If you haven't already, the first, best, and fastest way to protect yourself from the Equifax data breach is to place a security freeze on your credit files at the big three credit reporting bureaus.
"A security freeze is the nuclear option of credit protection. It gives maximum protection," says Matt Schulz, a senior security analyst at CreditCards.com.
You can do this by contacting each bureau through either its website or its customer service number. Depending on where you live, there may be a fee for placing the freeze.
Equifax, however, said this week it would not charge for credit freezes for those affected by the breach.
The massive data breach, announced Thursday by Equifax, involves the potential compromise of the personal data of 143 million consumers, including names, addresses, Social Security numbers, and birth dates.
Anxious consumers have since flooded Equifax's website and customer service lines, and many had trouble determining from the site if their information was among the data that had been stolen.
Late Friday, Equifax said in a news release that it was fixing its website so customers could more easily determine if their information had been compromised. The release also specified that the binding arbitration clause and class-action waiver were only applicable to the credit monitoring services, and did not apply to the data breach.
Equifax later dropped the restrictions for the free credit-monitoring service as well, claiming that customers who sign up because of the data breach are not subjected to the clause and would not be prevented from joining class action suits.
Many details about the data breach are still unclear, but the potential consequences for consumers are severe.
"In total, the data elements breached provide a toolkit for financial fraud," says Beth Givens, executive director of the Privacy Rights Clearinghouse, which has tracked data breaches since 2005.
Identity thieves can link this information to "over a billion passwords stolen elsewhere to piece together a more complete profile of you" to commit financial crimes, says Avivah Litan, a security analyst at Gartner, a technology research firm.
In addition to the credit freeze, there are four more steps to put an iron wall around your money.
Activate Two-Factor Authentication
In today's world of digital crime and internet fraud, two-factor authentication is an important extra layer of safety. It requires not just a password but a second element, such as a code texted to your smartphone, which you have but a crook can't easily get. Set up and activate two-factor authentication on all of your existing mobile banking, savings, credit card, home equity line of credit, and other financial accounts that offer it.
Most banks that offer mobile banking also authenticate the device you use to access your account, says Doug Johnson, senior vice president of payments and cybersecurity at the American Bankers Association.
Banks with the most cutting-edge security, such as USAA, use yet another factor, biometric authentication, which verifies your identity by using your fingerprint or voice print, or through facial recognition, which criminals can't easily fake.
Maximize Your Mutual Fund Security
Although the Securities and Exchange Commission requires mutual fund companies to identify, detect, and respond to red flags of identity theft, unlike FDIC-insured banks, these investment firms aren’t required to restore assets stolen by hackers.
You should call your 401(k) plan provider and other investment managers to learn their fraud protection policies, as they can vary from company to company. If your investment company doesn't explicitly reimburse stolen funds, consider moving your money elsewhere.
To get protection, Vanguard requires (and Fidelity requests) that you follow certain safeguards, which you should be doing anyway, including regularly reviewing your account statements and promptly reporting any errors or suspected fraud; keeping up-to-date security on any computer or other device you use to access your account (firewall, antispyware, and antivirus software); not responding to, clicking a link in, or opening an attachment in an e-mail that you suspect might be fraudulent and that requests personal financial information; and using two-factor authentication.
Place a Fraud Alert on Credit Reports
A fraud alert is different from a credit freeze. The fraud alert is a notice on your credit report that warns both current and prospective lenders that they must take reasonable steps to verify your identity before granting credit, such as a new credit card or loan, or extending credit on an existing account.
You need to request a fraud alert at one of the big three credit bureaus, which will then pass it on to the other two, and separately place another alert with Innovis. An alert lasts 90 days. If you’re an ID-theft victim, you can get a fraud alert that stays in place for seven years. But you may be better off with the 90-day alert, because that allows you to get a free credit report from each of the four credit bureaus each time you renew the alert, which means you can get up to 16 free reports per year.
Secure Your Smartphone + Email
How you manage your smartphone and email accounts can be critical to your online security. Your phone is where all your second-factor text message codes are sent and where your mobile banking and other money apps live. Email is where your financial institutions send alerts and password reset links.
Hackers can hijack your phone and access important information, but "it's difficult, and if you take only one extra step, a hacker will pass you up and try elsewhere," says Roger Entner, founder of Recon Analytics, a telecom research firm. Here's how you can make your phone and email harder targets:
- Activate two-factor authentication on your email account. When you log into your email on an unfamiliar computer or phone, you'll get a text with the necessary code to complete login. A hacker would need that code, too, but can't get it without your phone. Better yet, download an authenticator app such as Google Authenticator or Microsoft Authenticator, which generates these codes without the need for texts, which can be intercepted.
- Use a password management app such as LastPass on your computer's browser and on your phone, advises Russell Vines, Consumer Reports' director of information security. LastPass creates and plugs different passwords into each of your accounts when you log in, so you don't have to invent and keep track of dozens of passwords. This eliminates the temptation of using the same password for multiple accounts, which can provide a master key for hackers.
- Never click unsolicited, unexpected, or suspicious-looking links sent to you by email or text. They could download malware capable of spying on your phone or personal computer activity.
- Follow other security tips for your phone's specific operating system using the FCC Smartphone Security Checker, a customizable interactive tool.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2017, Consumer Reports, Inc.