Protecting yourself after the Equifax personal information leaks
The Equifax leak of our personal information is particularly harmful; it makes identity theft of most credit-holding Americans trivially easy for the rest of their lives. Not for just one year, but until we pass away. The problem is that the information leaked consists of exactly the personal details that do not change. Steve Rubin of Phoenix, AZ wrote about the best step-by-step guide to how we should react that I have seen so far; I have made a few edits based on my own experience.
Here it is, in ten steps (follow them in order). The first few won’t seem to be directly related, but they create the foundation for what you need to have in place in later steps.
1. Don’t get angry (that comes later). Find a comfortable place to work and maybe get yourself a snack.
2. Set up a password manager, if you don’t already use one. I’m not going to get into password theory too much, but you should be using passwords at least 16-20 characters long, and thus you won’t be able to remember them all. Steve uses 1Password and is happy with it. I use KeePassX and MiniKeePass from the KeePass family. KeePass (http://keepass.info/) or 1Password (https://1password.com/) are best of all; LastPass (https://lastpass.com) is also very good, but be aware its encryption is private and may or may not be secure (though many people and organizations I trust swear by LastPass). Any of the three is vastly better than not having secure passwords in a vault/manager.
3. Secure your primary email address(es). You have to be sure that you can receive communications safely. Set a strong password. Enable two-factor authentication (2FA). Save the credentials in your password manager. A secure email address where you can receive verification codes is needed later; you need to prevent anyone else from taking control of your email address long enough to intercept verification codes sent to the email address(es).
4. Secure your mobile phone. Set a strong password. Use Touch ID if you have it. This is where those 2FA codes are going to be sent, so you have to be sure that is completely safe too. Save the credentials in your password manager. Edit: I do not recommend any biometrics as a credential, as it is way too easy to spoof them; a strong passcode to get into the phone is much better. A secure phone number where you can receive verification text messages is needed later; you need to prevent anyone else from taking control of your mobile phone long enough to intercept verification codes sent to the phone number(s).
(The next few steps need the prior ones completed first, so review 1-4 and make sure you have all of that set up.)
5. Make sure you have control of your Social Security account. Go to https://www.ssa.gov/ and create an account. Choose every security option it gives you. Save the credentials in your password manager. This agency is likely to use texts, emails, and US postal mail to verify you are who you say you are; plan on it taking several days, but you can press on while you wait…
6. Make sure you have control of your IRS account. Go to https://www.irs.gov/individuals/get-transcript and create an account. Choose every security option it gives you. You don’t actually need to get the transcript at the end (but you can); you just want the account controlled. Save the credentials in your password manager. This agency is likely to use texts, emails, and US postal mail to verify you are who you say you are; plan on it taking several days, but you can press on while you wait…
7. For every bank account, credit card, or other financial account you have, log in and make sure you have a strong password set. Save the credentials in your password manager. Then, go through all the alert options and use them! Get used to receiving lots of emails confirming that transactions are actually yours. That’s your new normal. Assume any bank-issued PINs are compromised and change them. Don’t forget 401(k), IRA, and stock trading accounts, and even airline/hotel frequent flier programs.
8. Are there any new credit cards that you NEED to apply for, insurance policies you are planning to open, or utilities you have to set up? Want a new phone? Is there anything else that might at all trigger a credit check? Do it now. Then come back to this list. I’m not suggesting doing anything you wouldn’t have done anyway, but if you were two days away from applying for a fancy new credit card, it will be easier to deal with before you lock things down.
9. Set up a schedule for getting your free annual credit reports. Look them over for errors and report any that you find. You get one free from each major agency per year. A possible schedule might be SEP 10 Experian, JAN 10 TransUnion, MAY 10 Equifax (and feel free to hope that Equifax doesn’t exist in eight months…). Set annual calendar alerts and act on them when they come up. The official site is https://www.annualcreditreport.com. Be wary of spoof sites and even sites run by the credit reporting agencies themselves that do nothing but try to pressure you into buying their commercial offerings (most of which are a rip-off).
10. Set up fraud and security alerts. The upside is that this should mean that a credit agency has to contact you (preferably by phone) before taking an action on your credit history. So if someone tries to use your information, you’ll receive a phone call, thus it should be obvious if the inquiry is on your behalf or not.
The downside is that you have to renew it every 90 days. At the moment, there is no way around this hassle.
You need to contact one of the three major agencies and they will inform the other two. You want an Initial Fraud Alert. It should be obvious that Equifax is a lost cause, so use Experian or TransUnion:
https://www.experian.com/fraud/center.html
https://www.transunion.com/fraud-victim-resource/place-fraud-alert
You also should contact ChexSystems. They deal with new checking/savings accounts, and you don’t want someone else opening one in your name. You want to Place A Security Alert. https://www.chexsystems.com
11. BONUS ITEM. Contact your state’s Attorney General and/or members of Congress. Equifax has to be taken to task for this failure (AG), and the rules about how credit works and identities are verified need to be completely rebuilt (Congress).
What about identity/credit monitoring? Equifax is going to be giving away a year of monitoring. That’s standard procedure for these breaches, and when it’s a standard breach that’s a mediocre response. Remember the difference in the type of information, though? This is not a standard breach, so it’s a nearly irrelevant response. You also may (it’s unclear) forfeit your right to join a class action lawsuit if you accept it.
Identity monitoring is really insurance. They promise lots of things, but they can’t prevent anything. They can only react. If you feel more comfortable having that insurance, so that you have a team available to help you in case your identity is compromised, then feel free to get one of these products. But you may want to look for one that isn’t run by one of the credit agencies or their subsidiaries. That seems like a conflict of interest to me.
What about credit freezes? Unless you live in a state that has laws making these free, I don’t recommend them. The biggest problem is that all of the information needed to call a credit agency and unfreeze has been leaked, so you’ll probably just be wasting your money! You can read more about what these are at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs