What you need to know going forward after the Equifax hack

Minimize exposure, monitor accounts, manage damage to avoid future breaches

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Every­one knows a mos­qui­to bite doesn’t real­ly start itch­ing until the dam­age already has been done, and the same goes for many kinds of iden­ti­ty-relat­ed crimes. With news of the recent Equifax breach con­tin­u­ing to sur­face, what do you need to know now to lim­it your exposure?

Equifax has esti­mat­ed the hack impacts 143 mil­lion peo­ple, most­ly in the Unit­ed States. (That’s almost half the U.S. pop­u­la­tion!) The thieves stole names, Social Secu­ri­ty num­bers, birth dates, address­es and driver’s license numbers.

Adam Levin, chair­man and co-founder of Credit.com and Cyber­Scout (for­mer­ly IDT911)

Each item of per­son­al­ly iden­ti­fi­able infor­ma­tion (PII) is like an ingre­di­ent for a recipe. The more ingre­di­ents you have, the more recipes you can pre­pare. Sim­i­lar­ly, the more pieces of PII exposed, the more kinds of fraud thieves can commit.

The prob­lem with freez­ing your cred­it report

The New York Times report­ed still more bad news in the wake of the Equifax announcement.

The cred­it freeze ser­vice the cred­it bureau offered (orig­i­nal­ly offered for a fee until it final­ly decid­ed to pro­vide it for free for 30 days) gen­er­at­ed PINs that were based on the time and date the PIN was cre­at­ed. These PINs are required to release the freeze when­ev­er you need to grant access to your cred­it files in con­nec­tion with a loan, an apart­ment rental, or a job appli­ca­tion (where per­mit­ted by law). Unfor­tu­nate­ly, they’re laugh­ably easy for a hack­er to guess before then.

The big­ger prob­lem is that a freeze needs to be in place at all three report­ing agen­cies in order to be effec­tive. As cred­it expert John Ulzheimer told The New York Times, putting a freeze on your cred­it with only one report­ing agency is “like lock­ing one of three doors in your house and leav­ing the oth­er two unlocked. You’re hop­ing the thief stum­bles on the locked door.”

Types of fraud to be aware of

The hack­ers also made off with 209,000 cred­it card num­bers and 182,000 cred­it dis­pute doc­u­ments con­tain­ing per­son­al­ly iden­ti­fy­ing information.

In August, there was a spike in cred­it card fraud, accord­ing to the New York Post. It seemed odd to secu­ri­ty experts at first, since cred­it card fraud typ­i­cal­ly increas­es around the hol­i­days. The Equifax news seems to pro­vide an expla­na­tion for the sta­tis­ti­cal odd­i­ty. “We saw a 15 per­cent increase in the over­all fraud attempts in our sys­tem in August, which is an unusu­al time of year to see such a spike,” said Liron Dam­ri, co-founder of Forter, a fraud-pre­ven­tion ser­vice for online retailers.

But the threat goes way beyond maxed-out cred­it cards, fraud­u­lent cred­it appli­ca­tions, and tax-refund fraud. With Depart­ment of Motor Vehi­cle infor­ma­tion also in play, the risks are ele­vat­ed. A fake ID made out in your name could cause you to get arrest­ed for an out­stand­ing war­rant. In the realm of iden­ti­ty-relat­ed fraud prod­ucts, a fake driver’s license is a lux­u­ry item for sure, but it’s still one that could hurt you if a scam­mer pro­vides your infor­ma­tion on a fake license the next time they’re pulled over for speed­ing or col­lared for a crime.

And then there’s the seri­ous risk of med­ical-iden­ti­ty fraud. Con­sumers could see delays in pre­scrip­tion ful­fill­ment because of fraud­sters using their health care infor­ma­tion. Worse, con­sumers may not be cov­ered for health care expens­es until they are able to prove they are who they claim to be using the same infor­ma­tion that the crooks used—a frus­trat­ing and often com­pli­cat­ed process.

Legal reme­dies 

One can only assume there will be law­suits galore. In fact, one enter­pris­ing per­son already has auto­mat­ed the process. A robot lawyer is on the case, allow­ing con­sumers to auto­mat­i­cal­ly file a claim against Equifax in small claims court.

Accord­ing to the Verge, con­sumers are still able to join class-action suits while pur­su­ing a small claims court remedy.

Even if you want to be part of the class-action law­suit against Equifax,” the Verge report­ed, “you can still sue Equifax for neg­li­gence in small claims court using the DoNot­Pay bot and demand max­i­mum dam­ages. Max­i­mum dam­ages range between $2,500 in states like Rhode Island and Ken­tucky to $25,000 in Tennessee.”

Pro­tect­ing your­self now

To say that the Equifax PIN assign­ment process was incom­pe­tent is an under­state­ment. Nev­er­the­less, it is a teach­able moment. While it’s OK to hope that your ser­vices and ven­dors will do things right, you need to stay vig­i­lant. And this should go with­out say­ing: If you can change pri­va­cy and authen­ti­ca­tion set­tings on a prod­uct or ser­vice, do it. If that’s not pos­si­ble, per­haps you should con­sid­er find­ing a new ven­dor or service.

The eas­i­est way to pro­tect your­self, in my opin­ion, is by using a sys­tem called the “Three Ms.” The Three Ms is the cen­ter­piece of my book, Swiped: How to Pro­tect Your­self in a World Full of Scam­mers, Phish­ers and Iden­ti­ty Thieves, and the approach con­tin­ues to be the best way to keep your per­son­al­ly iden­ti­fi­able infor­ma­tion from being used in iden­ti­ty-relat­ed crimes.

And they are sim­ple: 

  1. Min­i­mize your expo­sure. Don’t authen­ti­cate your­self to any­one unless you are in con­trol of the inter­ac­tion, don’t over­sshare on social media, be a good stew­ard of your pass­words, safe­guard any doc­u­ments that can be used to hijack your iden­ti­ty, and freeze your credit.
  2. Mon­i­tor your accounts. Check your cred­it report reli­gious­ly, keep track of your cred­it score, and review major accounts dai­ly if pos­si­ble. (You can check your cred­it report for free at Credit.com.) If you pre­fer a more laid-back approach, sign up for free trans­ac­tion alerts from finan­cial ser­vices insti­tu­tions and cred­it card com­pa­nies, or pur­chase a sophis­ti­cat­ed cred­it- and iden­ti­ty-mon­i­tor­ing program,
  3. Man­age the dam­age. Make sure you get on top of any incur­sion into your iden­ti­ty quick­ly, and enroll in a pro­gram where pro­fes­sion­als help you nav­i­gate and resolve iden­ti­ty compromises—oftentimes avail­able for free, or at min­i­mal cost, through insur­ance com­pa­nies, finan­cial ser­vices insti­tu­tions, and HR departments.

Your chances of  ‘get­ting got’

Scam­mers pay around $30 per com­plete ID dossier on the black mar­ket. With 143 mil­lion pack­ets avail­able through the Equifax breach, that’s more than $4 bil­lion worth of infor­ma­tion. Though it may not seem so at first glance, this could actu­al­ly be good news for you: Your chances of “get­ting got” decrease with an increase in avail­able targets.

Odds aside, though, Equifax is not the first, nor will it be the last, breach of note. Being pre­pared and alert is still the best rem­e­dy, because breach­es have become the third cer­tain­ty in life—right behind death and taxes.

A final tip: Check with your insur­ance com­pa­ny, finan­cial ser­vices insti­tu­tion, or employ­er. You already may have access to iden­ti­ty pro­tec­tion and res­o­lu­tion ser­vices, which is your best bet when it comes time to nav­i­gate the iden­ti­ty theft quagmire.

Full dis­clo­sure: Cyber­Scout spon­sors Third­Cer­tain­ty. This sto­ry orig­i­nat­ed as an Op/Ed con­tri­bu­tion to Credit.com and does not nec­es­sar­i­ly rep­re­sent the views of the com­pa­ny or its part­ners. 

More on iden­ti­ty theft:
Iden­ti­ty Theft: What You Need to Know
3 Dumb Things You Can Do With Email
How Can You Tell If Your Iden­ti­ty Has Been Stolen?