OPM breach and credit freeze

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 12:22 pm

Many Bogleheads are current or former Federal employees affected by the recent OPM database breach. I have received an offer to enroll in the protection offered by CSID which includes not just credit monitoring but also monitoring of malicious sites that sell identity information as well as the identity protection insurance.

When I first heard about the breach I decided to freeze my credit, which would also severely limit my ability to sign for new credit cards and collect travel bonuses. But the CSID protection seems powerful enough to spare extreme measures on my part.

I'd like to know:
1. How reputable and effective is CSID?
2. Should I rely on CSID, or also freeze my credit as Krebs on Security recommends?

Thank you,
Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

nedsaid
Posts: 12788
Joined: Fri Nov 23, 2012 12:33 pm

Re: OPM breach and credit freeze

Post by nedsaid » Fri Jun 19, 2015 12:50 pm

I am amazed at how little reaction there has been to this massive credit breach. Were I affected, I would consider whatever measures available to protect my data, my finances, and my identity.

I was joking with my father the other day. He is changing banks and was working with Social Security to change his direct deposit information. I joked that his deposit should be direct deposited to China as it was only a matter of time until the Chinese hackers got ahold of it anyway. Just save them the trouble.

I cannot imagine a more devastating data breach than this. I hope current and former federal employees will make this an issue and demand this to be fixed. Unfortunately, the horse is out of the barn. Hopefully the employee unions are raising a stink over this. Folks just seem to be accepting this.

Were I in that situation, I would consider drastic changes like a name change and a Social Security number change. I would put whatever security measures on my personal assets that I could.

There also should be massive lawsuits over this. Employee unions, are you listening?
A fool and his money are good for business.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 12:54 pm

As I was reading about the protections offered by CSID, I came across their CyberAgent that "Monitors thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online."

To enable monitoring, I have to provide them with the information to monitor, including up to:
- 5 bank accounts
- 5 credit/debit cards
- 3 email addresses
- 2 medical ID numbers
- 3 telephone numbers
- 1 driver's license
- 1 passport number
- 1 Social Security number

This sounds great, but I am concerned about providing all this information to an internet site that also can be hacked. Should I enter my information for monitoring?

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

nedsaid
Posts: 12788
Joined: Fri Nov 23, 2012 12:33 pm

Re: OPM breach and credit freeze

Post by nedsaid » Fri Jun 19, 2015 1:05 pm

I looked at the CSID website and it looks impressive. The big thing to me would be this firm's reputation. Hopefully some folks will weigh in. It is hard to know who can be trusted and who cannot. I would consider signing up but I sure would check things out. It sounds like you have to give out a lot of personal information.

As sad as it sounds, maybe governments and companies will have to go back to locked and fireproof cabinets and paper and manual files for the most sensitive information. Not very efficient, but I am losing confidence that electronic information can be protected. I also wonder why everything has to be hooked up to the internet. It seems that we are just asking for trouble.

Hope this works out for you.

Best wishes,

Ned
A fool and his money are good for business.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 1:12 pm

nedsaid wrote:I looked at the CSID website and it looks impressive. The big thing to me would be this firm's reputation. Hopefully some folks will weigh in. It is hard to know who can be trusted and who cannot. I would consider signing up but I sure would check things out. It sounds like you have to give out a lot of personal information.
Thank you, Ned,

My reason for starting this thread is to solicit recommendations from Bogleheads who are familiar with CSID and to help current and former Federal employees make practical decisions. I have enrolled in the CSID service immediately, because the offer came in an unencrypted email, and I was concerned that if my email were intercepted, someone could have enrolled on my behalf.

But now that I have the CSID services I need to make additional decisions, such as whether to provide my information to their CyberAgent.

Victoria
Last edited by VictoriaF on Fri Jun 19, 2015 1:13 pm, edited 1 time in total.
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

TimeRunner
Posts: 1575
Joined: Sat Dec 29, 2012 9:23 pm

Re: OPM breach and credit freeze

Post by TimeRunner » Fri Jun 19, 2015 1:13 pm

My approach is to ignore the CSID offer. Our credit has been frozen since 2007, and I agree with Krebs. Also, as mentioned on another thread, it would be proactive to change all your security challenge questions on websites, especially banking, financial, health, and any site storing your payment (CC, debit card) info. (Yes, it's a PITA, but not so bad as one-bite-at-a-time.) Enable two-factor authentication where offered. Expect the OPM information to be exposed sooner or later.
One cannot enlighten the unconscious.

rkhusky
Posts: 7597
Joined: Thu Aug 18, 2011 8:09 pm

Re: OPM breach and credit freeze

Post by rkhusky » Fri Jun 19, 2015 1:19 pm

Frankly, I am hesitant to give my info to these third parties, which as you said, could also get hacked. As part of an insurance company breach I was offered credit monitoring from one of the three credit bureaus. Since they already have all my info, I didn't have to provide anything extra.

I imagine that as these breaches become more prevalent, the whole notion of authentication over the Internet will have to change. Perhaps we will have to go back to snail mail or showing up at a brick and mortar bank.

I hope that they don't go to some biometric method over the Internet. Because if that gets hacked (i.e. your biometric code gets replaced by someone else's), you won't even be able to prove that you are you anymore.

Edit: I didn't change a single password that I wasn't planning to change anyways. Why would my insurance company have the password to my Bogleheads login anyway? If someone uses my identity for a credit card, it will be on the credit card company to prove that it was me that opened it.

Edit2: Perhaps it is a good thing that all these massive breaches are happening. If all our personal information is in the public domain, then banks, credit card companies, etc will have to use something else besides this information for authentication.
Last edited by rkhusky on Fri Jun 19, 2015 1:28 pm, edited 1 time in total.

retiredjg
Posts: 38476
Joined: Thu Jan 10, 2008 12:56 pm

Re: OPM breach and credit freeze

Post by retiredjg » Fri Jun 19, 2015 1:26 pm

Glad to see this thread and looking forward to responses. I got my notification from OPM this morning. Not sure what I'm going to do either.

mickens16
Posts: 340
Joined: Wed Apr 06, 2011 8:52 am

Re: OPM breach and credit freeze

Post by mickens16 » Fri Jun 19, 2015 1:35 pm

I'm still waiting for my notification, but will definitely be monitoring this thread.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 1:39 pm

I went to Krebs' web site to check if he has any specific recommendations with respect to CSID. In the 15 June 2015 article "Catching Up on the OPM Breach" he acknowledged "18 months of free credit monitoring through CSID" but did not get into further details. His article ends with a recommendation: "If you’re affected by these breaches and wondering what you can do to protect yourself besides signing up for credit monitoring services, please see this story."

The referenced story is "How I Learned to Stop Worrying and Embrace the Security Freeze" from 8 June 2015 (but he has been recommending credit freeze in numerous earlier posts).

So far, it seems that the freeze recommendation wins.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

steve roy
Posts: 1723
Joined: Thu May 13, 2010 5:16 pm

Re: OPM breach and credit freeze

Post by steve roy » Fri Jun 19, 2015 1:47 pm

The wife and I own two-fers in the "victims of hackery" department.

SHE was a victim of the OPM breach. We were BOTH victims of the Anthem (Health Insurance Company) breach.

The result? We had some unknown entity e-file for a federal income tax refund using my Social Security Number. The result is we still haven't gotten a largish tax refund after months of delay. We've filled out IRS paperwork, and are waiting ... waiting ... waiting ...

FedGuy
Posts: 1262
Joined: Sun Jul 25, 2010 3:36 pm

Re: OPM breach and credit freeze

Post by FedGuy » Fri Jun 19, 2015 2:17 pm

I filed an "affidavit of identity theft" (or some similar title) with the IRS. At least, I faxed it to the number given; I haven't heard anything back yet, but I'm not sure I'm supposed to.

I tried to freeze my credit and was disappointed to learn that it requires payment of a fee. I understand that the fee is fairly nominal, but shouldn't OPM be covering that? I'm certainly more interested in that than in 18 months of credit monitoring (since I've been using credit monitoring for years anyway, given all the hacks out there). I plan to discuss with my union rep, but I'm not holding my breath.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 2:25 pm

FedGuy wrote:I filed an "affidavit of identity theft" (or some similar title) with the IRS. At least, I faxed it to the number given; I haven't heard anything back yet, but I'm not sure I'm supposed to.
Did you file it because of the OPM breach, or because you had previous identity issues with the IRS?
FedGuy wrote:I tried to freeze my credit and was disappointed to learn that it requires payment of a fee. I understand that the fee is fairly nominal, but shouldn't OPM be covering that? I'm certainly more interested in that than in 18 months of credit monitoring (since I've been using credit monitoring for years anyway, given all the hacks out there). I plan to discuss with my union rep, but I'm not holding my breath.
This is a good point. The letter I received from the OPM includes this information:
OPM wrote:Additional Information

As a reminder, you should follow the below routine precautionary measures to help protect your identity and personal affairs:

- Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

- Request a free credit report at http://www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax, Experian, and TransUnion – for a total of three reports per year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, http://www.ftc.gov.

- Review resources provided on the FTC identity theft website, http://www.identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion at 1-800-680-7289 to place this alert. TransUnion will then notify the other two credit bureaus on your behalf.
Note that they recommend a fraud alert and don't mention the possibility of a credit freeze.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

supertreat
Posts: 328
Joined: Sat Nov 03, 2007 11:57 pm

Re: OPM breach and credit freeze

Post by supertreat » Fri Jun 19, 2015 2:37 pm

I've frozen my wife's and my credit and also purposefully adjust my W-4 the last quarter to not get any tax return. Keeping my fingers crossed.
Assets - Liabilities = Equity + (Income - Expenses)

Browser
Posts: 4857
Joined: Wed Sep 05, 2012 4:54 pm

Re: OPM breach and credit freeze

Post by Browser » Fri Jun 19, 2015 2:42 pm

steve roy wrote:The wife and I own two-fers in the "victims of hackery" department.

SHE was a victim of the OPM breach. We were BOTH victims of the Anthem (Health Insurance Company) breach.

The result? We had some unknown entity e-file for a federal income tax refund using my Social Security Number. The result is we still haven't gotten a largish tax refund after months of delay. We've filled out IRS paperwork, and are waiting ... waiting ... waiting ...
Just one question. Isn't there any way you can avoid tax refunds in the first place? I always took great pains to minimize or end up with a balance owed. I know it can't always be avoided, but I always thought it foolish to let the government have my money interest-free for months. Now it looks like it's possible someone will have it forever...
We don't know where we are, or where we're going -- but we're making good time.

TimeRunner
Posts: 1575
Joined: Sat Dec 29, 2012 9:23 pm

Re: OPM breach and credit freeze

Post by TimeRunner » Fri Jun 19, 2015 2:47 pm

VictoriaF wrote:Note that they recommend a fraud alert and don't mention the possibility of a credit freeze.
Without getting banned for politics, all I'll say is that telling 14 million people to remove themselves from the credit/loan/dossier system is not something that would have gone over well with the White House, Wall St., Main St., or Mainstream Media, "where seldom is heard a discouraging word...."

Don't let $30 or so of credit freeze fees stand in the way of proactive action. Don't fall on your sword.

Also, to clarify on previous post, I'm suggesting you change your website security challenge question ANSWERS to non-predictive non-truthful ones, not change all your website passwords (although you are welcome to do so at any time).

Take care of yourselves as much as you can under the circumstances.
Last edited by TimeRunner on Fri Jun 19, 2015 2:49 pm, edited 1 time in total.
One cannot enlighten the unconscious.

scone
Posts: 1457
Joined: Wed Jul 11, 2012 4:46 pm

Re: OPM breach and credit freeze

Post by scone » Fri Jun 19, 2015 2:48 pm

I think it would be foolish to rely on anything coming out of OPM-- they are going to be in massive CYA mode going forward. I would be shocked at the staggering level of incompetence, if I hadn't seen similar things going on in other organizations.

I think you also need to assume that if you have been hacked, any other person who shows up in your database record is at risk as well. And you don't know how far back that database reaches, either. So the potential number of people who could be affected might be in the millions, or even tens of millions.

So you might want to think about people to give a heads up.

I have several family members with secret or top secret clearance, and/or active military, so I'm just going to assume I've been hacked. And I'm an Anthem hackee too! So my DH and I have locked our credit, closed down all unnecessary accounts, and generally circled the wagons. That might not help, really, but it makes me feel better.

Isn't it wonderful how technology makes life so much more convenient? :oops: :( :shock: :annoyed
"My bond allocation is the amount of money that I cannot afford to lose." -- Taylor Larimore

diasurfer
Posts: 1839
Joined: Fri Jul 06, 2007 8:33 pm
Location: miami-dade

Re: OPM breach and credit freeze

Post by diasurfer » Fri Jun 19, 2015 2:57 pm

steve roy wrote:The wife and I own two-fers in the "victims of hackery" department.

SHE was a victim of the OPM breach. We were BOTH victims of the Anthem (Health Insurance Company) breach.

The result? We had some unknown entity e-file for a federal income tax refund using my Social Security Number. The result is we still haven't gotten a largish tax refund after months of delay. We've filled out IRS paperwork, and are waiting ... waiting ... waiting ...
How do you know one led to the other? Lots of people are victims of IRS refund theft without having a known electronic breach. It's a quite common crime here in Miami, which seems to be the capital of fraud. A local insurance agency was running the scam!

As a Fed employee, my wife just received the CSID offer today. She forwarded the email to me about an hour ago. I suppose we've had a fatalist view about it - if it's going to happen, it's going to happen. We've got a protection offer letter from the Anthem break-in too. I've often felt like I should use a password manager, and then I read about a password protection company getting hacked. We had a burglary about 7 years ago in which our passports and social security cards were stolen. And still, AFAIK, we've never had identity theft issues.

Probably I'm being too laissez faire about it, but if I worried about everything I could be worried about, I'd have ulcers and no hair. But thanks for starting the thread. I'll be monitoring the advice but doubt I'll be doing anything other than paying the normal amount of attention to our accounts.
nedsaid wrote:Folks just seem to be accepting this.

Were I in that situation, I would consider drastic changes like a name change and a Social Security number change.
Correction: ulcers, no hair, and a new name.

TSR
Posts: 823
Joined: Thu Apr 19, 2012 9:08 am

Re: OPM breach and credit freeze

Post by TSR » Fri Jun 19, 2015 3:23 pm

I'm a federal employee/presumptive victim of the hack. I do not currently plan on taking advantage of the free monitoring. Instead, I intend to continue looking closely at my various accounts and then otherwise sticking my head in the sand. My rationale is somewhat fatalistic, as discussed above. First, I do not believe that anyone's social security number is private anymore in this information age. Second, I don't believe that these are the acts of identity thieves so much as government actors. That doesn't mean that some of the information won't get sold to cover that government actor's tracks, but I still don't know what effect it will have once sold -- it's not like your bank or the TSP is going to start cutting checks and sending them to unknown mailing addresses just because someone shows up with a name and a social security number. I do think the threat of false tax returns is real and significant, but I'm not sure how much effort I'm willing to take to guard against that threat.

I'm not saying this is the best response, and I'm open to other (perhaps better) ideas, but this is my current response.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 3:30 pm

I was on the phone with Vanguard's security department. Before I left for two months, I placed a web block on my account, because if something happened to it during my absence, I would not see an alert and would not be able to react for a very long time. In order to remove the web block, I had to answer a series of multiple choice questions. The problem is that some of the correct answers could be derived from my information in the OPM database and others could be guessed. The Vanguard representative has offered to add an Enhanced Security Password (ESP) that I would have to produce every time I call them (in addition to other authentication). ESP would only be used when I call Vanguard; it does not work with the online account.

I asked if Vanguard can put a note on my account that I am a victim of the OPM breach, but the representative said that they don't do it.

I used this opportunity to change my Vanguard password and security questions.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 3:40 pm

diasurfer wrote:Probably I'm being too laissez faire about it, but if I worried about everything I could be worried about, I'd have ulcers and no hair. But thanks for starting the thread. I'll be monitoring the advice but doubt I'll be doing anything other than paying the normal amount of attention to our accounts.
I had a similar attitude for a long time, assuming that most people are less prudent on the Internet than I am and therefore I am relatively safe. Recently (before the OPM breach) my attitude has changed. I have elevated my cybersecurity and identity protection to the same level as my health and money. Health, money, and identity are a three-legged stool on top of which one builds his life. If one of these legs is broken the life collapses.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Statch
Posts: 103
Joined: Mon Apr 08, 2013 2:23 pm

Re: OPM breach and credit freeze

Post by Statch » Fri Jun 19, 2015 4:22 pm

I got the email from OPM yesterday, and I am so dismayed that they chose to put the CSID offer in an email with a link to a site that then asks for all that very important personal information. How are we supposed to distinguish that from a phishing attack? I looked online and found that it came from the email address it's supposed to come from, but that could be hacked too.

I am debating whether to accept the offer and give them that info. This has all happened so fast that I just don't trust that they are set up to handle it all. I hadn't thought about the need to register with them to make sure someone else doesn't use the PIN number they gave me. The offer of $1 million in liability is apparently good even if you don't register, but how would I prove that any breach came about as a result of this hack?

I can't believe the totality of the information about me that the hackers have. They could do almost anything with my accounts and/or identity if the reports are true. It definitely is a kick in the butt to do something about starting to use LastPass. (I saw their breach story but from what I can tell, it still looks like a good bet to use.) I had not previously thought about a credit freeze, so thanks for posting about that. Looking forward to see what others post about this.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 4:34 pm

Statch wrote:I hadn't thought about the need to register with them to make sure someone else doesn't use the PIN number they gave me.
That was the reason for my immediate registration. Now, I am pausing to decide whether to provide any additional information, e.g., for their monitoring of the online markets selling identities.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

gkaplan
Posts: 7034
Joined: Sat Mar 03, 2007 8:34 pm
Location: Portland, Oregon

Re: OPM breach and credit freeze

Post by gkaplan » Fri Jun 19, 2015 4:53 pm

I received the OPM email about fifteen minutes ago.
Gordon

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 4:56 pm

gkaplan wrote:I received the OPM email about fifteen minutes ago.
If you decide to register, note that it may take a few minutes (e.g., 10 minutes) after you enter your PIN and prove that you are a human to get on the site. Do not refresh or otherwise try to accelerate it.

Good luck, Gordon,

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

robert88
Posts: 366
Joined: Tue Nov 25, 2014 6:27 pm

Re: OPM breach and credit freeze

Post by robert88 » Fri Jun 19, 2015 5:18 pm

There is a great deal of unwarranted paranoia in this thread. The information that the media has described as being stolen would simply be far too valuable for anyone to waste it filing fake income tax returns.

mnaspbh
Posts: 204
Joined: Fri Sep 09, 2011 12:26 pm

Re: OPM breach and credit freeze

Post by mnaspbh » Fri Jun 19, 2015 5:37 pm

VictoriaF wrote:
Statch wrote:I hadn't thought about the need to register with them to make sure someone else doesn't use the PIN number they gave me.
That was the reason for my immediate registration. Now, I am pausing to decide whether to provide any additional information, e.g., for their monitoring of the online markets selling identities.

Victoria
I'm not sure what good "monitoring of the online markets" would actually do, or how they'd do it without actually buying the info themselves (and hence driving up the value of said data, which increases the value of future attacks, which makes them more likely, which makes more people need their services... :shock: ). If they alert you that yep, your data is in a dump that's getting sold, how is that actionable? It's not like they can make the buyer not use it...

I assume that all stolen data has been sold within 24 hours of a breach. I hope that a combination of frozen credit and diligence on my part will be sufficient to reduce the likelihood of bad outcomes due to repeated data thefts.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 5:52 pm

robert88 wrote:There is a great deal of unwarranted paranoia in this thread. The information that the media has described as being stolen would simply be far too valuable for anyone to waste it filing fake income tax returns.
The OPM databases contain a wide variety of data. Some of these data are of the national level significance. Other data are sufficient for impersonating an individual on the IRS site, Credit Reporting Agencies' sites, and other financial sites. "Paranoia" is an unsubstantiated or exaggerated concern, which is not the case for those affected by the OPM breach.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

supertreat
Posts: 328
Joined: Sat Nov 03, 2007 11:57 pm

Re: OPM breach and credit freeze

Post by supertreat » Fri Jun 19, 2015 5:53 pm

robert88 wrote:There is a great deal of unwarranted paranoia in this thread. The information that the media has described as being stolen would simply be far too valuable for anyone to waste it filing fake income tax returns.
Please elaborate on your point.
Assets - Liabilities = Equity + (Income - Expenses)

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Fri Jun 19, 2015 5:55 pm

mnaspbh wrote:I'm not sure what good "monitoring of the online markets" would actually do, or how they'd do it without actually buying the info themselves (and hence driving up the value of said data, which increases the value of future attacks, which makes them more likely, which makes more people need their services... :shock: ). If they alert you that yep, your data is in a dump that's getting sold, how is that actionable? It's not like they can make the buyer not use it...
It's a good point.
mnaspbh wrote:I assume that all stolen data has been sold within 24 hours of a breach. I hope that a combination of frozen credit and diligence on my part will be sufficient to reduce the likelihood of bad outcomes due to repeated data thefts.
It depends on who possesses the data. If it's a nation state interested in spying, it will use the data to blackmail individuals. If it's a nation state that has recently been sanctioned for taking a part of its neighbor's territory, it may use the data for a large-scale attack. Only if the attackers are regular criminals are they already selling the data.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

robert88
Posts: 366
Joined: Tue Nov 25, 2014 6:27 pm

Re: OPM breach and credit freeze

Post by robert88 » Fri Jun 19, 2015 6:57 pm

VictoriaF wrote:
robert88 wrote:There is a great deal of unwarranted paranoia in this thread. The information that the media has described as being stolen would simply be far too valuable for anyone to waste it filing fake income tax returns.
The OPM databases contain a wide variety of data. Some of these data are of the national level significance. Other data are sufficient for impersonating an individual on the IRS site, Credit Reporting Agencies' sites, and other financial sites. "Paranoia" is an unsubstantiated or exaggerated concern, which is not the case for those affected by the OPM breach.

Victoria
It sounds like you're saying that the hackers won't provide sufficient protection for the stolen OPM data, but I don't know why you would jump to that conclusion.

Lynette
Posts: 1889
Joined: Sun Jul 27, 2014 9:47 am

Re: OPM breach and credit freeze

Post by Lynette » Fri Jun 19, 2015 7:09 pm

.....
Last edited by Lynette on Sat Jan 12, 2019 5:02 am, edited 1 time in total.

rkhusky
Posts: 7597
Joined: Thu Aug 18, 2011 8:09 pm

Re: OPM breach and credit freeze

Post by rkhusky » Fri Jun 19, 2015 8:05 pm

I'm not sure why people think that OPM has their passwords in some sort of database. The only reason you would have to change passwords on Vanguard is if your password is based on some aspect of your life, which is a major no-no. Passwords should be nearly random.

stan1
Posts: 7733
Joined: Mon Oct 08, 2007 4:35 pm

Re: OPM breach and credit freeze

Post by stan1 » Fri Jun 19, 2015 8:15 pm

rkhusky wrote:I'm not sure why people think that OPM has their passwords in some sort of database. The only reason you would have to change passwords on Vanguard is if your password is based on some aspect of your life, which is a major no-no. Passwords should be nearly random.
Vanguard has security questions based on personal information, such as grandmother's first name or the street you grew up on. That information might be on someone's SF-86. Most questions only ask the employee to go back at most 10 years (so you don't have to list every place you've lived since you were born).

One thing to be very careful about is very customized spear phishing attacks along the lines of:
Hello stan1,
This is your former neighbor Mary Smith. We sure had some good times on Honeysuckle Lane! How's your brother John doing? We just got back from a wonderful trip and wanted to share some photos with you. Just click here!
A great way for an adversary to try to gain a foothold.

rkhusky
Posts: 7597
Joined: Thu Aug 18, 2011 8:09 pm

Re: OPM breach and credit freeze

Post by rkhusky » Fri Jun 19, 2015 9:31 pm

stan1 wrote: Vanguard has security questions based on personal information, such as grandmother's first name or the street you grew up on. That information might be on someone's SF-86. Most questions only ask the employee to go back at most 10 years (so you don't have to list every place you've lived since you were born).

One thing to be very careful about is very customized spear phishing attacks along the lines of:
Hello stan1,
This is your former neighbor Mary Smith. We sure had some good times on Honeysuckle Lane! How's your brother John doing? We just got back from a wonderful trip and wanted to share some photos with you. Just click here!
People really use real answers to those security questions?

People should know not to click links in emails. In any case, I've never seen one of those fake emails that looked right.

steve roy
Posts: 1723
Joined: Thu May 13, 2010 5:16 pm

Re: OPM breach and credit freeze

Post by steve roy » Fri Jun 19, 2015 10:14 pm

Browser wrote:
steve roy wrote:The wife and I own two-fers in the "victims of hackery" department.

SHE was a victim of the OPM breach. We were BOTH victims of the Anthem (Health Insurance Company) breach.

The result? We had some unknown entity e-file for a federal income tax refund using my Social Security Number. The result is we still haven't gotten a largish tax refund after months of delay. We've filled out IRS paperwork, and are waiting ... waiting ... waiting ...
Just one question. Isn't there any way you can avoid tax refunds in the first place? I always took great pains to minimize or end up with a balance owed. I know it can't always be avoided, but I always thought it foolish to let the government have my money interest-free for months. Now it looks like it's possible someone will have it forever...
The Mrs. and I were chatting about this tonight. We'll be changing what we have withheld so that this doesn't happen again. Until now, we've engineered things so we got a bit of a refund, but the last few years refunds have gotten larger and we haven't changed anything. (Lazy, I guess.)

But that was then, this is now. Now it stops.

FedGuy
Posts: 1262
Joined: Sun Jul 25, 2010 3:36 pm

Re: OPM breach and credit freeze

Post by FedGuy » Fri Jun 19, 2015 10:27 pm

VictoriaF wrote:
FedGuy wrote:I filed an "affidavit of identity theft" (or some similar title) with the IRS. At least, I faxed it to the number given; I haven't heard anything back yet, but I'm not sure I'm supposed to.
Did you file it because of the OPM breach, or because you had previous identity issues with the IRS?
Because of the hack. One of the pages I looked at--possibly the FTC page that you referred to in your post--suggested doing it if you think your information might have been stolen.
VictoriaF wrote:Note that they recommend a fraud alert and don't mention the possibility of a credit freeze.
Right, but a credit freeze seems like a good idea.

I enrolled in the CSID thing, but declined to provide information about my bank account and all that. That just felt like potentially compounding the problem to me.

stan1
Posts: 7733
Joined: Mon Oct 08, 2007 4:35 pm

Re: OPM breach and credit freeze

Post by stan1 » Fri Jun 19, 2015 11:11 pm

rkhusky wrote:
stan1 wrote: Vanguard has security questions based on personal information, such as grandmother's first name or the street you grew up on. That information might be on someone's SF-86. Most questions only ask the employee to go back at most 10 years (so you don't have to list every place you've lived since you were born).

One thing to be very careful about is very customized spear phishing attacks along the lines of:
Hello stan1,
This is your former neighbor Mary Smith. We sure had some good times on Honeysuckle Lane! How's your brother John doing? We just got back from a wonderful trip and wanted to share some photos with you. Just click here!
People really use real answers to those security questions?

People should know not to click links in emails. In any case, I've never seen one of those fake emails that looked right.
I guess you pass the test. I'd guess a very small percentage of the user population uses false answers to security questions. As for spear phishing the whole point is to use real personal information to make the email look more credible. Absolutely it will increase the likelihood of someone clicking on it carelessly or out of curiosity.

Cash
Posts: 1465
Joined: Wed Mar 10, 2010 10:52 am

Re: OPM breach and credit freeze

Post by Cash » Sat Jun 20, 2015 6:17 am

steve roy wrote:
Browser wrote:
steve roy wrote:The wife and I own two-fers in the "victims of hackery" department.

SHE was a victim of the OPM breach. We were BOTH victims of the Anthem (Health Insurance Company) breach.

The result? We had some unknown entity e-file for a federal income tax refund using my Social Security Number. The result is we still haven't gotten a largish tax refund after months of delay. We've filled out IRS paperwork, and are waiting ... waiting ... waiting ...
Just one question. Isn't there any way you can avoid tax refunds in the first place? I always took great pains to minimize or end up with a balance owed. I know it can't always be avoided, but I always thought it foolish to let the government have my money interest-free for months. Now it looks like it's possible someone will have it forever...
The Mrs. and I were chatting about this tonight. We'll be changing what we have withheld so that this doesn't happen again. Until now, we've engineered things so we got a bit of a refund, but the last few years refunds have gotten larger and we haven't changed anything. (Lazy, I guess.)

But that was then, this is now. Now it stops.
That's not quite how it works. The fraudsters don't submit your actual numbers...how would they get that? Instead, they submit fake returns with fake numbers, but with your identifying info. Regardless of whether you are owed a refund, you wouldn't be able to file because they've already filed a fake return. The best way to beat them is to file as early as you can. But sure, maybe it's better to owe money (or to owe nothing) than to be owed money. Either way, you will need to notify the IRS.

Cash
Posts: 1465
Joined: Wed Mar 10, 2010 10:52 am

Re: OPM breach and credit freeze

Post by Cash » Sat Jun 20, 2015 6:18 am

Statch wrote:I got the email from OPM yesterday, and I am so dismayed that they chose to put the CSID offer in an email with a link to a site that then asks for all that very important personal information. How are we supposed to distinguish that from a phishing attack? I looked online and found that it came from the email address it's supposed to come from, but that could be hacked too.
My employer explicitly said not to click on the link, but rather to go to the website directly by entering it into your browser.

Topic Author
VictoriaF
Posts: 18984
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: OPM breach and credit freeze

Post by VictoriaF » Sat Jun 20, 2015 6:22 am

Cash wrote:
Statch wrote:I got the email from OPM yesterday, and I am so dismayed that they chose to put the CSID offer in an email with a link to a site that then asks for all that very important personal information. How are we supposed to distinguish that from a phishing attack? I looked online and found that it came from the email address it's supposed to come from, but that could be hacked too.
My employer explicitly said not to click on the link, but rather to go to the website directly by entering it into your browser.
I did not click on the link and went to the web site directly. But I suspect that numerous other recipients of the email have clicked. Some of their employers did not warn them, many of them are retirees, most are not trained in cyber security, all are anxious about this breach.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Blues
Posts: 1765
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: OPM breach and credit freeze

Post by Blues » Sat Jun 20, 2015 7:35 am

Haven't been contacted (yet) but have opted for setting up the "fraud alert" (which I believe covers at least 90 days by the three credit monitoring agencies). Not sure what further steps we will take if / when we are contacted.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

skepticalobserver
Posts: 1019
Joined: Tue Jul 29, 2014 11:29 am

Re: OPM breach and credit freeze

Post by skepticalobserver » Sat Jun 20, 2015 9:17 am

Yesterday morning I emailed CSID and asked if a credit freeze would interfere with what they offer. No reply.

I don’t think there’s a substitute for the credit freeze. Once CSID, or LifeLock for that matter, detect fraudulent activity the horse is out of the barn. Note that you can institute a freeze with ChexSystems and by doing so block the fraudulent opening of a bank account.

FlyerJack
Posts: 20
Joined: Fri Feb 27, 2015 4:56 pm

Re: OPM breach and credit freeze

Post by FlyerJack » Sat Jun 20, 2015 9:47 am

[Edit - deleted. Feel free to delete this post.]
Last edited by FlyerJack on Tue Nov 22, 2016 7:17 pm, edited 1 time in total.

Blues
Posts: 1765
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: OPM breach and credit freeze

Post by Blues » Sat Jun 20, 2015 10:13 am

skepticalobserver wrote:Note that you can institute a freeze with ChexSystems and by doing so block the fraudulent opening of a bank account.
If one institutes a freeze with ChexSystems do they still have to do the same with the three major credit monitoring services (Trans Union, Experian, Equifax)?
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

skepticalobserver
Posts: 1019
Joined: Tue Jul 29, 2014 11:29 am

Re: OPM breach and credit freeze

Post by skepticalobserver » Sat Jun 20, 2015 10:42 am

I would recommend instituting a freeze with the three major services as well as ChexSystems. The cost is minimal.

A while back I went to open a CD at a local bank and they ran an Equifax report in addition to ChexSystems. I suppose each service flags different behavior.

Blues
Posts: 1765
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: OPM breach and credit freeze

Post by Blues » Sat Jun 20, 2015 10:44 am

skepticalobserver wrote:I would recommend instituting a freeze with the three major services as well as ChexSystems. The cost is minimal.

A while back I went to open a CD at a local bank and they ran an Equifax report in addition to ChexSystems. I suppose each service flags different behavior.
Thank you. I think I'll do so.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

stan1
Posts: 7733
Joined: Mon Oct 08, 2007 4:35 pm

Re: OPM breach and credit freeze

Post by stan1 » Sat Jun 20, 2015 11:54 am

FlyerJack wrote:I'm a current federal employee, although I have not received anything from OPM regarding the breach. My impression is that it affected everyone, but it sounds like they are being more selective in their notifications.

I put a 90-day fraud alert on my credit report -- very easy to do -- and am considering a freeze. Will OPM pay the (nominal) fees for credit freezes? Did you have to do separate freezes for the different credit bureaus? I'm also not sure how that relates to a credit freeze through ChexSystems, if at all.
No, OPM will not pay for the freeze. Note that a data breach is different than identity theft. Your data can be breached without your identity being stolen, and your identity can be stolen through methods other than a data breach. In some cases you can get free credit freezes in identity theft situations -- but again a data breach is not identity theft. Consumer advocates should be fighting for free freezes/unfreezes for everyone in all states.

I am not aware of a service that will freeze new requests for credit at all 3+ credit bureaus.

westie
Posts: 494
Joined: Thu Jan 19, 2012 8:00 am

Re: OPM breach and credit freeze

Post by westie » Sat Jun 20, 2015 12:24 pm

I'm a retired federal employee and have received no notification of any kind regarding the breach. Have all those notifications been completed? What specific information was breached? Personal information doesn't tell you much.

retiredjg
Posts: 38476
Joined: Thu Jan 10, 2008 12:56 pm

Re: OPM breach and credit freeze

Post by retiredjg » Sat Jun 20, 2015 12:51 pm

westie wrote:I'm a retired federal employee and have received no notification of any kind regarding the breach. Have all those notifications been completed? What specific information was breached? Personal information doesn't tell you much.
I read the notifications should happen by the 20th (today). However, I'm not sure if that meant "in the mail" or "person has been notified". I got mine by email yesterday morning (sent late on the 18th). I wouldn't be surprised if something shows up in snail mail this week.

So I'd think you should have yours by mid next week if you are going to get one assuming that OPM has a current mailing address.

However, since these things tend to be "ongoing" and new stuff is discovered from time to time, I don't think not hearing by mid next week means much long term. There could be another round of notifications that start later.

I don't have a lot of knowledge of what "personal" information is involved. However, background checks apparently figure into this breach. When they do a background check, they want to know everything - every address you've ever lived, your relatives' names, all your accounts, all your schools, etc. This could be handy if someone wants to get around your security questions - a lot of which are things like "the name of your elementary school", "your mother's maiden name", "where did you meet your spouse".

I don't recall ever putting my first pet's name on the background check forms though so maybe I'm safe.
