YNAB Podcast Episode 56: How to protect yourself from identity theft. | YNAB

YNAB Podcast Episode 56: How to protect yourself from identity theft.

Hello YNABers. My name is Jesse Mecham and this is podcast number 56 forYou Need A Budget, where we teach you four rules to help you stop living pay check to pay check, get out of debt and save more money.

Last week was significant because the United States found out that we’re keeping our President for another four years – and that’s pretty much all I have to say about that. But it was a big week. And man, I’ve got to be honest, I’m kind of glad that we’re going to hear different news for at least a little while – it has nothing to do with today’s podcast.

But I am excited, VERY excited to have an expert in identity theft on as a guest today. His name is Robert Siciliano and he knows his stuff. He is the author of ’99 Things That You Wish You Knew Before Your Identity Was Stolen'; he is – how do you say this company’s name? – McAfee… Will someone please give me the pronunciation on that? McAfee. That company has been around for so long, I still don’t know how to say that name. Anyway, he consults for them. They’re big into security – computer security, viruses and all that. Over the last 29 years Robert has studied white collar crime, cyber crime, identity theft, martial arts and self-defense. So you’ll hear more of his back story when I give you the interview, but his goal is to educate and empower audiences, and help us stay smart and keep our families safe from potential physical or virtual attacks in today’s world. And it just doesn’t seem like… I don’t know, it just happens all the time.

I had a lot of questions going into this interview and I honestly felt a little bit powerless, and Robert provided info that made me feel pretty darn good. He’s appeared on Anderson Cooper, the Today Show, CNN, MSNBC, CNBC, Fox News and Inside Edition, and just a ton of others that I won’t list. But without further ado, let’s learn a little bit about how we can outsmart the thieves and protect our identities from being stolen. You will be happy to know that it is not NEARLY as hard as you think. Here we go…

J: Alright, I’m on the phone with Robert Siciliano of robertsiciliano.com. Robert, thanks for helping on the podcast today.

RS: Thanks so much.

J: This is… I’m pretty excited to discuss this, because this is a topic that’s near and dear to my heart. I have never been a victim of identity theft, but it’s just becoming more rampant; and since I’m in the financial arena I felt like we had a lot of people that would do well to hear what you have to say. So, just really quick, just kind of tell me how you got into speaking on this and… you’re an expert on it, so I’m just kind of curious about your back story a little bit.

RS: Sure. I’ve been involved in issues revolving around personal security since I was a kid; and personal security essentially is securing the person from violence and theft. And back in the day – ’80s and ’90s – my focus was on preventing predators from hurting you – robbing your home, mugging you, and then sexual assault, things like that. As I grew older and as technology became a significant part of my life and everybody else’s life, personal security evolved into the virtual world as well. So now I speak to all things violence and theft prevention, both online and on the ground.

J: I see. Every day it seems I hear some news story about credit card numbers being stolen and some server being accessed, some company saying, “Hey, we’re going to do this without,” or pay for identity theft for all these people whose names were exposed – it’s just growing crazy fast. It’s insane.

RS: And it’s one of those problems that unfortunately isn’t going to get any better anytime soon. It’s going to continue to get worse. And we just saw – just last week or a couple of weeks ago – in South Carolina there were 350,000 or so Social Security numbers that had been leaked. This is the situation we’re in. We live in a data-based society, and that means that our information isn’t just in one database, it’s in hundreds if not thousands of different databases and filing cabinets; and everybody that has access to those databases has access to our personal information. And then, of course, those same databases are becoming huge targets by criminal hackers looking to cash in on our personal information.

J: Yes. I remember… I became more aware of this, I read a book a while ago – you may even be aware of it – called ‘How to be Invisible’ by a guy named J.J. Luna – well, that’s his pseudonym – but it kind of clued me in on just privacy and just being more aware. And I was trying to practice that, and I was surprised at the resistance that I got from people on the other side of a transaction. So I’m out… one incident I was at some department store and they asked me for my phone number, and I pushed back and said, “Well, why do you need my phone number?” And then were upset with me for enquiring about why they were enquiring. Have you seen that? I mean, what do you tell people in those regards? Is that something that’s pretty common?

RS: Yes, and the funny thing is is that clerk or whoever it was you were speaking to, he doesn’t even/she doesn’t even know why they need the phone number. They have that set up in their system – it’s part of their sales and marketing process, it’s part of the way in which they identify you and the products and services that you buy and so forth – and that clerk essentially is told by his or her superiors that they need that information. And by you not giving it to them, it just makes their job that much harder. But in the end, it doesn’t serve you any better to give up that information because it’s just one more way that sales and marketers can get to you, and they know that much more about you. In the end, what kind of harm can that do, by giving out your phone number? Probably not much. If anything, it will cause annoyances for you down the road.

But I’m a firm believer that – and some… and many will disagree with this – that privacy essentially is an illusion; that it’s not privacy that you should fight for today so much that it is your security that you should fight for. It’s more so not that they have the data, it’s what they can do with it that can hurt you in regard to your financial life: essentially new account fraud – bad guys opening up a new account under your name; or account takeover – taking over existing accounts that you own and basically draining those accounts. So those are my two big concerns, really, from a security perspective. Privacy certainly is a problem, but really security is the ultimate issue.

J: That’s a great way to put it, because honestly, when I read about protecting your information I feel like it’s impossible. And so it leaves me overwhelmed and then I take no action. Where you’re kind of coming at this and saying, “What can they do with this information that they will get, and how can you protect yourself from that?” I like that – that’s more empowering, to be honest.

RS: You know, the data that they get that can ultimately hurt you financially is your Social Security number. And when your Social is compromised, and when they get it and they use it against you, essentially they’re opening up new financial accounts under your name – they’re getting a new loan, they’re getting a new credit card, they’re using that Social to get credit in your name with a mobile phone. And when they do get that credit, they go for a period of time without paying the bill and eventually that goes on your credit report, and that soils your good name. It soils your credit standing in society, and today we judge a person based on their credit. If you have bad credit, you are irresponsible in the eyes of society – and that’s a problem.

So, getting your Social can hurt you through opening up new accounts. And then of course they get your account information, like a credit card number, a bank account number and so forth, user names and passwords; and then they can take over your existing accounts. Your credit card in your wallet – they get that number, they take it over, they make unauthorized charges. If you’re not paying close attention to your statements, which many people don’t – you know, it’s amazing how many people don’t actually reconcile their statements and let charges go through and they pay the bill – that can hurt you financially as well. So it’s those two things – new account fraud and account takeover – that we mostly have to be concerned about, and there’s ways to deal with and respond to both in different ways.

J: So what’s the most… that is the most critical piece of information that we safeguard? is that the Social Security number?

RS: Yes, without a doubt. It is our primary identifier; it’s the key to the kingdom; it’s your national ID. And the thing about a Social Security number is that it was never meant to have as much responsibility as it does today.

J: Absolutely.

RS: It carries a tremendous amount of weight. Back in the day – late ’30s – when they developed the Social Security administration, the Social Security number was for just that one purpose: to pay your Social Security benefits. So you paid into that account over the course of your life, and it wasn’t until really the ’70s and ’80s – more so the ’80s – that banks and creditors and the IRS and everybody else started to use your Social Security number as that de facto ID. It wasn’t until the late ’90s that babies actually started to get Socials at birth – so that’s a new thing. It’s only been the past 15 to 25 years that we’ve really heavily, heavily relied on the SSN, and it was never meant to be this private number that you protect and you don’t give out and you keep secret. But now, you know, you have to kind of shield it; you have to keep it below board. But you can’t because every time you give it out to an insurance agent, to a doctor’s office, to whoever, it’s one more opportunity for the bad guy to do something with it.

J: Absolutely. And I think a lot of times people make the mistake – I know I have… Another experience I had in trying to be more diligent with my information is I was booking a room to do a speaking thing, and the lady – I’m sitting across from her, face to face – and she says, “Can I get a card and we can reserve it?” And I said, “Absolutely,” I thought that was fine. I thought she’d have a machine that she was going to swipe the card through, but she just pulled out a form and started… you know, was going to write down my credit card number on this piece of paper; and I really had to push back. And it got a little awkward, but I just told her, “Hey, I’m really not comfortable with this. Can we do it any other way?” And so we figured it out, but she felt like I wasn’t trusting her. But what I was really doing was I don’t trust… I don’t know who I can or cannot trust, and she may be perfectly honest but the guy in the office next door knows exactly where those papers are filed and they never shred them and all that stuff. So it’s just one more leaky place to stick an important number.

RS: True. And here’s the thing about credit cards. So, I use my credit cards often, probably at least two or three times a week if not more. I don’t generally use cash if I don’t have to.

J: I’m the same way.

RS: And I just pay my credit card bill every single month and then I reconcile my charges nice and easily. So, here’s the thing about credit cards. I tell people when they ask me, “How do I protect my credit cards?” and I say, “Listen, don’t worry about protecting your credit cards.” I say, “Any time anybody wants that number for whatever purpose, whatever reason, for you to make a purchase in any way, shape or form, give them the number and don’t worry about it. Just swipe the card, write it down, give it out over the internet, give it to them over email, whatever you want to do – give out that credit card number.” And here’s the thing, because you can’t protect it; no matter what you do you can’t protect it. You hand it to waiter/waitress/gas station attendant, they’re going to be able to get the numbers off the credit card, whether they write it down or whether they skim it. It doesn’t matter because the numbers are printed on the card, right? Anybody can see it.

And so what your real responsibility is is not to protect the card, but really just to pay attention to your statements. Every single month, or really every couple of weeks, you really should look at your credit card statements online, making sure that you authorized each and every charge. And as long as you’re doing that and paying attention to your statements, in the event that there’s an unauthorized charge you just refute that charge and they will take it off the bill. That’s generally all you can do anyways, but as long as you’re paying close attention you’ll be fine.

J: Okay, it’s much more manageable. On the Social Security side and the new account fraud, are we just talking about freezing… is it a credit freeze? Is that the phrase?

RS: You know, I’ve been doing this now for over a decade and I’ve probably done 1,000 radio shows and spoken to hundreds and hundreds of journalists, and I’d say maybe two or three of them mentioned to me about getting a credit freeze. So, congratulations on that! It’s one of the things where… it’s one of those tools where everybody should have but nobody wants you to know about it. The credit bureaus don’t want you to know about it, the creditors don’t want you to know about it, the banks don’t want you to know about it. Anybody that’s in the business of granting credit does not want you to know about a credit freeze, because essentially when you have a credit freeze it takes you out of the business of getting credit. It takes you out of the credit-driven society that we have, at least temporarily. With a credit freeze you cannot get instant credit because… you can’t walk into Best Buy and just get that $5,000 plasma on instant credit because your credit’s frozen.

J: Got you.

RS: So it takes a little more planning when you have a credit freeze to make big purchases. So my mum, for example; she buys or leases a vehicle every three to five years, and every three to five years she rings me up and says, “Oh, Robert, I need to get a car again and you need to do that credit thing you do,” and so I have to thaw her credit temporarily, and then within a week or so it automatically freezes back up and she’s fine. And that’s it. I don’t have to worry about my mother’s identity getting stolen because her credit is frozen. Same thing with me, same thing with my wife and my kids and everything else. Credit’s frozen across the board. That’s what you want. You want to have a frozen credit so the bad guys can’t open up new accounts under your name.

J: Okay. Now, I used to… no, I do still. I subscribe to LifeLock and I know there’s been some controversy on… you know, I haven’t followed it too much, I just kind of set it up and honestly forgot about it. Is that… Are they essentially just having me pay for them to do the freeze on my behalf?

RS: No. So, identity theft protection services today, the majority of them do pretty much the exact same thing. They all pretty much have an engine working in the background that does this. So, for example, you supply the identity theft protection service with your Social Security number, and they plug that into their system; and the back engine of their identity theft protection monitors your Social. So, any time that you or anyone else uses your Social to open up a new line of credit somewhere, that identity theft protection service probably will be notified of it. Through their system, they would get some type of a hit, some kind of a notification that so-and-so’s Social Security number is being used to open up a new American Express card in Albuquerque, New Mexico. And so at that time, as a subscriber to that identity theft protection service, you might get an email, you might get a text message, you might get something in the mail saying, “At this given point in time your Social is being used to open up an American Express card in Albuquerque, New Mexico. If you did not actually process this application yourself, give us a buzz, let us know so we can shut that down before it becomes a problem.”

So, there’s a technology out there that basically has… it’s in the process of every new account application for mobile phone companies, for utilities, for most of the major creditors, and before that application I fully completed, that Social is checked against your name, your address, your credit report, your age. So there’s a number of factors that are tied into your Social that this technology looks at and recognizes, and it scores that application and that transaction based on the information provided in that application on whether or not there’s potential fraud there.

J: I see. So the credit freeze is prevention of even having a notification created, it sounds like.

RS: You got it. That’s it, exactly, right. A credit freeze basically stops it all at the beginning. They can’t even use that Social to even access your credit because your credit is frozen; it’s done, it’s locked down. So identity theft protection without a credit freeze, identity theft protection allows the fluid process of you being able to access new lines of credit at any given point in time that you want. That’s what that’s for. In addition to that, identity theft protection services offer restoration in the event your identity is compromised, and generally that means in the event that their service fails.

So, you really have to pay attention to the fine print on that as well. But for $100 a year/$150 a year, it’s generally worth it, especially for kids, because children under the age of 18 can’t really freeze their credit, and identity theft protection really is the next best thing for them.

J: I see. So what’s the process for freezing my credit? How do I do that?

RS: So, the best thing to do is to do a search online for “state security freeze laws” – four words – “state security freeze laws”. And generally, at the top of search you’re going to find consumersunion.org – and if it’s not consumersunion.org it might be listed under financialprivacynow.org. It’s basically the same website. It’s not for profit, and when you click on that link there will be a website that you’ll… a web page you’ll access that will have a map of the United States, and you just click on your state and you’ll download a PDF file that essentially is the laws regarding a credit freeze for your state. In addition to that, you’ll see a download for a PDF that will have an affidavit and everything that you need to fill out, documents to send in to Experian [?? 0:20:03] and [?? 0:20:04] on getting a credit freeze. So, everything that you need via doing a search for “state security freeze laws” via consumersunion.org is right there. And you just fill it all out, send it all in. You need to send a copy of your Social Security number, which is fine – give it to them; give them a copy of a utility bill or two to verify your address; and they’re going to want to check.

So a credit freeze, depending on your state, is free if you’re a victim of identity theft; up to as much as $15 per credit bureau. So, the max you’re going to pay is $45 to freeze your credit and you’re done – and I think that’s a pretty good deal. And if you want to thaw off your credit, if you want to open it up and get a new line of credit, when you freeze your credit they send you a document in the mail within a couple of weeks with a username and a password and a website that you visit to thaw your credit when you want to get credit. So, it’s just… it takes a little bit of planning. So you want to go lease that car – you thaw your credit and then you go to the dealership a day later and your credit will be thawed. And then for a week or so it will be open and then it will automatically freeze a week later.

J: Wow. This does sound pretty easy.

RS: Yes, it is. Yes. I did it years and years and years ago when it first came out in 2008, and it was a little bit more cumbersome. They made a lot of mistakes, they didn’t have the paperwork or technology in order, and I had to redo it a couple of times. But today it’s much easier, it’s much more fluid, they have it together, and I recommend that everybody freeze their credit across the board.

J: I like that. So regarding your… I mean, that’s kind of the action that everyone listening to this podcast is… I’m hoping they’ll take. They’ll say, “Okay, I can do that,” and $45 is well worth it unless you’re leasing a new car every month it might be a bit of a hassle.

RS: And here’s the thing. I’m 44 years old. I’m in the house I’m going to be in for quite some time, I’m in the vehicles I’m going to be in for quite some time, I have my Visa, I have my American Express; I don’t need new lines of credit. And in the unlikely event that I do – which happens every one or two years, you might go to refinance your home or whatever – you just thaw it. It’s a once every one to two to three year process, and the older you are the less credit you need. And the younger you are, the more vulnerable you are. So I just think that everybody should freeze their credit.

J: Awesome. So, tell me, I mean, what do you… I know you go around and you speak, you’ve been on all sorts of news stuff, but can anyone… I mean, your website – robertsiciliano.com – they can check out for more info; and I saw you had a book on… Was it on Amazon that you have a book?

RS: Yes, it’s called ‘The 99 Things You Wish You Knew Before Your Identity Was Stolen’. So if you just go to my website – robertsiciliano.com – you’ll see “new book”, you’ll see stuff right on the home page, everything that you need to access that book.

J: Cool. Yes, it says $11 on Amazon, so the amount of info that… I mean, identity theft, I’ve never been a victim but you hear stories, and so it seems like the value proposition of spending a few bucks and a little time to freeze your credit, maybe looking at the ID protection services for your kids, sounds like it’s well worth the little bit of investment to save yourself mountains of headache.

RS: Yes, and read my book! Because it goes beyond just identity theft protection. In today’s day and age we rely on technology every day for something. I don’t know anybody at this point that doesn’t have a Smartphone, an iPhone or an Android or a Blackberry. That right there is a little computer, and that has a lot of your personal information in it. And then think about all the information that’s on your desktop or your laptop or your Mac. There’s enough data there generally to steal your identity. And in my book that’s what I talk about – all the different ways in which the bad guy can get access to your information, and all the different things you need to do to secure your digital technology; the difference between spyware and malware and ransomware, and what typosquatting is and cybersquatting is; and all these different terms and all these different scams that you need to be aware of. And the more… Knowledge, of course, is power, especially in your financial life. Right? And the same thing in your security life. If you up your security intelligence, the better off you’re going to be, the better chance you’re going to have of fighting off the bad guy.

J: What’s the number one mistake people make with their information?

RS: They think that nobody wants it. “Why would a bad guy want to come after me?” And that really is just denial and being lazy – that’s what that boils down to. They think that, “It can’t happen to me,” and so they don’t really do anything about it. They don’t invest in any antivirus, anti-spyware, anti-phishing and firewall. They don’t update that license when it says, “Hey, there’s a pop-up here that says it’s time for you to renew your license for your antivirus.” They don’t invest in a credit freeze. They don’t think about these things, and they don’t educate themselves – and you have to do that today. You know, tell your kids not to talk to strangers and then here they are on social media and they’re talking to these people all over the world. I work with McAfee. We just did a study and the recent study showed that more than one in ten kids are actually communicating with complete strangers online and then meeting them in the physical world.

J: Oh my gosh.

RS: So there’s a lot to know about our digital lives today, and the less you know the more vulnerable you are. And it’s one of those things, like you HAVE to do this. You don’t really have an option of not knowing what’s going on out there today. You can’t just throw your hands up in the air and say, “Okay, I’m overwhelmed. I’m just going to do nothing.” Inaction is not an option.

J: I like it. I love action and I love that it boils down to basically some really simple things you can do to kind of halt the criminals in their tracks. So, awesome. Man, this is good info. It was an overwhelming topic for me because I was thinking of trying to plug holes, but what you’re saying is, “No, just stop them at the final spot.” I like it – you’ve put me at ease.

RS: Good. And you know, a lot of things that you hear, don’t worry about. Like don’t worry about the privacy stuff. DO limit the information you put on social media; like DO limit… you don’t want to speak too much about your personal life on social media and here’s why – and this is what I mean when I say that. Think about password resets for certain accounts. So when you answer those questions, “Where did you grow up?” and “Where did you honeymoon?” and your mother’s maiden name and your kids’ names and your pets’ names and your birthplace and all that stuff; if those are the answers to the qualifying questions or the password reset questions and you post all that stuff on social media, that’s a problem. So, I try to keep that stuff more business; especially being somewhat of a public figure and so forth, you want to keep that stuff a little somewhat innocuous, not giving out too much information – for everybody, for that matter. And so just keep that in mind. Just be aware of what you’re posting and think of, “How could a bad guy use this against me?” Otherwise, you want to just talk about how you just ran a 10k, great; but just be cognizant, “What can a bad guy do when I’m posting right now?”

And then, you know, as far as giving out your phone number and stuff like that, just be careful who you give it to and when you give it out. Maybe get one of those Go phones, or you have a throwaway phone number, get a Google Voice number as a number that you might give out for certain accounts rather than just giving out your home phone or your mobile phone. Just be aware of that stuff and determine what your options are.

J: This is cool. I was just thinking about the maiden name and all that stuff – “What’s your mother’s maiden name?” – and I was just thinking on Facebook it’s really customary for you to put… for women to put their maiden name and then they’re… so you can find people. Like high school, some girl in high school, you don’t know her new name now; and I was just thinking, “Well, yes, you just find out what the person… who the person’s mum is on Facebook and she may list her maiden name,” and then you’ve got your first answer to that question.

RS: That’s how Sarah Palin’s Yahoo account was hacked by… The bad guy hit the password reset and just basically answered all the questions to reset the account by searching social media and the web.

J: You know, just last night I woke… well, it was this morning, it was about four in the morning; I reached for my phone on my bedside table – I’m trying to see what time it is – and I can’t find my phone. And I don’t know if I was sleepwalking or something, but my phone was nowhere to be found. I thought maybe I’d knocked it off; I couldn’t find it anywhere. So I pull out my iPad, I login and use the Find My iPhone App, and I find out that it is in my house somewhere. And then I do the little… you have an option to push this button and it will beep and send this to your phone so it starts making a noise, a