This is the third blog post in a series of posts about security. The first was email security, the second was about passwords.
Now that you’ve secured your email, installed a virus checker, and are using a password manager, you can move on to dealing with the Equifax hack.
Role of Credit Agencies
Credit agencies in the US collect data from Banks, Financial institutions, private individuals, corporations, and the government about individual US citizens. For each person they collect employment information, credit information and extensive personal information so that they can assess each individuals credit worthiness. Their customer is not you, you are the product; they sell their services to businesses that what to assess your credit worthiness.
Overview of the Equifax Hack
Equifax used a very common corporate open sourced software called Apache Struts application software to help build it’s website. In late march of 2017, Apache found a serious bug in it’s software and put out an alert to fix the bug. A friend who works at a fortune 500 company that also used the Apache software found Chinese hackers were roaming around when they received the alert with supervisory privilege. Within 30 minutes at this other company the software was patched and the users and their nefarious work were removed. This kind of immediate response was NOT the case at Equifax. From Wired magazine:
“This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly,” says Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm. “The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred.”
We are currently depending on each company to treat our data securely; unfortunately this is not something we can depend on. It took until mid-August, over 4 months after the initial problem was announced, for Equifax to even know it had a problem.
What data was stolen
The hackers were able to access names, Social Security numbers, birth dates, and addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” Essentially all the information you need to open a new line of credit with the wrong physical address and wrong email address. And there lies the problem: only the credit agencies know who is trying to access your credit records and they are not obligated to inform you.
Get your credit report for free
Get a free government authorized credit report from each credit agency at annualcreditreport.com. Once a year you can check each of the four credit agencies for free. Many people suggest staggering which one you look at, so every three months, check a different agency, that way once a year you can check all. Other sites trick you into thinking they are free, like freecreditreport.com, but they are not.
What are your options for dealing with Credit Agencies
Credit Freeze – this service is free from Equifax for a limited time, and up to $10 a year from the other three agencies. You log in and install a credit freeze and the agency sends you a pin number to unfreeze the account. It means that no business can access your credit files without your cooperation.
Credit Monitoring – Each of the credit agencies will sell you a service for about $240 a year to ‘monitor’ your credit. They will report on cross agency requests for credit information other than businesses you already do business with. One issue with credit monitoring is the agencies are free to sell your information to people who are interested to know that you’re paying for credit monitoring.
Fraud Alerts – You can notify one of TransUnion, Equifax or Experian that you suspect you are the victim of identity theft. Once you contact one of the three, they will inform the other two. Innovis must be separately contacted. This is a free service that lasts 90 days. It puts the onus on the credit company trying to access your credit: it lets them know THEY should verify your identity, but they can ignore that warning if they want to. After 90 days, if you can show you’re an identity theft victim, you can extend this service.
Other paid players: There are other players like the heavily advertised lifelock.com that will monitor your credit for either $120 or $240 a year. For their ‘premium’ package they will monitor your credit and add credit card checking. They paid the US government a $120 million fine a few years ago for deceptive advertising.
I believe that a combination of Credit Freeze and smart monitoring of your credit cards is the best solution.
Credit Freeze versus Fraud Alert
Here is what one credit expert had to say about the difference between the two:
The FTC also says that if you know you have been the victim of identity theft, you may contact one of the three credit bureaus and have a Fraud Alert placed on your credit file for free. Typically, this means a messages is added to your credit report asking lenders contact you at a certain phone number to confirm identity before granting credit.
The designated credit reporting agency is also supposed to contact the other two bureaus on your behalf. The fraud alert remains on your files for 90 days although it may be renewed.
In my opinion, this is a terrible idea because you never know when an ID thief will attempt to open credit in your name. Even if you knew exactly when your personal details were compromised in a breach, it doesn’t mean your details will be exploited right way. Hacked information can remain in black market databases for years before being sold to cyber crooks. Trying to time a 90 day protection window to when you think an ID thief will exploit it is as silly as wearing a seatbelt in your car only on the day you think you’ll be involved in a crash.
About 10 years ago, I placed a fraud alert on my credit files and found that sometimes lenders did not contact me as required to verify identity. Having now tried both, I very much recommend a security freeze over a fraud alert.
Recommendation for what you should do
This is from the journalist Brian Krebs, who specializes in computer security:
File a security freeze – also known as a credit freeze – with the four major credit bureaus.
Q: What is a security freeze?
A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.
Q: What’s involved in freezing my credit file?
A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.
This should be done for both you AND your spouse for all four credit agencies. If you have a teen or younger who is developing credit (like with a joint credit card with you, or bank account with a debit card) you should also freeze THEIR account with all four agencies. In California a parent can freeze his or her teen’s account if they are 16 years old or younger.
What to do BEFORE freezing your credit accounts
It turns out the IRS and the Social Security Administration use Equifax for how they identify citizens. 🙂 One recommendation is to take control of your online Social Security account, if you haven’t already done that. If you freeze Equifax, you cannot create a Social Security account, but this also means that no one else can in your name. 🙂 . Anyway, it’s a good idea to create your SSA account before you do the Equifax freeze. If you decide to take control of this account REMEMBER to use a STRONG password and put it in your password manager.
Credit Agency Freezing Checklist
- Secure your Online Social Security account
- For each credit agency you freeze make sure you have an entry in your password manager
- Freeze Equifax (https://help.equifax.com/s/article/How-do-I-place-a-security-freeze-on-my-Equifax-credit-file)
- Freeze Experian (https://www.experian.com/freeze/center.html)
- Freeze Innovis (https://www.innovis.com/personal/securityFreeze)
- Freeze Trans Union (https://www.transunion.com/credit-freeze/place-credit-freeze)
- After you freeze each credit file put the pin into a secure note in your password manager
- Repeat steps for your spouse, and any children 16 or under who have credit.
Alerts and Secret Words
After you’ve locked your credit with the credit agencies, you may still be exposed to fraud, since your credit card number and your bank account information and investment account information may be available to hackers. You can easily put protections into place to alert you of fraudulent activity, which will enable you to contact the financial institution and get it straightened out immediately.
I can recommend two options: First, some credit card companies allow you to set a secret word in your file, and they will only change/give information if you disclose this word. This will eliminate people calling in your name to try to ‘social hack’ your account, as long as you choose a word they can’t guess. Second, almost every credit card company allows you to set a messaging threshold such that if something is charged for more than X you’ll get notified. So set it to $500 or $100 or whatever you feel comfortable with. Also make sure the password is STRONG and UNIQUE for the credit card account.
Your accounts at Financial Institutions
Broken record: make sure the password is STRONG and UNIQUE. Some accounts like e*trade offer a two factor authentication, which you should use whenever possible. Many accounts send smartphone messages when you have a transaction.
What’s the future?
I believe that if someone is motivated enough, they can hack you. The steps above will offer a measure of protection if that happens. We have put together a set of open sourced, open dependent products in our online life which will lead to security holes and hacks. We have a government that treats computer security as an individual’s issue, not a governmental issue. Therefore privacy rules in the US are laughable. Try to keep a low profile, don’t taunt spammers or hackers, look to be anonymous. Maybe in the future the government will begin to provide personal protection and the business world will have larger consequences for a future Equifax style hack, but I’m not holding my breath.