UPDATE 10 JUNE Re DHS Breach: The Department of Homeland Security (yes, the Department of Homeland Security) is just now (June 2015) getting around to notifying victims of a breach of one of its own background check vendors, which was first discovered in September 2014. In this case, the DHS is offering various credit monitoring products as well as self-help tips. Interestingly, the DHS had previously been breached, in 2013, again through a hack of a vendor that "process(es) personnel security investigations....As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations was potentially accessible by an unauthorized user. " In 2013, claiming nothing was actually mis-used, as far as it could tell, DHS only gave victims tips on rights to a free credit report and fraud alert. Fool me twice, shame on me?
ORIGINAL POST: 8 June: If you shop with credit or debit cards, have health insurance (recent breaches at Premera, Anthem and CareFirst, pay taxes (IRS breach), work for the federal government (OPM breach), or (fill in blank) you’re at risk of a data breach.
To make matters worse, much worse, any data breach bill likely to pass Congress is weaker than most existing laws and would eliminate any stronger state laws. Our recent data breach testimony to Congress is here. Our group letter opposing weak federal data breach and data security proposals is here. Illinois PIRG’s blog urging their governor to sign a tough new state law championed by Attorney General Lisa Madigan is here.
Of course, perhaps in a very weak effort to deflect blame from his agency, IRS chief John Koskinen recently told Congress that the IRS wasn’t actually breached. Hunh? The argument goes something like this: thieves obtained personal information somewhere else online, and only then used it to dupe the IRS into letting them in, so this somehow was not actually a “breach” and not the agency’s fault. That’s just a variant on the noted Bart Simpson defense: (I Didn't Do It, Nobody Saw Me Do It, There's No Way You Can Prove Anything!).
Why didn’t the IRS have better defenses against fraudsters, such as serious multi-factor authentication?
The lesson, however, is that with so much information about you already available on the Internet, even enough to spoof the IRS, it’s best to protect yourself better (although data collectors need to do a much better job). It is best not to select easy-to-google security questions like “Where were you born?” or to answer “Pizza” to the weak question “What is your favorite food?” -- as apparently 20% of you do.
Concerns Grow: One recent survey by Telesign found:
- "80 percent of consumers worry about online security.
- 45 percent are extremely or very concerned about their accounts being hacked.
- In the past year, 40 percent of consumers experienced a security incident (received a notice that their personal information had been compromised, had an account hacked or had a password stolen) and 70 percent changed their passwords in response."
What can you do to protect yourself? First, we agree with security expert Brian Krebs that the security freeze is your best protection against new account identity theft. The title to today’s post over at his authoritative “Krebs On Security” is “How I Learned to Stop Worrying and Embrace the Security Freeze.”
We worked on the first security freeze law, in California, and then promoted it nationwide, state by state, with a model data breach notice and security freeze law, written with Consumers Union (now Consumer Reports) and also promoted by many state AARP chapters. Between 2005 and 2009 a version was passed by nearly every state, forcing the credit bureaus to eventually provide the freeze everywhere. If a thief applies for a new account in your name, but your credit report is “frozen,” creditors will simply not open a new account. A security freeze offers peace of mind, although unfortunately it comes with a modest cost as well as requires planning (if you want to apply for credit, you need to selectively or temporarily unfreeze your credit reports). Instead of seeking to overturn strong state breach laws, Congress should be working to make security freezes easier to use and free. A few states offer free security freezes for identity theft victims or senior citizens. Learn more here from Consumers Union.
The Federal Trade Commission has posted a set of identity theft tips for federal OPM breach victims. The FTC tips can apply to anyone, since there are breaches here, there and everywhere. They recommend you take the free credit monitoring being offered as part of most remedial packages offered by breached entities. We won’t disagree, as long as you follow these rules:
- Never, ever agree to pay for credit monitoring as it simply isn't worth it, even when packaged with other "important protection" products;
- Understand that credit monitoring does nothing to protect you from existing account fraud (you need to verify your balances regularly); and
- Understand that credit monitoring does not actually prevent new account fraud. It only “warns” you after new accounts have already been opened in your name.
We also remind you that bad guys will take advantage of the tons of information now available in a two-second google-search or for sale on an underground network (these networks are generically called the “darknet”).
They’ll contact you and try to impress you with what they already know (“come on, I know so much, I must be legitimate”), so that they can get more. This is called a social engineering or “phishing” scam. If someone calls you and says “I am from your bank,” hang up and call the number on your card, not the number they give you. And certainly don’t click on any links in any email “from your bank.” More of our advice on phishing is here.
Remember that a bad guy with some information about you wants to phish for even more to fill in the blanks. In the meantime, use different passwords for different accounts, and keep them robust, not simple. Use 8-12 characters minimum, and combine numbers, upper and lower case letters and where allowed, special characters (such as &, %, $, #). Use two-factor authentication when offered.
Of course, as the recent IRS breach demonstrates, a lot of this information is already readily available, so data collectors also need to do a much better job defending the gates and policing their networks. And while some of these bigger breaches have been linked to sophisticated state-sponsored hackers, variously said to be in China, Russia or even North Korea, remember that other thieves, including very unsophisticated thieves, will take advantage of heightened consumer worrying to ramp up their own crude phishing scams. After all, it’s easier to steal from you than to rob banks directly.