Recently I found out my identity was stolen and used by an organized criminal group operating across the United States from coast to coast. This situation was shocking, as I’ve been an overly-cautious security expert for more than a decade. I still can’t be certain where exactly my personal information became compromised, but the only confirmed source I’m aware of comes from the serial compromises that took place at Equifax.
More than half of my fellow Americans had their personal information stolen through the Equifax breach. New information has come to light just recently in Senate Judiciary hearings which indicates the depth of the loss was significantly worse than Equifax first disclosed in September of 2017.
My goal in sharing this information is that other people will be able to prevent themselves from being victimized through no fault of their own and enable those whom are already victims to restore a sense of order to their life and financial affairs.
For those of you who have already had your credit stolen: first and foremost, don’t expect any third party to take charge of the situation, you are the only person who can resolve the matter. You should prepare yourself to deal with a level of bureaucracy that would elevate a Zen Master’s blood pressure, and you’ll be wasting an ungodly number of hours of your life trying to reach some semblance of normal again. The requirements to steal your identity are significantly less complicated than what’s required to get it back.
TLDR: For those of you who have not had your identity stolen yet, follow sections #1, #4, #6, and #7 that are titled:
• FREEZE FREEZE FREEZE YOUR CREDIT
• CHECK YOUR CREDIT REPORT
• SECURE YOUR PHONE NUMBER
• SECURE YOUR ONLINE IDENTITY & CRITICAL ACCOUNTS
1. FREEZE FREEZE FREEZE YOUR CREDIT.
Everyone should take ten or fifteen minutes and freeze their credit. This will prevent anyone from opening any new accounts in your name without first providing a PIN number (don’t lose these) to thaw your credit report.
There are three major credit bureaus you’ll want to start with:
• https://freeze.transunion.com/ - Transunion
• https://www.freeze.equifax.com/ - Equifax
• https://www.experian.com/freeze/center.html - Experian
Some of these sites require you to answer questions from your financial record that are difficult for the accountants among us to answer. Don’t be alarmed if you can’t finish the process online due to the questions or website issues. I was unable to complete an online application for Transunion and my wife was unable to complete an online application for Experian. You can place a freeze on your account using their automated telephone system as well:
• Transunion: 1-888-909-8872
• Equifax: 1-800-685-1111 for NY residents call 1-800-349-9960
• Experian: 1-888-397-3742
The cost of a credit freeze varies from state to state, but on average it should cost you around $10 at each credit bureau. However, with an active police report, they will waive the fee. At this point in time the (approx) $30 will be well worth every penny that you spend. More information on the cost of a credit freeze can be found here:
- https://help.equifax.com/s/article/What-are-the-security-freeze-fees-in-my-state
- https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/
Now there are two other companies at which you will want to freeze your credit, including the fourth credit bureau, Innovis, which no one seems to know anything about or even why or that it exists. It’s yet another information clearinghouse that can be used by criminals to gain access to more information and further other types of fraud.
https://www.innovis.com/securityFreeze/index
And once that’s done there’s a completely separate system for debit accounts. I was lucky enough to have a Walmart debit account opened in my name by someone else, into which my federal tax refund could be directly deposited. Mull that one over for a bit. The fraud department at Walmart was considerably more helpful than some of the other vendors I had to deal with so big props to the folks over there. You can place a freeze on debit accounts by going to Chexsystems and placing another security freeze.
https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/placefreeze/
2. FILE A LOCAL POLICE REPORT
Next, you’ll need to file a police report with your local police department. You’ll have to travel in person to do this and will need to sign an affidavit attesting that all the information you provide is true. You’ll need a police case ID number to acquire more information from the vendors your identity was used with as well as to place an extended fraud alert on your account at the major credit bureaus.
Don’t expect the police to solve the crime. In my instance, numerous accounts were opened in person simultaneously at retail stores across the country. The police department may forward information to other local police departments, but don’t expect too much. Identity theft has slowly been increasing for a number of years and impacted a total of 15.4 million individuals for more than $16 billion dollars in 2016. Only about one in 700 identity thieves are apprehended (in 2006), or about .15%. The actual number is probably even smaller now.
Even better is the fact that identity theft isn’t classified as a felony in a large number of states. You’re not filing the police report to ensure criminals are put to justice, you really just need the police case number to file additional reports.
3. PLACE AN EXTENDED FRAUD ALERT
Armed with your shiny new police case ID, you’ll want to place an extended fraud alert at one of the three major credit bureaus: Equifax, Experian, or Transunion. It is the credit bureaus’ responsibility, once notified, to contact the other two bureaus to place a fraud alert there as well.
You can place a 90-day fraud alert free of charge. With an active police report, you can place a 7-year fraud alert at each of the credit bureaus. You’ll need to provide written documentation which differs for each bureau. Be sure to send all mail correspondence by certified mail so you can track when items are delivered and that they in fact made it to their destination.
Equifax: https://www.alerts.equifax.com/AutoFraud_Online/pdf/Fraud_Alert_7.pdf
Mailing Address:
Equifax Information Services LLC
PO Box 105069
Atlanta, GA
30348-5069
Experian: https://www.experian.com/fraud/form-extended-fraud-victim-alert.html
Mailing Address:
Experian
PO Box 9554
Allen, TX 75013
Transunion: https://fraud.transunion.com/pdf/ExtendedAlertForm.pdf?
Mailing Address:
TransUnion
P.O. Box 2000
Chester, PA
19016
4. CHECK YOUR CREDIT REPORT
Every US citizen can go once a year to: https://www.annualcreditreport.com/index.action and receive a free copy of his or her credit report from each of the three credit bureaus. I, however, was not so lucky as thieves had already gotten a free copy of my report a few weeks earlier. So, I paid the about $15 to get a copy of one of my reports. This was a mistake (as I later found I needed all three), but it will give you somewhere to start.
From there you should be able to find whatever new credit inquiries were made in your report and then attempt to contact each vendor individually. You should also be able to identity if any other longer-standing accounts were opened in your name.
NOTE: You should get a copy from each of the major three bureaus. I had conflicting information across all of them once I looked further into things, additional accounts had been opened that only showed up on one report versus another. So, do yourself a favor early on and get a copy of all of them.
I found almost another half-dozen accounts. Depending on how your interactions with different vendors go, you’ll also probably need to start a number of disputes with the credit bureaus themselves. My reports were full of factual inaccuracies and information that literally had nothing to do with me.
5. CHECK YOUR PHYSICAL MAIL
The criminals in my instance placed an electronic hold on my physical mail. If I didn’t have a horrible Amazon addiction and the need for baby diapers and wipes on a near constant basis, it probably would have been much longer before I noticed anything was wrong. If you suspect you’ve been a victim of identity theft, I strongly encourage you to go to your local post office and make sure that no holds are placed on your mail without additional verification or information from you. The US Postal Service will let you hold any person’s mail in the country with nothing more than a phone number, address, and email.
Pro tip: Neither the phone number nor the email need to be valid. As with other methods used in identity fraud, it is often the mechanisms that are meant to make our lives more convenient that end up complicating things further.
The US Postal Inspection Service is available at: 877-876-2455 (option 3) to report incidents related to mail fraud. The USPS also has the following resource available: https://postalinspectors.uspis.gov/. Once I recovered the five or six days of mail I had missed, it was on to unraveling all the accounts at other commercial vendors that were opened in my name.
6. SECURE YOUR PHONE NUMBER
Phone numbers are increasingly being used by criminals as a form of credential to prove that they are you. Phone numbers are also used as an additional means of verification with online websites and institutions across the country. I’ve yet to comes across a company that verifies the phone numbers criminals put on fraudulent applications.
My personal cell phone number was used in nearly every instance of fraud. As you can guess, I changed it. This is one hell of a process. I had my phone number for nearly 20 years. Cell phone numbers have unfortunately become synonymous with your identity; even the IRS uses cellphone numbers to identify people (more on that later).
The problem is that cellphone numbers are essentially public record and thanks to the large availability of sites that scour all public records periodically and sell it to anyone for a price. YOUR PHONE NUMBER IS NOT SECURE. Companies SHOULD NOT be using phone numbers as a means of authentication and verification, but that’s only one small part of a much larger, broken system. The Abine website contains a large number of organizations that collect information from public sources and resell it.
I highly recommend that you GO TO YOUR INDIVIDUAL WIRELESS PROVIDER AND PUT A PIN NUMBER ON YOUR ACCOUNT. This PIN number is required to transfer or port your number to a new carrier, which can easily be done by criminals. If someone steals your phone number you’re going to be in for a bad time. Yes, nearly all cellular messages can be intercepted via slightly more complicated technical means (read about SS7 hacking for yourself), but most identity theft is pretty low-tech.
• Verizon Wireless: https://www.verizonwireless.com/search/vzwSearch?Ntt=pin
• AT&T Wireless: https://www.att.com/olam/unauth/viewAutoGenPassCode.myworld
• T-Mobile Wireless: PIN created during account creation
• Sprint Wireless: PIN created during account creation
I had the luxury of having a “new” Sprint and “new” T-Mobile account opened in my name that, ironically, the criminals protected by a PIN. I couldn’t do anything to shut them down or much of anything else. You should know your rights, however, and under the Fair Credit Reporting Act and the later amendment called the Fair and Accurate Credit Transactions Act of 2003 (FACTA), you can initiate a request to get information out of uncooperative vendors, which we’ll go over later. It’s probably also in your best interest to contact each of the cellular vendors you don’t do business with and ask them not to open any new accounts in your name without additional verification.
You may also want to consider using an external phone application that provides a second telephone number that you can use for unimportant things, people you don’t trust, or on online marketplaces like craigslist. I recommend that if you’re interested in this, you look into the following applications:
• Google Voice: https://www.google.com/voice
• Hushed: https://hushed.com/
• Burner: https://www.burnerapp.com/
• Sideline: https://www.sideline.com/
• 2ndline: https://www.2ndline.co/
Burner and Hushed were much more suited to my individual needs, but I recommend you take a look at all of them if you’re interested. Each has its own pros, cons, and price point.
7. SECURE YOUR ONLINE IDENTITY & CRITICAL ACCOUNTS
Thankfully, in my instance, none of the criminals had gained access to any of my existing financial accounts or other critical accounts. As a best practice, though, make sure you update all of your passwords across the board. You’ll likely need to make use of a password manager to deal with all of the new information.
I know in my case I had to alter my contact and personal information for over thirty online accounts; you will inevitably forget one or two of them. If available, make sure that you enable two-factor authentication on every account that will take it, preferably with a new phone number that the criminals don’t have and that is protected by an authentication PIN.
Your email account is the most critical account and is used as a means of verification and authentication against nearly all of your other online identities; make sure you have two-factor or enhanced verification on this account and never use it on any public system(s). Utility accounts are also critical and can be used to prove your identity and further fraud at other companies.
I strongly recommend that you lock these accounts down as best you can. Most utility companies do not take security especially seriously, but thankfully they’ll usually only send correspondence to the mailing address on file for service. Here’s a shortlist of websites you should check – it is by no means comprehensive:
• Financial Accounts (Bank, Investment, Mortgage, and Retirement Accounts)
• Utility Accounts (Power, Water, Sewer, Gas, Cable, Phone and whatever else sends you a monthly bill)
• Mail Account (Absolutely critical to control access to this as vendors will use it to reset your identity or attempt to confirm your identity)
• Online Services (Netflix, Hulu, YouTube, Amazon, Spotify, Tidal, and whatever else the cool kids use these days)
• Social Media Accounts (Facebook, LinkedIn, Instagram, and whatever else people can collect information from)
In addition, if you are a United States citizen, I strongly recommend that you CREATE ONLINE ACCOUNTS AT THE INTERNAL REVENUE SERVICE AND SOCIAL SECURITY ADMINISTRATION. It is relatively easy to do with stolen information and if someone does it before you do, you will be in for a bad time. Please don’t wait and take my word for it.
• https://secure.ssa.gov/RIL/SiView.do
• https://sa.www4.irs.gov/eauth/pub/login.jsp
The bad news is once your credit is frozen you will not be able to make an account at either government organization without first unfreezing your credit. The good news is neither will anyone else.
8. FILE A REPORT WITH THE FTC
The Federal Trade Commission’s website for identity theft is https://www.identitytheft.gov/. Create a case file there and use it to track information. It probably won’t amount to much, but it’s another feel-good step in the recovery process. They coordinate with both the Social Security Administration and IRS. The FTC also has numerous online resources available at: https://www.consumer.ftc.gov/topics/identity-theft.
9. FILE FORM 14039 WITH THE IRS
The IRS provided another surprisingly positive experience. Go online and file form 14039 https://www.irs.gov/pub/irs-pdf/f14039.pdf as soon as possible. The IRS has a pretty good ID theft resource available at: https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft. There’s not a whole lot you can do to prevent someone from filing a tax return in your name, but the IRS does have additional PIN verification systems that can be used by contacting Identity Protection Specialized Unit or IPSU here: 1-800-908-4490.
10. INITIATE FACTA REQUESTS
To ascertain which of your credentials were used by criminals at various vendors, you can file a FACTA request. The requirements for each vendor are different, so be sure to check with individual vendors. The immediate issue with how most of this works is that vendors like Walmart, K-Mart, Lowes, Home Depot, Sprint, Target, T-Mobile, Kohls, and whoever else is that they typically outsource their actual credit operations to third party companies, so getting to whoever is actually responsible for the accounts is a Herculean task.
If you’re getting weird calls from random creditors representing different national chains, they may actually be legitimate and it could be in your best interest to investigate. I ignored these for a few days to my own personal detriment. In my case, nearly every account was opened in person in a store in a remote location. Despite providing my home address in another state, none of the vendors did any additional fact checking and my identity was not validated through any serious means at any of the locations.
Unfortunately, it is not in commercial company’s interest to help you other than to provide what they’re legally obligated to provide under the law. Each company will have its own requirements for what you need to submit to receive the information under FACTA, but you should be able to receive the following:
• Account Establishment Date
• Account Name
• Account Address
• Social Security Number used on account
• Date of Birth
• ID or Driver License Number used on account
• Contact numbers
• Form of payments
• Amount and date of payments
What’s interesting is you probably won’t be able to receive a call transaction list or really any information that could be used in apprehending thieves. Don’t expect anyone to pull surveillance footage or anything similar. Commercial companies are not incentivized to spend additional time, resources, and make themselves vulnerable to lawsuits, to assist you; they will only work insofar to protect themselves and their companies. You are the only person who can request this information and you are the only person who can receive this information.
The requirements so far for me personally have been more involved than anything that was required to open the accounts themselves. Send everything certified mail and keep a record of the amount of time you spent, who you spoke with, if anyone, and the dates and times that you called.
11. CHANGE YOUR BANK ACCOUNT NUMBERS
You’ll have to go to each of your financial institutions independently to do this and it is a whopper pain in the ass. You’ll have to correspondingly change your account numbers with any automated payment systems like utility companies, credit cards, and other services. You may also wish to get new numbers for any of your existing credit cards and debit cards. Don’t worry - none of this will involve you having to unfreeze your credit.
12. GET A NEW DRIVER’S LICENSE
In the event that a criminal used your driver’s license as proof of identity in perpetuating a fraud, you will want to get a new one. It’s incredibly easy for criminals to get a copy of your license. Most states now have an online process to request a replacement copy of your license and most of this is not verified through any additional means. Some states even allow you to send that copy to an address that is not listed on your driver’s license.
I recommend that you investigate whether any additional copies of your license were requested around the timeframe your identity was stolen. Unfortunately, there’s no unified national driver database and your information could be used in other states to open pieces of official identification with someone else’s photograph. Typically, all you need is a social security number, one or two pieces of photo ID and some utility bills, all of which can easily be faked or opened within a relatively short period of time.
I recommend that you look into each DMV in each respective state where your information was used to determine if any licenses exist with your information. It’s probably also prudent to enter DHS’s Real ID program: https://www.dhs.gov/real-id. It’s meant to help assist in decreasing identity theft but an extension exists in numerous states for another several years until 2020. Some states already require you to have a Real ID to get on an airplane as of January 2018, but you can rest easy knowing the requirements are not nearly as stringent to open a $30,000 dollar line of credit in your name.
13. CONTACT THE SOCIAL SECURITY ADMINISTRATION
The Social Security Administration’s website for identity theft is: https://oig.ssa.gov/report-fraud-waste-or-abuse/what-cant-oig-investigate/identity-theft. They are most assuredly one of the least helpful government agencies when it comes to identity theft, as they don’t seem to want to engage on the telephone until you prove it’s related to terrorism. It will be in your best interest to receive a copy of your earnings statement using the following mail-in form: https://www.ssa.gov/forms/ssa-7050.pdf.
A webpage also exists to receive similar information: https://faq.ssa.gov/link/portal/34011/34019/article/3709/how-can-i-get-a-social-security-statement-that-shows-a-record-of-my-earnings-and-an-estimate-of-my-future-benefits.
YOU CAN ALSO REQUEST A NEW SOCIAL SECURITY NUMBER IN THE EVENT OF IDENTITY THEFT. There continues to be perpetuated misinformation concerning this fact all over the place. It is in fact possible and done in a number of instances. Official resources are available at https://www.consumer.ftc.gov/articles/0248-do-you-need-new-social-security-number and https://faq.ssa.gov/link/portal/34011/34019/article/3789/can-i-change-my-social-security-number.
In my own personal estimation, using a 9-digit number for a person’s entire life that no agency appears to be able to keep secure anyway, including both government and private organizations (think OPM and Equifax), seems absolutely ridiculous. Just like other antiquated systems of authentication, the Social Security system needs to be overhauled and fixed badly. It is one of the primary reasons that identity theft continues to plague this country. TLDR: Go to an office in person.
14. NOTIFY THE HEALTH DEPT (State Level)
You’ll want to contact the Vital Records division of the Department of Health for the state that you were born in. This one I didn’t really think about until a little later, but essentially all government identification works on a cascading effect from a single document, “YOUR BIRTH CERTIFICATE.” There is almost no authentication or verification needed once someone has stolen your information to receive a copy of your original birth certificate other than name, SSN, DOB, and where to send your birth certificate.
Numerous online portals exist to purchase a copy of your birth certificate, typically under some arbitrary name that contains the word “Vital.” The fact that criminals can easily acquire a copy of your birth certificate means that they could then acquire nearly every other official government document in your name. This is an area that is very badly broken and needs extra security put in place.
15. NOTIFY INSURANCE PROVIDERS
This is one that I thankfully did not have to deal with personally, but I learned about through reading other peoples’ stories. Thousands upon thousands of dollars in medical bills could potentially be accumulated in your name without your knowledge once your information is stolen.
I highly recommend that if you’re insured that you contact your health insurance provider and notify them that your identity has been stolen. Provide them information like your current location and where you would possibly receive medical care in the near future. They can then mark any claims outside of this area as fraudulent much more easily. The same holds true of car insurance if your driver’s license or other similar information was stolen.
16. GET MORE THAN ONE FORM OF ID
Most people don’t bother worrying about anything more than a single driver’s license typically in their daily routine. As online repositories of information become more frequently compromised, this will become a much larger problem. Until the federal government takes control over more of people’s personal information, there will continue to be zero accountability for losing it. It’s not as if any American really has the choice as to which credit bureau they work with; they’re forced to work with all three of them.
Do yourself a favor now and get a copy of your Social Security card, your birth certificate, apply for a passport, your last W-2, a paystub, and keep two recent utility bills in a safe place. I highly recommend a safety deposit box or similar physically-controlled locked container. It may seem like just common sense, but recovering from identity theft without these documents already in hand would be an absolute nightmare.
Conclusion
If you live in the United States, I strongly recommend that you FREEZE YOUR CREDIT immediately after reading this. The FALLOUT from the Equifax breaches is just beginning; a dozen people waiting in line at the DMV all had their identities stolen around the time mine was stolen. Even if you’re not a victim now, chances are pretty good that your information will be compromised in the future. The bits and pieces of information that we rely on in our everyday lives to prove identity and provide authentication are all flawed in their own unique ways.
The technologies and policies employed by our own government are not well suited to protecting its people from much of anything when it comes to identity theft. The system in place removes all accountability and nothing will change any time soon because it’s someone else’s fault. People increasingly forego privacy and freely give up information about themselves on social media and other global platforms. This can in turn be used against them, and it’s not until something truly bad happens to you that you even consider it could be an actual problem.
YOU are the only person who cares or is capable of protecting your digital and physical identity, and even then… we’re all just waiting for the next major breach.