The Equifax Breach and the Cybersecurity Silver Bullet

Some time ago, the popular show Mythbusters wanted to find out if the Lone Ranger was right about silver bullets being better than lead ones. Turns out silver bullets are actually slower and less accurate.

When it comes to cybersecurity, quick-fix silver bullets are also less effective than tried-and-true approaches. The most effective cybersecurity strategies begin with two certainties: mistakes will be made, and breaches like the one that hit Equifax will keep happening.

The 143 million consumers exposed in the Equifax breach provide plenty of evidence that there’s still no effective “silver bullet” when it comes to both chronic and acute threats to our collective cybersecurity.

While the Equifax breach is by no means the largest hack to date (that distinction still belongs to Yahoo), it definitely stands out as the breach with the greatest potential to harm its victims.

The Equifax hackers got the most complete data dossiers possible on millions of people. Those dossiers are worth about $30 on the black market and include Social Security numbers, names, addresses, birth dates, and, in some cases, driver’s license numbers. Additionally, the credit card numbers of 209,000 consumers were lifted.

What can be done with this information? Just about every sort of identity theft imaginable.

Credit lines and credit-worthiness can be destroyed overnight, health care records can be polluted with the information of thieves using your benefits illegally, and it can be nearly impossible to get medications filled in a timely manner. Crimes can even be committed in your name, since the thieves have all they need to create a driver’s license with your information and someone else’s photograph.

No Easy Fix

If there were any easy way to solve the data-breach problem, we’d be seeing fewer newsworthy compromises. But as yet, nothing works.

Take, for instance, biometrics. Fingerprints, retina scans, body weight, and shoe size—they offer a great addition to the various ways we authenticate ourselves to the systems storing our data. But they are not a true fix. If a security patch released by a software provider is not installed, as happened in the Equifax breach, it doesn’t matter how many body parts you scan.

Picture the mailboxes in the lobby of a city dwelling—the individual boxes can be opened with one master key so the letter carrier can slot the mail for all the apartments at the same time. It doesn’t matter how well you protect the key for your one apartment’s mailbox if a thief gets access to the master key. The same goes for individual cyber hygiene in the face of a breach.

One of the most promising solutions was once thought to be tokenization—a system of referents that create an impenetrable security trail—but it suffers from the same issue that was behind the Equifax hack: human beings messing up.

Tokenization systems have to be secured and validated using security best practices. That’s where the fallibility part creeps in. Those best practices still need to be implemented by fallible humans with busy lives who have not been told—and consistently reminded—that they are the only solution to the data breach problem.

Data breaches and the identity-related crimes that flow from them are the third certainty in life—right after death and taxes—because there will always be that fallible human element. Education can help mitigate the risks, but even the savviest populace will make mistakes.

Real Solutions

Senator Elizabeth Warren has set her sights on the three credit reporting bureaus, specifically demanding that they offer credit freezes for free. The looming threat of credit hijacking is made possible by the hoarding of information—the credit reporting bureaus’ daily bread. It seems logical, then, that the bureaus should have to pay for the most common crime that data can lead to: credit fraud.

While new laws are good, education is the only real solution.

For many years now I have been advocating a system called the Three Ms, which are the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Practicing the Three Ms continues to be the best way to keep your personally identifiable information from being used in identity-related crimes. 

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t overshare on social media; be a good steward of your passwords; opt for two-factor authentication whenever it’s offered; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously (you can check your credit report for free on Credit.com); keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The odds of President Trump giving his entire fortune to the NAACP are probably better than the chances that we’ll be experiencing fewer big breaches in the future. An individual’s security protocol is only so useful, but an individual’s actions make all the difference.

The post The Equifax Breach and the Cybersecurity Silver Bullet appeared first on Credit.com.

No, Equifax Is Not Calling You. Watch Out for Scam Phone Calls After the Data Breach

Less than a week after the Equifax data breach was made public, it seems scammers are already looking for opportunities to prey on concerned consumers.

The Federal Trade Commission posted a scam alert Thursday warning consumers to not give their personal information to anyone who calls and claims to be an Equifax representative. Over the summer, hackers breached the Atlanta-based credit bureau’s database and accessed the personal information of about 143 million consumers, including sensitive information like Social Security numbers.

But Equifax is not calling those affected by the breach, so if you get a phone call from someone saying they represent Equifax and want to verify your account information, the FTC advises you hang up. It’s ironic, in a way, to target victims by posing as a concerned Equifax representative. The company has been criticized widely for its sluggish response to the breach, which occurred sometime between mid-May and July but wasn’t discovered until July 29 and wasn’t announced until more than a month later.

In response to the security failure, the House Committee on Energy and Commerce has demanded Equifax answer several questions about the breach, including why the company put off announcing the breach for so long. Equifax has until Sept. 22 to respond to the committee’s questions, and the committee plans to hold hearings on the breach in September or October.

In a company statement, Equifax CEO Richard Smith said the breach was a “disappointing event.”

“Confronting cybersecurity risks is a daily fight,” he added. “While we’ve made significant investments in data security, we recognize we must do more. And we will.”

In the breach, people’s Social Security numbers, dates of birth, addresses, and other personally identifiable information (PII) were compromised, so it’s understandable you’d be worried and are looking for help.

Here’s what you can do to take control of protecting your identity.

Assume you’re affected

While you can go to Equifax’s website and go through a multistep process to see if your information has been compromised, you can also just assume someone has their hands on your personal information. (It’s also worth noting the Equifax site reportedly isn’t reliable for telling you if you’re affected, and many consumers have reported the site is slow to load or doesn’t load at all.) Even if you weren’t among the 143 million whose personal information was compromised in this breach (and the odds aren’t in your favor), chances are it has been or will be in a breach at a different company or organization. With that in mind, you’ll want to focus on how to detect signs of identity theft and how to respond to them.

Monitor your credit

Equifax responded to the breach by offering free credit and identity monitoring to everyone — not just those affected — for a year through TrustedID Premier. You must go to equifaxsecurity2017.com to enroll, which requires entering your last name and the last six digits of your Social Security number. You’ll then be given an enrollment date, which may be several days after you start the enrollment process, at which point you can return to the site to continue enrollment. You’ll need to set a reminder to continue the process, as Equifax won’t send you a notification when it’s time.

You have many other ways to find out if someone has misused your personal information. Several companies offer free credit scores — Credit Karma, Discover, Capital One, Mint, LendingTree (our parent company), etc. — either to everyone or to their customers. To help you choose, we put together this guide to getting your free credit score. Credit Karma also offers a free credit monitoring service, and Discover cardmembers can sign up for alerts when their Social Security numbers are detected on suspicious websites. You can also pay for credit monitoring services from a number of providers, including the three major credit bureaus Equifax, Experian and TransUnion, as well as credit scoring giant FICO.

Consider a credit freeze

You can also freeze your credit so no one, not even you, can apply for new credit using your information. If you do this, you have to initiate a freeze with each of the three major credit bureaus, as well as “thaw” each report when you want to apply for a new credit account. Every time you freeze and thaw your credit you may be charged a fee, which varies by state. This only protects you from credit fraud and does not prevent things like taxpayer identity theft, criminal identity theft, medical identity theft, and insurance identity theft.

On Sept. 15, Equifax announced it is waiving the fee for removing and placing credit freezes on Equifax credit reports through Nov. 21, 2017. Anyone who paid for an Equifax freeze at or after 5 p.m. EDT on Sept. 7 will receive a refund, the company said.

Have a plan for responding to identity theft

One of the best ways you can prepare for identity theft is to detect it early. After that, you need to know how to resolve it. You can do this yourself by filing a police report, disputing fraudulent accounts on your credit reports, and making the phone calls necessary to correct any problems stemming from the fraud. Or you could pay someone to help you with this time-consuming task. Check with your employer to see if they offer identity theft insurance or identity theft resolution services as an employee benefit, and if not, consider paying for it.

We’ve rounded up the best identity theft resolution services here.

More than anything, remain calm as you sort through the fallout of this breach. Focus on making a plan for protecting yourself from and responding to identity theft and making sure you only deal with trustworthy service providers.

The post No, Equifax Is Not Calling You. Watch Out for Scam Phone Calls After the Data Breach appeared first on MagnifyMoney.

Freaked Out by the Equifax Hack? Here’s What You Need to Know

About 143 million consumers’ sensitive information has been compromised in what was one of the worst data breaches to date in size and potential impact on consumers. Credit reporting agency Equifax announced the breach Thursday, more than a month after detecting the intrusion.

Equifax is one of the three national credit reporting agencies (the others being TransUnion and Experian) and collects a wide variety of consumers’ sensitive and personally identifiable information (PII). The information on credit reports determines credit scores and is used in lending decisions, among other things.

What happened

The breach exposed the names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers of about 44 percent of the current American population. Hackers also took the credit card numbers for about 209,000 U.S. consumers and dispute documents for 182,000 U.S. consumers.

In its announcement, Equifax said “criminals exploited a U.S. website application vulnerability to gain access” to the files. In addition to the millions of U.S. consumers affected, the company says the criminals had access to limited personal information of some U.K. and Canadian residents.

The Atlanta-based reporting agency said the thieves had access to the data from mid-May through July 2017, but it didn’t discover the breach until July 29. Equifax announced the breach more than a month after discovering it and hiring a cybersecurity firm to investigate.

The company says it’s also working with law enforcement authorities and that its investigation will be complete soon. Equifax has not said who they believe attacked their database.

What the breach means for consumers

The breach isn’t the largest to date, but it’s close. In 2016, Yahoo announced an attack that affected 500 million users. Another breach, announced just a few months later, involved 1 billion users. In those breaches, hackers stole users’ phone numbers and passwords.

The Equifax breach could be worse in impact, given the sensitive nature of the consumer data the company has on file. In its release, Equifax said it had found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” That doesn’t necessarily mean the information hasn’t been misused or that it won’t be misused, as signs of identity theft may not immediately show up on a credit report.

“If you were going to rate this breach from one to 10, this is a 10. The amount of sensitive info that is contained in the Equifax database is staggering,” says Adam Levin, founder of CyberScout and author of “Swiped,” a book on how and why consumers can protect themselves from identity theft.

When this level of information has been compromised, it “opens up the door for thieves to commit many different other types of identity theft. Not just financial, but criminal, government, medical theft as well,” says Eva Velasquez, the president of Identity Theft Resource Center.

Levin adds, when Social Security numbers are part of a database that’s been exposed, all of the individuals who have their numbers in that database will need to be “looking over their shoulders for the rest of their lives.” The Social Security Administration rarely changes someone’s Social Security number.

What to do now

First, don’t panic.

“People really feel violated when things like this happen,” says Velasquez. “Direct your energy from being angry or upset and feeling powerless to actually doing something and taking some steps to feel more empowered.”

Levin says the breach may add to “breach fatigue” — how the drastic rise in security breaches causes consumers to believe breaches are inevitable and react to them apathetically instead of with urgency.

“But it shouldn’t,” Levin says. “It should be a clarion call. Unfortunately, as consumers we have to think of this as if we’re alone. The government has failed us. The financial industry has failed us, and frankly we have failed ourselves. It’s important that we develop a culture of privacy and security.”

Find out if you are one of the impacted

Given the increasing threat and frequency of data breaches, everyone should be proactive in detecting identity theft. For this breach in particular, Equifax set up a website to see if you’re one of the people affected and how to enroll in the free year of credit monitoring it’s offering victims.

Visit equifaxsecurity2017.com and click on “Potential Impact.”

You’ll see a page with a large, rectangular button that says “Check Potential Impact” and a few lines of text.

The text explains that if you click on the link that says “Check Potential Impact,” you’ll be taken to a form that asks you to provide your last name and the last six digits of your Social Security number.

Based on that information, you’ll then be shown a message that says whether your personal information may have been impacted by the breach.

Regardless of the message you see, Equifax will give you the option to enroll in a credit monitoring service from TrustedID Premier. Beware: if you enroll, you’ll have to agree to waive some of your rights to sue Equifax. The arbitration clause is written in all caps in the company’s terms of service, but consumers may miss the language. The Washington Post reports Equifax on Friday updated its terms to incorporate a way out of the arbitration clause.

Consumers can be excluded if they let Equifax know within 30 days in writing they would like to be excluded from the arbitration clause, but must first accept the agreement.

If you choose to enroll, you’ll be given an enrollment date. There’s quite a backlog of people enrolling, so you have to take it upon yourself to return to the site on your enrollment date. In short: You have to take your protection into your own hands. Equifax isn’t doing it for you.

Sign up for credit monitoring

Equifax is offering one year of free credit monitoring through TrustedID Premier to all U.S. consumers, regardless of whether they were affected by the data breach. There are five services under the program:

  • Get a free copy of your Equifax credit report.
  • Sign up for credit monitoring and automated alerts to be notified of key changes to your credit report at any of the three major reporting agencies.
  • Put a freeze on your Equifax credit report.
  • Scan suspicious sites for use of your Social Security number.
  • Get up to $1 million of identity theft insurance to help you pay for any costs you may incur if someone commits identity fraud against you.

Even if you don’t want to enroll in Equifax’s service, you should enroll in a credit monitoring service, like free options offered through Credit Karma, Discover, Mint, Wells Fargo, and Capital One® — there are lots of ways to keep tabs on your credit.

Some identity theft protection services, like the ones offered through myFICO, charge a monthly fee to monitor your credit year-round and provide identity theft insurance.

Regularly review your credit reports

You’re entitled to a free annual credit report from each of the major credit bureaus, which you can get through annualcreditreport.com. Carefully check your credit report for any accounts or recent activity you don’t recognize.

Make a plan to respond to identity theft

Detecting identity theft as soon as possible is crucial to minimizing the damage and stress it can cause — that’s where credit monitoring and reviewing your credit reports come in. But the next step is just as important: Know what to do when it happens.

You can dispute errors on your credit report, file a police report documenting the identity theft, and do the legwork of resolving any problems it causes. You can also pay for identity theft insurance or identity theft resolution services (some employers offer this as a benefit, so check with your human resources department). Here’s a guide on identity theft resolution, so you know what to do in case you see anything suspicious. Even if you don’t see anything out of the ordinary, you should continue to remain vigilant in monitoring your credit activity.

Freeze your credit report

Velasquez says a credit security freeze is an option impacted consumers should look at. It prevents any application for new credit without first verifying your identity. If you want to apply for new credit, you’ll have to “thaw” your credit reports. The credit bureaus charge a fee, which varies by state, every time you freeze and thaw your credit report.

“While that does create some added inconvenience, the level of protection is worth it,” says Velasquez.

Be alert for unusual activity

Now is the time to practice what Velasquez calls good “identity hygiene.”

“Being vigilant about your identity is just a part of the world that we live in,” says Velasquez. “If being involved in a data breach is the catalyst that brings that to the top of your mind, then we can see that as a positive.”

Velasquez recommends consumers act proactively and remain cognizant of anything that may involve using or verifying their identity. For example, if you receive a notice from a government agency about benefits or some weird explanation of benefits, pay attention to it.

Even after you do things like enroll in credit monitoring and freeze your credit, continue to do your best to watch out for signs of abuse. Don’t wait until you start receiving strange calls from government agencies and debt collectors.

When tax season rolls around, file your return as soon as possible. Identity thieves frequently use Social Security numbers to get fraudulent refunds, and if they file before you do, it will further complicate your tax-filing process.

At the least, go through your financial statements regularly (the more often, the better) to look for anything out of the ordinary. While protection is top of mind, sign up for any alerts you can set up on your mobile banking app to receive transaction notifications.

The post Freaked Out by the Equifax Hack? Here’s What You Need to Know appeared first on MagnifyMoney.

3 Things to Consider After the Latest Yahoo Breach

Here's how to protect yourself in the wake of Yahoo's latest data breach.

No payment card or banking information was compromised in the latest 1 billion-user breach at Yahoo, according to expert reports. But what if there had been? The truth is that for most users it would be annoying, but not the end of the world.

So, why is this big news?

First of all, Yahoo can now claim two of the biggest security breaches in history. It is noteworthy that such a distinction should be attributable to a single entity. The response to the latest breach news has been huge. Ask any three experts and you’ll probably get three different figures, but according to ZDNet, the users exposed in the two Yahoo breaches exceed the total number of records compromised between 2005 and 2013 by nearly double. (Yahoo did not immediately respond to Credit.com’s request for comment.)

The post-breach news commentaries have been many and various. There are some experts who advocate foregoing any digital connection to the security-challenged giant. Others predict that the latest bad news will negatively impact Yahoo’s sale to Verizon further, if not kill it. Within days of the breach, there were various articles advising how you could replace Yahoo services and delete your Yahoo account. That said, Yahoo is not the problem per se.

First of all, let’s be crystal clear: This latest news does not refer to the 500 million Yahoo users who were affected by the breach reported this September. While there may be some overlap, this is a different breach with different issues. It occurred way back in 2013, but that’s not really even the bad news here, though, yes, it is less than awesome that user information — including poorly encrypted security questions and passwords that could be used in an account takeover — has been out there for three years.

The bad news here is not limited to the fact that Yahoo didn’t know about this breach until law enforcement officials told the company that their stolen user data was offered for sale on the dark web. The bad news is not even, as PC World reported, that in a separate incident an intruder was able to crack Yahoo’s proprietary code and forge cookies, which would allow a hacker to get access to user information without a password. This last frightening bit of news seems to be related to the state-sponsored hack reported in September.

The bad news here is that this unsettling state of affairs — of having your information out there at the fingertips of bad players looking to make a quick buck — is not confined to Yahoo users. The real bad news is that we are all willing and/or unwitting conspirators in the exploitation of our own information, which has been sloshing around the hold of a virtual — and somewhat unmanned — freighter for years.

It Always Already Happened

There is, however, a bit of good news here. There are ways you can better protect yourself. All the subscriptions to identity theft monitoring cannot replace your active participation in your own defense. You are your best guardian.

Whether or not you choose to stay with Yahoo, it’s a good idea to change your behavior to stay safe, and that means changing your outlook and approach to the digital world. The main point is this: We are always about to “get got.” You don’t need breaking news coverage to know that you are exposed. With literally billions of compromised files floating around, you have to be exceedingly lucky not to be within easy reach of a sticky-fingered thief looking to make bank at your inconvenience.

While there is no way out of the information inferno we all inhabit, there is a way to live in it peaceably. I go into the details more thoroughly in my book, “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves,” but the basics of the practice I explain there can be summed up by three Ms: Minimize, Monitor and Manage.

Minimize Your Risk of Exposure: This can be anything from how you use the internet to what you choose to carry in your wallet. The goal is to decrease your attackable surface.

Monitor Your Identity: Get a free copy of your credit reports from each of the major credit reporting agencies at least once a year (some states permit more than one) at AnnualCreditReport.com. Consider subscribing to a credit and identity monitoring service. Set up transaction notices with your bank and credit card accounts, and pay attention. If you stay on top of things, you make it harder for crooks to get a foothold into your financial life. And if you have reason to believe you’ve been the victim of identity theft — unexplained accounts and mysterious addresses are two warning signs — don’t ignore it. You can view two of your free credit scores, updated every 14 days, on Credit.com.

Manage the Damage: Notify the authorities if you have become a victim. Get an identity theft incident report that you can use to straighten out your credit and identity issues. Check with your insurance agent, financial services rep or the human resources department where you work to see if they offer an identity theft protection services program and if you are enrolled. You may be pleasantly surprised to learn that they do and you are enrolled free, or can access it at a discount as a perk of your relationship. You may also want to consider freezing or placing a fraud alert on your credit as well, depending on what’s been compromised.

Never forget — the ultimate guardian of the consumer is the consumer, and no one has a bigger stake in protecting your economic security and well-being than you.

The post 3 Things to Consider After the Latest Yahoo Breach appeared first on Credit.com.

Yahoo Confirms Massive Data Breach: What You Need to Know

Yahoo confirmed a massive data breach Thursday that compromised an estimated 500 million users’ personal details.

The announcement follows a Yahoo investigation into claims that a hacker going by the name “Peace” was trying in early August to sell the usernames, passwords and dates of birth of Yahoo account users on the dark web.

The investigation found that “certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo said in a news release. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, Yahoo said. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.

Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.

Keeping Your Information Safe

If you ever have reason to believe a password to any of your accounts has been compromised, it’s a good idea to change it immediately. And you’ll want to do that across any account that shares the same password (not a best practice, by the way) as the affected one since hackers who obtain one username and password may try to use it to gain access elsewhere.

Remember to keep passwords long and strong by using alphanumeric characters and phrases that can’t easily be guessed via social media (like, say, your pet names). And, if you ever have reason to believe your personal information was hacked, it’s a good idea to monitor your credit for signs of identity theft. (You can view a free credit report summary, updated every 14 days, on Credit.com.)

The post Yahoo Confirms Massive Data Breach: What You Need to Know appeared first on Credit.com.

The Target Data Breach Changed Nothing About How We Use Credit & Debit Cards

Remember a couple of years ago when the Target data breach was in the news? Here’s a refresher if you don’t. In December 2013, Target announced that hackers may have accessed 40 million credit and debit accounts used in their stores late that year.

With so many people affected, it would seem logical that consumer behaviors around card usage might have changed. Turns out, that isn’t the case, according to a recent report by Claire Greene and Joanna Stavins of the Federal Reserve Bank of Boston.

Greene and Stavins looked at survey data collected by the Survey of Consumer Payment Choice (SCPC) before the breach and then after consumers were made aware of the hack. In the survey, consumers were asked about the security of their personal information tied to debit cards and, on average, they saw it as 11.3% less safe after the Target breach.

Based on this information, the authors expected to see a decline in debit card usage. However, the authors reported “no statistically significant change in the adoption or shares of payment instrument use of debit cards in the long run.” Meaning, they don’t believe the Target breach announcement caused any long-term effects on how people use their plastic.

What to Do If Your Information Is Stolen

It’s generally a good idea to keep a close eye on your credit card statements for any suspicious activity. (Tip: make sure you’re doing this through a secure Internet connection so you don’t open yourself up to any additional threats.) If you spot fraud, report it to your issuer right away and, if your card gets lost or stolen, it’s in your best interest to call up your issuer and have the card replaced with new account numbers.

If your personal information gets compromised during a data breach (or otherwise), it’s a good idea to check your credit scores for sudden changes, like a sudden score drop or unfamiliar accounts in your name, as these are signs of identity theft. You can see two of your credit scores for free, updated each month, on Credit.com.


Own an Acer Computer? You Might Have Been Hacked


If you purchased something on computer manufacturer Acer’s website over the last year, your credit card information may have been stolen.

Hackers made off with the names, addresses, card numbers, expiration dates and three-digit security codes of a reported 34,500 customers. So far, there is no reported evidence that usernames or passwords were compromised during the unauthorized third-party access.

Acer acknowledged the data breach, which reportedly happened more than a year ago, in a letter prepared for customers. Customers who purchased products on the site between May 12, 2015 and April 28, 2016 might have had their data compromised.

“Safeguarding your personal information is important to us,” Mark Groveunder, vice president of Acer customer service, wrote in the letter. “We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts. We have reported this issue to our credit card payment processor. We have also contacted and offered our full cooperation to federal law enforcement.”

Review Your Credit For Signs of Identity Theft

The company is urging customers to review their accounts for any signs of identity theft.

If you are concerned that your credit card data was stolen in the Acer hack, it’s a good idea to check your credit scores and credit reports for any signs of unauthorized activity, such as new accounts you don’t recognize. Thieves often get credit cards, buy cars or take out a loan, and when they don’t repay it, the victim’s credit suffers. Until the victim realizes what’s happened, files a police report and gets rid of the fraudulent accounts, the negative information reported to credit bureaus continues to do damage. (You can get free annual credit reports on AnnualCreditReport.com and you can check two of your credit scores for free every month on Credit.com.)

You can also consider freezing your credit until you’re certain you’re in the clear. When you freeze your credit, no one can open a new credit card or loan — not even you. Once you need access to your credit, you have to thaw it before a potential lender has the ability to review your application. You can continue to use your existing accounts, and a freeze won’t keep you from getting your free credit reports or credit scores.


Could Your Campaign Contribution Expose You to Identity Theft?


Over the past few years, we’ve experienced more ginormous data breaches than any of us can, or would even care to, remember. Against this backdrop, reflect upon the fact that political campaigns know as much, if not more, than advertisers about us — what inspires us and what will move us to vote.

The Wild West

Consider the various kinds of information a campaign crunches to determine who might be persuaded into voting for their candidate and the parallel to advertising and marketing becomes instantly clear.

Many campaigns don’t “only” (and I use the term advisedly) collect things like your name, email address, postal address, phone number, mobile number, credit card information, location, what you’re called on social media sites (your handles) and other contact or identifying information you choose to provide when you go to make a donation or sign up for their emails. There’s also often a cornucopia of data collected when you use a campaign’s site — cookies, your IP address and other digital no-see-ums. While that information would be horrible to leak, it’s nothing compared to the granular details that campaigns purchase from data mining companies.

“This is the Wild West,” Tim Sparapani, a data privacy consultant and former director of public policy for Facebook, recently told the Los Angeles Times, “There is nothing that is off-limits to political data mining.”

They Have WHAT?

This is not just about social media, but it definitely starts there. Data mining companies have long scoured social media to glean information about potential customers, proponents, fans, outraged citizens and any other manifestation of subjective choice “out there.”

There are too many instances to bring up here, but a report in Bloomberg late last year can serve as a general example. It was about a data mining firm that was working for former presidential candidate John Kasich’s Super PAC to create “a ‘social graph’ of possible supporters by scanning high school yearbooks, small-town newspapers, and sports-team rosters.”

If a yearbook is OK in the land of deep dives, what other records could be put to use? Like rose petals in the wind, data is scattered about everywhere, and there is no place too insignificant for a data mining company to potentially send employees to scour for useable bits.

What’s the Big Deal?

What may not be as obvious is that the type of information they collect is often of significant value to hackers and their clientele. Hackers, advertising executives and political operatives constantly search for ways to move a person to take a particular action. With hackers, the action is to click a link that downloads malware designed to grab account or sensitive personal information, or that otherwise provides access to money or services using your information. Politicians simply want your vote.

Concern that hackers will compromise political campaign databases seems like a prudent response to the current information security landscape, yet disappointingly, at least for those of us in the data security community, the conversation between candidates about security has been largely focused on the “Great Wall of Mexico” and whether or not ISIS should be nuked.

Were a major campaign hack to go down, it would not only create a very unfortunate political situation, but also the information of millions of voters would be at risk for phishing attacks and identity theft. If one of these data-heavy campaign databases were to fall into the wrong hands, there is no end to the scams that creative, sophisticated and persistent fraudsters could pull off with it, or the havoc they might wreak.

The attacks could be based on a familiarity with the target and/or target group—phishing, spearphishing, picking purchases that go unnoticed, cooking up scams involving known networks of friends gleaned from voter data married to social networking accounts — but I digress.

The Solution

As things stand, there is no solution. Data breaches are the third certainty in life, right behind death and taxing presidential elections.

To be completely honest (isn’t that a refreshing concept in a presidential election?) in order to be almost cyber bulletproof, you would have to live in a log cabin on Loon Lake and never associate with anyone or anything. That said, there is a point in the drive to be careful with your information where you have to also live life.

Bottom line: As I mention in my book “Swiped: How To Protect Yourself In a World Filled With Scammers, Phishers and Identity Thieves” – practice the 3Ms: Do everything you can to minimize your risk of exposure, monitor aggressively so that you know as quickly as possible if you have a problem and have a plan to manage the damage. (You can check for signs of identity theft by viewing your free credit report summary each month on Credit.com.)

Don’t assume that your candidate of choice, no matter how much you think you can trust him or her, actually has your back. Frankly, in this decidedly insecure digital world, they don’t even have their own.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


The LinkedIn Password Breach Is Way Bigger Than We Thought: Here’s What You Need to Do


Quick, what was your LinkedIn password in 2012? OK, now think of every password you use for every service, and make sure that LinkedIn password isn’t reused anywhere.

If ever you needed a reminder not to reuse passwords, here it is. We knew that LinkedIn got hacked in 2012, but at the time we thought only 6.5 million passwords were stolen. Now, we’ve learned the real figure was more like 100 million-plus. That means your old LinkedIn password — and any derivations of it — should not be used anywhere else. You already knew that, but now you really know.

A security researcher found an ad yesterday posted by a hacker offering a list of 167 million LinkedIn passwords for sale for about $2,300. LinkedIn confirmed to Ars Technica on Wednesday that it knows an “additional set of data has just been released.” It’s working to invalidate any passwords on the list that might still be in use. Because of duplicates, etc., the real number is probably far less than 167 million, but it’s certainly much larger than 6.5 million.

Of course, LinkedIn can’t help with other services where you might re-use its password. And you probably forgot it anyway. (Sadly, computers never forget these things.) Even if you only signed up for LinkedIn once, back in 2012, and never used it again, the password you set at the time is now poisoned.

There is no need to panic. No doubt, whoever had this list had wrung all the value out before offering it for sale – probably many times over. If it were really a gold mine, it likely wouldn’t be for sale at $2,300. Most of the user/password combinations in there have no doubt already been tried at other websites.

Still, your job today is to think about all the critical sites you use — places where you keep and spend money (banks, Amazon) — and make sure those passwords are clever and fresh. Then let your mind wander to places where hackers might make bank by scrolling through your digital life: Hacking into your email account, for example, or even your Facebook account. Using your email, they could reset passwords at your bank. Using Facebook, they could trick friends into sending money — or just embarrass you.

Doing that kind of security inventory is a good exercise at any time. But today presents a great reminder.

“There needs to be a sense of heightened security every day when it comes to cyberattacks and thinking passwords could be stolen,” said John Peterson, Vice President of Enterprise Products at cybersecurity company Comodo. “Consumers, small businesses and large enterprises all need to understand that criminals have established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, Social Security numbers, company trade secrets and data, and credit card and financial data every minute of every day.”

[Editor’s Note: Remember, if you have reason to believe you’ve been a victim of fraud, it’s crucial to check your credit. Specifically, you should keep an eye out for sudden drops in your credit score, mysterious accounts opened in your name and unknown addresses. You can check your credit by pulling your reports for free each year at AnnualCreditReport.com and viewing your scores, updated monthly, for free on Credit.com.]


Nearly All Data Breaches Happen in Minutes, Report Finds


Most data breaches happen fast — in a matter of minutes, according to a new Verizon report — but the impact on you and your credit report could make for a very long lasting financial headache.

Cybercriminals carry out data breaches to steal your Social Security number, credit card number, bank account information and many other forms of personal financial information. And according to the latest Verizon 2016 Data Breach Investigations Report, these thieves still find success with phishing emails. Per the report, 30% of phishing messages were opened. This compares to the previous year’s figure of only 23%. Meanwhile, 13% of those clicked to open the malicious attachment or nefarious link.

Regardless of what method was used to compromise sensitive data, in 93% of cases, attackers were able to compromise systems in just a matter of minutes.

Verizon analyzed more than 2,260 confirmed data breaches and more than 100,000 reported security incidents, finding that 89% of all attacks involve financial motives while ransomware attacks were up 16% from 2015. Meanwhile, 63% of data breaches were thanks to weak or stolen passwords.

Also blamed for data breaches are ‘miscellaneous errors,’ which can include improper disposal of sensitive information, misconfiguration of IT systems, and lost and stolen devices, such as laptops and smartphones. These errors also include people mistakenly sending sensitive information to the wrong person, which accounts for 26% of these errors, Verizon found.

What Can You Do About It?

When your information is stolen, thieves will typically sell it — or use it for themselves — to open as many accounts as fast as they can in your name. Unfortunately, you may not find out about it until you’re applying for a mortgage, opening a line of credit or financing a car, when it’s already too late.

You can, however, take a few simple steps to help protect yourself from cybercrime. For starters, you can implement two-factor authentication for your applications and social networking sites, encrypt your data and limit who is authorized to access it. It is also helpful to be familiar with the signs your identity has been stolen or your credit information has been compromised.

Staying informed about your credit scores and individual credit accounts is also helpful in minimizing any damage done by data compromises. You can check your free annual credit report every year at AnnualCreditReport.com, and keep track of your credit scores by viewing your two free credit scores, updated monthly at Credit.com, to make sure there aren’t any fraudulent accounts on your file. You can also go here to learn what to do if you are a victim of identity theft.
