In the Know - Cyber Security Update - Aftermath of Equifax
Eric Brown 09/12/2017
5 Minutes
iStock-518729653 (1).jpg

This week, instead of reporting five incidents of the previous week, I’m just going to focus on one, the Equifax breach. With over half of the adult population in the US impacted, it is likely that you, or someone you know is affected.
Over the next two weeks I’ll provide an overview of steps we can all take to tighten up our own security, starting with preventing unauthorized use of our personal information. Most of these solutions are free or low cost.
We’ll start with the most important items first and things that would ideally be done this week. If you are unable to, or are reading this at a future point in time, the items are still relevant and can be done anytime.
There are four credit bureaus, three that report credit and assign a score – Experion, Equifax, Transunion, and one, Innovus, that just reports on credit. We’re going to work with all of them to make sure that you have full control over your credit.

First things first:
1. Make sure you are on a secure network.
If you are on public wifi please consider using a VPN client. If you don’t have one here’s a good article on why they are important and which have favorable reviews: http://uk.pcmag.com/software/138/guide/the-best-vpn-services-of-2017
2. Virus/malware protection.
If you don’t have a solution yet, please download, install and scan your system for malware. The last thing you need is malware compromising your system while you are trying to improve your security posture. There are lots of options to choose from. My company represents two, (ESET & Kaspersky) If you want a 6 month trial of either of their products send me an email. Otherwise there are lots of options: https://www.tomsguide.com/us/best-antivirus,review-2588.html
 
Also, we’re going to be changing passwords and usernames. A password manager is highly recommended. Here are two articles I recommend reading on why a password manager should be used, and a review of password managers:
a. http://thewirecutter.com/blog/password-managers-are-for-everyone-including-you/
 
Now some of you are thinking, “I get it, I should have a complex password and username, but it’s a hassle and too much work. I just want to be able to log into the sites I want to log into without a bunch of extra steps.”
 
Your company IT department makes you change the password every 90 days and tells you not to write it down, so something like September2017! meets the complexity requirements of your office IT organization and since they make you change it every 90 days, it’s too hard to keep remembering unique passwords…so September 2017! Will turn into November2017! And so on and so forth…sound familiar? At home, the passwords don’t change as frequently and involve some combination of a family pet, a birthdate, a loved one or some favorite place or city. Am I pretty close?

NIST (National Institute of Standards and Technology) recently released some updated guidance on ways to improve password strength and make them easy to remember, and your IT organization will be catching up soon….an emerging trend is to not change passwords as frequently, but to have more complex meaningful passwords. For example: If your dogs name is Jake a complex password becomes: Jakechewedtheremote,AGAIN! A 26 character password is extremely hard to guess but very easy for you to remember. If 26 is longer than allowed, then this password becomes J@kectrAGAiN1. This is a 13 character password with symbols and a number. Mathematically easier for a computer to guess but will still take a really long time and very easy for you to remember.

If you must have only one password, make it a difficult one for computers to brute force!

Check out password difficulties here
https://password.kaspersky.com
 
To do this week: Time ~3 hours
1. Freeze your credit report:
It sounds drastic but isn’t that bad. Unless you are in the process of applying for new credit, or going through a transaction that requires creditors to access your report in the near future, freezing your credit is the best option.
A credit freeze allows you to seal your credit reports and use a personal identification number (PIN) that only you know and can use to temporarily “thaw” your credit when legitimate applications for credit and services need to be processed. The added layer of security means that thieves can’t establish new credit in your name even if they are able to obtain your personal information.  Fees vary by state: http://www.ncsl.org/research/financial-services-and-commerce/consumer-report-security-freeze-state-statutes.aspx

A freeze will not affect your credit score.

My personal experience with the four credit reporting bureaus:
(Note fees vary by state)
- Transunion – Cost $5 – Somewhat easy, clean UI, easy to navigate.  Creating an account is required (nice for quickly unfreezing later, a bit annoying now).  Password limit is is 14 characters (not great).  Was able to set a username/password for ease of use to unfreeze at a later date. Rating 3/5. https://freeze.transunion.com
- Experian – Cost $5 – most difficult. Unable to do online, cumbersome interface. Document upload didn’t work properly. Had to use phone option, will receive PIN by mail. Rating: 1/5. https://www.experian.com/freeze/center.html
- Innovis – Cost Free – Easy form to fill out to freeze credit report, confirmation sent by postal mail (slightly annoying and insecure). Rating 3/5. https://www.innovis.com/personal/securityFreeze
- Equifax – free – Easy to use. Not able to set a separate login/password. Rating 4/5. https://www.freeze.equifax.com
 
2. Check your cards for unauthorized access (reset username and password while checking each site).
3. Reset Passwords and Username (if able) on all financial websites.
Rather than using your name, nickname, or some combination of your name and birth year, try selecting a username that isn’t easily guessable. For example IUSM78YWH445 is a good username. When you use a password manager you are just going to be copying and pasting your username and password so choosing something random won’t make a difference.
4. Enable 2 factor authentication where possible
5. Request Free Credit Report - https://www.consumer.ftc.gov/articles/0155-free-credit-reports
6. https://Haveibeenpwoned.com – check your email address and old versions of your password on this site. It will tell you if your account is one of 4.7 billion that have been compromised in previous breaches.
 
Next week we’ll look at further ways to secure your accounts and protect your personal information.
 
A note about Equifax’s TrustedID Premier credit monitoring that is offered free. In my opinion, this is a little more than a finger in the dyke. At the end of the 1 year agreement the price becomes $19.99/month which is, in my opinion, an exorbitant price.

Breakdown of what is included in TrustedID Premier:
- Credit Monitoring at all 3 bureaus. While credit monitoring can reveal fraudulent attempts at new credit being opened in your name, this doesn’t prevent new credit being opened.
- Equifax Credit report lock – That’s a good offering, but it doesn’t do anything for the other three reporting bureaus (Experian, Inovis, and Transunion). A credit lock can be obtained directly with each bureau for a nominal charge.
- Equifax Credit report – This is something you are entitled to receive once a year, for free, from each of the bureaus.
- Equifax credit freeze – Freezing credit reports at just one bureau won’t do much. In order to prevent new lines of credit being opened in your name a credit freeze needs to be put in place with all four credit reporting bureaus.
- Social Security Monitoring – apparently Equifax has a service that monitors “the dark web” for the sale of social security numbers. It makes no claims that the service will be able to search all sites for card numbers.
- $1M Identity Theft Insurance (under written by a 3rd party) – good luck getting a penny out of that.

It appears that many of the credit reporting bureaus are in the credit monitoring business and offer similar services and pricing to Equifax. Unfortunately, there are no services that can prevent your credit from being stolen.
 
A few years ago, Lifelock’s CEO had his identity stolen 13 times after he claimed Lifelock would prevent identity theft. http://marketingshmarketing.net/post/130466094301/lifelock-marketing-fail-ceo-get-hacked-13-times
 



Related Posts

It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout.

Cole Goebel 26 March, 2024

Why Your Cybersecurity's Biggest Risk Likes Coffee Breaks: The Human Element

Discover how the human element can be the biggest threat to cybersecurity and how tools like…

Cole Goebel 19 March, 2024

Beyond Detection: Navigating the Aftermath of a Cyber Threat

Beyond Detection: Navigating the Aftermath of a Cyber Threat Detecting a threat is only the first…

Cole Goebel 29 February, 2024

The Best Network Security Tools for Businesses: A 2024 Guide

The Best Network Security Tools for Businesses: A 2022 Guide In today’s digital-first world,…