Identity fraud, also known as ID fraud or identity theft, is a serious problem. Thankfully, it’s one that you can help to prevent by taking advantage of a number of tools including ID protection services.
Unlike, say, antivirus software, ID protection services are different because they don’t directly protect your devices, your data or your passwords. Rather, they alert you to the fact that email addresses and services you use online have been hacked, and your password or maybe other personal info has been leaked.
ID protection services are therefore perhaps best thought of as intelligence operatives, or early-warning systems, if we’re to extend the vague military metaphor. Forewarned is, as they say, forearmed.
Ideally, once an ID protection service has given you a heads up, you’ll then be able to take action and change passwords, enable 2FA (if you’ve not done that already), and, if necessary, freeze any cards and get in touch with your bank.
Of course, this is just one anti-fraud weapon against the bad guys and should really be used along with antivirus software, a VPN and a password manager.
Here, we’ll explain more about what ID protection services are, and cover broadly how they work.
What are ID protection services?
They work by scouring dark web destinations for evidence that their customers’ personal details are being put up for sale.
‘Dark web’ is a catch-all term used to describe secure, private networks and heavily encrypted websites which are separate from the general world wide web, or the ‘clear’ web.
While dark web sites are useful for people living in repressive societies where governments have rolled out surveillance programs, dark web destinations are also used by criminals who want to sell and trade information – like people’s email addresses, phone numbers, and other personally identifiable information (PII), which can be used for fraudulent activity.
A full set of PII – potentially enough information for someone to go on a shopping spree in your name – is sometimes referred to as ‘fullz’ or ‘fullzinfo’ on dark web marketplaces.
A fullz would likely include your name, date of birth, email addresses, bank details (including your account number), credit or debit card numbers, Swift codes, CVVs, expiration dates. With that information, someone could cause you a lot of financial pain, and could even involve the police coming after you if loans are taken out, then defaulted on.
If any of your PII is discovered in this way, you will receive an alert and hopefully some advice on what to do next, such as alerting your bank, changing any affected passwords and informing security services as well, such as Action Fraud in the UK.
How do the ID protection services know what to look out for? They simply use the information you give them, which means you need to hand over your bank details, card numbers and any other PII that you would want an alert for.
Jim Martin / Foundry
This also means the service providing the monitoring has to be completely trustworthy and ensure that it keeps that data secure for you.
How much does ID protection cost?
ID protection is usually a subscription service. Costs start from £7.99, US$9.99 and AU$12.99 for monthly subscriptions, and £19.99, US$89.99, and AU$99.99 for yearly ones.
That’s for an individual, but you can also get family plans to monitor the whole household’s details. Some examples include Bitdefender Digital Identity Protection, F-Secure ID Protection, IdentityForce (U.S. only, owned by credit agency TransUnion), Norton LifeLock (U.S. only), and Norton Identity Advisor Plus (UK and Australia).
Additionally, you can get ID protection bundled with antivirus, a VPN and password manager with some security suites such as McAfee+, Bitdefender Premium Security Plus and F-Secure Total.
Likewise, Norton 360 Premium in the UK and Australia, and Norton Select + LifeLock in the U.S. come with ID protection built in.
You will pay more, but they’re better value overall, as you can get all-round protection for your family and your devices.
How much is ID protection in the UK?
So the big question is what it’s going to cost you. This will give you a very good idea of what’s available right now (prices correct at time of writing).
Standalone ID protection services
Security suites with ID protection
F-Secure Total – from £44.99 for the first year (£69.99/year thereafter)
How much does ID protection cost in the United States?
Standalone ID protection subscription services
Norton LifeLock – $9.99/month for the first year ($11.99/month thereafter), or, $89.99 for the first year ($124.99/year thereafter)
Security subscription services featuring ID protection
F-Secure Total – from $59.99 for the first year ($89.99/year thereafter)
McAfee+ – $89.99 for the first year ($199.99/year thereafter)
ID protection services in Australia
Standalone ID protection subscription services
Security subscription services featuring ID protection
Do ID protection services help recover from a breach?
It’s important to understand that most ID protection services are there primarily to help prevent ID fraud from taking place. They are not designed to help you recover after your identity has been stolen.
Having said that, both the IdentityForce and McAfee+ services in the United States offer up to $1m to cover any expenses incurred as a result of your identity being stolen, and McAfee+ also provides up to $25k for ransomware cover.
Also, while ID protection services typically don’t help you recover any stolen money, your bank should reimburse you in cases of fraud.
Have I Been Pwned / Foundry
Can I get free ID protection?
If you’re not willing to pay, there are a few good resources at your disposal.
Haveibeenpwned, perhaps better known as HIBP, is a free online email address checker which presents results in a clear and comprehensive manner.
By entering your email address into the HIBP search bar, you will see in a matter of seconds if any websites or services linked to your email address have been compromised at any point in history. It’s likely that if it’s a big data breach, such as the 2018 Currys PC World hack, or the 2020 Twitter leak, you will have already heard about it and (hopefully) secured your account with a new password.
If not, it’s still a good idea to change those passwords. HIBP also offers a free email notification service, should your email address get, as they say, “pwned in future.”
McAfee has a checker like this on its Identity Theft Protection page and F-Secure also has a free Identity Theft Checker tool. The only downside to these free checkers (often available from security companies) is that you have to run those checks yourself regularly and you won’t be notified of new leaks automatically.
DeHashed / Foundry
DeHashed offers a breach monitoring and notification service that’s free for individuals. Like HIBP, DeHashed will search the dark and the clear web for your personal information, and tell you if your search queries return anything. It also offers a free notification service, so it will contact you via text or email if any of your information appears for sale online in the future.
Similarly, Intelligence X has a search service that’s free to use, as well as more expensive paid tiers which are aimed at businesses and security researchers. In addition to entering email addresses, you can also search for US social security numbers and Bitcoin addresses.
Finally, there’s also Firefox Monitor, which features bulletins on recent data breaches, plus other useful information. As Firefox Monitor’s search tool draws on HIPB’s database, it shouldn’t tell you anything that HIBP won’t.
Should I buy an ID protection service?
Armed with the information above, you should be in position to answer that for yourself. However, a better question would be, “Should I buy a security suite with ID protection included?” because that is where the best value lies.
It’s hard to recommend subscribing to a standalone service when you can get a more comprehensive suite of security software for not much more money. For example, at the time of writing, Bitdefender’s solo ID protection offering is actually more expensive per month than the introductory rate on Premium Security Plus bundle – which comes with Digital Identity Protection.
All the tools we’ve talked about are undoubtedly useful. Anything that can offer insight into any old account associated with your email addresses that you might have forgotten about is worth making use of. A lot of the free tools available to you are very good as well, with DeHashed in particular offering an early-warning service for free.
Taking the time to do an audit of your online profile is never a bad idea, and ID protection services can help in this regard.
If you’re in the market for an antivirus or security package, ID protection should absolutely be on your radar, but think twice before buying such a service on its own.
My data was leaked: what should I do?
The first thing you should do is change passwords on every account that has been compromised. If a password has been leaked and you use it for multiple accounts then change the password on all those accounts and, please, use different passwords for each one.
If your primary email account has been compromised, consider switching email accounts, even if that means opening up an new one with the same provider (such as Gmail). If someone has access to your email account, they could intercept any password reset emails that you receive, potentially causing further damage.
If anything connected to your online bank or any financial services you use have been hacked, contact your bank and/or service provider and change all security details: passwords, memorable words, answers to security questions etc.
Check your credit rating with a credit agency as well, and ask for a free Notice of Correction if you see anything suspicious on the report.
In the first instance, contact the police. If you’re in the UK, you can contact either Action Fraud (if you’re based in England, Northern Ireland, or Wales) or Police Scotland (if you live in Scotland).
You’ll need to create an account with Action Fraud before beginning your report – create a fresh email account if you think or know that your primary account has been compromised.
You’re not required to create an account via the Police Scotland secure contact form, just leave contact details.
UK residents can also apply for Protective Registration from Cifas (Credit Industry Fraud Avoidance System). This is a paid service which costs £25 for two years’ worth of cover, and it places a red flag against your name on Cifas’s National Fraud Database.
Companies can then use this if your details are used to apply for things – additional checks to make sure it’s actually you buying things, and help stop someone from clearing out your accounts.
If you’re in the United States, you should report identity fraud to the FTC (Federal Trade Commission) at the IdentityTheft.gov site, where you can create an Identity Theft Report, and you download template documents to send to credit agencies and businesses, if you need to.
If you’re in Australia, you’ll need to file a report with the Australian Cyber Security Centre. Click through and scroll down to the ‘Identity fraud and identity theft’ section to begin your report.