In 2017 there were 829 data breaches in the U.S. affecting more than 2 billion individual records, according to the Privacy Rights Clearinghouse.
If that doesn’t cause concern it should because anyone can be a target of identity theft—including children—child identity theft is a fast growing crime.
A definition for identity theft is the criminal use of a victim’s personally identifiable information (PII) to gain a financial advantage or obtain credit and other benefits in a victim’s name. Victims of ID theft often suffer harmful consequences as a result.
Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or obtain medical treatment using your health insurance.
An identity thief can file a tax refund in your name and steal your refund. In some extreme cases, a thief might even give your name to the police during an arrest.
This chilling information was delivered by Steve Muck, Director, Department of the Navy Privacy and Information Sharing, and Steve Daughety, DON Privacy Lead, in the Office of the Chief Information Officer (OCIO) at the DON IT Conference in San Diego. They also provided measures that you can take to protect yourself from identity theft.
Mr. Muck and Mr. Daughety regularly brief participants in an interactive format at DON IT Conferences which are held annually on the East and West coasts to minimize travel costs. They also write the column, “Lessons Learned from the DON Privacy Team,” which appears in each edition of CHIPS.
It’s not a stretch to say session attendees were stunned by the information Mr. Muck and his team shared. This article summarizes their findings and advice.
Identity Theft 101
The largest and fastest growing form of identity theft is using a victim’s government benefits. Criminals impersonate victims to obtain Medicare and veteran services, vote, and apply for a driver’s license or a license to own and carry a firearm.
Mr. Muck explained that government benefits fraud is increasing because it is easy to do and difficult to detect.
“Typically, no one is monitoring their benefits or those of a deceased relative, and the penalty for fraud in these cases is relatively small,” he said.
More than 1.8 million people were victims of medical fraud in 2013, the Ponemon Institute reported, and according to the Bureau of Justice Statistics, an alarming 9 percent or 17 million Americans were identity theft victims in 2017. Figure 1 illustrates common forms of identity theft.
The more PII elements that are exposed, the easier it is to commit fraud, Mr. Muck explained, and once there is an exposure of PII in the public domain, it may be difficult to recover because PII has a very long shelf-life. Figure 2 lists identity theft facts and trends.
Elements of PII, include: full name and full Social Security number (SSN); financial information, such as a bank account and bank routing numbers, credit card number; medical data, such as diagnoses, treatment, medical history; place of birth; date of birth; mother’s maiden name and passport number.
Mr. Muck cautioned that while there has been no known exploitation of biometric data so far, such as finger prints or facial scans, it is a matter of growing concern as more organizations are adopting multi-factor verification for physical and digital access.
Identity thieves are cunning and they exploit whatever means they can to steal your identity, consider these sources of PII:
- Birth certificates – More than 6,000 entities issue U.S. birth certificates. Stolen, counterfeit, and altered birth certificates are often used as “breeder documents” that allow the holder to obtain documents needed to create new identities.
- Driver’s licenses – This picture ID is a widely accepted form of identification and is easy to counterfeit.
- Passports – Over 9,000 U.S. entities process passport applications. Now with a RFID chip, they are the “gold standard” for identity documents around the world; fakes present risks to national security and public safety. Only a birth certificate and a government-issued identity card, such as a driver’s license or military ID, are needed to obtain a passport.
Other documents used to commit fraud include: income tax returns; death certificates; SSN cards; lease agreements; Real Estate Settlement Agreements (HUD-1); canceled bank checks; credit reports, credit card applications, and Form DD 214 – Military Discharge Certificate.
Identity theft often tops the list of consumer complaints that are reported to the Federal Trade Commission (FTC) and other law enforcement agencies. Identity theft can be perpetrated using such low-tech methods as purse snatching, mail tampering or “dumpster diving,” or high-tech techniques like deceptive “phishing” emails or malicious software known as “spyware.”
Ever wonder why when so many people sign on to the National Do Not Call Registry, yet those annoying robocalls continue? You may be surprised to learn that they generate an astonishing amount of money. Entities that spent $438 million on robocalls had more than a $10 billion-dollar return on investment, according to AARP. It’s a great way to trick someone into revealing their PII, and that’s why Americans received 2.8 billion robocalls in December 2017 alone.
Thieves have been known to install devices and cameras to capture bank card and pin numbers from ATMs, gas pumps and other credit/debit card machines, Mr. Muck explained.
“You should be aware of a fraud known as ‘skimming’ when you pay for gas at the pump,” Mr. Muck advised. “This scam occurs when thieves put a device in the slot used for swiping credit cards and the device copies your credit card number. … If the slot jiggles or seems broken, don’t use it.”
He also advised that you should be cautious when using gas stations in remote locations as they have a greater chance of being sources of skimming.
In many situations, through no fault of your own, you may not have physical control of documents containing your PII. Mr. Muck calls these “PII Gold Mines.” For example, anyone can view the documents scattered on the desks in an auto dealer’s credit office or on a receptionist’s desk in a medical office because typically, they are not secured.
Schemers can also copy credit or debit card information during purchase transactions. That’s why it is important to maintain awareness of where your credit cards are at all times, Mr. Muck explained.
“One of the times that my identity was stolen, I am sure it happened in a restaurant when the server took my card to pay the bill and copied my credit card number.”
It’s important to closely guard your SSN, financial cards and to shred charge receipts, copies of credit applications and other sensitive documents.
“Shred everything with your name and address,” Mr. Muck recommended, “and be careful with the documents you store in your vehicle’s glove box and trunk.”
He also advised that you retain income tax returns and other financial documents for no more than three to four years to lessen the chances of identity theft.
Social media accounts often contain PII available for anyone to steal. Interestingly, one in seven identity thieves are known by their victims, according to Javelin Strategy & Research. Download a copy of the Navy Social Media Handbook available on the DON CIO website for tips on how to stay safe online.
Criminals use internet hacking and cyber-attacks that can infect electronic devices, and steal and wipe your data clean, often leaving devices inoperable.
The grocery store checkout line can be tricky with many retailers offering loyalty cards that are confirmed with a telephone number that anyone in line can hear. Be aware these cards also track your purchases and preferences, used with other forms of PII from social media and other sources, criminals can build a profile of your identity.
Common scams using PII include: check fraud; masquerading as an official from Medicare, the U.S. Census Bureau, IRS or other government office; doctor shopping to obtain drugs, usually opioids; the “You have just won a prize…” sham; and posing as a grandchild in desperate trouble who needs money quickly. This last one, unfortunately, has ensnared many grandparents.
Elderly consumers get scammed for more money, but millennials get scammed more often, Mr. Muck said.
Audience members speculated that perhaps millennials aren’t as concerned with their privacy or haven’t developed the healthy skepticism more experienced adults have.
Be aware that the cost of a name with an associated Social Security number and date of birth is ridiculously inexpensive on the Dark Web at a mere $3.
Signs Your Identity Has Been Stolen
Consumers should review their bills, financial accounts and credit reports regularly and be aware of telltale signs that their identity may have been stolen, such as the indicators below:
- Credit and banking fraud: erroneous credit report, denied credit or loans, charged higher interest rates, turned down for a checking account, or a notice of bounced checks.
- Letter from IRS stating your tax return was fraudulently submitted by someone else.
- Stolen government benefits: Social Security, veteran disability, welfare assistance or unemployment insurance denied.
- Legal liability: being the subject of a lawsuit or other criminal proceedings, or being arrested.
- Medical services or insurance fraud: denied medical services, erroneous medical or medication record.
- Other adverse actions: utilities or other services terminated, being turned down for a job, losing a job, or problems with security clearance.
Mr. Muck recommended that you consider placing a Security Freeze on your accounts or a Fraud or Active Duty Alert on your credit file to let creditors know to contact you before opening a new account in your name. See Figure 3 for a description of these options.
Actions you should take now to protect your identity:
- Verify questionable emails or phone calls by contacting the company directly.
- File income tax returns early.
- Do not provide PII over the phone unless you initiate the call.
- Do not use “free” Wi-Fi cafés.
- Never leave your purse/wallet/laptop/smartphone in the car.
- Check your annual Social Security statement.
- Maintain control of your credit card.
- Reduce your exposure by limiting the number of credit/debit cards you have. The average consumer has three.
- Shut off Bluetooth for wearable devices, such as Fitbit, until ready to download information.
- Manage privacy settings on Google to control the data about you that is being collected.
- Remove ads targeted to you by going to Account Preferences then click on “delete your account or services.”
You should request three free credit reports per year (one each from the major credit bureaus by going to annualcreditreport.com; use two-factor identification to access accounts or apps; use strong passwords, do not repeat them and change them periodically. Figure 4 lists useful weblinks featuring more precautions you can take to prevent identity theft.
Many audience members asked about the effectiveness of identity protection services, Figure 5 lists some of the points to consider.
Be sure to look for the DON privacy brief at the DON IT Conference, East, scheduled for June 2-5, 2019, downtown Norfolk, Virginia, at the Norfolk Hilton The Main.
Finally, a salute to the DON privacy team members: Steve Daughety, Don Free and Suzette Buttram, who, along with Steve Muck, work diligently to safeguard the PII of the DON military, civilian and contractor workforce.
Additional privacy information is available on the DON CIO website. If you have questions, please contact a DON privacy expert by using the “Contact Us" link located on the DON CIO website.
If you do become a victim of identity theft, act quickly to limit the damage.
Step 1: Call the companies where you know fraud occurred.
-- Call the fraud department. Explain that someone stole your identity.
-- Ask them to close or freeze the accounts. Then, no one can add new charges unless you agree.
Change logins, passwords and PINS for your accounts.
Step 2: Place a fraud alert and get your credit report.
-- Get your free credit report right away. Go to annualcreditreport.com or call 1-877-322-8228.
-- Review your reports. Make note of any account or transaction you don’t recognize. This will help you report the theft to the FTC and the police.
Step 3: Report identity theft to the FTC. Complete the FTC’s online complaint form. Give as many details as you can. The complaint form is not available on mobile devices, but you can call 1-877-438-4338 to make your report.
-- Print and save your FTC Identity Theft Affidavit immediately. Once you leave the page, you won’t be able to get your affidavit.
Step 4: File a report with your local police department. Go to your local police office with:
-- a copy of your FTC Identity Theft Affidavit
-- a government-issued ID with a photo
-- proof of your address (mortgage statement, rental agreement, or utilities bill)
-- any other proof you have of the theft (bills, IRS notices, etc.)
-- FTC's Memo to Law Enforcement [PDF].
Your identity theft report proves to businesses that someone stole your identity. It also guarantees you certain rights.
- Federal Trade Commission