked preparers making mistakes is unclear. But these experiences do highlight the risks of using the U.S. mail for sensitive information. Here are another reader’s thoughts on the subject:

Dear Liz: As a tax preparer, I deal with clients who live 100 or more miles away, and I have never had a problem with mailing of documents in either direction. Perhaps they may be delayed somewhat, but they have always arrived. As to the issue of the preparer filing electronically without permission, the IRS mandates that a return can be filed electronically only after the preparer receives the taxpayers’ approval (IRS Form 8879 must be signed by the client). Therefore it appears that the tax preparer in this case may have acted in a manner not acceptable by taxing agencies. This is something taxpayers should be wary of in dealing with tax preparers.

Answer: That’s definitely true, but perhaps you should consider being a little more wary of the mail system. Just because nothing has happened yet to all that sensitive data doesn’t mean something can’t or won’t. It may cost a little more, but if your clients can’t drop off information and pick it up themselves, paying for delivery services that offer tracking information is a way to make these transactions more secure.