At this point, I’m fairly sure that if a hacker doesn’t have my personal information, it’s because they just don’t want it. The Equifax breach was the largest ever, and it was preceded by a Blue Cross/Blue Shield breach in which I know my information was taken. I’m not at all confident there won’t be future breaches, so the question is what we as individuals can do about it.
We don’t know exactly what information was stolen from Equifax, but the fallout for individuals is likely to center around 3 areas as follows:
- Identity Theft
- Account Fraud
- Theft of Information
In the rest of the post, I’ll take a look at each of these issues and outline a few steps you can take to protect yourself.
While there are several types of identity theft1, the type we’re focused on is identity theft to commit financial fraud. In this type of fraud, criminals use your confidential information to open credit accounts in your name and draw on those accounts. If you are concerned your information has been compromised and you might be at risk, you have a couple of options to protect yourself, and they include:
Freezing Your Credit– freezing credit keeps most entities from accessing your credit report, and without a credit report it is extremely unlikely that a creditor would open a credit account. If you don’t need to access your credit report very often, freezing credit is likely the best option for you to protect against identity fraud. When it comes to freezing credit, there are a couple of things to bear in mind as follows:
- When you freeze your credit, each credit bureau will issue a PIN. Make sure to keep that PIN in a place you can find it, as the PIN is required if you ever want to unfreeze your credit.
- Your credit report is now used for more than just obtaining credit. It isn’t uncommon for employers to require credit reports for prospective employees, and any entity extending credit to you – such as utilities and cell phone providers – will likely access your credit report as well. So, you may find yourself unfreezing your credit more than you anticipate.
- Cost to freeze and unfreeze credit varies from state-to-state, and the cost in Georgia is $3. Information on the cost and laws in all states for credit rules is here.
- You’ll need to freeze credit at each of the 3 credit bureaus, and contact information for each credit bureau is below.
- Equifax, and there is no apparent way to contact them by phone to place a freeze
- Experian, or call 888-397-3742 and choose option 2
- Transunion, or call 888-909-8872
Placing a Fraud Alert on Your Account – placing a fraud alert on your account isn’t as fool-proof as freezing your credit. If you place a fraud alert on your account, creditors are supposed to take extra steps to confirm your identity. Unfortunately, alerts only last 90 days and they must then be renewed. If you have been the victim of identity theft and have filed a police report, you can request an extended fraud alert, which lasts 7 years. If you have an extended fraud alert, creditors are required to contact you by phone before opening any new accounts.
To place a fraud alert on your account, you can contact one credit bureau and they are required to contact the other two credit bureaus. Phone numbers at which you can reach the credit bureaus to place fraud alerts are as follows:
Equifax – 800-525-6285
Experian – 888-397-3742
Transunion – 800-680-7289
Credit Monitoring– institutions that want access to our credit information are the primary customers for the credit bureaus, not consumers. Still, the bureaus have found a way to generate a bit of profit from consumers via selling credit monitoring. Freezing your credit and monitoring your accounts regularly (more on that below) largely eliminates the need for monitoring. Additionally, if you are willing to take the time, you can put together a do-it-yourself solution to credit monitoring. Still, if you aren’t going to freeze your accounts and you know you’re not likely to regularly review your credit account statements and don’t want to monitor on your own, consider credit monitoring.
Independent ratings on credit monitoring options are difficult to find – likely because most consumer advocates don’t think monitoring is worth the cost. This Nerdwallet article offers an overview of how to monitor your credit on your own, as well as what to look for should you decide to use a credit monitoring service.
Account Fraud – We classify account fraud as fraud involving one or more existing accounts. Most frequently, the accounts are credit card accounts and aside from protecting your credit card information and practicing good online security (covered below), the most effective step you can take is to review your account activity monthly or even more frequently (I review our checking and credit card accounts weekly when I reconcile them). If you decide to monitor your credit as well, you can keep an eye out for any unexpected balance changes on charge accounts.
The good news is your liability is limited to $50 should someone use your credit card fraudulently, and you have no liability if you report the loss or theft of a card before it is used. If the card number is stolen – via skimming, for example – you also have no liability.
Debit card limits can be higher if you fail to report the loss or theft and have received a statement showing the fraudulent transactions. More detail on these limits is available at the FTC website here. Additionally, bear in mind that even if the bank does cover your loss due to debit card fraud, it may take a bit to do so. For these reasons, I prefer using credit cards as opposed to debit cards.
The rules are less clear cut when it comes to protections for deposit and brokerage accounts in cases of online fraud or forgery. Here again, generally the more quickly you notify the institution of any fraudulent activity, the less likely you will be liable. Additionally, your institution should have a clear cut policy on how account holders are protected, so be sure to check on their policies.
Theft of Information
The Equifax breach provided hackers with a trove of information they can use to attempt to collect more information from victims. If someone typically uses his social security number as a password, the hackers may be able to use that to log in to other websites. Additionally, hackers might use information on the accounts a person has to generate e-mails impersonating those institutions that require logging in to reset a password.
Providing a full rundown of good IT security is beyond the scope of this article, but there are a couple of steps you can take that greatly reduce your chance of being a victim of online financial fraud. They are as follows:
Use a password manager and use unique, strong passwords for every website – password managers are programs that typically integrate into your browser and generate and store unique passwords for every website. The passwords generated are random, so a hacker couldn’t use personal information obtained about you to guess your password. Additionally, because the programs can generate unique passwords for every website, even if a hacker does manage to guess your credentials on one site, they won’t be able to use those credentials to log in to other sites.
We use Macs in the office, and two of the most popular password managers are OnePassword and LastPass. Both have desktop and mobile versions, so we can access our credentials and log in from our desktops, tablets and phones.
Set up two-factor authentication if a website supports it – two-factor authentication requires a step beyond simply entering a username and password to log on to a site. The second step might be an additional item of information – a challenge question for example – or it might require authentication with another device like your cell phone. Assuming the answers to the challenge questions are known only to you and wouldn’t be information a hacker is likely to find, they provide a good bit of security. If that isn’t the case however, consider using one time access codes sent to your cell phone as the second authentication factor if that is an option.
Secure your cell phone with a passcode or PIN – mobile account hijacking in which thieves take control of your cell phone number and account is on the rise. This happened to the Chief Technologist at the FTC, and she wrote an account of her experience here. Securing your cell phone is doubly-important if you use your phone as part of two-factor authentication. To reduce the chance of account hijacking, the major carriers allow you to establish a secondary PIN or passcode that is required before any changes can be made to your account.
While it isn’t possible to eliminate the possibility of financial fraud, taking the steps above should greatly your risk.
1. Identity theft to commit financial fraud is the most common motivation for identity theft, but criminals also steal identities to receive medical services and to conceal their actual identities.
Minerva Planning Group is a fee-only financial advisory firm based just outside Atlanta in Decatur. You can contact them here.