What Michiganders need to know to stay on top of identity theft

The recent data breach at Equifax has left a whole lot of people wondering how at risk they are for identity theft—and with good reason.

Equifax, one of three major credit reporting agencies in the U.S., was hit by a catastrophic cyber attack between May and June that compromised the personal information of an estimated 145.5 million people. The hack involved the theft of data like people's names, addresses, phone numbers and social security numbers, and in some cases credit card information. 

With this in mind, we decided to look into the identity theft threats people are facing in Michigan, which state organizations are protecting them, and what they can do to prevent or recover from a hack. 

Identifying identity theft threats
Wendy Nather - courtesy of Duo Security
As with the Equifax breach, criminals commonly rely on a combination of software vulnerabilities and human error to gain access to people's personal information, which can then be used to commit fraud.

"Anything that can be done to turn information into money is something that organized criminals will be doing," says Wendy Nather, principal security strategist for Duo Security, an Ann Arbor-based firm that specializes in cybersecurity products. "And they do it especially at this time of year, because volume is so high that it makes it more likely that stores won't notice fraudulent activity."

In the retail realm, criminals often steal credit card numbers or log into online accounts to purchase items which can be shipped elsewhere to make money. They'll also cash in a victim's consumer reward points to buy gift cards. Personal information like social security numbers can also be used to open fake credit accounts.

Beyond that, hackers can use private data to pursue personal vendettas against people they don't like. A malicious hacker could, for example, damage someone's reputation by posing as them on social media, ruin their credit or put them at risk by publishing information about them online, a practice known as doxxing.

Criminals often gain access to people's data through what are known as phishing scams, which involve getting a hold of sensitive data like passwords or credit card numbers by disguising themselves as someone trustworthy through an electronic communication.  
Jason Brown
Jason Brown is the chief information security officer with Merit Network, a research- and education-oriented nonprofit governed by Michigan universities that runs a special cyber range to train cybersecurity professionals on how to deal with security threats. Today's modern phishing operations, he says, can be much more sophisticated than the classic "Nigerian Prince" email scams, and often involve scoping potential victims out online prior to contacting them.

"We deal mostly with universities during tax season," Brown says. "The security teams are really upping their game and making sure the W-2 forms faculty and staff are receiving are legit, so they can hurry up and file for their taxes before somebody follows up on them and files the tax returns on their behalf."

In addition to convincing people into giving up information, criminals can also trick victims into uploading malware onto their computers and smartphones which could potentially allow them to keylog passwords as they're typed or even gain remote control over a device.

And these sort of phishing scams are surprisingly common. Institutions Brown has spoken with in the last few months have reported between 1,000 to 6,000 email accounts compromised by phishing incidents.

Beyond these sorts of situations, individuals can also have their data stolen by unscrupulous restaurant or retail employees or by electronic skimmers illegally attached to gas pumps and ATM machines. Crooks have also figured out how to pirate data from public Wi-Fi connections with skimming technology. And, of course, as we've seen with the Equifax breach, malicious hackers can always just opt to steal consumer information from the database of service providers.

So who's perpetrating these attacks? Well, a lot of different folks.

"You do have some criminal organizations that are going at those Fortune 500 companies to try and get money of them," says Brown. "But a lot of these are small groups of maybe one to five individuals that find code online … and launch attacks against other people or organizations.

"I can't say that it's a majority of large nation-states or large criminal organizations," he adds. "It's all across the gamut."

Protecting yourself

In order to avoid being the victim of identity theft, it's important to take some sensible precautions.

Nather advises not using the same passwords for every site, as once a hacker has access to one, they're liable to try in many places hoping for a duplicate. She suggests writing them down and keeping them in a wallet or using an online password manager program to keep track of them. Beyond that, use two-factor authentication, which in addition to asking for a password, either sends a phone notification or a special authentication app. That way even if a password is stolen, there's an additional layer of security that prevents criminals from compromising someone's data. 

Duo Security offices

Nather also thinks consumers should consider getting two separate credit cards, one for shopping in person and another for e-purchases and monthly payments.

"That way if their in-person one is compromised, they don't have to go back and change the other one. They have something to pay their monthly bills with."

Because the process of recovering from identity theft can be such a headache, Brown suggests preemptively putting a self-imposed credit freeze on services like mortgages and car loans if you're not actively using them to make it more difficult for criminals to open false accounts.

Recovering from identity theft

Regrettably, simply taking precautions is no guarantee against identity theft, so it's important to check regularly with credit monitoring agencies, which provide one free credit report to consumers a year. Computer users can similarly check with online monitoring sites (like this one) to see if their email addresses have been compromised.

In the event that someone is victimized by identity theft, Michigan State Police spokesman Lt. Michael Shaw says the first step is to report the crime to local law enforcement. 

"They may try to hem-and-haw a little bit, but you need to get that police report," he says. "Everybody's going to ask you for it, from the Secretary of State's office to credit unions to collections agencies, they're all going to want some type of proof."

Unfortunately, much of the leg work of reclaiming an identity will fall on the victim. To make things a little easier, the Michigan State Police does have online resources, including forms and steps that can be taken, for people who have fallen prey to identity theft. 

Once a police report is filed, victims will need to start notifying banks, creditors and various agencies to begin cleaning up their identity. It's an intensive process that takes about six months to complete, but it will need to be done to start getting things back to normal.

"I think everybody just needs to be aware that it happens everyday," says Lt. Shaw. "Don't be afraid to check your credit reports more than once a year to make sure there's nothing fraudulent going on."

This article is part of a series on the state of STEM education and workforce development in Detroit. It is underwritten by the Michigan Science Center. Read more articles in the series here

All photos, except where mentioned, by Doug Coombe
Enjoy this story? Sign up for free solutions-based reporting in your inbox each week.