This post comes from Bob Sullivan at partner site Credit.com.
The question is as old as the first case of credit card fraud.
“What can I do to protect myself?”
I’ve been hearing that question a lot lately, as tales of leaked credit card data and other personal information mount. Target, Neiman Marcus … you know the list now. These high-profile hacks shined a light on a massive problem that seems to get bigger every year. The Identity Theft Resource Center says there were 619 data breaches last year, an increase of 30 percent from the year before.
Each time a new leak is announced, the logical question arises: What can consumers do to prevent identity theft?
The brutal answer: Nothing. Nothing at all.
When I published my ID theft book, “Your Evil Twin,” back in 2004, every TV and radio producer begged me to offer them “five ways to stop yourself from becoming a victim.” I constantly refused. There’s only so much shredding you can do, I explained. Consumers can’t prevent identity theft.
Dealing with identity theft is not an issue of prevention, but rather an issue of containment. It’s not a question of if it happens, but rather what to do when it happens.
This is important because I spend a lot of time with security experts, and many people who work in this field have a bad habit of blaming victims. They joke about consumers who put PIN codes or passwords on sticky notes, or they tell stories about foolish medical patients who cough up their Social Security numbers during patient visits. And — can you believe the documents your neighbor just leaves out in the recycling?
Sure, there are some things you and I can do to improve our digital hygiene. But for the most part, these are the equivalent of a man boiling water when a pregnant woman starts to give birth. They are … busywork. There is nothing any one of the Target victims could have done to prevent their credit card account numbers — or their email address, or their home address — from being stolen.
I reject out of hand the advice that consumers should just avoid using all credit cards, or avoid shopping at stores that suffer data leaks. After all, given that Target lost data on 70 million consumers, AND on 40 million credit card accounts, we know that using a credit card at Target was not a prerequisite for being a victim of that breach. There are even reports that non-Target customers are caught up in the leak.
Many such offers of blanket advice are flawed, like this: “Don’t use your credit card online, or give it out over the phone.” That doesn’t work. As we learn with every one of these hacks, even if you only use your card at a store, the retailer puts your account number online anyway. The personal information will be beamed from the point-of-sale terminal, to a store server, to a processing company, to the acquiring bank, to the issuing bank … you get the idea.
In truth, if you want to participate in the American economy, you are participating in activities that make you a likely victim of identity theft. We just learned there were 13.1 million victims last year, the second-highest annual total ever, according to Javelin Research. Using very rough numbers, that means your odds of being hit last year were 1 in 20 or so.
Put another way, most Americans will be victims during the next 10 years.
Yes, you can place a fraud alert on your credit report, which will make it harder for criminals to open new credit accounts in your name, something known as “new account fraud.” You can take another step: You can place a credit freeze on your account, usually for a few dollars each year. That, theoretically, prevents anyone (including you!) from opening new credit accounts.
These steps tend to be a hassle, however, and credit freezes are best suited for ID theft victims who are struggling with serious bouts of the crime. Also, they don’t prevent fraud on your existing credit cards, and they are useless for preventing someone from getting a driver’s license in your name, or for preventing targeted spamming, and in some cases they don’t even stop criminals from opening non-credit accounts, such as utilities, in your name.
So what can you do? You can’t stop it. But you can contain it.
If the Target incident has taught us anything, it’s been a great universal reminder to carefully check our credit card bills, line by line, every month. That’s just good financial hygiene, anyway. It only takes a few moments to yell, “Honey, did you buy this?” If you don’t notice it, you paid for it.
Vigilance extends beyond credit card bills, of course. Check your credit report for free every four months (you can stagger the three reports you get over the course of a year). Watch your snail mail for anything suspicious. Don’t click on links in emails, even if they appear to come from friends. Do all the things you do when you first land in a strange city, and you are on high alert — clutch your purse tighter, put your wallet in your front pocket. Because the Internet is, and will always be, a strange city.
If early detection is the key, then technology is your friend. Most banks now allow a text alert system that tells you when credits and debits hit your accounts. They require some one-time tweaking, but it’s well worth your while. Get a text whenever an amount higher than $100 is withdrawn from your checking account, for example. It’s a great service.
Consumers can also get similar texts based on credit report events if they sign up for one of the numerous free credit monitoring offers flying around right now in the wake of the credit card hacks.
Consumers can’t stop ID theft. We are merely pawns. But banks, retailers and other data collectors can. Firms that leak data need to pay. Companies shouldn’t be allowed to keep our data for longer than they really need it, a right Europeans enjoy. In fact, America has no comprehensive federal privacy legislation, and few rights after we’ve been victimized by neglectful companies.
Nothing makes companies sit up and take notice faster than the potential for losing money. Fines and civil liability — the potential for consumer lawsuits — would get their attention.
Put the burden where it belongs
Not long ago, there was much fear and loathing over theft of consumer online banking logins and passwords. You don’t hear much about that any longer. Why? Banks have installed back-end systems that are very good at preventing Romanian hackers who steal logins from wiring money out of the country.
The systems work a little like the credit card fraud detection systems we are all familiar with — those welcome security phone calls from fraud experts who ask, “Are you really in London right now buying a diamond ring?”
Firms that use consumer data hold full responsibility for its safety. Consumers will always be the weak link in any security chain. Of course they are. They are just trying to live their lives, raise their kids and make their mortgage payments. Leaning on them to keep systems safe is like asking airline passengers to fly their own airplanes. Kudos to banks for making online checking accounts safer. Now, do that everywhere else.
Anyone who has attended a typical hearing in Congress knows they are largely charades. But I was very glad to hear Sen. Patrick Leahy, D-Vt., begin a recent Judiciary Committee hearing on the Target fraud with a reference to trust. Fraud isn’t ultimately the problem with identity theft. The real risk is reduced trust, which could make consumers reluctant to participate in the marketplace.
That would hurt us all. How do we restore trust as soon as possible? By not blaming the victim, and by placing the burden of keeping this information safe with those who deserve it — the experts. Consumers can’t do anything to stop ID theft. The companies that created our loose data culture must be the ones who stop it.
This story is an op/ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.