The Equifax Breach: Minimizing Your Risk
By Matt Bennett
If someone asked me to write a movie script with some kind of worst-case cybersecurity scenario as the plot, I do not think I could come up with something much worse than the Equifax data breach. Probably you are already familiar with the details, but let me give a quick recap on what we know so far just in case:
· Data for approximately 143 million Americans was exposed to potential theft.
· This data includes a lot of personal information, including Social Security numbers and home addresses.
· Over 200,000 credit card numbers were stolen, and some driver’s license numbers as well.
· This was likely caused by an unpatched Java framework (Apache Struts, if you are interested).
This is just what we know so far, and Equifax up until this point has been terrible — very little information disclosed, a shoddy website to check if you are one of the 143 million, and assorted nastiness from trying to surreptitiously limit victims’ ability to sue, to sketchy offloading of Equifax shares by executives just before the breach was announced. Equifax makes its money by selling your data to businesses trying to make a credit decision about you; consumers are not their primary customer base. In short — you are the ground beef, not the person buying the hamburger, and it shows in their attitude and response to this mess.
On another level, I think this breach should be a cautionary tale about how badly our consumer credit system is broken in this country and how little protection American citizens are given for a thing (credit history and scores) which can have massive repercussions on someone’s economic well-being. However, right now I think it is more important to talk about how you can immediately take steps to protect yourself. This is not easy, because of the nature of the information disclosed, and how it is typically used. Things like Social Security and driver’s license numbers cannot be easily changed, if at all — and other exposed information like prior addresses is a matter of personal history. Worse still, a lot of this information is used for identity verification — that is, these are the things that a website or customer support operator might use to identify you in the case that you had password problems and needed a reset. Just Google “social engineering password reset” if you want to stay awake tonight. This information is also some of the key items a criminal needs to open credit in your name — take a look at a credit card application and then compare that to the data exposed by Equifax. But OK, take some deep breaths and let’s talk about what you can do to protect yourself:
1. Assume you are at risk — don’t bother with the Equifax site because it has known weaknesses and additionally tries to sneak a waiver of your right to sue past you in its terms of service. Unless you have never had a mortgage, car loan, credit card, or bank account, just go ahead and assume you are one of the affected, which is highly likely, and move on.
2. Freeze your credit — all three of the major credit reporting agencies (Equifax, Experian, and TransUnion), plus the less well-known Innovis, offer the ability to freeze your credit, preventing anyone from pulling your credit report. This makes it really hard for a thief to get credit in your name, since whoever he or she is applying with is unlikely to approve credit without even seeing the report. Be warned that this is not typically free and the cost varies by state, from $0–15 per credit agency (disgusting, right?), but this is still pretty cheap insurance against identity theft.
3. Get in the habit of checking your credit report — this is about as much fun as going to the dentist to me, but it has to be done. The big three agencies are required to provide you with a copy of your credit report for free every 12 months, and www.annualcreditreport.com gives you access to all three reports. I suggest checking a different one every 4 months — since most credit events are reported to all three agencies, this gives you the best zero-money chance of catching a problem early.
4. Look at financial information at least once a week — use the app or the website to look at all your financial accounts for any activity you don’t recognize. A service like Mint.com might be useful here, if it will connect to all your accounts and pull data into one place. Set up text/email notifications where possible — credit card transactions over a specific amount, card-not-present transactions, billpay/money transfers, etc. Again, the sooner you know, the easier it will be to fix a problem.
5. Turn on two-factor authentication wherever possible — https://twofactorauth.org/ maintains a list of websites that support 2FA, including banking and other financial sites. I’m at the point now where I am looking for replacements for banks and credit cards that do not support 2FA. I also give preference to sites which use things like software tokens (Google Authenticator) over SMS-delivered codes, which have been proven to be significantly less secure.
6. Maintain other cybersecurity best practices. In addition to two-factor authentication above, you should be using hard-to-guess passwords, and not reusing them between sites. PIN- or password-protect your phone/tablet/computers. I still highly recommend a password manager like LastPass or 1Password to make this easy enough that you will follow through. If a site asks you to create security questions, make up the answers so they can’t be guessed from scraping your social media accounts — even if you have to write the answers down somewhere, it would be safer than using things I can go find on Facebook or Instagram.
The harsh reality is that this breach is going to create increased risk of identity theft for years to come, possibly for the rest of our lives if Social Security numbers continue to be used so widely in identity verification. You should rightly be furious as I am, and join me in advocating for change in the whole consumer credit system towards a system that protects American citizens instead of corporations. But at the same time, you need to accept the fact that you will need to be vigilant for years to come, and start to solidify new habits in that regard. Take steps now — there is no good or easy fix, but by staying alert you will be doing all you can to prevent becoming a victim.