Do you own a paper shredder? I used to do the “budget” version of tearing the account numbers into small bits of paper and then putting them in different trash cans. But could you imagine if you sent all your payment envelopes with your account numbers to the bank and they left them out in an unattended lobby? Or added post-it notes to each one with your username and password and then threw them in their trash without shredding them? Well, that’s essentially what happens when any one of these institutions gets hacked.

These hacks are becoming so common and widespread that shredding our documents or keeping our own passwords safe seem like almost negligible precautions. I’m not an expert in cybersecurity, but I worked on several digital products for the financial industry during my career as a user experience designer, so I got some exposure to the systems and flows that way. Running my own e-commerce store also gives me a “behind the scenes” view of how the other side of payment processing works. Honestly, both of those experiences make me even more concerned than I used to be, but they have helped me learn about a few simple precautions you can take, which I’d like to share in case you haven’t taken them already.

Prevention

While hacking can make you feel powerless to keep your own information safe, it’s important that you still take every precaution you can… and that starts with the place where most of your financial transactions take place: your credit cards.

Method 1: Sandbox your credit cards

About 5 years ago, I started developing and refining my own personal system for managing different credit cards. It was primarily aimed at efficiency and reducing the number of cards I carried but in addition to being more convenient, I also think it’s a bit safer since different types of transactions carry different types of risks. All I did was strictly assign the credit card accounts I already had into 3 categories:

  • Auto-pay cards
  • Online shopping
  • Daily purchases

I even taped little labels on each one to keep them straight. I used an existing Visa card (since it’s accepted everywhere) for auto-pay and online purchases. Then for daily purchases I actually had both a Visa and an AMEX for points stuff. For the auto-pay one, I also suggest making a list somewhere of which things it’s set up to pay. I use Evernote for that.

This approach has two main benefits. First, it essentially digitally quarantines the information from these accounts. Once, when some mysterious charges showed up on my daily purchases card, I received a notification from AMEX. Ironically, it used the multimodal mobile notification system I had helped design! Since I indicated to the system I hadn’t made the charges, it connected me to a person.

When there are charges you didn’t make, it’s always good to ask whether their system shows that the card was present for the transaction. This can help you troubleshoot what kind of information the thieves had and how they may have gotten it. In this case, the representative said their records showed that the card was physically swiped even though I still had it in my possession. This can happen if someone gets your information (for example, through skimming) and transfers it onto a blank magnetic card, easily purchased online. My usage behavior may or may not have made it easier for AMEX to detect the suspicious activity, but it definitely made it easier for me to spot the charges, which were different from the places I visit regularly.

The second benefit is that it makes it really convenient to swap out that card when it’s replaced. I didn’t have to modify any of my auto-pay accounts. Likewise, because you’re not using your auto-pay card for anything else, it’s sandboxed from the “risky” behavior you’re participating in through the normal course of using your credit card.

Method 2: Only take your “daily purchase” cards with you

Take a look in your wallet. Do you auto-pay anything with any of those cards? If so, it’s going to be a major pain in the butt to untangle the digital mess that comes about if you lose your wallet. It’s also pretty inconvenient if you have to cancel all your cards and don’t have another one handy. When I had to cancel my daily use AMEX, I was pretty much unfazed because I just used the other card until a replacement arrived. Leave the rest of your cards at home… a great use for any old “down-cycled” Tyvek wallets you may have.

This minimizes your everyday carry (EDC) but also serves as a physical sandboxing between your different accounts. The wallet you carry around doesn’t necessarily need to be a physical representation of your entire digital life. At this point if you have extra cards, you could consider cancelling them as well just to streamline what you have to track in your life.

Protection

Despite any additional steps you take, it seems practically inevitable that somehow some of your information will be exposed at some point, either by something you do or through one of the many institutions and companies you interact with digitally. If you assume that someone has your personal or account information, these are things which can make it more difficult for a criminal to get what they’re after.

Method 3: Place a Fraud Alert

If someone has your information, especially related to your identity, they may try and open up new accounts such as credit cards. In almost all cases, this will trigger a credit check with one of the three credit reporting agencies. By default, these agencies reply to these requests automatically with the requested information, such as your credit score. However, there are various ways to change this default with a "freeze" so the reporting agencies won’t provide any information without further confirmation.

This is a fairly strong prevention of damage being done, but it is a bit cumbersome to initiate… and when you actually DO want to apply for a credit card, or buy a house, or even apply for a job, you’ll need to temporarily lift the restriction or authorize a specific inquiry.

Each agency seems to offer some form of freeze and it usually costs $10-$15 for each one to both lock and unlock your report so that may not be worth it unless you know that your information has been compromised or you already have seen some indications of someone trying to use your information.

One service to consider which is slightly less powerful than a full freeze, but more convenient is to place a fraud alert on your file. This allows your credit report to be retrieved, but there’s a prominent note on it saying you suspect your information has been compromised. This should make anyone issuing credit ask for further proof before creating any new accounts. Here are a few advantages:

  • Free
  • Only report the alert with one agency and they are required to alert the other 2
  • Somewhat straightforward to implement with a phone call but you also need to send in physical documentation

Honestly, I have not set this up for myself… I called the TransUnion phone number and thought it was only going to take a minute or two with their automated system, but then they describe that you need to send them physical copies of a variety of identity information.

Update: Ok, so as I was proofreading this getting ready to publish, I went ahead and did the Equifax check for myself and it turns out I was affected by the breach! So I looked into the freeze a bit more and found that the Experian one has an online service which doesn’t require you to send in copies of documents. They will then notify the other two agencies on your behalf.

Method 4: Enable 2-factor authentication

This may seem similar to setting strong passwords and fall into the “prevention” category but in many ways it’s more powerful, especially if someone else already has your information. It basically means that in order to access your account, someone needs to go through an additional authorization step… or another “factor” in addition to the password. In practice, this is usually accomplished by inputting your mobile phone number, which allows the system to send a text to your phone with an additional code needed to complete authentication. These codes usually expire within a certain time and are also called one-time passwords (OTP).

Almost every online service, especially in the financial industry, now offers some kind of similar authentication. Sure, it may take an extra few seconds, but the security far outweighs any inconvenience. If you can’t find it in your account settings, it’s worth the time to call in and have them explain how to set it up for each of your accounts. I would argue this is more important than setting a strong password but I’ll let security experts hash that one out (pun for the security experts intended).

Detection

Okay, so you’ve taken a few simple steps to streamline your cards and somewhat protect your accounts. But how will you know if something does happen?

Method 5: Turn on paper statements

I know, this one is a bit counter-intuitive and it’s not environmental, but sometimes analog solutions are easiest to manage. Now that you’ve reduced the number of credit cards you use, get paper statements for these so you can take a quick look whenever one arrives. This should really only take 1-2 minutes as a sanity check to make sure you made the charges. If the cards are separated by use it should be much easier since you won’t see Netflix subscription charges right next to grocery store purchases.

This method works well for me and has also proven to be handy if I ever needed to go back and look for the record of a purchase. But I can understand if you skip this one and just follow the spirit of it, which is to check your online statements for irregularities.

Method 6: Enroll in credit monitoring

Confusingly, in addition to the fraud alert and freeze option, each credit reporting agency seems to offer its own additional credit monitoring product. I find it a bit disingenuous that Equifax offers their product TrustedID as a remedy for the breach they created… and that in the fine print it says that if you enroll, their partners can still get credit reports to send you pre-approved offers. Essentially, instead of offering a true freeze for free, they are gaining more customers for their service. Even if it's "free" they can sell your information to partners such as LifeLock. I even read that Equifax alerted their partner LifeLock about the breach before the general public so that they could get their marketing and customer service ready. And their sign-ups have increased 10x.

This isn’t going to be a comprehensive comparison of the services out there but I will mention one I’m familiar with since I worked on a product related to it during my time as a UI designer. It’s called Credit Wise (formerly Credit Tracker) and it’s a free service provided by Capital One. It’s powered by TransUnion®, one of the big 3 credit reporting agencies. Experian is the other one that hasn’t been hacked and Equifax is the one that got hacked. You can go here to check to see if your information was compromised.

The Credit Wise service is completely free (really) and has a well designed and highly rated app. Their business model seems to partly be to retain current credit card customers and advertise their own credit card products to potential new applicants as lead generation.

Note: I am not affiliated with the company or the app and get nothing if you choose to use it.

These aren't all the conceivable things you could do to protect your identity or credit. But if you’re not doing all of these things yet, they’re quick and easy to get up and running. Then you can move on to some more sophisticated measures which perhaps I’ll cover down the road.

Did you implement any of these as a result of reading this? Please leave a comment below and let me know if you’d like more info like this in the future... or if you have any additional tips to share which could help others keep their personal and financial information safe.