Protecting Your Identity

Joel Winston
Associate Director, Federal Trade Commission
Thursday, September 21, 2006; 1:00 PM

Thieves are no longer only after your wallet, jewels, artwork or other precious belongings. Instead, they want you. With the proliferation of online transactions and the trend toward a cashless society, the number of identity thefts are rising. Being a victim can not only wreak havoc on your credit -- preventing the ability to buy a house or car -- it can take years to overcome.

Joel Winston , associate director for the FTC's Division of Privacy and Identity Protection, was online Thursday, Sept. 21 at 1 p.m. ET for a discussion on how to shield yourself from identity theft and what to do if you're a victim.

A transcript follows .

More information on identity theft: Special Report: Protecting Your Identity .


Newport News, Va.: I have been paying my bills online, is it still safe to do so with the proliferation of technological gadgets that could potentially infiltrate your home PC?

Joel Winston: Hello,

Of course, there is no fool-proof way of sending information to your creditors. But, so long as you take reasonable precautions, paying bills online is no less safe than using the mail. The most important thing to remember is never respond to a "phishing" email, which comes unsolicited, directs you to a website that looks like a legitimate one, and asks you for personal information


Houston, Texas: I had my identity stolen in 2000. I was living overseas at the time the theft occurred. Early this year I settled out of court with a collection agency who had tried to sue me to collect money they clearly knew I did not owe. One of the provisions of the settlement was that they inform the credit reporting agencies that this debt must be removed from my credit report. This was done, and in June my report was clear. Yesterday, my credit monitoring agency reported that this bad debt has shown up AGAIN on my report. What do I have to do to get this taken care of? I have informed the credit agencies multiple times and I feel like I am going crazy.

Joel Winston: Getting your credit report cleaned up can be frustrating some times. You should send a dispute - with documentation - to the credit bureaus and explain the problem. If the wrong information continues to show up on your report, file a complaint with the FTC. Our website,, has lots of good information on this.


Annapolis, Md.: I was the victim of some fraud on my MasterCard to the tune of $25,000. Once I noticed the fraudulent charges I promptly canceled the card which was always in my possession. It looks like Mastercard will delete all charges, but that remains to be seen.

I got a credit report which looked fine and plan to get one on a regular basis. My question is what else should I do to make sure other financial info has not been compromised?

Joel Winston: Assuming only your credit card number was stolen, you've done everything you need to do. But, if you are concerned that someone may have gotten your Social Security or Driver's License number, you may want to put a fraud alert on your credit file and monitor your credit report. Remember, you have the right to get a free credit report from each of the national credit bureaus every 12 months. See for more details


Jamie , Washington, D.C.: I recently received a letter from a company warning that my personal information may have been compromised. The letter recommended that I obtain free copies of my credit reports, but stagger my requests. Is this good advice? I thought the credit bureaus have different information, so one report may not accurately provide a good snapshot of activity that might be present.

Joel Winston: Staggering your requests for free reports is a good idea. It's true that the reports aren't identical, but if an identity thief is opening new accounts in your name, they should show up on all 3 bureaus' reports. It may take a few months for that to happen, however. In the meantime, you may want to put a fraud alert on your credit file.


Washington, D.C.: Regarding advice to check your credit reports regularly: are multiple inquiries listed on a credit report an indication of someone trying to establish credit with your information? Or is it normal to see multiple inquiries on your credit report (with no corresponding open account) from any any of the myriad companies that try to extend us credit on a regular basis?

Joel Winston: your credit report sometimes will show multiple inquiries from companies getting "prescreened" lists from the credit bureaus to market credit cards or phone service to you. That's normal and nothing to be concerned about. But, keep your eyes open for other unusual activity which might indicate identity fraud, like new accounts being opened that you didn't do


Washington, D.C.: I have been told from members of my bank that identity theft is a hoax, and that it is committed 90% of the time by family members or "friends". Is that true?

Joel Winston: The FTC's surveys indicate that the leading cause of credit card fraud is family, friends, or other people you know. But, it is not 90% and there are millions of incidents each year that come from third party fraud


Lawrence, Kans.: If a business has SSN information without any names attached to it and the file is stolen, what can a thief do with that information?

Different question--If a number is truncated but has a name/identifier, can a thief do anything with that?

Joel Winston: A Social Security number without a name can lead to identity theft, because the thief often can "reverse engineer" the name using public data services and online search engines.

Truncated numbers are far safer, but not foolproof


Chicago, Ill.: Do you see any new legislation that will surface in regards more strict enforcement of company's commitments (as companies outline in their own privacy policy) to its customers?

For example, I see companies commit strong authentication and best industry practices in their corporate privacy policies. Yet, we here elementary level breaches and data compromises occurring all the time. Why isn't FTC doing a better job in holding, especially Fortune 50, companies responsible for their commitments?

Joel Winston: Actually, the FTC has brought a number of lawsuits against companies that made false or misleading promises about the data security practices, including such big names as Microsoft, Tower Record, Guess Jeans, and Petco.


City of Fairfax, Va.: I have heard stories where some people were filling out credit-card applications and using the SSN of their children (or their neighbor's children). Could this really happen? Is it really going on? Wouldn't the credit-card companies see that something is wrong and deny it? More importantly though, how would a parent keep watch on a 13 year-old's social security number or credit report to make sure it is not being used that way?

Thank you for talking about this important topic; everyone needs understand as much as they can about what the 'bad-guys' are doing to help stop them. Thank you for your time and any help.

Joel Winston: I hadn't heard about this one, but the credit card companies certainly should be spotting cases where the name and social security number don't match. It's not a bad idea to order a credit report (it's free) for your children to make sure everything is okay. Don't be surprised if your children don't have a file, however.


Rochester, N.Y.: I understand that some members of congress are attempting to pass legislation that would prevent states from implementing the "credit freezes." What has happened to this legislation?

Joel Winston: Congress has been considering about two dozen bills on identity theft and data security issues this session, but none have made it to a floor vote. Most likely, there will be another push for legislation next year. Some of the bills would provide for credit freezes on a national basis, and preempt any state laws on the subject. For those who are wondering, a credit freeze is available in several states and enables you to "freeze" your credit report so that no one can get it. That way, you can keep an identity thief from opening a new account in your name. In some states, anyone can get a freeze, but in others it's available only to identity theft victims


Atlanta, Ga.: Who is the genius who neutered the Fraud Alert so that it is only valid for 90 days?! The more-permanent alternative requires a copy of a police report, which I lack because I, having all of the credit I need, don't want anyone extending credit in my name without contacting me first (which may or may not happen with Fraud Alerts in place). So that this isn't just my griping, short of setting a reminder to re-up the Fraud Alert every 90 days, is there a way to proactively 'permanentize' it? Thanks!

Joel Winston: The fraud alert system was established by Congress in 2003. It's true that you cannot get a 7-year alert unless you have a police report showing that you were a victim of ID theft. But, you can renew the 90 day alert.


Arlington, Va.: My cell phone was stolen and used by the thief to call other people. I reported this to the police but they refused to help me retrieve it and said it is not worth their time. I really want my phone back because it has lots of data. What can I do if the police refuse to help?

Joel Winston: I'm not sure what you can do if the police won't conduct an investigation. You should, of course, contact your telephone carrier, which I assume you've done


Arlington , Va.: About nine years ago someone tried (unsuccessfully) to get credit cards in my name, at that time I reported this to the police but they said they did not have laws that allow them to go after the criminal. I know the person who tried to get the cards in my name from the address he used. Are there new laws that allow me to follow up on this now?

Joel Winston: There are a number of state and federal laws that make identity theft a crime, some of which are new. So, it depends on the individual state.


Annapolis, Md.: My son has the same name as his father and does not always use the "Junior" on his name. He checked his credit report recently and found a credit card listed from the 1980's that clearly belongs to his father. Does he need to have this removed from his credit report?

Joel Winston: Definitely. He should file a dispute with the credit bureau to get the information corrected. There's a good how-to guide on the FTC website,


Maryland: I just want to make the point that what many people believe is, and what the media often portrays as, "identify theft" in fact is old fashioned credit card fraud. There truly is a difference.

Additionally, I applaud your comments about the comparable safety of online transactions vs. paper ones. There isn't anything to be afraid of as long as one takes standard precautions. You have a lock on your front door - so make sure you have one on your computer in the form of a firewall and associated programs. You wouldn't give your credit card in person to a business you did not know or trust - so don't do that online. Common sense will go a long way here.

Joel Winston: I agree with your points. Technically, federal law defines "identity theft" to include credit card fraud. But, the far more damaging problem is when a thief gets your Social Security number and opens new accounts in your name. If they only steal your credit card number and make unauthorized charges, typically you won't have to pay for them. The law limits your liability to $50 and most credit card companies waive even that


Toronto, Canada: How safe is it to request an electronic credit report from the Internet? Is is possible that the credit reporting Web sites are fake?

Joel Winston: Good point. We have seen some fraudulent websites that mimic the official free report site. When people go to the fraudulent site, their information may be harvested by identity thieves.

Make sure you go to (don't misspell it). To be safe, you can link to it from


Tucson, Ariz.: Are there any additional precautions individuals living in border states should take to protect their identities? It seems like we hear more stories in our state every day about border crossers purchasing falsified documents that use the social security numbers and birth dates of others.

Even infants and the dead seem not to be immune. It also seems like the elderly are scammed at a higher rate than others. Suggestions?

Joel Winston: Yes, there has been a growing problem of illegal immigrants and others stealing identities, forging papers, etc. The same advice applies as to other forms of identity theft. Keep an eye on your credit report, make sure you monitor your credit card and other bills for phony charges, etc.


Chevy Chase, D.C.: The identity theft problem can be so devastating because creditors are allowed to attach information to a person's file without having to actually authenticate the identity of the person. An easy fix would be to allow the ability to the ability attach a phone number to the credit file and require the creditor to confirm through this phone number that the person is indeed applying for credit.

This or some other simple authentication could take care of a lot of the problem. Why isn't this being done?

Joel Winston: The FTC and the federal bank regulatory agencies are conducting a rulemaking to address this problem and other situations that might indicate identity theft. In the meantime, you can put a fraud alert on your file, which signals creditors to be careful to authenticate a credit applicant who might be an identity thief. Again, monitoring your credit report and disputing inaccuracies is critical


Tucson, Ariz.: I keep receiving mail (they look like bills) addressed to an individual with my last name. This individual is unknown to me and is not a family member. The odd thing is that the address belongs to the neighbor directly across the street, who knows nothing of this. I have called the company issuing the bills (they service the the credit cards of a national appliance and electronics company.) and they assured me they would stop sending bills. However, I keep receiving and returning them every month. Should I be worried about stolen identity?

Joel Winston: It's probably just a mistake, but it's a good idea to check your credit report to make sure everything is okay.


Arlington, Va.: Don't we need to update existing laws so that any type of identity theft is illegal. Prefixing or using any other method to get any type of protected information (financial, medical, educational, etc.) should be illegal. Why have we not attacked this in a comprehensive way? Also, why can't we de-link Social Security Numbers from personal information. It would cost certain companies money, but many companies use a unique customer ID instead of Social Security. If they need to link to other databases containing SSNs, they make sure the data isn't available to the public or hackers.

Joel Winston: Pretexting - using fraud to obtain another's personal information - is illegal with respect to financial information. Congress is considering extending this to telephone call records, a problem that's been in the news a lot lately because of the Hewlett-Packard situation. So far, Congress hasn't passed a bill.

As for Social Security numbers, you are right that they are too widely used and too available. For many purposes, the Social is very useful and necessary for our economy to function. For example, it's your Social that matches you with your credit file - that's why you have to give it to a lender when you apply for a loan. But, in some cases, it's used when it doesn't need to be. For example, some colleges use the Social as a Student ID number and print it on ID cards. That's a bad idea, because an identity thief can steal the card and use the name and Social to open new accounts in the student's name


Downtown, D.C.: Mr Winston, Does IT insurance really provide protection -or is this another way for the insurance industry to drain our wallets?

Joel Winston: I'm assuming you're referring to identity theft insurance, which some companies now offer. The insurance pays for your losses if your identity is stolen. I can't really give you a broad answer, because the products vary so much, but it depends on how much risk you're comfortable with. You should think about whether the risk is high enough to justify the cost, kind of like extended warranties on appliances that may give you peace of mind, but are relatively expensive compared to the risk.


Washington, D.C.: I am increasingly concerned (and have been for quite some time) about companies asking for my "social" (SSN). I do -not- provide it generally, but my mortgage company has it, my cell phone company has it (a condition of getting service), my bank has it -- this is nuts! The more disseminated the SSN is, the higher the risk of identity theft. I am a privacy freak, have a cross-cut shredder running regularly, I never take my checkbook with me, with minor exceptions, and yet the proliferation of SSNs in our society, with what appears to be a corporate entitlement to this vulnerable information, is very troublesome, to say the least. Any comments?

Joel Winston: Because the SSN is how you're matched to your credit report, any business that needs to pull your report (which includes creditors, insurance companies, phone companies, employers, landlords) will need your Social. But, I agree that too often businesses ask for it out of habit. It's not a bad idea to ask why they need your SSN before you give it to them.


Fairfax, Va.: Hi -- My husband was the victim of identity theft last month. It turns out the thief was able to obtain credit with my husband's SSN, DOB, and address, but used the wrong last name! When we reviewed his credit report, this fake name now appears as one of his aliases.

Of course, we directed the credit agencies to delete this name, but it makes me wonder how in the world in this age of heightened security can someone be approved for credit using the wrong name? What's even more maddening is when we contacted the agencies to put an extended fraud alert onto his credit reports, they require all kinds of documentation (copies of social security cards, utility bills, etc.). I find it ironic that we have to provide so much documentation just to put an ALERT on his report, yet a thief doesn't even have to use the correct name to set up credit.

My question to you is what can be done to make this system tougher for the bad guys, and easier for the good guys? And who's in charge of monitoring the credit reporting bureaus?

Thanks for your time.

Joel Winston: good questions! To answer the last one first, the credit bureaus generally are regulated by the FTC under the Fair Credit Reporting Act. That law sets us detailed rules on what credit bureaus can and can't do.

Certainly, the company should not have opened an account with a wrong last name - it sounds like sheer sloppiness. As I mentioned in an earlier answer, the FTC and others are working on rules that would make creditors be more careful before opening accounts to make sure that the applicant really is who he says he is


Harrisburg, Pa.: Joel: Will there be federal ID theft legislation so that states are not left in the position of having 50 different pieces of legislation? thanks

Joel Winston: There's already a fair amount of legislation on identity theft on the books. What Congress has been wrestling with is federal legislation that would require companies to protect sensitive consumer information and to notify consumers when the information is lost or stolen. It is very unlikely that this legislation would be enacted this year, but it may well happen next year


Marc, Washington, D.C.: Why does the FTC do nothing with the list of identity thieves generated by SSA and IRS? Why is an agency with no enforcement power on identity theft in charge of it's reporting?

Joel Winston: The FTC maintains a national database with over a million complaints from identity theft victims. Although we don't have criminal authority to prosecute the thieves, we share the information with over 200 law enforcement agencies - federal, state, and local - who do have that authority.


Munich, Germany: In the recently scandalous investigation of news leaks at Hewlett-Packard, detectives hired by HP had attempted to install spyware on the laptops of suspected leakers.

How often do you think that such a thing occurs?

Is this type of spyware available off the shelf for any detective agency or had the detectives working for HP developed their own spyware?

Joel Winston: There's lots of spyware out there. In particular, the spyware in the HP case included a "key logger" program that would enable someone to monitor the key strokes on your computer. This type of spyware is illegal


Fairfax, Va.: This is a great topic and very much needs to be in the front of peoples minds these days. I am in the security field and am fairly vigilant when it comes to my personal information. However, I am most worried about protecting the denies of my children. What can you recommend to parents - aside from the usual recommendations of keeping the computer in an area where we can watch them, etc. - that we can do to help ensure their personal information is not being targeted or used in bad ways? They probably don't have a credit report at 10 years or younger. Am I overly cautious?


Joel Winston: Not at all! The key is to educate your children not to give out their personal information online or to anyone they don't know. That also means telling them that, if they use Facebook or some other program like it, they should be extremely careful about what information they reveal.


Kansas City, Mo.: What about notifying a company after you've applied for credit that you want them to remove/delete your SSN from their files? Is there any legal basis for forcing them to do this? What about if you cancel a credit card, can you force a company to remove your SSN from their systems?

Joel Winston: I'm not aware of any legal requirement that a company would have to delete your social security number after you close your account, but it can't hurt to ask! Keep in mind that under federal law, the ability of the company to share your personal information with others is restricted, and you may have the right to "opt out" of the sharing of your information with third parties. Unfortunately, the law is very complex and has lots of exceptions, so I won't have time to explain it


Washington, D.C.: Although it is a pain, I routinely shred any correspondence I receive that has my name and address printed on it. Is this overkill? Can someone steal an identity with just a name and address?

Joel Winston: Usually not, but it happens. It's a good precaution in particular to shred those "prescreened" or "preapproved" credit card and phone offers, because there have been at least a few cases where thieves have rummaged through the trash, retrieved those letters, and opened accounts in the consumer's name. Remember that you can choose not to receive prescreened offers by calling the "opt out" number listed on each prescreened solicitation. This won't eliminate all credit card offers, but many of them


Baltimore, Md.: What is/are the best Web site(s) for consumers to refer to that are updated regularly to explain new dangers and best ways to protect themselves? Thank you! Our Identity Theft Special Report Page offers news and tips.

Joel Winston: Not to toot our own horn, but the FTC website - - is the best one around. It also has links to other useful sites like


Tucson, Ariz.: Regarding the question posed by the writer from Munich- If key logger spy wear is illegal, why is it not illegal for employers to monitor the emails of their employees and Internet use?

Joel Winston: Typically, when you go to work for a company they have you sign a statement consenting to their right to monitor your email, Internet and phone use, etc.


Pittsburgh, Pa.: When I arrived at the emergency room of a hospital for which I have a medical card (which I presented), they asked for my SSN as well. I said "no," but they told me that I couldn't be admitted without giving it. I was so seriously ill that I didn't have the energy to argue. Did they have the right to require it, or were they just bullying a sick person who was in no position to fight?

Joel Winston: The Social Security number is often used by hospitals for medical reimbursement, verification, and bill collection purposes. So, you probably need to give it to them. There's no law that prohibits them from requiring them.


Washington, D.C.: A utility company is claiming that I owe them a rather absurd amount, although I can, and have proved, that it is not the case. This money is owed under new account that they apparently created in a different name (my long-ago-discarded maiden name) but using my own SS#.

Does this qualify as fraud where my credit is concerned? It's a public utility, so I'm worried that no one will be on MY side.

Joel Winston: It sounds like you're a victim of identity fraud. If you can get a police report from your local police department that will help you a lot in getting this fixed. has a step-by-step guide to follow in this situation


Minneapolis, Minn.: My 18 year old son was robbed at gun point last May. In his wallet was his state drivers license and (despite my warnings not to carry it) his Social Security card.

When I contacted the credit reporting agencies to put a fraud alert on his record, I was not able to do so because he has no credit record. So far we have done nothing more. Any advice?

Joel Winston: That's a difficult one. The fact that he doesn't have a credit file means that it's unlikely that the thief will be unable to open new accounts in his name. But, his identity still might be used in other ways. I don't know of any specific steps you can take, but make sure you get a police report to prove that he was a victim


Anonymous: Do you contact the companies where charges falsely were made to you or just use the credit agencies?

Joel Winston: You should do both. If you can get a police report, that will help with any creditors.


Ballston, Va.: Is the FTC doing anything about outfits like who advertise free credit reports without having the disclaimer that consumers are already entitled to a free credit report once a year from the Big 3? This is deceptive advertising.

Joel Winston: Last year, the FTC settled a lawsuit with the company that markets that product, requiring them to make better disclosures of what they are selling and to provide refunds to customers.


Joel Winston: Thanks to all of you who have written in or followed our conversation. I wish I could have gotten to more of your questions, but the time has run out.

My advice to anyone interested in identity theft is to spend some time at There are some wonderful - and fun - materials on there that should answer most of your questions.



Editor's Note: moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. is not responsible for any content posted by third parties.

© 2006 The Washington Post Company