• So your identity has been stolen? Again?


    #2706884

    ISSUE 21.40 • 2024-09-30 ON SECURITY By Susan Bradley Not a day goes by that I don’t receive some sort of notification that my name, address, email ad
    [See the full post at: So your identity has been stolen? Again?]

    Susan Bradley Patch Lady/Prudent patcher

    • #2706902

      Susan – DEBIT CARD – I’m confused, what is the benefit, even if I don’t use it?
      thanks

      • #2706941

        An interesting podcast recently discussed whether AI is critical infrastructure. I recommend you give it a listen.

        I think the question might be reparsed as:

        Are the datacenters and networks involved in AI processing becoming parts of our nation’s critical infrastructure?

        And I think the answers soon will be, yes. (Whether we as individuals prefer this or not.)

        Maybe the podcast addressed this aspect of the issue.

        -- rc primak

      • #2706943

        DEBIT CARD – I’m confused, what is the benefit, even if I don’t use it?
        thanks

        Not Susan, but my understanding is that the card number, chip or barcode (magnetic strip) is used as a factor in identifying you to your bank. For me, it’s also my ATM Card, with its own PIN. (ATMs may also have a “tap” phone app option now.)

        -- rc primak

        • #2707058

          Same with me (credit union).  I just wish they would switch to 6-8 digit pin codes.  Mine has been 4 digits forever.

      • #2707006

        It’s what the bank uses as their identifier.  You want to ensure you have control over it.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
        • #2707153

          Susan – debit card – still confused – don’t they also use my login, and 2FA, as identifier, security words, etc.? How does the debit card add to this?

    • #2706907

      I use PayPal to purchase and inquire about things online. If a Dark Web or other scammer tries to get my bank account numbers, he or she just gets my email address from PayPal, so they can send me money. The debit or credit card number is also protected. Usually they already have my email address, just like decades ago mom and dad’s names, addresses, and phone number were in the White Pages, except now the White and Yellow Pages are online. My debit cards say Visa, Mastercard, American Express, etc. so they are protected from fraud just like a credit card. I’ve reported thefts and fraud, and within a week, everything was put back by Visa, Mastercard, American Express, or the holder of the card. Then they put their IT and Fraud Divisions on it and notify the Credit Bureaus, so my credit is not screwed up from something a scammer did! I also use a Password Manager and change the passwords frequently. I don’t use factual information, like what high school did I attend because it’s public information that can be had via a Freedom of Information Act request through the government. I don’t even use the name of childhood pets since my dad registered our dogs with the American Kennel Club. Imagine trying to guess where I work when I say Livermorney or I’m Headmaster or Defense Against the Potions Teacher at Hogwarts with Professor Loony Lovegood! LOL!

      EFL, ELA, History, Civics, and Social Studies Teacher

      https://www.facebook.com/kurt.steinbach/

      http://www.linkedin.com/in/kurtdsteinbach

      To me, there is no such thing as a student who cannot learn. All students can succeed, and as a teacher, it is my place, my goal to give them the tools to succeed....

      Our problems are man made; therefore

      1 user thanked author for this post.
    • #2706908

      How are credit card companies able to determine that your credit card must be frozen and a new one issued?

      • #2706914

        they don’t do it perfectly, but they track where you are making purchases, etc.  so, if you reside in PA, and a purchase is made in KY, they may LOCK the card and send you a transaction inquiry (on phone, etc), and you can reply and say it was OK, or “I DID NOT MAKE THAT transaction”, and then determine if card needs reissued

        another thing they are doing is locking (temporarily) the card for large dollar transactions, especially from BestBuy.  has happened to me couple times.  then notice comes across, I tell them it is OK, and they unlock the card.

        ALSO, if you are anticipating a large purchase, you can NOTIFY them ahead of time, so they are aware, and don’t lock the card.

        also, they have TRAVEL alerts, so if you are going away for a week or so, you go to the web site, add a travel alert, so that when you get to your destination, and use the card, far less chance of it getting locked on you

        • #2706945

          I also had a fraud alert when someone made a test-ping for under $2.00 USD from London, England, when I had never been there.

          -- rc primak

          1 user thanked author for this post.
        • #2707214

          I got a fraud alert by text from my bank earlier this year when someone in Kuwait tried to start an account for smartphone service using my credit card number. It was probably pretty easy for the bank to flag the first transaction from that provider since I have never been to that part of the world and never had any previous transaction for anything from over there. When I saw that text I immediately called the bank and after probably fifteen minutes of Q&A to prove I was the actual cardholder, I told the person I was speaking to that the transaction was definitely not mine and he told me that they had already blocked it from processing and would immediately issue me a new card. There wasn’t even a question about doing that, they simply did it. I got the new card two days later. I was very happy with the way my bank handled this.

          1 user thanked author for this post.
    • #2706911

      Thanks for writing this, Susan. Hacking and data theft and the consequences thereof are always on my mind. I have yet to hear of someone’s getting unhacked once compromised.

      I would add that maintaining as low an online profile as possible is good preemptive practice. Google, Microsoft, Amazon (and others) harvest and monetize personal data. There are alternatives to all three of them.

    • #2706923

      For those in the UK, the Land Registry runs a Property Alert scheme whereby you sign up with details of any property that you own, and you will get an automatic email notification if any enquiry is made on that property. You also get an email every six months if no enquiries have been made, confirming that. You can cover up to 10 properties, so even if you only have one yourself you can monitor the situation for e.g. elderly relatives etc.

    • #2706953

      After having my bank account cleaned out by an identity theft scheme I now am careful to monitor transactions and have set up notices for any unusual activity on my accounts. Unfortunately protecting yourself is only half of it considering how many companies and third parties have personal information of you. Almost everyone has at least some personal information floating around the dark web.

      1 user thanked author for this post.
    • #2706972

      Very good article on a very timely topic!

    • #2706983

      Check with your county Office of the Recorder of Deeds. My county offers the alert for free: whenever someone is searching your title they notify you. Not all counties offer the service.

      4 users thanked author for this post.
      • #2706991

        Doylestown PA has this service.  BUT, read the disclaimer of the searching agency.  you are holding them harmless, no litigation, etc, etc, etc.  it is a multipage disclaimer agreement.  just to get notice that there was inquiry/action on your deed.

        yet Philadelphia has similar service, with no such agreement.

        1 user thanked author for this post.
    • #2706982

      Susan – Thanks for posting this very timely advice! I’ve just gone through this same exercise following the NDB breach notification – it made me realize it was time to take some serious preventive action if my SSN is out there!

      It might be good to compile and post a list of all the protective actions we can take in addition to credit freezes. For example last year someone mentioned on an Askwoody thread about getting an IP PIN from the IRS so no one can file a tax return fraudulently under your SSN. You can also sign up for an ID.me account which the IRS and SSA accept as proof of identity. There’s the excellent advice about using a good password manager to generate complex passwords everywhere, and also using 2FA wherever possible. I had no idea how many hack attempts were being made against my Microsoft account until I stumbled across their account security page which lists them all!! Yikes!! I’ve even got “approve this login request” prompts when I didn’t try to log in!!

      You can’t be too safe these days – I like the old saying “it’s not paranoia if they really are out to get you”!

      Peter

      1 user thanked author for this post.
      • #2707005

        I’m the one who wrote about the 1040 PIN  https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin  Very few of my clients have signed up for it.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2707017

          Just FYI, if you e-File your return you must select a 1040 PIN for it to be accepted by the IRS.

          1 user thanked author for this post.
          • #2707040

            @noads, That’s not the same as an IPPIN.  In order to obtain an IPPIN the taxpayer must have an account with the IRS and sign into that account before an IPPIN will be generated for the taxpayer.  The way it’s supposed to work is that once a taxpayer has obtained an IPPIN no return will be accepted unless that IPPIN is provided.

            If I understand you correctly the 1040 pin selected by the taxpayer in connection with e-file was simply an identifier, not a security barrier.  In my opinion an IPPIN should be obtained as soon as possible and certainly long before the taxpayer files returns to minimize the window of exposure to fraudulent filings.

            3 users thanked author for this post.
            • #2707071

              Not sure about it being a security barrier, but if I go to the IRS site to access info about my prior returns I have to enter the PIN I selected or it won’t allow me in.

            • #2707137

              The point is that the 1040 pin is created at the time the return is e-filed.  The user decides the pin and the IRS has no knowledge of the selection until the e-filing is completed.  A bad actor could e-file a fraudulent return with their own 1040 pin BEFORE you file your own return.  That’s why I don’t consider it a security barrier.

              An IPPIN is supposed to prevent a bad actor from filing a fraudulent return with your identity information.  The IRS issues the IPPIN to you independent of the filing process.

              1 user thanked author for this post.
          • #2707073

            Currently we generate a PIN code that we just “make up” and efile with the return.  The IRS Identity PIN is a number you get uniquely to you that is sent to you and has to match up with what they expect it to be in order to efile.  I don’t think we’re talking about the same thing.  This is a stronger authentication process.

            Susan Bradley Patch Lady/Prudent patcher

            2 users thanked author for this post.
    • #2707007

      As an aside – stumbled on this video

      https://www.youtube.com/watch?v=GHF9kNwRyh4

      The important part of a card is that chip.

      Susan Bradley Patch Lady/Prudent patcher

      2 users thanked author for this post.
      • #2707348

        The important part of your ATM/Debit Card as an identifier is indeed the chip.  Chip security can be defeated, but it’s a daunting technical challenge.

        -- rc primak

        • #2707453

          Exactly! As someone who has worked in Retail, is a U.S. Navy Veteran, and has done Private Security, the most reliable way to copy or steal Credit or Debit Card data is a Skimmer. They look just like real PIN Pads. The RF IDs of the past constantly put out an RF ID signal, which is why someone near you could steal the information right off the card. Modern Chip security does not transmit Debit/Credit Card information until you put it into the PIN Pad or swipe it right across the surface within a foot or less. It may be a daunting technical challenge, but it is possible, or you or the thief could just use a Skimmer. Downside, when the Skimmer is discovered, the thief probably won’t be able to get it back, but it gathers the data of swiped cards and transmits it. Many transmissions being sent around checkout at a Retail Store, especially Home Depot, Kroger, Target, Walmart, Cash Saver, Aldi, Publix, and other establishments with multiple PIN Pads say in regular checkout and self-checkout. If your Debit or Credit Card has the Visa, Mastercard, AmEx, Discover, or Diner’s Club logo, you may not be liable for fraudulent charges. . . .

          EFL, ELA, History, Civics, and Social Studies Teacher

          https://www.facebook.com/kurt.steinbach/

          http://www.linkedin.com/in/kurtdsteinbach

          To me, there is no such thing as a student who cannot learn. All students can succeed, and as a teacher, it is my place, my goal to give them the tools to succeed....

          Our problems are man made; therefore

          1 user thanked author for this post.
    • #2707012

      Some County Recorder offices in our state offer free email notification services for any recorded changes to a property.  It’s a nice service that allows you to receive alerts, and hopefully if there’s some type of shenanigans going on you can nip it in the bud.

    • #2707011

      Like others, thank you for this timely interesting article; a good read. I was just involved in what you described, and that’s a daunting experience, and I am a lot less sanguine about my skills and my “suspicion” detector. Best, Carl

    • #2707055

      “Even if you haven’t had an identity-theft alert and are in the US, review the recommendations at the Federal Trade Commission’s IdentityTheft.gov site. And to keep yourself informed in advance, take a look at the FTC’s Recovery Steps page. Then ask yourself, “Am I prepared to take all the actions listed there?””

      I would need an AI to take care of all this!

      2 users thanked author for this post.
    • #2707059

      “One thing that sounds excessive but can be quite effective is “freezing” your accounts at the major credit-reporting agencies — the top three being Experian, Equifax, and TransUnion.”

      Doing this is a real PITA.  Consumers should be able to institute a freeze across all credit agencies through a single interface and at one time.

      Write to the FTC and ask for this functionality if you support this.

      1 user thanked author for this post.
    • #2707061

      You can also request a detailed report from LexisNexis.  It’s amazing the amount of info that is publicly collected and available about you.

      Access Your LexisNexis® Consumer Disclosure Report

      See what information about you is maintained in our files by requesting a Consumer Disclosure Report. The report includes items such as real estate transaction and ownership data, lien, judgment, and bankruptcy records, professional license information, and historical addresses.

      https://consumer.risk.lexisnexis.com/consumer

      6 users thanked author for this post.
    • #2707066

      Susan, the Recorded Future free account that must be created (to access the free tools you mention in the article) has to be linked to a business email address. Just FYI.

      2 users thanked author for this post.
    • #2707096

      Just sharing another idea to consider, do beware of the risks involved in DNA testing. As with anything where we share our information with other companies, we have to hope that they keep our privacy intact. Oftentimes that is just not the case. When our DNA gets hacked, new perils can arise. The Major Geeks website has an educational editorial titled:

      The Dark Side of DNA Testing: What the 23andMe Breach Means for Your Privacy – By Corporal Punishment – No Date Found – Summary:

      “The recent 23andMe breach shows us just how vulnerable genetic data can be. DNA isn’t like a password you can change—it’s permanent. This breach highlights the growing importance of protecting your genetic information as it becomes more valuable to hackers. Take steps like using encrypted communication, understanding your privacy rights, and carefully selecting DNA testing services, you can enjoy the benefits of genetic discovery while staying vigilant about the risks.”

      4 users thanked author for this post.
      • #2707105

        “What Can Hackers Do with This Information?

        Genetic data alone might not immediately lead to identity theft or direct financial loss, it adds a new layer of vulnerability. The implications of the Breach could be far-reaching, especially as technology advances in the medical and genetic fields. Hackers could misuse the information for extortion, identity theft, discrimination, or creating highly targeted phishing attacks. As DNA data is essentially a permanent identifier, unlike passwords or credit card numbers, it’s impossible to “reset” or change, making breaches of this nature particularly concerning. While hackers can’t “hijack” your life using your DNA—at least not yet—the combination of personal data and genetic info opens doors to more advanced and targeted cyberattacks.”

        This is pure FUD!

        There is nothing that can presently be done with DNA data in terms of identification or  misuse.  Until they can make clones based on your DNA data, I wouldn’t worry.

        I originally had my DNA typed back in 2011 with 23andme.  Since then I also had it done at Ancestry and have uploaded to numerous genealogical sites when I was conducting a search for my real father (eventually successful but he had passed by the time I discovered who he was).  Along the way, I built a family tree with 3k people.

        I have also participated in MANY medical research studies where I have given blood and other samples and which I signed consent forms for them to do DNA typing and share the results.

        Again, there is almost nothing to be worried about at this time.

        I say almost because there is one real exposure.  Under the GINA act, companies cannot use DNA data for hiring or  health insurance decisions.  HOWEVER, they can use it for other types of insurance, such as life & disability.  If you have taken a DNA test and are asked questions related to it on such an insurance application, you are bound to acknowledge the information in the report.

        See:
        https://www.perplexity.ai/search/what-does-the-giona-act-protec-EYeanScOQrKzmT_uoJsZUw#0

        • #2707351

          There is nothing that can presently be done with DNA data in terms of identification or  misuse.

          Tell that to all the people who had their DNA involuntarily included in police and other law enforcement dragnets over the past few years, all without any warrants or probable cause filings.  There is no way that all those dragnets didn’t “catch” some innocent people.

          I say almost because there is one real exposure.  Under the GINA act, companies cannot use DNA data for hiring or  health insurance decisions.

          Just because the law says they can’t openly do it, does not mean they don’t actually do it. Same with every other type of discrimination, much of it based on physical appearance. There have been studies done about how face to face interviews reinforce the interviewers’ pre-existing biases. Knowing something, even if you can’t legally “use” it, does influence hiring decisions. And academic admissions decisions.

          -- rc primak

          5 users thanked author for this post.
          • #2707805

            Tell that to all the people who had their DNA involuntarily included in police and other law enforcement dragnets over the past few years, all without any warrants or probable cause filings.  There is no way that all those dragnets didn’t “catch” some innocent people.

            So you’re against closing cold cases and catching criminals?

            • #2708314

              It has to be done legally and constitutionally. Warrants and other judicial reviews, not wholesale dragnets without user consent. A EULA is not sufficient notice.

              Better yet, people who don’t want themselves or family members to be falsely accused should not participate in any publicly available DNA database, unless required for employment or other legitimate purposes. Again, with legal safeguards included.

              At least in the USA, we are a nation of laws, not unwarranted searches.

              -- rc primak

              2 users thanked author for this post.
    • #2707097

      Susan:

      Great article. You said: “For my firm, I have the business credit card configured to send both texts and emails to me for every transaction. That might seem like overkill, but I’ll know instantly if anything looks off.”

      I have the same for my personal bank account. I set a $100 minimum for being notified, but your choice for every transaction is probably safer. Mine was recently scammed for a $4000 airplane ticket to the UK. My bank put a hold on it when I didn’t instantly respond to their email. But it was a real mess getting all my web addresses that used my credit card fixed.

      And although my bank said they would send my replacement via UPS and require a verified signature, they actually just sent the replacement card as regular mail! Anyone who touched the envelope could feel that it contained a credit card, and then I would have been in trouble again. Sometimes the banks are their (and your) worst enemy when it comes to protection.

      One thing you didn’t mention is to look at every website you normally access with a password, and see if they have your credit card info. Sometimes they ask for the card number ‘just in case’. I am removing the card number from all such websites.

      Harry

      2 users thanked author for this post.
      • #2707154

        using same credit card –  when it gets hacked, you are right, it is a pain changing all them at the web sites.

        I use CitiCard, virtual card numbers.  you go online, generate a virtual card, it is tied to your main card, but you give the virtual card (up to 2 year expire date available) (and can add daily spending limit on it), and you give that to the merchant online.

        if the merchant gets hacked and that virtual card number was with that merchant, then you just need to change that merchant’s virtual number, and not your main number, and don’t have to go to all the other web sites and change them.

        BUT, if your main number gets hacked, then still the same situation, have to go and change them all…

        2 users thanked author for this post.
    • #2707139

      Some banks offer card controls via their mobile banking app – these differ between debit and credit cards. On my debit card, I can reduce the contactless payment from the maximum allowed in the UK (so if you only ever use contactless on a card for small items like coffees, you can reduce it).
      On my credit card, I can freeze 4 classes of transactions – Gambling, cash machines, online and telephone and “contactless, chip & PIN” (which includes Apple and Google Pay). Since I have control over these via the app, I can change them at any time. So for a card that I don’t normally use in cash machines, I keep that facility frozen. There are some limitations, but these are explained.

      I also use another online bank that lets me use a “one off” card for transactions – in other words, it generates a card number and details which are only valid for a single transaction. I use this for any transactions that I am dubious about.

      Naturally the app is well protected. A further little known fact is that you can set up greater checking and validation with the bank – as I discovered after a fraud had been detected and prevented, but the fraudsters then telephoned the bank pretending to be me to try and use the new card. So I now have an extra set of challenge/response verbals for security when discussing things with the bank.

      1 user thanked author for this post.
    • #2707168

      I’d like to add 2 other places where you can “freeze” your information: Credit Reporting company INNOVIS https://www.innovis.com/ and the bank clearing house CHEX SYSTEMS https://www.chexsystems.com/.

      8 users thanked author for this post.
    • #2707393

      Thanks for all the tips, we have been doing most already but I’ll have to check into the debit card story with my bank.
      Have packages signed for: It’s been my experience that recently postal workers and Fedex drivers are content with signing for my designated signature only deliveries.
      Go figure, is the world really in such a hurry.
      Another thing I have done is create an IRS account, I figured it was better for me before a hacker tried. I understand it helps with those early fraudulent 1040’s filed against your ssn.

      I need to follow up and get the special one of pin for my future filings with IRS.

      Thanks for the articles.

    • #2707438

      I’d like to add 2 other places where you can “freeze” your information: Credit Reporting company INNOVIS https://www.innovis.com/ and the bank clearing house CHEX SYSTEMS https://www.chexsystems.com/.

      I tried to create an account with Innovis so I could more easily monitor my credit report, but I could not. I successfully created login accounts with Equifax, Experian, and TransUnion, despite some ambiguous instructions and “dark patterns” trying to steer me toward subscription products. Innovis, however, was a hard fail.

      Creating an Innovis account requires them sending a 2FA code to your phone. That is their one and only means of authenticating you. The catch is you cannot give them your phone number. Innovis will only use a phone number pushed to them with creditor reports. If you do not have a phone, or have recently changed phone numbers, or if creditors do not include customer phone numbers amongst the data they report to the credit bureaus, you are flat out of luck. (Not every creditor reports phone numbers. For example, my Chase credit cards apparently do not.)

      Even phone calls to a Customer Service Rep and, after escalation, to a “Supervisor” were futile. Both flatly reaffirmed I would not be allowed to create an Innovis account. Further, both stated there is no alternate method of authentication for persons without an acceptable phone number.

      In fairness, I would not expect Innovis to just accept a phone number from any random caller, as that would be an obvious security loophole. However, the flaw is Innovis not having any alternate means of authentication at all.

      In my case, the phone number I have used with creditors for the past 44 years has been my residential land line number. Even though I have mobile numbers as alternates with some creditors, the mobile was not configured as primary, so the land line is the only phone number Innovis has.

      After retiring, we sold our house and moved to a different state. I no longer have access to that old phone number. Thus, the Catch-22: I cannot create an account without an “acceptable” phone number, and I cannot update my phone number with Innovis.

      The only hope would be to identify a creditor that reports phone numbers to Innovis (not all do), and update my primary phone number with that creditor, and wait for them to update Innovis (it’s up to the creditors, so there’s no time frame for that), and wait for an additional “cooling off” period (a couple months) before Innovis would eventually concede that number to be an acceptable 2FA conduit.

      The lesson for others is to create your login accounts now, before you lose your phone, or lose access to historical phone numbers or mailing addresses that may be on your credit bureau record. If I had created an Innovis account before moving two years ago, I would not be in this stalemate now.

       

      3 users thanked author for this post.
      • #2707804

        And another problem with phone numbers is Google Voice and similar VOIP numbers.

        I use my GV number as my primary.  I have had 6-8 phones over the past 12 years and each one has a different “hardware” number.  Using GV solves the problem of changing phone numbers when I purchase a new phone and also not having to remember a new number.

        However, I recently discovered that PayPal will no longer accept my GV number as the means to contact me for 2FA.  There isn’t any message produced, it just fails to work, getting stuck in an endless loop.  PayPal’s foreign customer support is clueless on the matter.

        Now, when I login to PayPal to purchase something using the service, I have to have them send an email instead to verify me.

    • #2707504

      My checking account at a major bank was repeatedly & frequently breached – money stolen.  Each time, I closed the account & opened a new account.  I also always set up alerts for any transaction so I could review them right away.

      I do all the transactions with this particular bank online & never use their ATMs so, after yet another breach, I told them I don’t want a Debit Card with the new account.  It’s been many years since & no more thefts.  While I can’t be sure having a Debit Card was related to the thefts, I’m also not sold on the Debit Card adding much to an account’s security – unless maybe it’s been “locked”, as mentioned in the article?

      PS – one of the thieves was caught & prosecuted.  The detective I worked with said the thief admitted to using inside bank employees to obtain account information – he also claimed to average $7k/day between financial fraud & narcotics sales. (Could afford a good lawyer & was released on bail & into the wind before eventually being captured again several months later!)

       

       

      4 users thanked author for this post.
    • #2725515

      One heck of a good article!
