Why your personal data will be compromised if it hasn’t already been, and what to do to protect yourself from the consequences of identity theft.

In this episode you’ll learn:
- How much personal data has been stolen by hackers since 2005.
- What are the different types of identity fraud.
- How prevalent is bank fraud.
- How much is stolen data worth.
- How to protect yourself from identity theft.
- What is a credit freeze and what are some of the drawbacks.
Show Notes
Identity Theft Resource Center Data Breaches
Identity Fraud Hits Record Number of Americans in 2016 – NBC News
2015 ABA Deposit Account Fraud Survey
Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency – New York Times
The value of stolen data compiled by LogDog
Everything You Need to Know About Password Managers – Consumer Reports
Experian Security Freeze Center
IdentityTheft.gov – Federal Trade Commission
Transcript
Welcome to Money For the Rest of Us, our personal finance show on money, how it works, how to invest it and how to live without worrying about it. I’m your host, David Stein. Today is episode 172, titled “Should you freeze your credit?”
About a week ago I got an e-mail from Tom. He’s a long-time listener of this show, and a member of Money For the Rest of Us Plus. He wrote:
“In today’s world, the sad reality is just as we manage things like security risk through diversification, we must manage the risk created by hackers or identity thieves. I view this simply as another risk to be managed by anyone with assets worth hacking. Like most ideas, a personal experience prompted this one – someone filed a tax return using my name and social security. Fortunately, the IRS caught it, but it proved to be quite a hassle.”
Three days after I got that e-mail from Tom, one of the three major U.S. credit reporting agencies, Equifax, announced what has to be the largest data breach in U.S. history. How many consumers were impacted? 143 million. Can you imagine that? 43% of the U.S.
My son, he called me up a few days later and he says “What’s the chance that I am impacted by this credit breach?” I said 43%. And what was lost? Names, social security numbers, birth dates, addresses, in some cases driver’s license numbers, credit card numbers of approximately 209,000 U.S. consumers. It’s absolutely amazing… But it’s not the first time.
Data Breaches
In 2015 Experian disclosed that their systems had been hacked… 15 million social security numbers. This is for individuals who had applied for financing through T-Mobile. 2013, Equifax, TransUnion said hackers stole celebrity credit reports. Target, 2013 holiday season – 40 million credit and debit cards of shoppers were stolen.
Have you been a victim of one of these breaches? I have, numerous times. So many that I couldn’t even remember. The first time, I do remember; you always remember your first time… June 2007, I get a letter from the state of Ohio saying my data probably had been stolen. They had that tape that was stolen out of an intern’s car, a backup tape. This was 10 years ago. I guess they had backup tapes for tax data in the back of an intern’s car. That was a common practice, apparently, to take tapes home for safekeeping.
That was the first time I was signed up for a credit monitoring service, because my data had been hacked. Now, nothing came of it, but that was the first time my name and social security number was out there in the hands of criminals. A year or so later the police showed up at our door, I wasn’t home. Woke LaPriel up, it was early morning. He was just checking on her, because somebody had called the police. They had gotten an e-mail that we were stranded, LaPriel and I, in Europe; had a serious medical condition, didn’t have any money, because our money had been stolen, and that we needed our friends on LaPriel’s hacked Yahoo! e-mail account to wire some money to save us from our plight.
In 2013, a different type of identity theft, or at least data breach… We were traveling in Europe; my son left his backpack unattended for a little bit, he forgot. We saw it on the security camera. A trucker at a truck stop picked up the bag. We lost a laptop, an iPad, a camera… But hardware with sensitive data on it.
In 2015 my health insurance, Anthem Blue Cross announced 80 million members’ information – names, birth dates, social security number. Again, my data – gone, out there.
In 2015 I’m in Brooklyn, I’m using my debit card, my number gets stolen and I get signed up for some subscription service; I don’t remember what it was… I called the bank and they were able to reverse it. But this happens, and it brings up the question “How much data has been stolen?” So I looked it up. The Identity Theft Resource Center – they track security breaches. They’ve been doing it since 2005. The number of breaches – this is from January 1st, 2005 through September 5th, 2017. So it doesn’t include the Equifax data. It’s released every week, and I guess we’ll see the new numbers later today. But through last week, the number of breaches – 7,873. How many records? 907 million records are out there. So many… It’s amazing.
Things that they track are social security numbers, credit and debit card numbers, e-mail passwords, protected health information, driver’s license… It’s incredible what’s going on. The 2017 Javelin Identity Fraud Report – they do this once a year. Javelin’s a research outfit; they took this over from (I believe) the Federal Trade Commission in 2003… So they’ve been doing this report based on a survey of 5,028 adults. Now, these aren’t data breaches, this is actual fraud, where money was stolen.
An Increase of Fraud
In 2017 the study estimates 6.15% of U.S. consumers were impacted by fraud. That’s up from 5.3% in 2015. Two million more victims. The thieves stole 16 billion dollars. They classify the different types…
Here’s a type of fraud that’s up 40% year over year – card not present fraud. Basically, that’s where they steal credit card numbers to buy things. That’s what it is, the card is not present… Online purchases to buy things – up 40% in 2016. Al Pascual – he’s the Research Director and Head of Fraud and Security at Javelin Strategy and Research. He said:
“The criminals are getting better at committing this fraud (card not present). The reason is more and more credit cards have EMV chips; they’re chip-based, so it’s essentially impossible to counterfeit those.”
Another type of fraud is new account fraud. That doubled last year. That’s where criminals open a new credit card account using your name. They just simply buy stolen information – your date of birth, your mother’s maiden name, social security number.
Another type of fraud is account takeover fraud. That’s where they use your stolen information to access your account. It could be your bank information, or they could have a new card sent to them. This account takeover fraud last year was up 61% – 2.3 billion dollars stolen.
Another type of fraud – I hadn’t even heard of this fraud… Mobile phone hijacking. Thieves go to the store, or they call online they have a new phone, and they convince AT&T, T-Mobile, Verizon to transfer the phone — they impersonate you, and then they can take over their phone. And why would they do that? Well, then they can intercept e-mail, text messages, often times particularly for bank accounts, or other secure accounts; if you have double authentication, where they text you a code to verify that… They can take over your bank account.
Here’s an article that Tom sent me, and this absolutely dumbfounded me. The New York Times article from August 2017. This is mobile phone hacking – in this case they’re targeting individuals in the Bitcoin community and taking over their mobile phone number and then accessing their Bitcoin that is stored on wallets on their phone.
Joby Weeks (Bitcoin entrepreneur) says “Everybody I know in the cryptocurrency space has gotten their phone number stolen.” Weeks lost his phone number, and a million dollars’ worth of virtual currency late last year.
Last week I was visiting with the branch manager at the bank where I host my business accounts, and I asked her, “How often are people stealing/breaking into people’s online bank account and stealing money? Because I’ve heard it’s happening quite frequently.” She says in her branch – she’s been there 2.5 years – it’s only happened once. It was a couple from California, so it wasn’t even anyone locally. But she was actually more worried about debit card fraud, particularly something I’d never heard of either – thermal imaging.
Apparently, when you put in your PIN at an ATM, particularly if it’s plastic keys or rubber keys, there’s a heat signature that’s left. Somebody can come right after you with their phone (or some other device) and they can see where there are some heat signatures and see where you pressed, and they can steal your PIN. Then if they can get the ATM card, or some other way of getting it, they can steal your money.
Now, the way to protect against that, from what I saw on the internet, is when you’re putting in your PIN, make sure your fingers touch a bunch of different keys, or are resting on the keys, so then there’ll be a heat signature on all the keys. But that’s what this branch manager was worried about.
The American Bankers Association does a deposit account fraud survey every two years. They’ll be doing another one this year. This is data from 2014 – 1.9 billion dollars in losses, but 66% were debit card fraud… So a PIN or an ATM combined. Something related to a debit card. Or like in my case in Brooklyn – my debit card number was stolen by a sniffer embedded into the ATM. I stuck my card in, and there was some malware on the ATM that stole the number.
So 1.9 billion dollars in losses, 66% debit card, 32% was check fraud, and only 2% was attributed to online banking electronic transactions, such as wires or ACH – somewhere where they’re compromising the password, or there’s some type of wire fraud.
How to Proceed
So what do we do? Well, I’m convinced that if your data has not been compromised, it will. There’s just so much data out there, and I was thinking about a metaphor… It reminded me – in 2003 one of my former partners… I was in Seattle, and a partner called on my cell phone, and we got in a conversation and we got to talking about spam, which was still fairly new; there were not very good spam filters, and we would get all of this e-mail from really trashy websites. And I remember this partner was thinking it was something he had done, that somehow he individually was attracting this type of attention, but it just became overwhelming until spam filters got better.
We’re seeing the same thing with mobile phones. There is software out there that can mimic any mobile phone number. And maybe you’ve been caught up in this – somebody rings you from a mobile phone number that looks really close to your number. Maybe the area code and the first three digits are the same, and you pick up and it’s some recording about winning a trip to Orlando. It’s gotten so rep– I got two calls yesterday from fake calls. I don’t pick up anymore. So we learn to adapt…
In terms of data breaches/identity fraud, we’ve just gotta learn to adapt. Your data will more than likely be compromised… And there’s so much data out there. One of my questions was what’s this data even worth? And I found a site, LogDog (who I had not heard of); they’re an identity theft app… There’s an underground economy where you can buy stolen data, stolen e-mail accounts, stolen social security numbers, or information for social media profiles, dating sites… Kind of amazing.
This was interesting… So the credentials for a dating site on the black market is worth more than a social security number. eHarmony login credentials – $10. That’s what it’s worth. I think this is 2016 data. A credit card number or a social security number – it’s only worth a dollar. Amazon credentials – 70 cents. PayPal credentials are worth from $1 to $80. What’s interesting is as more and more data gets out there, that it’s actually worth less, just because of sheer supply versus demand.
So what are some of the things you can do to protect yourself? Well, first use a password manager like LastPass, 1Password, Dashlane… I admit, I only started using one of these about a year ago. My sister-in-law convinced me to start. Now, I didn’t feel as bad about that after reading that Lorrie Cranor, who was formerly the Chief Technologist at the Federal Trade Commission – their job is to protect consumers from online crimes – she just started using one of these password managers in late 2016. She said: “I’ve been advocating password managers for years, but I’d never actually tried one.”
Lujo Bauer – he’s a security researcher and associate professor at Carnegie Mellon University – says “Password managers are not a magic pill, but for most users they’ll offer a much better combination of security and convenience than they have without them. Everyone should be using one.” This is from a Consumer Reports article, and I’ll link to this article, as well as others that I’ve mentioned in the episode, and you can get that at moneyfortherestofus.com. Or if you’re a member of my free weekly Insider’s Guide, you will have gotten those show notes, along with really the best writing I do each week. I write an essay each week, something along the topic of that week’s episode, but it’s not exactly the same; it’s different, and it only goes to members on that e-mail list, so sign up for that at moneyfortherestofus.com, or as a U.S.-based listener, you can text the word “insider” to the number 44222.
But these password managers – they use what’s called AES-256 encryption. This is the same sort of encryption that the Federal Government uses to protect classified information, so it’s well-tested and your passwords are often stored by these password managers either on your computer or in the cloud… But it’s another level of protection, so you’re not using (like I did for many years) the same password for everything because you didn’t feel like writing it down or memorizing it. Now I use a password manager…
Another thing you can do is what I did just yesterday – I went online to my phone company for my mobile phone, and I put extra security… An extra password/passcode on there so if somebody goes into the store or they call up AT&T and try to impersonate me to steal my phone number, then they have to provide an extra passcode that only I remember.
But there’s a trade-off between convenience and security. I mentioned I was at the bank, speaking with the banker. I didn’t wanna be there. In fact, I’d been there three times already that week, because that bank won’t let me send a wire. I needed to wire some money out; they only let me do it in person. Not even at the window. I have to talk to a banker. They call them the bankers… I mean, they’re the branch manager, but… You have to talk to the banker in order to wire money. Now, I can tell you this bank probably has very little wire fraud, because you have to show up in person in order to wire money. Now, I only use this bank because I can’t get an online business account.
For our household account we use an online bank. In that case, I do my wire online, they text me a confirmation number, and then I can get my wire sent out. But again, if somebody stole my phone, then they could intercept, and if they had the password to my bank account, then they could steal my money. But again, the incidence of that happening is actually much less than debit card fraud or other fraud related to your data being compromised or breached by a credit reporting agency or a retailer. That’s where most of the fraud is occurring, where you don’t have control of that.
There’s things you can do on your own, but if some entity loses your social security number or your other information, you’re exposed. Somebody could open up an account in your name; somebody could take over one of your accounts. That’s the risk… So that’s why I did probably the most extreme thing you can do.
If somebody actually opens an account in your name, you could put a fraud alert on your — in fact, you call up one of the credit reporting agencies, and by law they have to contact the other two agencies, and there’s a fraud alert on your account, it’s good for 90 days… So if there’s any suspicious activity or additional activity, you’re notified and they’re notified. That’s one thing you could do if there has been fraud, but you have to renew that every 90 days.
You can have a credit monitoring service, pay $10-$30, and they’ll monitor for any suspicious activity on your account. That’s $10-$30/month. But I went all-in. If you look at the title of today’s episode “Should you consider a credit freeze?” and that’s what I did. A credit freeze prevents a new creditor from getting access to your credit report. So if somebody’s trying to open an account in your name, a new credit card, for example, the credit card company can’t get access to your credit report, so they’re not going to issue credit in your name.
Now, there are some drawbacks, because it’s not just credit card companies that might be accessing your credit. If you’re renting a new apartment or if you’re setting up phone or electrical service, sometimes employers will run a credit check. But once it’s set up, it’s frozen, and you do it individually with each company, you can freeze and unfreeze your credit. Sometimes there’s a delay of several days, which in some regards is a discipline, because it gives you control… There is a level of inconvenience, but it gives you that protection.
It was really easy to do, I was surprised. I went online to Equifax… I didn’t even check Equifax to see if my data was compromised, I just assumed it was, so I went right to credit freeze on Equifax. It took about 5-10 minutes. I did the same thing with Experian; it took just a few minutes. They charged $6, and the fee depends based on what state you live in, but sometimes there’s a modest fee. TransUnion was also free to set up… And that way, I’m protected. I’m not planning on borrowing any money or renting an apartment, so I can have some additional protection there. I think that’s a good thing.
Now, four states remove your credit freeze automatically after seven years. That’s Kentucky, Nebraska, Pennsylvania and South Dakota… But the rest of them don’t. And this doesn’t impact your credit score. All the research I did says this doesn’t impact your credit score, so your existing creditors can continue to report your pay history… But it does protect you, because your credit is frozen. Nobody can access that credit report and open up an account. I think that’s the better thing to do that — I mean, I guess you could do credit monitoring, but I’m kind of cheap, I don’t want to pay for it.
Now, Equifax will pay for credit monitoring for the next year if I sign up, so you’ll have that. Usually, when there’s a data breach, that’s what they provide you – the credit monitoring type service.
If you’re a victim of identity theft in the U.S., the U.S. government has a very helpful website with steps you can take. You can go to IdentityTheft.gov and it’ll walk you through all the steps, depending on the type of identity theft that occurred – whether it was a credit card, social security number, or things like that. That’s IdentityTheft.gov.
That’s this week’s episode. I would assume that your data has been breached, so you have to protect yourself. I have elected to do a credit freeze, but you can do a credit monitoring… But there’s a trade-off – how much inconvenience do you want to have? In my case, for example for my banks, I don’t have double authentication, so they’re not texting me a code in order for me to log on to my bank, because if I do that, then services that I use such as Mint, or QuickBooks – they don’t work if you have to get sent a code every time you log on… So I have elected convenience there, willing to take the risk, because most of the bank fraud has been related to wire fraud or debit accounts being compromised; it’s not been necessarily stolen passwords.
There’s a risk, but when it happens – and I talked to my about this, what happens when somebody does steal your money from the bank; their fraud department will research it, but generally speaking, you’ll get the money back, so you’re protected that way. It ends up just being a major inconvenience if you’re a victim of identity fraud, so the level of protection you want to do kind of depends on how much inconvenience you want to give up now in terms of accessing your accounts vs. later sort of sorting out the whole mess when it does occur.
Everything I’ve shared with you in this week’s episode has been for general education only. I’ve not considered your specific risk profile, I’ve not provided investment advice. This is simply general education on money, investing and the economy. Have a great week!