One of my favorite quotes is "Locks keep honest people honest"; the punch line to that statement is "too bad more people are not honest".
There are lots of ways to mitigate security risks. Putting bigger locks on doors can help for both technological and psychological reasons, but when we do that we need to make sure we understand the actual value that lock is providing. For example, a big steel door with a high security lock right next to a big glass window still provides some psychological value: the residents feel safer and the dumb crooks are kept out, but the real bad guys just put a rock through the window and walk right on in.
We (on some level) recognize this risk and purchase homeowners or renters insurance that offers us some mitigation from the impact of this risk. One might even argue this insurance offers you more value than that big steel door with its high security lock, as it works even when the door is left open.
Identity theft is no different; you can protect yourself in a number of ways:
- Only give out your "sensitive" information (SSNs, etc.) when you absolutely must (which is far too frequent IMHO).
- Have as few "sensitive" documents (bank statements, credit card offers, etc.) as possible mailed to your home.
- Buy and use a high quality confetti shredder for ALL information you put in the trash (ALL is just safer).
- Install and use a locking mail box.
- Use credit card companies that offer features that help prevent identity theft (photos on the back) and mitigate its impact (indemnification, one-time card numbers, etc.).
- Have only one credit card (a VISA or Mastercard - not a debit card) you use for all online transactions, preferably one with one-time card numbers.
- Never give your credit card, social security number or other sensitive information out over the phone; especially watch out for automatic calling systems that are "pharming" for your information under the guise of a doctor's appointment or financial transaction verification.
- At least once a year look at your credit report for suspicious activities.
- Have two (or three) email addresses: one for general use (use a free email service like live.mail.com with good spam filtering) and a private email address. Only give the private address to people you trust and use the public one for nearly everything else.
- Pick strong passwords and write them down; yes, don't fall prey to the fools who tell you it's bad to write down your passwords. It's much worse to pick a lame password that you can remember than it is to jot down a password you won't be able to remember.
If you do these basic things you go a long way towards protecting yourself from financially related identity theft in both the online world and the physical one. There is also a new class of services coming to market that you could look at, which offer to help you mitigate the impact of identity theft if it does happen to you.
For example, a company called Debix offers an identity theft insurance policy that protects you for up to $10,000 worth of losses in the event your identity is stolen while you're their customer; these services also help reduce the risk of the identity theft taking place in the first place by periodically sending a letter to each of the credit bureaus asking them to put a "fraud alert" on your files so that creditors have to jump through additional hoops to grant you credit.
There is another company called Lifelock that has a similar product offering; they do essentially the same thing Debix does, the core difference being they offer a million dollar policy.
With services like these the devil, as they say, is in the details. The "functional" offering of these two companies is essentially the same (they periodically send letters to credit bureaus saying don't give you credit without extra steps), but the insurances differ greatly, one being offered by AIG and the other being a self-backed policy.
There is nothing wrong with a self-backed policy, but the thing to remember about insurance is that it's only as good as the underwriter; in the case of Lifelock you have to consider who is running the ship when looking at the value of such a promise.
In any event, even today most identity theft is rooted in the physical world, and through the application of a little common sense (outlined above) you can reduce the probability of being hit with this form of identity theft; if the risk of such an attack is great enough, you can sign up for a service that will help reduce the impact of an attack if it were to happen.
[Update 08/13/07 8:45PM] It's been brought to my attention that Robert J. Maynard resigned from LifeLock. For those who did not read the article linked above about Robert, he was the founder and CEO of LifeLock, that is, up until the end of the month (he has a sketchy past at best). I still have my questions about their offering, but this is at least a good sign.
I also wanted to let you know that I "undersold" Debix's offering; one of the other differences that has real value if you subscribe to a service like this is their credit authentication solution. It looks like it's done as well as one could imagine, and making these sorts of transactions smooth is key to being able to live with a service like this.
[Update 03/04/08 10:00AM] It's been a while since I added to this post, but someone told me about another LifeLock related issue so I thought I would add it here. Apparently Experian is suing LifeLock; if they win, the same sort of suit would likely be applicable to others (like Debix) who use the same basic model. Check it out: http://redtape.msnbc.com/2008/02/experian-sues-l.html
It was also brought to my attention that there is another player in this space I had not seen before (see: http://www.zanderins.com/idtheft/idtheft.aspx ); in addition to offering fraud alert management and insurance, they offer recovery services, also a good thing.