the rum soaked fist: internal martial arts forum

[everything]

Equifax hack means 140 million USAmericans have had their SSNs, DOBs, etc. stolen. Plus some other nationals have had data stolen.

You can go to identitytheft.gov for more info/steps.... you should do that right now if you have not.

[Steve James]

Try here. https://www.cnet.com/how-to/equifax-bre ... on-hacked/
https://www.cnet.com/how-to/equifax-breach-find-out-if-you-were-one-of-143-million-hacked/

[Dmitri]

It was over a month ago... About the only thing you can (need to) do now is freeze your credit.

[Steve James]

You can freeze your credit reporting, true. But, you won't be able to get more credit, if you need it. I.e., if you do, and you're planning to do anything that requires a credit check, you'll have to unfreeze it. Even so, the procedure is for the client to request that the reports be frozen. They crediting agencies will then give you a passkey or code that will allow them to identify you when you want to unfreeze it. If someone's had your identity for a month, probably longer, he's probably used it. So, check your current credit report right away.

There are companies that check whether your information is being passed along on "dark" web sites. On the bright side, the fact that equifax reported it means that they'll probably end up paying for any damages. Well, unless 45 plans to change consumer protections. Equifax even offers to give you credit protection, but you'll have to sign a release stating that you won't join any class-action suit.

[Steve James]

RE: those agencies:

You’ve heard the advertisements, and you’ve read the news reports. Sign up for a credit monitoring service and you’ll be protected from corporate database hacks like the massive one that hit credit reporting company Equifax this summer — news of which broke Thursday.

It does sound good. After all, knowing when somebody else tries to do something with your personal data is a good thing, right?

It is, but by the time your personal data has been compromised — like it was for almost 150 million Americans who had Social Security numbers, credit card numbers, driver’s license numbers, birth dates and addresses exposed in the Equifax hack — you’ve already missed your best opportunity to protect yourself. And the vast majority of credit monitoring services don’t really provide you with protection where you’re most vulnerable. They also can get you a false sense of security.

So what is credit monitoring? For a monthly fee, one of the monitoring companies will scan your credit file and let you know if they see any suspicious transactions. If you made them, you’re good to go. If you didn’t, you can start the process of fighting identity theft.

But you only have certain kinds of protections based on the monitoring you get — and you might not even have much protection at all. The best monitoring programs watch for activity through all three of the major credit bureaus, while others (including most of the free or low-cost ones) usually monitor just one. Note that Equifax is offering free monitoring for all Americans for one year, but only through their bureau. But no matter what kind of credit monitoring you have, it does nothing to tell you about (or stop) fraud from happening on accounts you’ve already opened.

For example, a credit-monitoring service would warn you that somebody opened a new credit card with your personal information, but it wouldn’t tell you that somebody ripped off the electronic data in the credit card you already have and was using it to make purchases. Monitoring also doesn’t track fraud outside some very specific parameters. If a crook uses your Social Security number but with a different name or address, you usually won’t be notified.

Your goal should be to do a much better job protecting your data before you become a victim, and locking down access in places where thieves could find a way in. You can do that yourself, without the help and expense of a credit monitoring service — and give yourself real peace of mind instead of relying on somebody else.

1. Start by requesting your credit report from each of the three credit bureaus: TransUnion, Experian and Equifax. Stagger the requests so that you’re doing one every four months, which will give you a very good top-level view of your credit. One important thing to keep in mind is that the reports you get from each of the bureaus this way are informational — not the actual ones lenders use when considering you for a loan or line of credit. These ones usually only go back two years, while the real-deal reports evaluate seven years of your credit life.

2. Make a plan for reviewing every bill that comes into your house, either by mail or through email. When you get credit card or mortgage statements, medical bills or other sensitive material, review it carefully to check for errors and then shred it.

3. Be much more aware of email security. The easiest way for a data thief to take control of your identity is to get in through your email. He or she can then change passwords at will, and get in through the front door, so to speak. Make sure you have two-factor authentication — a password and some other form of verification — set up on every account.

The Equifax hack is a particularly bad one because the giant credit reporting company has personal information on virtually every American consumer in its files. If you applied for a credit card or loan, your information is in there — and about half of Equifax’s data was exposed. You can go to EquifaxSecurity2017.com to check and see if your information has been compromised, but it wont be clear until much farther down the line just how many people will be victimized due to this hack. The data thieves had access to the information all summer, and now that the theft has been publicized, they’ll likely wait things out until the free monitoring period is over in a year.

As a part of their response to the hack, Equifax is offering credit monitoring to anyone in its database, but how much trust do you want to put in that now? You need to be using your own tools.

The most powerful one? A total credit freeze. It takes time and some back-and-forth with the three credit bureaus, but for a small fee, you can completely restrict access to your credit report. Nobody will be able to open credit in your name, or even check your report to offer you a deal on a credit card. You’ll have to manage the freeze manually, and lift it when you actually need to apply for a credit card or loan, but with it in place you’ll be able to have that part of your personal data locked down.

The FTC has a nice introduction to credit freezing here https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs, and you can get a detailed game plan in my forthcoming book, Your Score.

Knowing the ins and outs of the credit industry is not only Anthony Davenport’s job; it’s his passion. His firm helps manage and protect the credit and identities of some of the highest profile entertainers, professional athletes and ultra wealthy individuals in America. All that he has learned will be compiled in "Your Score: An Insider’s Secrets to Understanding, Controlling, and Protecting Your Credit Score," to be published in January 2018 by Houghton Mifflin Harcourt.

[everything]

Thanks for the updates. The freezes, unfreezes, and the reports are a little bit of a pain, but nothing compared to if someone really has stolen your identity.

The US AG already said the language about not being in a class action suit is unenforceable. (edit: NY AG)

[everything]

It does seem twisted to end up paying the company that was hacked to track for problems for your ID that was stolen from THEM, though. Surely there is a better way? But it doesn't seem like it.

[Snork]

It's being reported that the security PIN assigned by Equifax when you "freeze" your credit is simply a timestamp: https://twitter.com/webster/status/906638411930497029

So about as secure as the rest of Equifax, which is to say, not at all.

[Dmitri]

It's being reported that the security PIN assigned by Equifax when you "freeze" your credit is simply a timestamp: https://twitter.com/webster/status/906638411930497029

So about as secure as the rest of Equifax, which is to say, not at all.

WTF... just... wow.

[everything]

awful. thanks for posting this update, though.

I'm pretty ambivalent about their one year free offer now. they seem like complete imbeciles judging from the available evidence, so how can anyone trust them. UGH.

is there a way to permanently delete your info from one of these "agencies"? not sure there is any evidence that experian or transunion are any better, but equifax surely seems incompetent to handle such important tasks?

[Steve James]

is there a way to permanently delete your info from one of these "agencies"?

They're the ones that keep your credit records. Afa security, it's about the people. I.e., someone eventually has access to your information or to the servers that contain them. That is the weak link.

[middleway]

I am going through training on the GDPR (general data protection regulation) here in the uk. Under this you have the 'right to be forgotten' and the 'right to be deleted'. I believe the USA has similar rights. But companies can still hold your data if it is used in the carrying out of their duties to you as a customer...There is alot of 'grey area' in this world it seems.

[Steve James]

If you use cash, you won't need credit. If you buy a house, that can be a problem. In the United States there are laws that allow you to tell agencies not to share your info. The solution will be to improve and secure the identification process. Some have suggested a national I'd card that's encrypted. But many people don't trust the government.

[Snork]

It's being reported that the security PIN assigned by Equifax when you "freeze" your credit is simply a timestamp: https://twitter.com/webster/status/906638411930497029

So about as secure as the rest of Equifax, which is to say, not at all.

UPDATE: It now is (allegedly) the case that Equifax have (finally) started to derive their security PINs from a random number generator.

Unfortunately, it appears their credit monitoring website is vulnerable to cross-site scripting: http://www.zdnet.com/article/equifax-freeze-your-account-site-is-also-vulnerable-to-hacking/
So if anyone does choose to use it, be careful not to visit it by clicking on a link in an email you have received, or from a website... especially on mobile devices it can be difficult to tell if it is legit or not.

I can only imagine Equifax's IT guys are frantically thumbing through an "information security for dummies" book as they try to deal with this situation.

[Steve James]

So if anyone does choose to use it, be careful not to visit it by clicking on a link in an email you have received, or from a website

Good advice. Go direct to the main site. Btw, Experian.com will scan the "dark web" to see whether your email account appears. But, then it will offer to scan for your ss#, medical records, etc., for a fee -though they'll give you a 30 day trial.

Equifax, however, has said that it will let you know if they find that your data has been compromised. I think they'll have to give everyone affected something for free.