Practical privacy and simple cybersecurity.
TheNewOil.org

Should You Pay For An Identity Theft Protection Service?

Identity theft is a common cause of anxiety in modern society, and it's pretty justifiable. According to a recent survey from US News, almost three quarters of adults have experienced at least one case of identity theft, and 27% have experienced more than one. In 2022 there were more than 1.1 million reports of identity theft, costing Americans a total of $8.8 billion with a median of $650. One in five respondents reported that they continue to suffer financial consequences to this day. It's no wonder that a multi-billion-dollar industry has sprung up around protecting against identity theft. But does it make sense to pay for an identity theft protection service? Or is it just snake oil?

A Quick Note About Identity Theft

Before diving in, I want to clear up a common misconception I see a lot. Many people I talk to seem to have the idea that “identity theft” means “a stranger walking into a bank, pretending to be you, and withdrawing all your funds.” While that certainly does happen, what's far more common is someone stealing your credit card online and using it fraudulently, or trying to open new accounts in your name. Despite the half-joking replies people give me, no matter how bad your credit is or how little money you have, I guarantee you I can find some shady payday loan service or sketchy rent-to-own shop willing to open a line of credit in your name, which I can then use to buy a bunch of high-ticket items and sell them. Now you have to take the time, headache, effort, and stress of filing a police report, gathering the necessary evidence to prove it wasn't you, and fighting to get it off your credit report.

This goes hand-in-hand with the false belief that cybercriminals target individuals to be their victims. In reality, cybercriminals target companies because there's more opportunity to get lucky and a bigger payoff if they do. Why try to hack one random person who probably doesn't have a lot of money when I can target a company with poor security practices that collects more data than it should on its thousands of customers, which I can then resell or use for other ends? No matter who you are or your financial situation, you are never safe from the risk of being caught up in a data breach and your sensitive data landing in the hands of a cybercriminal. These breaches are unbelievably common, with over 7 million records per day in 2020 and an average of 3 breaches per day in Australia alone.

What is an Identity Protection Service?

With so much sensitive data being leaked constantly, it's pretty easy to see where the market for identity theft protection services came from. Where there's a need, some industry will always rise to fill it. Identity theft protection services are – as the name implies – services that promise to help protect you from becoming a victim of identity theft. They do this in a number of ways, such as alerting you to any suspicious financial activity on your accounts or any new accounts being opened in your name, and scanning the dark web to see if your data pops up.

Are They Worth Paying For?

Point blank: no, in my opinion most people don't need to pay for an identity theft protection service. First off, identity protection services are reactive instead of proactive. They'll only let you know after someone has stolen your identity and tried to abuse it. There are much better ways to be proactive that are – in my opinion – more effective (which I'll talk about in a moment). Second, “dark web scanning” is something that makes no sense to me. Maybe I'm misunderstanding it, but the whole point of the dark web is that it can't be indexed. It's not like a Google Alert where you can just make a bot that says “let me know if this shows up anywhere on the web.” Instead, they have to be monitoring known dark web marketplaces, and your information may not surface on the known ones. Think of it like having an account in a chat room or on a social media site and hoping they see your name pop up. Even then, it may be hidden behind a paywall since most cybercriminals want to sell the data they've stolen rather than just share it publicly. And if one of their strategies is to scan the regular web for companies announcing data breaches, not all companies admit to that, even when the evidence is overwhelmingly against them (and some companies even block such announcements from showing up on search engines).

To be clear, I said “most people.” I've heard from some people in unique situations who value the peace of mind or extra protection behind an identity theft protection service. But most people can get the same protections as an identity theft protection service – and arguably better – for a fraction of the cost. (You could even use some of the money you saved to help support this project and still have money left over.)

What to Do Instead

The first step is to freeze your credit. In America, this is free by federal law. In other countries, your results may vary, but I've been told that the credit agencies in other countries also offer credit freezes, so you should have some recourse even outside the US. A credit freeze doesn't affect your credit score (so if you're trying to fix your credit this won't affect that), but it does prevent people from being able to open new accounts in your name without additional verification, and it can easily be lifted temporarily if you ever need to open a new account (such as to apply for a new credit card or a loan). This is – in my opinion – far more effective than the reactive methods of identity theft protection services, which basically say “let's wait til someone tries to open a new account and then do something about it.” This way they never even get the chance to open said account, and it costs you nothing. (How often do you really open new accounts without warning that freezing your credit would be such a huge hassle?)

The second concrete step I recommend is to try to use digital payment methods less. From the real world to the digital one, card skimming is incredibly common, and it's one form of identity theft. When in person, try to pay with cash as often as possible. Online, I strongly recommend gift cards or masked payment options. Even cryptocurrency could be helpful here if it's something that you're familiar with and it's offered. By doing this, you'll reduce the amount of sensitive financial data – such as credit card numbers – sitting in a server somewhere waiting to be stolen by a lucky crook. They can't steal what isn't in the database in the first place.

Finally, if you really want to have maximum effect... well, to be frank, this is a privacy project. We have lots of advice on this front. Taking your privacy a little more seriously can pay off in droves when it comes to identity theft. The answers to many common identity-based security questions can be found easily with a quick Google search, questions like “what is your father's middle name?” or “where did you go to high school?” You can scrub much of this information from the internet by using a data removal service, making it much harder (if not impossible) for attackers to find those answers. It also helps to start being defensive with your online identity. This starts with good cybersecurity practices such as using strong passwords and multifactor authentication, which can make your accounts harder to hack into (even after a breach), but it also extends into simply trying to hand out less information. Not every field on a website or form needs to be filled out, and not all of them need to be accurate. Don't be afraid to use a fake phone number for services that should never have a valid reason to call you, or a fake name when signing up on a website. Use different usernames on your accounts to make them both harder to hack and harder to find for would-be attackers. You can set your accounts to be friends-only or other similar settings that reduce what outsiders can see about you – or better yet, simply delete the services you don't use very often and post less on the ones you do. You can switch to encrypted services for things like email, messaging, and cloud storage so that data breaches become almost impossible in the first place.

Conclusion

There's a lot you can do to protect your identity for less than what the big guys cost (in some cases for free), and in my opinion it's far more effective. And for the record, you don't have to do it all or even all at once. “There's a lot you can do” is meant to be encouraging: you're not powerless. You have a lot of tools at your disposal to help protect your identity. I recommend you be proactive and find the ones that work best for you. With a little bit of research and preemptive effort, you can save yourself tons of money and time. Privacy isn't as hard as it sounds. It may be convenient to shrug off the effort of identity theft protection onto someone else, but if you're willing to put in just the tiniest little bit of elbow grease now, you can keep that money in your pocket and get even more protection than those services can offer.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more.