Ask Liz Weston

Get smart with your money

Identity Theft

Q&A: Ease identity theft fear by checking your credit report

By

Dear Liz: I am suddenly receiving junk mail addressed to my estranged brother at my house. I’ve been in this house for 15 years and have never before gotten mail addressed to him. Is it possible he applied for credit or something similar using my address? He has always had money issues.

Answer: It’s more typical for an identity thief to divert a victim’s mail to his own address than to cause junk mail to be sent the victim’s way. Still, it can’t hurt to check your credit reports via www.annualcreditreport.com to see if there are any accounts or activity you don’t recognize.

Q&A: Credit freezes complicate setting up online Social Security accounts

By

Dear Liz: You’ve recently written about protecting ourselves by establishing online Social Security accounts. Social Security prevents me (or anyone else) from creating an online account because I have credit freezes in place. As I understand the process, Social Security uses the credit bureaus to verify my identity. With a freeze, there’s no identity verification. In other words, in order to set up a fraudulent online account, someone besides me would have to unfreeze my credit report first. Is that correct?

Answer: Pretty much. Another way to establish an online account is to go into a local Social Security office with proper identification. But most hackers are unlikely to take the trouble to do either.

You may still want to create an online account to monitor your Social Security earnings record and promptly correct any mistakes or spot employment fraud (someone using your number to get work).

You could make a trip to a Social Security office or temporarily lift your freeze with the bureau that’s providing identity verification services. Currently, that bureau is Equifax — and yes, that’s the bureau that suffered the massive database breach that started this discussion.

Q&A: Freezing Your Social Security Number

By

Dear Liz: Recently you answered a question about whether Social Security files could be “frozen” to help prevent fraudulent activity, and your response was no. I had just researched that question after the Equifax breach, and found out the Social Security Administration does have a way to block electronic access to your records now, so I had that set up for me. The administration advised that it can be done whether you have an online account or not (I don’t). There is additional information about this on the Social Security website: https://secure.ssa.gov/acu/IPS_INTR/blockaccess

Answer: When you block electronic access to your Social Security file, no one, including you, is able to see your records or change your information online or through the administration’s automated phone service. Blocking access could prevent someone from tampering with your record, but it also could prevent you from detecting misuse of your Social Security number if someone is using it for employment or tax fraud. Blocking access certainly won’t prevent other kinds of identity theft involving credit, medical care or criminal arrest. A better approach might be to set up an online Social Security account to prevent someone else from doing so fraudulently, and to monitor that account regularly.

There is another government service, myE-Verify, that enables you to “lock” your Social Security number. That may prevent someone from using your number to get a job, but only if an employer uses the service to determine applicants’ eligibility to work in the U.S. — and many employers don’t. Even if you succeed in preventing employment fraud, your number could still be used in other types of identity theft. Also, a Social Security lock expires after one year, so you’d need to renew it annually if you want to keep it in place.

Unfortunately, there’s no easy way to prevent your Social Security number from being misused. As long as those nine digits continue to be used as an all-purpose identifier, we will be vulnerable to all kinds of identity theft.

Q&A: Authentication apps can help thwart hackers

By

Dear Liz: I’ve heard that authentication apps are a better way to go than two-factor authentication that texts codes to your cell phone. Can you explain more?

Answer: Two-factor authentication adds an additional layer of security to financial, email, social media, cloud storage and other accounts. The first factor is something you know, which is a typically a password, and the second is something you have, such as a code that’s texted to you or generated by a device or authentication app.

The second factor is important, since passwords can be guessed or stolen in database breaches. Texted codes can be intercepted by hackers, so security experts recommend using an authenticator. Three popular apps are Google Authenticator, LastPass Authenticator and Microsoft Authenticator.

To use an authenticator, you must first enable two-factor authentication on the account you want to protect. Unfortunately, not every account provider offers two-factor authentication, although they should. You can find whether yours does at twofactorauth.org.

If the account provider supports authentication, you’ll typically be asked to take a snapshot of a QR code using the authenticator app to establish a connection between your account and the app. When you later log in to those sites, you’ll be asked to type in the code randomly generated by the app.

Any security approach can be thwarted, but the idea behind two-factor authentication is making your accounts hard enough to crack that most hackers will move on to an easier target.

Q&A: Here’s a way to fight Social Security fraud

By

Dear Liz: To make us less likely to become victims of fraudulent activity, years ago I froze our credit bureau files. I assume the Social Security Administration could be hacked as well. Can those files be frozen?

Answer: No, but you can create an online account to track and monitor your Social Security records — and it’s probably a good idea to do so. Fraudsters are creating such accounts and using them to divert benefits onto prepaid debit cards. If you created yours first, this fraud will be harder to pull off. If someone has already created an account in your name, you can find out and start the process of taking back your identity. The place to set up your account is www.ssa.gov/myaccount.

Q&A: Free credit monitoring won’t prevent identity theft

By

Dear Liz: I thought I would share some information in light of the Equifax disaster.

Two of my credit card issuers provide free credit monitoring. Capital One scans my TransUnion file and Discover uses Experian. Both send email and text alerts about new activity and a monthly “reassurance” email when no such activity turns up in the previous 30 days.

Along with the credit freeze I placed at Equifax, I feel pretty secure at the moment. I’m sure that other credit card issuers have similar programs in place, and perhaps people should ask their financial institutions if such monitoring is available to them as account holders.

Answer: Free credit monitoring can certainly be helpful, but understand that it can’t prevent identity theft. At best, credit monitoring alerts you after the fact if someone has opened a new account in your name. Only credit freezes at all three bureaus can prevent those accounts from being opened in the first place.

Unfortunately, credit monitoring and freezes can’t help you with the most common type of identity theft, which is account takeover. That’s when someone makes bogus charges to your credit cards or steals money from your bank accounts.

Financial institutions use different types of software to detect fraud, but nothing replaces vigilance on the customer’s part. We should be reviewing transactions on our accounts at least monthly if not weekly. Online access to accounts can help you better monitor what’s going on.

You also can set up alerts that will email or text you if large or unusual transactions happen. (Just beware of a common scam where you’re texted an “alert” that your account has been frozen, along with a link that encourages you to divulge your login information.)

Even if you do everything in your power to avoid identity theft, you still can’t prevent scammers from using your information to file bogus tax returns, get medical care or commit criminal identity theft (by giving your name to the police when they’re arrested, for example). As long as Social Security numbers are used as an all-purpose identifier by businesses and government agencies alike, you can’t make yourself completely secure.