I was a victim of ID theft this last week. Luckily, my credit card company (and their AI) were vigilant and phoned me on the weekend, and I was able to cancel the account before too much <financial> damage was done.
I am now still faced with the fact that this compromise throws all my personal system security in doubt. According to the 10 Immutable Laws of Computer Security:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
“It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer. It could monitor your keystrokes and send them to a website. It could open every document on the computer, and change the word "will" to "won't" in all of them. It could send rude emails to all your friends. It could install a virus. It could create a "back door" that lets someone remotely control your computer. It could dial up an ISP in Katmandu. Or it could just reformat your hard drive."
spogscreen: if you are reading this on any site other than http://blogs.technet.com/tonyso, please come on over to the original post.
So, now all my personal systems are untrusted. This means a weekend of rebuilding my home network and the PCs from original media to ensure integrity, restoring required backups of music and pictures (thanks WHS!) and working through the following checklist:
Contacting my financial institutions to ensure no accounts have been taken over or been created in my name without my knowledge. I get an average of 2 unsolicited “pre-approved” credit cards per week in the mail for example. If my bad guys have physical access to my recycling can – they can grab these and open accounts. I wouldn’t know for weeks.
Change my Automated Teller Machine (ATM) card, account, and Personal Identification Number (PIN).
Contacting all creditors that the bad guys defrauded. For example, checking every online bill-payee – such as my long-distance telephone company.
Pre-emptive filling out the ID Theft Affidavit at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf to dispute new unauthorized accounts.
Contacting the fraud departments of the three major credit bureaus at http://www.consumer.gov/idtheft/recovering_idt.html#9 and place a Fraud Alert on my files.
File a report with my local Police Department, so I have a copy in case any creditors require proof of the crime.
File a complaint FTC: Online at https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03
Contact my postal inspection service in case my bad guys has submitted a change-of-address form with the post office to redirect my mail, after sending in one of those “pre-approved” CCs: http://www.usps.com/nationalpremieraccounts/findlocators.htm.