You should assume that criminals have your private information – credit card numbers, date of birth, Social Security number, etc. If they did not already have this data from hacks at Target, Home Depot, Yahoo, and other institutions, they almost assuredly have some of your private information following the Equifax breach. “But wait,” you say, “the Equifax website indicates that ‘Based on the information provided, we believe that your personal information was not impacted by this incident.’”
Here’s the dirty secret that has become abundantly clear in the past week: Equifax still does not know the entirety of what information was stolen or who was impacted. Type in your last name and last six digits of your Social Security number on the Equifax website and you’re likely to get different answers on different days. Or just randomly make up a name and 6 digits and you will see how phony the answers seem to be.
So our advice is not to bother visiting the Equifax website. Determining whether you were impacted is not reliable (you almost assuredly were) and the credit file monitoring service is a weak form of security that is likely to provide a false sense of safety.
What are the actions that you should take?
1) Freeze your credit.
Consider the following analogy. You have three doors to your house – one each in the back, front, and on the side. Freezing your credit at all three agencies is like locking and bolting all three doors to your house. Alternatively, activating the monitoring service offered by Equifax is like leaving all your doors unlocked and getting an alarm if an intruder tries to enter your home. But only if that intruder tries to enter the side door – not back or front. And only after the intruder has already left the area.
Establishing a credit freeze is an absolute must. It was a critical protection step for every person before the Equifax hack and remains a critical step afterwards. A credit freeze is the most secure and robust way to lock down your credit. Yes, there can be a cost but it’s a nominal expense for the security and the peace of mind. In Georgia, anyone under 65 years old has to pay $3 to lock their credit at each bureau (free for anyone over 65). In some states like South Carolina, it is free for everyone. We wrote this article back in April 2014 explaining how the freeze works and providing instructions on how to establish a freeze at each credit bureau. Read it and use it as a resource.
2) Review your credit report.
Notably, this is not advice to review your credit score – this is advice to review your credit report. You can have a great credit score but still have unauthorized activity on your credit report. There is one place and only one place to do this for free: annualcreditreport.com.
The key in reviewing the report is to look for accounts, names, addresses, or hard credit inquiries that you do not recognize. Check your reports at least once a year and if you see something you don’t recognize, it’s time to do more digging or call the credit bureau. There is some helpful information here about reviewing your report.
3) Use complex passwords and a password manager.
Do yourself a favor and don’t make it easy for criminals to get into your online accounts with or without your data. Given the growing number of separate passwords we all have today to access email, bank accounts, frequent flier accounts, credit cards, social media, and beyond, there are effectively only three options for password management:
- Use the same or similar password for every account and just remember it/them.
- Use unique, complex passwords and write them down on paper that you carry with you or leave at your home.
- Use unique, complex passwords and store them in a secure password manager.
The first option is like owning 25 adjacent rental properties and using an identical key for each property. Imagine that you use the same password for Amazon, your health insurance website, and your bank account. If your credentials for just one of those three accounts get hacked and end up in the hands of criminals, it’s the equivalent of them all being hacked.
The second option is a little better. But most people who go this route are still using shorter, easy-to-hack passwords rather than complex 15-symbol passwords like g53D3a!dD2pOc$q. Additionally, they either leave the written passwords in a location at home, and so cannot access accounts when they are away, or carry the passwords in a wallet or purse, which makes them far more susceptible to theft or loss. They also don’t change passwords regularly.
Using a password manager makes it simple and convenient for you to create unique, complex passwords and then change them regularly. Rather than repeat the why and how of password managers, here is an Astute Angle post we published in 2014 about using a password manager and a recent Wall Street Journal article about creating secure passwords.
Also, a few reminders about passwords:
- Don’t base your password on personal information—such as the name of your pet or your company.
- Don’t use a word found in the dictionary as your password.
- Avoid substituting numbers for letters, for example: using a zero for the letter “o” or a one for the letter “i.” These substitutions are well known and predictable.
- Don’t use your UserID as your password.
- Don’t use simple number sequences like “12345” or a series of duplicate numbers like “11111.”
- Change your password frequently, and don’t “recycle” a password you’ve used somewhere else.
4) Ramp up mobile device security, install anti-virus and anti-malware software on your computer, and exercise extreme caution before clicking on email links or opening attachments.
We wrote this Astute Angle post in 2016 about staying safe online with many tips and important resources. Re-read the post and ensure that you’re still following all the key safety rules.
5) Use multi-factor authentication.
OK, this is covered in step 4 but it is important enough to highlight by itself. Multi-factor authentication is security that requires more than a single method of authentication – such as a password – to verify a user’s identity. It can be something you have (like a cell phone to receive a 6-digit code each time you log in), something you know (like “the street you grew up on” security questions that go beyond a password), or something you are (like a retinal scan, voice recognition, or a fingerprint).
More and more websites are adopting multi-factor authentication but it has to be turned on. And you should turn it on for any site that offers this added protection. Notably, Charles Schwab has two different forms of multi-factor authentication available:
- A soft token which creates a single-use numeric password that you use in addition to your usual password when logging into your account. This protects the security of your accounts, even if someone else has correctly guessed your existing login ID and password.
- Voice identification which, once established, allows Schwab to authenticate you in a phone conversation by having you say the phrase, “At Schwab, my voice is my password.” This avoids the step of Schwab authenticating you by other personal information like a Social Security number or date of birth which a criminal may already have.
Either or both of these can be activated by calling Charles Schwab at 1-800-515-2157.
6) Minimize your risk of tax ID theft.
In 2015, 1.4 million people were impacted by tax ID theft. Tax ID theft is a rapidly growing form of crime that criminals can more easily employ when they have your Social Security number. The way it works is that someone uses your Social Security number to file a tax return on your behalf and claim a fraudulent refund. Now that your Social Security number may be in the hands of bad people, you should be more aware of the threat.
There are three ways to minimize the risk:
- Do not overpay your taxes. If you receive a big refund every year, you are exposing yourself to this risk more than you should. While you will still receive the refund from the IRS, it will be delayed by months and will require hours of effort to get it. Do yourself a favor and avoid over-withholding.
- File your taxes in a timely manner. Admittedly, this is not always practical. But the earlier you file your taxes, the less opportunity there is for someone else to file on your behalf.
- Apply for an Identity Protection PIN (an IP PIN). This is a six-digit number assigned to taxpayers that prevents criminals from filing a tax return with just a Social Security number – they also need the associated IP PIN or the return will be rejected. Unfortunately, not everyone can apply for an IP PIN right now – only people invited by the IRS to apply or residents of Florida, Georgia, and the District of Columbia. If you live in one of those places, we encourage using this IRS link to apply for your IP PIN.
At RPG, we take security and privacy very seriously. We recognize that, sometimes, that can be annoying. It may be annoying to have to go through our secure vault to access files. It may be annoying that we will not send account numbers over email or that we ask you to securely upload files to our vault rather than send them as attachments. It may be annoying when we call you to ask if the email you sent us was really from you or if you intended to send the attachment. Unfortunately, we live in a world today where these steps and others like them are a necessary precaution to help keep you safe.
It is also unfortunate that a lot of private data is exposed to bad people and with each security breach, it is more and more likely that bad people have some of our data. While you can rely on institutions to protect that data, you also have a responsibility to protect yourself. The steps we recommend above are largely just reminders of items that we have promoted in the past but they are important enough that we bring them up again.
Should you have any questions about security, steps we take to ensure privacy, or anything related, please do not hesitate to reach out to us.