Following the Equifax data breach, what can you do to protect yourself?
You likely saw the news yesterday about the Equifax data breach compromising the personal information of as many as 143 million Americans. (If not, check out the details here: Giant Equifax data breach: 143 million people could be affected)
For those consumers wondering what they can do now: unfortunately, there’s not a whole lot you can do to preemptively stop this compromised information from being used against you. However, since companies large and small are compromised every day, often without even realizing it, this is a great opportunity to review your personal security practices. Here are some essential tips to help you better monitor and protect your personal security and mitigate your overall risk of a personal breach:
Stop using passwords, start using passphrases. Password length is becoming an increasingly important element in preventing password compromise. At minimum, set passwords of 16 characters or more to protect important logins such as bank accounts, credit cards, and health records. Ideally, set passwords 30 characters or even 60 characters long if the website supports it! To make this easier, think of a sentence or phrase that can serve as your password, rather than a single word. Password managers are also an invaluable tool to simplify this by removing the need for you to memorize dozens of passphrases.
Make your strong passwords even stronger. Continue following the often-repeated practice of mixing capitals, numbers, and symbols into your passphrase, but use them in non-typical ways. For example, it is extremely common for the letter ‘a’ to be replaced by ‘@’, and attackers know this. Use less common symbols like { < ; ~ and use them unpredictably by inserting the symbols into odd places without replacing letters.
Require a passphrase or fingerprint to unlock your computers and mobile devices. Your phone is a key to your entire digital life, often granting immediate access to your email and accounts through saved logins in mobile apps. Get rid of PIN codes and pattern unlock, and even ditch fingerprint unlock if you're extra paranoid. Set a secure passphrase to access your phone and think twice before checking "Remember Login" on those sensitive apps.
Enable 2 factor authentication everywhere you can! If you’re not already familiar with 2FA, check out our blog article explaining 2 Factor Authentication and how to use it.
Never re-use the same password or PIN at multiple websites or for multiple accounts. As this breach shows, you should not rely on third parties, no matter how big or “trustworthy”, to protect your data, including your password. If you use the same password at shopping.com that you use to log in to your bank account and shopping.com gets breached, an attacker WILL test your password at every website they can think of and they WILL eventually try your bank account. If you re-used your password, now they’re in! Check out our past blog article for more on this: Have you been "pwned"?
Avoid emailing sensitive information. Emails are inherently insecure and tend to leave traces and copies in a lot of places. If you have to email your social security number, credit card number, or any other sensitive information, store it inside a securely encrypted file attachment or look for alternative ways to provide the information such as phone, in person, mail, fax (yes, really!), or secure dropbox/file drop services.
Monitor all of your bank accounts and credit cards on no less than a weekly basis for strange or unrecognized transactions. Additionally, most bank account and credit card online logins let you set up email alerts for activity like new international charges and charges above certain amounts. Set these up and let the machines help you keep an eye on things. It is unfortunately becoming a common occurrence for financial accounts to be compromised, so make sure you catch it quickly!
Take advantage of the official mobile apps from your banks and credit cards, which can send you a push notification anytime there is a new charge or new activity on your account. I’ve personally caught fraud on my credit card in real time on the first transaction when I’m sitting at a restaurant and all of a sudden my phone alerts to tell me that my card was just swiped in another country!
Keep an eye on your credit report and thoroughly review it at least annually. The credit bureaus are obligated to provide you with a FREE full copy of your report once per year, with no detrimental impact on your credit score and without having to sign up for any paid service. Check out annualcreditreport.com for more information. Also, many credit cards have added free features to monitor your report for you and present you with your credit score and a report of any changes on a monthly basis, which is a great tool to take advantage of as well.
Be more careful than ever of emails containing links and attachments. If you receive an email with an attachment that you didn’t expect, contact the sender via phone, text, or a separate new email to confirm that they sent it and that it is legitimate. If you get an email prompting you to click a link to log in to your account - don’t click it! Instead, open up a browser and go directly to the website of the organization that supposedly sent you the email, log in at the known and trusted URL that you type, and then see what the notification was about.
Consider freezing your credit with the 4 major credit bureaus. Freezing your credit prevents any potential creditors from viewing or pulling your credit unless you unfreeze or "thaw" it ahead of time using your personal PIN. While there are some fees associated with this and it can make it more of a hassle for you to legitimately apply for credit yourself, it is arguably the most effective preventative control against identity theft. If you freeze your credit, also consider alerting ChexSystems of potential fraud in your name. ChexSystems is used by many banks to verify customers requesting a new bank account, so this can make it a little tougher for a criminal to open a new account in your name.
If you're eligible, get an IRS Identity Protection PIN. The IRS offers the ability for certain consumers to create a six-digit PIN that must be provided with all of your tax filings to prevent fraudulent filings, but unfortunately today it's only available to those meeting certain eligibility requirements. Check out https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin for more information.
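The passphrase advice in the first two tips, as an added example that is not part of the original article: a Python sketch that picks words with the operating system's secure random source, capitalises one of them at random, and inserts the less common symbols at random positions without replacing any letter. The 32-word list, the hyphen separator and every function name are assumptions made for illustration; the sample list is far too small for real use.

```python
import math
import secrets

# Constructed 32-word sample list (assumption). A real generator should load
# a published list of thousands of words so each word adds far more strength.
WORDS = ("amber anchor basil candle cedar copper daisy ember falcon garnet "
         "harbor indigo jasper kettle lantern maple nectar olive pepper quartz "
         "raven saddle timber umbrella velvet walnut willow yarrow zephyr "
         "meadow pebble thistle").split()
SYMBOLS = "{<;~"   # the less common symbols named in the tip
MIN_LENGTH = 16    # the article's minimum for important logins


def word_entropy_bits(num_words, list_size):
    """Lower bound on strength: counts only the random word choices."""
    return num_words * math.log2(list_size)


def generate_passphrase(num_words=5, num_symbols=2, words=WORDS):
    """Build a passphrase with the secrets module (OS CSPRNG), not random."""
    shortest = min(len(w) for w in words)
    if shortest * num_words + (num_words - 1) + num_symbols < MIN_LENGTH:
        raise ValueError("too few words to guarantee the minimum length")
    chosen = [secrets.choice(words) for _ in range(num_words)]
    # Capitalise one randomly chosen word rather than always the first.
    i = secrets.randbelow(num_words)
    chosen[i] = chosen[i].capitalize()
    phrase = "-".join(chosen)
    # Insert each symbol at a random position; no letter is replaced.
    for _ in range(num_symbols):
        pos = secrets.randbelow(len(phrase) + 1)
        phrase = phrase[:pos] + secrets.choice(SYMBOLS) + phrase[pos:]
    return phrase


def recover_words(phrase):
    """Strip the inserted symbols to show every original letter survived."""
    plain = "".join(c for c in phrase if c not in SYMBOLS)
    return plain.lower().split("-")


if __name__ == "__main__":
    p = generate_passphrase()
    bits = word_entropy_bits(5, len(WORDS))
    print(f"{p}  ({len(p)} chars, at least {bits:.0f} bits from this tiny list)")
```

With the 32-word sample list, five words contribute only 25 bits; the same five words drawn from a 7,776-word list contribute about 64.6 bits, which is why the size of the list matters as much as the length of the phrase.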
Hopefully these tips are helpful. Please share them with family and friends!
Michael Varian Managing Director - NorthSkyTechnology.com