If you're like me, you spend a lot of time on your computer. For many of us, it's our job. I'm guessing, like me, you spend much of that time online. Protecting your personal information online is a concern for most of us. Whether you're shopping on Amazon or using Google to search for something, cyber thieves are lurking.
It seems like there is a new security breach that gives thieves access to our personal information almost every week.
You remember the 2017 Equifax breach, right? Cyber thieves hacked into the Equifax database and accessed personal information of over 144 million people. If I recall, it was the largest breach of its kind. Even if that's not the case, that's a huge number.
My wife and I were both compromised in the breach. The sick feeling of being violated was palpable at the time. Our first reaction was knee-jerk – panic. Do we cut up all our credit cards? Change bank account numbers? Take all our money out until we figure out what's going on?
All of those things went through our minds. There were two things we realized we could do.
- Put a credit freeze on at the three major credit bureaus
- Make sure we were using a password manager
- Use multifactor authentication
I'll talk more about these things and share some ways the cyber thieves gain access and a simple way to stop at least one of those ways.
Gaining personal information via skimming
Maybe you've heard of skimming. I hadn't until it happened to me. Skimming happens when a thief installs a lookalike card reader over the top of the existing ATM reader. Yes, they're that smart and devious. They also put devices inside gas pumps. Often, tiny cameras get installed that, unless you're looking, you would never see. I used to use my bank card a lot (some of you right now are already questioning my sanity).
My wife and I are very diligent about checking our bank and credit cards online. Cathy was looking at our bank account and noticed a couple of charges that looked strange. The first was a $918.00 charge at the Post Office (who spends that kind of money there?). The second charge was a $230.00 cash withdrawal. We rarely make those kinds of withdrawals and always talk to each other about it when we do.
We immediately called our bank, who promptly shut down the card.
How they did it
As it turns out, the ATM I used had a skimmer device on it. The thieves got my card number and, more importantly, my PIN number via the skimmer. They used that information to recreate my bank card, complete with the card number AND the PIN!
In addition to the skimmer for the card, these crooks also install lookalike keypads to capture your PIN. Gas stations are a prime target for these keypads. They also secretly install cameras over the keypad. The next time you're pumping gas, take a look at the keypad. Take a look around the upper edges and look for tiny holes. If you see any, don't use that pump. If you have the remotest doubt, don't take the chance.
The bank's remedy
Fortunately, the bank put the money back and sent us a new card overnight. They must have increased the security on our account. Shortly after, I went to use the card again and they had blocked it.
When I called, they said they noticed potentially nefarious activity and froze the account. Good for them! As it turns out, those charges were legit.
1. Check the card reader – Before you put your card in an ATM, check the reader. Grab it, try to pull it off, move it left and right. If it moves, don't use it. Notify the bank branch immediately.
2. Check the keypad – Same deal. Before using, wiggle some of the numbers. Grab it on the edges and see if it moves. If it does, see #1.
3. Check for cameras – Take a look above the keypad. Look for tiny holes that look out of place. They may be on top, on the sides near the top, or even above on the border of the machine. If you see anything that looks suspicious, don't use it.
The video below does a great job of showing you how this works and what to do about it.
The Equifax breach
Equifax called their security breach in March 2017 minor. From May to July 2017, the breach quickly turned into a major compromise. Equifax didn't come clean about it until September 2017. They took a beating in the media and with the public for the delay.
If you're a glutton for punishment and want to relive the timeline, you can find it on this Wikipedia page. There was a lot published during the succeeding months about how to protect your information. Credit freezing was tops on the list.
Many of you who found your information compromised took action. Others did not. Like anything of this nature, that's a personal choice. Cathy and I froze our reports. We didn't want to take any chances. Granted, nothing is foolproof. We feel it's the best thing we can do until news comes out that tells us they found the thieves and retrieved our information.
We aren't holding our breaths.
Thieves buy and sell personal information like this all the time. Even if they found the original culprits, there's no telling where the information is now. So we keep the credit freeze on as an insurance policy.
Protect personal information with a credit freeze
I'll give you a rundown of the process of freezing your reports from each of the three major credit bureaus – Equifax, Experian, and TransUnion. It's one of the best ways to protect personal information from hackers.
Equifax set up a special website for customers to see if they got hacked. Millions went to this site when Equifax finally decided to disclose the breach.
Here's the link – 2017 Cybersecurity Incident & Important Consumer Information. One of the things you'll notice when you get to the site is an announcement of a settlement Equifax reached in a class-action lawsuit. The Washington Post did an analysis of the settlement if you want to dig deeper.
What if you weren't compromised?
I've talked to people who say they have no plans to apply for cards, so there's no reason to worry. I disagree! Hackers don't care whether you're applying for credit or not. All they care about is getting your information.
Look at the numbers in the Equifax breach – over 143 million! That could be you! Freezing your report locks the door to the hackers (again, to the extent it can). So if you haven't done this, here are the first steps.
Go to the link above. When you get there, here's what you will see:
Click on the Equifax link and follow the instructions.
It's a pretty simple process. They ask for identifying information. Once verified, you can complete the form.
They will establish a PIN number when you're done and send it in the mail. Make sure to keep that in a safe place.
If you want to unfreeze your report, you will need the PIN.
I'll tell you how to unfreeze shortly.
Click the Experian tab from the Equifax page (see above screenshot) and it takes you to this page:
Click the add security freeze tab to get started. When you click, you move down the page and hit the apply online button.
Similar to Equifax, you complete a form to identify yourself. Once verified, you're good to go.
TransUnion is probably the simplest of the three.
Click their name on the Equifax page and here's where you go:
TransUnion has a service called TrueIdentity that helps manage your TransUnion account. They make it very easy to freeze or unfreeze your account. Once your account is set up, you can freeze and unfreeze your account as needed. You can also add premium services if you wish.
If for whatever reason you need to unlock the reports, the process is fairly simple. Why unlock? If you apply for a mortgage, refinance, switch credit cards, or apply for new cards, they need to access your credit reports.
If you're applying for credit, ask the company what credit bureau they use. Lenders often use one or two. Some use all three. Once you find out, you can go to that agency and unfreeze your account. They will ask you if this is a temporary or permanent freeze.
I'd suggest you make it temporary. In most cases, you can unfreeze it for a day or two at the most. Be sure to tell the lender you're unfreezing the reports for one day only. If they need longer, they will tell you. In my experience, that's all they need. They will run the report on the same day.
Doing this gives you access when you need it and protects you when you don't.
Here's how easy it is at TrueIdentity:
The image is from my account. As you can see, I have it locked. To unlock, click the button.
It's that simple.
Password manager services are online programs that set up a secure vault to store all passwords. There are free and paid versions of these services. Free versions usually cover one device (laptop, desktop, iPad, etc.). The paid versions often cover multiple devices.
When you set up your account, you will create a master password that logs you into your account. Most providers help you create a secure password upfront.
How they work.
When you sign up for an account, the program will analyze all of the passwords stored on your computer. The system then should generate a list of sites and passwords. That list includes a password strength rating and recommendations for which ones need changing. The exercise was an eye-opening experience for me. I had zero strong passwords.
Embarrassingly, most of my passwords were slight variations of the same core. That's a big no-no! Those are easier to hack.
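To make the "slight variations of the same core" problem concrete, here is an added example (not from the original post, and not how LastPass or any other product works internally) that audits a small constructed vault. The sample sites and passwords, the substitution table, and the 12-character threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample vault (site -> password); none of these are real credentials.
SAMPLE_VAULT = {
    "bank.example": "Sunshine1",
    "shop.example": "sunshine2017!",
    "mail.example": "Sun$h1ne",
    "forum.example": "S0undBoard#44",
    "news.example": "q7V!rX2p#Lm9wZ",
}

# Assumed table of common substitutions people use to "vary" a password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"})

def core(password: str) -> str:
    """Reduce a password to the underlying word it was built from."""
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)   # drop trailing years, counters, "!"
    p = re.sub(r"^[\d\W_]+", "", p)   # drop leading digits/symbols
    p = p.translate(LEET)             # undo common character swaps
    return re.sub(r"[^a-z]", "", p)   # keep letters only

def reused_cores(vault: dict, min_len: int = 4) -> dict:
    """Map each core shared by more than one site to those sites."""
    groups = defaultdict(list)
    for site, pw in vault.items():
        c = core(pw)
        if len(c) >= min_len:
            groups[c].append(site)
    return {c: sorted(s) for c, s in groups.items() if len(s) > 1}

def audit(vault: dict, min_length: int = 12) -> dict:
    """Return {site: [issues]} for every entry that needs changing."""
    flagged = {s for sites in reused_cores(vault).values() for s in sites}
    report = {}
    for site, pw in vault.items():
        issues = []
        if site in flagged:
            issues.append("shares a core with other sites")
        if len(pw) < min_length:  # assumed threshold, not a standard
            issues.append(f"shorter than {min_length} characters")
        if issues:
            report[site] = issues
    return report
```

Three of the five sample entries reduce to the same core even though no two of the passwords are identical, which is why one leaked password puts the others within a few guesses.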
LastPass.com is the service I use. Their system can update each site with a weak password with a new, much stronger one. I have LastPass generate my passwords to be sure they meet the test.
You can also choose to enter your own manually. Of course, LastPass determined I'm not very good at that. I now have them generate all of my passwords. You choose the number of characters you want in your passwords (8, 10, 12, with/without #s, characters, etc.). Once you change and store passwords, you can get a browser extension for whatever browser you use to access your websites.
Hackers place software on computers that pick up passwords when you type them in. Password programs prefill usernames and passwords, so you don't have to type anything. Using this feature takes away one option hackers use.
When I go to a new website to create an online account, I use LastPass.com to generate my passwords. It automatically stores the new website login and password in my vault. The next time I go to that website, a number appears on the plugin in my browser. The number lets me know there is a website stored in my vault with a username and password. Depending on the site, the login information may already be auto-filled into the login box. In Chrome, the number 1 tells me there is one website with this URL in LastPass. The password appears as a series of black dots. It is never visible.
I realize all of this sounds complicated, but they make it pretty easy. And when it comes to your online security, you are the only one that can protect yourself.
It's worth the effort.
Three Services to Consider
Most, if not all of these password managers allow you to sign up for a free trial. Check them out and you will find one you like.
Here is a Consumer Reports article that reviews password managers.
Another way to help protect your personal information is to set up two-factor or multi-factor authentication.
Multi-factor authentication requires more than one security check to make sure you are who you say you are before logging into your accounts. You can choose to have a verification code sent via text or email. You then enter that verification code into an authorization box on the site.
Why is this important?
Even if a hacker could steal your login information, including password, they would be unable to get into your account without your authorization code. Though nothing is foolproof, it's about as good as it gets. I use my cell phone rather than an email. Why? Hacking email is more accessible than texts. A cell phone is in my hand. These authentication codes are only good for a few minutes, adding another layer of protection.
I have two-factor authorization set up for all my websites that carry personal or client information, including my password manager. I highly recommend it.
Cybercrime is a major threat to all of us. My wife works in the intelligence community for a government contractor. I have a friend who is an FBI agent. Another friend is a retired special forces guy who works for a government contractor. They operate securely as well.
(What can I say. We live outside of Washington, DC)
To a person, they tell me the number one security threat they deal with on a day-to-day basis is cybersecurity. I trust these folks to take care of the big issues. It's on each of us to take steps to protect our own information.
Let's face it, most of us aren't targets. However, the places online that store our information are very much targets. The cyber thieves are working day and night to get to that information.
Following these steps can at least lock the door to some of these places.
Freeze your reports. Use password managers. Check for skimmers before using an ATM. To the extent possible, don't use bank cards. Credit cards have much better fraud protection.
Pay them off every month like they are a checking account. Check for cameras at the gas pumps.
These are some simple steps to take on your own. We're very glad we did. You will be too.
Now it's your turn. Have you had your bank or credit card hacked? Did your info get compromised in the Equifax breach like mine? Do you use a password manager? Let me know in the comments.