Do you know where your identity has been?
To ensure that their personal information isn't hijacked, consumers need to protect themselves. Here are some tips to help keep your data out of the wrong hands.
"Who steals my purse steals trash," wrote William Shakespeare in "Othello."
These days it's the other way around. Steal somebody's trash, dig out his old credit card bills and tax documents, and you're well on the way to emptying his purse, and making his existence a living hell.
It's called identity theft.
Real money is at stake, and lots of it -- more than $50 billion, according to the Federal Trade Commission.
As always, crooks go where the money is, and where the pickings are easy. Information about people -- from Social Security numbers to computer passwords -- is all too easy to get, thanks to careless consumers and businesses.
The recent rash of security breaches at data centers makes many realize it's a bad problem -- though not as bad as we sometimes think.
According to TowerGroup, a Needham consulting firm, most of the estimated 10 million cases of identity theft cited in 2002 were standard credit card and check forgery scams.
Fewer than 200,000 were serious attempts to duplicate someone else's identity, in an effort to get new credit cards, driver's licenses, or passports.
Still, that's more than enough to worry about, especially considering the immense impact of these crimes. Victims are often presumed guilty and must spend lots of hours and dollars to prove their innocence and clear their records.
State and federal lawmakers are rolling out legislation to toughen the penalties for identity theft and to force companies to lock down their customers' private data.
Better laws might help, but only to a point. We've got to protect ourselves.
Don't worry about shopping or banking on the Internet. Instead, worry about shopping and banking -- period.
According to Your Credit Card Companies, a coalition of credit card issuers, only 11 percent of identity thefts involve the use of the Internet. The bad guys are more likely to be retail workers who secretly copy your credit card data or "dumpster divers" who ferret through piles of trash for old phone bills and credit card statements.
The Internet isn't the problem -- every reputable Web company uses end-to-end encryption for business transactions, so there's virtually no way your data can be stolen in transit. Look for a padlock-shaped icon at the bottom of your Web browser -- the symbol that your transaction is being encrypted.
But what happens to the data once they're stored on the company computers?
A new study from the Enterprise Strategy Group of Milford found that 65 percent of financial services firms don't store data in encrypted form, meaning they don't scramble the information to protect the data. The same goes for 67 percent of healthcare companies and 77 percent of government agencies.
It doesn't matter whether the company got this data through the Internet, over the phone, or in person.
If a computer thief breaks into a machine full of unencrypted information, he can swipe files on tens of thousands of people in a few hours.
"Look at some of the things that have happened at some of the biggest names," said Adam Levin, chairman of Identity Theft 911, an Arizona security firm. "Who would believe that a company like Wells Fargo would lose a computer with credit information?" But that's exactly what did happen to the huge financial services firm in November.
There's no easy answer to this problem, which can only be fixed if thousands of businesses and government agencies toughen their computer network security. State and federal legislators are getting involved, offering bills that would slap tough financial penalties on companies that don't do enough to protect their customers' data.
Checking your credit
Most identity thieves are after your money, or your good credit rating, which they can use to run up bills in your name. You can protect yourself by keeping a sharp eye on your own financial network.
Review your bank statement regularly. Make sure you recognize every withdrawal, check, or debit card purchase. Do the same for all your credit cards. Make sure you call the bank or credit card agency if you see anything that's out of line.
It's also a good idea to get copies of your credit report from the nation's three credit reporting agencies -- Equifax, Experian, and TransUnion. A new federal law requires these companies to provide free reports once a year to anybody who asks for one.
The companies have set up a website -- www.annualcreditreport.com -- to deliver these reports. This service is running in only about half the country; reports for New England are supposed to be available this fall. While you wait, you can order a free report from each of the companies by phone or mail, or you can subscribe to services that will mail you regular credit report updates.
If you've been victimized by identity thieves, it's a good idea to ask the credit reporting agencies for a "fraud alert."
This tells the credit reporting agencies that you've recently been victimized. If someone applies for credit under your name, the reporting agencies will have to telephone you before giving your credit information to a merchant or bank. This prevents a thief from getting credit in your name.
File for an alert with one of the three agencies, and it will notify the other two.
A standard fraud alert lasts for 90 days. You can get an extended alert that lasts seven years but only if you file a report with federal, state, or local law enforcement stating that you've been victimized by identity theft.
You can get more details, including the phone numbers of credit reporting agencies, at the Federal Trade Commission website, www.consumer.gov/idtheft.
Broadcasting your identity
If you're using a wireless computer network at home or at work, it's transmitting your data to any other computer within range. The network even announces its presence to other machines -- a flagrant invitation to bad guys.
Once someone's connected to your network, he may be able to gain access to data on your computer, or he could collect your personal information when you broadcast it. There have even been cases in which spammers have used other people's wireless networks to send junk mail.
All the more reason to secure your network. Give your wireless router a hard-to-guess password. Don't use the default password, don't use your pet's name or your kid's name. The ideal password is gibberish -- one that's not a real word and that combines letters and numbers.
Your router also broadcasts its own electronic "name," called an SSID. The SSID usually identifies the brand of router, which makes it easier to find ways to break in. So change it; feel free to use your kid's name, if you like. It'll do no harm here.
Also, make sure that all computers attached to the network have file-sharing turned off, or at least password-protected.
And use the router's built-in encryption system. It's easy to do -- just follow the instructions that come with your router. Remember that the encryption settings for the router must also be added to the wireless cards on all your other machines. Otherwise, these machines won't communicate with the router. Older wireless devices use a not-very-good encryption system called WEP, which is fairly easy to crack. You might want to upgrade, because newer hardware uses WPA, a much tougher system to beat.
The devil inside
Your own computer could betray your most sensitive secrets if it's infected with spyware programs that collect passwords or credit card numbers. Lots of computer infections are actually Trojan horse programs that sneak aboard machines and snoop on their users.
That's why anybody who goes online should have a good antivirus program, such as Symantec's Norton Antivirus or McAfee VirusSafe. Many Internet providers have begun offering such software for free, but it's worth your while to buy it.
You also need firewall software, which can detect illicit programs trying to "phone home" and deliver their stolen information. Microsoft's Windows XP software has a primitive firewall, but you're better off with commercial firewall products. Again, Symantec and McAfee make good ones. There's also ZoneAlarm, free for home users at zonelabs.com.
Finally, be sure to get a spyware scanner, which is designed specifically to root out these nasty programs. Microsoft makes a good one, available free at microsoft.com. Also use the free Ad-Aware program at www.lavasoftusa.com. Spyware is harder to detect than viruses, and different spyware filters will sometimes find programs that others miss. So run two or more spyware scanners at least once a week.
None of these precautions will help if you don't use common sense. "Phishers" send legitimate-looking e-mails, supposedly from reputable businesses, which ask for credit card numbers, Social Security numbers, or account passwords. Never respond to an unsolicited e-mail asking for such information. Contact the company yourself and notify it that it's being phished.
A thief who doesn't mind getting dirty can harvest lots of personal information from the old bills and receipts you throw out with the trash. So chop your records to bits with a good paper shredder. By "good," we mean the kind that reduces the pages into tiny, unreadable fragments.
The cheaper shredders just cut paper into long strips. Believe it or not, some crooks will actually tape these strips back together to read your documents. So don't just shred your documents -- grind them up.
Grind up your CDs as well. Lots of us burn CD backups of sensitive files, but throw them away, letting any crook fish them out of the trash. Go to the trouble of encrypting your files before copying them to disk.
Or you can just buy a CD shredder. Stand-alone units are available, or for $200 or so you can get a double-duty device that'll devour disks and papers alike.
Hiawatha Bray can be reached at email@example.com.