The state of online security is so dismal that it’s not a matter of if your identity will be stolen. The only uncertainty is when it will happen – and how often.
Welcome to what I call Hacker World, where malicious web-savvy thieves can steal virtually any asset, file false tax refund claims, and even steal your Social Security benefits.
Recently, I learned that I almost certainly had my identity stolen, for at least the second time. The first time that I know about was in the massive Equifax data breach in 2017.
This time around, it was stolen from Marriott International. Last December, Marriott disclosed that hackers penetrated the company’s Starwood guest reservation database and stole the personal data of as many as 500 million people.
Marriott says hackers accessed customer names, addresses, phone numbers, email addresses, passport numbers, and dates of birth – all information that can easily be exploited to impersonate someone. About 8.6 million encrypted payment card numbers and expiration dates were also exposed.
You might be surprised to learn that I’m not especially concerned about this latest breach. One big reason is that when I learned my data had been stolen from Equifax 18 months ago, I put a security freeze on my credit files.
A security freeze limits access to your credit report to only companies that already have you as a customer. If you have a security freeze in effect and a hacker penetrates a database to retrieve your personal information and succeeds in impersonating you, they’ll find it almost impossible to benefit financially from having your information.
They won’t be able to use the IRS’s notoriously insecure Get Transcript feature to obtain a bogus tax refund in your name. Nor will they be able to set up a fake account with the US Postal Service Informed Delivery service to acquire bogus credit cards with your name on them.
But I’ve also had a striking realization that has changed my attitude about computer security forever. Instead of assuming my data is safe in the hands of third parties, I take it for granted that it’s not.
I understand that hackers have access to data that I once believed was private and now realize my data might as well be pasted on the front page of The New York Times. That means I now assume that my Social Security number, my credit card numbers, my date of birth, etc. are now essentially public information.
I also grudgingly accept the fact that every database that stores this information has likely been compromised.
Finally, since I’m a US citizen, I understand that I have little or no legal recourse if this data is stolen, misappropriated, or shared on the dark web. For instance, I have no plans to sue Equifax for handing the data it has collected about me for decades over to hackers without my consent. I won’t sue because I can’t prove that Equifax personally damaged me financially through its depraved indifference to data security.
Of course, I don’t want to make it any easier for hackers than it already is. So I try to practice safe computing by taking precautions such as regularly updating software and operating systems and using a virtual private network.
I also am in the process of migrating bank and investment accounts to companies that take security seriously. For me, the tip-off to close an account is when a customer service representative asks for my social security number “for the sake of security.”
I’m even closing accounts that send a text message to my cellphone when I log onto the account. This type of authentication can be spoofed because it’s frighteningly easy to clone your cell phone SIM card.
A much better way to authenticate your account is with a physical device or card you must have in your possession to log in. This is the approach that Interactive Brokers uses to beef up account security.
If you don’t take any other precaution, though, at least put a security freeze on your credit files.
You’ll need to put a security freeze into effect with each major credit agency. Follow these links to get started:
Credit bureaus hate security freezes, because freezing and unfreezing accounts often requires the intervention of a customer service agent. And they can no longer sell your data to the highest bidder.
Instead, credit bureaus will try to persuade you to sign up for a “credit lock” and credit monitoring services. Essentially, you pay a monthly or annual fee (which is often waived) for the privilege of having the company who should be keeping your data safe notify you when they don’t.
Don’t be fooled. A credit lock is only an agreement between you and the credit bureau. You’re bound by the restrictions in the fine print of the agreement, rather than by your state’s security freeze law.
A good time to put security freeze in effect is today. Hackers certainly aren’t going to do it for you.