Equifax? Let’s Talk Data Breaches and Identity Theft

What You and the Government Should Do in Light of Equifax’s Data Breach


By Arleena Faith

A few days ago news arrived that Equifax’s security had been breached and that approximately 143 million people were affected. Equifax waited more than a month to disclose the data breach. If your personal information was stolen, Equifax’s delay in notifying the press granted the perpetrators enough headway to cash out your data on the Dark Web and to erase any evidence connecting them.

If you are a working citizen or legal resident who has had credit reports issued—in order to gain employment, to rent or to buy living spaces—it is likely that you will be impacted. If it did not directly “touch” you, it probably touched one of your relatives, acquaintances, or someone you know. It is a matter of time until it makes its way to you.

What You Should Do

1) Get A Copy Of Your Credit Report

Since Equifax appears to have difficulty in answering whether your data was part of the breach or not, get a full copy of your credit report and review all of your current data. Do not wait for them to give you the news or waive your rights by signing up for their TrustedID Premier membership details. Based on the way that this event unfolded and the time that Equifax waited to notify the press, there could be credit or loan applications initiated on your behalf—by a stranger.

2) Freeze Your Credit

You might be able to freeze your credit for free if you use the Equifax website’s statement indicating that you may be a victim of the data breach. In any case, move fast, before you find yourself involved in the process of proving that someone else is impersonating you, just as Amy Krebs did in 2013 through a nightmare of legal affairs that lasted several months of her life. When interviewed by Forbes magazine, Amy recalled,

“I had to prove who I am, I had to go through court, I had to go through grand jury, I had to give testimony. I am very fortunate in my case that I had someone to point to. Sometimes, people aren’t as fortunate.” (‘Someone Had Taken Over My Life’ by Forbes).

Indeed, a security freeze is what the FTC recommends as a result of Equifax’s incident. It can be done in one day, it does not have negative consequences on one’s credit score and it generally does not hinder students from getting Direct Stafford Loans (particularly if the educational institution that the student belongs to has previously requested other loans on his or her behalf). It may have an impact on private or Direct PLUS loans. However, a temporary freeze lift is available for emergencies.

On the bright side, this is a golden opportunity to petition the United States’ government for executive action to tighten the loosening grip of our national creditors. If millions of users freeze their credit within the next few weeks the impact will be unprecedented. It will give us--American consumers--the right to avoid a scenario in which unknown entities own our information and can impersonate or incriminate us in unfathomable crimes.

3) Monitor Your Credit

Signing up for a credit monitoring service ten years ago seemed unnecessary. Today, the growth in security breaches makes it a wise move. While a security freeze prevents new inquirers from accessing your credit file for seven years, it does not prevent criminals from gaining access to your file through authorized creditors. This is a risk that credit monitoring helps mitigate. Use your judgement in choosing a provider. Chances are that if you signed up for a AAA yearly membership you already have complimentary ProtectMyID Essential or CreditCheck Select and merely need to complete the registration to receive the benefits. Note that CNBC warns against using Equifax’s TrustedID service.

4) Tell The I.R.S.

Now that your Social Security Number and the rest of your personal details might be circulating “out there,” you must alert the Internal Revenue Service. Otherwise, your tax return could end up in someone else’s bank account—this actually happened to a personal friend. Download, complete and mail the Identity Theft Affidavit Form 14039 to the closest IRS location, so that they require confirmation of identification to access or to file a tax return on your behalf.

5) Tell The F.T.C.

Read the FTC’s Identity Theft Recovery Steps and learn all of your options. Then follow with a report of the incident. Formally reporting Identity Theft with the FTC is beneficial for statistical research and for our government to understand the gravity of the issue, so that they—hopefully—allocate more funding to fight it. It is additional documentation for a police report--should you proceed to freeze your credit and want to avoid the fees.

What Our Government Should Do

What the United States’ government should do is not “rocket science.” The technology is available, already in use and definitely affordable by the hyper-wealthy creditors that spend so much on aggressive advertisement each year and so little to protect our privacy and our personal data. Our government should mandate multi-factor authentication (MFA) in order to grant any credit or to open any loans, or to offer online banking services over the Internet. While there is no guarantee that MFA is tamper-proof, it makes it harder and costlier for remote attackers to abuse Personally Identifiable Information (PII) that they can steal by breaching the security of online institutions. Our taxpayer-funded National Institute of Standards and Technology (NIST) states,

“Stopping all online crime is not a realistic goal, but simple steps can massively reduce the likelihood you’ll be the next victim.” (Back to basics by NIST).

Shall our government “walk the talk”?

The Root Cause: PII Is The Bounty And SSNs The “Holy Grail”

The problem is older than we think and overlooked by the banking industry. This summer, I went to Cambridge (Massachusetts) and had the amazing honor to meet in person one of my teachers from the CyberSecurity Certification program that I took in 2016 at the Harvard Extension. Professor Scott Bradner—legendary pioneer of the ARPANET, who made significant contributions to the IETF and served as a board member for ARIN, the IETF, and the Internet Society among others—and I had an engaging conversation on the familiar topic of CyberSecurity.

We spoke about the rise in Identity Theft that Scott foresaw a decade ago. In 2009, he published “Guessable SSNs, but is that the real problem?” at NetworkWorld, trying to create awareness and to reveal the actual “root cause” of the issue. Scott explained that a Social Security Number “was designed to disambiguate between people, not serve as proof of identity” and that,

“the basic idea that a credit card company would grant credit to someone just because they produced a string of digits that hundreds of organizations legitimately store and thousands of people have legitimate access to is absurd” (Guessable SSNs by Scott Bradner).

He demonstrated in his article how the approach used in generating SSNs was flawed and how the banking industry—oblivious to it—embraced it without questioning it, thereby inheriting its flaws. He suggested that the government should actually publish everybody’s names and SSNs so that creditors are forced to establish a more secure system to grant credit. And while Scott’s suggestion is controversial to some, many of us realize that at least, enforcing multi-factor authentication is now a necessity.

Not Convinced? Here's A Personal Story

Earlier this year I was alerted by one of my credit monitoring vendors about changes in my credit score. When I checked my profile I discovered that a new account was opened in my name through a branch of the Synchrony Bank in Florida. I immediately called them and--to their credit--they had already flagged the account. They claimed that they tried to call me to confirm the information in the application and not receiving my feedback caused them to halt the process, blocking the criminals from accessing the credit line.

The eerie side of the story was how that credit line was opened. According to the credit reports and what the credit bureau representatives told me, they used my name, an old phone number and an old mailing address. They did not use my SSN, which corroborates how dangerously easy it is to obtain credit in the United States. The feeling of what lawbreakers can do is uncanny. I have a friend who went to court to prove that a $20,000 loan issued in his name was not his.

As a result of my own story and the stories of others, I advise caution with online retailers that advertise instant approval for credit card applications. This is how I suspect that it happened in my case. I found one place (an online shopping account) storing old contact information—the same information provided to Synchrony for the credit line. Based on my personal research, that particular website—the online shopping portal of one of the largest department stores in the United States—advertised instant approval credit card offers from Synchrony Bank. I suspect that the security of the site was breached--potentially, by insiders.

Because no LAPD detective ever followed up with me after I filed the police report, and because I have no “tangible” evidence spelling out how the fraud took place, I am not making a formal statement to accuse that retailer, or to publish its name. In the end, a name is irrelevant when the threat of Identity Theft through credit card applications or credit card purchases online exists everywhere. Still, I will “echo” what the officer—who processed my report at the station—said about Identity Theft,

“It happens so often...Yours is the ninth Identity Theft report that I have processed in the past four hours after I started my shift today. You are the lucky one that did not lose any money. The others did; some lost a lot...”

Sometimes, paranoia pays off.

About Arleena Faith

Arleena Faith studies Computer Science at the Harvard University Extension School, Harvard University, Cambridge, Massachusetts. Twice NASA intern and graduate from the NASA Community College Aerospace Scholar (NCCAS) workshop (Fall 2014), Arleena is interested in a diversity of Technology topics that range from CyberSecurity to Data Science.
