Monday, November 6, 2017

Equifax Breach: Protecting Personal Information

Protecting Personal Information

Anyone can end up with their identity stolen, but there’s plenty you can do to help protect yourself from becoming a victim.

When a company you trust fails to secure your data, you can feel helpless and unsure of how to help protect yourself. After all, credit rating agencies take your most vital information without your permission. Implicit in this siphoning of your identifying information is that companies will guard your details like gold bars.

Then came the Equifax breach.

One of the big three credit agencies, Equifax should have known better. More than 145 million people had their data stolen. The barn door was closed after the cows got loose. The only thing that matters now: What can you do to help protect yourself?

First, use the tool Equifax created to check if you were affected by the breach. You’ll have to put in your last name and the last six digits of your Social Security number. If they say your information was stolen, it’s time to act. Even if you’re supposedly safe, following the tips below can help protect you from the next attack, although no one is completely impervious to data thieves.

According to CNBC’s Jim Cramer, a wealthy money expert with access to a bevy of top experts, victims of the attack may not notice anything out of the ordinary for months. But the thieves have everything they need to take out a line of credit, get a driver’s license or even become you. Your name could end up on a loan, along with your Social Security number, your birthdate, etc. His experts suggest calling your banks and creditors immediately, and adding a PIN number or secret word for an extra layer of verification. Tell them they are not authorized to create new lines of credit on your accounts without that PIN number or secret word you agree on.

Expert Advice for Identity Theft Victims

Senior Spirit checked in with Mary Trapani, who became an identity theft expert after she and her husband endured years of difficulty after their own identities were stolen in April 2000.

It turns out that identity theft is common. A 2016 survey estimated 41 million Americans have had their identity stolen, making it imperative to put safeguards in place. The following tips come from Mary’s blog, where she posts advice for consumers.

What to Do Right Away:

  • Change every password. Look below for tips from Mary on how to develop a quick system that makes all your passwords easier to formulate and remember. There are also tips from the experts at wired.com on making your passwords as strong as possible.

  • Mary’s harrowing experience with ID theft led her to endorse IDShield. She offers information about the service at www.SoonerOrLater.biz. The service costs about $10 monthly for one person, or $20 for a family. IDShield claims to be unique in having private investigators on staff. The company says it monitors every scrap of data with your name on it. “In the event of a compromise, your personal IDShield licensed private investigator will work to uncover evidence, restore your identity and clear your record back to its pre-theft status,” according to the website.

  • Protect your computer and other devices with appropriate software.

  • Only visit websites that are safe. Your anti-malware software may have an option to only allow sites it deems safe. An easy guide is to check the URL: If a site’s address starts with “https” instead of “http,” the data you send to it is encrypted in transit.

  • Never give out your personal information over the phone or online, unless you initiated the contact.

  • Do not open suspicious emails, even on your phone. Never click on links or attachments in them, even when they make tempting offers. Even hitting “unsubscribe” could land you in trouble. Send them to spam.

  • Buy a basic shredder and use it for every document with your name on it.

Report the Problem

If you know that you have been affected in the breach, you’ll need to do more. You should report the theft to all of the following:

  • The Federal Trade Commission (FTC): 877-ID-THEFT (877-438-4338)

  • The Social Security Fraud Hotline: 800-269-0271

  • The Internal Revenue Service Tax Fraud Hotline: 800-829-0433

  • Your local post office

  • All of your financial institutions, including banks, creditors, mortgage companies and credit card companies

Do Your Homework

Finally, Mary reminds us there are some things we all should be doing as a matter of course.

  • Review your credit reports. This has gotten a lot easier with credit scores available from many banks, credit card issuers and money management services such as Mint. You can still get a free report straight from Equifax, TransUnion and Experian once a year by requesting it.

  • Check credit card and bank statements every month for fees that look odd. It could be a small charge that appears every month, money going overseas or a charge to a company you’ve never heard of.

  • Check your Social Security Earnings and Benefits Statement yearly to make sure no one else is collecting benefits using your number. Mary knows from experience that if that happens, you may need a lawyer. Even with professional help, it is still a lot of work to undo.

  • Protect your Social Security number from being used fraudulently on a tax return. Get an IP PIN that you or your tax preparer will use on your tax return. Note that once you use it, you must continue to use it every time you file.

Create a Username and Password Scheme

You can benefit from Mary’s way to create and remember usernames and passwords. We’ve summarized the information from her blog on the topic.

Mary labels it “Nom de Persona,” which involves using the name and information of a figure other than yourself, whether real or fictional. It might be a public figure or someone from a movie. It’s quite handy if the person appears in Wikipedia, since you can use their middle name, mother’s maiden name, birth date, names of pets, favorite food … virtually anything to create usernames and passwords.

“My Persona is someone with whom I went to grammar school,” Mary says. “I have not seen her since eighth grade. But, coincidentally, later in life she became friends with someone I know through business. I keep up-to-date on events in her life and things she likes through that mutual friend. She has no idea I base my usernames and passwords on her and I have been doing it for about 15 years.”

One of the beauties of this scheme is that you can keep track of usernames and passwords in an Excel spreadsheet. Just remember that you don’t want to put, say, GeorgeWashington Martha1789CherryTree.

Instead, you’d put FirstnameLastname Wifefirstname Yearelected FamousActivity. That way, if the Excel sheet is accessed, the thieves will still be in the dark. Mary further suggests not labeling columns “Username” and “Password,” and only hinting at the website they unlock. Then they are safe enough to keep on a piece of paper in your purse or wallet.

Oh, and if everyone knows you are a huge fan of Paul McCartney, go with someone like Ozzy Osbourne or Big Bird.

Password Tips From the Pros

The computer geeks at WIRED contacted their favorite pros and came up with some great tips for password security. Some of them go against everything we thought we knew.

These quick changes are simple enough for anyone to do (unlike the 39 steps one site suggested). Knock off your most sensitive sites first, maybe one a day. In a week or a month, you can pat yourself on the back for a job well done!

A Clever Password is Not Enough

Nowadays, you know how vulnerable your information is on the internet. It’s just not enough to have the best passwords out there, especially for financial accounts, your email or anywhere else you access sensitive data.

Enter two-factor authentication. It’s a simple feature that demands more information than just your password. It requires both something you know, such as a password, and something you have, like your phone.

You enter your username and password as usual, and then the site asks for a code sent to your phone. The site denies account access until you enter the code. This is considerably more secure than a password alone, but not every site is enabled for two-factor authentication. LifeHacker’s list of the most popular sites that offer two-factor authentication, with setup instructions, is cited under Sources.

1. Longer, not more complex

“A longer password is usually better than a more random password,” says Mark Burnett, author of Perfect Passwords, “as long as the password is at least 12-15 characters long.” Mark says adding two letters to a password is the equivalent of mixing it up with alphanumeric nonsense. So you can forget the password that looks like you let a monkey loose on the top keys and just add two simple letters instead.

2. Mix it up

Looking at you, “11111111111.” Longer is better, but not if you only use a couple of characters. “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” says Morgan Slain, CEO of SplashData, a password management company that puts out an annual list of worst passwords.

3. Let special characters be free

That’s right, quit bunching them up at the end like an afterthought, even if they were. Snuggle those pound signs and percent symbols right up next to letters and numbers somewhere in the middle of your password.

“Most people put capital letters at the beginning and digits and symbols at the end,” says Lorrie Faith Cranor, FTC Chief Technologist and Carnegie Mellon computer science professor. “If you do that, you get very little benefit from adding these special characters.”

4. No double dipping

Dang, that new password is a good one. It’s so perfect, so crack-proof that you decide to use it on more than one account. Bad idea!

“Even if you have an ‘unimportant’ password and an ‘important’ password tier, it’s very unsafe,” says Joe Siegrist, VP and GM of popular password manager LastPass. “It makes it way too easy for a hacker to attack one site and get your password to all the others.”

5. Enough with the changing

Bless the computer gods, the new decree is to stop changing your password every month or two. You never really changed them much anyway, did you? Most people put a “1” or a “2” at the end and called it good. Not!

“Frequent password changes are largely a waste of time,” says Microsoft Research security expert Cormac Herley. “There’s no evidence that password changes improve outcomes.”

6. Stop worrying

If you’ve committed to best practices, the bad guys are probably going to go elsewhere.

"Ignore the stories about attackers doing billions of guesses and saying that the average password can be guessed in under a second: your bank is not going to allow an attacker to try 100 billion guesses," says Herley. "For your web passwords, you mostly have to worry about withstanding a few thousand guesses."

7. Add layers

Passwords are only one aspect of a coordinated defense.

“Don’t rely on passwords alone!” says Neil Wynne, a senior research analyst at Gartner who focuses on business security. “Passwords should not be considered sufficient for anything other than the lowest-risk applications.”

But you already knew that, didn’t you?


Sources

“Here’s How Many Americans Have Been Victimized by Identity Theft,” Time.com.

“Nom de Persona: An Ultimate Plan for Usernames and Passwords,” Mary Trapani.

“A (New) Word or Two About the Equifax Breach,” Mary Trapani.

“Equifax: Take It Seriously and Act Now,” Mary Trapani.

“Part Four – An Identity Theft Victim’s Tale Part 4 of 4: Smooth Sailing,” Mary Trapani.

“7 Password Experts on How to Lock Down Your Online Security,” Wired.com.

“Here’s Everywhere You Should Enable Two-Factor Authentication Right Now,” LifeHacker.com.

“Should I Buy from This Site? How to Know if a Website is Secure,” DigiCert.

Blog posting provided by Society of Certified Senior Advisors
www.csa.us