Identity Theft Hysteria Overblown, Watch Your Debit Card Instead

If you need the straight story on issues of credit card, debit, and banking fraud and security, something more than “we’re taking it seriously,” Avivah Litan, VP and distinguished analyst at Gartner research is your go-to-gal. I recently interviewed her over the phone about consumers can protect themselves in an era where just keeping your mother’s maiden name a secret doesn’t cut the mustard. I learned that you can buy a credit card number for a few cents, losing your Social Security Number is NOT the most dangerous fraud that is likely to happen to you, and how Obama’s helicopter plans got stolen thanks to P2P music-sharing software…

BEN POPKEN: Your name pops up a lot in articles. You seem to be one of the few people with an insider perspective willing to go on record about these issues.

AVIVAH LITAN: That’s because I work for a third-party unbiased research firm.

BEN POPKEN: That always helps. (both laugh)

AVIVAH LITAN: Yeah, it does. That’s what we’re paid to be, third party unbiased observers. That makes it easier to talk.

BEN POPKEN: So, what are the five pieces of personal information you should never give out?

AVIVAH LITAN: My bank account number, my password to anything, my debit, check card number and my PIN. After that, almost everything’s public anyways. The politically correct thing to say is your SSN but we’ll get to that one later.

BEN POPKEN: I notice you didn’t say mother’s maiden name.

AVIVAH LITAN: It’s so public anyways, people can find it out or they’ve stolen it, they’ve phished for it. I would’ve gotten to mother’s maiden name after SSN. PINs and debit card numbers and bank accounts and passwords sell for a lot more on the black market than social security numbers and date of birth mother’s maiden name, what we call full identity records. A bank account you can get $100, or sometimes up to $1000, depending on volume and what kind of information you have, and how wealthy the individual is. An identity record is like $10-$20 depending on volume. Credit card numbers are a few cents now, up to ten cents. The market price reflects the danger to the consumer.

BEN POPKEN: Paint me a worst case scenario. Your wallet gets stolen, and it had your social security card in it along with driver’s license and your debit card. If I’m a dedicated thief, what could happen?

AVIVAH LITAN: The thief could use that info to apply for a new credit card, or a new loan. The thing is, the chances of your bank account getting raided are much higher. Though, it’s much worse when someone takes out a new loan in your name. So, they could steal social security number and all that wallet info and apply for a new credit card, change the address, and start racking up the charges and get away with it for at least a month. That is a terrible thing to have happen. But it’s even worse is someone steals your debit card and your PIN and raids your bank account. They’re not buying on credit, they’re raiding your bank account. Then you need to prove to the authorities that you were not negligent that it wasn’t you and it’s a real hassle to get your money back with debit. To me, that’s the worst case scenario.

BEN POPKEN: Why is it that much more dangerous if it’s your debit card?

AVIVAH LITAN: There’s two kinds of debit, just step back a minute, there’s signature debit when you sign the piece of paper at the register and then there’s PIN debit, you use that at the register or ATM, and then there’s credit cards which are always signature in this country. The reason why signature credit is the least worrisome is because it’s protected by something called Regulation Z. It’s a federal regulation that limits your liability to $50. Most of the credit card companies won’t even hold you liable for $50. They passed that regulation a long time ago, I think in the 80s to get people to you know not be worried and spend a lot on their credit cards. (both laugh) They also have these rules that if there is fraud it generally goes back to the merchant so the bank doesn’t eat the fraud.


AVIVAH LITAN: The consumer doesn’t eat it, the bank doesn’t eat it, the retailer eats it. So it’s pretty easy for the banks to just shift the reliability back to the merchant, and then pay you back, plus you’re covered by Regulation Z. When it comes to debit cards, those are protected by regulation E. The rules on regulation E are not so consumer friendly. You have to report the theft generally within 30 days of getting your bank statement. Sometimes up to 60 days. And then there’s limits on how much they’ll pay you back. Like you have much more, like a $500 liability in some cases.

Now, signature debit is usually protected by VISA/Mastercard rules. If you use your signature debit you have the same kind of protections as under Regulation Z. If you use a PIN then you’re not protected by VISA/MasterCard rules. Then you’re protected by Regulation E. If you’re using the signature debit card the banks get more revenue than they do with PIN debit, so they always want you to use signature. Secondly, there’s typically always another party involved. You can’t use signature at an ATM so they just shift the liability back to the retailer like they do with credit cards. When you use PIN debit it’s typically at an ATM or to get cash back. That money’s out the door to the bank and they cant’ get it back once it leaves the ATM. They don’t have anyone to shift the liability to. (laughs) So when they can’t shift the liability to a retailer, they absorb it, and so the rules aren’t as consumer-friendly because they don’t want to pay for the loss.

And if someone cleans your bank account out with PIN debit , you’ll get late fees, NSF fees, it’s a mess to straighten out. You may have your mortgage going against it, your health club, a number of bills, and they’ll keep charging you NSF fees and late fees. It’s a spiraling effect. And you’ve lost your money too. I’ve heard many nightmare stories about that.

BEN POPKEN: You have to get it back from the crooks, and then you have to get it back from the thieves.

BEN POPKEN: Was the Social Security Number really ever designed to do all the work we’re asking it to do these days?

AVIVAH LITAN: No, not at all. It was designed to register you in the Social Security office. It was never designed to be your identifier. But it’s turned out to be the best identifier that these systems have. Because it’s unique for each individual. It’s not as valuable as you think is because criminals can make up their own SSNs. They know the numbering protocols and what state and date of birth they’re associated with. You just have to assume, frankly, that your SSN ssn is out there already. The black market’s full of SSNs. What I do, is I have a fraud alert on my credit report. If you’re not in the need for credit, then you put a fraud alert on your file.

The truth is the value of a SSN is overrated altogether. I see the data from the banks. If they want to create a new credit record they just make up an identity. It happens at least 50% of the time. It’s a lot of trouble to steal someone’s identity and turn it into cash. You have to go and apply for the loans, and then get the credit, and then change the addresses, and then buy things that you can sell for cash. Sure, people do that, and it happens in 4% of the American adult population. But it’s a lot easier to just steal their bank account and get the money out.

BEN POPKEN: Sounds scary…all of a sudden it sounds like we’re standing out there naked on the street. What can you do to protect yourself against all this?

AVIVAH LITAN: The best thing that they can do in that case is bank somewhere that has a zero liability policy in online banking for example. As a precautionary measure I never use my PIN unless I’m at a bank ATM. I check my balances frequentl because if you report something right away you have a much better chance of getting it back. I keep my PC as secure as possible. The best thing you can do is you can use a locked-down browser, meaning that criminals can’t get spyware into it.

I don’t give anything out to people. If someone calls you and says they’re your bank or anyone like that asking you anything at all that’s sensitive I hang up on them. Or you could say I’ll call you back and call the registered phone number. Don’t ever call a number they give you, because there’s systems now where they call the criminal’s number and they’ll route right through to the real bank but they’ll be listening in on there cause it’s routing through them.


AVIVAH LITAN: It’s like called the “vishing attack.” You call their 800 number and they route it right through to the bank. So you’re talking to the bank but they’re listening to the whole thing. And they get your PIN when you type it in.

BEN POPKEN: Basically if someone starts asking for sensitive information you don’t want to dilly-dally and feel them out.

AVIVAH LITAN: Just hang up on them. No legitimate company would…if they’re smart, I mean they may do that I’ve seen some really, some good legitimate companies do really stupid things but that’s their problem you know you should just I hang up on people like that immediately and I’ll call the bank back, you know? It’s not like you can’t call your bank back. Don’t believe anyone that calls you, basically. I’m not kidding! I have had a couple of attacks. “We’re from Yeshiva Hospital in Jerusalem and we’re a charity and we need your money…” Some of them are so obvious.

Don’t fall for anything. A lot of these attacks are delivered through advertising and Google searches. Say you want to buy a lawn mower. And then something will come out in the sponsored links and if you click on it it downloads malware. Don’t ever download anything unless you’re 100% sure. Another big area is P2P file sharing, like if you share a local network with your kids and they’re always downloading music or videos. A lot of sensitive data is stolen that way.

BEN POPKEN: Because the kid will download what they think is the latest Lady Gaga track and it turns out it’s actually a Trojan. And then you grab it…

AVIVAH LITAN: That’s one reason. The other reason is, the kid opens all your storage files on your hard drive to the crooks.

BEN POPKEN: Oh, right.

AVIVAH LITAN: They can see everything on your hard drive. Actually, I wrote a little note that got a lot of publicity that didn’t get attributed to Gartner, which was fine, I didn’t want it to, but did you read about the Obama helicopter plans being revealed? That was all through P2P software file transfers. These guys can get sensitive military information because contractors’ PCs are compromised by these home networks, tax returns, business plans on corporations… Anything on a hard drive that’s been exposed to a P2P network is fair game.