IAmA --- Identity Theft expert --- I want to help clear up the BS in typical ID Theft prevention so AMA

Aside from freezing your credit, having individual password phrases, and not using open dodgy wifis, what are the top things someone can do to protect themselves?

Also, if your identity is stolen, what are the best things to do?

I had my identity stolen. I got a random call from a store asking if I tried to open a credit card. I contacted Citi (Citibank) identity theft services and they helped a ton. It still took about a month to get everything cleared up (getting lists of all opened accounts, contacting each lender, etc).

There was no way to prevent this as it was a state government agency worker who stole mine along with 70 other identities.

About 3 years later I testified in court against the thief and he got 30 years in jail (many people were affected).

How do you distinguish between identity theft and some moron who just got/gave the wrong number?

Did they have other personal information on you?

Credit checks require many details: name, address, dob, SSN, etc. If one of them was wrong, it would be denied usually. If all the data was accurate enough to pass the check, they'd usually get the credit. Sounds like someone at the store was feeling suspicious and helpful in this case.

Not sure if you might be able to respond to this(or anyone for that matter) or not at some point, but at one point some one used my SSN for a house in a different state. They used a completely different name though. Did some one just fuck up and put in a typo that led to my SSN? I wasn't really afraid of any issues, as there didn't seem to be any loan in my name at all for said house, just the owner of the house had my SSN attached to it for whatever reason.

Might be worth filing an identity theft report at identitytheft.gov anyway. You want to be sure to have proof that you went on record to say it wasn't yours and have the paperwork to back you up when you challenge it to get it removed from your credit reports.

Starting with your last question, there are numerous guides that I wouldn't be able to add a lot to because I focus more on prevention. In short, report it to the FTC (https://www.identitytheft.gov/) and your police. Get reports that you can use for proof for when you dispute the accounts/charges/accounts.

For your first question, the best answer is to develop a mindset of data protection at all times going forward. In other words learn to be a data miser. A quick summary is to always resist attempts to put your information in a computer system. Don't let your dentist have your SSN without a fight. Don't let them have your real birthday without asking why they need it and asking if it's required.

I have an 8 minute video that explains more here:

https://www.youtube.com/watch?v=e_QINj-tU8Y

Also an article here (though I need to update it so please ask follow-on questions or leave comments there if you'd like): http://www.thegeekprofessor.com/guides/privacy/data-defense/

I'm planning on rebuilding those as paid courses soon so get them now while you can :)

This is difficult to do when the motor vehicles division of your state is requiring your entire social security number be mailed in with a form that includes your DOB, address and drivers license number all right there together plus, you enclose a check with your banking info on it. If you want to drive, you have to provide all of this... in the mail.

The DMV in texas makes you submit your thumbprint like a criminal, but there's no other option if you want to drive. I would ask if you can bring the data to them directly and do so if you can, but otherwise, do as they say and take steps. Put it in a secure envelope, confirm receipt, and freeze your credit reports: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

Holy shit, how has no one in Texas fought that thumbprint DMV bullshit?

I tried, but neither the DMV, the State Attorney General or the handful of other people I contacted ever responded. I am but a man... and have only so much time so I haven't pushed further. But if there was any effort to fix this travesty, I'd be all in.

So now that my credit is frozen, every month I get a new piece of mail that there has been a failed fraudulent attempt to open a different credit card account.

Aside from updating my FTC complaint is there anything I can do? I can change my mailing address as I recently moved to a new apartment, would that help?

And what about the nuclear option of changing my ssn?

Changing your mailing address to your current one is a good idea as the theives using the old address might be denied credit on that alone (but if the freezes are working you'd be safe anyway).

As for changing SSN, that's an option, but I have no idea what the total consequence of that would be. The only reason I'd consider it personally is if my SSN had been used in criminal activity since those records can sometimes never be cleared.

Dentist here. Some insurance companies (still) use SSN as your identifier, so if that is the case with your carrier, we cannot file a claim for treatment without it. Inscos are getting away from using it, but not all.

Correct. However, there are ones that do NOT require it. I recommend checking with your insurance first because I've seen dental office who ask for it just for convenience when they don't actually need it.

Don't let your dentist have your SSN without a fight. Don't let them have your real birthday without asking why they need it and asking if it's required.<<

Wife's a dentist and I do the back office work. . . Please don't say this. We actually need the SSN if you have insurance and the DOB is required regardless just for medical history reasons.

The big problem here and it's not our fault but a lot of insurers aren't issuing member id's etc and so they use the SSN as their membership number. If we don't have that number we can't bill your insurance or ask what benefits you have.

I understand the security involved regarding SSN's and if you're concerned with getting it stolen I recommend calling your dental insurance and asking them to send you a membership card if you don't have one. Also keep in mind that a lot if folks just add on their dental to their medical. Sometimes this number is the same but majority of the time it isn't. And quite often it's not even the same company for the dental as the medical although you pay both at the same time. So please contact your dental insurer for that membership Id.

Otherwise if you don't have dental insurance then we don't really need your SSN.

I'm not saying people should withhold it needlessly, I'm saying people shouldn't provide it needlessly. If it's necessary for the service and you want the service, of course you must provide it.

Don't let your dentist have your SSN without a fight. Don't let them have your real birthday without asking why they need it and asking if it's required.

I totally agree about the SSN part, and as a medical secretary I can confirm this - there's an SSN section on our forms, a lot of people fill it in without a second thought, and I have literally never used someone's SSN. I don't even transfer them from the intake forms to our computer system.

However, the second part about birthdate is really awful advice. Every dentist and doctor needs your birthdate, it's an essential identifier in the medical field. Any time I have to refer to a patient over the phone (like when talking to a pharmacist), I say "first name last name birthdate," like it's a part of their full name. If I have to file an insurance claim for a patient, I have to fill in their birthdate. If you try to fight your doctor or dentist about your birthday, you're going to lose. They will tell you they're unable to provide you services without your real birthdate. If you leave your SSN blank, on the other hand, they probably won't even notice at all because they never need it anyway!

It seems like people are reading that as "never give it to them ever". I would like to stress that my advice was to understand why they need it then provide it if they answer to your satisfaction.

I’ve seen commercials about “dark web hackers stealing your identity” and if you pay extra, they’ll “scan the dark web” to see if your identity may have been stolen. This seems like a load of crap. Is it? Are there legitimate safeguards against “dark web thefts” or is it just fearmongering to make money off of people’s ignorance?

Huge load of crap. They're using buzzwords to sell fear and find a place in your wallet. I would say there's some truth to it, but it's mostly marketing BS.

It isn't crap - there are services that purchase or gain access to leaked databases and then send you an alert if your email is found in one of them.

http://haveibeenpwned.com/

is one such service, but there are also commercial services with larger/broader datasets that are almost always obtained on the dark web

On the topic of haveibeenpwned - I can't believed it hasn't been mentioned in this thread, it is one of the most important free services you can make use of to prevent or alert yourself to theft of your own data

When I say this, it is the historical and odds-based truth. If you're saying there's an exception, I would say research it, evaluate, and determine for yourself if it fits the pattern. It is certainly possible that one exists that isn't full of it, but I wouldn't offer my credit card until I was very sure.

Is it true that millions of families suffer from identity theft every year?

Yup: https://www.bjs.gov/index.cfm?ty=tp&tid=42

17.6 MILLION U.S. RESIDENTS EXPERIENCED IDENTITY THEFT IN 2014

Holy crap. US Population was ~318.6MM in 2014. That's an average of one identity theft per 18 people. That's... a lot more than I would think.

I guess my question would be "what constitutes identity theft?" A while back, my credit card was used without my permission. The bank flagged a couple but one got through and was caught by the vendor's system (or so they said, after I told them).

Would this be flagged in those statistics as an identity theft, even though the name the attacker used for the purchase wasn't even remotely close to mine?

Credit card fraud is not tracked as ID theft I believe. If so, I would think it would be much higher.

It kinda sucks being me, what's the best way to ensure some other sucker steals my identity?

More seriously, what unexpected actions leave someone vulnerable to identity theft? I assume there's more to it than just old folk falling for phishing scams.

Mostly having your data easily available. How many website profiles did you list your birthday for example? Have you frozen your credit reports? Have you opted-out on the major data broker (LexisNexis for example). On that last one, check out this site (it's a great way to get started): https://www.stopdatamining.me/opt-out-list/

If you just opted out on the top 10, you'd be way better off than most.

But I have to give them my birthday and phone number to do it...

Excellent point. Sometimes the right answer is to not bother... but most of the biggest brokers have the data anyway so you're giving them nothing new. One way you can tell is to do a search on yourself on their public page if they have one or a people search page that says its "powered by Lexis Nexus". Example: whitepages.com (IIRC) is fed by the major brokers. You can search for yourself and see a blurred phone number that you'll be able to tell if it's yours.

But really, odds are that all the major brokers have it considering they get data from your credit reports too.

Can you elaborate on the LexisNexis thing?

For real, my company is about to hire their services and would love to provide a reason not to.

Lexis Nexis collects as much information as they can about you into profiles that they sell to others. This puts you at significant risk and I would opt out if possible. Preferrably, laws eventually come out making this practice illega, but for now, opting-out is all you can do. See more information here: http://www.thegeekprofessor.com/tag/lexisnexis/

I work for one of the companies on that site; basically we collect everything we possibly can about you (which is much more than you probably think) and then sell that information (generally in bulk) to companies for marketing.

At the risk of sounding like a shill for my company: I can appreciate what /u/TheGeekProfessor is doing, and I think he (she? idk) should absolutely keep it up. There's nothing wrong with opting out of those lists. It's worth mentioning, though, that we have to adhere to very strict privacy laws that vary from country to country and take information security very seriously. Not only that, but your individual data isn't worth very much - most of our value comes from being able to combine that data to provide very specific subsets that meet a certain criteria. For example, we're the reason you get certain credit card offers in your mail and your friend who has shit credit gets a different set of offers. Depending on the online services you use, we may be responsible for some of the ads you get there as well.

Just saying, we're not some evil Big Brother gathering your data so that we can take over the world - nor do we just take your data and throw it on a pile on someone's desk so that anyone who wants to can take a peek. Especially considering recent events, we take privacy and security very seriously. Opt-out if you want though, I couldn't give a shit less - and we'll still have plenty to sell so I doubt my company does either. Not only that, but I obviously can't speak for any of the other companies on that list - have no idea how they run things.

Someone else said that Lexis Nexus is restricting opt-out to people who are with the police or at imminent threat of bodily harm. Do you have any tips for this kind of situation? Some way to escalate or force through the opt-out?

I responded to the guy who responded to you... I don't think you see that automatically so chck this thread for more detail.

Is it unreasonable not to trust their opt-out processes?

I feel like I'd be providing a lot of information to them, even information that they may not already have.

Depends on what they ask. Basic stuff they'll have anyway, but if it makes you uncomfortable declining the opt-out isn't a bad idea. That said, the biggest data brokers surely have your data anyway. You have to judge based on who they are and what they want from you as proof.

Is it really necessary to shed my mail? I kind of feel like if someone goes Ebeneezer McDuckin' through the town dump for my mail, there's not much that would have stopped them anyway.

The "they'd get it anyway" argument is popular, but think it through... it assumes that all people have the same level of intent. Someone can easily go through your trash, but might not be able to get your email or have the time, skill, etc. to recover your mail if it's been shredded.

The idea is to balance how much work you make it for THEM compared to how much work it is for YOU. Shredding isn't particularly hard or time consuming so it's a good idea. A lazy-man's approach is to rip unwanted mail in half and throw away each half in different loads. That way if they have half an application, they can't do this: http://cockeyed.com/citizen/creditcard/application.shtml

Point is that trash isn't your biggest threat, but shredding or doing SOMETHING to your more sensitive papers isn't hard either so it's usually well worth it.

Given the time I've spent being homeless making a living from dumpster diving, mainly aluminum cans, food, and some durable goods, people really do need to better understand their own trash. Even the mail thrown in the dumpster at lawyers offices were uprising. I also collected computer from dumpsters and kept connected with the computers I built from parts. Some of those computers had complete tax records for entire families with no missing bits of information. People worry about hackers but are completely oblivious to what they dump in the trash.

I didn't mention, but you have to be 100% more vigilant at work or any business. The dumpster diving threat is COMPLETELY different at work vs home.

What's the best way of disposing of old computers? I have an old laptop that's literally just gathering dust and I'd like to be rid of it, but I don't want to donate it or sell it (mostly because I'm sure the money I'd get wouldn't be worth the effort).

Someone else posted about physical destruction, but that's not really an option for most people. The most interesting trick I've heard that works for computers and phones is to encrypt the hard drive/phone THEN reset the device/computer. Right now, this is my go-to until I hear of something better.

In America this isn't nearly as big as it is in Europe.

I work in fraud for a bank and maybe 5-7% of the time we overlook documents that were stolen. This would include utility bills which are used to verify someone's address. As far as other stolen documents, they wouldn't be in your mail. For example a picture of your social security card or a picture of a drivers license. If I had to guess how many of our fraud cases used stolen "mail"... I'd guess 1% overall. Most stolen documents pictures of IDs

Would I say to shred your mail? Ehh probably not.

I'm very curious to hear OP on this. I only have 1 perspective of this and that's from preventing fraud for a very large financial institution.

I replied above :)

Bottom line, if you weight risk vs cost of doing the thing, it's still not a bad measure and can be worth it. Like I told the questioner, even if you just cut the mail in half and threw them away in different loads, that's better than nothing (and is super easy).

​

Someone took out a loan and bought a car with my daughters ID. We discovered it when an insurance bill came for the car. We tried to contact everyone and no one wanted to help. Local police said it wasn't their jurisdiction because the car was bought out of state. Finally, after the loan company wasn't getting paid they made a police report against my daughter. The detective investigating sent her a photocopy of the DL used for the purchase. It had all of my daughters info but with a picture of someone else. There were some discrepancies on the DL, such as spacing, should have raised suspicion. How did they pull this off?

File a ID theft report with the Federal Trade Commission: https://www.identitytheft.gov/

Use that in your quest to clear this crap up. Not sure how they did it, but chances are they wouldn't have been approved if the credit request had been blocked. FREEZE YOUR CREDIT REPORTS NOW. Yours, hers, everyone you know. https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

Have you seen if you can file a police report in the given state? Preferably with the same department the dealer did? Have you called the dealer? See if they're reasonable. Don't threaten them. If you can work with them to get this cleared, use that to clear the credit report. Alternatively, clear the credit report through their process then use that to clear the dealer records. I wish I could say this would be easy, but I can't. You may need to get a lawyer.

Is there a growing concern over the rising ease of being able to "social engineer" enough details on people such that they could steal your identity/ cause great malice?

Social engineering is the most powerful form of attack because people who aren't prepared for it are easy to fool. That's why "THIS IS THE IRS AND YOU OWE US MONEY SO PAY UP" phone calls work. It's critically important that people learn to doubt emails, phone calls, and other forms of communication until they can verify the source and information.

Biggest tip: always be suspicious if someone reaches out to you and makes you feel an emotion like fear, greed, etc. The point of social engineering is they can't do something without YOUR help so if you don't do what they ask, you win.

I was recently the victim of a pickpocket whom managed to lift my ID, debit card, and social security card. Now, being massively in debt and having atrocious credit, I’m inclined to not be all that concerned.

My questions are then, should I be worried about some other implications and if so, what would be some indications that my identity was being used in a malfeasant way?

Are you under the impression that it can't get worse? I would rethink that.

Regardless, never keep your SSN in your wallet and deal with your bank as quickly as possible after a theft. Indications of ID theft are usually obvious if financial, but less so if medical, job, or legal. I would make a police report of the lost wallet and keep it as inurance to prove you lost your data in case something comes up later.

Is there a way to check regularly that my identity is still my own? Or do I basically have to wait until something bad happens?

And is there a way to clean up my past of carelessness in sharing information? I used to sign up for everything online and have had so many jobs where people have seen my personal information.

Is there a way to get into jobs without having to give away so much personal information?

You get one free credit report per year from the major companies so you can do that. You can also set google alerts to monitor your name and other information to see if someone's pretending to be you online.

As for jobs, never give them full details until and unless you have confirmed they are a serious prospect. Put your name and qualifications, sure, but don't give birthday, address, social or anything else until there's a job offer on the table.

[removed]

See here: https://www.google.com/alerts

What is some of the best advice you could give someone trying to protect their identity?

Freeze your credit reports

Opt out of data mining: https://www.stopdatamining.me/opt-out-list/

Learn to be a pain in the ass when people or website ask for data. Omit as much as possible and lie (where legal and ethical to do so) everywhere else. The less places your data is, the harder it is to find and use.

​

Omit as much as possible and lie (where legal and ethical to do so) everywhere else.

More people should do this. I have a fake identity with his own email, google voice number, DOB, name, reddit account, all memorized. I've been using him for so long he probably has quite a history. Anyone can put gibberish in an online form, but you often need an actual email or phone number which will tie you back to your real self.

The most important reason to have a persona (as you're doing and I have also done) is that you can remember the fake data later. For example, when you put in fake challenge questions, it's easier to remember Malta as the place you grew up instead of random values every time.

Should I be alarmed if I am getting a lot more spam emails lately?

I think I noticed someone used my email to avoid getting annoying dealership emails. It seemed to be the extent of the issue. Their name didn’t match mine and my email is pretty generic.

Would it be extra to change my email? And what should I do if I suspect my email is used in a malicious manner?

Are you getting regular email from the same dealer? If so, you can easily filter it away in most email programs. If the dealer is real, but the name is fake that WOULD suggest someone has been using your information and I would freeze your credit as soon as possible: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

Changing your email can be a pain so I wouldn't unless it gets completely out of control. I actually did my master's studies on spam so my best tip is this: if the company is real and the emails are definitely from them, the unsubcribe button will work. If you doubt the source at all, never touch the links or call phone numbers or do any action described in the email.

My email is pretty much a common last name with my initial and some numbers.

I’ve seen a total of maybe 4 emails for one person and 2 for another before I unsubscribed them.

If the dealer is real, but the name is fake that WOULD suggest someone has been using your information and I would freeze your credit as soon as possible: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

By fake name do you mean that the person the email is going to is not my name? It’s never my been name so I wasn’t sure if it meant identity theft or not but this was a new thing for me.

Are you saying that the name NOT matching mine means that it is tied to misuse of my information?

Forgive me, I’m a little confused.

If you are getting emails regularly for Joe McFuckwit from the dealer and the emails appear real and the dealer is real, that would suggest that someone used your email at the dealer with their fake name. Thinking again about it, I'm not sure what sense that makes since they wouldn't use a fake name if they wanted credit... I may have spoken too soon. Either way, freeze your credit, be careful with your data, and unsubscribe or block repeat emails that come to you (but if the email is clearly spam or scams, never respond, only delete).

Similar question: I’m getting a lot more spam/spoofed phone calls and “sign up for __” text messages. I always block these numbers and then delete (which might not be the best idea because of spoofing).

Is this a cause for concern? Should I be alarmed that other identifying information might already be obtained?

A general increase in spam texts isn't likely anything major. Watch for patterns and private details (like your name and such), but it likely suggests you were part of a breach more than anything. Protip is to have your phone number in as few places as possible. Try not to let companies have it when they ask because they can't lose what they don't have.

Is a VPN a worthwhile investment?

I'd say so. They're not super expensive and they will help a lot when traveling. For home use, meh. Not as important unless you want to protect your privacy to some degree.

If there is so much misinformation out there, what should we be doing? What do we do that we don't really need to be doing?

When it comes to credit-based ID theft, freeze your credit reports. Fraud alerts are worthless and monitoring and insurance plans are IMO a straight-up scam. If it makes you feel better, go ahead, but make sure you really read what they're offering and know what you're paying for because there's a lot of BS in the industry of profiting from ID theft.

I'd like to see more detail in these AMA responses. If you think something is a scam, tell us why. Use real examples. So far, the most useful response was the guy with actual data on the percentage of documents stolen from mail.

Insurance scam: https://www.youtube.com/watch?v=yH7bfxIHuvQ

Monitoring scam: https://www.youtube.com/watch?v=3DKnHgsyeS8

Fraud alerts worthless: https://www.youtube.com/watch?v=srtZs1cxrbg

So how do we know you're not a identity thief who stole u/thegeekprofessor's identity and is now using it to spread misinformation to con people into giving you their sensitive information?

I'd say that thief is doing a great job helping everyone out today :)

When we "unsubscribe" From certain emails. like News letters or updates from say Amazon or Newegg. They SAY they dont keep our emails or sell them off. But do they really?

I actually did master's research on this in college. I wanted to prove companies were scum who sold your email and ended up proving the opposite. As long as you can tell the email is legit from a major company, using the unsubscribe works.

What's your social security number?

457-55-5462

What's the worst they can do with my stolen passport in Europe?

I'm afraid non US issues are out of my experience area, but if it were US, a stolen passport isn't more special than a driver's license. The main thing someone can do is gain services that require an ID. For us, that might be loans, jobs, access to accounts, etc. If I were targeting you specifically, I might use the ID as proof that I'm you to unlock credit reports or access to bank accounts.

If it were me, I'd check with your bank and other financial institutions to see what they say specifically. Maybe they can make a note on your file not to accept passport by email or mail but only in person and with additional ID.

Why does identity theft seem to be much more prevalent in the US compared to Europe? To me it seems that many of the issues center around the fact that americans don't have a proper secure identity card/number or online service, only the horrifyingly insecure social security card and drivers license.

Well it wouldn't be if we had better privacy and data control laws (something that it seems the EU does better). That and if everyone knew about credit freezes.

What practical steps should I take whenever I hear or see news stories about data beaches at major companies? Is it too late to protect my identity by the time I hear about the beach?

First, remember that companies try to shirk responsibility for breaches. Every data breach that has ever happened (that I know of) was due to company negligence.

They will recommend fraud alerts and possibly offer free monitoring trials, but that's a sham. Freeze your credit reports to help prevent your data from being used to get credit: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

As for "too late", kinda, but not really. If bad guy x has breach data, but bad guy y doesn't, doing better from now on will help. Opt out of as many major data brokers and you can: https://www.stopdatamining.me/opt-out-list/ . Then learn to be a data miser and never give your information up unless you absolutely have to. Every time someone asks for your phone or email or birthday or SSN, challenge them to justify their request and refuse if possible.

Hello, thanks a lot for doing this! Couple of questions please: 1. Is identify theft insurance essential? 2. In the event of someone else using my credit card, can my credit card company still force me to pay those charges? What are the powers in my hand to tell them I won’t or can’t pay?

> Is identify theft insurance essential?

Lol, no. Forgive me for laughing, but if you search for "Lifelock Sucks" on google, my website is the #1 link. I think most insurance is sketchy, but ID theft insurance most of all. Anyway, do it if the terms are really good (but you have to read and understand them pretty well before you make that determination), but generally just freezing your credit will be plenty: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

As for your credit card, good news. There was a law passed long ago that forces credit card companies to take on ALL responsibility for unauthorized charges. That's why they're so militant about shutting down your card or calling you when there's weird stuff (because they are legally on the hook so they care a lot more :) ). Here's the deets: https://consumer.findlaw.com/credit-banking-finance/are-you-liable-for-unauthorized-credit-card-charges.html

​

Is there anyway to hold companies financially liable for their failure to secure my data? I can do everything right, but that doesn't stop Target, my local hospital, Or ISP from fucking my shit up.

Possibly a class action suit, but I don't think our laws cover it well. The first and most important step is that everyone needs to know that companies are being negligent from the beginning to the end. First in getting hacked and secondly in trying to shift the blame to "clever hackers" instead of their own sloppy security. They also offer credit monitoring and insurance to pacify the masses when they SHOULD be directing people to freeze their credit reports. It's ugly and sad how they get away with it, but few people know better.

If I opt out of data mining, what services will be impacted? Will I have trouble building credit, or getting a loan in the future?

For what it's worth, I don't know. I haven't had a problem because, from what I know, most of the data brokering is all about marketing to you and not anything that will affect your life. That's not to say it can't or won't in the future, but you have to decide if the chance of that is really worse than the free trading of vast profiles of your personal data now.

I work from home, which in practice means working from coffeeshops a lot. What should I never do in a coffeeshop on public Wifi? I mean, I wouldn't log into my bank account. But should I avoid paypal? Amazon? Anything that has anything to do with money or accounts? What do I need to know?

Make sure that all your important connections are over HTTPS. Be especially cautious if there's more than one wifi connection (it's easy to spoof wifi). Make sure you have a password on your computer/tablet/phone and never leave it unattended. Be cautious about who can see your screen as you work.

I'm a nobody. I don't own a credit card, I don't have a job (ret), I live in a nation that doesn't have Social Security numbers, I'm not famous, and I have no secrets.

Why should I give a shit about protecting myself from identity theft? Who could conceivably want it?

It costs nothing to freeze your credit reports or be careful with your information and it can still bite you. Maybe they can get credit, maybe they can't, but what if they use your name and SSN when being arrested? Surprise warrents in your name are no fun.

If someone successfully steals your identity, how do you go about proving you are who you say you are? What stops the thief from making the same argument?

That's part of why this is such a shitty situation. Proving it wasn't you can be difficult, but may be easy as well. For example, it's hard to apply for a car loan in New York when you live in New Mexico. Anyway, the key is that ID theft is generally a drive-by deal and they won't stick around to prove that you owe anything. They already got what they wanted. Now it's up to you to clean up the mess.

This is why prevention is so important. Be careful with your data and freeze your credit reports:

http://www.thegeekprofessor.com/guides/identity-theft/credit-freeze/

http://www.thegeekprofessor.com/guides/privacy/data-defense/

I recently had my Apple ID stolen and used to register several new devices. Why would someone want to register new devices under my name? They even went as far as to name their devices my name.

Apple confirmed someone called into apple support as me and that’s where it started.

Should I do anything more than delete the devices and change my passwords to everything?

Delete the devices, change passwords, and ask Apple if they have options for better security to prevent this in the future. For example, can you require a PIN or confirmation of details they wouldn't have?

Please, stop using the term "identity theft". There is no such thing. The term is a propaganda term that attempts to shift the responsibility for carelessness of corporations to people who have done nothing to cause the problem.

An identity, i.e., who you are, can not be stolen, that's just plain nonsense. What actually happens is that some scammer goes to a corporation and makes the unsubstantiated claim that they are you. The corporation doesn't care to check that it is indeed you (usually by performing some nonsensical ritual that is useless for determining your identity, like asking for information about you that isn't secret), and then claims that you are liable for whatever the scammer did to them because the scammer said they were you.

Now, there might still be a legal responsibility, but the point is that that needs to change - and you don't change that by using a propaganda term of the enemy.

There is also a brilliant sketch my Mitchell and Webb on the topic:

https://www.youtube.com/watch?v=-c57WKxeELY

True or not, fighting terminology that has been codified in the public mind is a waste of time. I could argue that "gay" means happy and "hacker" just means someone who writes computer code, but it's way too late.

Should I really be worried about my identity being stolen when browsing the internet? If so, what are the common mistakes people make. What are things that happen that most people don't know is possible?

Online identity is a totally different ballgame, but here's some basics.

Yes, it matters because people have been fired for the things they said (or people thought they said) online. The most important things to do are to be careful what you say and post, take your online account seriously (good passwords, don't fall for scam emails), and monitor your name and usernames online with google alerts: https://www.google.com/alerts

I just recently discovered my identity was stolen, and whoever did it, opened a few accounts (couldn't do too much damage since I had a bad credit score anyway, but I just started getting creditor calls). What are the next steps for me to fix this?

File a report of theft with the FTC and the police. Use that as proof to challenge items on your credit report and get that cleared. Use that to tell the creditors to buzz off. If they are collection agencies, make sure you read up on your rights under the Faird Debt Collection Act: https://www.consumerfinance.gov/ask-cfpb/are-there-laws-that-limit-what-debt-collectors-can-say-or-do-en-329/

​

Identify theft expert makes it sound like you are great at stealing identities. Is that right?

Maybe you could do something for the viewing audience to explain what the real risks are from identify theft? People typically panic at the notion of the latest major-breach-of-the-month, but I have to think that, for most people, identity theft begins at home, and is done by someone who knows the victim, like a relative. True, or not so much?

I think I could do it pretty easily... hard not to learn of the darkness when you stick your head in it for a while :P

ID theft is a mixed bag when it comes who who robs you, but the common thread is that they have access to your data. Once they have it, they can open credit in your name, get jobs in your name, commit crimes in your name, etc. Luckily the most common is credit theft and freezing your credit reports will block most of that: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

Statistically, families are a big risk, but then again, I've never known someone who was ripped off by direct family so meh? I would say just keep your data away from everyone and freeze your credit reports and you're fine regardless.

I feel as if identity theft prevention, identity theft protection, and identity theft insurance are all kind of lumped under the same umbrella far to often.

In regards to the latter of these, is there anything about identity theft insurance that most people don't know about? As in situations that might not be covered despite people thinking they are insured against identity theft?

Most people don't know that it's a scam I suppose based on Lifelock's annual earnings. Obviously there are other options and I haven't looked specifically at Lifelock in a while, but the idea is to carefully read and make sure you understand the terms of the insurance. I've never seen one that was worth it.

Instead, focus on prevention as much as possible. Most ID theft is credit-based and most of that can be blocked/hamstrung by freezing your credit reports (which is now free for everyone since Sept): https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#score

In a SpongeBob situation, if your nametag isn't on your back and somebody actually stole it, what steps can you take to get your identity back?

Check with Patrick. He probably put it on by mistake.

Joking aside, freeze your credit reports, opt out of all data brokers you can, and be really stingy with your data:

http://www.thegeekprofessor.com/guides/identity-theft/credit-freeze/

https://www.stopdatamining.me/opt-out-list/

http://www.thegeekprofessor.com/guides/privacy/data-defense/

If you're into Id Management.. what do you think about the concept of self sovereign Identity?

Sovereign Identity is a bit complex and I haven't looked deeply into it. I have largely focused on the financial and general data risks to end users and not the computer/information security aspect. I can teach you to minimize your online profile and data risks, but not how block chain identities work :P

If somebody steals my identity and buys a car in my name. Then gets caught. Do I keep the car?

Not if you don't pay for it.

If someone uses your bank account to make an online purchase, and you discover the address that the purchase was sent to (several states away), how likely is it that your local law enforcement will do anything with that information?

Hard to say, but it's worth reporting anyway. The more they get, the more likely they'll act. Just keep in mind that the address something is sent to isn't necessarily where the bad guy actually lives. Don't get any funny ideas of going vigilante.

What's up with those phone calls that spoof other people's numbers that are similar to their own number? What do they get out of it?

A chance to talk to you and trick you into doing something that makes them money.