Yesterday, I wrote about the Equifax breach and how genealogy can be tied to that breach in the article, Equifax Data Breach, Genealogy and You.
It appears that some folks may not realize how the combination of the Equifax breach AND your genealogy info can be tied together to compromise your online and financial security. I should have given a specific example. This is really, really important, so I’m writing an update today.
This situation is WAY MORE IMPORTANT than your genealogy itself.
I cannot believe those words just came out of my mouth.
It has also come to my attention that banks and other institutions may not use the same types of security measures around the world, so people outside of the US may not be familiar with how we do business here. However, in the past day, this breach has extended beyond the US, so please, read on no matter where you live, even if you read yesterday’s article carefully. There’s more you need to know today.
This breach doesn’t just relate to existing credit card accounts and establishing new accounts, but relates to your bank accounts, tax refunds and government services that you might apply for in the future, including Social Security and Medicare benefits. You don’t want some crook stealing your identity, filing for your taxes and applying for benefits, which means you can’t.
The Perfect Storm
Here’s an example of how this breach creates the “perfect storm,” for the crooks anyway, which is your worst nightmare come true.
In just three steps, made much easier by Equifax (thanks), your money can be gone.
Step 1 – In the Equifax breach, your social security number and address (along with other personal information like account numbers) were part of the information that was stolen.
Step 2 – Let’s say that at your bank, you use your social security number or your old street address as your password. Through the Equifax breach, the crooks now have that info, so they try both of those and voila, now they have progressed to your security questions, because the bank was smart enough to realize that the sign-in request was not coming from your home computer.
Step 3 – Let’s say you have established two security questions at the bank. Your questions are your mother’s maiden name, which is freely available in your family tree, and your grandmother’s birth location, which is also available in the same source.
Poof – the crook is in and your money is gone.
Yesterday, when setting up a credit freeze at one of the three credit reporting sites, six of the 8 security questions I could select from were genealogy related and readily available in online trees – surnames, middle names and birth locations. Obviously, they don’t know about online trees and how easy it is to obtain that information – and they need to fix that security loophole. Even if you don’t have an online tree, you may well be in someone else’s.
In some cases, security questions can be selected by you. Don’t just pick the easy ones you can remember. Pick something that absolutely CANNOT be found online in any way associated with you. Your first pet’s name, for example.
However, if your first pet was a goldfish named Goldie that you accidentally flushed down the toilet and you published a blog article about that traumatic event – that’s not a good choice either.
Your first boyfriend’s name? Did you marry him or someone with the same first name? Then not that either.
So, what to do if you don’t get to select your security question and it’s something like your mother’s maiden name?
Yep, tell a lie. It’s OK. Your children will thank you when you don’t have to live with them when you’re old and impoverished because your money was all stolen and your social security benefits too.
Make something up – but remember your lie or write it down someplace safe (i.e. not on a yellow sticky postit in the bottom of your keyboard at work) – because your access to your own account is tied to that information.
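One way to run this check against your own tree, as an added example that is not part of the original article: it reads a GEDCOM export, collects the names and birth places a stranger could see, and flags security answers built only from those words. It assumes your tree can be exported as GEDCOM; the sample records, questions and function names are constructed for illustration.

```python
import re
import secrets

# Constructed sample GEDCOM export (fictional people).
SAMPLE_GEDCOM = """\
0 @I1@ INDI
1 NAME Ann Marie /Carter/
1 BIRT
2 DATE 12 MAR 1931
2 PLAC Dayton, Montgomery, Ohio
0 @I2@ INDI
1 NAME Ruth /Ellison/
1 BIRT
2 PLAC Kokomo, Howard, Indiana
"""

def words(text):
    """Split text into lower-case words, ignoring punctuation and slashes."""
    return re.findall(r"[a-z0-9]+", text.lower())

def public_facts(gedcom_text):
    """Collect every word of the names and places recorded in the tree."""
    facts = set()
    for line in gedcom_text.splitlines():
        parts = line.strip().split(" ", 2)   # level, tag, value
        if len(parts) < 3:
            continue                         # e.g. "1 BIRT" has no value
        tag, value = parts[1], parts[2]
        if tag in ("NAME", "PLAC"):
            # NAME wraps the surname in slashes; PLAC is comma separated.
            facts.update(words(value))
    return facts

def audit_answers(answers, facts):
    """Return the questions whose answer consists only of words in the tree."""
    exposed = []
    for question, answer in answers.items():
        tokens = words(answer)
        if tokens and all(t in facts for t in tokens):
            exposed.append(question)
    return exposed

def made_up_answer(groups=4):
    """Random replacement answer that is tied to nothing about you.

    Write it down somewhere safe: account recovery depends on it.
    """
    alphabet = "abcdefghijkmnpqrstuvwxyz23456789"
    return "-".join(
        "".join(secrets.choice(alphabet) for _ in range(5))
        for _ in range(groups)
    )

if __name__ == "__main__":
    facts = public_facts(SAMPLE_GEDCOM)
    my_answers = {                           # constructed answers
        "Mother's maiden name": "Carter",
        "Grandmother's birth city": "Kokomo, Indiana",
        "First pet": "Biscuit",
    }
    for q in audit_answers(my_answers, facts):
        print(f"{q}: answer is in the tree, replace with {made_up_answer()}")
```

The check only covers the tree you feed it; the same answer may still appear in a relative's tree or in a blog post.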
There’s all kinds of advice on password selection. Strong passwords require a lengthy string that mixes upper and lower case letters with numeric characters.
Of course, you can’t possibly remember these passwords, so you will write them down and that too can be stolen. But, chances are that password in your house is less likely to be compromised than information associated with you available online – at least in my house.
Password cracker software runs through thousands of possibilities in the blink of an eye. That’s why most sites today lock your account after some number of erroneous tries. Bummer if you’ve just made a mistake.
Don’t use the same password for multiple sites either. If a crook compromises one location, the first thing they are going to try is a second location.
Storing your password list in your cell phone probably isn’t such a good idea either. Someone asked about password “safes” offered by some vendors. I’ve never used them. Think about how attractive those would be for hackers. Use at your own risk.
Worse yet, personally identifying information, like what was obtained from the Equifax breach, is used to reset passwords, so you can easily see how a crook could use info they have obtained from Equifax to reset your passwords.
If your bank and brokerage accounts offer something called two factor authentication, that might be a good option. Two factor authentication requires information plus something you physically have, generally meaning your phone. Access to your account then requires both the password and pin or token issued from something physically in your possession. Yes, I know this is a huge pain. But having your identity stolen is a bigger pain that never ends and thanks to Equifax, more than half of the country is now at a much higher risk than ever before.
Back to the Equifax Breach
In addition to what I wrote in yesterday’s article, you need to know the following things:
- Even if the Equifax site tells you that your data has “probably” not been breached, don’t believe them. It has been discovered and reported by multiple news agencies (along with my personal experience) that if you enter the same data, exactly the same way, multiple times, the Equifax story changes relative to whether or not your data was breached. Do not take comfort if the site tells you that your data has not been breached. I don’t think they actually have a clue. Assume that it has been breached and take appropriate measures.
- Even if your credit has supposedly not been breached but your spouse’s has, much of your account information is the same, so consider your account breached too.
- Equifax says that this breach now extends to some people in the UK and Canada, but no further information has been provided. For safety’s sake, assume you are one of these people whose accounts have been breached.
- Equifax originally required you to waive your rights to join a class action suit in order to take advantage of their free credit monitoring for a year if they tell you your data has been breached. They have now recanted that position and their website now says the following as of noon today:
Options for Protecting Yourself
The Equifax breach has long-term and permanent ramifications: while you can change things like your e-mail address and close a credit card account, you can’t easily change things like your name, address and social security number. Those are much more difficult and together, readily identify you as you – or the crook as you.
So, you need to accomplish multiple goals:
- Know if fraudulent activity has taken place
- Monitor to know if fraudulent activity is taking place
- Prevent crooks from obtaining credit in your name by using the credit reporting services
- Prevent bank accounts and other financial accounts from being compromised
- Protect your assets like tax returns, social security and other benefits for which you may today or someday be eligible
The bad news – there is no one single way to do all of this, so you’re going to have to make some decisions and take multiple steps.
I’ve compiled information in the following chart. Please keep in mind, I’m not a lawyer nor a CPA – so please educate yourself and only use this as a guideline – not gospel. Plus, things change and right now, Equifax is changing their story daily – and it takes days to sign up for their credit monitoring service. I was able to freeze my account yesterday.
In the article, Equifax Data Breach, Genealogy and You, I discussed Credit Monitoring Services, Credit Reports, Fraud Alerts and Credit freezes, sometimes called security freezes. The chart below represents my understanding of how these services work together to protect consumers.
| Safety Goals | Credit Report | Credit Monitoring Service | Fraud Alert | Credit Freeze | Comment |
|---|---|---|---|---|---|
| Has fraudulent activity already taken place? | Free once yearly for all 3 services, Equifax, Experian and Transunion | Typically a paid service that provides credit reports to you periodically. Sometimes provided for free when your data is known to have been involved in a breach. | Does not report past events | Does not report past events | |
| Monitor to know if fraudulent activity is taking place | No, only deals with events that have already taken place | No, only deals with events that have already taken place | Free service for 90 days that requires a lender to contact you to verify your identity before issuing credit in your name. You must renew every 90 days. | Allows consumers to freeze their credit. Consumer must unfreeze when they are applying for new credit, then refreeze. You must freeze at all 3 agencies for this to be effective. | |
| Prevent crooks from obtaining credit in your name through credit reporting services | No, only deals with events that have already taken place | No, only deals with events that have already taken place | Yes, but expires and consumer must renew every 90 days | Yes, doesn’t expire but you have to remove freeze when you want new credit. Must freeze at all 3 agencies to be effective. | |
| Prevent bank accounts and other financial accounts from being compromised | Not related to bank accounts | Not related to bank accounts | Not related to bank accounts | Not related to bank accounts | Use strong passwords, change passwords often, do not use security questions where answers can be found publicly or in credit reports, read the links below to know what to look for |
| Protect your assets like tax returns, social security, etc. | Not related to this type of protection | Not related to this type of protection | Not related to this type of protection | Not related to this type of protection | Stay hyper-vigilant, file as soon as possible, read the links below to know what to look for |
You can read what the IRS says about identity protection at this link:
Here’s what the Social Security Administration says about identity theft:
God forbid you ever really do need to change your social security number:
Here’s the FTC’s document about identity theft, what to do, how to report identity theft and a recovery plan.
From the FTC, signs and signals of identity theft.
Again from the FTC, a scam alerts site.
Please note that this situation is fluid. Educate yourself and follow this in a credible news source for developments that may change your remediation plans.
Thank you to people commenting on the original article and providing additional, useful information.
I apologize to my readers for this diversion these past few days with identity theft combined with genealogy. Unfortunately, because genealogists do share and as humans, we are inclined to use information we readily know, that means we’re vulnerable to the crooks – because our genealogy information is near and dear to us, and we remember it easily.
Fortunately, this is easy to fix by not utilizing our genealogy information that we so readily know.
I do love genealogy, particularly genetic genealogy, and I have absolutely no intention of giving it up. I am, however, now more vigilant. I’ve changed my personal security questions, or the answers, so that my family tree and blog articles don’t give me away.
I will be making sure that information from the past hundred years is marked as private. It not only puts me at risk, it puts anyone else in that same line of descent at risk too.
Keep in mind, there’s nothing you can do about someone else’s tree online that may include your grandmother’s birth location. This means that my preventative measure of making the last hundred years private in my tree may amount to closing the barn door after the cow has left.
I’ve frozen my credit, meaning I’ll have to unfreeze it when I apply for a loan someday for a new car. Maybe that means because of the inconvenience I’ll spend less. Hey, there has to be a silver lining someplace.
Here’s what I don’t want, for either you or me. I don’t want my legacy to be the grandma who had everything stolen and had to go and sleep on the park bench….you get the drift.
I hope you’ve found this helpful, and I sincerely hope I never feel compelled to write about something this serious again.
Let’s do everything we can to prevent that so we can get back to genetic genealogy. All of this bother is interrupting my research time!
Again, I’m not a lawyer or a CPA. I have no ties to the financial industry except for being a consumer. Use at your own discretion. Educate yourself. Consider this a resource, not gospel. Follow this developing story and make course corrections as needed. Changes are occurring rapidly. Presume the worst. It’s better than presuming the best and being wrong.
Thank you, Roberta! This was timely and very important!
Thank you. I have been hacked and will take as many precautions as possible to fix this. This is my 2nd one. I am still cleaning up the Yahoo break they took so long to tell people about. I appreciate your diligence.
Both of these blogs have been very helpful! Thanks for your knowledge.
Another tip: Credit cards used online are subject to being compromised. Therefore, do not use a credit card online that is from your banking institution. We use a single card, an American Express card, for every online transaction. Amex informs us via email when each and every online transaction occurs. If it was not us, we can stop it immediately. Further, they have on a couple of occasions detected attempts at fraudulent activity and have issued a new card with no action required on our part.
Is this some kind of flim-flam? I try the sites mentioned and I never can get to a “list” where I can see if my security has been breached!
It’s not a list. At the Equifax link, you click on the tab that says “Potential Impact” and it prompts you to enter the last 6 digits of your SS number and your last name.
Roberta. You are so right and EVERYONE should heed your advice. As a retired software geek, I foresaw these events 40 years ago when I got my first ATM cards. I have lied to every bank and financial institution about my mother’s maiden name since then. For certain ethnic groups the advice is even MORE important as large percentages of our mothers share common maiden names. I would add that having multiple email addresses for different things and a total reliance on a secure PASSWORD generating program like 1PASSWORD or LASTPASS is essential.
Roberta, a workaround that I read about for answers to security questions: add a string of letters to the end of the answers. Maybe the first letter of the first five words in a favorite song. A thief may know my mother’s maiden name, but not Jonesascys.
Someone else that I know uses song lyrics.
Thank you so much for this and your previous post, Roberta! I think I would have ignored the dire situation we are all in if you had not explained it so well to all of us. <3, Lou
I always make up my own answers to security questions! ALL security questions!! So the answers to the same questions are different at every site, and none of them are “correct.”
Your opening statements are the very reason, I have a different Birthday and mother’s maiden name that I use for security questions and to set up on-line accounts. It is a security question, not a federal investigation. Make up something that only you know and that cannot be found on-line somewhere.
Thanks ever so much for taking all the time and effort to put this information together. On behalf of all the people who will benefit from your doing this–THANK YOU!
I’m now a Targaryen on my father’s side and a Baratheon on my mother’s side. 🙂
In all seriousness, thank you for this important update.
I was one of the hacked and really appreciate this!
My own update.
Obtaining the free credit reports: Transunion went fine and was easy. Equifax system said it was down, but now the free reporting agency thinks I already received that one and I’m not eligible for another year. I’ve complained, but doubt much will be done. Experian is a nightmare and is making me write to them, hardcopy, and send documents including SS#, drivers license and more, such as utility bills and a mortgage statement. I tried to upload those files, but they said they couldn’t upload the files. What a nightmare.
Regarding the credit freeze: I was able to freeze my Equifax account. My husband put a lock on his account there, thinking it was the same thing. I have not been able to clarify the difference. I was not able to freeze or even access my information at Experian, because I am having to send them documentation by mail, but my husband was able to lock his account at Experian. I put a lock on Transunion because, according to their CSR agent, the difference is that you can unlock easily and for free, and existing creditors can see your account, but no new ones can. My husband froze his Transunion account.
All I can say is that this is a horrid mess for the consumer and the only company I feel even remotely good about is Transunion whose website has worked well, it’s intuitive and they have been very nice and accommodating. Equifax created this nightmare and Experian has created their own.
Please keep in mind, this situation continues to unfold and your decisions may need to be different from mine, and you may receive different information from the companies. You need to make the best choice for yourself in your own circumstances.
After reading your article, I attempted to access the security questions for my credit card, but was unable to figure out how to get to them. They do not make it easy.
Secondly I agree that two factor authentication is a good idea but I have a problem. I do not have cell phone reception at home, so I tried to use my landline number but they would not accept it because it was not a cell phone number. A Catch 22 situation.
They can’t use a landline number because they can’t message you through a landline. And you’re right, they don’t make it easy.
Tried to put a credit freeze this morning with Equifax. Aside from the fact every time I tried, it did not complete (too many people at once trying to do the same?) I just do NOT understand why the information requested to freeze/unfreeze your credit there is the exact same information that has been hacked, meaning anyone who has access to your information also has access to freezing or unfreezing??? There was no different information requested to verify who you are or PIN generated or secondary authentication available or anything. Am I MISSING something??? Congress needs to make a requirement that Equifax offer free monitoring for LIFE, not for a year. That is the LEAST they owe us.
If you get through to Equifax to do the freeze, they will issue you a pin number, to your e-mail. You MUST have that pin to unfreeze the account. So yes, the crooks could freeze your account, but why would they want to do that? Your pin is required to unfreeze, and only the person receiving your e-mail would have that, not the crooks. And I agree with you 100% about what Equifax owes everyone. I think freezes/unfreezes should be free everyplace in light of this and Equifax should have to reimburse everyone who had to pay to freeze their accounts due to their malfeasance.
There is updated detailed information provided at these links.
Perhaps this is a good reason to have a PRIVATE tree, rather than a public one. Thank you for providing this info, Roberta.
Most places that display trees provide the ability to selectively mark people as private. I have my tree set so that living people and those deceased but born within 100 years are also private.
Roberta, yesterday I received an email from info at equifaxbreachsettlement.com. I had to search my brain to remember if this was legitimate or a phishing scam and vaguely remembered your covering this. Apparently, after your two articles, I signed up, and yes, my data was in the breach. The email reads, in part, as follows:
“You filed a claim in the Equifax Data Breach Settlement and chose to receive free, three-bureau (Equifax, Experian, and TransUnion) credit monitoring from Experian for four years. Implementation of the Settlement was delayed by appeals; however, the Settlement is now effective because appellate courts have affirmed it. This email provides additional information about the services provided by Experian as part of the Settlement and how you can enroll.
“You are receiving free membership in Experian IdentityWorks℠ for four years. You must enroll by June 27, 2022.
This service is free for you and provided as a Settlement benefit. You do not need to provide any payment information to enroll and you do not need to cancel the service when it ends. We encourage you to enroll today.”
This explanation is then followed by an activation code and instructions on how to sign up, as well as a summary of the service.
I think I received the same email but deleted it because I receive so much spam and assumed it was too. How ironic.