The recent string of data breaches is alarming. Target, Home Depot, JP Morgan Chase, and eBay were all hacked. Update: perhaps the biggest hack of all came more recently with Equifax (see my posts on how to protect yourself from the Equifax hack & Equifax class action settlement details and Equifax claim amendment email).
Serious stuff, but the damage was fairly limited to email addresses (at best) and credit card numbers (at worst). I changed my eBay login credentials and kept an eye on the credit card I had used at Home Depot. Inconvenience? Absolutely. But in the grand scheme of life – not that big of a deal.
The Anthem hack of 80 million current and previous customers is a different story altogether. The fact that it was so deep (names, Social Security numbers, DOB, addresses, email addresses, employment information, income data, and more) and so easy (Anthem didn’t even encrypt their data!) is absolutely frightening. This is, by far, the largest and most serious data breach in history.
Armed with that amount of personal information, there is really no end to what hackers could do with it and when they could use it. Outside of changing your identity and/or Social Security number, those who were hacked (myself included) will have to spend a lifetime looking over their shoulders.
If you weren’t a part of this hack, first, consider yourself lucky. Second, recognize it’s time to take action immediately. Anthem proved to all of the bad guy hackers out there just how easy, how deep, and how valuable hacking medical data can prove to be. This public knowledge will lead to an exponential growth in medical data hacking attempts and undoubtedly some successful breaches. You may have dodged the bullet this time, but do you know how well all of the companies you have ever entrusted your personal information to are safeguarding it? Frightening thought, isn’t it?
This Anthem situation has made me very angry at the lack of control we as consumers have over our data. And I wanted to write this article to help you get some of that control back. Some of this may be a pertinent reminder, but all of this should be heeded.
Protect your Credit and Identity
If a hacker has your Social Security number, it’s probably only a matter of time before they try to open a fraudulent account with your identity. You can’t control that. However, there are things that you can do to control how easy it is for them to successfully get that account approved and go on a shopping spree, in your good name. I highlighted, in great detail, how Anthem victims can protect their identity, which applies universally to other companies as well. Techniques include:
- Setting up an initial fraud alert (lasts 90 days)
- Setting up an extended fraud alert (lasts 7 years)
- Closely and frequently monitoring your credit reports (Credit Karma offers free continuous credit report access to TransUnion and Equifax and free credit monitoring as well. You’ll have to pay for these things elsewhere.)
- Monitoring bank, credit card, financial, and medical statements closely for unusual activity
- Submitting your tax return quickly to help protect yourself from e-file identity theft fraud
- Submitting a credit freeze (the most fail-safe option). Note: a credit freeze is similar to a credit lock, but with more consumer protections. And as of September 21, 2018, all Americans can get free credit freezes (and thaws).
- Getting free identity theft protection. Credit Sesame offers $50K in free identity theft insurance with their basic account. Check out my Credit Sesame review for more info.
- Creating critical government account logins before hackers do.
Protect your Login with Smarter Passwords
We’ve all seen dozens of articles urging you to change your password from something as common as abc123 to something much more random (with a combo of letters, numbers, and mixed case) and 100% unique to that account. Yet people don’t. Why? Lazy? Uninformed? I don’t know. Hopefully YOU are neither.
Make your passwords both random and unique per account, people. A password that is only random or only unique to an account doesn’t quite cut it.
For example, with the eBay breach – login credentials were hacked. Had you used the same email/password pairing on any other account – including banks, PayPal, investment, medical, or other accounts – those accounts could have also been hacked. That’s why it is important to have passwords that are unique per account.
Separately, if passwords are unique, but still lazily common (e.g. abc123) or easily guessable (e.g. your pet’s name), then you are also susceptible.
Set Up 2-Factor Authentication
Two-factor authentication (aka 2-step authentication) is still relatively new in the security world, but it’s gaining a lot of popularity.
The basic premise is this: a hacker might be able to get your login and even your password, but if they ALSO aren’t in the same room as you or they don’t have access to the device you are logging in with, then they can’t get into your account.
Usually, this is done by sending a unique authentication code to a mobile device via text message, by using a security key via USB, or via email.
You typically have two options for when to require the authentication:
- With each login: this could be a hassle because it requires that you have access to email or another device to log in. However, it could be great if there are people whom you live with who can’t be trusted with your accounts (unfortunate, but it does happen).
- Only when the account does not recognize your computer or device (i.e. logins from a new device, to confirm that you, in fact, are the one trying to log in from that new device).
A year ago, I switched over my Google account to 2-factor authentication. And just this past week, I noticed that Vanguard started offering 2-factor authentication – which helps me sleep a lot easier at night.
For any account with information you would not want disclosed to others or actions that could be taken that you wouldn’t want (e.g. a bank transfer to an unidentified 3rd party in Nigeria), I highly recommend setting up 2-factor authentication.
Avoid Phishing Scams
Anthem victims are being bombarded by phishing attempts, designed to look like they came from Anthem itself, seeking out more information to help offer credit protection services. This is quite common when a security breach happens. Anthem has stated they will snail mail customers with further information.
Phishing is also quite common even when there hasn’t been a data breach. Plain and simple, phishing is frustratingly still an effective hacking strategy. In fact, it is suspected that the Anthem hack was carried out through a successful phishing attempt by hackers. Here are some tips to avoid getting hacked by phishing emails:
- If you don’t recognize the email sender, don’t open the email.
- If you do recognize the email sender and they are asking you to log in to your account, don’t click on the link. Just type the website’s URL into your browser manually, and log in that way.
- If the email content looks suspicious, even if you recognize the sender, don’t click the link.
- Never download anything you are not expecting to be sent to you.
- Never reply to an email with personal or financial information.
Credit Cards vs. Debit Cards
Credit cards versus debit cards is something that is often debated, but 63% of millennials do not have a credit card, opting for debit cards or cash instead.
Outside of some clear perks like giving you an opportunity to build a stronger credit history and getting cashback rewards, there is one huge security benefit that is relevant here: credit cards offer more consumer protection than debit cards.
I was a victim of debit card theft, and it sucked. Because it was an ATM withdrawal, I had to go through my bank for reimbursement. They did not make it easy on me and did not refund the full amount, leaving me at a loss of $50.
Under federal law, your personal liability for fraudulent charges on a credit card can’t exceed $50. But if someone fraudulently uses your debit card, you could be liable for $500 or more, depending on how quickly you report it. And while the investigation is under way, you could be out the needed funds in your account. It’s a lot less stressful to have someone else’s money (credit provider) be stolen versus your own (bank account).
Watch out for Mail Identity Theft
Everyone should sign up for USPS Informed Delivery ASAP to protect themselves against mail identity theft. When you sign up for Informed Delivery, you can digitally preview actual photographic images of letter-sized mail pieces that are in the process of being sent to your address or P.O. Box through email notifications, an online dashboard, and mobile apps.
This way you know what to expect in the mail, and whether anything fails to make it to your mailbox.
Demand Better Security Protections
My final recommendation for protecting your credit is to demand better security protection from the companies that you work with. As a country, we give companies far too much benefit of the doubt when it comes to protecting our information, and they have not earned it.
There are two ways to do this:
1. Vote with your business
Do your homework.
- Is data encrypted?
- What security measures does the company have in place?
- Does the company offer 2-factor authentication?
If they don’t, take your business elsewhere. And be very vocal with the company you are leaving about why you are taking your business elsewhere. Write to executives and wage a social media campaign; these irresponsible companies need all of the social pressure they can get to start taking this shit seriously. Remember, even if you are not a current customer, your data is probably still a part of their database (as was the case with Anthem).
If you do not have a choice (as I did not with Anthem as my employer’s preferred insurer), urge your employer or government to take action by switching to a new provider.
2. Demand political action
Anthem, with all of the sensitivity of data that they are responsible for, did not even encrypt the data. Why? There’s no legitimate reason other than that they simply were not required to, and opted to avoid the tiny cost to protect their customers and their reputation. The mentality to not encrypt data was the same mentality that resulted in the need for the Clean Water Act – utilities with no regard to public or environmental safety would simply dump toxic waste into a nearby watershed to save money versus paying for proper disposal. Don’t think for a second they didn’t know better.
Think of all the billions this will cost Anthem. Actually – it won’t cost Anthem a penny – they will cover the cost by jacking up our rates. Thanks, guys.
Cyber security is not just a personal threat, it threatens our entire economy. And as consumers, we don’t always have a choice on which companies we are customers of. As such, there are a few simple, low-cost things that should be required from companies that want to do business in the United States that maintain a customer database with sensitive personal information:
- Customer databases must be encrypted
- Those with access to databases should have 2-factor authentication so they can’t be so easily hacked through successful phishing attempts
- Companies should offer customers 2-factor authentication
Failure to do so by a specified date should result in hefty fines or an inability to continue doing business.
These are three extremely simple and cost-effective security measures that every company should eagerly want to implement tomorrow. Not doing so and getting hacked creates exponentially higher monetary losses: the costs to cover PR, identity protection services, lawsuits, fines, and more (thankfully, a number of lawsuits against Anthem have already been launched).
We need protection laws. RIGHT NOW is the perfectly ripe time to demand action from the FTC and from Congress.
Do you have any other suggestions on how individuals can protect their identity? Add to the comments.