Tuesday, March 18, 2014

Foiling the Identity Thief: Is Identity Theft Insurance Worthwhile?

A friend once asked my thoughts on insuring against identity theft and fraud. As I had never really thought about this category of insurance before, it seemed a good excuse to do a bit of research.

There are a number of different definitions for identity theft depending on whom you ask, but in general they fall into two broad categories:
  • Unauthorized use of an existing relationship or account (for instance, credit card fraud, email compromise, or exploiting a Facebook or Twitter account)
  • Unauthorized use of personal information to establish a new relationship or account (for instance, opening new credit accounts, tax return fraud, or medical identity theft)
While both categories are often used interchangeably, there are distinct differences in how they come about and in how they affect the victim. The first generally affects only one institution and can be isolated by closing one or more accounts and by working with a single institution to restore rightful control over the accounts. It involves an account you already know about, with an institution you already have a relationship with, and can easily be detected by paying attention to transaction records. Consumer protection laws and prevailing bank practices severely limit the potential damage, in many cases to $0.

The second type is a far more insidious event. With enough of your personal information, an attacker can impersonate you for any number of reasons. They may open financial accounts in your name, file fraudulent income tax returns, obtain medical care using your insurance, or even pretend to be you while committing a crime against someone else. In each of these cases, you may not have any idea your identity is being abused until long after the fact. The consequences can be significant: financial fraud may affect your credit score, making it difficult or impossible to buy a house, finance a car, or obtain home or auto insurance. Income tax fraud may mean your legitimate tax return is rejected, putting the IRS on your back. Medical ID fraud could mean insurance may not cover you for a legitimate procedure, or worse yet, could lead doctors to recommend the wrong course of treatment based on incorrect information in your medical records. You might even be arrested for a crime someone else committed in your name.

There are several simple steps you can take to reduce the risk of identity theft: opt-out of pre-approved credit card offers; sign up for electronic delivery of account statements (thief's can't swipe statements from your mailbox if there are none there); don't share your actual birthdate or address in online profiles. But even if you do everything right, you have no control over what others do with your information. You can't even trust the credit bureaus companies, as last year's massive flub by Experian shows.

So, enough with the paranoia. What's the real deal?

According to The US Department of Justice Bureau of Justice Statistics, in 2012 approximately one of every 15 US residents age 16 or older experienced some form of identity theft that year. The vast majority of these cases involved misuse of an existing credit card, bank, or other account. Honestly, that statistic surprised me at first, but it shouldn't have. I can think of at least 6 cases involving my own accounts (iTunes, Best Buy, Walmart, and three credit cards) in the past half-dozen years. That's significantly higher than a 1-in-15 chance each year. But as I blogged before, credit card fraud involving an existing account is relatively straightforward to resolve, especially if caught quickly. In my most recent case, I knew about it before the retailer even shipped any product, so it was a simple matter to cancel the fraudulent orders and close my account.

According to the same BJS report, fewer than one in every 200 Americans had personal information misused to open new accounts. Even in these cases, over 70% of individuals were able to fully resolve the matter in less than a month, and the overwhelming majority suffered less than $500 in total loss.

Standalone identity theft insurance is available from a variety of sources, generally for under $200 per year. Even more conveniently, a growing list of homeowner insurance policies provide a degree of identity theft coverage as a standard feature. The irony though is that individuals concerned enough about identity theft to purchase insurance, are likely already taking the basic steps that reduce their risk of becoming a victim in the first place. And that's the real bottom line for this article: a few preventive steps will do more than any insurance policy.

A few additional resources to consider:



Edit:

After I wrote this, security blogger Brian Krebs posted a very well-written and well-researched article on a similar topic. He covers credit monitoring services, which are closely related and often provided to consumers by businesses after a major breach. He also discusses his own personal experience with several cases of attempted fraud, and how the credit monitoring service he uses helped / didn't help, and provides some suggestions for minimizing your own risk. It is a very good read.


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.