fandandy

Equifax Hacked


I wasn't affected, the wife was. :(

 

Sure you weren't


I wasn't affected, the wife was. :(

The mailman or the credit thing?


This is one dude's solution to the hack. Sounds like a PITA:

Equifax. How big of a deal is it? Well, I'm actually posting, so that should tell you right there...

 

Basically, if you are in the US and not dealing with a major weather event right on top of you, this is what you should be working on. Now!

I've spent the last 48 hours combing over security blogs, legal and financial advice threads, news reports, etc. I'll try to step through what's known at this point and what you can do. It's a VERY long post and working through all the steps may take you a few hours. Or you may have your identity compromised.

I do this (web security) for a living, so I at least sort of know what I'm talking about. Hopefully, having a step by step guide will make it easier for some people to get a handle on what's happening.

Sites are (unfortunately) breached all the time, so what's different now? Quite simply, it's the nature of the information that was compromised.

For most "normal" breaches, a list of usernames and passwords is taken. You find out that your ABCCorp account was compromised, change the password everywhere you are using that username/password combination (you shouldn't ever be reusing passwords, but I know that's a tall order for some people), and move on. That's easily changed information.

What appears to have been taken from Equifax is nearly immutable information:

Name - changeable fairly easily, but even if you wanted to, it will still be tied to your old name in most cases

Social Security Number - very hard to change, pretty much only after identity theft has definitely occurred, and it will still connect to your original number anyway

Birth Date - immutable

Address - changeable, if you feel like moving, but your old addresses are kept in your records, so that doesn't help much

Driver's License Number - changeable, but there is hassle and likely a fee

Credit Card Numbers (it appears that a relatively smaller number of these were compromised) - easily changed; interesting that in this situation it's one of the less dangerous items that got out

Other "Personal Identifying Information" (also a relatively small number of these) - without more detail we don't know exactly what this is, but I'll speculate security questions and such

Everything that is commonly used to verify identity is there. By way of analogy, this is like having the keys to your front door, the code to the alarm system, and the location and combination to your safe. You're totally vulnerable.

But maybe I wasn't affected? Assume you were. Equifax is one of the three big agencies, so they almost certainly had your information, and nothing in the details suggests this was only a partial breach. Start with US population, subtract minors and those with no (or too old) credit history, and that leaves about 200 million people. The breach is reported to have affected 143 million. Do you want to take a 70% chance? And no, I don't care what their official site tells you.

Scared yet? Good. I'm conveying the scope of the problem.

So what can you do? There are some steps you can take to limit your risk with regard to financial and tax fraud, so I'll focus there.

Here it is, in ten steps (follow them in order). The first few won't seem to be directly related, but they create the foundation for what you need to have in place in later steps.

1. Don't get angry (that comes later). Find a comfortable place to work and maybe get yourself a snack.

2. Set up a password manager, if you don't already use one. I'm not going to get into password theory too much, but you should be using passwords of at least 16-20 characters long and thus you won't be able to remember them all. I use 1password and I'm happy with it.

3. Secure your primary email address(es). You have to be sure that you can receive communications safely. Set a strong password. Enable two factor authorization (2FA). Save the credentials in your password manager.

4. Secure your mobile phone. Set a strong password. Use Touch ID if you have it. This is where those 2FA codes are going to be sent, so you have to be sure that is completely safe too. Save the credentials in your password manager.

5. Make sure you have control of your Social Security account. Go to https://www.ssa.gov/ and create an account. Choose every security option it gives you. Save the credentials in your password manager.

6. Make sure you have control of your IRS account. Go to https://www.irs.gov/individuals/get-transcript and create an account. Choose every security option it gives you. You don't actually need to get the transcript at the end (but you can); you just want the account controlled. Save the credentials in your password manager.

7. For every bank account, credit card, or other financial account you have, log in and make sure you have a strong password set. Save the credentials in your password manager. Then, go through all the alert options and use them! Get used to receiving lots of emails confirming that transactions are actually yours. That's your new normal.

8. Are there any new credit cards that you NEED to apply for, insurance policies you are planning to open, or utilities you have to set up? Want a new phone? Anything else that might at all trigger a credit check. Do it now. Then come back to this list. I'm not suggesting doing anything you wouldn't have done anyway, but if you were two days away from applying for a fancy new credit card, it will be easier to deal with before you lock things down.

9. Set up a schedule for getting your free annual credit reports. Look them over for errors and report any that you find. You get one free from each major agency per year. A possible schedule might be SEP 10 Experian, JAN 10 Transunion, MAY 10 Equifax (and feel free to hope that Equifax doesn't exist in eight months...). Set annual calendar alerts and act on them when they come up. The official site is https://www.annualcreditreport.com

10. Set up fraud and security alerts. The upside is that this should mean that a credit agency has to contact you (preferably by phone) before taking an action on your credit history. So if someone tries to use your information, you'll receive a phone call, thus it should be obvious if the inquiry is on your behalf or not.

The downside is that you have to renew it every 90 days. At the moment, there is no way around this hassle.

You need to contact one of the three major agencies and they will inform the other two. You want an Initial Fraud Alert. It should be obvious that Equifax is a lost cause, so use Experian or Transunion:
https://www.experian.com/fraud/center.html


https://www.transunion.com/fraud-victim-r…/place-fraud-alert

You also should contact ChexSystems. They deal with new checking/savings accounts, and you don't want someone else opening one in your name. You want to Place A Security Alert. https://www.chexsystems.com

11. BONUS ITEM. Contact your state's Attorney General and/or members of Congress. Equifax has to be brought to task for this failure (AG), and the rules about how credit works and identities are verified need to be completely rebuilt (Congress).

What about identity/credit monitoring? Equifax is going to be giving away a year of monitoring. That's standard procedure for these breaches, and when it's a standard breach that's a mediocre response. Remember the difference in the type of information, though? This is not a standard breach, so it's a nearly irrelevant response. You also may (it's unclear) forfeit your right to join a class action lawsuit if you accept it.

Identity monitoring is really insurance. They promise lots of things, but they can't prevent anything. They can only react. If you feel more comfortable having that insurance, so that you have a team available to help you in case your identity is compromised, then feel free to get one of these products. But you may want to look for one that isn't run by one of the credit agencies or their subsidiaries. That seems like a conflict of interest to me.

What about credit freezes? Unless you live in a state that has laws making these free, I don't recommend them. The biggest problem is that all of the information needed to call a credit agency and unfreeze has been leaked, so you'll probably just be wasting your money! You can read more about what these are at https://www.consumer.ftc.gov/articl…/0497-credit-freeze-faqs


Guess the Consumer Financial Protection Bureau has more important things to do than protecting consumers' finances. :dunno:

https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ

 

Mick Mulvaney, head of the Consumer Financial Protection Bureau, has pulled back from a full-scale probe of how Equifax Inc failed to protect the personal data of millions of consumers, according to people familiar with the matter.

 


Guess the Consumer Financial Protection Bureau has more important things to do than protecting consumers' finances. :dunno:

https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ

 

What does this mean, "according to people familiar with the matter"?


again? :o
