What to REALLY do about the Equifax hack

If you are starting out in life, no matter what you do, you will need to have good credit. The first step to having good credit, even when you have no credit at all, is to prevent someone else from ruining it for you. I think we can agree if you end up with terrible credit, it should be a result of your own bad decisions.

There are two kinds of major hacks that will be reported as credit hacks in the press. The ones where they get credit card numbers, as with Target and TJ Maxx, don’t really matter to you personally as a consumer. And the ones like Anthem and Equifax, where they get permanent, identifying information should be treated as an emergency. These are deadly to your entire identity and the damage is permanent, which is why the year or two of credit monitoring they provide as a first line of defense is ultimately worthless. I’ll explain both hacks, but if you read nothing else here, know that signing up for the credit monitoring may stop some short-term credit damage, but it does nothing to prevent identity theft. Ultimately my recommendation is that you read this through now and take all the steps as a preventative. If you don’t care why, or don’t want to understand, and trust me completely/just want to cut to the chase, scroll to the end to the numbered steps. Steps one through three need to happen, in that order, immediately. Less than an hour for most people, maybe $40 if anything (depends on your home state), and you will have saved your future self a ton of time and pain.

This post should be the only article you need to read for some time to come, so reading this now will save you reading future hack headlines for a while.

Credit Card Hacks

When the hackers get credit card information and maybe your email, you should pay attention to your credit card statement. Verify all the line items on your credit card statement are recognizable. You should do this every month, but people get busy, maybe even check online as the month proceeds. Credit card thieves usually start with small charges, vending machines or take out food, maybe gas. Places where there’s no person on the selling side of the transaction, or someone young and inexperienced who has to handle a high volume of small transactions, as they may not follow a rigid protocol. If you see anything, call your credit card company and have the charges disputed.Ultimately bad charges will be covered by the credit card company, as long as you follow their procedure and timeline. (Pretty painless.) Your credit card company will also be very jumpy after a hack like this. If they call or email to verify any information other than specific new charges, I recommend hanging up and calling the number on your credit card or logging into the account directly. (The hackers will also be quick to start phishing for more information about you right after a hack, or sometimes before the hack is public knowledge, so fraudulent calls and emails will be on the rise.) Your credit card company will probably cancel your card and mail you a new one. This means you will not have a credit card for as much as a week, so it’s always a good idea to have second credit card. Leave it at home in a safe place and then it can also serve as a backup in the event of a lost wallet. Maybe have one or two small recurring charges go to it every month, or have it set up as the default card on one account you use regularly to make it useful in building your credit overall.

A word of warning about debit cards and safeguarding your bank account information: The previous scenario should make it clear why you need a credit card and should not use your debit card as a credit card. Use your debit card for ATMs only, and those ATMs should be ones you know and can trust. Debit card usage does not build your credit, and it leaves your bank accounts vulnerable in the event of a hack. Many banks will be helpful, but in some cases the money will not be replaced in your account until the investigation is complete. Closing a bank account and getting a new one opened is  a pain, so you don’t want to  go down that path after a hack. I’ve also read commentary that at this point in time we really shouldn’t even use paper checks because it exposes too much information. If you use your bank’s online bill pay, even when they need to send a physical check to make a payment it will be on the clearing house account, not yours. I don’t recommend signing up for the auto-pay with your bank account, either. Better to make an automatic payment within the bank site to achieve the same goal than run the risk the creditor makes a mistake and accidentally moves a decimal point one month—you’ll be out the cash while you fight to get it back. I also don’t like letting PayPal and similar accounts have bank information, but for some people it is unavoidable.

Identity Hacks

Here’s the really scary story: Once the hackers have this information it will be for sale forever. Just like mailing databases selling to catalogue companies, the hackers sell your file repeatedly. This information will include your current credit card information, your current address, all your past addresses, your social security number, maybe your driver’s license, your birthday, phone number, and any other names you have ever had. (You can get your credit reports for free from each of the three credit bureaus once a year. Do it once at least just to see how complete these reports are, and it’s smart to look at all three before a big purchase.) It doesn’t take much more effort for the criminals to sort that database by addresses and find out your relatives, your mother’s maiden name, and go to town on social media to dig up literally ever other single fact about you (including email). Once the thief has this information, they can apply for credit cards, student loans, health insurance, and mortgages in your name. Technology permits spoofing your phone and email, so once the criminal knows where you bank, it’s not going to be all that hard to click on “forgot my password” and access your accounts. Even if you see all this happening in real time, the reality is you can be locked out of your email in a second, and while you scramble to get that fixed, they are ripping through your accounts. Using your social security information, it’s easy to file early tax returns based on 100% fictional income and deduction information that request a refund, perhaps even in a state where you don’t live, and cash the check long before you and the government connect the dots. (People typically find out about this over a year later when the IRS comes after them for not declaring that refund on their tax return.)

Protecting Yourself

You need to do the first three right now, because the Equifax hack alone currently admits to about 50% of Americans being involved. Hackers never go away or give up going after big targets like this, and they are getting better all the time. There are basically two categories of protective actions: Lock the hackers out of the obvious access points as best you can, and limit details used in identity theft that you expose on social media.

1. Make an online Social Security account right now. You may not think you need it if you are over 65 and collecting, or aren’t yet earning money. But you are making this to block the hackers who we assume have everything they need to make this account. Once they are in there, they are going to be able to see all your prior income information with all the dangers of a whole new level of fraud and crime, and get them in a great position to take over your government benefits. This would be a nightmare to untangle, so just make the account to lock them out. (Although I would also add it’s smart to check your earnings each year are correctly reported in their files. Your benefits are ultimately based on your 30 highest earning years, and it‘s going to be really hard to fix a missed year or decimal error 20 years from now.) If you cannot make this account, you’re going to need to contact Social Security, because it should be very easy—any problems should be a big red flag. (BTW, make sure the older folks in your life know one thing: Social Security will NEVER call them when there’s a problem. Those calls are always frauds.)
2. Make online accounts with all three major credit bureaus and use them to permanently freeze your accounts (free as of 9/2018). You need the online accounts so you lock the thieves out, and you need the freezes so no one can borrow in your name. Do not sign up for the credit agency branded monitoring products, just do the one-time permanent freeze. They hide these links so they can sell you a bunch of other monitoring things, so the direct links you want are here: TransUnion, Equifax, Experian.
3. File identity theft at-risk affidavits with the IRS and your state income tax department (California is here). For reason, simply state you are part of the Experian 2017 hack.
4. Check your financial institution websites and enact all available security measures for investment, retirement, and bank accounts.
5. Remove your birthday and street address from all social media, like Facebook. Moms: If you are linked to your children, consider removing your maiden name from your profile.
6. Seriously consider limiting your profile to Friends only, all social media.
7. Review your friend list, be sure you really know everyone.
8. Be careful on LinkedIn in particular that you are linking to real people. You can do a reverse google image search on any profile photo and ensure the person is real. You’d be amazed how many invites I get from iStock model photos, and when I check the profiles I will see that several of my business friends are already linked to this imaginary person. You can report these fake profiles to LinkedIn quickly by reporting them as inappropriate. While we’re at it, if you don’t have a LinkedIn profile, you are making it easy for hackers to make one for you, so make one for yourself, with a photo, even if you don’t plan to use it just yet.
9. If you are internet famous, get your Twitter account verified. (That one is for you and your friends in Overwatch League and similar, @Jakeow.)
10. If a website asks for your birthday, usually because they want to send you rewards, have a fake internet birthday. (My mom came up with this one.) You just pick a day you can remember, and use it any time you are asked online for a non-financial or -health reason. Best of both worlds, you get the rewards with no risk.
11. Currently, there is no one-stop way to protect yourself from health identity fraud. It’s the most dangerous of all the frauds, because your records can end up with incorrect medical information about allergies or chronic disease that will lead to incorrect treatment in an emergency or slow your access to healthcare when seriously ill. Here’s what you can do:
    • Most doctors and dentists don’t ask for your social security number, but if you see it on a form, just leave it blank. You don’t need that floating around in odd places and they don’t need it to bill your insurance or take your credit card.
    • It pays to be loyal to a health system, so you are somewhat regularly seeing doctors who are looking at your record and discussing it with you so you can catch anomalies.
    • Use the electronic app from your health system. Epic and Cerner together hold over 50% of the Electronic Medical Record (EMR or EHR) market in the US, and while you can’t control the record, you can see much of the information and the health systems can pull information into the record from each other. For example, in San Diego, UC San Diego Health uses Epic, whose app is MyChart. Scripps Health recently switched to Epic, which is also used by CVS pharmacies, so one checkup and the doctor can get most of your local information consolidated as a good starting point.