Yesterday, I wrote about the Equifax breach and how genealogy can be tied to that breach in the article, Equifax Data Breach, Genealogy and You.
It appears that some folks may not realize how the combination of the Equifax breach AND your genealogy info can be tied together to compromise your online and financial security. I should have given a specific example. This is really, really important, so I’m writing an update today.
This situation is WAY MORE IMPORTANT than your genealogy itself.
I cannot believe those words just came out of my mouth.
It has also come to my attention that banks and other institutions may not use the same types of security measures around the world, so people outside of the US may not be familiar with how we do business here. However, in the past day, this breach has extended beyond the US, so please, read on no matter where you live, even if you read yesterday’s article carefully. There’s more you need to know today.
This breach doesn’t just relate to existing credit card accounts and establishing new accounts, but relates to your bank accounts, tax refunds and government services that you might apply for in the future, including Social Security and Medicare benefits. You don’t want some crook stealing your identity, filing for your taxes and applying for benefits, which means you can’t.
The Perfect Storm
Here’s an example of how this breach creates the “perfect storm,” for the crooks anyway, which is your worst nightmare come true.
In just three steps, made much easier by Equifax (thanks), your money can be gone.
Step 1 – In the Equifax breach, your social security number and address (along with other personal information like account numbers) were part of the information that was stolen.
Step 2 – Let’s say that at your bank, you use your social security number or your old street address as your password. Through the Equifax breach, the crooks now have that info, so they try both of those and voila, now they have progressed to your security questions, because the bank was smart enough to realize that the sign-in request was not coming from your home computer.
Step 3 – Let’s say you have established two security questions at the bank. Your questions are your mother’s maiden name, which is freely available in your family tree, and your grandmother’s birth location, which is also available in the same source.
Poof – the crook is in and your money is gone.
Yesterday, when setting up a credit freeze at one of the three credit reporting sites, six of the 8 security questions I could select from were genealogy related and readily available in online trees – surnames, middle names and birth locations. Obviously, they don’t know about online trees and how easy it is to obtain that information – and they need to fix that security loophole. Even if you don’t have an online tree, you may well be in someone else’s.
In some cases, security questions can be selected by you. Don’t just pick the easy ones you can remember. Pick something that absolutely CANNOT be found online in any way associated with you. Your first pet’s name, for example.
However, if your first pet was a goldfish named Goldie that you accidentally flushed down the toilet and you published a blog article about that traumatic event – that’s not a good choice either.
Your first boyfriend’s name? Did you marry him or someone with the same first name? Then not that either.
So, what to do if you don’t get to select your security question and it’s something like your mother’s maiden name?
Yep, tell a lie. It’s OK. Your children will thank you when you don’t have to live with them when you’re old and impoverished because your money was all stolen and your social security benefits too.
Make something up – but remember your lie or write it down someplace safe (i.e. not on a yellow sticky Post-it on the bottom of your keyboard at work) – because your access to your own account is tied to that information.
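One way to check your own answers against your own tree, as an added example that is not part of the original article: it assumes the tree has been exported in the standard GEDCOM format, and the sample tree, the answers and the function names are all constructed for illustration.

```python
import re
import secrets

# Constructed sample GEDCOM export (fictional people), standing in for a public tree.
SAMPLE_GEDCOM = """\
0 @I1@ INDI
1 NAME Mary Ann /Holloway/
1 BIRT
2 PLAC Cedar Falls, Black Hawk, Iowa, USA
0 @I2@ INDI
1 NAME Edith /Brannock/
1 BIRT
2 PLAC Tazewell, Claiborne, Tennessee, USA
"""

def public_tokens(gedcom_text):
    """Collect lower-cased name parts and place parts that the tree exposes."""
    tokens = set()
    for line in gedcom_text.splitlines():
        m = re.match(r"\d+\s+(NAME|PLAC)\s+(.*)", line.strip())
        if m:
            tag, value = m.groups()
            # NAME wraps the surname in slashes; PLAC is a comma-separated hierarchy.
            parts = re.split(r"[\s/]+", value) if tag == "NAME" else [value, *value.split(",")]
            tokens.update(p.strip().lower() for p in parts if p.strip())
    return tokens

def audit_answers(answers, gedcom_text):
    """Return the questions whose answer can be read straight from the tree."""
    exposed = public_tokens(gedcom_text)
    return sorted(q for q, a in answers.items() if a.strip().lower() in exposed)

def made_up_answer(words=3):
    """A random 'lie' to record somewhere safe in place of the real answer."""
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"
    return "-".join("".join(secrets.choice(alphabet) for _ in range(5)) for _ in range(words))

# Constructed security answers for illustration.
MY_ANSWERS = {
    "Mother's maiden name": "Holloway",
    "Grandmother's birth location": "Tazewell",
    "First pet's name": "Biscuit",
}

if __name__ == "__main__":
    for q in audit_answers(MY_ANSWERS, SAMPLE_GEDCOM):
        print(f"{q}: answer is in the tree; replace with {made_up_answer()}")
```

A clean result only covers the tree you checked; the same names and places may still appear in someone else's tree.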
There’s all kinds of advice on password selection. Strong passwords are long strings that mix upper and lower case letters with numbers.
Of course, you can’t possibly remember these passwords, so you will write them down and that too can be stolen. But, chances are that password in your house is less likely to be compromised than information associated with you available online – at least in my house.
Password cracker software runs through thousands of possibilities in the blink of an eye. That’s why most sites today lock your account after some number of erroneous tries. Bummer if you’ve just made a mistake.
Don’t use the same password for multiple sites either. If a crook compromises one location, the first thing they are going to try is a second location.
Storing your password list in your cell phone probably isn’t such a good idea either. Someone asked about password “safes” offered by some vendors. I’ve never used them. Think about how attractive those would be for hackers. Use at your own risk.
Worse yet, personally identifying information, like what was obtained from the Equifax breach, is used to reset passwords, so you can easily see how a crook could use info they have obtained from Equifax to reset your passwords.
If your bank and brokerage accounts offer something called two factor authentication, that might be a good option. Two factor authentication requires information plus something you physically have, generally meaning your phone. Access to your account then requires both the password and a PIN or token issued from something physically in your possession. Yes, I know this is a huge pain. But having your identity stolen is a bigger pain that never ends and thanks to Equifax, more than half of the country is now at a much higher risk than ever before.
Back to the Equifax Breach
In addition to what I wrote in yesterday’s article, you need to know the following things:
- Even if the Equifax site tells you that your data has “probably” not been breached, don’t believe them. It has been discovered and reported by multiple news agencies (along with my personal experience) that if you enter the same data, exactly the same way, multiple times, the Equifax story changes relative to whether or not your data was breached. Do not take comfort if the site tells you that your data has not been breached. I don’t think they actually have a clue. Assume that it has been breached and take appropriate measures.
- Even if your credit has supposedly not been breached but your spouse’s has, much of your account information is the same, so consider your account breached too.
- Equifax says that this breach now extends to some people in the UK and Canada, but no further information has been provided. For safety’s sake, assume you are one of these people whose accounts have been breached.
- Equifax originally required you to waive your rights to join a class action suit in order to take advantage of their free credit monitoring for a year if they tell you your data has been breached. They have now recanted that position and their website now says the following as of noon today:
Options for Protecting Yourself
The Equifax breach has long-term and permanent ramifications: while you can change things like your e-mail address and close a credit card account, you can’t easily change things like your name, address and social security number. Those are much more difficult to change and together readily identify you as you – or the crook as you.
So, you need to accomplish multiple goals:
- Know if fraudulent activity has taken place
- Monitor to know if fraudulent activity is taking place
- Prevent crooks from obtaining credit in your name by using the credit reporting services
- Prevent bank accounts and other financial accounts from being compromised
- Protect your assets like tax returns, social security and other benefits for which you may today or someday be eligible
The bad news – there is no one single way to do all of this, so you’re going to have to make some decisions and take multiple steps.
I’ve compiled information in the following chart. Please keep in mind, I’m not a lawyer nor a CPA – so please educate yourself and only use this as a guideline – not gospel. Plus, things change and right now, Equifax is changing their story daily – and it takes days to sign up for their credit monitoring service. I was able to freeze my account yesterday.
In the article, Equifax Data Breach, Genealogy and You, I discussed Credit Monitoring Services, Credit Reports, Fraud Alerts and Credit freezes, sometimes called security freezes. The chart below represents my understanding of how these services work together to protect consumers.
| Safety Goals | Credit Report | Credit Monitoring Service | Fraud Alert | Credit Freeze | Comment |
|---|---|---|---|---|---|
| Has fraudulent activity already taken place? | Free once yearly for all 3 services, Equifax, Experian and TransUnion | Typically a paid service that provides credit reports to you periodically. Sometimes provided for free when your data is known to have been involved in a breach. | Does not report past events | Does not report past events | |
| Monitor to know if fraudulent activity is taking place | No, only deals with events that have already taken place | No, only deals with events that have already taken place | Free service for 90 days that requires a lender to contact you to verify your identity before issuing credit in your name. You must renew every 90 days. | Allows consumers to freeze their credit. Consumer must unfreeze when they are applying for new credit, then refreeze. You must freeze at all 3 agencies for this to be effective. | |
| Prevent crooks from obtaining credit in your name through credit reporting services | No, only deals with events that have already taken place | No, only deals with events that have already taken place | Yes, but expires and consumer must renew every 90 days | Yes, doesn’t expire but you have to remove freeze when you want new credit. Must freeze at all 3 agencies to be effective. | |
| Prevent bank accounts and other financial accounts from being compromised | Not related to bank accounts | Not related to bank accounts | Not related to bank accounts | Not related to bank accounts | Use strong passwords, change passwords often, do not use security questions where answers can be found publicly or in credit reports, read the links below to know what to look for |
| Protect your assets like tax returns, social security, etc. | Not related to this type of protection | Not related to this type of protection | Not related to this type of protection | Not related to this type of protection | Stay hyper-vigilant, file as soon as possible, read the links below to know what to look for |
You can read what the IRS says about identity protection at this link:
Here’s what the Social Security Administration says about identity theft:
God forbid you ever really do need to change your social security number:
Here’s the FTC’s document about identity theft, what to do, how to report identity theft and a recovery plan.
From the FTC, signs and signals of identity theft.
Again from the FTC, a scam alerts site.
Please note that this situation is fluid. Educate yourself and follow this in a credible news source for developments that may change your remediation plans.
Thank you to people commenting on the original article and providing additional, useful information.
I apologize to my readers for this diversion these past few days with identity theft combined with genealogy. Unfortunately, because genealogists do share and as humans, we are inclined to use information we readily know, that means we’re vulnerable to the crooks – because our genealogy information is near and dear to us, and we remember it easily.
Fortunately, this is easy to fix by not utilizing our genealogy information that we so readily know.
I do love genealogy, particularly genetic genealogy, and I have absolutely no intention of giving it up. I am, however, now more vigilant. I’ve changed my personal security questions, or the answers, so that my family tree and blog articles don’t give me away.
I will be making sure that information from the past hundred years is marked as private. It not only puts me at risk, it puts anyone else in that same line of descent at risk too.
Keep in mind, there’s nothing you can do about someone else’s tree online that may include your grandmother’s birth location. This means that my preventative measure of making the last hundred years private in my tree may amount to closing the barn door after the cow has left.
I’ve frozen my credit, meaning I’ll have to unfreeze it when I apply for a loan someday for a new car. Maybe that means because of the inconvenience I’ll spend less. Hey, there has to be a silver lining someplace.
Here’s what I don’t want, for either you or me. I don’t want my legacy to be the grandma who had everything stolen and had to go and sleep on the park bench….you get the drift.
I hope you’ve found this helpful, and I sincerely hope I never feel compelled to write about something this serious again.
Let’s do everything we can to prevent that so we can get back to genetic genealogy. All of this bother is interrupting my research time!
Again, I’m not a lawyer or a CPA. I have no ties to the financial industry except for being a consumer. Use at your own discretion. Educate yourself. Consider this a resource, not gospel. Follow this developing story and make course corrections as needed. Changes are occurring rapidly. Presume the worst. It’s better than presuming the best and being wrong.