40 Million IDs Stolen: How to Respond

On August 5, 2008 eleven people from five different countries were indicted for stealing 40 million credit or ATM card numbers. Their intricate plot, which spanned several years, began with a simple practice commonly known as wardriving. At least three of the five suspects parked their cars in retail parking lots and searched for wireless signals on their laptops or electronic handheld devices. When retailers without encrypted servers popped up they would simply log onto those networks and access the files where customer credit or ATM account numbers were stored. This information was then sold on the international black market or used for the thieves’ own gain.

To date, this is the largest single documented case of identity theft—and some of the victims might not even know they were victims for several years as their private information continues to be bought and sold on the black market. When it comes to credit and ATM card fraud, this is definitely a case of epic proportions.

As news of this case broke, panic began to spread among consumers. How will I know if I am one of the 40 million? How could something like this happen? How do I protect my information from this type of hacking? Questions continue to flood people’s minds as more and more details of this case become public. Because of the elaborateness of the crime there are no easy answers to these questions and others like them.  

Figuring Out if You Are One of the 40 Million

In well developed identity theft schemes like this one, it is common for stolen information to change hands countless times before it is ever even used. That means your information may have been stolen even though it hasn’t yet been used for fraudulent purchases. With all of the media attention this case is garnering, thieves who currently have your personal information may wait for several months or even years to pass before actively tapping into your accounts out of fear of getting caught.

But, with that said, it’s not necessary to begin closing down any active accounts you may have used at Office Max, Barnes and Noble, Boston Market, Sports Authority, Forever 21, DSW Shoes, BJs Wholesale Club or TJX companies (TJ Max and Marshall’s). Instead, there are primarily four things you can do to help protect yourself if your identity has been compromised by this fiasco.

1) Read all of your bank and credit card statements closely and make sure all purchases are legitimate and have been authorized by you. If you tend to make a lot of credit card purchases each month, consider keeping a ledger similar to the one for your checking account so you can reconcile it to your statement each month. This is easier than having to remember every purchase you made in the last 30 days. Make sure you reconcile your checking account at the end of each month when you receive your statement. Don’t simply rely on the balance reported on your receipt each time you withdraw cash from the ATM. Even numbers that “look right” can sometimes be off by hundreds of dollars. As soon as you notice any suspicious activity, notify your credit card company or bank and all three credit reporting agencies immediately. 

2) Contact your bank and credit card companies and inquire about any extra security measures they may be willing to offer you in response to this crisis. Some banks and credit companies are now offering features where you are notified by telephone if purchases that don’t match your regular spending practices are initiated. If they try to charge you extra fees for adding these services, kindly reminding them that identity theft is a multi-billion dollar crime and that they have something to lose too. It might not work, but it’s worth a shot. 

3) Call the three major credit reporting agencies (Experian, Equifax and TransUnion) and ask them to place a “fraud alert” on your credit file. That way, if anyone tries to open new credit in your name you will be notified before credit is granted. In many cases of identity theft, thieves don’t view the initial stolen card as their real goldmine, but instead see that card as an opportunity to open new credit in a person’s name and defraud them of a much larger amount of money. 

4) Visit www.annualcreditreport.com and request a copy of your free credit report from each of the three major credit reporting agencies. This is the only place you can obtain a truly free credit report, and not all information may show up on each report so it is wise to check with all three bureaus. If you want to keep an extremely close eye on your credit history, don’t contact all three bureaus at once and instead obtain one free report from one agency every four months (so you will receive one from each agency in the course of a year). 

Unfortunately, there wasn’t anything the 40 million people who had their credit or ATM card numbers stolen could have done to prevent the theft of their information. The problem was with the stores from which they made purchases. Although you can begin asking companies whether or not their servers are encrypted before making purchases, it probably won’t help and might make them suspicious of you.

The recently enacted Fair and Accurate Credit Transactions Act should eventually take care of the problem of companies who have been lax about encryption and safety. Under this act businesses can now be found liable in identity theft cases where information was stolen from them due to poor security. With all of the attention this recent case has garnered, you can bet that countless businesses are busy working on ensuring that their security systems meet the highest standards. Although there isn’t much you can do about businesses and their online security systems you can do several things to protect your home and office computers and networks.

Protecting Your Home and Office Computers and Networks

With an increase in people using wireless internet at home and in the office, more and more people are unwittingly putting themselves at risk for identity fraud. Wardriving isn’t just a practice used in retail parking lots. Some thieves target small businesses and residential areas knowing that it is less likely they will use encrypted networks. If your home or work server is unencrypted and a wardriver is able to identify that, he or she can then gain access to any file stored on your network and can even download and save it to another computer without you ever knowing it.

This is a potential nightmare for companies with human resources departments that keep computer records containing employees’ names, birthdates and social security numbers. It can also be disastrous for businesses that have customer credit or bank account numbers on file somewhere on a computer. But businesses aren’t the only ones who should worry. Anyone who shops online, uses online banking or enlists the use of some sort of online bill pay system may be susceptible to identity theft as well.

Here are four ways you can decrease your chances of identity theft through your home or office computers:

1) Install firewalls and encryption software. Firewalls are extra layers of security that will block unauthorized users from being able to access the content on your server. Many systems allow you to regularly check for any data breach so you can make sure that the information you think is protected really is. Encryption software scrambles important information so that even if it does fall into the wrong hands the unintended recipients aren’t able to read what it says. Using these two methods of security in tandem greatly reduces your risk of hackers or wardrivers being able to infiltrate your system.       

2) Avoid saving any personal information on your computer. If it is not necessary, do not store any account numbers, social security numbers, passwords, birthdays or any other sensitive information anywhere on your computer. Information doesn’t have to be online for someone to access it. If information is on your computer it can be stolen—even by someone who never physically touches your computer.

3) Use anti-virus and anti-spyware software and always check for automatic updates. Software like this has become significantly less expensive over the last few years making it affordable for anyone who has a computer. If your computer is hooked up to the internet, you need this software. By setting your system up to automatically check for updates, you will always be aware of (and hopefully protected from) new potential threats.

4) Keep your wireless access point (WAP), also known as a router, as far away from any windows as possible. Since wireless signals can sometimes be picked up outside of buildings (which explains why your neighbor can piggyback off of your wireless internet or how wardrivers can hack into systems) it’s important that your WAP be placed as far away from any windows as possible. Sure you may get the best results when your WAP is placed near a window—but everyone else near that window can access it with almost as great of results too. The further your WAP is from a window, the harder it will be for someone outside to get a strong signal.

While the security breach that allowed for 40 million credit and ATM card numbers to be stolen is a big deal, it isn’t a cause for panic. Follow the steps outlined in this article, and you will be nine steps closer to a protected identity. There is no foolproof way to protect yourself from identity theft completely, but every step you take certainly counts. So, be proactive. Take the next step to protect yourself today.