Worried about the Equifax breach? Tips for banks, consumers to respond, prevent future frauds
Friday, September 15, 2017
Posted by: Brian Monroe
By Brian Monroe
September 15, 2017
While cybersecurity experts are quick to point out that data breaches happen “all the time,” the Equifax incursion is not a cyber event easily dismissed by simply changing your Yahoo! email password or getting a new Target credit card. To read the main ACFCS story on the brief, please click here.
This hack can’t be considered the largest ever – Yahoo! achieved that title a year ago this month with the staggering loss of details on 500 million accounts, as well as social media dinosaur Myspace gushing the usernames and passwords of 360 million accounts last year. Yet what sets this cyber event apart from all others is the depth of information hackers captured.
In targeting Equifax – part of the three main credit reporting bureaus – the group snared data on 143 million people, including names, Social Security numbers, birth dates, addresses and in some cases, driver’s license numbers, more than enough to create fake identities or bust into current ones. For a bit of context, the entire population of the United States is 323 million.
The unknown group also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people, including some residents of Canada and the United Kingdom, according to the company.
Sobering figures indeed, with some experts saying nearly everyone in this country should be worried about stolen credit and debit card accounts, or individuals attempting to run up massive loans in their name, for the rest of their lives.
In tandem, banks face new challenges to protect customers and protect themselves in the wake of such a burgeoning breach.
So here are some tips for consumers to consider to better safeguard their financial future, along with important ways banks can better help shield clients and, most importantly, be cognizant of new vulnerabilities and attack vectors potentially coming in the future – including targeted spear phishing attacks trying to dupe top leadership and impersonate cyber defenders.
For consumers to protect themselves:
- Find out if your information was exposed. Visit the Equifax Security site (https://www.equifaxsecurity2017.com/) and click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.
- Whether or not your information was exposed, U.S. consumers can get a year of free credit monitoring and other services. The site will give you a date when you can come back to enroll. Write down the date and come back to the site and click “Enroll” on that date. You have until November 21, 2017 to enroll.
- You also can access frequently asked questions at the site.
- If you had an account with Equifax, change the password. You should never re-use the same password for multiple sites, but if you did, change those passwords as well.
- Check your banking and credit card accounts regularly. Even if your accounts appear safe now, criminals may wait several months and then act when your guard is down.
- Criminals also don’t always take large amounts first. In some cases, for days, or even weeks, they will make small, $1 or $2 charges to see if the credit or debit card is active and the person is paying attention, before attempting to pull out the money in larger amounts. If you see a small charges as a murky “fees” and your bank doesn’t recognize them, that could be the precursors of a major attack.
- Obtain a free copy of your credit report. You are allowed to request a free report annually from each of the three credit reporting agencies.
- Sign up for credit monitoring from the credit reporting agencies, which charge a fee to watch your credit report and alert you to changes to the accounts listed on your credit report. Due to multiple complaints, Equifax has changed some conditions on their offer: now consumers signing up for credit monitoring do not waive any rights to take legal action, and the offer will not automatically renew in 12 months for a fee.
- File a credit freeze, also known as a security freeze, with each credit reporting agency. This will block criminals from opening a credit card or other line of credit in your name. Equifax announced that freezing your credit with their service is now free.
- Place a fraud alert on your credit file. To do this, you need only call one of the credit reporting agencies; the agency you call is then required to inform the other agencies of the alert. A fraud alert can prevent a criminal from opening a line of credit in your name, because the business must verify your identity before issuing the credit. Fraud alerts stay on your credit file for 90 days. After the 90 days have passed, either renew the alert or consider placing an extended fraud alert on your credit file.
- File your taxes as soon as possible each year. This will prevent criminals from filing a false tax return in your name and stealing your refund.
- Be alert for possible phishing emails. If a bank or credit card company requests account information or asks you to click a link, do not respond. Instead, sign into your account in a separate browser and confirm any requests.
- Also be warry of another form of this scheme called vishing as it comes through your phone. If you get a call from your bank, talking about the breach and wanting you to update username and password information over the phone, even they seem to know everything about you, including recent transactions, don’t do it. A bank will never call you to update information.
- Check out as many sources as possible on protecting yourself from identity theft and becoming part of the solution, rather than the problem. Sites including https://www.operationstopit.org/ allow victims to find ways to respond and prevent future attacks as well as liaise directly with law enforcement to help stop criminals.
For banks to help protect consumers:
- Consider sending an email to all clients letting them know about the breach and how to protect themselves. In the email, ask clients to see if their information was compromised by checking on the Equifax site, and, if so, raise the financial crime risk score of those customers to better tune monitoring systems.
- Include in the email that clients should immediately contact the bank if something strange happens in their account, as so many transactions could be happening, a cyber thief stealing a few hundred or even a few thousand dollars might not trip a banks fraud or AML alert monitoring systems.
- Banks should consider broadly tweaking alert monitoring thresholds for customers, either lowering transaction alert figures or creating scenarios for alerts if U.S. customers all of a sudden start transacting or wiring funds, or pull funds out of ATMs, in known hacker havens like Russia, Eastern Europe, certain parts of Asia and the Middle East.
- More broadly adopt two-factor authentication to prevent a hacker from moving funds more easily. At the same time, banks should consider creating more sensitive automated fraud alerts to customers to prevent customer funds being lost, and also make sure those alerts get to internal bank fraud and AML investigators to see if more customers are being victimized.
For banks to help protect themselves:
- Banks should consider either sending a companywide email, or doing live training, for staff at all levels to be more aware, and thoughtful, about any unknown emails that seem to be coming from customers, third-party vendors, staffers or even top leadership and IT professionals as they may actually be from fraudsters.
- Banks should also give targeted training to executives, the “C-suite,” that they could get more emails, seemingly from individuals in their bank or even friends and relatives, that contain malware links. So if they get an unexpected email, even with accurate personal details, asking to check out pictures from a recent vacation, or look at a spreadsheet for an upcoming meeting, send the emails to IT first to ensure they are valid.
- With the depth of details available from the Equifax breach, hackers could send a detailed believable email from a top-ranking bank officer to send high-value wires to certain companies or even act like a company’s cybersecurity officer, directing employees to download a new security update, but which is really malware or ransomware.
- So banks should consider giving training to individuals in their finance, wire, billing and invoicing departments to be ready for scams. The bank could also create a system to double check all emails from executive or finance higher-ups if there are certain changes, such as higher amounts, new wire instructions or new foreign locales.
- Company-wide training should also include not clicking on links to upgrade cybersecurity protocols, even if they seem to come from the IT person. In most cases of networking institutions, IT can do much or all of that behind the scenes, and would only need a user to reboot their computer.
- In that same vein, banks should warn staffers not to click on any links, even if they seem to come from a company offering a free seminar, webinar or in-person event on cybersecurity as during times when breaches are making headlines, they have used that tactic to successfully install malware or ransomware on corporate systems.
U.S. Federal Trade Commission
Identity Theft Resource Center and Executive Director Neal O’Farrell