Note: this writing has been updated with new information on August 25, 2024 (credit bureaus); August 29, 2024 (Login.gov); and August 31, 2024 (credit bureau fraud alerts).
After Have I Been Pwned notified me that my Social Security number and other information had been stolen yet again, it was time to up my game when it comes to securing who I am. Especially after using two online tools that checked my data against the NPD breach and discovering that the records contained my Social Security number, phone numbers, date of birth (not always accurate), and every address I have lived at for over 30 years.
All of this is information that can be used not only to get a credit card or bank account, but to create an account at the major credit bureaus. Enough information to steal who I am.
My SSN had been stolen previously in an AT&T hack, which I’ve still never forgiven AT&T for. That came with a year of credit monitoring, which I am using. I also have alerts at Credit Karma, my banks, my credit cards, and so on, so that any activity triggers a text or email.
I also set up two-factor authentication at every online site I access. My geeky sites, such as this weblog, my domain manager, and my server company, as well as my ID.Me login, all require the use of an authenticator app. My bank, credit cards, insurance companies, and so on use token notification: either sending a code to my email, or sending a text message to my phone.
In the last week, I took the extra step I should have taken a while back, and froze my credit reports at the four credit bureaus.
Yes, four.
I’m covering all these steps I’ve taken the last few days so that folks can check their own security procedures.
First of all: common sense
The greatest weapon you have to protect yourself is your common sense.
If a person calls up claiming to be a relative in jail, hang up. If you get an email with a link, don’t click it. If someone comes to your door and asks for private information, shut the door. Your bank may call you, but they won’t ask you for your account number. The IRS doesn’t call; they write scary things to you in a letter.
(And I was just reminded of all those online quizzes at Facebook and elsewhere asking all sorts of information such as what’s the color of your car. Avoid these like the plague.)
Don’t post personal information online, and also tell your kids not to. Folks on TikTok don’t need to know everything about you or your family. As the California AG’s office notes: be mysterious in your social media accounts.
More importantly, talk with your family and friends to ensure they know to hang up, not post, not click, and shut the door. Go ahead, be annoying. Become a downright nag about it. A little annoyance with you is better than the heartbreak of having one’s life savings cleaned out.
Secondly, alert, alert, alert
Your banks, your credit cards, much of your online life comes with the ability to set alerts. A $10.00 charge on this credit card, alert. A new hard pull on your credit report, alert. A $23,000 charge from France…oh heck yes, alert me.
One good place to set up general alerts is Credit Karma. You’ve probably used this site in order to check out your credit score or see your credit report. The site also gives you the ability to set up alerts for almost every aspect of your credit report and your credit life.
You can also set up alerts at your bank, with your credit cards directly, even many of your social media accounts come with the ability to set security alerts.
Any chance you have to set an alert, set the alert. It might get noisy at times, but if you can catch a fraudulent charge or action as soon as it happens, you could stop any further damage from happening.
Once we’ve got the common-sense thing down, and hung alerts everywhere, it’s time to bring up the big guns.
Freeze your credit reports
I rewrote this section after getting new information, August 25, 2024, and added a fraud alert section on August 31.
It used to be difficult to freeze and unfreeze your credit reports, but no longer. You can sign up for an account at Equifax, Experian, and Transunion and turn credit freezes on and off. You can even turn a credit freeze off temporarily if you’re in the market for a new loan or credit card.
Each credit bureau will confirm your identity in one of two ways. The first approach is a security gauntlet when you sign up for an account, with many questions about past addresses and phone numbers. Oddly enough, considering my memory is the absolute worst in the world, I can actually recognize the phone number I had back in 2011.
The second approach is to send a code as a text message to the phone number they currently show in your credit report. The latter takes a lot less time and is more secure; after all, the NPD breach exposed most of the data you’d use to answer the security questions.
Once you have an account with the credit bureau, you can set up an account freeze. This will prevent any financial institution from gaining access to your report, and will stop someone else from applying for a loan or credit card in your name.
The account freeze is one advantage to getting an account at the credit bureaus. Another advantage is you’re making it difficult for someone else to do the same. Nowadays, the hacks are exposing multiple addresses and phone numbers, and the security gauntlet may not be as good as it once was.
As I discovered with the NPD breach, all the addresses and phone numbers I’ve had for the last 30 years were exposed with my Social Security Number. This is almost enough to actually create an account at each of the four credit bureaus. And once created, it would be extremely difficult to prove I wasn’t the person who created them.
(I say almost because the bureaus do ask questions related to other information, such as your mortgage payment, not included in the NPD breach. We hope.)
By creating accounts at the credit bureaus you stop or at least slow down someone else from doing the same. And by freezing your credit reports, you can stop anyone from opening up a new loan or credit card in your name.
When you do sign up for an account at each bureau, be wary of being hooked into paid products. Experian, in particular, will attempt to get you to sign up for a paid account. When signing up, make sure to select the option saying you don’t want a paid account, or use the free account to access your credit report or freeze it.
You might feel completely safe in freezing your credit reports. Sadly, all of the credit bureaus have security issues, so even if you freeze your reports, you’ll still need to keep checking them. Often. Or set up those alerts discussed earlier. None of the bureaus have the absolute best safety precautions in place to keep someone from taking over your credit bureau account. The hackers are bypassing two-factor authentication, for instance, by calling in, answering some security questions, and then changing the account email and phone.
You can slow this down by ensuring you turn on two-factor authentication or two-step verification, as an added protection against online access. In addition, if the account allows you to set up a PIN, do so, and ensure the PIN is kept in a safe location. Finally, if the account allows you to set up challenge questions, set up as many as you can with the most obscure answers. Just make sure you print this information out for your lock box, so you don’t forget.
Lastly, only ChexSystem (discussed later) supports a freeze PIN—a PIN you must know in order to remove a freeze. The other credit bureaus rely on two-step verification for online access. However, as mentioned earlier, they may also offer some additional security measures, such as an account PIN, or security questions whose answers aren’t on your credit report. If given an option, pick everything.
If you do all of this, and your credit bureau account still gets hacked, contact the company and get it unhacked. Unfortunately, this process isn’t simple. And file a complaint with the Consumer Financial Protection Bureau. Bluntly, in my opinion, the companies want their security to be a little leaky, so they can sell you expensive protection services. The companies won’t change until forced by law and regulation.
Update: you can also check your credit report frequently at the big three. You get six free credit reports from Equifax annually. Experian supplies daily refreshes of your credit report and score. Transunion is slow as a dog—a really old and very tired dog—but your credit report refreshes weekly. And you can access all of your credit reports weekly at AnnualCreditReport.com. If you don’t want to use credit card monitoring or Credit Karma for alerts, then do check your reports. Or do both—it doesn’t take that much time.
Update: You can also add a Fraud Alert to your credit report. All you need to do is establish it at one bureau, and it propagates to the others. I found that it was easiest to set and maintain at Transunion. The site is slow, but easy to use.
Fraud alerts are good for one year, and you can only set one if you know your data has been exposed. For instance, because my data was exposed in the AT&T breach and the NPD breach, I was at risk for fraud. If you’re the actual victim of identity fraud—someone has actively tried to impersonate you—you can set a fraud alert that lasts for seven years. You will need to have filed an identity fraud report. And if you’re Active Duty military, you can set a fraud alert for one year to protect your financial accounts while you’re deployed.
Turn on Two-Factor Authentication
If you’re going to sign up for an account at the credit bureaus, you’re going to need to become familiar with two-factor (or multi-factor) authentication. Usernames and passwords are pretty much useless on their own for protecting online accounts now, but adding two-factor authentication can stop someone who has your login from getting into your accounts.
Two-factor authentication requires a second authentication method in addition to providing a username and password. Typically, you don’t have to use the two-factor authentication every time you access a site. If you’re using your home computer, you can tell the site that the computer you’re using isn’t publicly accessible and to remember the authentication so you don’t have to go through that step again. Note, though, some companies will just make you go through the authentication hoop every time. Don’t get annoyed: they’re only trying to protect you. And, frankly, if you’re given this as an option, take it.
Two-factor authentication can take multiple forms:
- A onetime code that you keep and use each time
- A list of codes that you can use to access an account, though each code in the list can only be used once
- Biometrics, such as fingerprint or face print
- A hardware key
- A knowledge check
- The use of an authenticator app, such as Google Authenticator
- Having a single-use code generated and sent to you either via email, phone call, or text
The many different types can be grouped into three major categories:
- Something you know
- Something you are
- Something you own
Something you know encompasses both the single and multiple onetime codes and the challenge questions.
A onetime security code is fairly rare, but it is an extra layer of protection I was given when freezing my credit reports. The important thing about onetime security codes is to not lose them and to keep them safe. Think printing it out and putting it in a lockbox. Or storing it on your computer or phone, if, and only if, your computer and phone are encrypted (they probably aren’t).
A list of security codes is frequently a backup item for other forms of two-factor authentication, and helpful if you lose the phone or other device you normally use for two-factor authentication. Again, like with the onetime code, keep the list secure and safe.
You’re aware of the knowledge check. To create an account at one of the credit bureaus, you’ll go through a knowledge check about past addresses, phone numbers, and employers. A knowledge check can also include a question and answer you provide when signing up for the account, as a fallback into the account if somehow you can’t get in using your regular two-factor method. Sometimes, you’ll get both a knowledge check and another two-factor method, just to be extra safe.
Something you are is your fingerprint, your face, your eyes, even your voice. Biometric security. If done right, the approach is very secure. Unfortunately, it isn’t always done right. For instance, fingerprint readers on smartphones can be problematic to use, and face recognition can actually be fooled by photos.
One of the more common forms of biometric security is the type that login services such as Login.gov and ID.me incorporate. In this case, you’ll upload your official photo identification, perhaps accompanied by a video selfie, and sophisticated software compares the two. The data is then compared against the records of the agency that issued the identification, such as a state DMV, to ensure you’re you.
One of the issues with this form of biometric identity proofing is that, as Login.gov discovered, it can be problematic with Black people, leading to failed verification and making access to services more difficult. This slowed the release of this form of biometric identity proofing in Login.gov until just this year.
The something you own can be both the most secure two-factor authentication and the least secure authentication.
A hardware key is a USB device that you must plug into the computer or smartphone in order to access the device and/or secured account. To break into your device or account, someone would need actual physical possession of the key, which makes it a very secure approach. Unfortunately, very few web sites support the use of a hardware key (usually labeled as device authentication).
Authenticator apps are installed on either a computer or smartphone, and generate a time-limited code that you can use with the online site. Typically, the app is stored on your phone and a connection between the site and your phone is made when you scan in a QR code the online site provides. This form of authentication is very secure, because you have to have physical access to the device. But if the authenticator app company suggests storing the info in the cloud, just say no (Google).
The concerning issue with authenticator apps is if your phone is stolen or breaks. To ensure access to the authenticator app, follow whatever steps the app recommends to be able to restore the app to a new device, or to shut down the app if your phone is stolen.
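As an added illustration (not code from the original post), here is how the authenticator app on your phone and the web site each compute the same six-digit code from the secret shared through the enrollment QR code plus the current time, following RFC 6238, so the code never has to travel over SMS or email. The secret below is the RFC’s published test value, not a real account; the verifier shows the two checks a site should make: tolerate a small amount of clock drift, and refuse a code that has already been used.

```python
import base64
import hashlib
import hmac
import struct

# The 20-byte ASCII secret from the RFC 4226 / RFC 6238 test vectors
# ("12345678901234567890"), Base32-encoded the way an enrollment QR code
# carries it. Published test data, not a real account.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30  # the 30-second window used by nearly every authenticator app


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte slice
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """The check a web site performs on the code the user types in."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, window: int = 1) -> None:
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window          # accept this many steps of clock drift either way
        self.last_counter_used = -1   # highest step already accepted; blocks replay

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter_used:
                continue              # already consumed: a replayed code is refused
            # compare_digest avoids leaking a partial match through timing
            if hmac.compare_digest(hotp(self.secret_b32, counter), submitted):
                self.last_counter_used = counter
                return True
        return False


if __name__ == "__main__":
    # Phone side: the code shown for the step containing Unix time 59.
    code = totp(RFC6238_TEST_SECRET_B32, 59)
    # Site side: first submission is accepted, the same code a second time is not.
    verifier = TotpVerifier(RFC6238_TEST_SECRET_B32)
    print(code, verifier.verify(code, 59), verifier.verify(code, 59))  # 287082 True False
```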
Lastly, the most common of the two-factor authentication approaches, but the least secure, is the email or text message (SMS) with a single-use code. It’s simple, it’s efficient, it’s easy to use, and some sites give you the ability to set up a second alternative number just in case something happens to your phone. Or the site may provide the ability to get the code via email or phone call.
The reason this form of two-factor authentication is not as secure as others is that text messages, in particular, are generally not encrypted. Someone could intercept the text and have access to the security token. In addition, someone could hack into your email app and access your emails. The concern about security is such that many companies refer to text-based authentication as two-step verification, not two-factor authentication.
However, this simple form of two-factor authentication (sorry, snobby companies, but this is what it is) stops the vast majority of hacks into a person’s account. As an article in ZDNet notes, someone who goes through the extraordinary effort to get both your password and intercept your authentication code is really targeting you, and you may have a bigger problem that can’t be solved with two-factor authentication.
The trick to making text-based authentication secure is to keep your smartphone secure. This means following the common-sense recommendations earlier. It also means not installing an app from a company you don’t know, and could include installing security software on your phone.
Whatever the approach a site offers, select the most restrictive and secure authentication they support. If they only provide two-factor authentication with text messages or email, this approach is still vastly more secure than just using a password.
Do remember that if you change phones, ensure your authenticator app is copied over before disabling your old phone. And if you change your phone number, make sure to temporarily disable two-factor on your sites and then re-enable it with the new number if you’re using text-based authentication. Or overlap the phone numbers for a couple of days, or have codes sent to your email address, instead (if this is an option).
And don’t lose that hardware key or those codes.
OK, we’ve got the two-factor thing down. Time to move on. Earlier I mentioned four credit reports. This leads us to ChexSystem.
Obtain your ChexSystem disclosure and score reports, and then freeze ChexSystem
This was a new one to me, and I bet it’s a new one to you, too.
Freezing your credit reports doesn’t do you any good when it comes to identity thieves opening up a bank account, such as a checking account. Banks don’t access credit bureau reports when they open a new account.
Most banks do use another system: ChexSystem. This system only tracks your bank activity, such as if you’ve bounced a check, and so on.
You can create an online account for ChexSystem just as you can for the three credit bureaus. Be forewarned: just like them, you’ll have to go through the security question gauntlet, and too bad for you if you can’t remember the address you lived at 20 years ago. Not only do you have to have information about former addresses, they’ll ask knowledge questions such as what was the nearest major highway to a former home.
Once you’ve set up an account at ChexSystem, immediately ask for the Disclosure and Score reports. This will let you know how the banking world sees you, and it will also let you know if someone has already set up a fake bank account in your name and done something they shouldn’t have.
Once you’ve asked for the reports, freeze your account. When you do so, any bank opening up an account for someone using your information will likely check with ChexSystem. When they can’t get the ChexSystem report, they’ll either decline to set up the account, or ask you for a lot more identification. We hope.
ChexSystem will post a letter within the system confirming the freeze and providing a onetime code—a very, very long onetime code—you’ll have to use to remove the freeze. Print that letter out, and put it in your lock box or other safe storage.
You can also ask for a security alert at ChexSystem. This is just an extra step to let them know you’re at risk because of stolen identity information, or you’ve been a victim of identity theft.
Update: Setting a security alert at ChexSystem does not propagate to the other credit bureaus. You’ll need to also set up a fraud alert at one of them to cover Equifax, Experian, and Transunion.
OK, this takes care of credit and banking systems. What about systems unique to you? Starting with your Social Security Number?
Update: Wait, there’s even more credit reporting agencies. Links in the sources.
Self-Lock your Social Security Number
The first step in keeping your Social Security number secure is not giving it out. Unless it’s absolutely essential to get a needed service (such as a credit card, loan, or job), you should not give out your SSN. If your doctor’s office asks for it, leave the answer blank. They do NOT need your SSN. Unfortunately, as happened with me, I had to give my SSN to AT&T for a cellphone account many years ago, and the idiots kept it in a database that was then breached.
So, what else can you do to protect your SSN? You may not be aware that you can create an online Social Security account. Creating a Social Security account allows you to access information about your earnings or current benefit amount, as well as set the bank for direct deposit if you’re receiving payment. Social Security has security precautions in place, including rigorous two-factor authentication using either Login.gov, or ID.Me, both of which support a variety of sophisticated two-factor authentications.
Once you’ve created your online SSN account, and set up two-factor authentication with your preferred login organization, your account should be secure against other online access. However, there is an extra step to prevent someone from using your SSN to apply for a job. This is known as self-locking your Social Security number.
To self-lock your Social Security number, you’ll need an account at E-Verify. You’ll have to run through the setup of an amazing number of challenge questions in order to create the account. Once you’ve created the account, you can self-verify whether you can work for a US-based company, or you can lock your Social Security number.
Locking your SSN at E-Verify keeps anyone from using your SSN when applying for a job with an employer who uses the E-Verify system. Even you won’t be able to use it for a job, unless you unlock it, first.
Finally, if you want to go a step further, you can block all electronic access to your Social Security account. You do this by calling toll free 1-800-772-1213 or the SSA TTY number at 1-800-325-0778. To unblock it, you’ll have to call and be prepared to prove who you are. This is likely to entail a trip to the nearest Social Security office.
Update: You can also ask Social Security to put a Direct Deposit Fraud Prevention block on your account, which will prohibit anyone, including you, from changing your Direct Deposit banking info. In addition, if someone were to hack your account and change it, you’ll now get a letter from Social Security notifying you that the Direct Deposit bank account and/or your address information has been changed online, and what to do if you didn’t initiate this change.
And remember: a government agency, bank, or credit card company will never contact you directly and ask for your SSN or other pertinent information. Only give this information out if you call the agency or financial institution yourself, and use a phone number you know is legit.
Speaking of Login.gov and ID.Me
Update August 29:
What I wrote about locking up your credit bureau accounts applies to Login.gov and ID.Me: create accounts and then lock them using the strictest two-factor authentication you both can support.
Even if you don’t need these now as a way to log into federal or state agencies, creating the accounts will prevent someone else from fraudulently creating ones using your stolen identification.
Yes, according to the /IdentityTheft/ subreddit, folks have used stolen personal data to create these accounts and then sign up for benefits. Normally, you’ll need to provide a copy of your state driver’s license to secure account access AND a video selfie to verify it’s you. Even generative AI imaging would have trouble with this—especially if the image of the DL is compared to the image on record.
Further research revealed the process Login.gov uses to authenticate your DL:
After you provide us with this identity evidence, we attempt to validate it against various authoritative sources. We use third party identity proofing services to assist us with this validation. For instance, if you submit an image of your driver’s license from your state of residence, we’ll compare the information on it to the authoritative data from your state Department of Motor Vehicles (DMV), Motor Vehicle Administration (MVA), or equivalent state agency to ensure that you exist in those records. We’ll also use technology to look for certain security features on the driver’s license to ensure that it’s not fake.
Unfortunately, Login.gov did NOT support true biometric security until recently. It used LexisNexis to verify the DL information. Login.gov just implemented true biometrics and is currently testing it, but for now, it isn’t using the strictest security.
Still, it doesn’t cost anything to create an account at these two important login services, and you’ll need them to create an account at Social Security and the IRS, as well as for other services such as FEMA assistance, and unemployment.
The best approach to lock in Login.gov and ID.me is the following:
Use Login.gov to create your Social Security account, and ID.me to create your IRS account (discussed next). Once you’ve created your ID.me account and attached it to the IRS, attach it to your SSA account as well. I have found that SSA allows you to attach both, and ID.me is currently the more secure of the two. Creating the SSA account through Login.gov still attaches your Login.gov account to SSA, and ensures someone else doesn’t get there first.
Update: If you’re getting a tax refund, file early. Or get an IP PIN.
Unfortunately, with the NPD data breach and the exposure of our Social Security numbers, we need to file our tax returns early so someone else can’t swoop in and get our tax refunds.
A better approach is to get an IP PIN, which is an extra layer of protection. The easiest way to do so is to create an IRS account using ID.Me for account login. Once you have the account, sign up for the IP PIN, and then check your account annually to see the new IP PIN value. The IRS generates new IP PINs every year.
Use the IP PIN on your forms or when asked for it by online tax filing systems. Think of it as two-factor authentication for your tax refund.
Look out for Change-of-Address scammers
The US Post Office has a lot of problems, but one that can really bite you in the butt is that scammers can get your name and address and mail in a change-of-address card, diverting your mail to their address.
Unfortunately, I found out about this one from a neighbor on Nextdoor. When her husband’s obituary appeared online, scammers set up a fraudulent change-of-address card for him. It was only when the postal delivery person asked her about it that she was able to discover this scam.
When you fill out a change-of-address form online, you have to verify your identity by providing a credit card that receives a temporary charge. But if the change-of-address card is mailed in, this identity proof isn’t required. USPS does send a confirmation letter to both your old address and your new. However, these could easily get missed if you’re not expecting them.
Another way to help catch this scam is to sign up for Informed Delivery at the USPS. Not only can you use Informed Delivery to see what kind of mail is coming to you each day; if a permanent change-of-address form is submitted for someone who has an Informed Delivery account, the account is suspended temporarily until you receive instructions from USPS on how to set up Informed Delivery for your ‘new’ address. A suspension of Informed Delivery is a heck of an alert that something is wrong.
Update: An additional security measure you can take is to opt out of receiving credit card and other offers in the mail. The FTC provides information about how to do so (link in sources).
Oh, and you can also set up two-factor authentication (two-step verification) with USPS: choosing either email or a text message for authentication.
Seriously, two-factor everything
I can’t repeat this one enough: two-factor or two-step everything you possibly can. Though the NPD data breach didn’t expose your credit cards or bank accounts, you can’t take the chance some other data breach didn’t expose these. And bluntly, it’s just the smart thing to do.
Most sites that allow you to create an account should be implementing two-factor (or multi-factor) authentication. Some, such as streaming services, may not because of the difficulty of allowing access to the services via so many streaming devices. In this case, use PayPal to pay for the service, because PayPal has very rigorous security authentication.
Another neighbor on Nextdoor noted their account at their Medicare Advantage plan company was hacked, so two-factor your health insurance company accounts, and if you’re on Medicare, two-factor Medicare (look for account settings).
Two-factor your car and home insurance, your credit cards and bank, your PayPal account… everything you need a password for. And always choose the strictest form of authentication both you and the company support.
Let’s be honest: chances are you’re either using the same password for multiple accounts, or using a password manager app. Well, these apps have been hacked in the past, and will be hacked again. Two-factor authentication is that extra, necessary step to protect your accounts.
So make sure you two-factor your Google account if you use Google apps, and make sure you do the same with Apple if you’re using Apple products.
If you’re not getting text messages with codes frequently enough to be annoying, or having to access an authenticator app all the time, or asked for your authentication constantly, you’re not protected enough.
And whatever you can lock, lock.
Good Luck
I use should and could throughout this piece, but note that none of these precautions are guaranteed to protect your identity. Too many companies have too much of our information and couldn’t care less if hackers get it.
But using everything in this (continuously updated) writing is going to make it difficult for someone to bypass the security barriers and should send out all kinds of alerts if they do.
Most of the recommendations here and elsewhere aren’t difficult to implement. Our online identities aren’t difficult to monitor, either. Just set aside a bit of time each week to touch base with your credit reports, either directly at the credit bureau, or in your credit card or bank account if they provide credit monitoring. You can use Credit Karma, too, to check out Equifax and Transunion. Be sure to check out each alert you get, and maybe once a month log into the IRS and SSA or other government agency you have an account with.
If things go foobar, don’t panic; your life is not over, and there are steps you can take. At the first hint of identity theft, file a report with the FTC at IdentityTheft.gov and follow their recovery plan.
Sources
Inside the “3 Billion People” National Public Data Breach
National Public Data Breach: 2.7bn Records Leaked on Dark Web
Hackers may have stolen your Social Security number in a massive breach. Here’s what to know.
NPD Published its own passwords
NPD Check tool, to see what data has been exposed – What did I say earlier about not giving out your SSN? Do NOT give your Social Security number with this tool, it works without it.
A more detailed NPD Check tool, that displayed my addresses for every state I entered. A better tool, and it doesn’t ask for your SSN. But don’t bother signing up for the service—it can’t clean your data from the dark web.
California AG’s office Top ten tips to protect your identity
The FTC Online and Identity Security web site
Use Two-factor Authentication to Protect Your Accounts
What Is Two-Factor Authentication (2FA)? How It Works and Example
Why You Should Stop Using SMS Two-Factor Authentication [Updated 2023]
Multi-factor authentication: How to enable 2FA and boost your security
Reddit post on what happens when your credit bureau account is hacked, and why two-factor authentication is so important. However, even with 2FA, the credit bureau security systems are lax and people can still hack your account. Even recently. So monitor your credit reports frequently. If the credit bureau does give your account over to someone else, file a complaint with the Consumer Financial Protection Bureau.
Do you need mobile security software?
FCC: PDF with tips on securing your smartphone
How to place or lift a security freeze on your credit report from USA.gov.
The Consumer Financial Protection Bureau note on Chex Systems.
Update: There’s more than ChexSystems. The CFPB has a list of the companies. And Reddit has a how-to in how to freeze them, including LexisNexis, which I had no idea was in the credit reporting business. Thanks to Vox for this eye opener.
Create your Social Security online account
Create a Medicare online account
Creating a Social Security online account (PDF)
How to Spot an Imposter Social Security Social Media Account
IRS: Get an Identity Protection PIN (IP PIN)
Creating your login.gov account
How Login.gov verifies your identity
A 2022 story about the issues of Login.gov using LexisNexis
USPS Informed Delivery sign up page
FTC: What To Know About Prescreened Offers for Credit and Insurance