Post Equifax: Will Free Credit Freezes Help?

freeze your credit

When Equifax announced the historic data compromise that exposed the sensitive personal information of up to 143 million consumers, the company said victims would have access to credit freezes for a month free of charge. This was not exactly a solution to the fresh hell it had just announced.

Frankly, it seemed like a relatively cheeky move considering the staggering number of people who had just learned that they will be looking over their shoulders for a virtual mugger for the rest of their lives. I wouldn’t be surprised if Saturday Night Live re-creates Equifax’s offer of free credit freezes (for a whole month!) as a classic schoolyard drama featuring a bully holding a stolen bike in front of its owner and offering to give it back for a hefty fee.

My first thought was definitely not, “That seems fair.”

And while I can’t speak to whether there was any discussion of sketch comedy in their process, the Identity Theft Resource Center (ITRC) seems to have had a similar reaction. It launched a change.org petition that urged Experian, TransUnion, and Equifax to let consumers freeze, thaw, and refreeze their credit files, free of charge, once per year.

Sadly, this is not a solution either.

The Legislative Angle

Senators Elizabeth Warren (D-MA) and Brian Schatz (D-HI) recently introduced legislation that would force the Big Three credit bureaus to provide more robust solutions to the 24/7 identity-theft quagmire we now inhabit thanks to the Equifax breach.

One of the main provisos was a legislative version of the ITRC petition: Give all Americans access to free credit freezing (and unfreezing) for life. Additionally, the bill would force the credit bureaus to reimburse any fees collected for freezes purchased after the Equifax compromise was made public.

“Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” Warren said when announcing the bill.

The Freedom from Equifax Exploitation Act is a move in the right direction, a roadmap for the Big Three to provide consumers with more robust fraud protections as well as an additional free annual credit report. (One free report is already a consumer right in the United States. You can check your credit report for free at Credit.com.)

That SNL sketch encapsulates the feeling of the Freedom from Equifax Exploitation Act: credit bureaus shouldn’t be able to profit off the fear generated by their failures to protect our sensitive data.

Freezes Aren’t the Answer

While it is good to get those freezes (if you can figure out how to set them up), a credit freeze is by no means the be-all and end-all answer to the “What now?” reality of 143 million consumers.

Credit freezes do not mitigate all threats.

First of all, you are still vulnerable to attacks on existing accounts. Two easy ways to help diminish this threat is by setting up transaction alerts and opting for two-factor authentication wherever it is offered.

You are also more susceptible to spear phishing emails and texts now, since fraudsters now know where you bank, where you have debt, and who financed your car. They no longer have to guess which bank you use, thereby making the whole process of defrauding you much more expedient—a real win for scam artist productivity. Employment and tax fraud as well as medical/healthcare fraud are also real concerns after the breach.

The best course of action given all these variables is to change the way you think about your vulnerability and practice the Three Ms, which I discuss in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t over-share on social media; be a good steward of your passwords; whenever offered, opt for 2-factor authentication; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously; keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The Three Ms are not a solution to the threat of scams in the wake of the Equifax hack, but they are a lifestyle change that can help fend off the inevitable attempts to exploit your identity for ill-gotten gain.

Image: istock

The post Post Equifax: Will Free Credit Freezes Help? appeared first on Credit.com.

The Equifax Breach and the Cybersecurity Silver Bullet

acer hack

Some time ago, the popular show Mythbusters wanted to find out if the Lone Ranger was right about silver bullets being better than lead ones. Turns out silver bullets are actually slower and less accurate.

When it comes to cybersecurity, quick-fix silver bullets are also less effective than tried-and-true approaches. The most effective cybersecurity strategies begin with two certainties: mistakes will be made, and breaches like the one that hit Equifax will keep happening.

The 143 million consumers exposed in the Equifax breach provide plenty of evidence that there’s still no effective “silver bullet” when it comes to both chronic and acute threats to our collective cybersecurity.

While the Equifax breach is by no means the largest hack to date (that distinction still belongs to Yahoo), it definitely stands out as the breach with the greatest potential to harm its victims.

The Equifax hackers got the most complete data dossiers possible on millions of people. Those dossiers are worth about $30 on the black market and include Social Security numbers, names, addresses, birth dates, and, in some cases, driver’s license numbers. Additionally, the credit card numbers of 209,000 consumers were lifted.

What can be done with this information? Just about every sort of identity theft imaginable.

Credit lines and credit-worthiness can be destroyed overnight, health care records can be polluted with the information of thieves using your benefits illegally, and it can be nearly impossible to get medications filled in a timely manner. Crimes can even be committed in your name, since the thieves have all they need to create a driver’s license with your information and someone else’s photograph.

No Easy Fix

If there were any easy way to solve the data-breach problem, we’d be seeing fewer newsworthy compromises. But as yet, nothing works.

Take, for instance, biometrics. Fingerprints, retina scans, body weight, and shoe size—they offer a great addition to the various ways we authenticate ourselves to the systems storing our data. But they are not a true fix. If a security patch released by a software provider is not installed, as happened in the Equifax breach, it doesn’t matter how many body parts you scan.

Picture the mailboxes in the lobby of a city dwelling—the individual boxes can be opened with one master key so the letter carrier can slot the mail for all the apartments at the same time. It doesn’t matter how well you protect the key for your one apartment’s mailbox if a thief gets access to the master key. The same goes for individual cyber hygiene in the face of a breach.

One of the most promising solutions was once thought to be tokenization—a system of referents that create an impenetrable security trail—but it suffers from the same issue that was behind the Equifax hack: human beings messing up.

Tokenization systems have to be secured and validated using security best practices. That’s where the fallibility part creeps in. Those best practices still need to be implemented by fallible humans with busy lives who have not been told—and consistently reminded—that they are the only solution to the data breach problem.

Data breaches and the identity-related crimes that flow from them are the third certainty in life—right after death and taxes—because there will always be that fallible human element. Education can help mitigate the risks, but even the savviest populace will make mistakes.

Real Solutions

Senator Elizabeth Warren has set her sights on the three credit reporting bureaus, specifically demanding that they offer credit freezes for free. The looming threat of credit hijacking is made possible by the hoarding of information—the credit reporting bureaus’ daily bread. It seems logical, then, that the bureaus should have to pay for the most common crime that data can lead to: credit fraud.

While new laws are good, education is the only real solution.

For many years now I have been advocating a system called the Three Ms, which are the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Practicing the Three Ms continues to be the best way to keep your personally identifiable information from being used in identity-related crimes. 

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t overshare on social media; be a good steward of your passwords; opt for two-factor authentication whenever it’s offered; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously (you can check your credit report for free on Credit.com); keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The odds of President Trump giving his entire fortune to the NAACP are probably better than the chances that we’ll be experiencing fewer big breaches in the future. An individual’s security protocol is only so useful, but an individual’s actions make all the difference.

Image: istock

The post The Equifax Breach and the Cybersecurity Silver Bullet appeared first on Credit.com.

Your Equifax Download: What You Need to Know about the Equifax Hack

Teenage girl with hands on face victim of cyber bullying

Everyone knows a mosquito bite doesn’t really start itching until the damage has already been done, and the same goes for many kinds of identity-related crimes. With news of the recent Equifax breach continuing to surface, what do you need to know now to limit your exposure?

Equifax has estimated the hack impacts 143 million people, mostly in the United States. (That’s almost half the US population!) The thieves stole names, Social Security numbers, birth dates, addresses, and driver’s license numbers.

Each item of personally identifiable information (PII) is like an ingredient for a recipe. The more ingredients you have, the more recipes you can prepare. Similarly, the more pieces of PII exposed, the more kinds of fraud thieves can commit. If there were a fraud equivalent of The Joy of Cooking, thieves just got access to all the ingredients necessary to make every recipe in the book.

The Problem with Freezing Your Credit Report

The New York Times reported still more bad news in the wake of the Equifax announcement.

The credit freeze service the credit bureau offered (originally offered for a fee until it finally decided to provide it for free for 30 days) generated PINs that were based on the time and date the PIN was created. These PINs are required to release the freeze whenever you need to grant access to your credit files in connection with a loan, an apartment rental, or a job application (where permitted by law). Unfortunately, they’re laughably easy for a hacker to guess before then.

The bigger problem is that a freeze needs to be in place at all three reporting agencies in order to be effective. As credit expert John Ulzheimer told the New York Times, putting a freeze on your credit with only one reporting agency is “like locking one of three doors in your house and leaving the other two unlocked. You’re hoping the thief stumbles on the locked door.”

Types of Fraud to Be Aware Of

The hackers also made off with 209,000 credit card numbers and 182,000 credit dispute documents containing personally identifying information.

In August, there was a spike in credit card fraud, according to the New York Post. It seemed odd to security experts at first, since credit card fraud typically increases around the holidays. The Equifax news seems to provide an explanation for the statistical oddity. “We saw a 15% increase in the overall fraud attempts in our system in August, which is an unusual time of year to see such a spike,” said Liron Damri, cofounder of Forter, a fraud-prevention service for online retailers.

But the threat goes way beyond maxed-out credit cards, fraudulent credit applications, and tax-refund fraud. With Department of Motor Vehicle information also in play, the risks are elevated. A fake ID made out in your name could cause you to get arrested for an outstanding warrant. In the realm of identity-related fraud products, a fake driver’s license is a luxury item for sure, but it’s still one that could hurt you if a scammer provides your information on a fake license the next time they’re pulled over for speeding or collared for a crime.

And then there’s the serious risk of medical-identity fraud. Consumers could see delays in prescription fulfillment because of fraudsters using their health care information. Worse, consumers may not be covered for health care expenses until they are able to prove they are who they claim to be using the same information that the crooks used—a frustrating and often complicated process.

Legal Remedies 

One can only assume there will be lawsuits galore. In fact, one enterprising person has already automated the process. A robot lawyer is on the case, allowing consumers to automatically file a claim against Equifax in small claims court.

According to the Verge, consumers are still able to join class action suits while pursuing a small claims court remedy.

“Even if you want to be part of the class action lawsuit against Equifax,” the Verge reported, “you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.”

Protecting Yourself Now

To say that the Equifax PIN assignment process was incompetent is an understatement. Nevertheless, it is a teachable moment. While it’s okay to hope that your services and vendors will do things right, you need to stay vigilant. And this should go without saying: if you can change privacy and authentication settings on a product or service, do it. If that’s not possible, perhaps you should consider finding a new vendor or service.

The easiest way to protect yourself, in my opinion, is by using a system called the “Three Ms.” The Three Ms is the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, and the approach continues to be the best way to keep your personally identifiable information from being used in identity-related crimes.

And they are simple: 

  1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t oversshare on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.
  2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, and review major accounts daily if possible. (You can check your credit report for free at Credit.com.) If you prefer a more laid-back approach, sign up for free transaction alerts from financial services institutions and credit card companies, or purchase a sophisticated credit- and identity-monitoring program,
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly, and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and HR departments.

Your Chances of “Getting Got”

Scammers pay around $30 per complete ID dossier on the black market. With 143 million packets available through the Equifax breach, that’s more than 4 billion dollars’ worth of information. Though it may not seem so at first glance, this could actually be good news for you: your chances of “getting got” decrease with an increase in available targets.

Odds aside, though, Equifax is not the first, nor will it be the last, breach of note. Being prepared and alert is still the best remedy, because breaches have become the third certainty in life—right behind death and taxes.

A final tip: check with your insurance company, financial services institution, or employer. You may already have access to identity protection and resolution services, which is your best bet when it comes time to navigate the identity theft quagmire.

Image: AIMSTOCK

The post Your Equifax Download: What You Need to Know about the Equifax Hack appeared first on Credit.com.