Equifax was hacked and the world changed. The old advice about protecting your personal information now seems quaint. The prudent thing to do today is to assume it’s out there. Regardless of whether Equifax’s broken security tool says that your data was compromised, it is now prudent to assume that it was. Heck, even if Equifax could somehow prove that your data was not taken in this latest data breach, it makes sense to assume that it was taken in a prior breach or will be taken in a future breach. And if your data wasn’t and won’t be taken from Equifax, it may be taken from any number of other sources. Equifax is only one of many companies that has been hacked… that we know about. We learned about the Equifax hack more than a month after it happened. How many successful hacks have happened that we don’t know about?
The Equifax hack is, to me, the mental tipping point. Regardless of whether my data was leaked, I’ve changed. I can’t go back to thinking that I’m safe because I don’t publicize my SSN, my date of birth, my credit card numbers… That thinking was always foolish, but it was easier than protecting myself.
The 1 thing you MUST do to protect yourself from the Equifax Hack
Equifax’s solution to the data breach is to offer everyone one year of protection via their TrustedID Premier service (see: Is the Equifax cure worse than the hack?). Trusted ID Premier offers a collection of services to help protect you from identity theft: credit monitoring, report lock, SSN monitoring, and identity theft insurance. Each of these are useful, but one year of protection is not enough. And, I’d argue that they’re not the top things you should do to protect yourself.
The Equifax solution assumes that our top threat is identity theft. A criminal can steal your identity and then open credit card accounts, take out loans, or use your identity to commit other crimes. And, to be sure, identity theft is a likely outcome of the Equifax Hack. But, most identity theft crimes take time and effort. The low hanging fruit is theft, not identity theft. With the right information, criminals can snatch your digital valuables in seconds.
Think about how easy it would be…
If a thief could gain access to your primary email account, then they would have the keys to your digital kingdom. Thanks to Equifax, they already know which banks you have accounts with. And with access to your email they can search your history for every type of account you have. Financial accounts, digital currency accounts, rewards accounts all have value. With any one of these it wouldn’t be hard to click the “forgot password” button to have a temporary password sent by email. Then, they’re in, and they can clean you out.
For the above reason, I believe that if you do nothing else to protect yourself, you must do this: protect your email account.
How to protect your email account
1. Change your password [Critical: If you do nothing else, do this]
Ideally you should use a strong password with a mix of characters, numbers, and symbols, but mainly you should make sure that your email password is different from all other passwords you use. If you use the same password on other sites, then there’s a good chance that your password is available to hackers. A good option is to use a password tool like LastPass to generate and protect your passwords.
2. Add 2-Step or 2-Factor Authentication [Extremely Important]
Using a strong password isn’t enough. Given enough information about you, a hacker may be able to click “forgot password” to get into your account. Or, you might accidentally fall prey to a phishing attack where the hacker makes it appear that your email program is asking for your password when in fact it is that hacker waiting to claim that information.
2-Step Verification generally works like this: The first time you try to log into your email from a new device, you’ll have to do more than just enter your password to get in. What the next step is depends upon which 2 factor options you pick and which are supported by your email service. A common (but not very secure) approach is to get a code via text message that you have to enter to get into your email. Since phone accounts can be easily hacked, you’re better off picking a different option.
Gmail offers a number of options including Voice or text message, Google prompt, Authenticator app, Backup codes, and Security Key. More about these in step 3…
3. Disable voice or text as a 2nd step option [Important]
SMS can be easily hacked. Phone numbers can be hijacked or forwarded without your permission. For these reasons, your phone number is not a great security option. That said, having your phone setup for a 2nd factor is much better than having nothing at all. Still, you might as well protect yourself!
In order to remove voice / text as an option, you’ll have to setup one or more other 2nd step verification options. See below for how to do this with Google email.
How to setup 2-Step Verification with Google
- Browse to your Google account (myaccount.google.com)
- Run the Security Checkup
- At the end, click the link for 2-Step Verification settings (alternatively, you can browse to: myaccount.google.com/signinoptions/two-step-verification, but it’s better to run through the whole security checkup)
- Turn on 2-Step verification and then select how you want to handle the 2nd step (the first step is entering you password. The second step can be something like a code sent to your phone or to an app, or something else.
- For my 2nd Verification step, I chose “Google prompt“. This way, when I log into Google from a new device, a prompt pops up on my phone asking me if I intended to do that. I just press yes. If you have an Android phone, you don’t need to install anything on your phone to make this work. If you have an iPhone, you need to install the Google Search app to make this work.
- As a backup, You can also setup Google Authenticator. Authenticator is an app that shows a code that can be typed in for the second verification step. It’s a bit more work than Google prompt, but it works with some other non-Google programs (such as LastPass). Note that I do not have to use this to log into Google from new devices. I use it only as a backup in case something goes wrong with the Google prompt. Also note that you can install an app called Authy instead. Authy works the same as the Google Authenticator app, but it has the advantage of being able to run on multiple devices. That can be critical if you lose your phone, upgrade your phone, etc. If you want to use Authy with Google, select Google Authenticator as your second step. Google will show a bar code. Use the Authy app to scan it.
- Another backup option available is Backup codes. These are one time use codes that you can use if you don’t have access to Google prompt or Google Authenticator. Obviously you should keep these codes somewhere safe. For save storage and retrieval, I use LastPass which has a “Secure Notes” feature. When traveling, consider printing a few of these codes and keeping them with you in case your phone gets lost or breaks.
- Once the above options are setup, remove your phone as a 2nd step option.
Everything else you ought to do
To protect your digital self, I think you ought to get insured, lock your doors, and watch for danger…
If something goes wrong you might as well have a way to get reimbursed for damages. For details about how to get free identity theft insurance, please see: Equifax Hack Rx: Free Identity Theft Insurance
Lock your doors
You can’t make it impossible to get hacked, but you can make it difficult. Each of the following are recommended:
- Setup 2 factor authentication for your email accounts as described above
- Setup strong passwords with all accounts. LastPass is a very well regarded password manager.
- Setup 2-factor authentication with other accounts that you care about. With these it should now be okay to opt for email as your second factor if you’ve taken the above steps to secure your email.
- Protect your home network. Make sure you have it encrypted and password protected.
- Use a VPN when outside of home or work. This will encrypt all traffic between your device and the internet. I like privateinternetaccess (~$40 per year) but free options exist.
- Consider freezing your credit reports. When seeking new credit, you’ll have to use a PIN to temporarily unfreeze your account. This would make it harder for a hacker to open credit in your name. Doctor of Credit has details here.
Watch for danger
Another way to help protect yourself is to proactively watch for evidence of hacking. This way you may be able to take action before the hackers have done too much harm. A number of services can be used to alert you to potential hacks:
- Monitor your credit. Get alerted to any changes to your credit report. This way, if someone tries to open a loan or credit card in your name you’ll know right away. For details about how to monitor all three credit bureaus for free, please see: Equifax Hack Rx: Free credit monitoring.
- Monitor your finances. If someone steals your credit card number or hacks into your bank account and starts spending your money, it would be great to be alerted right away. Mint is a popular (and free) tool that helps you keep track of finances across all of your accounts. Mint can be configured with Spending Alerts so that you’ll know when there are unusual or large transactions.
- Monitor your rewards. If you’re like me, you have airline miles, hotel points, bank points, store rewards, and more across dozens of websites. Many of these have poor security and can be easily hacked. AwardWallet can be used to monitor balances across almost all of these accounts. If you see your account balance unexpectedly drop, you’ll know something went wrong. Unfortunately this won’t give you real time monitoring so it may be too late by the time you discover a breach, but I think it’s better than nothing.
- Monitor your info on the internet. Two free services promise to scour the internet for evidence of your private information being traded on risky websites. If you have a Discover card, you can enroll in Discover Card SSN alerts. And if you have a Mastercard, you can enroll in Mastercard ID Theft Protection. Honestly, it seems unlikely to me that these services will really be helpful, but I don’t think it would hurt to sign up for either of them. The Mastercard option has the advantage in that it also offers Emergency Wallet Replacement and Expert Resolution Services.
It’s impossible to protect yourself from all possible cyber-dangers. Your goal, though, should be to take reasonable precautions. If you do nothing else, turn on two-factor authentication for your primary email address (the one that you use with your financial accounts, for example). Let’s at least make those hackers work for it. And if they meet resistance, maybe they’ll move on in search for lower hanging fruit…