Guest Post by Mark Nestmann
The state of online security is so dismal that it’s not a matter of if your identity will be stolen. The only uncertainty is when it will happen – and how often.
Welcome to what I call Hacker World, where malicious web-savvy thieves can steal virtually any asset, file false tax refund claims, and even steal your Social Security benefits.
Recently, I learned that I almost certainly had my identity stolen, for at least the second time. The first time that I know about was in the massive Equifax data breach in 2017.
This time around, it was stolen from Marriott International. Last December, Marriott disclosed that hackers penetrated the company’s Starwood guest reservation database and stole the personal data of as many as 500 million people.
Marriott says hackers accessed customer names, addresses, phone numbers, email addresses, passport numbers, and dates of birth – all information that can easily be exploited to impersonate someone. About 8.6 million encrypted payment card numbers and expiration dates were also exposed.
You might be surprised to learn that I’m not especially concerned about this latest breach. One big reason is that when I learned my data had been stolen from Equifax 18 months ago, I put a security freeze on my credit files.
A security freeze limits access to your credit report to only companies that already have you as a customer. If you have a security freeze in effect and a hacker penetrates a database to retrieve your personal information and succeeds in impersonating you, they’ll find it almost impossible to benefit financially from having your information.
They won’t be able to use the IRS’s notoriously insecure Get Transcript feature to obtain a bogus tax refund in your name. Nor will they be able to set up a fake account with the US Postal Service Informed Delivery service to acquire bogus credit cards with your name on them.
But I’ve also had a striking realization that has changed my attitude about computer security forever. Instead of assuming my data is safe in the hands of third parties, I take it for granted that it’s not.
I understand that hackers have access to data that I once believed was private and now realize my data might as well be pasted on the front page of The New York Times. That means I now assume that my Social Security number, my credit card numbers, my date of birth, etc. are now essentially public information.
I also grudgingly accept the fact that every database that stores this information has likely been compromised.
Finally, since I’m a US citizen, I understand that I have little or no legal recourse if this data is stolen, misappropriated, or shared on the dark web. For instance, I have no plans to sue Equifax for handing the data it has collected about me for decades over to hackers without my consent. I won’t sue because I can’t prove that Equifax personally damaged me financially through its depraved indifference to data security.
Of course, I don’t want to make it any easier for hackers than it already is. So I try to practice safe computing by taking precautions such as regularly updating software and operating systems and using a virtual private network.
I also am in the process of migrating bank and investment accounts to companies that take security seriously. For me, the tip-off to close an account is when a customer service representative asks for my social security number “for the sake of security.”
I’m even closing accounts that send a text message to my cellphone when I log onto the account. This type of authentication can be spoofed because it’s frighteningly easy to clone your cell phone SIM card.
A much better way to authenticate your account is with a physical device or card you must have in your possession to log in. This is the approach that Interactive Brokers uses to beef up account security.
If you don’t take any other precaution, though, at least put a security freeze on your credit files.
You’ll need to put a security freeze into effect with each major credit agency. Follow these links to get started:
Credit bureaus hate security freezes, because freezing and unfreezing accounts often requires the intervention of a customer service agent. And they can no longer sell your data to the highest bidder.
Instead, credit bureaus will try to persuade you to sign up for a “credit lock” and credit monitoring services. Essentially, you pay a monthly or annual fee (which is often waived) for the privilege of having the company who should be keeping your data safe notify you when they don’t.
Don’t be fooled. A credit lock is only an agreement between you and the credit bureau. You’re bound by the restrictions in the fine print of the agreement, rather than by your state’s security freeze law.
A good time to put security freeze in effect is today. Hackers certainly aren’t going to do it for you.
It is my sincere desire to provide readers of this site with the best unbiased information available, and a forum where it can be discussed openly, as our Founders intended. But it is not easy nor inexpensive to do so, especially when those who wish to prevent us from making the truth known, attack us without mercy on all fronts on a daily basis. So each time you visit the site, I would ask that you consider the value that you receive and have received from The Burning Platform and the community of which you are a vital part. I can't do it all alone, and I need your help and support to keep it alive. Please consider contributing an amount commensurate to the value that you receive from this site and community, or even by becoming a sustaining supporter through periodic contributions. [Burning Platform LLC - PO Box 1520 Kulpsville, PA 19443] or Paypal
-----------------------------------------------------
To donate via Stripe, click here.
-----------------------------------------------------
Use promo code ILMF2, and save up to 66% on all MyPillow purchases. (The Burning Platform benefits when you use this promo code.)
Great info in a timely article. Thanks for posting.
But, but online banking is so secure. I still write checks, BTW admin sending another 50 fiat your way.
Carry on. ….
Yeah, they also will unfreeze it after so long so you have to jump through a bunch of new hoops to get those things reinstated.
Its awful.
If you don’t already, create on-line accounts for all your credit cards. In the security section select email when ever a transaction is over $xx (I have mine set at $75) and also select email when there card isn’t present (internet or mail order sale). I caught a fraudulent one from Nordstroms, no too long ago.
It’s the CC co’s responsibility to ensure the transactions are legit. I refuse to do their job for them, especially w/ implied rent due from their use of my hardware -(same for banks, etc. that attempt to use my devices as part of their security responsibility; ie., 2-factor authentication). I am paying them 3% of every transaction for this service. Card gets hacked? So what … they send you a new one and cancel the charges. Inefficiency in the system … part of my effort to help collapse it.
When that credit bureau hack was announced a year or so ago, everyone I know ‘froze’ their accounts and sent $ to the co’s ‘for security.’ Screw that, not not my responsibility.
If you are on the web and beyond 14 years old (LOL) “they” (all the “theys”) have all your data and know where to find the rest – that’s a given.
i didn’t read the story so i don’t know which company it is but a couple of weeks ago one of the companies that stores multiple passwords for you so that you don’t have to remember different ones got hacked-
Well done Mark, an excellent post an d extremely good info. I am in UK and don’t seem to have suffered so far. I use a dongle with my HSBC account and of course credit card accounts are covered anyway. I will certainly try the suggestions you mention as every little helps. Best wishes.
My identity has already been stolen three times.
Not only were the thieves disappointed, one of them actually sent me five bucks…