All Things Being Equifax: A Cybersecurity Awareness PSA

October 4, 2017 at 10:29 am | Posted in cybersecurity | 2 Comments

Over 9 billion data records have been lost or stolen since 2013. In fact, experts believe nearly 5.5 million records are exposed every day. It’s no longer a question of whether a company has been compromised, but when it will happen, and how consumers can take steps to protect their data.

Not every data breach is the same. Sometimes the stolen data is already public, like your name and street address, or is encrypted to prevent its use by thieves. The most dangerous breaches expose plaintext data (data that is not encrypted or otherwise obscured) and PII (personally identifiable information), such as a government ID with an associated date of birth and legal name.

The recent Equifax breach is a serious security concern because of its breathtaking scope and sensitivity. The stolen data included social security numbers, driver’s license numbers, and other PII as well as credit card numbers. Unlike a username and password, PII is meant to uniquely identify you for your entire life and (usually) can’t be changed. If it’s exposed, you face an ongoing threat of identity fraud.

So what can you do in the wake of such a massive breach? What follows are the best security practices we can recommend, including advice from an actual (anonymous) employee of a big-three credit bureau.

(ETA: as sharp-eyed reader Carol points out, there are actually four credit agencies, though Innovis is typically omitted from these types of lists. We have updated the post to add Innovis’ contact information as well.)



Understand the Risk

Assume YOUR identity is at risk.

Equifax is still exploring the scope of the breach, but the known number of 143 million breached records is fully half of the U.S. population, and may not be the final count. While there’s been tremendous media coverage, a large portion of those affected customers might not follow the news and are still unaware of the hack. It’s unlikely that Equifax will contact all affected customers in a timely enough manner to prevent attackers from using those identities.

Beware of phishing sites tailored to the breach.

Equifax has been directing consumers to a site that supposedly reveals whether a consumer’s record was affected after they enter part of their SSN. Krebs on Security has already reported lookalike sites popping up. In fact, one phishing site was so persuasive that Equifax officials actually tweeted the link, asking people to enter identifying data at the fake lookalike instead of their own site! Only visit known web sites, or better yet, use the phone to take action (explained below).

Practice ongoing vigilance

It may take months or years for a thief to get around to picking your identity out of those millions of stolen records, so don’t relax if you don’t see suspicious activity right away.

Protect Your Credit

Check your credit history TODAY.

In the three months since the breach occurred, an attacker may have already misused your identity. You can request a free credit report for the three major agencies. Even if you have already requested your free report for the year, you should pay to get the latest version. Doing so will provide a “snapshot” of your credit history and spending patterns that could help you fight fraudulent charges down the road.

Freeze your existing credit. 

A credit freeze – not credit monitoring – is the best way to ensure no one opens a line of credit in your name. If you need to open new credit yourself, you can unfreeze your record on a temporary basis. Unfreezing a record requires you (or an attacker) to know the freeze PIN before a credit check can be run. Even though KrebsOnSecurity reported it MAY be easy for an attacker to get the freeze PIN, this is still better than no protection at all.

Freezing your credit may be free, depending on the state where you live. Consumers Union has a comprehensive, state-by-state breakdown of what you might expect to be charged to place a freeze, if anything. The following phone numbers have automated systems to assist you (contact ALL of them):

  • Equifax – 1-800-349-9960
  • Experian – 1‑888‑397‑3742
  • TransUnion – 1-888-909-8872
  • Innovis – 1-800-540-2505

Freeze the credit for your children and elderly relatives.

If you have minor children, or if you help care for elderly family members, you can help them set up their own freezes or provide documentation proving you have the right to freeze the person’s credit. (It wouldn’t hurt to check on any senior neighbors who might not be aware of the credit breach and see if they require help pulling a credit report.)

Set a fraud alert (but don’t depend on it).

A fraud alert on your account tells the credit provider to require a further identity check before opening a new account in your name. Unfortunately, this will not protect you from attackers misusing your existing accounts; it would only alert you after the fact.

At this point in time, the fraud alert only lasts for 90 days, so you’ll need to renew it. If Equifax verifies your identity has been stolen, then they may extend it for seven years.

You can contact any ONE of the following numbers to set up a fraud alert (note that these may be different from the numbers used to place a credit freeze):

  • Equifax – 1-800-525-6285
  • Experian – 1-888-397-3742
  • TransUnion – 1-800-680-7289
  • Innovis – 1-800-540-2505

File your taxes early.

Attackers could misuse your credit information to take your tax refund, so beat them to the punch and file your taxes early!

Consider credit monitoring, with caveats.

An optional step is to consider signing up for a credit monitoring service. Although they can provide additional notifications based on anomalous or unusual credit behavior, there are a few scammers out there, so stick with a reputable company. The FTC provides plenty of information on monitoring, recovery and theft insurance service alternatives, including the free IdentityTheft.gov website. It is cheaper to monitor your credit on your own, however, if you have the time and diligence.

We would ask you to consider whether you want to pay for any credit monitoring services offered by a company that failed to safeguard your data. If you can only pay for one type of service, pay for a credit freeze instead.

Protect Your Online Identity

Use a secure, unique password

A secure password should meet certain length and complexity requirements, so that it is difficult for password crackers to discover. New NIST standards recommend 64-character passphrases of random words, instead of shorter passwords with special characters like !, #, @ or $. The goal is to create a password that you can remember, but no one else can guess. If someone else can guess it, then the password doesn’t pass the smell test.

Your password for your email, your bank accounts, and your social media accounts should always be unique to each, and never reused. The first thing an attacker will do if they find out your Facebook login is try to break into your email with the same credential.

Krebs on Security has more easy-to-digest advice about passwords and password managers here.

Use multi-factor authentication. 

It’s better to use “authenticator” apps instead of SMS text messages. This is because text messages can be intercepted far more easily than the one-time codes an authenticator app generates locally on your own device. It may be a pain to need your smartphone every time you want to open your email, but it makes it far harder for an attacker to gain legitimate access to your account. You can also configure trusted devices (such as your home laptop) that won’t trigger a two-factor request after you log on for the first time.

Verify the website address. 

If you are sharing ANY personal or confidential information online, make sure you’re not entering it on a phishing website. Also make sure the site is using the secure version of HTTP (HTTPS) – most browsers will display a padlock icon next to the URL, indicating the communication is encrypted from client to website.

Sign out of every online financial or social media session manually. 

This means you will need to choose the sign out button or menu option and close the browser when you are done using the website. That is the only way to ensure that an attacker doesn’t try to hijack the session from you.

Never share your password or device. 

You should never share your password with anyone, no matter who they claim to be. Furthermore, you should never reuse passwords across multiple accounts. Also, you should never share the device you use for multi-factor authentication with anyone else. You can use a password manager to help with those unique passwords, but then all of your passwords are in one place and an attacker could hack the password manager itself. So ensure you use a secure password and multi-factor authentication for a password manager as well.

Bonus Round: What would an actual employee of a credit bureau do?

Transcender staff recently spoke to an (anonymous) employee of a major credit agency. While she would not discuss their internal security policies or comment on the breach, she did agree to share her personal security practice: she has placed a credit freeze for herself and every member of her family, and she uses creditkarma.com to monitor her credit score for free on an ongoing basis.

Wishing you a safe and breach-free credit history!

– Josh Hester and the entire Transcender Team

2 Comments »


  1. You forgot Innovis, the 4th credit bureau no one seems to know about

    • I actually did remember Innovis, but when I was writing the post, I couldn’t find the number to use for a credit freeze! I’ll update the post now that I have found the right information elsewhere. I hope you found the article useful otherwise. Thanks for reading! ~ the T T
