What I learned from my identity theft nightmare. Your questions answered
The following are highlights from a Reddit “Ask Me Anything” Q&A with The Times’ Jessica Roy, lightly edited for style and clarity. These questions were all posed by Reddit users. You can read the original AMA post here.
My name is Jessica Roy, and I’m an editor on the utility journalism team at the L.A. Times. In 2018, my wallet was stolen out of my purse at a bar. A few weeks later, I found out I was the victim of a ring of persistent serial identity thieves — and that banks, credit bureaus and police weren’t going to do anything to help me.
I write a personal finance newsletter for the L.A. Times. I use free credit monitoring. I have unique passwords and two-factor authentication on all my financial accounts. The only personally identifying piece of info in my wallet was my driver’s license. I never would have thought that this could happen to me.
What I learned, first as a victim and then as a reporter writing about it, was that identity theft happens to millions of people every year and very little is being done to prevent it. Every victim, like me, is on the hook to clean up after the thieves who stole our identities and the institutions that let them do it.
I wrote a front-page story about what happened when my financial identity was taken from me and how I fought back. I also wrote about how to minimize the chances of it happening to you and what to do if your identity is compromised. Finally, I proposed a series of solutions that would make it tougher for identity thieves to pull off this crime in the first place.
AMA!
A stolen wallet precipitates a reporter’s years-long fight against identity thieves — and a system that doesn’t care and won’t help.
How did you first realize your identity had been stolen, and is there anything you could have done, in hindsight, to have stopped it happening?
My wallet was stolen in late November. I first realized something was going on in mid-January, when I got a bunch of mail congratulating me on my new checking and savings accounts with Bank of America and Wells Fargo, and alerts from my free credit monitoring that there were new inquiries on my report.
In retrospect, I should have frozen my credit when my wallet was stolen. Really, I should have left it frozen all the time (and so should you, and everyone else reading this). But I had no idea what people could do with a wallet that had only my driver’s license, a couple of credit cards and some gift cards and a couple of bucks in cash in it. I didn’t realize how vulnerable I was, and that even though I’m financially conscientious and tech-savvy, anyone can be a victim with the way our systems exist now.
If I had frozen my credit before the thieves got their hands on my wallet, they probably would have had trouble opening those checking accounts. Because I used free credit monitoring and acted quickly once I realized what was going on, they weren’t able to take out any credit cards in my name. (Though they sure tried! A lot!) They still would have been able to use my driver’s license to steal a car and [commit] various other crimes, because California does not flag licenses that have been reported stolen to banks or law enforcement. There was no single thing I personally could have done to stop everything they did.
In your opinion, if my wallet goes missing like yours, what is the absolute first step I should take?
Freeze your credit! I was really surprised at how easy it was to do that. It took me 15 minutes to set up accounts and freeze my credit with all three [major] bureaus.
And, if possible, report your stolen wallet to the police. They probably aren’t going to do anything about it, but having that report was vital when I was dealing with debt collectors and investigators. I basically had to mount a court case in defense of my innocence over and over again. The police report about the stolen wallet showed how it all had started.
What is the benefit of freezing your credit? Is there any downside?
The benefit is that no one can open a new line of credit using your identity. The downside is that if you want to do something like apply for a mortgage or a car loan, or get a store credit card somewhere, you have to unfreeze it. But you can download the apps for the credit bureaus and do that in seconds from your phone.
The credit bureaus don’t want you to freeze your credit because they make money by making your information available to creditors. You are less valuable to them if your credit is frozen. To me, that is a good thing.
One interesting thing I learned while reporting this: Equifax, Experian and TransUnion are the major players, but there are more than 100 related bureaus that monitor your financial activity, including ones for checking accounts, payday loans, phone lines, utilities, etc. There is no way to completely “freeze” your financial identity with all of them at once. Frustrating!
User chickenwater replied: Don’t they each charge a fee for freezing and unfreezing an account?
The credit bureaus used to charge for this, but they don’t anymore. It has to be free. They will try to upsell you on additional products that cost money, which you should say no to.
Is identity theft insurance worth the expense? What do identity theft protection companies such as LifeLock and Aura do? Here’s what to consider.
Your bank seemed totally unhelpful. If your identity is stolen, is there a way to get your bank to do something that would help protect you?
Yeah, the banks seem remarkably cavalier about all of this. To them, fraudulent accounts are a cost of doing business. It feels like they would rather write off 100 bad charges than possibly prevent one person from becoming their customer.
I think if you use smaller banks and/or credit unions, you are more likely to get good customer service. I have my checking and savings through a smaller bank, and they were great — the thieves were never able to access those accounts, even though they tried repeatedly. But the major banks involved (Bank of America, Wells Fargo and others) were wildly unhelpful.
Say you report an ID theft via police report — as I recently had to — and the police never contact you. Were you ever assigned a detective, and did you find that you needed to badger them to look at your case? It’s been a month for me and I don’t know if the cops will be any help.
Oh, you absolutely have to follow up. I did. Multiple times. I called the station repeatedly and asked for the name of the detective assigned to my case, and I regularly left him voicemails and emailed him. He was not particularly helpful. The only reason I know who stole my identity is because they were caught doing other crimes.
Really, the benefit of reporting identity theft to the police is having that police report as evidence when debt collectors start calling you. It is statistically extremely unlikely that police will do much to help you.
There is no way to completely prevent your identity from being stolen. But taking these steps can help make it less likely, and lessen the impact if it does happen.
Which was the single most frustrating bureaucratic entity you had to deal with during all this?
The credit bureaus. They are private businesses, but you can’t opt out of participating if you want a bank account in America. They maintain tons of information about you, but they don’t seem to care at all about protecting that information, or helping you when the information they have is bad.
When I was finalizing reporting on this story in September, I looked through my credit reports with all three bureaus. All three of them still had incorrect information about me, like the thieves’ addresses. I filed disputes with all three of them, and each of their sites was broken in some way. As a consumer, it doesn’t feel like they’re accountable to anyone.
Here’s what happened when I tried to dispute that stuff in September: I submitted disputes to TransUnion and got an error message about a technical issue where I might not be notified after my dispute was resolved. I tried to submit disputes to Experian and got an error message that said identity theft disputes could not be processed online. I was able to submit my disputes to Equifax, and received a notice that the disputes had been resolved, but every time I tried to click the PDF with the results, I got an error message.
I decided to check in on those disputes just now. Here’s what happened:
- Equifax: Worked fine, disputed information is gone (hurray!)
- Experian: The login screen resets every time I enter my info.
- TransUnion: It says “view my report,” but when I click that I get a blank screen.
Again, these companies track your every financial move, yet seem to have zero interest in maintaining their systems. Awesome. Love this for us, as a society.
User shogunreaper replied: “I hate Equifax so much. Earlier this year I locked my credit and right afterwards I couldn’t even log on to the account, I still can’t to this day.”
Absolutely wild that the FBI doesn’t track what is obviously a major kind of crime. Why doesn’t the federal government seem to care, and what could be done to incentivize more support there?
So, this story was about twice as long when I first filed it. For space reasons, and also to keep the narrative flowing, we had to cut a lot out.
I had originally written a lot more about my conversation with Shima Baughman, particularly her work on what she calls “the police myth”: the belief that law enforcement exists to control and solve crime. Statistically speaking, it does not. Certainly not for cybercrime, but also not really for traditional crime. Her work on clearance rates showed 97% of people who commit burglary are not held responsible for their crime by police.
I think identity theft and other cybercrimes are newer types of crime, and law enforcement — from the FBI down to local police — seem to be more invested in violent and property crime. In my piece about potential solutions for identity theft, I wrote about how tracking cybercrimes like those other types of crime would be a good start.
People need to make more noise about this. A lot of victims of identity theft and other cybercrimes — stalking and harassment, scams, revenge porn, etc. — are ashamed. They blame themselves. Don’t. Reaching out to your representatives (by email, or even by just tagging them on Twitter) and asking why the FBI doesn’t track cybercrime is a good place to start.
User seccocular replied: The FTC does track that and FBI has access to these numbers, when people take the time to report it. They are basically in information-gathering mode, and won’t open investigations into individual cases unless they involve other crimes like money laundering.
Right, but that information doesn’t go into NIBRS, which is what most police departments, institutions and journalists refer to for crime reporting and demographics. You can look up violent and property crime rates through the FBI’s crime data explorer, but you can’t look up cybercrimes.
As it is, our financial and law enforcement systems don’t do much to prevent identity theft. Nor do they offer much help to victims. Some policy and societal changes could help.
Do you think the Social Security number system will go away or change at some point in the future?
Yes, but only at the point that the entire system is worthless. Eventually, you’ll probably be able to Google Social Security numbers just like you can search for people’s phone numbers and home addresses right now. If you think your Social Security number doesn’t exist somewhere on the dark web (and, increasingly, with “light web” data brokers), you are wrong.
So yes, at some point, we will need to move beyond static data like Social Security numbers and the tiny photo on your driver’s license. I think we’ll see more financial and government institutions adding the option for things like Face ID or fingerprints for identification. That tech isn’t perfect either, but it’s a lot better than a nine-digit number.
User RockStrongo replied: “With the number of places you have to enter your full SS# and the amount of people it passes through, basically everyone is compromised. Once it’s out there there’s nothing you can do about it but hope you aren’t randomly selected by a thief. Not like you can request a new one.”
User secoccular replied: Are you certain about that? It’s literally one of the reasons you can get a new number.
The bar is very, very high to get assigned a new Social Security number. Knowing yours is compromised from a data breach is not enough. Even being a victim of identity theft is not enough, unless you continue to experience issues after taking a number of steps to fight it.
User secoccular replied: With so many transactions being done online, how would Face ID or fingerprints even work?
Well, you don’t show your driver’s license for online transactions, either. It’s more about adding layers of identification for opening new accounts. For instance, when I was getting [Family and Medical Leave Act] benefits earlier this year when I had a baby, I had to take a face scan video and send it in.
But online transactions could be more secure. More cards could add two-factor authentication for online purchases. It’s just a balance between convenience and protection, and right now most institutions lean toward convenience.
User Eizah replied: In Sweden, we have a system called BankID that is used for identification on various platforms when you log in using your SSN. The same system allows you to approve transactions, which you can do either via a personal code only you know or by using your fingerprint.
User mata_dan replied: A face or fingerprint is also static and can never be changed, ever — remember, digitally they are still data being sent over whatever protocol. We also have AIs that can regenerate your face, in different poses and animated, and they are getting better constantly. That’s worse than a Social Security number.
I disagree that facial identification is less secure than a string of nine digits, but I agree that we don’t have a perfect method yet.
User mata_dan replied: 9 digits can be changed to 9 other digits. Not sure I want a face swap if my facial data is stolen.
User nerd4code replied: Speaking as somebody with less fingers than he started out with, no, fingerprints aren’t static.
If you’re a victim of identity thieves or a data hack, you need to act quickly. Here’s what to do to protect yourself.
What should I be doing now as a parent to help protect my child’s identity from ever being stolen?
Great question! If your child is under 16, you can ask the three major credit bureaus to place a freeze on their credit. (It’s a lot of paperwork, which the credit bureaus love, apparently.) Make sure any documents with personal information, like their birth certificate and Social Security card, are stored safely in your home. Wipe phones and computers before trashing, selling or donating them.
And be thoughtful about the information you share about your child. Places love asking me what my baby’s Social Security number is. Does his pediatrician really need to know that? Does his daycare? I don’t think so. I leave that field blank wherever possible.
Did you get a new Social Security number and California driver’s license number? When I had my ID stolen in the ‘90s, that was the response from federal and state entities.
I debated it, but ultimately decided against it for both. I was so overwhelmed with this stuff in early 2019, I just couldn’t add any more bureaucratic paperwork to my plate. I was (and am!) furious at how much work I was expected to do to clean up after someone else’s mess, and going in person to appointments with the Social Security office and the DMV sounded like a new circle of hell.
The bar is very, very high to get a new SSN. Even as a victim of identity theft, I’m not sure I would qualify. Leaving my credit permanently frozen and locking down my identity in other ways is sufficient for me, for now.
User notfreefood replied: “It needs to be easier to get a new Social Security number, especially for how many people now who have had theirs disclosed due to mishandled data. Once yours gets on the internet, there’s nothing you can do to reverse that, and you have to live with the possibility that at any time, someone may decide to try to use your number, and freezing your credit is not a perfect solution.”
About The Times Utility Journalism Team
This article is from The Times’ Utility Journalism Team. Our mission is to be essential to the lives of Southern Californians by publishing information that solves problems, answers questions and helps with decision making. We serve audiences in and around Los Angeles — including current Times subscribers and diverse communities that haven’t historically had their needs met by our coverage.
How can we be useful to you and your community? Email utility (at) latimes.com or one of our journalists: Jon Healey, Ada Tseng, Jessica Roy and Karen Garcia.
More to Read
Inside the business of entertainment
The Wide Shot brings you news, analysis and insights on everything from streaming wars to production — and what it all means for the future.
You may occasionally receive promotional content from the Los Angeles Times.