Identity theft insurance: is it worth it?

May 27, 2020

This is a personal account from one of our Wealth Advisors, Jeff Clark.


I get this question quite a bit.  Especially now that most of us find ourselves quarantined in a digital world where we’re forced by social distancing to be spending a lot more time conducting our daily business online.

I personally had my identity stolen trying to buy a pair of earbuds online.  The webpage looked promising and clean, similar to other sites I had used in the past.   But as it moved into the online “cart” I started to smell a rat.  Things like the shipping cost or estimated delivery date were not where I expected them to be.

Something wasn’t quite right.  And as soon as I got to the last page I realized the tracking number was fake and I soon realized it was a scam.  But it was too late. I’d already plugged in my credit card number, phone, address, and everything that one would need to ship me a product.

So they got me.   Now what?  

This is where being organized and being able to respond quickly can snuff out this fire while it’s small, before it starts burning into something bigger.

So first things first.   Cancel the card so it’s un-usable.  I dutifully logged into my credit card app and froze my card.

Then there was a place on the same page for me to report that it was a stolen card.  So I reported the card stolen.  I also was able to let them know that it was a false charge and dispute the charges.   I was able to upload a copy of the receipt (a screenshot from my phone) and a link to the Better Business Bureau, where this organization had a number of client complaints about the company misleading people online.  (I wish I’d seen that sooner.)  48 hours later they had resolved the claim and refunded the charge as well as sent me a new card in the mail.

In reality it took 15 minutes of my day to resolve the breach, and probably 45 minutes of anxiety just being mad at myself for clicking the link and not being more careful.   But overall, it was resolved fairly quickly.   And I’m sure most of us have been through something like this where it steals our peace of mind at the time but now we can laugh about it.

But what would have happened if I didn’t act quickly, or have any awareness that I should?  What if a breach like this ran unknown for months and I didn’t realize what was going on until I started racking up false charges?

The reality is that even if we play good defense, have great passwords, and we are clever enough to know the “Saudi prince” is not trying to send us money; the places where we do business themselves are vulnerable as well.

Companies employ humans and they are vulnerable too.

Just in the last year, Marriott was compromised, releasing 5.2 million users’ information.  And Microsoft, whose very business is literally data security, had 250 million users exposed.  T-Mobile, over 1 million users exposed.  And the list goes on.

We’ve all had notifications come to us from Target or Home Depot letting us know, “Hey, we’re sorry but we’ve had a breach and we need you to change all of your log in and password information… and you should probably change your credit cards too…” So how do we adjust to this new normal knowing that both we and the places we do business with are equally being attacked by opportunistic thieves?

How do we create a situation that gives us the best shot at being organized enough to respond to these things quickly and effectively where it’s not disruptive to our daily lives?  Speed is important because the data that is stolen is then sold on a black market where thieves know that they have to use it quickly because eventually the information may be changed and become useless.

Then what about us as a family?  We all share these services, so how do we get organized as a group so spouses and kids have access, but the wrong people don’t?

Playing Defense

The good old master notebook in the office drawer.  It’s the keeper of the passwords.  Dummy proof and simple.  Even getting groceries today we find ourselves having to log in to an online account just to maintain social distance.   This has created a world where we need so many passwords that the notebook approach has some risks to it.

Hackers know that many people re-use passwords.  How could we not with so many accounts to access?   But this means that if one is compromised, a thief’s first move is to simply try that username and password on other commonly used sites.  Often they have a good shot at hitting a jackpot.

There are certainly ways to avoid duplication and predictability using the old “notebook” system.  You could do things like use memorable song lyrics.  For example using the first letter of every word in a memorable phrase.  “It’s a beautiful day in the neighborhood” could be converted to IABDITN for example.   Or the old phone key trick, where words like “barbell” can be converted into a phone number 2272355.  And as long as you can find a phone with letters on the keys, you can decrypt and figure out what that code was.

Even this has its flaws though.   How do I remember the code words?   Does everyone in the family know the cipher process and follow it?   How do I avoid duplication?   And more importantly how do I make changes quickly when I need to respond to a reported data breach?
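The two notebook tricks above, written out as an added example (not part of the original article) to show the flaws in numbers: a keypad code is digits only, and many different letter strings share the same code, so it cannot be "decrypted" uniquely. The function names are hypothetical.

```python
# Added illustration, not from the original article. Function names are hypothetical.
import math

# Letter groups printed on a standard telephone keypad.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def initialism(phrase):
    """The lyric trick: first letter of every word, upper-cased."""
    return "".join(w[0].upper() for w in phrase.split() if w[0].isalpha())


def keypad_encode(word):
    """The phone-key trick: map each letter (a-z only) to its keypad digit."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())


def keypad_preimages(code):
    """How many different letter strings produce this same digit code."""
    return math.prod(len(KEYPAD[d]) for d in code)


def keyspace_bits(alphabet_size, length):
    """Size of the search space, in bits, for a random string of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    code = keypad_encode("barbell")
    print(initialism("It’s a beautiful day in the neighborhood"))
    print(code, "is shared by", keypad_preimages(code), "letter strings")
    # Seven digits give a smaller search space than seven random letters.
    print(round(keyspace_bits(10, 7), 1), "bits vs", round(keyspace_bits(26, 7), 1))
```
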

Several online password managers have been created to upgrade the old notebook system.   But I know what you are thinking.  “What if my password manager is hacked?”   Good question.  

Password Managers & Encryption

One reason to have confidence is that top level password managers use data encryption.  Encryption means that neither a hacker getting into that system nor employees working for that company can decrypt the information that’s put in there.  Encryption by design is unreadable to all parties involved and without the perfect combination of each party’s credentials the “lock” cannot be opened to unscramble the information.  As a personal aside, I spent a semester in college studying the mathematics behind how encryption algorithms work as my senior capstone project.

In a nutshell, ciphers as they are built today are un-hackable by a brute-force approach.  Even if you used Tianhe-2 (MilkyWay-2), the fastest supercomputer in the world, it would take millions of years to crack 256-bit AES encryption by brute force.

The only way to steal information through an encrypted system like this is through human error.   And if we’re being honest we know that our habits are really the weakest link.  It’s not the cyber-criminal in a basement somewhere whose overwhelming skill is going to break down our digital front door.  It’s going to be because we, or someone at the company where we do business, left it wide open in the first place.

So the benefit is, for one, that the information that’s stored in the online vault is scrambled and unreadable except to the right person who puts in the right credentials to get access to it.  This is the same for digital cloud services and credible online document storage services.  Maybe a topic for another time.

Complex Passwords Lock the Door

If the vault is protected by encryption, then the door is protected by the password.   The more characters, the more combinations, the harder a password is to guess.

Imagine a bike lock with four digits on it.  There are ten thousand combinations to try to brute force guess that combo.  (10x10x10x10 = 10,000)  It would be easy if it were something like your birthday or your anniversary and someone happened to know you well enough to have a shot at guessing it.  To prevent “guessers” from having a shot, companies typically require passwords with at least 6 characters or more.  When you add letters and complex characters into the mix the number of potential combinations skyrockets leaving guessers without any real chance.  Unless of course you choose “password” as your password.   Which brings up an important point.

The very act of being able to remember a password is a risk in and of itself!  Why?  Because it’s memorable!   Password managers help solve this challenge by offering to generate a truly random password for you that’s unique, enough characters, and fits the requirements of the field that they’re looking for.

Letting a tool generate something that isn’t memorable adds a layer of security that can then be saved in your shared vault so that you and your other family members don’t have to remember the Netflix password either and thus risk giving it away by accident.

We’ve all seen it.   The email that looks like we are logging into a page that really is a fake copy posing as the real deal.   Password managers would recognize these phishing pages right away and let you know it is not a real website and won’t let you or your kids enter your credentials.   And if they did bypass the warnings and enter them anyway, there are resources to help you learn about it quickly via email notification, and quickly log in to change them.
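A sketch of what "generate a truly random password that fits the requirements of the field" involves, added here as an example and not taken from the article or from any particular password manager. The character classes, default length and function names are assumptions; the guess rate passed to `years_to_exhaust` is whatever the caller chooses to assume.

```python
# Added illustration, not from the original article or any vendor's code.
import secrets
import string

# Assumed site policy: at least one character from each of these classes.
DEFAULT_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, "!@#$%^&*()-_=+")


def generate_password(length=20, classes=DEFAULT_CLASSES):
    """Random password from the OS CSPRNG that satisfies the class policy."""
    classes = [c for c in classes if c]
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(classes)
    # Rejection sampling: redraw the whole password until the policy holds,
    # so every policy-compliant password stays equally likely.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def combinations(alphabet_size, length):
    """The bike-lock arithmetic: 10 symbols, 4 positions -> 10,000."""
    return alphabet_size ** length


def years_to_exhaust(combos, guesses_per_second):
    """Time to try every combination at an assumed, caller-supplied rate."""
    return combos / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    alphabet_size = len("".join(DEFAULT_CLASSES))
    print(generate_password())
    print("bike lock:", combinations(10, 4))
    print("20 random characters:", combinations(alphabet_size, 20))
```
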

Instead of being links in the chain of telephone tag, family members can instead use it as a shared resource with checks and balances to protect each other from each other.  I’m certainly not saying that anyone is likely to be a bad apple and do something they shouldn’t, but the very existence of multiple users of these online services itself creates the potential for miscommunication and accidents.

Fortunately they all typically have a phone, so they can verify their identity with two factor authentication by receiving a security text.  iPhone users have the added benefit of being able to verify their identity using a thumbprint scanner so they don’t have to remember a master code.  This key unlocks the door and they are then able to login without asking you for the password.

Using a password manager also helps you remove duplication because it prompts you with a notification that says, “Hey dummy, you have the same password on 15 different accounts here.”  And “Here’s a recommended password change.”  Personally I have now adopted LastPass which has a feature that will prompt me when it notices I have duplicated passwords and provide a quick “game” like experience that walks me through changing the passwords and improving my “security score.”   It’s also nice I don’t have to bug my wife for passwords anymore or bother trying to remember them at all.

Playing Offense

Facing a data breach is an eventuality for all of us.  So what can you do to arm yourself with the resources to fight back?   Identity Theft Insurance.  It’s worth it.   For example, LifeLock for around $10 to $30 a month offers coverage for stolen funds reimbursement, personal expense compensation, and even funds to pay lawyers and experts to help you manage the situation.

What’s cool about a system like this is that behind the scenes, they have already assembled a suite of resources and vetted relationships to help you manage your way through addressing the challenges involved as they pop up.   And depending on how severe the breach is, it could be like whack a mole for a while where you have to keep swatting those mosquitos until it has finally run its course.   Without having organized the resources to do battle, it can turn a molehill into a mountain pretty quickly.

Fortunately with a service like LifeLock, you can side step the hours and hours on Google researching what to do and dive into taking action.  You basically call LifeLock and say, “I’ve been breached,” or they send you an email saying, “Hey, we think you’ve been breached.”  Then you get connected and after they’ve verified your identity they get you started on checking the boxes to make sure you take the right steps.

Not only is there peace of mind that insurance like this will provide money to reimburse you for what you may have lost, but the time that is saved by them already having vetted resources to help is priceless to snuff that fire out before it gets out of control.  This is why I personally carry LifeLock insurance.

My hope in writing this is that you consider a password manager like LastPass, or maybe identity theft insurance like LifeLock so that you can have the resources you need to prevent breaches where possible and take action quickly when necessary with simple tools that don’t have to truly disrupt your day because you did all the legwork on the front end to be ready for this.

And maybe that you take yourself a little less seriously.  This is planet earth and people steal things.  We’re all human and it’s not our fault that people steal from us.  But we can get organized to make it difficult for them so that when they do eventually get something they don’t steal our peace of mind in the process.

Investment advisory services offered through Pine Grove Financial Group, an SEC Registered Investment Advisor.
