What you can do after the Equifax Hack.
Equifax got hacked. They say 143 million accounts had data stolen. Let’s be honest: That basically means every adult who has ever had any kind of credit in the USA has had compromising information stolen. This includes the kinds of personal details used to open accounts in your name: Birthdate, Social Security Number, Driver’s License Number, Current Address, Previous Address, etc. They haven’t announced yet (as far as I know), but they also store tons of very detailed information, including loan balances, payment amounts, and other details that are used to verify your identity.
What is more concerning, however, is that this information can also be used to empty your bank and stock accounts. Much of this information is used by banks to verify who you are when you call in, such as when you forget your password and need it reset. Equifax has the kind of information that is used for security questions – mother’s maiden name, which street you lived on in the past, where you met your spouse, etc. Other than Facebook, Google, and the FBI, they probably know the most about you.
How can you protect your accounts?
My biggest concern is that people will use this information to try to gain access to your financial accounts. You should immediately review each of your account providers’ security options and enable any higher levels of security that are available.
For example, does your bank offer 2-factor authentication? This is where they text or email a code to you that you then enter along with or after your password when logging in. Or it may be a key card that has a list of keys on it like a decoder ring. Or an app you install on your smartphone such as Google Authenticator or Interactive Brokers’ Key.
All of these steps would slow down and frustrate a would-be attacker, but they are not foolproof. Text messages and email are especially weak. The same information stolen from Equifax could be used to hijack your phone number or email account, depending on your security questions. Someone can use a new phone, call up your phone provider, and try to get the number transferred to their phone using your information. There are steps phone companies take to protect against this, but they aren’t foolproof. Do not rely on SMS/text message 2-factor, although it is better than nothing. If your financial institution doesn’t offer anything more advanced than that, consider moving to one that takes security more seriously, especially if you have serious money.
Security questions were originally supposed to help people reset their passwords by asking questions that probably only you or someone close to you knows the answer to. Now everyone knows the answer to these questions.
As frustrating as it is, you should now consider security questions to actually be additional passwords. When you create an account and set up your security questions, do not answer the questions truthfully. If the question is “Where did you meet your spouse?” set the answer to something like “I like ice cream.” Even if an attacker knows where you met your spouse, they would not be able to gain access to your account.
Unfortunately, this means you have to remember yet another password. It’s a pain in the ass. But that’s what you need to do these days.
How can you prevent new credit in your name?
The best way that I know of to prevent someone from opening a credit account or taking a loan in your name is to freeze your credit reports. When you freeze your credit reports, if someone applies for a loan in your name and the lender checks your credit through any of the major credit agencies, the check will not go through. It will also inform the person doing the check that the credit report is frozen. This raises a red flag to the lender and they most likely will not proceed. They may investigate the person applying, but there is no guarantee.
This costs $10-30 per credit reporting agency. The big ones are Equifax, Experian, and TransUnion. Any time you really do need to apply for an account, you will want to ask the lender which credit agency they use. Just tell them “I froze my credit reports to prevent fraud and I need to know which agency you use so I can unlock the report when I apply.” They’ll say “We use TransUnion” and you’ll then go to TransUnion’s site and unlock your report. After you are done applying for credit, you’ll need to pay a fee again to lock your report.
Always keep on top of your accounts. You should do this anyway as you are tracking your spending and net worth closely. Make sure there are no unexpected withdrawals from any of your accounts.
Just like how Congress required credit reporting companies to provide us with a free credit report each year to verify they are accurate, I suspect this is going to have to be expanded at some point to be unlimited access for consumers. We need to be able to monitor that these are accurate and no new accounts are created without our knowledge. I also think we probably need the right to lock our credit reports at any time for free or at least require our permission to release our credit report anytime someone tries to check it.