Friday, September 8, 2017

Equifax breach exposes 143 million to identity fraud

Updated to add a link to Equifax's official incident response website, https://www.equifaxsecurity2017.com/ . Fake sites and phishing emails are already appearing, as criminals attempt to deceive and defraud worried consumers. Also updated to add a note about identity theft potentially leading to tax fraud.

This breach is likely to be in the news for a while, and the effects will linger long after the media moves on.

Between mid-May and the end of July 2017, criminals accessed sensitive information on a website owned by financial credit reporting bureau Equifax. According to the company, personal information for approximately 143 million US consumers was compromised. An undisclosed number of Canadian and UK residents were also affected. This being a credit bureau - a company whose primary business is keeping track of consumers' financial identities - the information stolen was significant: social security numbers, birth dates, and addresses. In some cases, driver's licenses, credit card numbers and specific details related to dispute documents were also compromised.

For perspective, 143 million is more or less the same number as every working-age human in the United States.

I do not plan on going into how it happened - Brian Krebs did an excellent job of that. My goal is to provide my readers with advice on what to do now.


Risk: stolen credit card numbers could be used fraudulently


The compromised information included credit card numbers for over 200,000 US consumers. These card numbers could be used to make fraudulent purchases.

To be honest, this is the least of my worries. Credit card fraud, on existing accounts, is fairly easy to resolve. US consumer protection laws limit your individual liability, and most credit issuing banks further limit your liability for fraud to zero. Since the banks are on the hook for fraudulent use, they have gotten very good at detecting and stopping fraudulent charges.

My standing recommendation is, use a dedicated credit card for recurring transactions, and a separate card for in-store and online shopping. While I do not know the circumstances around the card numbers stolen from Equifax, I rarely hear of a card number being stolen from a recurring payment processor (i.e. someone you have given your card to once, that automatically uses it for a monthly bill). By using separate cards for recurring and ad hoc transactions, a stolen card number usually means simply discarding the compromised card and adding a new one to your wallet, versus having to update each and every recurring utility and merchant.

Also take advantage of transaction alerts offered by many banks. An email, text message, or mobile app alert for every transaction (or every transaction over a certain dollar amount) is a convenient way to detect fraudulent charges in near-real-time. In fact, I have had cases where my bank alerted me to a charge I did not recognize, and by reporting it as fraudulent the transaction was blocked even before the merchant shipped the product. Credit fraud nirvana: I'm out nothing, the bank is out nothing, the merchant is out nothing, and the criminal gets nothing!


Risk: stolen information could be used to open new credit accounts


The information Equifax has about consumers is the same information often used to confirm their identity when opening new debt accounts (credit cards, store cards, car loans, etc.) While resolving fraud on an existing account is fairly straightforward, resolving fraudulent accounts - especially accounts you may not even know exist - is a much bigger challenge. And unfortunately, that is a very real concern with this breach.

If you have not done so already, establish a security freeze, or an initial fraud alert, on your credit report with each of the four credit bureaus (yes, there are four; Innovis is a lesser-known credit bureau).

An Initial Fraud Alert is good for 90 days, so it must be renewed every 3 months. If you know you have been the victim of identity theft, and have a police report to document the event, you can instead request an Extended Fraud Alert, which is good for 7 years. An Extended Fraud Alert requires sending an affidavit referencing the police report number, along with a copy of a government-issued identification card (passport, driver's license, military ID card) and a copy of a current utility bill, to any one bureau. That bureau will notify the others.

Each bureau also offers a longer 12-month Active Duty Alert for servicemen and women deployed in the US Military. Again, you only have to notify one bureau, and that bureau will notify the others.

A more permanent solution is a Security Freeze (sometimes called a Credit Freeze). Where a fraud alert tells would-be creditors to take extra steps to verify your identity before issuing credit, a security freeze makes it impossible for a creditor to retrieve your credit report at all. The downside is that a security freeze may cost you a nominal fee. This fee varies from state to state; in Texas, it costs $10 per credit bureau to place a freeze, and another $10 per bureau to lift the freeze (the fee may be waived in certain cases).

Whether you choose a Fraud Alert or a Security Freeze, the following links take you to each of the credit bureaus. Keep in mind that you only need to request a Fraud Alert at one bureau - each bureau will share fraud alerts with the others. A Security Freeze, on the other hand, must be requested at each bureau.

As a side note, while each bureau will share your request for a fraud alert with the others, Equifax is very likely overloaded right now. You may find it more productive to set a fraud alert through one of the other bureaus.


Risk: stolen information could be used to unfreeze your credit


Establishing a fraud alert or a security freeze greatly reduces the chances a criminal can use your information to open new lines of credit in your name. However, the information stolen from Equifax is to a great degree also the information necessary to unfreeze your credit. By reviewing your credit report regularly, you stand a reasonable chance of detecting and acting upon any fraudulent accounts.

Under US law, you are entitled to review your credit report from each credit bureau, free of charge, once per year. The various bureaus generally hold similar information about you, although on occasion an account or credit inquiry will show up on one and not another. Since the information the bureaus collect overlaps, you can stagger the requests - review Experian in January, TransUnion in May, and Equifax in September, for example.

There are lots of fake sites trying to make a buck off of a free report (or worse, steal your identity). The safe location to request your credit report is:



Risk: stolen information could be used to impersonate you to your bank


Your username, password, and multifactor authentication prove your identity to websites, but customer service representatives often do not ask for your password for telephone or in-person service. Just like the information stolen from Equifax is essentially the same information used to prove your identity to a new creditor, it may also be the same information your existing banks rely on to prove your identity.

A number of banks offer an extra level of protection, such as a separate PIN or password for customer service. Take advantage of this.


Risk: stolen information could be used to impersonate you to your telephone provider


Two-factor authentication - logging in using a password plus an extra step - is becoming more and more common, but a large proportion of sites that support 2FA do it by way of a code sent by SMS (text message). SIM card swapping is a technique where a criminal pretends to be you, and convinces a cell phone provider to switch your phone number to their phone, resulting in 2FA codes being sent to them instead. The information taken from Equifax could be used to trick your cell phone provider into migrating your phone number to a crook.

The best defense against this risk is to use stronger forms of multifactor authentication. Authenticator apps (Google Authenticator, Duo, RSA Token, Microsoft Authenticator), product-specific mobile apps such as used by a variety of banks, and physical multifactor devices such as Yubikey or smart cards, are far harder for a criminal to defeat.

Not all banks and service providers support these stronger forms of authentication though. Major cell phone carriers have recognized the risk of SIM card swap attacks and now allow you to put a PIN or password on your customer service account, so a criminal cannot (in theory) conduct any customer service action without knowing that password. I say in theory because it is ultimately up to the individual customer service representative to honor the password, and a determined attacker will keep calling back until they convince someone to take action without it. Even so, putting a password on your account makes you a more difficult target, and a crook will more often than not move on to easier prey.


Risk: stolen information could be used to file fraudulent tax returns


If a scammer has enough information about you, they can file a return using your social security number, but put in bogus income and withholding information to produce a significant refund. Unless something about the return stands out, the IRS processes it as a valid return, leaving a mess to clean up when you file your genuine return later.

The single best defense against a crook filing a fraudulent return in your name is for you to file first. By law, most employers, charities, and financial institutions must provide your tax paperwork to you by January 31.

A very good second step is to request what the IRS calls an "Identity Protection PIN" or IP PIN. This is essentially a password that goes along with your Social Security Number to identify you to the IRS; once you request an IP PIN, the IRS will not accept a tax return using your SSN unless it also includes your IP PIN. Note that the IRS has not made this available to everyone; currently eligible include residents of Florida, Georgia, and the District of Columbia, along with individuals who were previously victims of tax return fraud.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen


Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.