Friday, June 12, 2015

Assume Your Social Security Number Is Already Out There

I’m going to briefly depart from my typical retirement finance post to talk about ID theft and retirees, who are frequent targets of this crime.

A few weeks ago, the IRS informed me that someone had filed a federal tax return for last year in my name and claimed a tax refund. In my case, the fraud have been discovered and IRS had not yet paid the bogus refund, as they apparently have for several hundred thousand or so other fraudulent filings. My real tax refund, tiny though it was, arrived unimpeded a few days later.

The way the scam basically works is that the criminal gathers enough of your personal financial data to electronically file a 1040-EZ and claim a tax return. The IRS is working with the electronic tax return filing industry to put better safeguards in place.

My wife freaked out when she heard. I didn’t. The difference was in our expectations.

“Some criminal has our Social Security number!” she pleaded.

“True,” I replied, “but it’s safe to assume that it’s been out there for quite a while."

News stories appear almost daily about massive security breaches. This one at the IRS. A few weeks ago it was the bank that issued my credit card. Target’s database was compromised by criminals gaining access through their HVAC service company. There’s a really good chance that your financial data has also been compromised and, at any rate, it’s safest to assume that it has been.

If ID thieves had rubbed a magic lamp in the mid-twentieth century and had been offered one wish, it would have been "tie every individual American's sensitive financial information to their Social Security number forever." Unfortunately for the rest of us, they didn't need a lamp.

A website called Information is Beautiful justifies its claim by organizing a history of major breaches in this fabulous display. See any merchants or websites there that you have used?

This brings up an important point. We worry that someone will access our home computers, tablets or smart phones and steal our financial data. While that is possible, it’s a lot easier to get our financial data by stealing millions at a time from Target than it is to sit around a coffee shop waiting for someone to log onto their bank account. The latter is actually a lot easier to protect against, and why pick up crumbs when the entire delicious cake is right there for the taking?

While the IRS works on ways to prevent fraudulent returns, there are some steps that retirees (or anyone, really) can take to secure their credit. I placed a freeze on credit reports at the three credit agencies, Experian, Trans Union and Equifax. Now, no one can use these agencies to approve loans or open new credit accounts in my name or my wife’s without my knowledge. The cost of placing, removing and replacing a credit freeze varies by state law, but there are exceptions for free credit freezes for seniors, minors, documented ID theft victims, etc.

The Federal Trade Commission explains how to place a freeze here.

Be sure to freeze the credit of both spouses!

There are valid considerations for not freezing your credit, as explained in this post by Consumer Reports.  If you take out new car loans or apply for credit cards, you will need to remove the freeze and that can take several days. As the Consumer Reports article mentions, it may be easiest to find out which credit agency your car dealer uses and temporarily lift the freeze at only that agency for only that dealer (or a few).

My household's days of applying for new credit cards is long past and unfreezing my credit a few days before I buy a car every few years isn’t a burden compared to the peace of mind the freeze brings. And if having to unfreeze credit a few days before buying a car stops one of my relatives (you know who you are) from continuing to trade cars on impulse so he or she can later wallow in buyer's remorse, all the better.

Freezing our accounts included the unexpected opportunity to request that the agencies never again allow my credit history to be accessed by someone offering pre-authorized credit cards. This should cut by junk mail problem in half.

Another possible solution is to use an “Identity Theft Protection Plan” like the ones reviewed in this Huffington Post article entitled, "Do Identity Theft Protection Services Work?"

Most are not free, although when major breaches occur like the one at Target, the breached company frequently offers a year of such a service free to their customers who may have been exposed. To make my point, I currently have three such services monitoring my credit paid for by three different companies that "may" have offered up my personal credit information to hackers.

A credit freeze protects us from thieves opening new accounts but it doesn’t protect existing accounts. ID Theft services supposedly cover both. Fortunately, most credit cards and debit cards don’t hold us responsible for fraud if we report it in a timely manner. Debit cards, however, can handle the response to fraud claims in a less convenient manner than credit cards. 

The conversion of American credit cards to chip-and-pin technology is largely underway and offers a higher level of credit card fraud protection that has been available for a decade or more in Europe and Asia. You may already have a card or two with the embedded computer chip. Now, we have to wait for a zillion American merchants to convert to chip-and-pin readers and systems that actually use the chip. Then, as a side benefit, when we travel to Europe, we won't have to look like someone out of the 1980's whipping out a stack of traveler's checks.

My recommendation to retirees, given the likelihood of fewer new credit accounts to be opened, is to implement a credit freeze at all three major credit agencies. Again, instructions on how to do so can be found here. For younger households that need more frequent access to credit reports, a credit freeze may be more burdensome, but possibly worth the extra effort. 

And, of course, take advantage of your free annual credit report and review it carefully. To avoid free credit report website offers with strings attached, use the official one promoted by the FTC. It's free, as in free.

And lastly, I recommend that you assume your private and sensitive financial information has already been hacked.  Even if it hasn’t been, you’re safer assuming that is has.
Check out my next post, "Have You Already Been Hacked?"


  1. I asked the ID Theft Service why they gave my account the "all clear" just days after fraudulent activity was detected on my credit card and the account consequently closed. They responded that they can't access current accounts, which is understandable. But that means they're primarily watching just my credit report and that isn't nearly as useful. On the upside, Target is paying for it and not me. And now I know the "all clear" signal isn't as comforting as it sounds.

  2. Dirk--
    Very useful article! We've had credit freezes for the past 6+ years but your article prodded me to see if any expire in Pennsylvania. According to Consumer's Union online, all credit freezes expire after 7 years in PA. However, when I called the 3 major credit bureaus, only TransUnion required steps (and $10 per person) to renew for another 7 years; the other bureaus said that credit freezes placed with them do not automatically expire in PA or elsewhere. So much for uniformity...

    Also, with your retired status and keen financial acumen, do you really buy cars on credit, as suggested in your article?

    1. When the interest rate approaches zero I do!

      Thanks for the info. Turns out it's all free under North Carolina state law. Readers should check the links above for your state.


  3. I like the chip-and-pin cards which we've had for donkey's ages. But the only time we've been defrauded was in the chip-and-pin era. Phone call "Have you or your wife been in the Subcontinent lately, sir?" "Only to change planes in Delhi, and that was years ago." "So I may take it that you've not bought jewellery in Sri Lanka this week?"

    We have a pretty good idea where the fraud was perpetrated: as soon as we mentioned it in a local shop we were tipped off that a particular filling station was notorious for the crime. We pay only in cash there now.

  4. Freezing my credit sounds good. However, don't insurance companies check my credit yearly upon policy renewals? What about switching the electric utility company for the service generation portion of my electric bill which I often switch every 4 or 6 months, if I am lucky 9 or 10 months, for better rates)? If I have to pay for a temporary lift of the freeze this seems like it is a pain plus an expense. I am conflicted as my credit reports don't indicate problems which I order a new one every 4th month.


    1. Tom, those are good questions. Wish I had short answers. After a little web research, it appears that in many states there are laws that provide exceptions for insurance companies and others to get access to your credit information even with a freeze. Probably the easiest way to find the answer is to get a copy of your credit report and see if your insurer or utility company requested information in the past. Whether or not you have to pay a fee is also state law. As I mentioned, it's all free in North Carolina. The links I provided should provide the information for your state. Please let us know what you find and what state you reside in.

      Great questionn Thanks for raising the issue.

  5. Canada has effectively prevented tax refund fraud by requiring forms to be mailed in with verifying information, such as a void bank check, in order to set up your account for getting direct deposit of your refund. This bank account is what gets used for all of your various government deposits. The IRS has only required that you provide a bank routing and account number, which anybody can generate.

    Security is a state of mind. Your society is either willing to execute some minor steps (such as Revenue Canada's, chip and pin credit cards, encrypted files in servers, etc.) or not. The US has taken the attitude that the government and companies have to do little to protect individual's information (other than HIPPA) and it has the right and obligation to intrusively collect it to boot (NSA per Snowden's and others revelations).

  6. Coincidentally, Brian Krebs recently posted an article on his security blog called "How I Learned to Stop Worrying and Embrace the Security Freeze."