Data hacking is so common that your reaction to news of the latest big bank or retailer caught in a compromised position might be to shrug. But now is no time to be complacent. Victims of a data breach are almost eight times more likely to be hit by identity fraud than those who aren’t targeted, according to Javelin Strategy & Research, a consulting firm in California. And although consumer protection laws usually limit your liability, thieves can create a passel of hassles for you, including bounced checks and overdraft fees if funds are stolen from your debit or checking account, hacked e-mail, and disrupted access to your rifled bank account until things get sorted out.
Luckily, you can turn the tables on hackers by messing up their plans to mess up your day. Use this handy guide to protect your money and reduce the annoyance of the rising pace of security breaches.
Credit- and debit-card account numbers are the preferred prize for hackers because they’re easy to use fraudulently. So get replacements for any cards caught in a breach. That will make it tougher for crooks to steal from you.
In the JPMorgan Chase hacking last fall, the bank reported that no account numbers were stolen. But the information the hackers did get—names, addresses, phone numbers, e-mail addresses, and the type of Chase business associated with each victim—was a valuable consolation prize. All of it can be used to trick people into giving more information in a practice known as phishing.
If a scammer finds out that you have a Chase Private Banking relationship, for example, he might send authentic-looking e-mail asking you to log on to your account and confirm your identity. But instead of linking to Chase’s legitimate servers, you’ll be directed to the scammer’s computer, which will collect your information.
So follow this blanket anti-phishing policy: Be suspicious of anyone initiating contact with you by e-mail, phone, regular mail, or in person to request private information. Also, never click on links in unsolicited e-mail or respond to pop-ups on your computer that request your username and password. Think the message is legitimate? Look up a customer-service phone number on your own and call.
Whether or not a breach captures your passwords for online accounts or e-mail, we think it’s worth changing them periodically. And don’t reuse passwords; if you do, hackers might get access to many accounts.
Compounding the problem is the fact that websites frequently let people use their e-mail address as their username. With that information, “hackers can drop the username and password into mining software to check 250 banks around the U.S. to see if and where they work,” says Al Pascual, a senior analyst at Javelin.
Create strong passwords by using at least eight characters; nine or 10 are better yet. Include at least one uppercase and one lowercase letter, a number, and a special character, such as #. Don’t use facts from your life that might be figured out easily, such as a pet’s name or your birth date.
Consider using an online password management service, such as LastPass, that generates and stores encrypted passwords. Consumer Reports tested LastPass and found it to be a good option. Alternatively, you can develop your own formula for creating passwords that will be easy for you to remember but difficult for anyone else to figure out. You don’t have to alert everyone you know when you change your primary e-mail address if you direct your new address to simply pull mail from your old one (go to “account settings” to do that). Never have the old address forward messages to the new one or a hacker with access to the old address could learn the new one.
A freeze essentially shut off access to your credit history by potential lenders. If a crook applies for a loan in your name, the creditor is less likely to approve it if she can’t see your credit file. Such new-account fraud is relatively uncommon. But freezes are generally recommended if your Social Security number is stolen because hackers can use it to open new credit in your name.
In fact, if your Social Security number was ever compromised in a breach, it can probably be purchased on the black market, making you vulnerable to new-account fraud forever. “Hackers often steal your identity by correlating data accumulated in one or more breaches with publicly available information that can be purchased from legal data brokers,” says Rob Neivert, chief operating officer of Private.me, a service that claims to allow people to surf the Web anonymously so that data about them can’t be sold to marketers—or to hackers.
A freeze slams the door on new-account fraud. You must request one with each of the big three credit bureaus for fees from $2 to $12 per freeze, per bureau, though they’re free for victims of identity theft. They can be temporarily lifted when you need to apply for credit yourself, for similar fees.
Don’t wait for your print statement to come in the mail; check the latest account activity by signing up for online access to your bank and credit-card accounts or by using a mobile-banking app. Yes, last year’s Chase breach proves that Internet banking isn’t hackproof, but “the convenience you get from banking digitally supercedes any security risk,” Pascual says. Smart-phone banking also allows you to watch your account in real time wherever you go.
Because daily monitoring can be tedious, automate some of the chore with account alerts that send e-mail or a text message when potentially fraudulent activities occur. With checking, for example, you can set alerts to trigger if there’s an outgoing wire transfer; credit-card alerts can set off alarms if an international charge is authorized.
For more detail on how to protect yourself in today's data-insecure world, check our Guide to Internet security.
Get free credit reports so that you can monitor them for fraudulent new accounts and incorrect information. Start with three free ones per year (from each of the big three credit bureaus) from annualcreditreport.com.
You’re also entitled to a free credit report from each bureau after you file a 90-day fraud alert, which you should do every three months if your financial information was stolen in a breach or you have a reasonable suspicion that you’re about to become a victim of identity fraud. These days, that’s the case for everyone. Opt for 90-day fraud alerts, not the seven-year extended fraud alert.
Contributing to today’s security problem is the fact that the magnetic stripe on payment cards is easily counterfeited. MasterCard claims that the new cards with an encrypted chip (EMV cards) have reduced counterfeiting by 60 to 80 percent. Virtual wallets, such as Apple Pay, Google Wallet, and Softcard, which use your smart phone to make payments, also provide better security than magnetic stripes, according to Pascual.
But there are limits on where you can take advantage of enhanced protections. The near field communication (NFC) technology that virtual wallets require is used by only 220,000 of the 12 million to 15 million U.S. merchants who accept plastic. And EMV readers are in short supply today. But MasterCard predicts that half of all merchants will have EMV and NFC terminals by the end of 2015.
Identity protection services can cost $110 to $330 per year, but you can do most of what they offer for little or no expense. If a breached retailer offers free credit monitoring, consider taking it. But beware that it could create a false sense of security because credit monitoring does nothing to stop fraud on your existing credit accounts. Also, don’t click on any links offering free ID protection. Such a deal could be a phishing attempt.
Financial institutions that give your money or credit to crooks usually won’t hold you liable for fraud losses, but you must report the theft promptly, and you might not get your money back immediately. By law, banks have 10 days to fix things if your bank account was breached, but most restore stolen bank-account funds almost immediately, according to Javelin.
Use antivirus, antispyware, and anti-phishing software and a firewall, not only on your personal computer but also on your smart phone and other devices connected to the Internet, and keep them up to date. Create a data-security file with all of your credit reports, freeze requests, breach notices, and suspicious mail in one place. Stop credit bureaus from selling your name to lenders who send preapproved offers that crooks can steal from your mailbox by going to optoutprescreen.com or calling 888-567-8688. Opting out should stop most offers, and it doesn’t cost anything.
—Jeff Blyskal (@JeffBlyskal on Twitter)
This article also appeared in the January 2015 issue of Consumer Reports Money Adviser.
Consumer Reports has no relationship with any advertisers on this website. Copyright © 2006-2015 Consumers Union of U.S.