The Equifax Data Breach: What To Do Now

News broke this week of yet another major data breach. Equifax, one of the main credit reporting companies, was hacked back in July and sensitive personal information for more than 143 million Americans was exposed. If a credit report has ever been run for you, chances are strong that your data has been compromised in this hack. The three big credit agencies have a very high duty to keep customer information safe, and they failed outright.

According to Equifax the data breach lasted from mid-May through July. Hackers accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.

Equifax has set up a website so that people can check and see if they have been hacked. I strongly urge against this. Equifax’s website is filled with security holes. Their executives reportedly sold Equifax stock in the five weeks between the discovery of this data breach and notifying anyone about it. Equifax is also pushing their own credit monitoring service. Why trust someone twice with your valuable information? This is like asking the guy who robs you at gunpoint to watch your kids for you.

Here’s what the FTC suggests you should do to protect yourself after a data breach:

  • Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.
  • Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.
  • Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
  • If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
  • File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

How Not To Get Hacked – Six Easy Steps

There’s been a lot of talk about Russian hackers these days, and while the thought of getting hacked by the Russians (or anyone else) often conjures up thoughts of Jason Bourne, most incidents of hacking are actually much less sophisticated. Let’s face it, hackers, like us, often take the easy way out and go for low-hanging fruit. The good thing about this is that it’s relatively easy to avoid getting hacked. What follows is a simple primer – how not to get hacked – six easy steps.

How Not To Get Hacked Step 1:

Create Strong Passwords

The first and most important rule is to never use the word “password” for your password. Don’t use these passwords either:

  • 123456
  • 123456789
  • qwerty
  • 1111111
  • 123123
  • qwertyuiop
  • 123321
  • 666666
  • 1q2w3e4r5t
  • google

These were the most commonly hacked passwords in 2016.

What all of these have in common is that they are painfully obvious. It is very important to choose your passwords carefully. Don’t use the name of your dog or cat or children. All of these are easily guessed. Strong passwords are cryptic – a meaningless string of numbers, letters, and characters. It’s also important to not use the same password for everything. Your Gmail or Yahoo password shouldn’t be the same as your Facebook password and that shouldn’t be the same as your bank password. Imagine if you were one of the billion or so Yahoo users who were hacked! The hackers would suddenly also have access to your bank account and your social media presence. They could learn everything about you at once.

Check HERE to see if any of your email account passwords have been compromised. If they have (and they probably have been), make sure you go change the passwords at the sites where you have an account (or where you set up an account eons ago).

How Not To Get Hacked Step 2:

Stop Trying To Remember Passwords…Get A Password Manager

As a website designer I need nearly 1,000 passwords in order to get my work done. Even if I had a meaningful and secure logical way of producing passwords, I would never remember them all. For the past 4 years I’ve been using LastPass. Basically LastPass creates extremely complex passwords (more than 20 characters if I want) and then remembers them whenever I go to a website. All I have to do is create one very long strong password that works as a master password. The master password will then unlock a secure, encrypted vault that contains each unique password for all of your accounts. Password managers also integrate seamlessly into Web browsers, so you can quickly log into any of your accounts from any of your devices. The basic version of LastPass is actually free. If you want to use LastPass on your mobile devices, then all it costs is $1/month.

How Not To Get Hacked Step 3:

Use Two-Factor Authentication

Two-factor authentication requires you to enter a password and then a second code, which is texted to your cell phone or sent to your email, so that a stolen password alone is not enough to log in. The exact methods may vary, but two-factor authentication is a much more secure way to prove that you’re you.

How Not To Get Hacked Step 4:

Be Wary of Public Wi-Fi

If you take the right steps to secure your Internet connections, you will probably be okay with public wi-fi. However, avoid doing the following things while on public wi-fi:

  • Don’t check email.
  • Don’t access your bank accounts.
  • Don’t shop online.

In general, whether on public wi-fi or not, seek out websites that start with https:// instead of http://. That extra “s” is a critical level of security. Legitimate shopping, bank, and email websites all use SSL encryption.

For more information about the danger of public wi-fi, check out Norton’s post on the risks of public wi-fi.

How Not To Get Hacked Step 5:

Be Defensive and Watch Out for Phishing Tactics

Spoofing is a tactic cyber criminals use to steal passwords from people who actually know how to come up with complex passwords. This is also called phishing. They’ll get you to click on a link leading to a spoofed website that looks exactly like the one at which you have an account. When you “log in” to the spoofed website, your log-in credentials are stolen. Do not click on the link. Instead, delete the phishy email.

How Not To Get Hacked Step 6:

Trust Your Instincts

If an email or website seems suspicious in any way, delete it or don’t visit it. Many of the attacks – an email phishing campaign for example – attempt to take advantage of our caution and reason by appearing to come from an authoritative source – like our banks, credit card companies, or even the IRS. But in reality, most of those entities will mail you multiple letters before any action is taken. If something – even mailed to you – looks suspicious, pick up the phone and call your bank. Don’t use the number on the suspicious mailing or email.

How To Avoid Phishing and Spear Phishing

Phishing is when someone sends you an email that looks like it came from a bank or service you trust. They try to get you to open an attachment that compromises your device or to click on a web link and to sign in on a malicious website.

Spear phishing is the same as phishing, except the email you receive is especially crafted just for you. The attacker has researched you well and knows who your friends, family and associates are. They may know who you work for and what you are working on. The phishing email received in a spear phishing campaign looks much more authentic, appears to come from someone you know and may refer to something you are working on. Spear phishing attacks have a much higher success rate.

Follow these two simple rules to avoid a phishing or spear phishing campaign:

  1. Never open an attachment unless you are 100% certain that someone you trust sent it to you. If you have any doubt at all, pick up the phone and call the person.
  2. Never click on a website link unless you are 100% certain that the person or organization that sent it to you is someone you trust. When you do open the link, check your browser location bar at the top for the following:
    • The location should start with https://
    • The part after https:// should be the domain name of an organization you trust. For example, it should say paypal.com and not paypal.com.badsite.com. Everything between the https:// and the next forward slash in the location should be a name that you trust.
    • The https:// part should be green if you are using Chrome and it should also say “Secure” to the left.
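The location-bar checks in the list above, applied to a link before you trust it, as an added example that is not part of the original post. It uses the WHATWG URL parser that browsers and Node.js share; the trusted-domain list and the sample links are constructed for the example.

```javascript
// Added example (not from the original post): apply the location-bar rules
// above to a link. Assumes a short list of domains the reader trusts.
const TRUSTED = ["paypal.com", "example-bank.com"]; // constructed list

// Returns { ok, reason, host } for one link.
function checkLink(link, trusted = TRUSTED) {
  let u;
  try {
    u = new URL(link);
  } catch (e) {
    return { ok: false, reason: "not a valid URL", host: "" };
  }
  // Rule 1: the location must start with https://
  if (u.protocol !== "https:") {
    return { ok: false, reason: "not https", host: u.hostname };
  }
  // "user@host" before the first slash: the real host is what follows the @,
  // so a link like https://paypal.com@badsite.com/ actually lands on badsite.com.
  if (u.username !== "" || u.password !== "") {
    return { ok: false, reason: "credentials embedded in URL", host: u.hostname };
  }
  // Internationalised names are stored in punycode (xn--); a look-alike
  // spelling of a trusted brand shows up here rather than as the brand.
  const host = u.hostname.toLowerCase();
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalised look-alike host", host };
  }
  // Rule 2: the part between https:// and the next slash must be the trusted
  // domain itself or a subdomain of it (www.paypal.com), matched on a label
  // boundary so paypal.com.badsite.com and notpaypal.com are both rejected.
  const match = trusted.find((d) => host === d || host.endsWith("." + d));
  if (!match) {
    return { ok: false, reason: "host is not a trusted domain", host };
  }
  return { ok: true, reason: "trusted domain " + match, host };
}

// Constructed sample links: legitimate ones beside the kind a phishing mail carries.
const SAMPLES = [
  "https://paypal.com/signin",
  "https://www.paypal.com/myaccount",
  "https://paypal.com.badsite.com/login",
  "http://paypal.com/signin",
  "https://paypal.com@badsite.com/",
  "https://notpaypal.com/",
];
for (const s of SAMPLES) {
  const r = checkLink(s);
  console.log((r.ok ? "OK      " : "REJECT  ") + s + "  (" + r.reason + ")");
}
```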

If you receive an email that looks suspicious in any way, just delete it. Then pick up the phone and call the person who sent it to you. They may not know their email account has been hacked.

How To Avoid Social Engineering

Social Engineering is what happens when someone phones you and pretends to be an organization or individual that you trust. They will try to get sensitive information out of you including passwords, usernames and a description of systems that you have access to.

This kind of attack is common and is used to commit tax refund fraud. It is also used to gain access to your bank accounts. You will even find attackers trying to get access to your workstation by telling you that they have found something wrong and asking you to install their software to fix it.

You can use a simple technique to avoid social engineering scams. Usually the individual will claim they’re from a reputable company or organization. Simply hang up, find the organization’s central number, call back and ask for that individual or someone in the same role.

Using the callback method is an effective way to defeat social engineering.

Staying Safe Online: The Connect4 Cyber Security Survival Guide

Today I’m publishing a guide that I hope will help improve your personal online security. This guide focuses on the basics – how to reduce the life-altering risks we face as we navigate the internet.

This is a Cyber Security survival guide. I’m going to start by giving you a clear picture of the current state of Cyber Security. Then I’m going to prioritize what you should be protecting. I’m going to focus on the biggest risks and I will explain how to reduce the risk for each category.

If you find this useful, please go ahead and share it extensively.

Current State of Cyber Security

Would you believe it if I told you that there’s a 66% chance that your data has already been stolen and will be stolen again and again? Unfortunately, it doesn’t matter whether you use secure passwords, two-factor authentication, are young or old, or which websites you visit or businesses you do business with. At various points in your life, your data will be stolen. And in all likelihood, it will be stolen repeatedly.

Today, 64% of Americans have already had their data stolen through data breaches. That is almost two out of three people.

In the past 3 years we saw the first data breach of more than 1 billion user accounts with the Yahoo breach. That breach affected 1 in 7 people on our planet! In the United States, the OPM breach included the data of our top spies, including their fingerprints and personal data. Even our intelligence services can’t protect highly confidential personnel data.

Data has been stolen from private companies, intelligence agencies and the military. Even cyber security companies have had their data stolen.

How Data Is Stolen

Even if you use a strong password, two-factor authentication and best practices for security, your data will still be stolen, because in some cases the companies whose services you use will fail to protect their own networks and systems.

How to Prioritize What to Protect

If data breaches are the new normal and if you accept the premise that they are inevitable and unavoidable, the problem we need to solve in our personal and business lives becomes “How do I reduce the risk and the impact of a breach?”

It’s helpful to start this conversation by trying to prioritize what we need to protect. I’m focusing on the really important, upper-level things. This is my prioritized list, so it’s possible your list could be in a different order.

  1. Information about us that could help criminals target us in the real world.
  2. Our financial means – savings accounts, ability to borrow, and our assets.
  3. Sensitive personal information – medical records, tax data and other private data.
  4. Our ability to earn an income through our reputation and our ability to provide products or services to people.

Preventing Criminals from Targeting Us in the Real World

In most of the developed countries, it is rare to hear stories of real-world targeting of individuals through information they have ‘leaked’ into the cyber realm. But in developing countries where there’s a greater disparity of wealth, or if you happen to be a superstar or athlete in a developed country, it might be good to:

  • Never show high value items (like jewelry or cars) online.
  • Share your location in general terms, and if you want to share a specific location, do it after you have left that location.
  • Don’t share information that may indicate when or how much you’ve been paid.
  • Consider making social profiles only available to people you have approved.
  • If you work for someone or some entity with access to highly confidential information, avoid disclosing who your employer is and what your job title is. This includes public websites like LinkedIn.

Protecting Your Financial Means

I’m not concerned with credit card fraud in this section. That risk falls on the vendor and transactions can be reversed. Instead, I’m focused on the kind of risk that can have a permanent impact on your financial well-being.

If an attacker is able to authorize a wire transfer from your savings account, they can empty your bank account and the funds may never be recoverable. This risk applies to savings accounts, checking accounts and investments like brokerage accounts and money market accounts.

If they are able to borrow in your name, it can permanently damage your credit score and your ability to borrow money to buy a home, for example.

I suggest taking the following steps to reduce the risk of large scale financial fraud:

  1. Make a list of savings and investment accounts. Audit each account to determine how you prove your identity when transferring funds and get a clear idea of what an attacker would need to do to commit fraud on each account.
  2. Implement any additional security provided by your banks or brokerages:
    1. callback to a predetermined number.
    2. authorization from multiple parties prior to transferring funds.
    3. two factor or hardware-based authentication.
    4. limiting transaction size when not in person.
    5. real-time alerts.
  3. Monitor account statements weekly. Make this a routine.
  4. Place a credit freeze on your credit report if you are in the U.S. This restricts access to your credit report and makes it difficult for thieves to open up accounts in your name.
  5. Place a fraud alert on your credit report – also if you are in the U.S. This lasts 90 days and forces businesses to verify your identity before issuing you credit.

In all of the cases above, if you are able to choose a password, choose one that is complex (more than 12 characters, including uppercase, lowercase, numbers, and other characters), and use a password manager.

Protecting Your Sensitive Information

Sensitive data that you need to protect includes your medical data, tax data, and social security number. There are two surprisingly easy ways of protecting this information.

First, try to avoid creating data about yourself. If it doesn’t exist, you don’t need to protect it. You will frequently find forms that ask for your social security number or equivalent. Most of the forms don’t actually require it. Don’t provide it if it’s not required.

Second, the best way to protect data is to delete it. Once again, if it doesn’t exist, it doesn’t need to be protected. Don’t hoard sensitive data. When you do need to store and protect your sensitive data, encrypt it and use strong device passwords.

Protecting Your Ability to Earn an Income and Protecting Your Reputation

Most of us rely on some type of IT infrastructure to earn a living. Whether you are an architect, photographer or computer programmer, it is important that you secure the systems you use. Here are a few tips to secure your own systems and the services you use:

  • If you have a WordPress website, make sure that you have a malware scanner and firewall in place, and look into upgrading your security by using SSL.
  • Use a password manager like LastPass to automatically store and generate long complex passwords that are different for each system you access.
  • Secure your phones, tablets, laptops, and PCs by using disc encryption when available and use complex passwords for device access.
  • Avoid adding data you don’t need to the systems you use.
  • Enable two-factor authentication on all systems or services you use.
  • Keep backup drives in a secure place and destroy sensitive data that you don’t need. Never simply throw backup devices in the trash without either using secure wiping software or physically destroying them with a large hammer.

Protecting Your Online Reputation

If you use social media, never simply ‘Share’ or retweet someone else’s post until you have fully read it, understood it and also understand any context around it. If you accidentally share something that is highly controversial without fully understanding what you’re sharing, you may find your professional reputation severely damaged.

Secure any social media accounts that you own. If your account is hacked, it may be used for spam which could damage your online reputation.

Secure any websites that you own. If your website is hacked, it will damage your search engine ranking and infuriate your customers if their data is stolen. This can have a severe impact on your reputation. If you use WordPress, install Wordfence which will help prevent a hack.

When installing apps on your smartphone, avoid apps that are aggressively viral. Some apps gain access to your contacts list and can SMS, private message or email your contacts a message from you that suggests they also sign up for the service.