Equifax breach…so now what?

Posted: September 14, 2017 by Malwarebytes Labs

Who here is scrambling around in the aftermath of the recent breach at Equifax to figure out if you’ve been compromised? Who here is wondering what to do about it if you are? If you’re one of the 143 million Americans whose data was accessed by cybercriminals, then you probably raised your hand.

Even if you weren’t one of the 143 million, you might still want to take some precautions. You could instead be part of the millions of folks who’ve had their data stolen over the course of online history. Basically, if you have a social security number, have ever run a credit check, or have a pulse, you should listen up. Why? Two words: identity theft.

The Equifax breach gave criminals access to vital personal information, including names, social security numbers, birthdates, addresses, and in some cases, driver’s license IDs and credit card numbers. And here’s just a slice of what those jerks can do with that data:

The better question might be, who isn’t? Don’t worry about verifying if your data was stolen-assume it was stolen. This is a decent rule of thumb even before the Equifax breach, but even if that thought never crossed your mind, it’s pretty impossible to verify whether you’ve been impacted at the moment.

The Equifax verification site is currently not returning accurate information. And if you try calling the company now, you might be met with some long waiting times to receive frustratingly vague answers. So if you want to act quickly (and we recommend you do), just bypass the first four stages of grief and go directly to acceptance.

What we do know: Those affected by the breach are predominantly from the US, but there are people from Canada and the UK impacted as well. Some methods that work in one country may not work in others, so please keep in mind that this article is aimed at our US readers. International readers can find some additional information about what to do here.

Our recommendation is to freeze your credit immediately with all four of the major credit bureaus. By freezing your credit, you’ll prevent criminals from trying to open up new accounts in your name-all of your current credit cards will still work. You’ll only need to consider unfreezing your credit if you want to apply for a loan, open a new credit card, or make any type of purchase that requires a check on your credit.

Three things you’ll want to know before contacting the credit bureaus.

One: You’ll want to pull a credit report. You can get a free report here. It doesn’t matter if you’ve already frozen your accounts, you can still monitor using the free tool. We recommend you pull only one report now, another one in four months, and the third in another four months. It’s not foolproof, but it will allow you to see different reports throughout the year to track any potential changes.

Two: the cost is minimal. While reports have varied-Equifax is offering their credit freeze for free, but it’s pretty hard to get through to them-freezing credit usually only costs a one-time fee of $10 per bureau. That’s 20 or 30 bucks for a whole lot of peace of mind.

Three: You must set or receive PINs when freezing your credit. Save these in a secure location, whether that’s using a password manager or physically storing the printed PIN paper someplace safe and out of sight.

Where to go to freeze your credit

The use of additional monitoring services is entirely up to you. The biggest issue is that both legitimate companies trying to help and scammer companies trying to trick will over-hype the danger of identity theft in order to make a sale. Please make sure that you do your homework and research on these companies before signing up blindly out of fear.

When looking up information about how to protect yourself in situations like these, look to sites like the Federal Trade Commission or other technology publications such as Wired, The Verge, or Vice’s Motherboard, as they won’t be trying to upsell you to credit protection you may or may not need. The wrong company might actually hurt your ability to stave off ID theft.

We wish we could say that the above advice is going to save you from all the dangers associated with this breach. For credit theft, you are covered, but for all the other threats associated with scammers or fraudsters looking to capitalize on this situation, here are some additional guides on how to avoid their traps.

Be on the alert for credit scams or any related terms. You’ll see these in emails, ads on social sites or games, and even physical mail to your home. These attacks are part of what we refer to as social engineering, and they will run rampant for many months and years to come. Always be skeptical, and if you’re not sure about something, ask a professional.

Since your data was most likely taken, that means your numbers will be shared even more than they already are today. Calls and texts from unknown numbers, numbers with similar area codes, or numbers very similar to yours should be treated as potential scams.

You might think that the National Do Not Call Registry would protect you from this. Sadly, it does not. It offers protection from legitimate companies trying to solicit your business. It does not offer protection against scammers. (Because why would criminals follow the law, anyway?)

The my Social Security account (https://www.ssa.gov/myaccount/) allows you to keep track of the social security funds you’ll be collecting in the future. Although it was not affected by the Equifax breach, it’s good practice to get this account set up in your name, as someone else could easily grab it and you’d be locked out of your future payments. One caveat: If you want to set up this account, you’ll need to do it before you freeze your credit. (Otherwise they can’t confirm your identity through the account.)

Ensure you’re using smart password strategy (complex, do not repeat them, do not use the same one across multiple sites/services, etc.) and if available, enable two-factor authentication (2FA) on every account possible. You can check the 2FA availability on your sites and services here.

While your current accounts shouldn’t be impacted by this breach, it’s never a bad idea to keep an eye on your bank accounts and credit cards for larger purchases. For accounts rarely used, you could set alerts to $1 so you’re notified the second any transaction happens. For regular accounts, set the alerts to a dollar amount that would seem out of place for that card, whether it’s $20 or $500.

A common attack vector with credit/personal data breaches is to purchase new phone accounts through your provider, with your account! Once criminals have your info, they’ll call up the phone company and say they want to add a new line but don’t have a PIN number. If you haven’t set up a PIN number with your phone company already, they have no way to verify your account. So guess what? BAM! There’s a new phone on your bill. In order to protect yourself from this type of attack, go ahead and set up a PIN with your provider.

File these as soon as possible next year! For multiple years we’ve heard about victims of tax return fraud, wherein a scammer using your personal information files YOUR return before you can. So don’t wait on this one.

If you’re affected by the Equifax breach, you have a heightened risk of becoming a victim of identity theft. But at this juncture, the point is moot. Since it’s difficult to discover a definitive answer, it’s best to assume you are and deal with the fallout.

We’ve given you some direction on what to do to avoid identity theft and credit fraud, and we hope you take a deep breath, crack your neck, and get to work nailing your personal info down. One new credit card created by an attacker in your name is going to cause a massive headache. Better to stay ahead of it than spend the next month trying to convince a bank that you didn’t open an account. Good luck, be vigilant and stay safe.

The Malwarebytes Labs team