After the Hack: Routine Credit Security Practices

In early September Equifax, one of the three primary credit reporting bureaus, disclosed a massive security breach. Key information such as Social Security numbers, dates of birth, addresses and credit card numbers were stolen, impacting roughly 143 million Americans. You are likely to have been affected.

Here are some practical suggestions for your security. The first section will cover a number of routine credit security practices that are always smart to do, but are more important now than ever. The second section will provide you with different approaches to protect yourself after the Equifax breach. This breach is a bigger deal than past ones, such as those at Yahoo, Target or the Department of Defense, due to the nature of the information that was stolen and the number of people impacted. (For more, see: Was I Hacked? Find Out If the Equifax Breach Affects You.)

​Routine Credit Security

  1. Check your free credit reports from Equifax, Experian and TransUnion by visiting annualcreditreport.com. This is a secure site and you are allowed to request all three reports once per year. We strongly recommend that you review one report every four months so that you can keep an eye on your files throughout the year. When reviewing your credit report, look for any open accounts that you do not recognize or old lines of credit that now show a balance. Reports also provide information needed to close any existing credit accounts you no longer need.         
  2. Scrutinize all of your credit card and bank statements closely for unauthorized charges or withdrawals. This is particularly important after the recent breach. Call your credit card company or bank immediately about any charges or withdrawals that you do not recognize. If your bank or credit card company offers to provide text alerts when an address change is requested or when large withdrawals are made, take advantage of their notification service. Also, if they offer two-factor authentication, an extra level of security, turn it on. 
  3. Opt out of new credit card offers. You can visit the following website to opt out of credit and insurance offers for the next five years (or even permanently). Doing this may reduce the risk that a thief gets hold of your pre-approved credit offers but you can still apply for any new credit card you desire by directly contacting the issuing company. The secure site for opting out is optoutprescreen.com. If you choose not to opt out, at least be careful to shred any paper credit card offers that you receive in the mail.
  4. Change your passwords now. Use difficult to guess passwords and update them frequently. Be particularly careful with your bank and credit card passwords - use different ones for different financial institutions. Do not use the same passwords for financial companies that you use for social media or online shopping. Keep track of your passwords in a password-protected document or by using a password manager.
  5. Limit the information that you share on social media. Do not provide your actual date of birth or full home address on social media sites. Do not make it easy for thieves to find your mother’s maiden name or any other information used for verification of your identity.
  6. File your taxes as early as possible. Since Social Security numbers were affected in the breach, there is a higher risk of tax fraud in the next few years. Tax identity theft happens when someone uses your Social Security number to apply for a tax refund. Consider filing your taxes as early as possible and pay close attention to any mail correspondence from the IRS. Note that the IRS never contacts taxpayers by phone or email. (For more, see: 5 Biggest Credit Card Data Hacks in History.)
  7. Be wary of any emails you receive. Be particularly careful with any emails that appear to come from one of your current financial providers (and especially Equifax) and that ask you to open an attachment or click on a link. That link may install malware on your computer. The best thing to do when you receive any suspicious email from a financial institution is to visit the company's website directly, using a secure computer, to access whatever you need from their corporate site, not via an email link.

After the Breach

I recommend that you choose one of the following two options:

Add a credit monitoring service: This will alert you if/when a new credit card or loan is opened under your name. Some individuals already have a basic monitoring service provided by their existing credit card company or memberships such as AAA. If you do not, there are a few options. You can go to an independent provider such as creditkarma.com to set up monitoring for free or you can subscribe to monitoring from one of the three primary credit reporting bureaus - TransUnion, Equifax and Experian. If you were impacted by their recent breach, Equifax will provide free credit monitoring for one year - after that they will charge roughly $20 per month. You can go to equifaxsecurity2017.com to see if you were affected and to sign up for monitoring.

Freeze your credit files: This is the more drastic step but worthwhile for many folks. Freezing your credit will not prevent a thief from accessing your existing accounts, but a freeze will stop anyone from opening new accounts in your name since lenders cannot check your credit. Typically, a lender does this when you apply for an apartment rental, open a new utility account, apply for a car loan or mortgage, or request a new credit card. If you are younger, you are more likely to want lenders to be able to check your credit than if you are older. Regardless of your age, if you are concerned about identity theft you should consider freezing your accounts. (For more, see: Identity Theft Protection Services: Worth Having?)

There are a few drawbacks. Once you freeze your files, it can take a few days to “thaw” them via phone or online and small fees may be charged.  Also, you will need to securely save the PIN number provided by each bureau when you add the freeze, as you will be unable to thaw your credit report without it. On a positive note, freezing your credit does not impact your credit score and does not prevent you from requesting your three free annual credit reports every year. 

Adding a credit freeze via the bureaus’ automated phone lines requires your date of birth, Social Security number, zip code and a credit card number to pay for the freeze fees. Fees for adding and lifting a freeze vary by state and generally range between $5 and $15 per bureau. Here are the phone numbers to call to add a freeze:

  1. Transunion: 888-909-8872
  2. Experian: 888-397-3742
  3. Equifax: 800-349-9960
  4. Innovis: 800-540-2505 (You may want to add a freeze at this lesser-known bureau, too.)

We have been tempted to freeze our credit in the past but have avoided taking this step until learning of this recent Equifax breach. If credit access is needed in the future, we will lift the freeze at the particular bureau that the lender uses for just a short time and then freeze our records again. We will save our assigned PINs from each bureau in a secure place as they will be required for future thaws.

Unlike monitoring or adding a freeze, we do not recommend adding a fraud alert to your credit files. By adding an alert, lenders are supposed to contact you before opening any new accounts but they are not legally required to do so. In addition, a fraud alert only lasts for 90 days at a time, which is insufficient.

At this point, you should assume that your personal information is in the hands of individuals who may want to use it for their own purposes. The prudent thing to do is to implement some or all of the security steps described above. When it comes to identity theft, ounces of prevention are worth tons of cure. (For more, see: 7 Ways to Protect Against Credit Card Hacks.)