Stolen SSN, Credit Bureaus Alerted , Now What?

privacyIntruded asks: "Recently I was informed by a former employer that a computer containing my name, address, drivers' license information, and social security number had been hacked. Though they do now know what, if any, information was accessed on the computer, they recommended I place a fraud alert on my credit report. To my relief, after placing the alert, I received credit reports that look fine. Now what? Assuming that someone does have the information, do I just wait for the day when someone uses the information for fraud, then hope I can minimize the damage when it is? Is there anything I can do to reduce the risk?"

buy more stuff from them.

[JVert]

I'm sure your info has been leaked before, they just didn't tell you. So go back and buy more stuff.

Re:buy more stuff from them.

[pdx_joe]

I believe more information is leaked then we know about. Not necessarily by the "bad guys." I work in a University Computer Lab and use the paper in the recycling bin for scratch. I pull out student's administration papers with their name, SSN, address, DOB. All written and thrown in the bin by students themselves. It would be easy to copy these down and apply for a credit card. People in general need to be more careful with their information. l

Re:buy more stuff from them.

The real weakness is not that people throw away paper with their SSN, DOB etc. on, but that anyone uses that information as authentication rather than identification.

The SSN is great as a unique identifier (at least, for Americans and foreigners who work & pay taxes in America), but saying "my SSN is 123-45-6789" is no different from saying "I'm this particular Dave Jones".

The flaw is that when you fill out a credit application, companies blindly accept that the information you supply is true. An obvous fix would be to register and update your address in the SS database, and require that any company that receives an application for credit etc. with your SSN sends a report to your address of record. Now the bad guys have to compromise your mail (possible, but harder than just copying a number). Add in the possibility to have reports mailed to multiple addresses, emailed etc., and you've just about won.

You still have to ensure that only the SSN owner can change the address records, which probably means fingerprint scanners and photo ID in SS offices.

New Credit Card Number

You can always call your credit card company and tell them you lost your credit card. They will gladly send you a new one with a different number.

Re:New Credit Card Number

[WhatAmIDoingHere]

"name, address, drivers' license information, and social security numbe"

Why does he need a new credit card?

Re:New Credit Card Number

[Nos.]

The concern isn't his credit card number, its that someone will use his SSN, driver's license, etc. to apply for a NEW credit card, or some other fraud. Keep an eye on your credit record is the best bet. If anything suspicious comes in you mail, like a note from a new credit card company the warning lights should come on.

News for nerds??

[woobieman29]

I really think that you are looking for information in the wrong place. Contact the credit bureaus (Experian, etc) for information, and then google for other organizations that deal with identity theft to get some pointers. Sure, someone here may have had some experience with this, but realistically asking this on Slashdot is about as appropriate as asking the dudes on "Queer Eye for the Straight Guy" to help you overhaul your transmission.

Good luck anyway - I hope that nothing bad happens to your credit.

Re:News for nerds??

[magefile]

asking this on Slashdot is about as appropriate as asking the dudes on "Queer Eye for the Straight Guy" to help you overhaul your transmission.

Or, more accurately, about what to do if someone mugs you (i.e., uses your pants as a vector to steal money).

well

[schnits0r]

I recently had my informatiuon used against me (1800$ fanished from my account over night, which put me in a bad position as I was about to leave for vacation in 2 days). Anyways, the money was taken from where I was 3 months prior, so if this happened recently, I suggest you change what is feasibly changeibile before it bites you in the ass in a few months after you forgotten about it.


Inform people this happened, so they don't become victims too. If something had been used already, talk to whoever is in change (if your bank acocunt has been broken in to, the banks will often give you a paper to sign saying they will incur any damages as long as you don't sue them).


There may also be a victim support group somewhere to attend if you are mentally distrought, but since you are on the internet, I'm sure you have gotten around to accepting you ahve no privacy by now.

Here is a list

[justanyone]

Here is a list of what you should do immediately:

1. Invent a new set of 4 passwords. Make them impossible to guess, 8 chars with upper and lowercase, NOT WORDS!, and at least two nonsequential numbers. Something like "FjW7zk2a". Don't practice typing them until you fix your box (see below). Create a paper list of them, memorize them well, then once you can remember them easily for 2 weeks (vital for long term memory), destroy the list or put it in a safe deposit box.
2. Invent a further password that you can use all the time, that you know to be a 'dumb' password that you use to log into websites like slashdot or imdb. Make sure you only use the dumb password for dumb applications, and the good ones (above) for stuff like signing in to your online brokerage or bank's transfer-money-type-website.
3. Fix your box or get a new one. Make sure it has Norton or MacAfee Antivirus on it, plus a good firewall, plus AdAware's SpyAssasin (recognized as best by most of my group of IT/InfoSec friends). Only when your box is secure should you do any online activity.
4. Call your credit card companies and request a new card from each of them. Tell them you believe your card number has been compromised and wish a new card.
5. While you're on the phone with your credit card companies, tell them you add an additional password to your account that they must request and you must provide whenever you talk with them. Chase and Discover at least both do this and have honored my request for it. This adds quite a bit of new security to your account.
6. Visit your bank, and close your existing accounts. Transfer the money to at least two new accounts. One of those accounts should NEVER EVER have any EFT (electronic fund transfer) transactions into/out of it. If your bank allows it, request that the account type prohibit that kind of activity. The other account should be an everyday checking or savings account that you can have the EFT's done with.
7. You mentioned contacting the credit bureaus and having a fraud listing attached to your account. This is good; it is free and effective.
8. If you currently have a Debit card, cut it up. Ask your bank for a card that ONLY does ATM transactions and nothing else. You are NOT protected if a debit card is stolen or misused - your money is GONE. Credit card companies protect you from paying more than $50 if a card is stolen / misused.
9. Re-read your last 6 months of credit card bills. Make sure you understand each charge on it. This allows you to have the familiarity to immedately spot fraudulent charges on your bill(s) and thus to react more quickly if there is a problem.
10. If you feel it necessary, there are companies out there who will do credit reports daily (if not the credit bureaus themselves) and email you if there is any significant activity (new accounts opened, etc., something goes to a collection agency, etc.). This service will probably cost you about $200 per year or so, but might be worth it for your peace of mind.

Just some ideas. Best of luck to you.

Re:Here is a list

[Judg3]

If you currently have a Debit card, cut it up. Ask your bank for a card that ONLY does ATM transactions and nothing else. You are NOT protected if a debit card is stolen or misused - your money is GONE. Credit card companies protect you from paying more than $50 if a card is stolen / misused.

Not true. See here. Granted, credit cards have a broader umbrella then debit cards, but there are protections in place - the Visa and MC "zero-liability" apply to debit cars these days as well. It's tougher to dispute a debit purchase vs a credit purchase, but's its definately doable.

Credit cards. Under federal law, if someone steals your credit card you're only responsible to pay the first $50 of unauthorized charges. And, says FTC lawyer Carol Reynolds, if you notify the issuer before the thief makes any charges, you may not be out anything. You're also free from liability if unauthorized purchases occur when the card is not physically present, say in an Internet purchase, she says.

Zero-liability policies, like those offered by Visa and MasterCard, add a second layer of protection. Under these programs you won't pay anything if someone fraudulently uses your credit card online or off.

Debit cards. The rules are similar for debit cards, but there are a few restrictions. For example, your liability under federal law is limited to $50, but only if you notify the issuer within two business days of discovering the card's loss or theft. Your liability could jump to $500 if you put it off. And even this cap is lifted if you wait more than 60 calendar days from the time your bank statement is mailed.

Federal protections are a bit more generous if a thief just steals your debit card number (and not the actual card), but you still have 60 days after receiving your bank statement to report any unauthorized transactions.

The Visa and MasterCard zero-liability policies also apply to debit cards, but only to non-PIN transactions. If a thief steals your card and your PIN, the federal rules are your only defense.

For additional protection check your homeowners or renter's insurance policy. Most cover up to $500 for losses from unauthorized card use.

Also, get a new SSN issued and have the old marked as fradulent. It will prevent any new credit cards or loans being created in your name and destroy your credit

Re:Here is a list

[Judg3]

Ah, alright - thanks for setting me straight there. I had always just naturally assumed it was possible, now I know different.

Re:Here is a list

[the_cowgod]

Huh, that's not what the Social Security Administration says:

Getting a new Social Security number

If you have done all you can to fix the problem and someone still is using your number, we may assign you a new number. We cannot guarantee that a new number will solve your problem.

You cannot get a new Social Security number if:

* You filed for bankruptcy;
* You intend to avoid the law or your legal responsibility; or
* Your Social Security card is lost or stolen, but there is no evidence that someone is using your number.

Re:Here is a list

[NanoGator]

"Not true. See here [kiplinger.com]. Granted, credit cards have a broader umbrella then debit cards, but there are protections in place - the Visa and MC "zero-liability" apply to debit cars these days as well. It's tougher to dispute a debit purchase vs a credit purchase, but's its definately doable."

I was under the impression this was under the discretion of the bank you're with. Am I mistaken? (Note: The context of your link is about federal law...)

Re:Here is a list

[Judg3]

Debit cards fall under the Electronic Fund Transfer Act, see more info here.

Personally, I think the credit card companies have a lot to do with people thinking they have zero protection. Granted, a debit card isn't as safe as a credit card, but it's not as risky as a lot of people like to think.

Re:Here is a list

[ComputerSlicer23]

Actually, that's not true. I know for a fact that you can get new SSN's. If you can show that the identity theft is bad enough, they will in fact issue you a new SSN.

Furthermore, there is a rule that if you and another family member in your immediatly family have a SSN that differs by only a single digit, the gov't has to let you request a new one. (Notice, that's a single digit, not numerically next to each other). In my family, we have 3 out of 4, but they end in 07, 09 and 10 (actually, now that I've re-read the rule, we might qualify, they say sequential). So we nearly qualified for the rule. Having the first 7 digits and a last name match does create problems for credit reporting companies. Did I mention that there are 5 kids in my family, and we all have names that start with "K". They skipped the 08 one intentionally so that we would not not have sequential ones. So I'm not sure if I am interpreting the rule correctly or not.

http://www.lawsmart.com/ssfaqs/sscards.html

That even references the documentation for the form that you request to have your SSN number changed.

http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/en duser/std_adp.php?p_sid=A5OT3Wmh&p_lva=77&p_li=&p_ faqid=79&p_created=955483070

That link has my session in it, the FAQ is FAQ id 79, and is in the Social Security Number and Cards, the sub-category is General- SSNs and Cards. If you look around you'll find it. The following are the criteria:

• Sequential SSNs assigned to members of the same family
• Certain scrambled earnings situations
• Certain wrong number cases
• Religious or cultural objection to certain numbers/digits in the SSN
• Misuse by a third party of the number holder's SSN and the number holder has been disadvantaged by that particular misuse
• Harassment, abuse or life endangerment situations (including domestic violence)

If I didn't have nearly perfect credit, I'd apply to change it just because there are members of my family who know my SSN, whom I wish didn't. Members of my family are nearly indistingishable on the phone from me. Even by other close relatives.

I'd like to see the reference material on non-special SSN's that get re-issued. The SSO has special procedures to ensure that they aren't re-issued for long periods of time after someone is dead. According to the FAQ, no SSN has ever been re-issued (some of the 000-XX-XXXX specials get reused). The SSN has only assigned 450Million of the 1Billion available. In the FAQ search for an entry with the word "died", it'll be one of the first few.

Got any more urban legends you'd like me to debunk?

Sorry that I can't provide direct links, but the site doesn't give them back. You have to have the cookies and goop hooked up to it.

I read up on the rules about SSN's at great length when slashdot posted the story about the man who doesn't have an SSN. There are all sorts of neat rules about them. The IRS is a serious pain to deal with because of it, but it can be done.

Kirby

Re:Here is a list

[demonlapin]

The ultimate danger is not that you can't contest a debit-as-credit (i.e., non-PIN) transaction. It's that you'll have written, say, your monthly rent check yesterday. The thief wipes your balance today. Your landlord deposits the check tomorrow. Presto, you have written a bad check. Good luck getting that wiped off every credit bureau report in the future. It's theoretically possible, but every case I've ever heard of has been a flaming pain in the backside to fix, especially if you've sent multiple checks out (like paying your bills).

Re:Here is a list

[Lordrashmi]

My bank is good about this, because checks will automatically (and freely) overdraft from my savings while my debit card will not.

I always keep 200 in my checking for my debit card, the rest stays safely away in savings.

In three months

[raider_red]

In three to six months, get a fresh copy of your credit report from the credit bureau. Also, see this site about ID theft issues. It provides a pretty good cheat sheet for what to do in your situation.

I had the same thing happen to me last year. We had a break-in at the firm which handled my last company's payroll, which later turned out to be an inside job. Fortunately, I haven't had any problems, and I hope you don't either.

I can help you figure out what to do . . .

[Mordant]

All I need in order to help you is your name, address, driver's license information, and social security number. ;>

Equifax Identity Theft Protection

[Corpus_Callosum]

Purchase Equifax Identity Theft Protection. Not only will they notify you by email any time your credit report changes (e.g. new credit being taken out, etc), but they will insure you in case something happens.

I recommend that everyone does this these days. Your information is out there and easily collected by those that want it. Your information IS NOT safe.

Re:Equifax Identity Theft Protection

Idiot, that's like purchasing protection from the Mob. The only fix is a national identity card based on provably-secure biometrics with a provably-secure, authenication-based transaction scheme. These are only some of the fundamental flaws within current financial systems... it's circa-1970's technology controlling your money without any real transactional integrity being run by some money-grubbing "credit bureaus" that profiteer by charging you for your own info they keep, where the scoring scheme is a secret. Then, they have the gaul to ostensibly sell so-called "identity theft protection" !!! Identity theft would be reduced to almost zero if the system were fixed!!! But, it's not going to happen until "consumers" complain loud enough, because the gov't is reactionary.... and politicians don't want to piss off their prime campaign contributors.

-----------------

"Those who do not understand politics will become a victim of it very soon."

Re:Equifax Identity Theft Protection

[Munk]

I have to second Equifax as being a good company for identity monitoring. I use the Equifax Gold Credit Monitoring service for my wife and I, and it is great. Sure, it costs us $20 a month for the both of us, but I'm sure it will more than pay for itself the first time we have our one of our identities stolen. I like the fact that it notifies you within 24 hours via email if somebody pulls your credit report. Last month we refinanced our house and the morning after the bank pulled our credit, I got an email saying it was pulled and who pulled it. Had this been fradulent activity, then I would have found out months earlier than if I didn't use this service.

Wrong.

[DAldredge]

I wish you would not make shit up. Here is what can be done to get a new ssn.

The SSA has a new publication on what to do When Someone Misuses Your Number discussing Identity Theft in general terms. It says If you can prove that you're being disadvantaged because someone used your Social Security number, visit your local Social Security office to request a new one. If you've done all you can to fix the problem and someone is still using your number, under certain circumstances, we may assign you a new number. which seems not to promise anything, and to leave the discretion in the hands of the local office. They do recommend that you file a report with both Social Security Fraud Hotline at 1-800-269-0271 and the FTC.

Where do you work?

[breon.halling]

You wouldn't happen to work at the Bush Campaign Offices, would you? =)

What to do When Your SSN is Compromised

[tbmaddux]

Unforuntately it looks like you have done all you can. According to Identity Theft And Your Social Security Number on the SSA website, you have to have evidence that someone is currently using your number before they will issue you a new one. One way to determine that is to check your social security statement, but I doubt anything will turn up here as fraudsters are unlikely to use your number to report earnings. SSA also recommends the flagging of your credit report, as you have already done. The Federal Trade Commission suggests the same (fraud flags) but also suggests filing a police report.

For those of us not as unlucky as the original poster, there is a lot of information available at EPIC

You've already done what you need to do....

[foniksonik]

You processed the fraud alert...

You are done... now it is up to your credit companies to deal with unlawful inquiries... you put them on alert that you may have unwanted access happening.

If they want to minimize their own risk they will issue you new cards, etc.

you have reported... you can now request new cards and move on....

that's it... fairly simple...

-james

I dispute your #8 as wrong...

[way2trivial]

it can be a MAJOR BITCH to enforce but your bank has to give you the same protections on a visa debit card, as a visa credit card, not as a matter of law, (which requires you pay the first 50$) but their contracts with visa..

see the visa's zero liability policy The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network--online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.

If your bank won't treat it as such, you can write Visa, and they'll work on it.

Just a few more things

There are two types of credit fraud alerts: one is a 90-day fraud alert and the other is a 7-year fraud alert. The latter is only allowed if you have had your identity stolen (so you qualify). You must explicitly ask specifically for a 7-year fraud alert or the credit bureaus will give you a 90-day one. There's more paperwork required for the 7-year fraud alert too. It's well worth the effort - once in place, no one can extend credit without contacting you by phone and getting your explicit permission.

In some states, e.g., Texas, you can get what is called a credit freeze. This locks out credit applications and is probably worth the effort to obtain.

Be patient and don't worry. There's really nothing that can be done to you that cannot be undone with a little time and paperwork. I used to worry and go ballistic after I suffered identity theft. But then one day I heard a lawyer speaking about it and he made the point that, when fraudulent purchases or applications are made in your name, it is (at most) necessary that you file a letter (to the foolish firm who extended credit to an imposter - not to the credit bureaus) explaining that the application/purchases were fraudulent. That made me rest easy.

Check your credit reports from the major credit bureaus (Experian, Equifax, Trans-Union and the new one, ChoicePoint) every 6 months. Write letters to all firms that received fraudulent applications for credit, explaining that the application was fraudulent and not made by you. It is by law their responsibility to then properly update the credit bureaus' reports. Keep copies (one folder for each account) of your letters and be persistent but patient.

The credit bureaus will not change a credit report at your request - they only will change it in response to a request from one of your (supposed or real) creditors. So don't get irritated at the credit bureaus. While they are not your friend (after all, they invented this silly system without asking anyone's permission and ought to be sued by the government for malfeasance), they are not your enemy.

Easy, commit identity theft on yourself!!!!

Identity theft on ones's self? Is it even possible?

Of course it is. Find other people to fill out and sign applications in your name, at other addresses. Make sure no fingerprints are on it. When the cards come, go get the cash advances with your cohort. Just make sure you aren't in the ATM camera's view. If your accomplice takes off with the card, it's easy to cancel it.

Since your SSN situation is kinda fucked at the moment, why not turn lemons into lemonade?

What to do.

[Mysticalfruit]

1. Get a new SSN number. Seriously.
2. Goto the bank and have them transfer your money into new accounts and have them issue you new a ATM/debit card and checks.
3. Also have your bank restrict the types of EFT's that can be done to your account.
4. Have a new credit card issued and ask that your account be assigned a password.
5. Contact the company that your 401k and have modify your account so that only in person can any withdrawls or wiring of money can occur.

SSN and Imports

[codeguy007]

It's going to get harder to prevent people from getting your SSN number. It's now required on anything imported by you. So if you purchase a $30 cd-burner from Canada, you now has to supply the vendor with your SSN number so he can ship it to you.

It use to be that was only required on shipments over $1000 but now it's required on all shipments. So you government isn't helping the situation.

Re:SSN and Imports

[mamba-mamba]

Can you provide some backup documentation for this claim? It sounds like complete BS to me.

MM
--

Re:SSN and Imports

[codeguy007]

I wish it was BS.
Fedex Note about it

Re:SSN and Imports

[Eschatus]

I guess that no Canadian company is getting any of my business, then. It amazes me how people just roll over to this kind of bureaucratic branding. I've personally chewed out many companies for asking for an SSN for me to do business with them. They don't get one, and I've never had a company refuse my business(non-financial ones, that is).

Change your SSN

[msoftsucks]

You can go down to your local SS office and ask for a new SSN. This is painful, time consuming and difficult because you will need to notify all of the businesses that you used the old SSN ligitamiteley (such as credit cards, mortgages, loans etc.) They may reject the change, but then if you get into a bigger pickle with identity theft, you can hire a lawyer and sue SS.

The biggest thing to watch for

[budgenator]

The biggest thing to watch for is a change of address on your credit report, it means that someone has opened an account and the statements are going to someplace you aren't, bad sign.

Mistaken Identity is probably a bigger problem than Identity theft, there is a woman localy, who's first name, last name and middle initial is the same as my wife's, who's SSN is one digit different, who's driver's license is one digit different and she seems to like bouncing checks and not paying taxes or hospital bills.

SSNs are NOT unique

[tomhudson]

The SSN is great as a unique identifier

The SSN is not unique to each individual. http://www.epic.org/privacy/medical/ssn_letter.txt

Fourth, from a technical viewpoint, the SSN is not a good identifier. It is not unique, there are multiple users of a single SSN, and the absence of certain technical features makes it difficult to determine whether a random nine-digit number is in fact an SSN. The use of the current SSN as a patient identifier will likely lead to record misidentifications that could otherwise be avoided.

Don't take my word for it - check out the list of people who signed this letter

Marc Rotenberg, Director, CPSR Washington office
Professor Eric Roberts, Department of Computer Science, Stanford University; President, Computer Professionals for Social Responsibility (CPSR)
Janlori Goldman, Director, ACLU Privacy and Technology Project
Evan Hendricks, Chair, US Privacy Council
Sheri Alpert, author, "Medical Records, Privacy and Health Care Reform"
Michael S. Baum, Chair, EDI and Information Technology Division, Section of Science and Technology, American Bar Association
Professor Mary J. Culnan, School of Business Administration, Georgetown University
Simon Davies, Director General, Privacy International
Jack Esbin, Secretary, Association of Computing Machinery
Professor Oscar Gandy, Annenberg School for Communication, University of Pennsylvania
Marc Greidinger, plaintiff in Greidinger v. Davis
Chris Hibbert, Chair, CPSR Palo Alto Civil Liberties Working Group
Professor Lance Hoffman, Department of Electrical Engineering and Computer Science, George Washington University
Jim Horning, Systems Research Center, Palo Alto, Digital Equipment Corporation
Larry Hunter, Chair, CPSR/DC
Professor Gary Marx, Director, Center for the Social Study of Information Technology, University of Colorado
Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International
Amy Pearl, Member of Technical Staff, Sun Microsystems
Professor Henry H. Perritt, Jr., Villanova University School of Law
Professor Priscilla M. Regan, Department of Public and International Affairs, George Mason University
Virginia Rezmierski, Information Technology Division, University of Michigan
Professor Ron Rivest, Laboratory for Computer Science, MIT
Professor Rohan Samarajiva, National Regulatory Research Institute, Ohio State University
Barbara Simons, Chair, ACM Public Policy Committee
Robert Ellis Smith, Publisher, Privacy Journal
Professor George Trubow, John Marshall School of Law
A. Joe Turner
Fred W. Weingarten, Executive Director, Computing Research Associates
Paul Wolfson, staff attorney, Public Citizen Litigation Group

You may also want to read this (Computer Professionals for Responsible Society) http://www.cpsr.net/oldsite/externalSiteView/cpsr/ privacy/ssn/SSN-addendum.html

... Many people assume that Social Security Numbers are unique. They were intended by the Social Security Administration to be unique, but the SSA didn't take sufficient precautions to ensure that it would be so. ...

Read how the ssn is encoded: http://www.koolpages.com/hokuspokus/ssnumber.html

The problem is not limited to SSNs - other identifiers that people think are unique are often duplicated.