“The best way to avoid danger is to be aware of it.”
In 2006, I was caught blindsided, unable to get pre-approved for a mortgage. We were moving back from Washington to California, and since buying our last home in Washington, I was completely unaware that I had become a victim of identity theft. Apparently, there was another Stephen Pao that wasn’t paying his medical bills, and my credit report was showing delinquencies.
This incident occurred before the Consumer Financial Protection Bureau (CFPB) started operating in 2011, and the process for disputing errors on credit reports was less clear. I somehow mishandled my interactions with the credit bureaus and consumed all of my allocated “escalations” in the back-and-forth in trying to report the error. After exhausting my options, the credit bureaus left it up to me to contact all the reporting creditors. Ultimately, I was able to get the delinquencies cleared off my record on my own, but not without a lot of pain and agony.
(If your credit report gets screwed in the modern era, check out the CFPB’s guide to disputing errors on your credit report.)
Since that incident in 2006, I have been more vigilant about trying to protect my identity. Here is a “top 5” checklist I had been keeping in my head. I know most of these checklist items are likely familiar to most, but I felt compelled to just write these down as a “call to action” for others to take care of them if they haven’t already.
1. Freezing your credit
2. Credit score monitoring
3. Dark web monitoring
4. Passkeys
5. Google “Results About You”
The fifth on the list was the subject of a recent iMessage thread within our beer group. That iMessage thread is what motivated me to write this post!
Freezing your credit
I froze credit reporting with the three credit bureaus (Experian, Equifax, and TransUnion) a long time ago. Freezing prevents new creditors and lenders from accessing my credit report to approve new credit applications, and it serves as a “speed bump” to open new accounts in my name. Somewhat painfully, I have had to “unfreeze” my credit reporting at times for background checks or other reasons, but I think it’s worth it.
There is information online on how to freeze credit, so I won’t document the process here. I hope I’m just helping to motivate people to freeze if they haven’t done it yet or at least to validate that a freeze remains active if they have!
I just verified that the freezes that I set up a long time ago are still active. Here’s an example from one of the credit bureaus:
Credit score monitoring
All of the major banks now seem to provide credit score monitoring services for free. It’s a good idea to use one of them to avoid being blindsided, as I was back in 2006. While I also have these services active with Bank of America and Capital One, I tend to use Chase Credit Journey because JPMorgan Chase is my primary bank anyway.
Dark web monitoring
There are so many hacking incidents that it makes sense to understand when information gets leaked online. I used to be a fan of Mozilla Monitor, but they charge money now. So, I now just use the free options bundled into Capital One CreditWise and Chase Credit Journey. Here’s a recent breach report of my social security number reported by Chase Credit Journey.
This reporting is more of a nice-to-have for items like SSN breaches because there’s little action that can be taken on the part of the breached. It is more useful for website hacks, with the call-to-action to change passwords.
For the context of this post, I don’t consider password change strategy really a quick “checklist item,” as overhauling password hygiene is its own dedicated topic and project. It’s one I strongly recommend, but not when trying to go down a list of 5 things.
Personally, I use iCloud Keychain as a password manager to automatically generate and use unique passwords for every site and app. I have also started migrating multi-factor authentication from Google Authenticator and Microsoft Authenticator to iCloud Keychain. The new Passwords app in iOS 18 and macOS Sequoia makes it all even better. There is iCloud Keychain support on Windows, too. It’s a little slow but it works! There, of course, are other password managers, and 1Password is also a really good one I’ve used in the past.
Still, much of the reason I don’t want to overly espouse password change strategies is that I am personally against passwords. I am of the growing opinion that beyond the basics, new incremental efforts by individuals beyond what they’re already doing for sign-in security should prioritize going passwordless wherever possible.
Passkeys
To this end, the recent trend for passwordless operation that I appreciate is the use of Passkeys. In essence, Passkeys offer innate two-factor authentication because they rely on both “what you have” (the Passkey itself) and “who you are” (TouchID or FaceID). I don’t need a separate authenticator app or access to SMS to use them! The whole concept behind “what you know” (passwords, answers to security questions, PINs) seems so obsolete nowadays, particularly because it takes a password manager or other system to use them securely anyway.
For example, this is how I log into my Google account now, and it requires access to the Passkey from an iCloud-connected device AND either my FaceID on the phone or TouchID on my MacBook Air.
I generated separate passkeys for my Windows device, too.
Whenever a site or app doesn’t support Passkeys on their own, I try to use a “Sign in with Google” option to leverage the convenience and security of Passkeys!
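What a site checks when a passkey is used, as an added example that is not part of the original post: the signature proves possession of the device-held private key (“what you have”), and the user-verified flag records that the device checked a biometric or device unlock (“who you are”). The relying party ID, origin, keys and function names are constructed for illustration; a production site would use a maintained WebAuthn library.

```javascript
// Added example with constructed values; RP_ID, ORIGIN and function names are assumptions.
const crypto = require("crypto");
const RP_ID = "example.com";              // hypothetical relying party
const ORIGIN = "https://example.com";
const FLAG_UP = 0x01;                     // user present (touched or confirmed)
const FLAG_UV = 0x04;                     // user verified (biometric or device unlock)
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Simulated authenticator: holds the private key and sets the flags itself.
function makeAssertion(privateKey, challenge, userVerified) {
  const flags = FLAG_UP | (userVerified ? FLAG_UV : 0);
  // authenticatorData = rpIdHash (32 bytes) | flags (1) | signature counter (4)
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), Buffer.alloc(4)]);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: ORIGIN,
  }));
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { authData, clientDataJSON, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying-party checks; returns "ok" or the reason the sign-in is rejected.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";
  if (a.authData.length < 37) return "authData too short";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  const flags = a.authData[32];
  if (!(flags & FLAG_UP)) return "user not present";
  if (!(flags & FLAG_UV)) return "user not verified";      // the "who you are" factor
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, publicKey, a.signature)) return "bad signature";
  return "ok";                                              // "what you have" proven
}

function demo() {
  const device = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const other = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);                 // fresh per sign-in attempt
  const check = (key, ch, uv) =>
    verifyAssertion(device.publicKey, challenge, makeAssertion(key, ch, uv));
  return {
    good: check(device.privateKey, challenge, true),
    noBiometric: check(device.privateKey, challenge, false),
    wrongKey: check(other.privateKey, challenge, true),
    staleChallenge: check(device.privateKey, crypto.randomBytes(32), true),
  };
}
console.log(demo());
```
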
Google “Results about you”
Driving back to the motivation behind this post, a thread came up in a group iMessage with my beer friends about some targeted USPS mail that came to the home address of one of our friends. She wondered how the sender got her home address. A quick Google Search revealed several possible sources, as her address came up in multiple search results.
Scrubbing these bad search results is not a one-time affair. I had already removed my name from Google search results for most of the services, but a new one popped up - information.com. Here’s what it looked like when I typed “Stephen Pao site:information.com” into Google. While my name was misspelled as “Stephen Shi M Pao,” the search results still contained an entry with my name in the description (redacting, or more appropriately, “magenta acting,” the details).
Bringing up that page with my name in the description shows an alias for “Stephen Shi M Pao” with my name spelled correctly (circled) along with past addresses.
After processing a removal request with Google, searching for “Stephen Pao site:information.com” no longer lists that page.
How does this get fixed? Set up Google “Results about you” and remove them!
https://myactivity.google.com/results-about-you
Follow the instructions, and wait. Once signed up, Google provides a display of removal requests to review, as well as the reviewed requests that are approved, denied, and pending. Google works pretty quickly to approve these requests!
Your turn
I know this particular post was more lightweight than most of my other ones! I encourage you to use the extra time that you might have spent reading a longer post to do some hygiene. These aren’t time-consuming items. And, even if you think you’ve done all of this stuff in the past, the world moves.
Just in writing this article, I noticed that LinkedIn supports Passkeys. It turns out that I hadn’t set up Passkeys for that site, even though I thought I had set them up on all the apps that prompted me to do so!
It’s done now!
I also checked for new sites (again!) that may be disclosing my personal info using Google’s “Results About You.” I have three more under review as I write this!
And, after proofreading this post, these are done, too!
It’s your turn now!