Tips for Buying Safe Connected Devices This Cyber Monday

Keeping up with news alerts about cybersecurity flaws in consumer electronics is a lot like picking up spilled jelly beans one at a time with a plumber’s wrench. Even if you figure out how to do it and have endless patience, a few will skitter out of sight.

Assume for the moment that, unlike most people, you think a lot about cybersecurity and you do your homework before buying a connected device. (I know. This is a truly ridiculous proposition. But let’s just say it’s the case.)

As you prepare for Cyber Monday, make cybersecurity part of the purchase process. What does your thinking about cybersecurity look like? What form does it take? Perhaps you like to use a search engine to see if there have been any obvious problems associated with the product, service, or device you’re considering. And by problems, I mean specifically cybersecurity and privacy issues.

This simple action can save you from a time-consuming hassle later. Security lapses abound. It’s your job to know about them.

Your Role in Cybersecurity

If you think this sort of research is too hard, relax. It’s easy. A simple search using the name of the item in question as well as terms like “compromise,” “privacy,” and “breach” is a good place to start.

For example, maybe you’re thinking about giving someone a credit monitoring gift that protects them from fraud. You might do the following searches:

  • “Equifax hacked”—About 901,000 results (0.58 seconds)
  • “Experian hacked”—About 128,000 results (0.63 seconds)
  • “TransUnion hacked”—About 62,800 results (0.37 seconds)

Now, bear in mind, many of the search hits on Experian and TransUnion (both of which offer sophisticated monitoring programs) come by way of obligatory mentions in the coverage of the Equifax compromise.

You’re Still Not Safe

Let’s say you get a connected cam to monitor an aging parent. There are some basics to consider. You’ve got to assume, for example, that Mom may not want to be the star of a Russian reality TV show called something along the lines of “Stupid Americans I Have Hacked.” But you also have to assume it could happen.

If you did your homework right, you know there’s been a problem with many plug-and-play webcams involving the use of manufacturer default passwords.

Checking for known security issues or a history of poor security is important, but there is still more work to be done before Cyber Monday to make sure you’re not giving someone a gift that robs them blind, opens them up to public ridicule, or simply embarrasses them.

The Most Important Question

That camera with seemingly perfect security you got your mom could become a live feed to her own version of The Truman Show for an avoidable reason: the cam wasn’t patchable. This means that when a security flaw is discovered, there is no way to protect the cam because it cannot receive security patches.

You’ve read privacy policies online and have made sure the product you’re thinking about doesn’t get significant revenue by selling data collected from this or that smart device, but the item also needs to be patchable.

Many companies do a very good job. Contrary to the folklore about planned obsolescence at Apple, the company is excellent at supporting older devices and operating systems, and it is a top player when it comes to security patches.

Let’s focus on gadgets. If the connected device you’re considering is not properly maintained after the launch of later generations of that product or a related service, keep looking for a device that is.

And ask, Is this connected device patchable?

This Cyber Monday, the only way to find those errant jelly beans mentioned above is to do the requisite research.

While nobody has the time to read every news item about product security, with the holiday shopping season upon us, it’s imperative to think about cybersecurity basics.

Data breaches and other compromises are the third certainty in life, right behind death and taxes. The simplest way to avoid falling prey to products and services that offer shabby or nonexistent cybersecurity? Don’t buy them.

If you fear your information has been compromised through an unsecure device, review your credit report for any suspicious activity. You can get your credit report for free through Credit.com.

The post Tips for Buying Safe Connected Devices This Cyber Monday appeared first on Credit.com.

Uber Data Breach Impacts 57 Million — Here’s What You Need to Know

Some 57 million Uber users’ personal information was exposed in October 2016 when the car-hailing company experienced a cyber attack, the company announced Tuesday — more than a year after the occurrence of the incident. 

Bloomberg reported the company paid $100,000 to the hackers responsible for the attack to keep the breach private.  

What happened? 

Dara Khosrowshahi, Uber’s new CEO who was appointed by the board in August, said in a statement that two people outside the company “inappropriately accessed user data stored on a third-party cloud-based service that we use.” 

The attackers stole data of the 57 million people across the globe, including their names, email addresses and mobile phone numbers. About 600,000 U.S.-based drivers were among 7 million Uber drivers whose license numbers and names were exposed in the breach. 

The data breach was the latest in a string of high profile cyber attacks that weren’t revealed until months or years later.  Fortunately, it doesn’t appear that Uber users have to worry about any of their financial information being exposed. Khosrowshahi said no evidence indicated that trip location history, credit card numbers, bank account numbers, or dates of birth were stolen.  

What was done? 

After the attack happened, Uber “took immediate steps” to safeguard the data and blocked further unauthorized access to the information, according to Khosrowshahi. The company identified the hackers and made sure the exposed data had been destroyed. Security measures were also taken to enhance control on the company’s cloud storage.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” 

The company let go two employees who led the response to the incident on Tuesday, according to the statement. Uber is also reporting the attack to regulatory authorities.  

What can you do? 

Uber said no evidence shows fraud or misuse connected to the data breach.  

If you are an Uber rider…

The company said you don’t need to take any action. Uber is monitoring the affected accounts and has marked them for additional fraud protection, Khosrowshahi said. But you are encouraged to regularly monitor your credit and Uber accounts for any unexpected or unusual activities.

If anything happens, notify Uber via the Help Center immediately. You can do this by tapping “Help” in your app, then “Account and Payment Options” > “I have an unknown charge” > “I think my account has been hacked.” 

If you are an Uber driver…

If you are affected, you will be notified by Uber via email or mail and the company is offering free credit monitoring and identity theft protection.  

You can check whether your Uber account is at risk here 

Check out our guide on credit freezes and other steps you can take to protect your identity if personal information is compromised in a data breach.

The post Uber Data Breach Impacts 57 Million — Here’s What You Need to Know appeared first on MagnifyMoney.

7 Ways to Protect Yourself as You Shop for the Holidays

The holiday season is an enormous economic event, so much so that the National Retail Federation estimates that holiday shopping represents as much as 30% of a retailer’s annual sales. But as a consumer, increased spending can leave you more vulnerable to theft and fraud.

However, there are steps you can take to guard against theft. Here are seven ways to protect yourself as you shop for the holidays.

1. Pay with a Credit Card

Stolen cash isn’t easily recovered, and a thief could use your debit card to empty your bank account. Credit cards offer better protection.

Even if your card is stolen, federal law dictates that you can’t be held liable for more than $50 in charges. That liability drops to $0 if you report the card’s loss before fraudulent charges occur or if it’s your card number, not your physical card, that was stolen. Many credit card issuers will automatically waive the $50 no matter the scenario.

2. Use a Virtual Card Number Online

Some credit card companies offer virtual card numbers, which can keep your information safe as you shop online. These temporary 16-digit numbers are linked to your account, but allow you to set predetermined spending limits and an expiration date. If a thief gets ahold of your virtual number, your exposure is limited and you won’t have to go through the hassle of canceling and replacing your card.

There are third-party virtual card providers out there if your credit card company doesn’t offer this service, but their quality may vary and they will require you to sign up for a separate service.

3. Protect Your Account Logins 

Your accounts are only as strong as your password. Use different passwords for every account; this way, if one of your passwords is compromised, your other accounts will still be safe. Many online retailers (including Amazon) now offer two-factor authentication, which gives you an additional layer of security when you log in.

4. Shop with One Account

It’s more difficult to track your spending when you use multiple credit cards or bank accounts. You should limit your holiday shopping to one account, which makes it easier for you to identify unauthorized charges.

5. Shop at Secure Websites

Be careful about the websites you visit. You should only make purchases at trustworthy retailers. Also, check for the secure padlock icon and an “https” at the beginning of the retailer’s web address, both of which indicate that the site is encrypted. This makes it more difficult for hackers to steal your information.

6. Monitor Your Accounts

You should be closely monitoring charges on your account all year long. While many financial institutions now offer account monitoring, their systems aren’t foolproof. Make sure to carefully read over your monthly statements to identify unauthorized charges.

7. Monitor Your Credit Report

Credit card numbers are replaceable, but if thieves get hold of really important information—like Social Security numbers, birthdates, and addresses—you could become a victim of identity theft. Check your credit report regularly to make sure no one is opening fraudulent accounts in your name. You can see your credit report for free at Credit.com.

The post 7 Ways to Protect Yourself as You Shop for the Holidays appeared first on Credit.com.

Can You Hack-Proof Your Personal Email Address?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

How would you feel if the digital “you” were deleted? The common wisdom in cybersecurity circles is that if you think it can’t happen to you, it probably will. Consider Mat Honan’s story.

“First my Google account was taken over, then deleted,” Honan wrote. “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.” Honan’s AppleID was used to remotely delete all the data on his iPhone, iPad, and MacBook.

“My accounts were daisy-chained together,” Honan confessed. Sound familiar? Most people have to authenticate via daisy-chain. Even if you have everything segregated and use multi-factor authentication, chances are good that your personal email address is used to log in to most of the places you go online.

If a hacker gains access to your personal email account and, like most people, you’re lax when it comes to personal cyber hygiene, it could be game over for you—not only with regard to your data, but for whatever assets and accounts you manage online.

Can Your Personal Email Be Hack-Proofed? 

The short answer is no. Hacks and data breaches are the third certainty in life, right behind death and taxes. In fact, the most likely reason you haven’t been hacked yet is that there is a staggering number of sitting ducks out there. Needless to say, however, there is no safety in numbers. Hackers become more efficient all the time. 

While there is no silver bullet to our collective vulnerability, brothers Steve and Robert Yoskowitz think they might be able to help with Joinesty, a Chicago-based digital security startup that recently released an interesting Chrome extension.

Like LastPass and other password managers, Joinesty allows users to change passwords for everything they access online. Login credentials are automatically generated and easy to manage.

What makes Joinesty different is that they also let users create unique email addresses (to be forwarded in real time or delivered in daily digest form) for everything they access online, thereby shielding their personal email address from prying eyes.

In addition to email management, Joinesty lets users know about deals that are available at over 7,500 merchants in real time.

“The feature injects into Google so users can see what deals are available within their search results,” CFO and co-founder Steve Yoskowitz told me. “As cybersecurity and privacy become everyday and every-person concerns, we are trying to create an environment of security appealing to a demographic which may not know how much they need it, while targeting the interactions and online behavior that expose users the most.”

Before you decide that Joinesty is an advertising vehicle disguised as a cybersecurity solutions company, I asked about revenue, which is subscription based. Users can choose between monthly or annual subscriptions at $6.99 a month or $41.99 a year.

“The pillars of the Joinesty brand are trust, transparency, and simplicity,” Yoskowitz told me.  “We structured every aspect of our platform around these pillars, including our revenue model.”

Why Personal Email Addresses?

Nobody needs a disquisition on the dangers of using the same password for different accounts and services, though the number of consumers who still do it is alarming.

Instead, how about a quick lecture: According to one recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts. The most popular password in 2016 was “123456.” For less than $1,000, hackers can buy a machine that has the capacity to test billions of passwords per second. Effect: You are vulnerable. Password managers work, so use one. (End of sermon.)

Actually, it’s not quite the end of the sermon. Because lousy password hygiene is so prevalent, you need to know if your personal email address has been leaked in a data breach or, better yet, just assume that it has been. Haveibeenpwned.com is one place to go if you’re curious.

Personal email addresses present a huge vulnerability for most people and an infinite number of clear-sky lines of attack for hackers.

A recent data sample found that in the United States there are an average of 130 accounts assigned to a single email address. We’re talking about newsletters, e-commerce sites, banks, gyms, portals to your medical records and healthcare coverage, investments, car loans, credit cards, and—as Mat Honan knows all-too-painfully well—social networking sites.

Your personal email address is one of your most visible forms of personally identifiable information (PII), and yet many websites require it. If your email is commandeered, whoever has control of it is just a few clicks away from taking control of your finances and anything else they might care to target. Think of your email address as a much less secure version of your Social Security number—especially if you have bad password habits.

I asked Yoskowitz about the use of personal email addresses as a login credential. After a quick scan of the top 210 Quantcast sites, he found that only 26 had no login. “Two had a username—instead of email—for logging in, so roughly 86% currently require email for login,” Yoskowitz told me.

Fewer Opportunities to Click and Get Got

So, is Joinesty addressing the personal email problem or taking advantage of it? Does the solution open up new vulnerabilities? Is this merely a ploy to sell ads and profit off our collective cyber-insecurity? 

The first thing you need to know is that Joinesty offers something of value.

It is not tokenization per se, but it’s like it in that Joinesty replaces PII (in this case your personal email address) with equally valid but non-identifiable data.

“We retain the purposes and benefits of tokenization allowing the user to retain all the functionality of giving out their personal email—logging into their accounts, receiving deals—without that email address having any inherent value to hackers because of its unique one-off nature.” 

Parting shot from my book Swiped: When creating an account on sites that allow a non-email login name, let your spirit fly. Be creative (but store it somewhere on a cheat sheet that resides on an encrypted memory stick). You might even consider using a long-and-strong password as your login name if the site will allow it.

The post Can You Hack-Proof Your Personal Email Address? appeared first on Credit.com.

5 Ways to Keep Your Personal Health Information Safe

Did members of the royal family go under the knife at an upscale London plastic surgery clinic? A recent hack at London Bridge Plastic Surgery may reveal the answer to that—and many other questions you never thought to ask.

Setting aside the obvious follow-up questions (Do you care? Is it any of your business?) and regardless of your curiosity about seeing the picture proof of royal rearrangements, you should be paying attention. The hack speaks to our collective vulnerability when it comes to protected health information (PHI).

What Happened

The hacker collective known as The Dark Overlord took responsibility for the royal family’s data grab. The group’s responsibility was confirmed by The Daily Beast after a reporter at the site reviewed both in-progress and before-and-after photographs of family members’ physical enhancements.

You may remember The Dark Overlord: it was behind an October hack that featured threatening texts sent to parents of school-age children in several states and voicemails left by victims being dumped online. The group was also behind a notorious Netflix-related hack. It memorably stole the fifth season of Orange Is the New Black from Larson Studios and released the first episode even after having received about $50,000 in Bitcoin to not do so.

As reported by Variety, The Dark Overlord had decided that its victims were in breach of contract. Specifically, “Larson Studios was in great delinquency of the agreement after sources confirmed law enforcement cooperation,” the group claimed. “Our agreement provides us the right to execute harmful action against any client who defrauds our agreement.”

Why It Matters

Did you notice how The Dark Overlord called the studio its “client”? I have long said that while we have day jobs, all of us collectively are hackers’ day job. Their sole objective in life is to seep their way into the assets of our identity. Always remember that your personal information is an asset with real, assignable value.

The Dark Overlord is not alone in viewing its victims in this transactional way. Hackers are in it for the money. Bigger operations offer customer service–style communication to make the ransom/payoff part of the process a high-touch consumer experience.

You may think, “This can’t happen to me.” But how do you know? Consider how your medical provider stores your PHI. Have you ever seen a physical file? Do you know where it’s stored and who has access to it? That sort of physical information is vulnerable. It could easily be stolen or duplicated. What about electronic data? Everyone knows that just because an entity stores information digitally doesn’t make it secure from compromise.

5 Steps for Keeping Your PHI Safe

Security is complex and requires constant maintenance. Here are five steps you should take to keep your personal health information safe from hackers and other no-do-gooders.

  1. Ask if your medical provider implements a data security solution. While it may seem like a simple question, many providers don’t have a clue about data security. The only way to find out if yours does is to ask.
  2. Find out if your medical provider uses a vendor. If your medical provider uses a vendor, get the name and check out its reputation online.
  3. Ensure that your medical provider double encrypts your PHI. Your doctor may not know whether your PHI is double encrypted—especially if they use a vendor as their data security solution. Either way, push the point. The only way we all become more secure is if we all demand a high data-security IQ from our peers and service providers.
  4. Inquire about who has access to your PHI. By asking this question you may be pointing your provider to safer records. Only your doctor and other medically trained staff with a reason to be looking should have access to your PHI.
  5. Locate where your PHI is stored and how it moves around. Does your medical provider use a cloud server or onsite hardware to store your PHI? How are the servers connected to the network? Is there a secure network used solely for PHI and another for less sensitive traffic or smart devices used in the office?

We All Have Something to Lose

Granted, you may not have had any work done at a fancy plastic surgery clinic, but you’ve probably been to a doctor—and most likely at least once for an ailment that you’d rather not have broadcast to others. The victims of the data breach at London Bridge Plastic Surgery are just like you and me for that reason, even if they are royal. We all have something to lose: our privacy.

The sensitive data theft lottery definitely discriminates—high-end targets pay upper-class ransoms—but you can’t rely on your relative obscurity to protect your PHI.

As far as plastic surgeons getting compromised goes, this isn’t the first time a high-profile doc has gotten rolled for photographs and other PHI. And it probably won’t be the last, which should be reason enough to get you to call your doctor and ask how your information is protected.

If your protected health information or other personally identifying information gets hacked or leaked, it could negatively affect your credit score—and your ability to apply for a mortgage, personal loans, or credit cards. Keep an eye on your credit score by regularly reviewing your credit report for free on Credit.com.

The post 5 Ways to Keep Your Personal Health Information Safe appeared first on Credit.com.

5 Ways an Identity Thief Can Use Your Social Security Number

Having your Social Security number or card stolen isn’t quite like getting your bank account information taken—though granted, both are stressful experiences. The major difference is that you can get a new bank account number, while the Social Security Administration very rarely issues new Social Security numbers.

Why You Need a Social Security Number

If you’re unsure what an SSN is, the Social Security Administration loosely defines it as a nine-digit number for identity-tracking purposes. Whenever you start a new job or apply for government benefits, you need your Social Security number: it will be used to verify your identity and record earnings. You can locate your Social Security number on your Social Security card—if you can’t find your card, make sure you reach out to the Social Security Administration directly.

How Social Security Number Theft Occurs

Someone can find out and steal your identity (or Social Security number) in a variety of ways. They could obtain your Social Security number by exploiting data breaches, sifting through the trash for personal documents, or using any number of other approaches. The thieves can then sell your identity to the highest bidder on the dark web.

What Happens When Someone’s Identity Is Stolen

Once an identity thief has your Social Security number, they can commit all sorts of financial fraud with it, potentially leaving you on the hook for their misconduct.

Look at it this way: Social Security numbers are wrapped up in most aspects of Americans’ lives—employment, medical history, taxes, education, bank accounts, and so on. Below is a list of just a few things someone can do with your SSN if they get their hands on it.

1. Open Financial Accounts

Your Social Security number is the most important piece of personal information a bank needs when extending you credit or opening an account. With that number, a thief can get credit cards or loans, and when it comes time to repay them, they won’t, damaging your credit in the process. Those missed payments are tied to your Social Security number, so they’ll end up on your credit report and could impact your ability to apply for any type of loan or new account in the future.

Once you spot suspicious transactions, you can use your credit scores and credit reports to detect fraud and put an end to it. Unfortunately, it could take years for the fraudulent information to be removed from your credit report and, as a result, for your credit scores to recover.

2. Get Medical Care

Someone using your Social Security number could also undergo medical treatment, effectively tainting your medical records. Inaccurate medical records can have deadly consequences—for example, imagine what could happen if you received treatment based on a false history listing the wrong blood type. Additionally, it’s possible for thieves to poach your health insurance coverage, which could leave you in a bind when you need it.

3. File a Fraudulent Tax Refund

Taxpayer identity theft is a growing problem. Identity thieves use stolen Social Security numbers to get a fraudulent refund, which then delays any refund the victim is rightfully owed. In 2016, the IRS identified $227 million lost in fraudulent tax returns, and this issue is bound to become even more problematic in the wake of massive data breaches like the 2017 Equifax hack.

So the sooner you file your taxes, the more likely you’ll get your refund before an identity thief has an opportunity to take advantage of your stolen identity. You’ll know someone stole your identity if your return is rejected as a duplicate—then you get to start the process of resolving the fraud and, if necessary, getting the refund you deserve.

4. Commit Crimes

Getting your Social Security number might just be a fraction of the thief’s crimes. If the identity thief gets arrested for another crime and gives your Social Security number to law enforcement, you’ve become tangled in their criminal history. Their criminal record could prevent you from getting jobs or interfere with anything else that requires a criminal background check.

5. Steal Your Benefits

A thief could also use your Social Security number to file for unemployment or Social Security benefits, depleting those resources and preventing you from accessing that assistance when you need it later on.

How to Find Out If Your Social Security Number Has Been Stolen

Thieves can operate under your identity for years without discovery, and some of these crimes are very difficult to detect. One of the best things you can do is regularly check a free credit report. Review your credit report thoroughly for unauthorized accounts or public records not related to you. These red flags could indicate clerical errors or identity theft. Either way, you want to watch out for it and act as soon as you see something suspicious. You can also check out these other ways you can find out if you’re a victim of identity theft. 

The post 5 Ways an Identity Thief Can Use Your Social Security Number appeared first on Credit.com.

Why Spam Is More Dangerous Than Ever

Spam is supposed to be a thing of the past, but it’s not—and today it comes weaponized with manifold data-grabbing threats—from ransomware to keystroke recorders and beyond. Your email has never been more dangerous.

There was a time in the early 2000s when email spam and malicious botnets were viewed as mere nuisances. A confident Bill Gates waved it away at the 2004 World Economic Forum in Davos, Switzerland: “Two years from now, spam will be solved.” The technical community was on the job—it had spam’s number.

Unfortunately, it was a repeating number.

Today, criminals are spreading ever more malicious forms of email spam, and the number of spam emails is still robust. Though not at early-days numbers, spam accounts for more than half of all email traffic.

Multi-Tiered Attacks

Spambots are multitaskers these days. First, they trawl the internet for email addresses. (Yes, emails are sensitive information for this reason.) Next, they compile a gargantuan mailing list. Final step: they send your grandmother an email that promises to solve her male-pattern balding.

That is, unless that email offers her a discount on a medication that she takes, and she clicks a link that downloads software that exfiltrates all her user credentials.

Onliner is an especially pernicious spambot. Crafted to bypass many types of spam filters, Onliner specializes in the delivery of messages containing malicious attachments. It may name the IRS, hotel chains, or delivery services as the sender. The social engineering is nuanced, designed to trick the recipient into clicking on the attachment, thus triggering a copy of the Ursnif Trojan to install. Ursnif then swiftly steals account logins, credit card details, and other personal information.

There are others. We know about Onliner because its creators neglected to lock down a server, which allowed access to Onliner’s master mailing list of 711 million email addresses.

“What this tells us is that the spamming industry is alive and well and continues to adapt to produce a steady stream of profits,” observes Christian Lees, chief security officer at threat intelligence company InfoArmor. “Email continues to be an efficient attack vector. A high percentage of major data breaches are directly sourced via email.”

Stunning Advancements

Some historical context is helpful in understanding just how far spam and botnets have advanced. When Bill Gates spoke at Davos, spamming was carried out manually, and spammers had to actually rent or steal time on physical servers housed at hosting companies. Meanwhile, botnets were comprised of PCs surreptitiously infected and controlled by script-kiddie hackers out to make a name for themselves.

Today, spam delivery has become highly automated, thanks to the wide availability of resilient botnets for hire. Instead of having to bother with hosting services, spammers retain the services of a botnet operator who is in command of tens of thousands of infected PCs, supplemented with tens of thousands more virtual instances of computing devices.

These virtual bots represent stunningly clever use of public cloud computing resources, such as Amazon Web Services, Microsoft Azure, and Google Cloud. Botnet operators can now spin up hundreds of thousands of virtual bots cost-effectively and in the public cloud, which is why we now experience periodic surges of garden-variety advertising spam.

Wide-Open Attack Vector

Understandably, spambots are of acute concern to financial services companies, health care businesses, and other vertical industries that do business with their consumers online. These organizations recognize the “potential for losing their credibility,” says Giovanni Verhaeghe, product strategy director at VASCO Data Security. “Customers are wondering which messages are fake and which ones are really sent by the bank.”

Most organizations today filter email aggressively. But as Onliner makes clear, filtering is not enough. Email remains a wide-open attack vector that criminals continue to successfully exploit. The very existence of spambots reminds us that each individual bears the burden for staying alert, reducing their digital footprint whenever the opportunity to do so presents itself, and responding quickly if their email is hacked.

What does this mean for you? First: it’s time to dial back on convenience and use multi-factor authentication whenever it’s offered. And for sure it’s time to stop sharing every detail of our digital lives. Companies can help by providing efficacious employee training and encouraging a security-first culture. Employees need to be continually reminded of the spam threat. Spearphishing has never been more nuanced. “Trust but verify” should be everyone’s watchword these days.

Someday our technocrats may “solve” the spam problem, as Bill Gates predicted. But it won’t be tomorrow.

The post Why Spam Is More Dangerous Than Ever appeared first on Credit.com.

Are Your Connected Devices Safe?

The number of Internet of Things (IoT) devices in use is forecast to hit 8.4 billion this year. That’s more than the human population on planet Earth. And with successful attacks like Mirai (which was the malware used in the 2016 Dyn cyberattack) already a part of the IoT story, there’s plenty to worry about.

It’s crucial we give this latest market exuberance a brief time-out. Unfortunately, the chances of that happening are slim. So, what to do between now and the next zero-day exploit?

I’m specifically recommending a cyber “time-out,” and not a “breather” or any other term signifying a pause or cessation of activity. IoT technology is in its infancy and growing faster than projected. And it’s flawed.

Connected devices have not been around very long, and yet they’ve already managed to cause no end of trouble—whether we’re talking about hijacked baby monitors, IP cameras, or exercise trackers that broadcast granular details about your sex life to anyone who might be curious about it.

We need a time-out to think through and implement best security practices for the IoT market.

Are Connected Devices a Cyber Catastrophe Waiting to Happen?

With total spending on IoT or connected devices pegged to hit $2 trillion this year, the market is undergoing a period of staggering growth.

IoT is increasingly present in daily life. It can be found in kitchen appliances, cars, health care equipment, toys, exercise gear, and peripherals like watches and monitors. It’s in security systems and many of the creature comforts populating our homes.

On all fronts, the upside is impressive. Consumers get to shop for a whole new universe of things they never knew they wanted, and manufacturers are increasing their revenues. In case you don’t have the figures handy, the revenue target for 2017 represents 31% growth over the previous year.

Sounds great, right? But while everyone benefits from the hunger for next-generation, hyper-connected everything, consumers may lose sight of the security pitfalls associated with them. At the risk of being a killjoy, I believe it doesn’t just seem reasonable, but absolutely essential, to assume many new devices currently hitting the IoT market aren’t cybersecure.

So, while the boom in connected devices looks like a win for everyone, it’s not. When consumers connect new devices to the Internet, their attackable surface expands. Data is being moved around. New doors are opened.

Even the most cursory look backward reveals the likelihood of future attacks.

New Products, Better Prospects?

Nest is a popular smart home player in the IoT sector. The company just released some new devices, including home security cameras, which made me wonder about the lessons learned from recent zero-day fails.

In the Persai/Mirai catastrophe, IP cameras and routers were hijacked and roped into a botnet that hackers used to launch a massive distributed denial of service (DDoS) attack against Dyn, which routed traffic for major websites. The sites affected by the attack included The New York Times, HBO, PlayStation, Etsy, Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, and PayPal.

The Dyn attack was the direct result of rushing connected devices to market. IoT devices were sold to consumers with default passwords that many people never bothered to change (some don’t permit passwords to be changed), security taking a backseat in the race to the marketplace. While there was little to no issue with the affected devices on the consumer end, the hackers were able to use all those points of contact to launch the crippling attack on Dyn. And yes, that attack affected everyone. A back-of-the-napkin estimate on total cost is in the billions, not millions, of dollars.

In addition to Nest, I reached out to other IoT device manufacturers this week to hear what they’re doing to protect consumers in the wake of the Dyn attack and the mad rush to cash in on the robust market for connected devices. Of the 10 companies I contacted, only three got back to me.

Both Nest and Vivint (a leader in smart devices with excellent security) responded with answers that were music to my cyber-paranoid ears, though I’ll spare you the details. The same was not true of the third response, which came from a Honeywell representative: “I’d need quite a bit more time to fact check answers through our various businesses given the breadth of your questions.”

My questions:

There have been many instances of cams with factory-default passwords getting hacked—do new [Honeywell] cam products require the end user to create a secure password before they will function? Do they allow the consumer to create a password? What security measures were designed into the product?

What measures have been taken to protect other smart home products from hackers?

These questions are elementary. One has to suspect the reason so many companies failed to reply is that they don’t have great security built into the design of their products.

The takeaway here is simple, but important. When you are shopping for a connected device, security should be the first thing you ask about—even before checking out proffered features. The future is as safe as you make it.

The post Are Your Connected Devices Safe? appeared first on Credit.com.

The Guide to Freezing and Thawing Your Credit Report

The recent Equifax data breach that exposed the names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of about 44 percent of the current American population has many consumers now rushing to freeze their credit reports. However, many consumers may not grasp what that really entails.

In a recent survey by CompareCards.com, a subsidiary of MagnifyMoney’s parent company, LendingTree.com, 78 percent of respondents said they had never put a freeze on their credit reports.

When you freeze and thaw your report, you are preventing anyone else from opening a credit account under your name without your knowledge. It’s a smart way to defend yourself against some cases of identity theft. Massive data breaches like the one that hit Equifax are stark reminders of the importance of protecting sensitive information from potential fraudsters, but that doesn’t mean you should wait until your information is compromised in a data breach to act.

“We should all be vigilant,” says Eva Velasquez, president of the Identity Theft Resource Center. “Being vigilant about your identity is just a part of the world that we live in. If being involved in a data breach is the catalyst that brings that to the top of your mind, then we can see that as a positive.”

What a credit freeze does — and doesn’t — accomplish

A credit freeze, or security freeze, is a tool consumers can use to restrict access to their credit reports. The freeze makes it harder for criminals to commit financial fraud using your information.

The freeze seals your credit reports so that new requests won’t be processed without your approval. You will need to use a personal identification number — only you will know it — to lift or thaw the freeze before creditors can again have access to your credit report. A freeze adds a layer of security, since most creditors won’t extend new credit without seeing your report.

You will need to request a credit freeze with each of the big three reporting bureaus — Equifax, TransUnion and Experian — for the freeze to have the biggest impact.

Freezing your credit report will NOT:

  • Impact your credit score
    • A credit freeze will have no impact whatsoever on your credit score. Freezing your credit will neither raise nor lower your score.
  • Restrict existing creditors’ access to your report
    • Your current creditors, government agencies or debt collectors acting on behalf of those parties will still have access to your credit report if you freeze it.
  • Keep you from opening new credit
    • You will still be able to use your credit report to do things like open a new credit account, apply for a mortgage, rent an apartment or take any other action that calls for a credit check. But you’ll need to lift the temporary freeze before lenders can gain access to the report. If you know you’ll be doing any of those activities, you can temporarily lift the freeze for a certain party or a length of time, but it may cost you money to do so.
  • Prevent a criminal from committing fraud involving your existing accounts
    • Freezing your credit report won’t prevent you, or any would-be thieves, from using your existing credit accounts. You will still need to vigilantly monitor all of your personal bank, credit and insurance accounts for fraudulent transactions or other signs of fraudulent activity.
  • Stop you from receiving prescreened credit offers
    • Freezing your credit report won’t stop lenders from sending you prescreened credit offers, as they prequalify new customers using a “soft pull.” A soft pull doesn’t show up on your credit report or harm your credit score. Banks buy the names of people who meet their credit criteria from credit bureaus to create their prequalification lists. So when you are prequalified, it just means you’re on a list somewhere. If you want to stop receiving such credit offers, call 888-5OPTOUT (888-567-8688) or ask to be excluded here.
  • Protect you from all forms of ID theft
    • A credit freeze can help to prevent financial fraud, but it will still leave you vulnerable to many other kinds of fraud. When criminals obtain important and sensitive information like your Social Security number as they did in the Equifax breach, they can use this data to commit criminal, medical, tax and employment theft, too. For example, a thief could use your Social Security number to file a tax return and claim a fraudulent refund, or use your personal information to obtain medical care or employment without your knowledge. Remain vigilant to protect yourself from other forms of fraud. Pay careful attention to any mail or phone calls from a medical office, government agency or other entity. They may be reaching out to verify your identity or report that someone else is attempting to commit fraud in your name.

How to freeze your credit report

You must go through a separate process with each of the three major credit bureaus to freeze your credit report.

Equifax

You can freeze your Equifax credit report online, by phone or by mail.

  • Online: In a statement issued in The Wall Street Journal on Sept. 27, Equifax said it would offer a new service that permanently allows consumers to lock and unlock their credit reports for free. The service is set to debut by Jan. 31, 2018.

    In the meantime, you can still freeze your Equifax report the traditional way, by visiting the Equifax security freeze site. You will first need to fill out a form with your personal information, then make any payment required by your state. Equifax’s site may be experiencing high traffic as a result of the recent breach, so it may not be able to process your request right away. If that is the case, try one of the other methods or try again online in a day or two.

  • Phone: Call 1-800-685-1111 (New York residents call 1-800-349-9960), and you should be connected with an Equifax representative who will verify your personal information and assist you with your credit freeze request.
  • Mail: Request your credit freeze by certified mail. If you’re a victim of identity theft, this is the channel you will need to use; your request must be submitted in writing with relevant documents, like a police report or other documented proof of theft, to have your fee waived. Write a letter to the reporting agency requesting the credit freeze and send it to the following address: Equifax Security Freeze/P.O. Box 105788/Atlanta, GA 30348

TransUnion

You can freeze your TransUnion credit report online, by phone or mail, or by using TrueIdentity.

  • Online: Go to the TransUnion security freeze site. You will need to log in or create a TransUnion account before you can submit your request online.
  • Phone: Call 1-888-909-8872 and a TransUnion representative should verify your personal information and assist you with your credit freeze request.
  • Mail: Request your credit freeze by certified mail. Write a letter to the reporting agency requesting the credit freeze and send it to the following address: TransUnion LLC/P.O. Box 2000/Chester, PA 19016
  • TrueIdentity: TransUnion offers a free credit report monitoring service called TrueIdentity. The service allows users to lock and unlock their credit report with a swipe on their mobile device or a click online. It gives access to unlimited TransUnion credit report refreshes, and alerts you if an entity pulls your TransUnion credit report.

Experian

You can freeze your Experian credit report online, by phone or by mail.

  • Online: Go to the Experian security freeze site. Select “add a security freeze,” then “apply online” and you’ll be redirected to a form requesting your personal information. Submit the form and make any payment required by your state to freeze your report.
  • Phone: 1-888-EXPERIAN (1-888-397-3742). Press 2 to be guided through prompts to request a security freeze.
  • Mail: Request your credit freeze by certified mail. Write a letter to Experian requesting the credit freeze and send it to the following address: Experian Security Freeze/P.O. Box 9554/Allen, TX 75013

How to thaw your credit report with each agency

Equifax

You can temporarily thaw your Equifax credit report via mail, online via Equifax’s security freeze site, or by calling 1-800-685-1111. (New York residents dial 1-800-349-9960.) Send mailed requests to the following address:
Equifax Security Freeze/P.O. Box 105788/Atlanta, GA 30348

TransUnion

You can temporarily thaw your TransUnion credit freeze by mail, online via TransUnion’s credit freeze site, or by calling 1-888-909-8872. Send mailed requests to the following address: TransUnion LLC/P.O. Box 2000/Chester, PA 19016

Experian

You can temporarily thaw your Experian credit report by mail, online via Experian’s security freeze site, or by calling 1-888-397-3742. Send mailed requests to the following address:
Experian/P.O. Box 9554/Allen, TX 75013

How much a credit freeze will cost you — by state

The protection isn’t free. Each time you freeze your report, temporarily lift a freeze or permanently end one, you may have to pay a fee. In the wake of the Equifax hack, consumer advocacy groups and some lawmakers have renewed their efforts to allow data breach victims to sign up for free credit freezes in their states.

“It is outrageous that the credit bureaus charge us fees to prevent identity theft when we didn’t even give them permission to collect our information in the first place,” Mike Litt, a consumer program advocate with the U.S. Public Interest Research Group, said in a statement a little over a week after the Equifax data breach was made public.

Sens. Elizabeth Warren (D-Mass.) and Brian Schatz (D-Hawaii) introduced the Freedom from Equifax Exploitation (FREE) Act on the same day. The act is intended to make actions related to freezing credit reports free for all consumers nationwide.

Until the proposed act wends its way through both houses of Congress, the amount you may pay to freeze, thaw or permanently end a credit freeze will vary from state to state and may be up to $10.

There is a silver lining for some. If you can present documentation showing you are a victim of identity theft at the time you place a freeze on your credit, most states will waive fees.

You can check what your state will charge you for each action below. Multiply the amount by three because you will need to pay each credit bureau.

In a Sept. 15, 2017, statement addressing the recent breach, Equifax said it would waive security freeze fees for all consumers through Nov. 21 and refund those who have paid to place or remove a credit freeze since 5 p.m. on Sept. 7, just after the breach was announced.

Nearly every state has legally identified definitions of a “protected consumer,” which may be a minor, an elderly citizen, a service member, a spouse of a victim of ID theft, a medically incapacitated person or some other distinction. Depending on the state, a protected consumer may pay a different amount or have his or her fee waived. The National Conference of State Legislators has more information on whom each state counts as a protected consumer, here.

| State | Consumer Category | Freeze | Thaw | End Freeze |
|---|---|---|---|---|
| Alabama | Victim of ID theft | free | free | free |
| | Senior (65+) | free | $10 | $10 |
| | All other consumers | $10 | $10 | $10 |
| Alaska | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $2 | free |
| Arizona | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | All other consumers | $5 | $5 | $5 |
| Arkansas | Victim of ID theft | free | free | free |
| | Senior (65+) | free | $5 | free |
| | All other consumers | $5 | $5 | $5 |
| California | Protected Consumer | $10 | n/a | $10 |
| | Minor < 16 | free | n/a | free |
| | Senior (65+) | $5 | $5 | $5 |
| | All other consumers | $10 | $10 | $10 |
| Colorado | Victim of ID theft | free | free | free |
| | All other consumers | free | $10 | $10 |
| Connecticut | Victim of ID theft | free | free | free |
| | Protected Consumer | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| Delaware | Victim of ID theft | free | free | free |
| | Protected Consumer | free | free | free |
| | Senior (65+) | $5 | free | free |
| | All other consumers | $10 | free | free |
| District of Columbia | Victim of ID theft | free | free | free |
| | All other consumers | $10.00 | free | free |
| Florida | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | Senior (65+) | free | $10 | free |
| | All other consumers | $10 | $10 | $10 |
| Georgia | Victim of ID theft | free | free | free |
| | Minor < 16 | free | n/a | free |
| | Senior (65+) | free | $3 | $3 |
| | All other consumers | $3 | $3 | $3 |
| Guam | Victim of ID theft | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| Hawaii | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $5 | $5 |
| Idaho | Victim of ID theft | free | free | free |
| | All other consumers | $6 | $6 | $6 |
| Illinois | Victim of ID theft | free | free | free |
| | Minor < 18 | $10 | n/a | $10 |
| | Senior (65+) | free | $10 | free |
| | Active duty military member | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| Indiana | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | All other consumers | free | free | free |
| Iowa | Victim of ID theft | free | free | free |
| | All other consumers | $10 | $12 | $12 |
| Kansas | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $5 | $5 |
| Kentucky** | Victim of ID theft | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| Louisiana | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | Senior (62+) | free | free | free |
| | All other consumers | $10 | $8 | free |
| Maine | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | All other consumers | free | free | free |
| Maryland | Victim of ID theft | free | free | free |
| | Minor < 16 | $5 | n/a | $5 |
| | All other consumers | $5 | $5 | $5 |
| Massachusetts | Victim of ID theft | free | free | free |
| | Protected Consumer | free | free | free |
| | All other consumers | $5 | $5 | $5 |
| Michigan | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | All other consumers | $10 | $10 | $10 |
| Minnesota | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $5 | $5 |
| Mississippi | Victim of ID theft | $10 | free | free |
| | All other consumers | $10 | $10 | $10 |
| Missouri | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $5 | free |
| Montana | Victim of ID theft | free | free | free |
| | All other consumers | $3 | $3 | free |
| Nebraska | Victim of ID theft | free | free | free |
| | Minor < 16 | free | n/a | free |
| | All other consumers | $3 | $3 | free |
| Nevada | Victim of ID theft | free | free | free |
| | Senior (65+) | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| New Hampshire | Victim of ID theft | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| New Jersey | Victim of ID theft | free | $5 | $5 |
| | All other consumers | free | $5 | $5 |
| New Mexico | Victim of ID theft | free | free | free |
| | Senior (65+) | free | free | free |
| | All other consumers | $10 | $5 | $5 |
| New York | Victim of ID theft | free | free | free |
| | Protected Consumer | free | free | free |
| | All other consumers | free | $5 | $5 |
| North Carolina | Victim of ID theft | free | free | free |
| | Spouse of ID Theft Victim | free | free | free |
| | Minor < 16 | $5 | n/a | $5 |
| | Senior (62+) | free | free | free |
| | All other consumers | free | free | free |
| North Dakota | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $5 | free |
| Ohio | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $5 | $5 |
| Oklahoma | Victim of ID theft | free | free | free |
| | Senior (65+) | free | $10 | free |
| | All other consumers | $10 | $10 | $10 |
| Oregon | Victim of ID theft | free | free | free |
| | Minor < 16 | free | n/a | free |
| | All other consumers | $10 | $10 | $10 |
| Pennsylvania** | Victim of ID theft | free | free | free |
| | Senior (65+) | free | $10 | free |
| | All other consumers | $10 | $10 | free |
| Puerto Rico | Victim of ID theft | free | free | free |
| | Senior (65+) | free | $10 | free |
| | All other consumers | $10 | $10 | $10 |
| Rhode Island | Victim of ID theft | free | free | free |
| | Senior (65+) | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| South Carolina | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | All other consumers | free | free | free |
| South Dakota** | Victim of ID theft | free | free | free |
| | Minor < 16 | $5 | n/a | $5 |
| | All other consumers | $10 | $10 | $10 |
| Tennessee | Victim of ID theft | free | free | free |
| | Minor < 16 | $10 | n/a | $10 |
| | All other consumers | $7.50 | free | $5 |
| Texas | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | All other consumers | $10 | $10 | $10 |
| Utah | Victim of ID theft | free | free | free |
| | Minor < 16 | free | n/a | free |
| | All other consumers | $10 | $10 | free |
| Vermont | Victim of ID theft | free | free | free |
| | All other consumers | $10 | $5 | $5 |
| Virgin Islands | Victim of ID theft | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| Virginia | Victim of ID theft | free | free | free |
| | Protected Consumer | free | n/a | free |
| | All other consumers | $10 | free | free |
| Washington | Victim of ID theft | free | free | free |
| | Senior (65+) | free | free | free |
| | All other consumers | $10 | $10 | $10 |
| West Virginia | Victim of ID theft | free | free | free |
| | All other consumers | $5 | $5 | $5 |
| Wisconsin | Victim of ID theft | free | free | free |
| | Minor < 16 | free | n/a | free |
| | Medically incapacitated and not an ID theft victim | $10 | n/a | $10 |
| | All other consumers | $10 | free | free |
| Wyoming | Victim of ID theft | free | free | free |
| | All other consumers | $10 | $10 | $10 |

Sources: Consumersunion.org, Transunion.com, NCSL.org

When a credit freeze makes sense — and when it doesn’t

You should freeze your credit report when you are in danger of financial or identity fraud.

Eva Velasquez, of the Identity Theft Resource Center, says consumers should consider freezing their reports if they are victims of identity theft or at an increased risk of having their information misused for identity theft because of lost or stolen items.

Consumers might also consider a credit freeze “if their personal information, specifically their Social Security number, is compromised in some way, like in that of a data breach,” says Velasquez.

Freezing your report is an important consumer protection you can and sometimes should take advantage of as a general consumer. However, there are several occasions when you may not want to freeze your credit.

  • You are planning to open a new line of credit (credit card, mortgage, etc.) in the near future.
  • You work for a company that requires a regular background check or access to your credit report.
  • You regularly open new accounts with financial institutions.

Ultimately, if you are not in danger of ID theft, the decision to freeze or unfreeze your credit report depends on whether or not you’re willing to go through the inconvenience and cost of unfreezing and refreezing each time an entity you approve of wants access to your credit report. If you want a more convenient way to monitor use of your credit report, you may want to consider placement of a credit fraud alert instead of the freeze, as explained below.

Pros and cons of freezing your credit report

Pros:

  • Locks your credit report
    The most obvious benefit you’d get from freezing all of your credit reports is an additional layer of protection. Only you can permit a lender or other entity to receive your full, detailed credit report. You’ll have the opportunity to verify a request’s legitimacy before anyone can obtain your report.
  • No impact on your credit score
    Neither freezing nor thawing your credit report will affect your credit score. Your credit score is impacted by positive or negative activity on your end. Adding protection is considered a neutral action.
  • Generally free for ID theft victims
    If you’re a victim of ID theft, you won’t be required to pay any fees to freeze, thaw or lift a freeze on your credit report in most states. However, you may need to provide additional documentation proving the theft and submit your request in writing.

Cons:

  • Need to plan before opening a credit line
    The added protection comes with the added inconvenience of freezing or thawing your credit report when you need to apply for credit. This will take just a bit of forethought and may cost you up to $10 each time you thaw your report. It may take several minutes to complete thaw requests for all three bureaus online, which will make it a little more difficult to apply for a credit card in the checkout line. You can manually refreeze your accounts or set your request to automatically do so on a certain date.
  • Fees, unless you’re a victim of ID theft
    Each action — freezing or lifting a freeze — may cost you $3 to $10 in many states. The cost is often tripled, as it’s necessary to freeze or thaw all three of your credit reports if you are unsure which bureau the entity requesting your report will use. The cost may be high for some consumers. Freeze and thaw your reports wisely, and ask the requesting entity which bureau it uses to avoid paying unnecessary fees whenever you can.

An alternative to freezing your credit report

If you don’t think you are in immediate danger of ID theft, you can opt for less-drastic protection and set up a credit fraud alert with all three bureaus instead. When you have the alert set, all lenders attempting to pull your credit history will see a flag on the reports, alerting them to verify your identity before extending credit.

The entity is not required to go through additional verification; the alert leaves that step to the entity’s discretion. You will still be able to apply for credit whenever you’d like, and won’t need to remember a PIN to unlock your credit report.

Additionally, fraud alerts are temporary. In most cases, you will be required to renew the alert in 90 days.

The post The Guide to Freezing and Thawing Your Credit Report appeared first on MagnifyMoney.

Post Equifax: Will Free Credit Freezes Help?

When Equifax announced the historic data compromise that exposed the sensitive personal information of up to 143 million consumers, the company said victims would have access to credit freezes for a month free of charge. This was not exactly a solution to the fresh hell it had just announced.

Frankly, it seemed like a relatively cheeky move considering the staggering number of people who had just learned that they will be looking over their shoulders for a virtual mugger for the rest of their lives. I wouldn’t be surprised if Saturday Night Live re-creates Equifax’s offer of free credit freezes (for a whole month!) as a classic schoolyard drama featuring a bully holding a stolen bike in front of its owner and offering to give it back for a hefty fee.

My first thought was definitely not, “That seems fair.”

And while I can’t speak to whether there was any discussion of sketch comedy in their process, the Identity Theft Resource Center (ITRC) seems to have had a similar reaction. It launched a change.org petition that urged Experian, TransUnion, and Equifax to let consumers freeze, thaw, and refreeze their credit files, free of charge, once per year.

Sadly, this is not a solution either.

The Legislative Angle

Senators Elizabeth Warren (D-MA) and Brian Schatz (D-HI) recently introduced legislation that would force the Big Three credit bureaus to provide more robust solutions to the 24/7 identity-theft quagmire we now inhabit thanks to the Equifax breach.

One of the main provisos was a legislative version of the ITRC petition: Give all Americans access to free credit freezing (and unfreezing) for life. Additionally, the bill would force the credit bureaus to reimburse any fees collected for freezes purchased after the Equifax compromise was made public.

“Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” Warren said when announcing the bill.

The Freedom from Equifax Exploitation Act is a move in the right direction, a roadmap for the Big Three to provide consumers with more robust fraud protections as well as an additional free annual credit report. (One free report is already a consumer right in the United States. You can check your credit report for free at Credit.com.)

That SNL sketch encapsulates the feeling of the Freedom from Equifax Exploitation Act: credit bureaus shouldn’t be able to profit off the fear generated by their failures to protect our sensitive data.

Freezes Aren’t the Answer

While it is good to get those freezes (if you can figure out how to set them up), a credit freeze is by no means the be-all and end-all answer to the “What now?” reality of 143 million consumers.

Credit freezes do not mitigate all threats.

First of all, you are still vulnerable to attacks on existing accounts. Two easy ways to help diminish this threat are setting up transaction alerts and opting for two-factor authentication wherever it is offered.

You are also more susceptible to spear phishing emails and texts now, since fraudsters now know where you bank, where you have debt, and who financed your car. They no longer have to guess which bank you use, thereby making the whole process of defrauding you much more expedient—a real win for scam artist productivity. Employment and tax fraud as well as medical/healthcare fraud are also real concerns after the breach.

The best course of action given all these variables is to change the way you think about your vulnerability and practice the Three Ms, which I discuss in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t over-share on social media; be a good steward of your passwords; whenever offered, opt for 2-factor authentication; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously; keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The Three Ms are not a solution to the threat of scams in the wake of the Equifax hack, but they are a lifestyle change that can help fend off the inevitable attempts to exploit your identity for ill-gotten gain.

The post Post Equifax: Will Free Credit Freezes Help? appeared first on Credit.com.