Tag Archives: Data Breach

How to Freeze Your Credit

The recent Equifax data breach exposed the personal identifying information of at least 143 million U.S. consumers, which has led to a wider interest in placing a “security freeze” on credit reports (a.k.a. “freezing your credit”).

A security freeze prevents new credit accounts from being opened using your personal information, unless you lift the freeze in advance of applying for credit. This is accomplished using a PIN that either you or the credit bureaus create when placing the original freeze. This means that a freeze can stop an identity thief from creating new lines of credit, even if they already have all of your information.

A credit freeze is an important tool in preventing one type of identity theft, but does not prevent existing accounts from being accessed with stolen credentials, fraudulent credit or debit card transactions, employment or medical identity theft, or the filing of fraudulent tax returns. In other words, even after you place a security freeze, you still have to remain aware of the risks of identity theft.

There are three major credit bureaus and one minor. Here is where to go for each one, as well as some notes (information is accurate as of 10/2/2017, but websites may be updated in the future):

TransUnion: https://www.transunion.com/credit-freeze/place-credit-freeze2

Notes: use the “Click to initiate freeze process” link (last item under the “How Do I Decide What to Do?” table). Note that a “lock” is different from a freeze; what you want is a freeze. TransUnion requires you to create an account with a password, then you can place the freeze and create your PIN. To temporarily lift the freeze, log in at https://freeze.transunion.com.

Experian: http://experian.com/freeze

Notes: Experian is probably the easiest of the four to use, with the “Add a security freeze” option prominently displayed. You can create your own PIN, or have the site generate one for you. You can also choose whether to print your receipt or have it emailed to you. Double-check that your email address is correct if you choose this option! Visit the same site to temporarily lift the freeze.

Equifax: https://www.freeze.equifax.com

Notes: creates a “one-time PDF” which contains your PIN (the site generates it for you). Make sure you’ve got a PDF reader installed beforehand so you can view the file (Adobe and Foxit are popular free choices). Visit the same site to lift a freeze.

Innovis: https://www.innovis.com/personal/securityFreeze

Notes: Innovis sends your PIN via postal mail around 10 business days after you place the freeze. To lift the freeze, visit the same website and follow the instructions.

Anthem Data Breach: Let the scams begin

News of the massive data breach at insurance giant Anthem Inc. isn’t even a week old, and already the phishing scams have begun.

Phone calls and emails are already circulating that claim to represent Anthem and offer free identity theft protection to victims of the breach. These calls and emails are not from Anthem, but scammers attempting to obtain personal and financial information.

Anthem has stated that they will contact customers affected by the breach by mail over the next couple weeks.

That means postal mail, friends. The kind that’s on paper and comes in an envelope, delivered by that person your dog completely freaks out at six times a week. The letters will give you information on identity theft protection, as well as the next steps you should take.

If someone calls you on the telephone, they’re not from Anthem.

If you get an email message, it’s not from Anthem.

If you get a text message, that’s not from Anthem, either.

If some weirdo shows up at your door, they’re not from Anthem.

Okay, I don’t really think that last one is going to happen, but you never know. I’m trying to be preemptive, here.

Watch your mailbox if you’re a former or current Anthem (or Wellpoint) customer. The old-school mailbox. Any other communications that claim to be from Anthem are fraudulent.

You can also get information online here.

Data breach at Anthem, and it’s a bad one

Yesterday, health insurance leviathan Anthem Inc. announced that its databases had been hacked, and “tens of millions” of current and past customers (including Wellpoint customers, Anthem’s predecessor) could be affected.

This one is much worse than any of the major retail breaches you’ve heard about, because this time the hackers took names, Social Security numbers, dates of birth and addresses. In other words, this means identity theft.

The retail breaches were irritating, sure. Your debit card might suddenly stop working, or you’d notice a fraudulent charge on your statement and you’d have to wait a few days to get that reversed. The stores would sign you up for free identity theft protection, which didn’t really help because it doesn’t block fraud on card transactions anyway. But you’d end up with a new debit or credit card.

The thieves in the Anthem breach didn’t get any credit card, debit card or account numbers, but the information they did take is exactly the information required to create false identities.

This could be much worse than not being able to use one of your cards for a couple weeks.

Anthem says it will notify affected customers by mail if their account was one of those affected. When they offer free identity theft protection, this will be the time to take them up on it.

If you get a letter saying yours was one of the affected accounts, I would also recommend placing an identity theft alert or security freeze with the big three credit bureaus (Experian, TransUnion, Equifax).

Maybe it’s time for “security freeze” to be the default setting for everyone, all the time. What happens after the single year of protection Anthem will (most likely) provide runs out? It’s not like the people who will end up buying this stolen data can’t just wait it out until after the protection expires. Maybe Anthem owes all of its customers free lifetime protection. Words like “very sophisticated external cyber attack” imply that the breach was unpreventable, but was it? We don’t know, and we might not ever.

At any rate, if you’re a current or former Anthem (or Wellpoint) customer, watch your mailbox for notification that your information has been compromised.


Your card information has been stolen

Okay, so I can’t say for certain that you specifically have had your debit or credit card information stolen in a retail data breach.

But let me ask two questions:

  • Do you have a debit/credit card?
  • Do you ever use it to buy things in a store or restaurant?

If you answered YES to those, most likely one or more of your cards has been accessed during a data breach at some point.

If it hasn’t happened yet, it will. This is the world we live in right now.

Perhaps raising the stakes for retailers would help—I was not aware until recently that, for the most part, merchants bear none of the financial burden when their security practices lead to a massive data breach that exposes tens of millions of consumers’ card data to bad people. So they continue to allow single-authentication access to their point-of-sale machines, continue to use “password1” and “abc123” as their access codes, continue to just leave things as they are, because there is no reason not to.

So who pays for your replacement card? Who reimburses you for those fraudulent charges? Your bank or credit union does.

And then you pay for them, because this is a hard-and-fast rule of financial institutions: when they lose money, they will try to recover it from another source. So maybe a loan rate creeps up by a twentieth of a point, or a fee that used to be $2 is now $2.50. These may be tiny changes, but they still represent money you could have kept in your pocket.

Of course, financial institutions can be hacked, too. It happens. And those institutions pay for card reissue and reimbursement when it does. But it’s so much easier to mount a point-of-sale hack. Data breaches wouldn’t be such a common problem if it was too difficult—despite the word “hacker,” these criminals are not geniuses. There are too many of them.

The Credit Union National Association (CUNA) has mounted a campaign called “Stop the Data Breaches.” It’s worth a look.

Shouldn’t retailers bear some responsibility for data security, with as much consumer data as they handle every second?

It seems fair.

What can consumers do about data breaches?

Home Depot, come on down. You are the next contestant on The Security Is Not Right!

Okay, so maybe that’s not confirmed just yet, and Home Depot is staying sort of quiet because they don’t want everybody to stop buying things from them, but Krebs has a pretty good hunch, and his hunches usually turn out to be right. Like Dumbledore.

But even if it turns out the breach was from somewhere else, it still leaves a question hanging in the air: what do we, as consumers, do about point-of-sale data breaches?

The first step is to not freak out about identity theft. I’ve always maintained this distinction, and it’s very relevant here: the theft of debit or credit card information is NOT the same thing as identity theft.

With your card credentials, thieves can make fraudulent charges (at least until your card processor realizes what’s going on and blocks transactions). Without your Social Security number and date of birth, they’re not going to be able to open new accounts or take any of the other actions associated with identity theft.

[Optional Cynical Rant: This also goes to show something about the corporations hit by these data breaches: when they so-magnanimously promise they’re going to give all their customers “twelve months of FREE identity theft protection” against any identity theft that results from the data breach, they already know they won’t have to deliver anything, because nobody is going to have their identity stolen with just a card number, expiration date, security code and their name. You can’t commit identity theft with only those details.]

Okay, so you’re not freaking out about identity theft, but you’re still freaking out about the possibility of fraudulent charges. You have my permission to do so. Fraudulent charges are, at best, still a major irritant that can cause you to be late paying bills and other hassles. You don’t want them to happen at all if you can help it.

You could stop paying with cards altogether, sure. Start carrying cash for every single transaction. Like grampaw done. But remember that cash has its own set of disadvantages. If you lose it, it’s gone. If someone steals it, it’s gone. You can’t buy anything online with it. You can’t buy anything on credit with it. Heck, it’s dirty.

So if that’s not your favorite option, what’s left?

Being vigilant.

(Like I’ve been saying for years.)

First, don’t give your information to someone just because they ask, whether in person, by telephone, email, text message, instant message, semaphore, telegraph or cave painting. That’s RULE ONE for the prevention of all forms of fraud.

Second, for every card you have, credit or debit, have online access and check it regularly. Your debit cards are issued by your credit union or bank—they will be happy to set you up with online banking. Use a good password, follow RULE ONE, and check your accounts regularly. Sometimes they will catch fraud first, sometimes you will.

If you’ve shopped at a store that has had its customers’ data compromised, look through your account history online and make note of when you used your card at that retailer, and be extra-watchful.

Third, be prepared if you’ve used a card at a retailer that was compromised. Have another form of payment handy, because if your card issuer detects possible fraud, they will probably deactivate the affected card immediately. If they don’t have a chance to notify you, and you’re already trying to make a purchase with that card, your transaction could be declined. And if you were trying to buy something important (like, I dunno….GAS) you could end up stranded (or at least white-knuckling it while you drive home on fumes…I’m not going to confirm whether I speak from harrowing personal experience or not).

Don’t freak out, follow RULE ONE, be vigilant and be prepared. That’s what you can do about data breaches as a consumer.


New phishing attack poses as PayPal email…

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.

Toward a definition of identity theft.

The other day I heard a warning that having someone steal your checkbook is the “worst form of identity theft.”

Honestly, I’m not entirely sure that is identity theft.

I suppose I’m something of a purist in this case. To me, “identity theft” occurs when someone obtains your personal identifying information without your permission, and uses it to open new financial accounts, obtain credit, medical services or employment, or evade arrest.

To me, someone just swiping your checkbook and passing checks all over town falls under the umbrella of simple “theft.” I suppose on some level the thief is implying that he or she is you, but credit is not being obtained in your name in this case. It’s sort of like someone just stealing your cash. The thief doesn’t have your Social Security number or date of birth; all he has is your checkbook. Once the checks stop working, he’ll abandon them.

Not that having your checkbook stolen isn’t a massive headache. I’m not saying it’s something to take lightly at all. It’s just that I don’t think it constitutes identity theft per se.

I also don’t believe that simple credit card theft usually equals identity theft. Once again, the thief may be implying that he or she is an authorized user of your credit card, but that’s as far as the crook is taking things. They’re not changing your address so you don’t get the bills, they’re just burning through your card for a couple days until they max it out.

Once again, it’s a pain for the victim, but it’s not quite identity theft.

My parents were among the victims of the Heartland Payment Systems data breach back in 2008. Their credit card (which they had used once at a restaurant) suddenly showed two charges of $850 at an electronics store in California. One call to the credit card company was all it took—I don’t even think my dad had to finish his sentence before the customer service person said, “Yes, there was a data breach…aaaaaand you’re all fixed.” There was no need to place alerts on credit reports or anything. A crook had used their credit card numbers, they called the company, problem solved. In a case of true identity theft, it would have taken a lot more than one phone call to remedy the situation.

Again, I’m not saying this type of theft can’t be a hassle, because it can be. I guess I’ve just been seeing the term “identity theft” get thrown around a lot, and it seems useful to place a few limits on the term, if only for clarity.

One final point: you’ll never hear me use the phrase “ID theft” as shorthand for identity theft. Your ID is a card with your picture and information on it. Your identity is all the non-public personal information about you—date of birth, Social Security number, credit reports, etc.

To me, “ID theft” sounds like somebody just stole your driver’s license. Of course, identity theft could involve someone stealing your ID (and then manufacturing a new one with their picture and your information), but “ID theft” is a term that obscures rather than illuminates.

Stay Vigilant

Nobody is ever 100% safe from fraud, scams or identity theft. Even if you’ve done everything possible to prevent becoming a victim, it can still happen.

Take, for example, the data breach at Heartland Payment Systems a few months ago. Through no fault of their own, thousands of people experienced unauthorized use of their credit or debit cards. It wasn’t that they fell for a phishing email or a fake phone call. They simply made a purchase or two at a store or restaurant that used Heartland as their card processor.

However, there is no reason to panic. By taking simple steps to stay safe on your end, you can drastically reduce your chances of becoming a victim of fraud.

The key is to be informed and vigilant. Know what the threats are, know how to spot a scam and keep a close watch on your financial statements, and you’ll be miles ahead of where the crooks would like you to be.

That’s why REGIONAL Federal Credit Union is bringing you this new website. We believe that education is key to achieving financial security and independence.

It’s not all doom and gloom, though. In fact, it is my aim to make this site as entertaining as possible (despite the admittedly bone-dry seriousness of this first post). I’ll be posting some Video Dispatches from the FPU very soon. Be sure to check those out. There’ll be enough weird props, strange pop culture references, silly music and bad acting for everyone, and you’ll learn something, too.

I’ll be learning, too. After all, there are new variations on these scams popping up all the time. It will be a chore to keep up, but I will do my best. In the meantime, questions, comments and suggestions are always welcome! Use the comment function below, or email me directly at cturpen@regionalfcu.org. Also be sure to follow the FPU on Twitter (@fraudprevunit). I’ll be posting tips and updates there as well.

And always remember: stay vigilant.