Equifax hack

[George the original one]

Everybody checked whether their credit info was hacked out of Equifax?

In defense of my credit, it's probably time to lock that down. Am now weighing pros/cons of:
1) 90 day fraud alert

• no brainer

• free

2) credit freeze

• expense

• retired, so less need to unfreeze

3) Extended fraud alert (renewing every 7 years)

• extra paperwork

4) Getting fresh bank accounts before doing the above

[cmonkey]

Given 143 million people are affected, I think its safe to say we are all affected. Their site tells me that I am.

Here's how to freeze your credit. Seems like a good response to this if you do not have any need of new accounts at least for the interim.

This is pretty crazy, though. A definitely changing out of the CC's is in order at the very least. What can you do about your SSN and DL number though?

[SavingWithBabies]

A previous employer got hacked and released much of the same information. I had a couple years of LifeLock for free. No problems so far.

I think it actually helps that the scale is so huge -- one person in 143 million. Will they try to use your data for fraud?

I'd do the smart things but so far in my experience no problems.

[Chris]

Not sure there is any good remediation you can do for this. The monitoring that Equifax is offering is probably worthless (how much do you trust Equifax at this point?). Since consumers aren't liable for fraudulent CC charges, I wouldn't change any CC numbers just yet. A credit freeze is ok, since it prevents new pulls of your credit report, and can't be unfrozen without a PIN. But what's the policy for recovering a lost PIN? They ask you your SSN and birthdate? The hackers already have that info.

From Equifax's perspective, we're all just a collection of data fields (name+SSN+DoB+addresses). I don't see how they will be able to protect against fraud if the thing they use to authenticate you are all the data they have about you has been stolen. The main problem is that your SSN is treated like a password... a password that you can't control.

So yeah, at this point, I think the biggest thing preventing identity theft based on this attack is the fee to unfreeze frozen credit reports. If that hackers decide to monetize the data they've stolen, it will be easier to do so with the reports that are not frozen. But if you are being targeted, it probably doesn't matter.

[George the original one]

As you say, Chris, fraudulent CC charges aren't much of a concern. Bigger concern is your debit card!

Really, though, I think the insidious nature of this particular hack is the potential for future abuse, 2, 3, 5 years down the road. After all, the criminals know the accounts are likely to be frozen for 6-12 months, so they can afford to sit on it. Your info is effectively more wide open than ever before because this batch contains enough information to duplicate your entire financial identity and it can't be taken back.

[George the original one]

What can you do about your SSN and DL number though?

SSN = screwed. Driver's license, however, can be changed. At least I've heard it can be changed in some states. Worth checking!

Edit: Here's what Oregon says... implies fraud has to take place first before a new number can be issued.

You may be eligible for a new driver license or ID card number if your name and number have been used fraudulently. To apply submit at least one of the following documents:
A police report or a letter on police letterhead;
A report or letter from a credit card company, credit reporting bureau or financial institution;
A report or letter from the Oregon Department of Revenue or the Internal Revenue Service;
A document issued by a Court; or
A letter from a District Attorney.
You must include:
A signed statement explaining what happened and why you need a new number;
Your contact information, including a daytime phone number; and
 A completed application

[SavingWithBabies]

Looks like you can change your SSN but only after you have been subjected to identify theft:

https://faq.ssa.gov/link/portal/34011/3 ... ity-number

We can assign a different number only if:

* Sequential numbers assigned to members of the same family are causing problems;
* More than one person is assigned or using the same number;
* A victim of identity theft continues to be disadvantaged by using the original number;
* There is a situation of harassment, abuse or life endangerment; or
* An individual has religious or cultural objections to certain numbers or digits in the original number. (We require written documentation in support of the objection from a religious group with which the number holder has an established relationship.)

@George One upside though with multiple years is that hopefully this breach was big enough that now SSN and such data is now regarded as tainted and no longer usable as a secret. It might take a bit of time for that to happen. There will definitely be people/organizations that don't get the memo though.

[cmonkey]

Really, though, I think the insidious nature of this particular hack is the potential for future abuse, 2, 3, 5 years down the road. After all, the criminals know the accounts are likely to be frozen for 6-12 months, so they can afford to sit on it. Your info is effectively more wide open than ever before because this batch contains enough information to duplicate your entire financial identity and it can't be taken back.

+1

I think this is bigger than anyone is realizing. This info is now out FOREVER. An appropriate response is probably lifetime credit monitoring and lifetime freezing of credit reports. If you need a new loan just unfreeze for a small window of time and then refreeze. With the kind of net worth floating around on these forums, these are small fees to pay for some protection.

[bryan]

An interesting thing about identity theft fraud is that now with Bitcoin et al a fraudster can quickly cash in/out into such useful, fungible assets. For example, ta might steal someone's identity, open lines of credit, and quickly end up with BTC (high assurance of settlement, fungible) thanks to having access to a global market (better margins) that accepts usage of BTC directly and not intermediaries like banks. Good or bad?

[slowtraveler]

How the hell do they not have a lawsuit for insider trading?

The executives cashed out stock the week before sharing the news, well after the hack itself happened.

[Scott 2]

I've had my credit frozen for several years now. Other than putting a stop to any credit card points churning games, I haven't seen a down side. I also haven't had a reason to try unfreezing.

I also pull my credit report multiple times a year and monitor my accounts typically weekly.

I've had various credit monitoring protections due to prior breaches over the past five years or so. They've never done anything useful that I am aware of.

This is going to keep happening. Your data is going to be out there. Get used to the new normal. Lock things down and monitor them.

[jennypenny]

It's hard for me to get worked up over the Equifax breach since they did SQUAT when OPM was breached. Granted, it was only 22 million people, but it included background and fingerprint information. If my fingerprints are out there, what's the point of changing my SS number?

If you do change accounts, pick a bank that has a good reputation for how it handles ID theft and fraudulent accounts. Chase has a good reputation, Wells Fargo not so much.

[slowtraveler]

Seriously considering freezing credit, though it makes credit card bonus sign ups less realistic due to fees.

[Kriegsspiel]

It's hard for me to get worked up over the Equifax breach since they did SQUAT when OPM was breached. Granted, it was only 22 million people, but it included background and fingerprint information. If my fingerprints are out there, what's the point of changing my SS number?

If you do change accounts, pick a bank that has a good reputation for how it handles ID theft and fraudulent accounts. Chase has a good reputation, Wells Fargo not so much.

IIRC, the "they" that breached the OPM was the Chinese military, I always figured they were looking for people to turn, not identities to steal. But this recent hack could have been by identity farmers who actually want to do that.

I think it's pretty fucking outrageous that you have to PAY a company to STOP setting up lines of credit in your name (I never paid them to opt in), but that's what I'm likely going to do.

[Farm_or]

What site / company do you use to monitor your credit?

[SavingWithBabies]

A good read on this subject is How I Learned to Stop Worrying and Embrace the Security Freeze by Brian Krebs. It was published in June of 2015 and applies just as much today. It also links to Are Credit Monitoring Services Worth It?.

If you’ve been paying attention in recent years, you might have noticed that just about everyone is losing your personal data. Even if you haven’t noticed (or maybe you just haven’t actually received a breach notice), I’m here to tell you that if you’re an American, your basic personal data is already for sale. What follows is a primer on what you can do to avoid becoming a victim of identity theft as a result of all this data (s)pillage.

Krebs is an authority in the tech security field.

[cmonkey]

Equifax is now allowing 30 days of fee-free freezing of credit reports. This is assuming you can even get it to work though, their system is being flooded at the moment. In fact I can't freeze at either of the either two either so best wait a while. They will likely extend the 30 day free.

Does anyone recommend any credit monitoring service? Once a year from annual credit report is no longer good enough for me.

It also links to Are Credit Monitoring Services Worth It?.

Just saw this bit in that link which is good to know and I think would be adequate going forward.

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task);

[suomalainen]

@cmonkey - source?

Meaning, are you suggesting that Equifax will pay for freezes at the other two agencies also?

[cmonkey]

@cmonkey - source?

Meaning, are you suggesting that Equifax will pay for freezes at the other two agencies also?

Here.

Not at this time, but you might expect it in the near future. Lots of ticked off people.

[Scott 2]

I've been happy with Mint for monitoring. I also log into the important accounts every month or two, get emails on transactions or changes, use two factor authentication when available, strong passwords, etc.

I did have a credit card stolen about a year ago. The fraudulent transactions came at midnight, the night before I was leaving on a trip. They were local to my hometown. The credit card company alerted me to the first one. As soon as I got their email, I denied the transaction, logged in to find a second one, and got on the phone at 1 in the morning to dispute the charge and cancel the card.

Vigilance over your data is the price of playing in our modern digital economy.

IMO my most "at risk" account is the debit card. I limit that balance to a few hundred dollars and am very selective about where I use it. Almost exclusively it is in well secured ATMs for cash. If I did not have reason to spend a few hundred in cash each month, I would cancel the card.