Between May and July of this year 143 million people in the U.S. may have had their names, Social Security numbers, birth dates, addresses and even driver's license numbers accessed. In addition, the hack compromised 209,000 people's credit card numbers and personal dispute details for another 182,000 people. What bad actors could do with that information is daunting. All told, as much as 44 percent of the US population will feel the impact of this breach for years to come, especially when it comes to their Social Security numbers. “When this type of stuff happens…” says Alex McGeorge, the head of threat intelligence at the security firm Immunity. “Your Social Security number doesn’t change, so this data is going to get resold on the black market and hold its value for a while.” Assuming data was stolen by criminals and not a nation state, experts predict that it will circulate for years.
"Equifax will tell me if there's a problem."
No. And if someone takes out a loan in your name 15 years down the line, it will be hard to prove that it happened because of this breach. But it could happen.
Brian Krebs writes, "I have repeatedly urged readers to consider putting a security freeze on their accounts in lieu of or in addition to accepting these free credit monitoring offers, noting that credit monitoring services don’t protect you against identity theft (the most you can hope for is they alert you when ID thieves do steal your identity), while security freezes can prevent thieves from taking out new lines of credit in your name."
Q: What’s involved in freezing my credit file?
A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and TransUnion.
Con artists may try to take advantage of the #Equifax breach by contacting you, claiming to be Equifax or your bank. Be careful.
Equifax's site used to set up credit account monitoring in the wake of last week's security breach is also vulnerable to hackers, ZDNet has learned.
In the aftermath of the breach, the going recommendation has been to set up alerts and freezes on any and all credit accounts. Countless are thought to have flocked to the websites and the credit rating agency phone banks to protect themselves from hackers.
The problem is that the Equifax site used to set up alerts on individuals' credit rating history (which we are not linking to) can be easily spoofed, according to a security researcher.
The site is used to request a 90-day fraud or active duty alert for credit report holders — thought to be the majority of Americans. But vulnerabilities in the site can allow hackers to siphon off personal information of anyone who visits. The repair website is also vulnerable to a cross-site scripting (XSS) attack, which lets an attacker run malicious code on a legitimate website or web application, such as Equifax's site.
If you are unable to freeze your credit, consider PRBC, a consumer credit reporting agency, more commonly referred to as a credit bureau, in the United States. It is similar to the other four U.S. credit bureaus (Equifax, Experian, TransUnion and Innovis) in that it is an FCRA (Fair Credit Reporting Act) compliant national data repository. However, PRBC differs in a few distinct ways. Consumers are able to self-enroll and report their own non-debt payment history to PRBC. They can build a positive credit file based on alternative data, such as timely payments for bills such as rent, utilities, cable, telephone, and insurance that are not automatically reported to the other bureaus. PRBC's service is offered free of charge. When someone takes out a loan, the lender or merchant will pay a fee to PRBC so they can see his or her alternative credit rating.
If you see any items on your credit reports that you don’t recognize, contact the creditor and the reporting bureau immediately. You’ll need to follow steps to report the potential identity theft and get the account removed from your credit report. Visit www.identitytheft.gov to get started on a plan to remedy this issue.
Make a plan to file your taxes next year. It’s possible that the Equifax hackers will sit on Social Security numbers until tax filing season. Then they’ll try to use your tax information to file a tax return in your name before you can. The best way to beat this tactic is to file your taxes as early as possible.
Dedicate a cheap tablet to financial applications only, and do not browse the web on it. Check its settings against the guidance at https://www.fcc.gov/smartphone-security
The following companies offer identity theft insurance, some as part of a homeowners policy, some as an endorsement and some as stand-alone coverage:
ALLSTATE INSURANCE
AMERICAN FAMILY
AMERICAN INTERNATIONAL GROUP
CHUBB GROUP OF INSURANCE COMPANIES
ENCOMPASS INSURANCE
ERIE INSURANCE
FARMERS GROUP
FIREMAN'S FUND
LIBERTY MUTUAL
NATIONWIDE
STATE FARM
TRAVELERS INSURANCE
USAA
WEST BEND MUTUAL
Keeping your Social Security number secret may not be enough to protect you from identity theft. According to a new study, a crook need only figure out where and when you were born–information often easily found on social networking sites like Facebook–to guess your number in as few as 1000 tries. Those individuals particularly at risk were born in smaller states after 1989, when receiving a Social Security number at birth became the norm. The researchers found visual and statistical patterns in publicly available SSN data, showing that “a strong correlation exists between dates of birth and all 9 SSN digits.” They were able to develop a prediction algorithm that “exploits” the fact that individuals with similar birth dates who registered in the same state “are likely to share similar SSNs,” the study says.
Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits. But as more banks, credit card companies, and government agencies have used them as proof of identification, Social Security numbers have become a key instrument used to fake another's identity. To help credit bureaus spot fraud, the Social Security Administration (SSA) publishes all records for deceased Social Security holders, as well as publicly describing the method for assigning numbers in various states. But researchers have now found that this very information opens the door to guessing someone's number.
Here's how Social Security numbers work: Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01 to 99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially.
On the surface, the process seems like it would lead to randomized–and thus secure–numbers. But it doesn't. When economist Alessandro Acquisti and computer scientist Ralph Gross of Carnegie Mellon University in Pittsburgh, Pennsylvania, compared SSA's public death records with birth data, they found that area numbers are not rotated until all 9999 serial numbers have been assigned. So instead of each of New York's 85 area numbers being the possible starting three digits for any Social Security number on any given day, Social Security numbers are assigned essentially in order: 576-32-0001 is followed immediately by 576-32-0002, etc. That means a potential thief can narrow down a number simply by knowing the date (often some 6 to 11 weeks after birth) on which one received it. After 1989, individuals started receiving Social Security numbers at birth, rather than at their discretion (often when they began their first job), so pinpointing these people's numbers is especially easy, says Acquisti.
So easy in fact that Acquisti and Gross were able to do it themselves. Using fairly standard computer algorithms, the duo predicted the first five digits of Social Security numbers for people born after 1989 44% of the time on the very first try. On a handful of attempts, they managed to get all nine digits on the first try, but at the very least they could predict the full numbers of 8.5% of those born after 1989 in fewer than 1000 tries, they report online today in the Proceedings of the National Academy of Sciences.
Such statistics, says Acquisti, mean that a computer-savvy attacker could simultaneously test numbers on credit applications easily accessible online and harvest some 47 numbers per minute. "Information that is publicly available is enough to predict Social Security numbers with a degree of accuracy which is quite concerning," he says.
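The three-field structure described above (area, group, serial) and the harvesting rate Acquisti describes suggest two defender-side checks: a parser that splits a submitted number into its fields without keeping the raw number in logs, and a detector that flags a client which tests many numbers on a credit-application endpoint, or many numbers sharing one area-group prefix, inside a short window. The Python below is an added example written for this page; it is not code from the article, from Equifax, or from the Acquisti and Gross study. The log line format, the thresholds, the IP addresses, the sample numbers and the fingerprint key are all constructed assumptions.

```python
"""Added example, not code from the article or the Acquisti/Gross study.
parse_ssn() splits a number into the area/group/serial fields described
above; find_enumeration() scans credit-application submissions for a client
that tests many SSNs in a short window or many SSNs sharing one area-group
prefix (the sequential-allocation pattern the study relies on).
Log format, thresholds, IPs and the fingerprint key are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
LOG_RE = re.compile(r"^(\S+) (\S+) POST /apply ssn_prefix=(\S+) ssn_fp=(\S+)$")


@dataclass(frozen=True)
class SSN:
    area: str    # 3-digit area number (issuing state)
    group: str   # 2-digit group number, 01-99
    serial: str  # 4-digit serial, assigned sequentially

    @property
    def prefix(self) -> str:
        return f"{self.area}-{self.group}"


def parse_ssn(text: str) -> SSN:
    """Split a nine-digit SSN (dashes optional) into its three fields."""
    m = SSN_RE.match(text.strip())
    if not m:
        raise ValueError("SSN must be nine digits in the form AAA-GG-SSSS")
    area, group, serial = m.groups()
    # The article gives group numbers as 01-99; rejecting serial 0000 is an
    # added assumption (that serial is not issued), not from the article.
    if group == "00" or serial == "0000":
        raise ValueError("group 00 and serial 0000 are never issued")
    return SSN(area, group, serial)


def is_valid_ssn(text: str) -> bool:
    try:
        parse_ssn(text)
        return True
    except ValueError:
        return False


def log_fields(ssn: SSN, secret: bytes = b"example-only-key") -> str:
    """What an application should log instead of the raw number: the area-group
    prefix (needed for the probing check) plus a keyed fingerprint, so distinct
    submissions can be counted without storing SSNs in log files."""
    digits = (ssn.area + ssn.group + ssn.serial).encode()
    fp = hmac.new(secret, digits, hashlib.sha256).hexdigest()[:12]
    return f"ssn_prefix={ssn.prefix} ssn_fp={fp}"


def parse_log_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, prefix, fp = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, prefix, fp


def find_enumeration(lines, window=timedelta(seconds=60),
                     max_distinct=10, max_same_prefix=5):
    """Return {client_ip: reason} for clients whose submissions inside one
    window look like SSN testing rather than a genuine application."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_log_line(line)
        if ev:
            per_ip[ev[1]].append((ev[0], ev[2], ev[3]))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (t_end, _, _) in enumerate(events):
            recent = [e for e in events[: i + 1] if e[0] >= t_end - window]
            distinct = {fp for _, _, fp in recent}
            if len(distinct) >= max_distinct:
                alerts[ip] = f"{len(distinct)} distinct SSNs within {window.seconds}s"
                break
            by_prefix = defaultdict(set)
            for _, prefix, fp in recent:
                by_prefix[prefix].add(fp)
            prefix, fps = max(by_prefix.items(), key=lambda kv: len(kv[1]))
            if len(fps) >= max_same_prefix:
                alerts[ip] = (f"{len(fps)} distinct SSNs sharing prefix {prefix} "
                              f"within {window.seconds}s (sequential probing)")
                break
    return alerts


def build_sample_log():
    """Constructed sample traffic: one genuine applicant, one client probing a
    run of consecutive numbers (576-32-0001, 0002, ...), and one client with a
    few unrelated numbers spread over several minutes."""
    base = datetime(2017, 9, 14, 10, 0, 0)
    lines = [f"{base:%Y-%m-%dT%H:%M:%SZ} 198.51.100.5 POST /apply "
             + log_fields(parse_ssn("123-45-6789"))]
    for n in range(1, 13):
        t = base + timedelta(seconds=2 * n)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 POST /apply "
                     + log_fields(parse_ssn(f"576-32-{n:04d}")))
    for n, ssn in enumerate(["234-56-7890", "345-67-8901", "456-78-9012"]):
        t = base + timedelta(minutes=2 * n)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 192.0.2.9 POST /apply "
                     + log_fields(parse_ssn(ssn)))
    return lines


if __name__ == "__main__":
    for ip, reason in find_enumeration(build_sample_log()).items():
        print(f"ALERT {ip}: {reason}")
```

The same-prefix rule fires before the plain volume rule on the constructed probing client, because consecutive numbers share their area and group; a lender that only counted total submissions per client would catch the burst later or miss a slower probe entirely. The keyed fingerprint lets the detector count distinct numbers without the log itself becoming another store of SSNs.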
The threat is real, agrees information privacy expert Chris Hoofnagle of the University of California, Berkeley. "Using Social Security numbers for both identification and authentication is no longer tenable, because possession of the number–unlike a fingerprint–offers no verification of identity," he says. It is also clear, says Hoofnagle, that years of consumer education to teach people not to share their Social Security number isn't adequate when one can simply predict a number.
“When one or two attempts are sufficient to identify a large proportion of issued SSNs’ first five digits, an attacker has incentives to invest resources into harvesting the remaining four from public documents or commercial services,” the authors conclude.
“Maybe no one single piece of that information in itself is personally identifiable, but when you start linking the pieces of information with even a little bit of context, you can with a high degree of probability identify someone personally,” says Helen Nissenbaum, a professor of media, culture, and communication at New York University, who did not work on the study.