Updated 9/28/2017 – New developments added at end of this article.
Updated 9/29/2017 – More things to worry about and how to protect yourself from them.
This is the longest article I have ever written for this blog – I apologize that it’s not exciting and full of cool pictures. It’s dry, potentially boring, and really important information for you to know. Please read it.
Equifax spilled the beans. I mean, ALL the beans. One Hundred and Forty-Three Million pots of beans. YOUR beans to be exact.
By now, news articles about big data companies being hacked are unnervingly common, but Equifax? One of the “Big Three” credit monitoring institutions in the world left the gate open. What’s worse, is that they had the opportunity to lock the gate months before someone walked in and just helped themselves to YOUR personal, private, critical, personally identifying information. They were warned that their systems were vulnerable, notified that a patch was available, and just stood by and did nothing.
Then, they waited months before telling 143 Million potential victims that their data was “in the wild,” and watching their stock value plummet from $142 to $95. Months, during which some of their corporate executives dumped $1.8 Million worth of their personal Equifax holdings. But, they say they weren’t aware of the data breach when they sold. And, I trust them! Don’t you?
I was part of the Home Depot data breach after which my credit card was misused and had to be replaced, and even my former employer let someone in the back door that stole a few hundred thousand “personal records.” I have been offered so many “free credit monitoring” services that right now, as I write this, I have two running concurrently. Every month, I get two reports that “No unusual activity has been reported with your accounts.” Doesn’t that just make me all warm and fuzzy and secure feeling? Frankly, NOT!
I guess taking advantage of easy credit, the convenience of online banking, and the ability to shop from my smart phone naturally comes with an inherent risk, but in those cases, it is a risk that I have chosen to take. A risk that I grudgingly but willingly signed up for by providing certain companies, institutions, and financial providers with my personal information in order to benefit from their services.
But Equifax and their ilk are different. Behind the scenes, they have been tracking the minute details of my personal financial life, accumulating mountains of information about who I pay and how often, what accounts I hold, where I live now and have lived for years in the past, my current and past phone numbers, and of course, my social security number, birth date, answers to security questions, and more. All this neatly collected information, all in one place, and ALL accumulated without my express or even implied permission!
Now the worst has happened. The one agency that overlords all my credit history and personal details has left the door unlocked and allowed someone to just waltz in and take it all. As of now, and for the rest of my financial life, I am more than ever at risk for identity theft, pilfering of my accounts, and the ruination of my carefully constructed “good name.”
What are they offering as compensation for their utter and total incompetence? One year of “free” credit monitoring, of course. And what company will they use to provide this “valuable” service? Why, their own subsidiary Trusted ID Premier.
So, I have suggested to my friends signing up for Equifax’s free year of credit monitoring and placing a “Fraud Alert” on your credit report at all 3 agencies using TransUnion.
I still stand by both suggestions, and performing the TransUnion Fraud Alert process has proven to be simple once the site is accessed. If you have not yet placed the Fraud Alert on your credit report, all security information sources that I trust to give unbiased and accurate information regarding this protection agree that it is a prudent step. If ever you DO start to see untoward activity in your file, you can always escalate it to a “Credit Freeze.”
As for Equifax and their offer of free credit monitoring, I have attempted to sign up for their service, and have received spotty and, frankly, as of yet, ineffective service through them. In light of their original malfeasance, including the facts that they had the software patch and were aware of the vulnerability months before the actual attack, and that their Corporate Execs cashed out some of their stock just before the breach was publicly announced, I am not surprised. If they ever do get it in place, it will just be another emailed monthly report.
They have proven, so far, to be engaged in a massive internal campaign to put out the giant fire they have ignited in their own hallways, and have mostly left us, the consumers, hanging out to fend for ourselves. I acknowledge that with a potentially impacted population of 143 million people, they must surely have their hands full. I recognize how difficult it is to crank up a response organization, provide phone banks staffed with effective contacts, and rewrite and reconfigure software and servers to accommodate what must be a veritable flood of angry consumers. I am not defending them, just stating reality. Their website is replete with piles of corporate speak, in an attempt to look like they are concerned about you and me.
So, for now, I have to consider that they (Equifax) will not be an effective ally in your attempts to protect what is yours. I suspect that they will, as a company, actually and surprisingly survive this debacle, unless someone mounts a very effective class action, from which I suspect we as individuals will never see any compensation. All we can hope for is that their entire bunch of miscreants find themselves unemployed, and hopefully unemployable in the data field, for as long a time as their greed and stupidity leaves us exposed, which, by all accounts, is our entire lifetime. As of this post, their Chief Information Officer and their Chief Security Officer have “retired.” How convenient.
The hard truth, according to most of my research, is that this breach only serves to reinforce a difficult conclusion. All of us, everyone in the world, and especially anyone in the USA that has ever walked past a computer, let alone touched one, can no longer have any reasonable expectation of privacy or of having a “secure” identity. Ostensibly, your “personally identifiable” details are for sale on dozens of websites in both the public and “dark” net right now as you read this. One trusted source claims that an individual “personal record” can be purchased for pennies, if the buyer is willing to “buy in bulk.”
What this means, for those who do not yet grasp the gravity of this fact, is that your name, social security number, address, email accounts, phone numbers, birth date, DL Number, and your mother’s maiden name and the name of your first grade teacher are all packaged up in a nice digital bundle, available to anyone with a few cents to “invest” in a future business opportunity. Consider also, that Eastern European, Pacific Rim, African, and Far East countries are populated by literally millions of unemployed youth, all of which share the American dream of “get rich quick.”
Their avenue to personal wealth may, very likely, involve sharing yours. Russia, Ukraine, China, Vietnam, and India, just to name a few, have governments that firmly and rightly believe that the future success of their economies relies on having a certain percentage of tech savvy citizens. Hence, technical education in computer programming, network administration, and digital security is often readily available, and often virtually free in any one of the government subsidized technical colleges. This is not to discount the proliferation of these kinds of jobs here in America, where, although the education may be more costly, the population of potential hackers grows exponentially.
Additionally, in many of these countries, organized crime has found it profitable to open attractive “gaming parlors,” giving street kids access to banks of computers, networked world-wide with splashy and engaging game play, which are actually underground hacking schools, where older and experienced hackers and thieves recruit them to staff their armies of brute force identity thieves under the guise of challenging games. So, they grow their own, without the need of even a bit of formal education. What is most clever and simultaneously obvious, is that these recruits are financially rewarded when they win; whether that is in a first person shooter victory, or in a successful draining of another victim’s bank account.
Just in case you think this is far-fetched, they regularly hold “competitions” where a group of kids, supplied with a raft of random email addresses, compete to guess user passwords in the least amount of time. Prizes are given for first through third, most emails hacked in a given time period, and most difficult password cracked.
So, what to do. First, know that at least in some way, you are protected by the very fact that the proliferation of readily available personal data gives you a certain anonymity. In other words, you are just another face in a very huge crowd. When a potential thief buys millions of personal records at one time, it lessens the chances that they will target you individually, if for no other reason than random chance. It’s as if someone were to buy all the keys to all the houses in your entire city or town. With so many houses to choose from, what are the actual chances that they will visit you? But, sophisticated computer algorithms do serve to narrow their choices to “houses” more likely to contain valuables, taking into account such factors as houses occupied by people who own multiple residences, pay high personal property taxes, or own expensive pets.
A very successful private investigator friend of mine once confided that many people who attempt to change their identities to hide from creditors or the law might move cross-country, adopt new names, and abandon all their old ties, but often register or license their pets in their new locations using the same names. And, since dog licenses are a matter of public record, it’s a simple matter to electronically search for someone who has recently applied for and purchased pet registrations for “Schatzie, Bruiser, and Duke.” Just such simple techniques serve to pinpoint the more lucrative victims from lists of millions of purchased names. Indeed, there is a viable industry in taking those massive information dumps and sorting, sanitizing, and prioritizing them and then reselling the “purified” list for a much higher price. “Cleaners” believe that they are not even criminals, as they never attack anyone’s accounts, hack anyone’s emails, or steal anyone’s identity. All they do is provide a data processing service. In their view, what someone does with the information they provide is not their concern or their liability. “I didn’t know he was gonna shoot someone. I just sold him a gun.”
Lest you think that this kind of activity is way too time consuming to be profitable, keep in mind that there are millions of people who literally have nothing better to do all day than sit in front of a computer and hope to score. It is no different than the thousands of retirees who sit all day at thousands of small town casinos playing the nickel slots. Every jackpot, however small, puts them ahead of where they were just microseconds before they pulled the handle. But, in one way, it’s even better for the hometown hackers. Playing the slots requires active participation. Every pull requires that you insert another nickel and spin the wheels. But, like eBay, as a hacker once you put an item up for auction, all you have to do is wait for someone to bid. So, you can spend your day creating hundreds of neat little data packages, turn loose hundreds of search bots to mine for lucrative future victims, and deploy massive sorting schemes that work while you sleep. Soon, you can have thousands of items up for auction to the highest bidder and, ostensibly, keep your hands somewhat clean at the same time. And, if their victims are you and me, here in the good old USA, what chance do our authorities have of finding and prosecuting a clever tweener in Kiev?
To be pro-active in your own protection, I suggest that you do some relatively simple things. First, and foremost, reduce your exposure.
Close inactive accounts that you no longer use. If you can, consolidate those scattered old 401k’s and old savings accounts that have low balances at diverse institutions. Close little-used checking accounts and Christmas Club and Kids’ Savings Plans. Stop writing checks and mailing them or handing them to people. Check fraud is one of the most commonly used and easy, low-tech avenues of theft. On one piece of paper, you are distributing your name, address and phone number as well as your bank branch and checking account number to anyone who sees it. Equipped with a smartphone, anyone can instantly snap a picture of your check, take it home, and begin a leisurely search for what they can steal from you. Although it may seem that transitioning to an online bill pay system actually might increase your risk by putting more of your information “out there,” the opposite is true. Most bills are paid by electronic transfer of encrypted data, where the account and personal information is never aggregated and exposed to the real world.
I DO recommend that you distribute your banked savings among 3 accounts; one at your “regular” bank where you keep your checking account, one in an online-only bank, and one at a local credit union. That way, no one particular disaster can clean out all your cash. Even if the Federal banking system is hacked or brought down by terrorists, chances are you can still walk into your local credit union and get some cash in an emergency. Although IF the Fed is hacked, getting some cash may be your last worry.
Next, reduce your number of credit cards to what you really need (using the “balance transfer” offers that so many cards give you, you can possibly even net a few rewards dollars or points), and keep only two. One for physical shopping at stores, restaurants, and in the “real world,” and one used exclusively in the digital world, for bill paying and online shopping. Once your two cards are set up, use the card provider’s services to notify you of certain activity. For instance, set it up so you get an email or a text message anytime your “real-world” card is used for a phone, online or foreign transaction. Or, be notified if your “online” card is used to make a purchase over a certain relatively small amount. Credit card thieves don’t actually steal your card anymore. They steal your account number and supporting data and “burn” a duplicate card onto an old gift card’s magnetic stripe and sell the “clone.” Since the potential buyer wants proof that the card is valid, many sellers prove viability by buying a small amount of fuel at a gas pump. If it goes through, the buyer pays for the card. Typically $25-$50. That’s why most credit card companies now allow you to set up a text message or email notification anytime your card is used at any gas station. Simple.
Further, STOP using your debit card for ANYTHING except getting cash out of the teller machine, and that only when you really have to. Your debit card contains the data that provides a direct path into your checking (and often “linked”) savings accounts. Furthermore, debit transactions are not afforded the same level of protection that actual credit card transactions are granted by law. For instance, if something unauthorized is purchased with a credit card, you have a right to “dispute” the transaction, and you do not have to pay the amount until the dispute is resolved. Debit transactions occur immediately upon sale. The money is vacuumed from your account, and you will play hell getting it back if it’s fraudulent.
Even mistakes cannot be unwound readily. A while back, I was at a point of sale and mistakenly handed the clerk my debit card, which she ran through her little desktop credit card terminal for a $150 purchase. Unfortunately, she stuttered on the little rubber Chiclet keys and typed in $1500 instead of $150. When the tiny terminal spit out the receipt to sign, she immediately realized her mistake, and “reversed” the transaction by using the card to issue a “refund.” When she attempted to re-run the card for the correct $150 amount, it was declined for insufficient funds. I had to use my credit card to pay, and I left with three receipts; the original debit card mistake for a $1500 “purchase,” a refund slip for $1500, and a credit card slip for $150.
Subsequently, I found out a very interesting and disturbing fact about debit card purchases. If your account has sufficient funds to cover the “sale,” even if it is a wrong amount, the money is removed from your account the instant the merchant’s terminal flashes “Approved.” Conversely, a subsequent refund takes 4 to 10 days to process and return the money to your account. So, it takes only an instant for an error to reduce your account to virtually zero, and a week to 10 days to get your money back if it’s an error, or worse yet, an unauthorized transaction. Meanwhile, unless you rush to the bank to shore up your balance, all your subsequent checks will bounce. And, if you have “overdraft protection” and a linked savings account, it too can be decimated, and you will pay dearly in bank fees for the privilege. Of course, you may argue to get them refunded, but at that point you are begging them just to give you back your own money.
On that note, I strongly suggest that you do NOT “link” any of your accounts together, and never allow your bank to set up overdraft protection. Of course, you have to be vigilant to keep your account current and funded, but in case of a mistake like the one above or in case of theft, the spread of damage is limited to one account alone.
So, if you don’t want to get heavily involved in online bill pay through your bank, get yourself a credit card that offers significantly liberal rewards for all your purchases, and use it to pay all the bills you can. Some utility companies actually allow credit card payments for things like water or power or gas if you pay online. But, be careful of two things. One, be sure they are not using an expensive third party or charging a hefty fee for using credit. Two, be aware that if your “online-use” credit card IS ever compromised and you have to call the issuer to report fraud, that card number will immediately become invalid and it will take as long as a week to get a replacement card. During that time, you can’t make any online transactions, and all the “scheduled” payments you have set up to pay your monthly bills will bounce. Then, once your new card arrives, you will have to go online and change your card information for all the merchants that have your card information “on-file.” Personal experience tells me that it really pays to keep a list of all those merchants.
Next, although it is in itself a risk, keep a certain amount of cash on hand to run things with in the event of an emergency. How much you keep depends, of course, on a number of factors, not the least of which is how much cash you can afford to keep out of circulation, just sitting around in case you need it. I have a good friend that keeps $10K around just in case. Nice if you can do that, but probably more than you need. I won’t go into how to protect your stash in case of home invasion, you will have to find the “perfect” hiding place for yourself.
This little cushion is to keep your boat afloat in case something causes you to be unable to access your bank. Floridians are finding out right now how hard it is to get money from your bank account during a ten-day power failure. Hopefully, you will never have to see how difficult it is to get the money back into your account if someone uses your identity to remove it. Meanwhile, you may not be able to buy groceries without a stash of cash.
Lastly, there are some obvious protections that you should consider mandatory. With the meteoric rise of opiate addiction in every neighborhood, crimes of opportunity are rising at an astronomical rate. Mail theft is one such crime, so take a hard look at how difficult it is for someone to steal your mail. If you do not have a secure mail drop, such as a mail slot in a house door or a securely locked curbside mailbox, fix that now. If you live in a neighborhood with “community mailboxes,” get a P.O. Box at your local post office. Keys for Community Mailboxes are readily available for sale online. A heroin addict doesn’t really care that mail theft is a Federal crime.
Of course, you can significantly reduce your mail theft exposure if you move all your sensitive information to online statements and mailings, so that very little useful information can ever be stolen out of your mailbox, but that just shifts your exposure from physical to digital, so it’s your call which realm you feel more comfortable in.
If you choose to go almost all digital and online, well then, we’re back where we started. Hackers probably already have all the information they need to pretend to be you and access your digital life. But, you can do two things to armor your defenses.
First, buy and use a comprehensive password storage program that does not keep your data in the cloud, and that can be run on any computer you plug it into because it runs entirely off a USB stick. Then, use it to create and store complex passwords for ALL of your sensitive accounts and data. Of course, the data will be heavily encrypted on that USB stick, and completely dependent on your “Master” password. Use something horribly obscure and arcane, but easy for you to remember. I know, that sounds like an oxymoron, but experts suggest that you combine the first letters of all the words in a meaningful personal phrase and then add a significant number at the beginning or the end. For a less-than-perfect example: “MHALLIFWWAS86509+602” (Mary Had A Little Lamb…… followed by the zip code of your very first house and the area code of your first phone number). Don’t use THAT nursery rhyme phrase though, the hackers know that one already.
If, God forbid, you get burgled, or your hard drive vaporizes your operating system, or you have to abandon home for some reason like a flood and you are without your computer, if you have that little USB thumb drive, any library or motel business room computer can open your digital world again. You can get access to your accounts, transfer money, pay for stuff, and access your emails from anywhere that has a working PC. You could buy a $200 Wal-Mart laptop and be working in minutes. Clone that USB drive periodically and keep the clone in a safe place away from your computer and securely hidden.
It may also be viable for you to clone your whole computer, either physically or virtually in case your primary machine becomes inaccessible or useless. If you keep a digital clone of your computer on a portable hard drive, you can transfer your whole digital image back onto a replacement and be back in business in no time. Or, when you retire an old machine, reformat it to be just a simple emergency access device for running just your essential finance and personal applications, so you can be connected until your primary machine is repaired or replaced.
These are but a few suggestions for navigating the complex digital persona we all now possess, either by choice or by force. These are not the only solutions, nor all the answers. Some people take a different path and keep everything “in the cloud” and access it by smartphone rather than a PC. Recently, I jumped into the pool with my phone in my pocket. I was glad I had redundant PC access, but your needs may vary. If you DO choose smartphone exclusively, I suggest Apple’s iPhone, strongly locked and encrypted, as Apple has proven itself to be virtually impenetrable if lost or stolen.
Lastly, the best prevention to losing track is keeping track. Set up access to that simplified group of accounts that I suggested above, and check them frequently for unusual activity. Pull your free credit reports 3 times a year, putting the next eligible date on your digital reminder calendar and shred it when you determine it is still secure. Place a Fraud Alert on your credit report every 90 days like clockwork. Keep critical accounts locked behind complex passwords and don’t use the same password for any two accounts. Or, just spend all your money now, and have nothing for anyone to steal. I hear James Bond’s Aston Martin is for sale. Good luck and happy bidding.
Updated 9/28/2017 – New developments;
Well, my confidence is fading fast that Equifax will be able to be of any help to you or the other 143 million consumers they screwed with their malfeasance.
After applying on their website for the free credit monitoring they are offering as (inadequate) compensation through their “Trusted ID Premier” product, I waited nearly 2 weeks to be notified as to how to complete the process. Over a week after I originally submitted my request for a Trusted ID Premier account, I received an email from them titled “Important Information About Your TrustedID Premier Activation” which included the following sentences;
“We recognize you may not have received your activation email for TrustedID Premier. We apologize for the delay and assure you we are working diligently to send your activation email as quickly as possible. … We appreciate your patience, and please know we are doing everything we can to make the experience faster and more convenient for everyone.”
and so I have patiently waited for the follow-up, which arrived yesterday.
Titled “An update from Equifax,” it included a link: “To verify your identity and activate your product, please click the link below:”
This is the result of clicking the link for the last two days now;
A picture is worth a thousand words. Protect yourself, they are not going to be much help.
Updated 9/29/2017 – More Important Information regarding TAXES;
The next thing you need to worry about is your upcoming tax filing, both state and Federal, because armed with your Social Security number and a little bit of easily obtainable information, a criminal can fraudulently file a tax return, pretending to be you, and have YOUR refund sent to his bank account. By the time you file your taxes officially, your refund is already in the hands of an identity thief. While it is not a simple process for them, tax fraud like this is an extremely popular and rapidly expanding scam netting millions of dollars for thieves.
Even if you are not targeted personally, the IRS fears that the process of verifying identities for refunds may delay some refunds for as long as 12-14 months after you file. So, right now, change your deductions if you think you will be getting a big refund, and put the money you are not paying in taxes away somewhere. If, when you are filing your taxes, you actually owe the IRS (and State), you are not a lucrative target for scammers. Of course, when that tax bill comes due, you have to have the money on hand to write that check, so don’t spend it!
Actions you take right now may save you a bunch of aggravation and explaining come tax season next April. DO it!