As we all know by now, the Equifax breach exposed the credit reports of over a 140 million Americans. What are in these reports? They include the credit histories of consumers along with their social security numbers. That makes this breach particularly painful.
The breach has also raised the profile of the somewhat mysterious big three national credit reporting agencies or NCRAs — Experian and TransUnion are the other two. Lenders use NCRAs to help them decide whether to approve credit for auto loans, mortgages, home improvement, and of course new credit cards.
NCRAs Are Supposed to Protect Against Identity Theft
Let’s say the Equifax hackers go into phase two of their business plan, likely selling personally identifiable information (PII) to cyber gangs and others who will directly open up fake accounts. Of course, the stolen social security numbers makes this particularly easy to attempt.
The bank or other lender extending credit will normally check the identity and credit worthiness of the person by contacting the NCRAs, who under red flag rules are supposed to help lenders spot identify theft. Often times (but not always), the cyber thieves will use a different address than the victim’s when applying for credit, and this anomaly should be noticed by the NCRAs, who have the real home address.
The credit report should in theory then be flagged so future lenders will be on alert as well, and the financial company originally asking for the report is also warned of possible identify theft for the credit application.
I am not the first to observe that the irony level of the Equifax breach is in the red-zone – like at 11 or 12. The NCRAs are entrusted with our most personal financial data, and they’re the ones who are supposed to protect consumers against identity theft.
Unfortunately, an NCRA hacking is not a new phenomenon, and the big three have even been the target of class action suits brought by affected consumers under the Fair Credit Reporting Act (FCRA). To no one’s surprise, the legal suits have already begun for the Equifax breach – the last count puts it at 23.
What Consumers Should Do
While we hope that red flags have been already placed on affected accounts, it’s probably best to take matters into your own hands. The FTC, the agency in charge of enforcing the FCRA, recommends a few action steps.
At a minimum, you should go to the Equifax link and see if your social security number is one that’s been exposed. If so, you can get free credit monitoring for a year — in short, you’ll know if someone tries to request credit in your name.
(Yes, I just did it myself, and discovered my number might have been compromised. I went ahead and subscribed for the credit monitoring.)
If you’re really paranoid, you can go a step further and put a credit freeze on your credit report. This restricts access to the credit report held by the NCRAs, and in theory, should prevent lenders from creating new accounts. Normally, this would be a charge, but Experian graciously arranged to freeze the reports for free after outraged consumers protested.
None of these measures are fool proof, and clever attackers and thieves can get around these protections.
Online Protection With The Troy Hunt Course
Besides social security numbers, the hackers hauled away a lot of PII – names, addresses, and likely bank and credit card companies. As far as I can tell, passwords were not taken by the Equifax hackers.
Obviously, social security numbers are the most monetizable, but the other PII is still useful, particularly in phishing attacks. Readers of this blog know how we feel on the subject: any online information gained by hackers can and will be used against you!
So we should all be on alert for phish mails from what may appear to be our banks and other financial companies, and we should be wary of other scams.
That’s where the indispensable security expert Troy Hunt can help us all! His Internet Security Basics video course is a favorite of ours because it breaks down online security into a series of simple lessons that non-technical folks can quickly understand and take action on.
I draw your attention to Lesson Three, “How to know when to trust a website”, which will be incredible helpful in helping you avoid the coming wave of online scams.
Let’s not waste a crisis: it’s probably also a good time to review and change online passwords and understand what makes for good passwords. Troy’s Lesson Two, ‘How to Choose a Good Password” we’ll bring you up to speed on passphrases and password managers.
The Equifax breach is as bad as it gets, but let’s not make it worse by letting cyber thieves exploit us again through lame phishing emails.
Learn how to protect yourself online with security pro Troy Hunt’s five-part course.