MONEY Ask the Expert

How to Tell if Your Broker Protects You Against Identity Theft


Q: Are there any brokerages that protect customers from unauthorized computer access or theft? I was going with Vanguard, but on page 7 of its brokerage account agreement, under liability, the company says in writing that it is not liable. — Patty

A: This is a good reminder of why it’s important to actually read brokerage account agreements, especially in light of the massive security breach at J.P. Morgan Chase.

While the details may differ slightly from one firm to the next – which is why you should always check – the wording in Vanguard’s policy is similar to that of other large brokerages. (We ran your question by Charles Schwab, Fidelity and Vanguard.)

The short answer: If someone gains access to your account through no fault of your own — a security breach, for example — the broker would be liable for your losses. If the theft, however, is a result of your own negligence (more on that in a second) then that’s a different story.

“The brokerage account agreement explains that under certain circumstances, Vanguard will not accept legal liability for certain losses in or related to an account,” notes Vanguard spokesperson David Hoffman, adding that this is consistent with Vanguard’s online fraud policy. “… If the client has taken certain appropriate steps to protect the account, we will reimburse the assets taken from the account in the unauthorized transaction.”

Fidelity and Schwab offer similar responses. Under Fidelity’s customer protection guarantee, the firm will reimburse Fidelity accounts for losses due to unauthorized activity, says Fidelity spokesperson Adam Banker. Likewise, the Schwab security guarantee says the firm will cover 100% of losses in any Schwab accounts due to unauthorized activity.

In case you didn’t pick up on it, that word “unauthorized” is key in determining who’s liable.

That’s all the more reason to be particularly vigilant about protecting your account information. Set up a unique and unpredictable password (mix numbers, characters, lower case and upper case). Change your passwords regularly and don’t reuse passwords from other accounts. Store your password in a safe place — ideally not on your computer, your phone or online — and make sure your computer has up-to-date security software. Check your accounts regularly and if you see something suspicious, let the broker know immediately.

Finally, never give your account information to anyone calling or emailing and claiming to be your broker or bank.

If someone calls claiming to be from your broker, or any financial institution for that matter, hang up and call the number listed on your statement or the company’s site. Never log in to your account by clicking on a link in an email.

You should also be careful about sharing your account information with family and friends. If you give someone access to your account, that’s considered authorized use, and, yep, you’re liable.

MONEY identity theft

4 Reasons Why You Should Shop at Stores That Got Hacked


Almost half of all consumers surveyed are afraid to shop at retailers like Target. They shouldn't be.

This post was updated with news about Target’s new free shipping offer.

Retailers are gearing up for the holiday shopping season, but one thing has some consumers spooked: According to a new survey by CreditCards.com, 45% of respondents say they are less likely to shop at stores that have suffered a data breach, such as Target, Home Depot, or Michaels. Almost 30% say they will “probably” avoid stores that have been hacked, and 16% claim they “definitely” will.

While it’s hard to believe that half of all shoppers will actually skip the sales at major retailers come holiday season, Target did suffer a 5.5% decline in transactions last year after its data breach.

But shoppers, you’re being silly. You don’t need to avoid stores that have been hacked. Here’s why.

1) If someone steals your credit or debit card number, you have very limited liability.

You’ve got at least one reason to thank Congress: The Fair Credit Billing Act and the Electronic Fund Transfer Act cap how much money you’ll lose if someone steals your credit or debit card. If someone steals your card number but not your actual card — which could happen during a data breach — you are not liable for any fraudulent transactions. Read: You won’t lose any money. Just be sure to report any fraudulent debit card charges within 60 days of receiving your statement.

The rules are a little different if someone steals your physical card. With credit cards, you still won’t need to pay anything if you report the loss before a thief uses the card. Otherwise, your liability is capped at $50. With debit cards, you’ll only pay up to $50 if you report the theft within two days, or up to $500 if you report the theft within 60 days of receiving your statement.

There’s another reason to prefer credit over debit. When someone makes fraudulent charges on your credit card, you can challenge the bill when you receive it. But when someone else uses your debit card, that money comes straight out of your account, so it could take a little bit longer to recover your funds.

And if you’re really afraid, just stash the plastic. CreditCards.com reports that 48% of shoppers say data breaches have made them more likely to spend cash.

2) Avoiding these stores won’t protect you from the scariest kinds of identity theft.

When someone steals your credit card number and spends your money, that’s considered “existing account fraud.” Banks and credit card companies have gotten pretty good at identifying abnormal spending patterns, so you’re likely to catch existing account fraud early, and your liability is limited.

But if someone steals your Social Security number, opens a new credit card in your name, provides a new billing address, and runs up big charges, it might take you a while to notice. That’s called “new account fraud,” and it’s a real headache.

To catch new account fraud, check your credit report three times a year. It’s not hard to do, and it’s free. Your report will show all your accounts and debts, as well as your payment history. Check to make sure all of the information is accurate and all of the accounts actually belong to you. (Go. Do it now. Did you catch a problem? Here’s what to do.) If you’re afraid that your social security number has already been stolen, you can put a free fraud alert on your credit file to let lenders know or freeze your credit so that no one else can open new accounts in your name.

But you don’t give out your Social Security number every time you swipe your credit card, so don’t worry about going shopping.

3) Safer cards are on the way.

Are you sick of all these data breaches? So are businesses — after all, they’re the ones on the hook for fraud, not you. That’s why Visa and Mastercard are sending out new “chip-and-pin” cards. These cards have embedded microchips, which are more secure than magnetic stripes. If you’ve ever traveled abroad, you might remember what chip-and-pin technology looks like; Europeans have been using this system since the 1990s. While not foolproof, these cards are a great improvement. President Obama signed an executive order last week requiring that all government credit cards use chip-and-pin technology.

Practically speaking, chip-and-pin cards won’t do much more to help consumers at point-of-sale — remember, you have limited liability. But starting Oct. 1, 2015, the liability will shift to whichever business has the oldest technology. If credit card companies don’t update their cards, they will be liable for any fraud; if retailers don’t offer chip-and-pin terminals, they’ll be on the hook. So everyone has an incentive to make payment systems more secure, which is ultimately in consumers’ best interest.

4) Retailers that got hacked are working harder to win back your trust.

Guess which retailer is installing chip-and-pin technology in all of its stores and on all of its branded cards — Target!

Guess which retailer offered free credit monitoring to all its customers — Target!

Guess which retailer just started offering free shipping — Target!

Given that there have been 606 data breaches already this year, according to the Identity Theft Resource Center, you can probably expect more to come. But the retailers that have already been hacked are beefing up security and offering free identity theft protection services to consumers, so you’re probably safer there than everywhere else.

If that doesn’t put your mind at ease, here are some more steps you can take:

 

MONEY credit cards

Obama’s Credit Card Was Declined—No, Really.


The president shared a story about his own credit card troubles during an executive order signing at the Consumer Financial Protection Bureau.

First, we heard that the former chair of the Federal Reserve couldn’t get a mortgage. Then we learned that one of the most powerful economic figures in the world makes less money than at least 113 of her underlings.

Now we find out that the President of the United States had his credit card declined.

At an event at the Consumer Financial Protection Bureau today, President Obama said a New York restaurant rejected his card last month. But it wasn’t because he maxed out his credit (or so he says).

“I guess I don’t use it enough, so they thought there was some fraud going on,” Obama said. “I was trying to explain to the waitress, no, I really think that I’ve been paying my bills.”

The President made his remarks while signing an executive order to improve security features on government credit cards. “Even I’m affected by this,” Obama joked.

Luckily, Michelle picked up the tab.


TIME How-To

Tips for Stopping Identity Theft

This has been a good year for hackers. To date, businesses, medical centers, banks and schools have suffered some 578 data breaches, exposing over 76 million records of personal and financial information (Identity Theft Resource Center PDF).

Home Depot recently announced its database had been breached, with hackers making off with around 56 million payment card numbers. Earlier in the year, Neiman Marcus and Michaels revealed similar hacks, exposing 1.1 million and 2.6 million records respectively (PDF).

While some fraudsters might take advantage of stolen information to clear out your bank account or make claims on your insurance policies, a more insidious form of identity fraud has emerged based on scammers who create whole new accounts — bank accounts, store accounts, credit card accounts — in your name.

Identity thieves can use your personal information to open and max out multiple credit cards, apply for loans and place deposits on big-ticket items. This activity all goes onto your credit profile, eventually sinking your credit rating. Yet you might never find out about the unauthorized activity until the debt collectors come calling or you find yourself summarily rejected for a loan or mortgage application.

Many folks have turned to credit monitoring services that will notify you about unusual activity. But that’s the equivalent of closing the door after the horse has already left the barn. At that point, thieves have already opened accounts and compromised your credit.

So what can you do to thwart identity thieves? The major credit bureaus let you freeze your credit or add a fraud alert. Both are free, but each has its limitations.

Is it time for a freeze?

Closing any compromised credit and bank accounts can stem your financial losses, true. But thieves can continue opening false accounts and piling up debt on your credit profile, making it impossible to successfully apply for credit.

To stop thieves in their tracks, put a security freeze on your credit profile, which prohibits lenders and companies that are trying to check your credit from accessing your profile. This prevents thieves from opening new accounts under your name, because creditors are unable to check your credit history.

“The security freeze is a good tool for someone with recurring fraud issues,” says Rod Griffin, director of public education for credit reporting agency Experian. “That’s the insidious nature of fraud. Once an identity has been stolen, more false accounts may pop up again six months or two years later, and we wouldn’t necessarily recognize it as fraud.”

A fraud alert may be more helpful

If you’re planning on getting a mortgage, a car or even a new telephone service, a security freeze can hold up the process by preventing the service providers from checking your credit. “For most people, if you plan to apply for credit or services that need credit checking, a security freeze tends to be more intrusive than it is beneficial,” Griffin says.

Instead, if you believe you’re the victim of fraud, Griffin recommends first requesting a copy of your credit report. At the same time, alert a credit reporting agency that you suspect you may be at risk for fraud. The credit reporting agency will place an initial fraud alert on your profile so that any companies requesting a copy of the profile are told to ask for additional proof of identity. This makes it more difficult for identity thieves to prove they are you. The credit agency you alert will let the other two agencies know to do the same.

Next, comb your credit report for activity that wasn’t generated by you. Common signs of fraud include social security number and address changes or names and accounts you don’t recognize. “If you discover you have been the victim of fraud, file a police report, send it to Experian, and we extend the fraud alert so that it stays on your profile for seven years,” Griffin says.

Set fraud alerts and security freezes

Follow these steps to set a security freeze or a security alert.

1. If you suspect you have been the victim of identity theft, set an initial fraud alert at any of the three credit agencies. You can do this online, and the agency you contact will alert the others to add a fraud message to the profile they hold on you. We also recommend alerting Innovis, a smaller credit agency. Here are the links to their fraud alert pages for quick access:

An initial fraud alert on your profile advises potential creditors to request additional verification of your identity if an account is opened in your name. This alert lasts for 90 days. If you apply for anything requiring a credit check during this period, you should be prepared to provide greater proof of your identity than usual.

2. If you find that you are the victim of identity theft — for example, if your credit profile shows suspicious activity or a debt collector turns up demanding payments for something you know nothing about — you can request an extended fraud alert that lasts for seven years. File a police report and mail a copy to the credit agency along with your request for an extended fraud alert. The credit agency will verify the fraudulent accounts and clear them out of your profile. Potential creditors will continue to receive alerts that your profile is associated with fraud, with instructions to request additional ID verification.

3. If fraudulent activity continues to appear on your credit profile, you may want to consider a security freeze. With a credit freeze, no one can access your credit profile except lenders you specify during a time period you set. You need to set up a freeze individually with each credit agency, either by phone or via each agency’s online form.

When you freeze your credit profile, you’ll receive a PIN to use for temporarily lifting the freeze to allow specific credit checks. Security freezes are free for victims of identity theft, and will run anywhere from $0 to $10 for other applicants, depending on age and state of residence. Fees for lifting and restoring freezes vary by state from free to $5.

How to stay safe

“Knowing when your personal data has been compromised is very difficult, as it could happen from any number of places which hold that data,” says Thomas Labarthe, managing director (Europe) for security firm Lookout. When a security breach occurs at a point-of-sale terminal, as it did in the recent Home Depot breach, consumers are especially powerless and may never find out about the breach until the retailer itself uncovers it. “It’s best to only use credit cards, as there’s an added layer of protection which makes it easier to claim money back in cases of fraud,” Labarthe says.

When you’re shopping online, use encrypted sites with “https” in the URL, and only use credit cards even when using secure online payment services. Offline, make sure your mailbox is secure; fraudsters can get plenty of identifying information from stolen mail.

Most importantly, check your credit profile once a year. You can request an annual free copy from each credit agency at AnnualCreditReport.com.

This article was written by Natasha Stokes and originally appeared on Techlicious.


MONEY identity theft

JP Morgan Data Breach Threatens 76 Million Households

JPMorgan Chase, hit by hackers this summer, is disclosing how much customer information might have been exposed.

MONEY data breaches

The One Foolproof Thing You Can Do to Protect Yourself from Identity Theft


Place a security freeze on your credit.

Your private information may have been stolen… again: JPMorgan Chase disclosed on Thursday that hackers accessed 76 million accounts during a cyberattack this summer. JPMorgan Chase says hackers stole only names, addresses, phone numbers and emails, and not passwords or Social Security numbers. If that’s the case, it won’t be easy for crooks to steal your identity or your money.

But if you’re worried that one of the recent data breaches at Target, Home Depot, or P.F. Chang’s could make you vulnerable — or are just fed up with hearing about a new data theft every other week and want some peace of mind — you may be yearning for a foolproof solution. The simplest thing to do: Put a freeze on your credit.

Here’s how it works. Whenever anyone applies for credit, the would-be lender pulls their credit report from one of the three bureaus, Equifax, Experian, or TransUnion. If you institute a security freeze at each of the three credit bureaus, nobody will be able to access your credit report, so identity thieves won’t be able to open any new accounts in your name — period.

There are some downsides to this option. First, there’s the cost. The price of a security freeze varies by state — you can check yours here — but it’s typically $5 to $10 per credit agency. (It’s often free for people who have already been victims of identity theft.)

More of a problem is that whenever you want to allow someone to check your credit, you’ll need to pay a fee to lift the freeze. And that may happen more often than you expect because your credit report gets pulled not just for credit applications but often when you sign up for a cell phone contract or apply for a new apartment or job as well. The credit agencies will give you a password to lift the freeze and charge up to $12 each time you do it — so this option can get pricey.

Finally, if you’re afraid that an identity thief may already have used stolen information to open accounts in your name, a credit freeze won’t help. To find out if that’s the case, you’ll have to check your credit report, which you can do for free three times a year at annualcreditreport.com. If you suspect fraud, you’ll want to notify your financial institutions, change your passwords, watch your statements, and file a police report.

Ready to act? You can place a credit freeze online, right now:


MONEY Taxes

How Identity Thieves Stole $5.2 Billion from the IRS


And how to make sure you won't be their next target.

More than $5 billion, with a B: that’s how much the IRS estimates it mistakenly paid to identity thieves last year, according to a new study from the Government Accountability Office. The thieves filed fraudulent tax returns on behalf of unsuspecting citizens, and the IRS didn’t catch the fraud until long after the refund checks had been sent. The only good news? It could have been a lot more money. The IRS estimates it identified and stopped another $24.2 billion in attempted fraud — but the agency acknowledges it’s hard to calculate the full extent of the problem.

Here’s how thieves get away with it: You usually receive a W-2 from your employer by the end of January, then file your tax return by April 15. During that time, thieves steal your identifying information, file fake returns on your behalf, and collect the refund check. It all happens pretty quickly, since the IRS tries to issue your refund within three weeks of receiving your return.

Employers have until March to send their W-2s to the Social Security Administration, which later forwards the documents to the IRS. The IRS doesn’t begin checking tax returns against employers’ W-2s until July. The GAO has found that it can take a year or longer for the IRS to complete the checks and catch the theft.

The easiest way you can deter this kind of fraud? File early, and file electronically. Once the IRS receives a return with your social security number, the agency will reject any duplicate filings and notify you right away. The IRS is also piloting an initiative to issue single-use identity protection PIN numbers to taxpayers who have verified their identities.

Still, the danger could be growing: As recently as 2010, tax- and wage-related identity theft made up just 16% of all ID-theft complaints at the Federal Trade Commission. Last year that portion rose to 43%. Below are four more common ways ID thieves can strike — and what you can do to protect yourself.

1) Purloined paper.

Have tax documents sent to a P.O. box or delivered electronically so they can’t go missing. Shred extra copies. “Your tax return needs to be treated as an item of extreme privacy,” says Staten Island CPA John Vento.

2) Unsecure networks.

Never file electronically over public Wi-Fi or a network that’s not password-protected. Make sure you have up-to-date antivirus software and a firewall on your home computer.

3) Dodgy emails.

Be leery of any email claiming to be an IRS notice of an outstanding refund or a pending investigation; the IRS will never email you to request sensitive information. Forward suspect messages to phishing@irs.gov. Other electronic traps: fake websites similar to irs.gov, and tweets purporting to be from the IRS (@IRSnews is the verified handle).

4) Phone fakes.

In October of last year, the IRS warned of a sophisticated phone scam in which callers already knew the last four digits of your Social Security number and mimicked the IRS toll-free number on your caller ID. If the IRS calls you out of the blue, hang up and call back (800-829-1040).

This advice was excerpted from MONEY’s 2014 Tax Guide.

MONEY identity theft

Here’s What To Do About the Home Depot Hack

Home Depot says hackers have stolen tens of millions of its customers' payment card information. Here's how to protect yourself.

On Thursday, Home Depot acknowledged that hackers were able to access 56 million credit and debit cards when the retailer’s systems were cracked this April. The company says all malware has been removed from its U.S. and Canadian networks, but hackers have had access to card numbers as recently as September. If you’ve shopped at Home Depot within the past six months, here’s what you need to know:

Home Depot is providing free identity protection. The company is working with AllClear ID to give identity theft protection services, including credit monitoring, to all customers who have shopped at Home Depot since April 2014. To sign up, either go to this web page or call 1-855-252-0908, and AllClear will assign you an identity theft investigator.

Check your statements frequently. Credit card users shouldn’t worry too much about their number being stolen because credit card companies limit individual liability to $50. Of course, if you don’t identify fraudulent charges, your credit card company won’t cover them — so make sure to at least check your monthly credit-card statements.

Debit card users should be more vigilant about scrutinizing account activity — going back to April and going forward on a regular basis. The reason is that fraudulent charges are covered by banks for just 60 days after you receive a statement with such charges on it. The Home Depot data breach lasted months, so you could already be on the hook for purchases you didn’t make. Home Depot says AllClear’s identity theft protection service “will do the work to recover financial losses,” but it’s unclear what that means in the case of debit cards. (AllClear declined to comment on its partnership with Home Depot, and did not immediately respond to general questions about how debit card fraud is handled.) Home Depot claims there is no evidence that crooks obtained debit card PINs, but a company spokesperson would not say whether or not other information, like customer names, was stolen.

Stolen card info can be sold to and used by other fraudsters long after a breach — there’s a secondary market for this kind of stuff — so it’s a good idea to check your debit account activity as often as several times per week. Your debit spending is not only more vulnerable to fraud, but also can be more damaging. You won’t be out of pocket for bogus credit card payments; with debit card fraud, by contrast, the money is actually gone from your account until the issue is cleared up.

Look into getting a chip and pin payment card. Chip and pin payment cards are more secure, and offer an additional level of security by requiring users to enter a pin even when paying with a credit card. Matt Schulz, senior industry analyst at CreditCards.com, recommends consumers call their bank and ask about upgrading to a chip and pin card. This technology hasn’t been widely rolled out yet, but some banks already offer upgrades. Schulz says most banks should offer this type of card within the next year.

Try to relax. As these breaches become more common, it’s important not to panic each time a business is compromised. Instead, always practice good security habits, like creating strong passwords for e-commerce and frequently checking your payment cards’ transaction history.


MONEY identity theft

Home Depot Says Hackers Stole 56 Million Card Numbers

The home improvement retailer says it has eradicated the malware that compromised its customers' debit and credit card numbers.
