261 Broad Street
Windsor, CT 06095
(860) 285-0172

Your Website Should Be Easy to Edit

Hackers at Your Door - Protecting Yourself and Your Business from Identity Theft
Photos and Story by John Waiveris
Antique locks provided by Adivasi in Brattleboro Vermont.

OK, I know you are tired of hearing about Identity Theft. I am too. It's just another modern affliction that we'd prefer to ignore. But, I own a business that accepts credit cards and figured there was more I could do to protect my clients. When the local Chamber of Commerce asked me to do a presentation, I jumped at the chance to learn more.

"This new research offers a very different but accurate and helpful perspective about identity theft fraud and it shows how we can stay on top of this problem," says Steven J. Cole, president and CEO of the Council of Better Business Bureaus. "Consumers can do a lot to make sure they cut down the risk associated with this fraudulent activity."

What is ID Theft?

Someone commits Identity Theft when they use your name to open accounts and make purchases. They disappear with the goods and leave you with the bill. These modern day pickpockets are taking advantage of the fact that most people are careless with their critical information, and even worse about keeping track of their accounts.

But what can you do to protect yourself? Do you have a clear understanding of what information is valuable? Do you have an early warning system that would alert you when something is amiss? As a business owner, you are being negligent if you haven't educated yourself about the risks and the protections available.

Let's start with a great little survey created by the Better Business Bureau. Go to www.idsafety.net and answer 20 questions about how you conduct your own life. You'll get the idea that it's really just a matter of keeping a tight rein on your mail and account information.

Why Does It Exist?

At the risk of preaching, I blame ID Theft on our lax credit lending industry. They could solve it overnight if it didn't benefit their bottom lines so well. Companies are able to create accounts in your name without sufficient confirmation and sensitive information exists in marketing databases that are bought and sold every day. While large sums of money are transported in armored trucks, databases with your credit card numbers are transported by postal mail.

"In the two recent cases, thieves posed as legitimate customers to gain access to databases compiled by ChoicePoint and by its rival, LexisNexis. LexisNexis' corporate parent said personal information on as many as 32,000 consumers was compromised; in the ChoicePoint raid, as many as 145,000 people had their information stolen. At least 750 so far have become the victims of fraud." MSN Money - Blame lenders, not thieves, for identity theft


There are some simple ways you can make yourself a tougher target. Start out by getting your accounts in order. The easier it is for you to keep track of your funds and credit report, the more likely you will catch a thief early in the process. You may want to create a list of accounts and the ways information is accessible.

First, how many account numbers sit unprotected in your mailbox? If possible, switch to all online billing and account management. Experts also recommend using a P.O. Box or a locked mailbox. The same goes for trash. Don't let any sensitive information sit unprotected. Send nasty letters if necessary to get companies to change their ways.

Second, create an early warning fraud screen to detect unauthorized use as early as possible. Ideally you want to be able to check account balances in just 2-3 minutes. Keep in mind that you don't need to balance your checkbook...just catch big stuff right away. Banking software such as Microsoft Money or Quicken can download various account balances automatically and display everything on one screen.

Third, make a personal policy about giving out account numbers, passwords, anything that should be secret. You might want to stop using credit cards while dining out, start using one time credit card numbers, and start making online purchases with PayPal. You also want to think twice if someone asks you to login or provide sensitive information.

I received this email last week from someone "phishing" for eBay accounts. They could use this information to defraud someone else in my name. I had a hard time determining if the email was legitimate so I closed my email program and logged into eBay directly. Just as I suspected, there was no mention of the message. Big companies (perhaps yours too?) have policies about account information and email messages posted on their websites. If in doubt, contact the company directly.

Here's an interesting resource from the Better Business Bureau with statistics about Identity Theft victims. In one third of the cases it was due to mishandling by a business they trusted rather than something they did wrong. In the second third, it was due to a lost or stolen wallet or credit card. The last third was split between friends and acquaintances, stolen paper mail (or fraudulent change of address), and online transactions or spyware.

Early Detection

Assuming your personal information is protected, the next step is to track and discover new accounts created in your name. We need to make a radar screening system that alerts us when an account is created or our credit rating is accessed. Sadly, it is up to us to keep track of our credit history, and it's not exactly free. Each of the three major credit bureaus will give you a free credit rating once per year (see www.freecreditreport.com for more information). However, you might want to sign up for a commercial system with periodic reports and alert notices (about $10 per month). It's crazy but true that thieves will go as far as buying a new car in your name.

What if You Become a Victim?

As a victim, you basically need to notify the three major credit bureaus and local law enforcement. Read this great article written by a law librarian who fell victim several times. It has SO much information; I would hardly be able to repeat anything without risk of plagiarism. It might be a good idea to print out a copy for long term storage with your financial records.

Another Phine Kettle of Phish: Identity Theft Prevention

As a Business

A business owner has a higher standard of conduct. You need to protect yourself, your clients, and your business so you can keep offering services. It is doubly important that you be diligent in protecting your customer information. This includes determining who can access it, how it is disposed of, and where it is stored.

Remember, thieves like to prey on uncertainty about accounts and responsibilities between employees. Rarely is there an emergency that needs a signature right away. Simply put a few trusted individuals in charge of finances and financial passwords (or keep it all to yourself). And consider putting credit card scanning equipment in customers' view. (It's a good idea to hire employees that you trust but limit the consequences if you are wrong.)

You should also use a strong locking mailbox (or post office box) and caller ID on your phones. Finally, equip employees to avoid ID Theft themselves. It may pay off in more ways, as victims often miss 30-40 hours of work in clearing their name.

Hire a professional to help lock down your computer systems (yes, they should all require a password). Protecting access to files and databases with passwords and encryption is a good step, though you should also erase or destroy all information before it leaves "protected" locations in your business. Remember that lost "pen drives", outdated computer drives, stolen laptops, and discarded backup tapes are all potential risks.

Accepting Credit Cards

Last, while the lending industry has created part of the problem, businesses accepting fraudulent payments created the other. If you sell directly in retail, try always asking for identification. Remember an unsigned credit card is not valid. Also, try addressing a person by the name on their credit card. If they don't respond, ask for identification.

If you accept credit cards remotely (online or by phone), make use of built-in security features. While CVV and CVV2 numbers claim to be secure, they are simply an additional number that a thief would be smart to provide. (It's still something you should require.) A more valuable technique is to require Address Verification and only ship to the billing address (even during the holidays). This at least prevents someone from using a stolen card to ship products to another address.

You also want to protect yourself from "charge backs" (where the credit card company takes the money back). Clearly state a return policy, personally verify bulk orders, include a disclaimer that explains customer fees and who pays them, require shipping address even if you don't require one, and only use shipping companies that provide tracking numbers so you have records of where and when packages are delivered.

Good Luck

Hopefully none of this information will be useful and the government enacts laws that make Identity Theft a thing of the past. Otherwise, I hope it helps at least someone hold onto what is rightfully their own.

John Waiveris writes about websites and small business marketing for Invisible Gold, LLC. For more information call 860-285-0172 or visit www.invisiblegold.com. "Your Website should be Easy to edit."