Monday, September 11, 2017

The Equifax Breach and Freezing Your Credit Reports

In the wake of the Equifax breach, I have received a number of questions about what happened and what we should do to protect ourselves from identity theft. Identity theft is a significant financial risk to retirement. Fraud risk is number 13 on "the list" (Retirement is Risky Business – Here's a List.)

The Problem

Identity theft can hurt us financially in several ways but the two aspects I'll discuss here are theft from an existing financial account (PayPal, credit cards, Amazon, a broker, etc.) and thieves creating new financial accounts in your name.

Here are two examples of theft from an existing financial account.

Three or four times a year I am contacted by one of my credit card companies to inform me that they have detected fraud in my account, often before I even see it. Their solution is to issue a new card with a new account number. That fixes one problem but causes others because three or four times a year I have to change my card number at places that store it like Netflix and Amazon. Another time, Amazon informed me that someone had ordered a $4,000 TV from my account but that they had stopped the order because it was clearly fraudulent.

Most of these incidents work out OK, except for the inconvenience, because my credit cards are insured against fraud by the issuer.

A lot of elder theft and fraud, however, is committed by family members. If a family member steals your credit card, Social Security check or ATM card, you probably won't be reimbursed unless you are willing to file legal charges against that family member. Sadly, you need to take extra precautions to protect your PINs, passwords and other vital information from family members. Remember that many of them will have physical access to your computer.

The second risk involves someone stealing your identity and opening a new account in your name. Unless you are vigilant, they can use these accounts undiscovered for some time and you will have the nightmare of proving you aren't responsible for the charges. The accounts they open could be anywhere from PayPal to a home equity loan.

Who Steals Your Identity?

Often, the hacker who steals your identity is not the person who steals your money. Hackers steal personal information and sell it to fraudsters over the Internet. (The magic of specialization.) Thanks to the Internet, the hackers and fraudsters can be anywhere in the world. Russia, North Korea, and Eastern European countries are common homes for this activity, but it happens everywhere.

What does this mean to you? It means that you can take extensive precautions to ensure that you protect your valuable identity information only to see the thieves just steal it from someone you do business with who also has your information. 

The latter is largely beyond your control. You can't control your personal information that Experian or Target keeps and has promised to protect.

Where Do Thieves Find Your Information?

They can look over your shoulder for your password while you log onto the Internet or enter your PIN at an ATM. They could steal your wallet. They can steal your credentials while you use a public Wi-Fi connection at a coffee shop (I use a VPN to protect against this.) They could hack into your computer. But, the least-cost approach is to steal millions of ID's at a time from places like Equifax, Target, and Yahoo.[1]

If bank-robber Willie Sutton were an identity thief, he'd explain his attacks on large companies by saying, "Because that's where your data is."

Why rob your home, steal your wallet or hack into your PC to steal one ID when a thief can hack Yahoo and steal millions?

If the Home Depot breach was a bank robbery, the recent hack of the credit-reporting agency Experian was like robbing the Federal Reserve.


Should you freeze your credit reports? Yup.
[Tweet this]


The Credit Reporting Agencies

There are three major credit reporting agencies, Experian, TransUnion, and Equifax. Most people have a file at all three, which should (but doesn't always) contain the same information about you. (You should check all three regularly at annualcreditreport.com to correct any discrepancies.)

In addition to the three major agencies, there are about 40 others[2], most of which specialize. You should focus on the top three (and perhaps Innovis.)

When you apply for a new credit card, an apartment lease, or a reverse mortgage, for example, the company accepting your application will first check your credit record. Unless you have frozen your credit report at the credit-reporting agency they choose to check, this will be done easily and will not be reported to you.

This simplifies your life but, unfortunately, it also simplifies the life of the thief opening an account in your name.

Freezing Your Credit Reports

You also have the option of "freezing" your credit reports at these reporting agencies. If you order the agencies (plural, it only makes sense to freeze all three) to freeze your reports, they will provide you with a PIN number to unfreeze the account when you need to.

The bad guys can't open an account in your name without your PINs. This is less convenient for you because you have to unfreeze your reports when you want to open a new account. (This is typically less inconvenient for retirees because we tend to open fewer new accounts.)

My reports have been frozen for years, so when I recently opened a new account the lender called me to tell me that he couldn't run a credit check because my credit report was frozen. I try to remember this and unfreeze the account when I submit an application, but I often forget.

I asked the lender which agency his company uses and was told Experian. I knew then that I only needed to unfreeze the Experian reports so I logged onto Experian.com, entered my PIN, and unfroze the account.

I could choose to unfreeze it for everyone or for one specific lender so I chose the latter. I could also unfreeze it until I chose to freeze it again or for a specific time period, so I chose to unlock my credit reports for this single lender at one agency (Experian) for five days, after which the account would once again be frozen to everyone.

Inconvenient? Yes, it cost me a few more days in the application process because I had forgotten about the freeze, but not nearly as inconvenient as identity theft.

Credit Monitoring Services

Many companies, including the reporting agencies, offer a service to monitor your credit report. Note that this is not the same as monitoring your credit accounts. After a breach, the hacked companies inevitably offer a year of free credit report monitoring service to help repair their image. "Free" is a fair price for this service and I generally take them up on it.

The problem with these services is that they won't notice a problem until your creditor reports it to the credit-reporting agency. (Again, they monitor your credit report at the agencies, not your actual Visa or PayPal accounts.) This is somewhat akin to checking the obituaries each morning to see if you're in them.

You may have seen a TV commercial that shows a bank being robbed while a security guard just watches. "Aren't you going to do something?" a customer asks while lying face down on the floor.

"Oh, I'm not a security guard," he responds. "I'm a security monitor. My job is to tell you when your bank is being robbed. By the way, your bank is being robbed."

The credit report monitoring services are even less useful. They tell you that your bank was robbed, not that it is being robbed.

Protecting Against Fraudulent Accounts

Though credit freezes won't stop the first problem I described, someone accessing your existing financial accounts, they can prevent someone from opening a financial account in your name.

I protect my existing accounts with two-factor authorization everywhere it is available.[3] I also set up email notifications on every financial account that offers them to immediately notify me of unusual transactions, like those for large amounts or charges outside the U.S. Lastly, I set up email notifications for accounts that don't offer this service at Mint.com.[4]

For the second risk, someone opening an account in your name, I highly recommend that everyone — especially retirees, since they open fewer new accounts and may be more financially vulnerable — freeze their credit reports at all major credit reporting agencies. It may cost a few bucks, depending on your state laws[5] and it will be a little inconvenient, but it is worth the effort.

Here are some directions if you choose to freeze your credit reports.
  • Assume that your ID has already been stolen. That's the safest assumption and it's probably true. Many IDs have been stolen and the thieves are waiting for someone to buy them. Maybe they just haven't gotten around to yours — yet. Once you accept this fact, you will focus more on how to protect yourself after your information has been stolen.
  • Log on to all three credit reporting agencies (links below under "References") and freeze your credit reports.[6-8] Follow their directions. You will need to provide a good deal of personal financial information to do this online so they can be sure that you are you, but you always have the option of calling the phone number they provide.
  • Don't do this, of course, over a public Wi-Fi network.
  • Request a freeze at the smaller agency, Innovis, because as the Washington Post asks, "Why not?"[9]
  • Some concerns have been raised regarding weak PINs provided the agencies and whether PINs were stolen in the Equifax breach.[10] Equifax says they were not, but not everyone is willing to trust Equifax' word right now. To play it safe, you might want to change your PIN if you already had one. Equifax says they will add that ability immediately and begin providing more random PIN numbers, as well. 
I'll be changing my PIN because, well. . ., "why not?"



REFERENCES


[1] 2017 Data Breaches - The Worst Breaches, So Far | IdentityForce®.



[2] Credit Reporting Agencies: Big 3 & Alternative Bureaus | WalletHub®.



[3] Two-factor authentication: What you need to know (FAQ) - CNET.



[4] Mint: Money Manager, Bill Pay, Credit Score, Budgeting & Investing.



[5] Details of credit freeze laws in all 50 states.



[6] TransUnion Fraud Alert



[7] Equifax Alerts



[8] Fraud Alert Center at Experian



[9] Innovis Security Freeze.



[10] After Equifax Breach, Here's Your Next Worry: Weak PINs, New York Times.



20 comments:

  1. Dirk, we froze our credit about 3 years ago, and it brings strong peace of mind when you hear about things like the Equifax breach. I also use a password keeper, which automatically creates complex passwords which I never have to remember.

    Cyber-security is becoming an increasing risk, but a few significant steps can go a long way to reducing your exposure. Great post.

    ReplyDelete
    Replies
    1. Thanks, Fritz. I, too use a password manager. They're a great idea. I also use a VPN. I use PureVPN but there are a few good ones. I think mine costs about five dollars a month.

      Delete
  2. Thanks for providing the links in one convenient location. It took me about 15 minutes to freeze my credit reports for all four services and there is no charge for residents of my state so it didn't cost me a dime.

    ReplyDelete
  3. Dick, do you mind sharing which password manager you use? They seem vulnerable to hacking too...

    ReplyDelete
    Replies
    1. Actually, that's a little more information than I'm willing to share, but you are correct, they are all vulnerable, as this post explains.

      Everything is vulnerable, including fingerprint scanners. The issue is the degree of vulnerability.

      Think about your home. There is little you can do to protect it from break-ins from a determined thief, short of hiring armed guards. You could say, "what the heck, anyone who wants to get in badly enough is going to succeed no matter what I do" and leave the doors unlocked for your own convenience. I suspect you lock your doors, though, and some of us install home alarms and video surveillance and strong deadbolts to at least make it more difficult to break in.

      Using a password like "password" or using the same weak password at multiple websites is like giving up and leaving the door unlocked. A password manager, while not impenetrable, makes it harder to break in.

      Two of the more popular password managers are Lastpass and 1Password, though a Google search will discover several good ones.

      Delete
  4. Someone noted on a different post that Experian's website is currently causing them problems establishing a freeze.

    According to Experian's website, "You can request a security freeze be added to your credit report by going online to Experian’s Freeze Center, by phone at 1 888 EXPERIAN (1 888 397 3742), or by mail to Experian Security Freeze, P.O. Box 9554, Allen, TX 75013."

    I would assume their hair is on fire and the website is suffering as a result. Snail mail might be the best option.

    ReplyDelete
  5. FWIW, Password Wallet, from Selznick Scientific Software, is worth considering, if you are more concerned with security and less concerned with convenience (always a tradeoff). All data is local on your device. Sync between devices can be via your local network, eliminating the traversal of outside networks. The software does not directly integrate with your browser, it simply uses copy & paste, when unlocked, then deletes the clipboard info. The encryption keys are 448 bit.

    ReplyDelete
    Replies
    1. Thanks. At last count that were approximately a bajillion password managers on the market. The differences are primarily in the features they offer, the platforms they support and the cost and not their security.

      I suggest you check reviews at reputable websites like The Best Password Managers of 2017 at PCMag.com. It's important that you have one; less important which one you have. The only feature I demand is two-step verification, which most offer. Many are free.

      Delete
  6. Great post, you gave me the push I needed to step up my security. Believe it or not, here in Canada it's not possible to freeze your credit reports. The best I can do is add a fraud alert to my accounts. Frustrating. As I use a lot of public wifi, I'm also going to add a VPN for a month as a trial run.

    ReplyDelete
    Replies
    1. Wow! Who knew there were things in Canada that aren't allowed to freeze?

      I think the VPN is a good idea for everyone but especially for those who use public wi-fi a lot. I found a good VPN for $5 a month that has never noticeably slowed my internet performance.

      I found fraud alerts about as useful as this bank monitor.

      Instead, I recommend that you use alerts at the websites for your credit cards and debit cards. Most will send you an alert if charges are made outside your country, exceeding a certain amount, etc.

      For cards and charges that don't offer alerts, I use mint.com. They generate the same alerts for just about any source of spending.

      Thanks for writing!

      Delete
  7. They seem vulnerable to hacking too...

    ReplyDelete
    Replies
    1. Peter, it is important to recognize that everything is hackable. If you don't want information stolen, don't put it on the Internet. Of course, that's getting harder and harder to avoid. You could also leave your front door open and argue that any lock can be defeated. You would be correct, but I'll bet you lock your doors, anyway.

      Delete
  8. Create your Social Security account before doing the freeze. Unfortunately, SS verifies your identity using a credit bureau. Wish I knew that before freezing my credit. Oops.

    ReplyDelete
  9. Create your Social Security account before doing the freeze. Unfortunately, SS verifies your identity using a credit bureau. Wish I knew that before freezing my credit. Oops.

    ReplyDelete
  10. This comment has been removed by a blog administrator.

    ReplyDelete
  11. This comment has been removed by a blog administrator.

    ReplyDelete
  12. This comment has been removed by a blog administrator.

    ReplyDelete
  13. This comment has been removed by a blog administrator.

    ReplyDelete
  14. This comment has been removed by a blog administrator.

    ReplyDelete
  15. This comment has been removed by a blog administrator.

    ReplyDelete