The record number of data breaches in 2017 (1,579 publicly reported breaches to be exact) and the sensitivity of the data stolen (especially social security numbers and passwords) have led many to wonder how to protect themselves. Since I work in the identity protection industry, my friends and family have asked what recommendations they should follow to secure their personal data. In this write-up, I'll share some basic information, options, and suggestions for what to do in the wake of a data breach.
Credit Card vs. Identity Theft, Understanding the Difference
First, let's distinguish credit card theft from identity theft. My credit card number is stolen reliably about once per year. It's a nuisance, but that is all. The bank eats all losses related to the theft and I simply get a new credit card number. But if a thief gets a hold of my SNAPD info (SSN, Name, Address, Phone number, and Date of birth) and applies for a credit card in my name—that is identity theft, and it is more difficult to remedy. I may not even realize it has happened until I try to buy a car and my loan application is denied because my credit has been ruined (after, for instance, a thief opened a credit card account with my information, racked up charges, and never paid the bill). I can't easily change my SNAPD info like I can a credit card number, so I must begin a long, painful process of trying to restore my good credit. Because my information is spread out across so many companies, it's on me as the victim to clean it up everywhere, and I may not be able to buy anything on credit until that's done.
How do you prevent identity theft from happening? Unfortunately, there is no silver bullet. Think of protecting your identity health like protecting your body health. To be healthy, you pursue a combination of diet, exercise, physical checkups, etc. The same is true with identity health. You must follow preventative steps to keep your information safe.
While the biggest breaches are months old, we aren't out of the woods yet. Perhaps we'll see better protections and systems put in place over time. But for now, your SNAPD info remains a bit like a credit password you cannot reset, putting you in a horrible position if it gets stolen.
There are many articles recommending consumers freeze their credit. This involves getting a PIN you can use to turn your credit off and on with the primary credit bureaus: Equifax, Experian, and TransUnion (Innovis, the fourth largest, is also sometimes included). While your credit report is turned off (frozen), any applications for credit (including those by thieves) will be denied. When you apply for something that requires a credit check (mortgage, car loan, cell phone account, etc.), you must unfreeze your credit before you apply and then turn it off again once the credit decision is made. You will pay a fee ($10 or so per bureau, depending on where you live) each time you activate and deactivate the freeze, though state attorneys general are now successfully pressuring the bureaus to waive it. Freezing your credit certainly seems like a good idea now that the most sensitive information for half of all Americans is known to be in the wrong hands. It is up to each person to decide whether the hassle and cost are worth it.
It is important to understand that even after freezing your credit at the primary bureaus (remember, no silver bullet), you may still be vulnerable to identity theft. There are other smaller and less frequently used credit bureaus. Also, freezing your credit will not protect against transactions that don't go through a credit bureau, which can include payday lending, tax filing, health care transactions, etc. That being said, don't let the presence of scary diseases stop you from taking basic health precautions that are within your control.
Credit and Identity Monitoring
Another option to consider is credit or identity monitoring services. Credit monitoring services, including some offered for free after a breach, will alert you when you have credit activity at the major bureaus. Identity monitoring services usually include credit monitoring, plus identity monitoring features such as monitoring the dark web for your information or alerting you to other important events that do not traverse the bureaus. Some identity monitoring services will also help you to resolve issues if you are exposed to identity fraud, and/or insure you against financial losses that may result from identity theft. It can be somewhat confusing because many offerings have the name "identity" or "ID" in them, including those that only provide credit monitoring. Make sure you read the full service offering and understand everything you are being provided. Full disclosure: I am an employee of ID Analytics, a Symantec company, and receive a free subscription to LifeLock, an identity theft protection service, as an employee benefit.
To summarize: When considering ways to protect your personal data, good options to consider are freezing your credit, signing up for a credit or identity monitoring service, or both. If you choose either of these options, do not take the approach of just doing something for a few months until the current breach news dies down. It may take time for the stolen data to be sold and distributed, and the bad guys are aware that everyone is on guard when breaches are top headlines. There is a good likelihood that at least some fraudsters will wait until the news cycle moves on and people let their guard down, to increase the chances of their fraud going undetected. It is common to see a burst of fraud activity a year after a breach.
Digital safety also includes protecting your passwords and being aware of phishing/social engineering techniques.
You have likely heard a lot of advice about passwords that you are not following because it's not practical. For instance, we're told to use different passwords for every website, but now that we all have dozens (or hundreds) of logins, remembering separate passwords simply isn't possible. About half of consumers reuse passwords across sites and billions of passwords have been exposed in breaches.
In my opinion, the best way to solve for passwords is to use a password manager, such as LastPass, Dashlane, 1Password, or Norton Identity Safe (compare features to pick the best one for you). With a password manager, you create one master password that unlocks access to all your other passwords, which it will auto-fill into website forms for you or allow you to copy/paste whenever needed. I let the password manager generate and manage a different 16-digit complex password for each site (you must change your existing site passwords to get this benefit). It also stores other secret information for me, such as credit card numbers, family member SSNs, etc., making it a full-featured secure digital wallet. It allows me the convenience to copy/paste these values whenever needed across all my devices, along with the security of strong encryption.
At a minimum, take the time to create two reasonably complex passwords, one that you use for less secure sites (cat toy shopping sites, knitting discussion boards, etc.), and a second that you use for sites that must be secure (banks, retirement accounts, etc.). If thieves steal username and password combinations from less secure sites, they will try them at bank, investment, and email sites too. By separating those two categories of sites, you add some protection. A reasonably complex password should be 8-20 characters and include uppercase, lowercase, numbers, and special characters.
Phishing / Social Engineering
Phishing and social engineering fraud involves fraudsters trying to trick you into giving them your information willingly (under false pretenses). It may be a phone call where they ask for personal info or passwords, it may be an email with a link or attachment, or it may be a browser window that pops up from a web site you visit. The best general defense against this is to educate yourself. Consider taking an online mini-course to become familiar with the types of emails, pop-ups, and web addresses that are considered suspicious. If you're a novice, try AntiPhishing Phil. It's dated, but it's the best game I could find to teach some basics. Below are two other scenarios to be mindful of, which I have seen friends and neighbors fall victim to.
Do not click on or follow the instructions of any warnings saying your computer has been hacked, encrypted, is in danger, or instructing you to call a number for protection or more information. In my experience, 99% of the time, these are browser pop-ups trying to trick you into clicking something. Just turn off your computer and avoid that website. If you don't have a quality antivirus & security package installed, this is another important piece of protection.
Do not give any personal information or passwords over the phone (or in person). Good guys will never ask you for your password (though my cell phone company now asks me for a passcode I had to set up for service calls…sigh) and should not ask you for sensitive information like full SSN. I have had legitimate folks ask me for my SSN to look me up in their system; I simply ask them to look me up another way. Be very mindful of whether you initiated an email or phone call or if the other party did (other party = more risk). If the caller claims to be from an institution you do business with, but you doubt the legitimacy of the call, hang up and call the main number for the business to verify that they were in fact trying to contact you.
When it comes to digital safety, the good news is that I believe over time, more and more solutions will be created that move the burden of security away from individuals. New technologies show a lot of promise that trust can be built into the technology architecture itself. In the meantime, I hope this primer has been helpful.
Matt Lewis is Director of TechOps for ID Analytics, with more than 20 years of experience in software and technology operations. In this role, he leads the 30-person TechOps department whose philosophy for operational excellence is to build automation that runs the environment, continuously working to eliminate manual steps wherever possible.
Lewis has championed products which use analytics to protect companies from identity and credit card fraud, previously holding positions at HNC Software and FICO. Lewis holds a Bachelor of Science in Electrical Engineering from the University of California, Los Angeles (UCLA).