Q&A: An emergency kit document hack

Dear Liz: Thanks for answering my question about storing hard copies of financial services records for emergency preparedness. My wife and I finally reached a compromise: We printed out our account numbers, but we attached code names to them that only we would recognize. Now both of us are comfortable that even though someone might have our account numbers, they’ll never know which financial institution to contact.

Answer: That’s a terrific compromise that keeps your important financial information accessible to you but not to an identity thief.

Q&A: Credit freeze may be inconvenient, but it’s effective

Dear Liz: Is freezing one’s credit reports the safest bet even though it’s inconvenient to get it temporarily unfrozen? Plus you have to pay a fee. At my son’s urging, I had my credit reports frozen since the Equifax incident but I find it very inconvenient whenever some financial firms need to look into my credit score.

Answer: Credit freezes remain the best way to prevent new account fraud, which is when criminals open up bogus credit accounts in your name.

It is somewhat inconvenient to have to remember to thaw the freezes when you apply for credit or other services, and you have to keep track of the personal identification numbers (PINs) that allow you to do so.

The good news is that the fees for instituting and thawing freezes will go away as of Sept. 21. The Dodd-Frank reform that Congress passed this spring included a clause requiring credit bureaus to waive those fees.

Q&A: Credit alert or phishing scam?

Dear Liz: I received a notice from one of my credit card companies stating that they had noticed something amiss in my credit, though not related to their card. The notice suggested I check my credit reports, which I did. Nothing showed up on the reports that was of concern. What else should I do to ensure my credit stays secure?

Answer: Vague “alerts” are a hallmark of phishing emails that are trying to get you to reveal personal information.

If you followed a link in an email to view your credit reports or accessed them on any site other than www.annualcreditreport.com, you may well have handed your Social Security number and other vital data to an identity thief.

If that’s the case, you should freeze your credit reports to prevent the thief from opening new accounts in your name. You might want to do that anyway, given the prevalence and severity of recent database breaches.

Q&A: Ease identity theft fear by checking your credit report

Dear Liz: I am suddenly receiving junk mail addressed to my estranged brother at my house. I’ve been in this house for 15 years and have never before gotten mail addressed to him. Is it possible he applied for credit or something similar using my address? He has always had money issues.

Answer: It’s more typical for an identity thief to divert a victim’s mail to his own address than to cause junk mail to be sent the victim’s way. Still, it can’t hurt to check your credit reports via www.annualcreditreport.com to see if there are any accounts or activity you don’t recognize.

Q&A: Credit freezes complicate setting up online Social Security accounts

Dear Liz: You’ve recently written about protecting ourselves by establishing online Social Security accounts. Social Security prevents me (or anyone else) from creating an online account because I have credit freezes in place. As I understand the process, Social Security uses the credit bureaus to verify my identity. With a freeze, there’s no identity verification. In other words, in order to set up a fraudulent online account, someone besides me would have to unfreeze my credit report first. Is that correct?

Answer: Pretty much. Another way to establish an online account is to go into a local Social Security office with proper identification. But most hackers are unlikely to take the trouble to do either.

You may still want to create an online account to monitor your Social Security earnings record and promptly correct any mistakes or spot employment fraud (someone using your number to get work).

You could make a trip to a Social Security office or temporarily lift your freeze with the bureau that’s providing identity verification services. Currently, that bureau is Equifax — and yes, that’s the bureau that suffered the massive database breach that started this discussion.

Q&A: Freezing Your Social Security Number

Dear Liz: Recently you answered a question about whether Social Security files could be “frozen” to help prevent fraudulent activity, and your response was no. I had just researched that question after the Equifax breach, and found out the Social Security Administration does have a way to block electronic access to your records now, so I had that set up for me. The administration advised that it can be done whether you have an online account or not (I don’t). There is additional information about this on the Social Security website: https://secure.ssa.gov/acu/IPS_INTR/blockaccess

Answer: When you block electronic access to your Social Security file, no one, including you, is able to see your records or change your information online or through the administration’s automated phone service. Blocking access could prevent someone from tampering with your record, but it also could prevent you from detecting misuse of your Social Security number if someone is using it for employment or tax fraud. Blocking access certainly won’t prevent other kinds of identity theft involving credit, medical care or criminal arrest. A better approach might be to set up an online Social Security account to prevent someone else from doing so fraudulently, and to monitor that account regularly.

There is another government service, myE-Verify, that enables you to “lock” your Social Security number. That may prevent someone from using your number to get a job, but only if an employer uses the service to determine applicants’ eligibility to work in the U.S. — and many employers don’t. Even if you succeed in preventing employment fraud, your number could still be used in other types of identity theft. Also, a Social Security lock expires after one year, so you’d need to renew it annually if you want to keep it in place.

Unfortunately, there’s no easy way to prevent your Social Security number from being misused. As long as those nine digits continue to be used as an all-purpose identifier, we will be vulnerable to all kinds of identity theft.

Q&A: Authentication apps can help thwart hackers

Dear Liz: I’ve heard that authentication apps are a better way to go than two-factor authentication that texts codes to your cell phone. Can you explain more?

Answer: Two-factor authentication adds an additional layer of security to financial, email, social media, cloud storage and other accounts. The first factor is something you know, which is a typically a password, and the second is something you have, such as a code that’s texted to you or generated by a device or authentication app.

The second factor is important, since passwords can be guessed or stolen in database breaches. Texted codes can be intercepted by hackers, so security experts recommend using an authenticator. Three popular apps are Google Authenticator, LastPass Authenticator and Microsoft Authenticator.

To use an authenticator, you must first enable two-factor authentication on the account you want to protect. Unfortunately, not every account provider offers two-factor authentication, although they should. You can find whether yours does at twofactorauth.org.

If the account provider supports authentication, you’ll typically be asked to take a snapshot of a QR code using the authenticator app to establish a connection between your account and the app. When you later log in to those sites, you’ll be asked to type in the code randomly generated by the app.

Any security approach can be thwarted, but the idea behind two-factor authentication is making your accounts hard enough to crack that most hackers will move on to an easier target.

Q&A: Here’s a way to fight Social Security fraud

Dear Liz: To make us less likely to become victims of fraudulent activity, years ago I froze our credit bureau files. I assume the Social Security Administration could be hacked as well. Can those files be frozen?

Answer: No, but you can create an online account to track and monitor your Social Security records — and it’s probably a good idea to do so. Fraudsters are creating such accounts and using them to divert benefits onto prepaid debit cards. If you created yours first, this fraud will be harder to pull off. If someone has already created an account in your name, you can find out and start the process of taking back your identity. The place to set up your account is www.ssa.gov/myaccount.

Q&A: Free credit monitoring won’t prevent identity theft

Dear Liz: I thought I would share some information in light of the Equifax disaster.

Two of my credit card issuers provide free credit monitoring. Capital One scans my TransUnion file and Discover uses Experian. Both send email and text alerts about new activity and a monthly “reassurance” email when no such activity turns up in the previous 30 days.

Along with the credit freeze I placed at Equifax, I feel pretty secure at the moment. I’m sure that other credit card issuers have similar programs in place, and perhaps people should ask their financial institutions if such monitoring is available to them as account holders.

Answer: Free credit monitoring can certainly be helpful, but understand that it can’t prevent identity theft. At best, credit monitoring alerts you after the fact if someone has opened a new account in your name. Only credit freezes at all three bureaus can prevent those accounts from being opened in the first place.

Unfortunately, credit monitoring and freezes can’t help you with the most common type of identity theft, which is account takeover. That’s when someone makes bogus charges to your credit cards or steals money from your bank accounts.

Financial institutions use different types of software to detect fraud, but nothing replaces vigilance on the customer’s part. We should be reviewing transactions on our accounts at least monthly if not weekly. Online access to accounts can help you better monitor what’s going on.

You also can set up alerts that will email or text you if large or unusual transactions happen. (Just beware of a common scam where you’re texted an “alert” that your account has been frozen, along with a link that encourages you to divulge your login information.)

Even if you do everything in your power to avoid identity theft, you still can’t prevent scammers from using your information to file bogus tax returns, get medical care or commit criminal identity theft (by giving your name to the police when they’re arrested, for example). As long as Social Security numbers are used as an all-purpose identifier by businesses and government agencies alike, you can’t make yourself completely secure.

Q&A: How to protect your financial data in the wake of the Equifax breach

Dear Liz: Do I have the right to notify the credit bureaus that I do not want any of my financial information stored in their files? They don’t seem to be that secure. I rarely borrow money and the three financial institutions I deal with have all the data they need to lend me money if I need some. I do finance a car on occasion, because if they want to lend me money at less than 1%, why not?

Answer: The short answer is no, you have no right to stop credit bureaus from collecting information about you. You also can’t prevent them from selling that information or keeping it in inadequately secured databases.

One thing you can do is to freeze your credit reports at all three bureaus to prevent criminals from using purloined information to open credit accounts in your name. But that will cost you.

The only bureau currently waiving the typical $3 to $10 fee for freezing credit reports is Equifax, the credit bureau whose cybersecurity incident exposed Social Security numbers, dates of birth and other sensitive identifying information for 143 million Americans. The other bureaus, Experian and TransUnion, are still charging those fees.

You’ll have to pay an additional $2 to $10 each time you want to lift those freezes, which you’ll probably need to do if you apply for new insurance, apartments, cellphone service, utilities and, of course, credit. Financial institutions may indeed have plenty of information about you, but probably wouldn’t lend you any money without access to your credit reports or scores. Freezes also are a bit of a hassle because you need to keep track of a personal identification number, or PIN, to lift the freeze.

Just in case you weren’t irritated enough by this state of affairs, understand that freezes won’t stop other types of identity theft, such as someone getting medical care in your name or giving the police your information when they’re arrested. Still, instituting freezes is probably the best response to the most devastating breach yet.