Equifax customer information leak

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
User avatar
Alexa9
Posts: 1365
Joined: Tue Aug 30, 2016 9:41 am

Re: Equifax says info stolen. What's my best course of action?

Post by Alexa9 » Fri Sep 08, 2017 9:35 am

Use Mint to track all your credit cards in one place. Get new numbers, change passwords. Even if someone does use your card you're protected. I would use the strongest usernames/passwords on your bank and brokerage accounts.

FrugalConservative
Posts: 30
Joined: Thu Aug 17, 2017 9:44 am

Re: Equifax says info stolen. What's my best course of action?

Post by FrugalConservative » Fri Sep 08, 2017 9:38 am

rickberg wrote:
Fri Sep 08, 2017 9:29 am
Enrolling into their free monitoring will exclude you from any future class action lawsuits.
And what type of payout does one expect when the pool of plaintiffs is north of 100 million? :oops:

TTBG
Posts: 94
Joined: Sun Nov 09, 2014 8:16 pm

Re: Equifax customer information leak

Post by TTBG » Fri Sep 08, 2017 9:41 am

So Equifax is saying that their executives were not aware of the breach when the executives sold their stock. In other words, one of the 3 major credit bureaus in the US discovered a breach potentially affecting 143 million people, and they didn't bother to inform the CFO for more than 3 days after it was discovered?

billthecat
Posts: 207
Joined: Tue Jan 24, 2017 2:50 pm

Re: Equifax says info stolen. What's my best course of action?

Post by billthecat » Fri Sep 08, 2017 9:45 am

FrugalConservative wrote:
Fri Sep 08, 2017 9:38 am
rickberg wrote:
Fri Sep 08, 2017 9:29 am
Enrolling into their free monitoring will exclude you from any future class action lawsuits.
And what type of payout does one expect when the pool of plaintiffs is north of 100 million? :oops:
Same as always - about $7.95, roughly five years from now, provided you successfully jumped through all the hoops designed to trip you up.

Da5id
Posts: 2035
Joined: Fri Feb 26, 2016 8:20 am

Re: Equifax customer information leak

Post by Da5id » Fri Sep 08, 2017 9:47 am

TTBG wrote:
Fri Sep 08, 2017 9:41 am
So Equifax is saying that their executives were not aware of the breach when the executives sold their stock. In other words, one of the 3 major credit bureaus in the US discovered a breach potentially affecting 143 million people, and they didn't bother to inform the CFO for more than 3 days after it was discovered?
While I'm pretty cynical, I have my doubts here. Normally senior insiders have to decide far in advance to sell company stock and sell on a schedule using 10b5-1. Is it known that they didn't do so here?

User avatar
DaftInvestor
Posts: 3934
Joined: Wed Feb 19, 2014 10:11 am

Re: Equifax says info stolen. What's my best course of action?

Post by DaftInvestor » Fri Sep 08, 2017 9:48 am

billthecat wrote:
Fri Sep 08, 2017 9:45 am
FrugalConservative wrote:
Fri Sep 08, 2017 9:38 am
rickberg wrote:
Fri Sep 08, 2017 9:29 am
Enrolling into their free monitoring will exclude you from any future class action lawsuits.
And what type of payout does one expect when the pool of plaintiffs is north of 100 million? :oops:
Same as always - about $7.95, roughly five years from now, provided you successfully jumped through all the hoops designed to trip you up.
I remember the first Poland-Springs class-action lawsuit (the one that first stated that the source of water wasn't always from a spring in Maine) - the payout to the person who first put forth the suit was something like $10,000 - the lawyers got millions - as customers we got $5 coupons good on Poland Spring water.
My guess is, if there is a class-action lawsuit, it will probably simply give us all free monitoring (which is what they are already offering). I can't imagine much else given - perhaps there will be a pay-out to any Identity-theft victims as a result of the breach.

User avatar
triceratop
Moderator
Posts: 5258
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Equifax customer information leak

Post by triceratop » Fri Sep 08, 2017 9:49 am

Da5id wrote:
Fri Sep 08, 2017 9:47 am
TTBG wrote:
Fri Sep 08, 2017 9:41 am
So Equifax is saying that their executives were not aware of the breach when the executives sold their stock. In other words, one of the 3 major credit bureaus in the US discovered a breach potentially affecting 143 million people, and they didn't bother to inform the CFO for more than 3 days after it was discovered?
While I'm pretty cynical, I have my doubts here. Normally senior insiders have to decide far in advance to sell company stock and sell on a schedule using 10b5-1. Is it known that they didn't do so here?
Yes, the original Bloomberg reporting noted that this was outside of the schedule declared on any 10b5-1 filings.
"To play the stock market is to play musical chairs under the chord progression of a bid-ask spread."

User avatar
dmcmahon
Posts: 1870
Joined: Fri Mar 21, 2008 10:29 pm

Re: Equifax customer information leak

Post by dmcmahon » Fri Sep 08, 2017 9:54 am

TheTimeLord wrote:
Fri Sep 08, 2017 9:05 am
Sheepdog wrote:
Fri Sep 08, 2017 8:51 am
bberris wrote:
Fri Sep 08, 2017 8:47 am
sid hartha wrote:
Fri Sep 08, 2017 8:03 am
I am starting a company to rate the credit raters. Equifax will not be getting a very good rating.
But you have to give them high marks for waiting 9 weeks to release the news.
Just in;
Equifax executives sold stock after data breach, before informing public http://www.marketwatch.com/story/equifa ... op_stories
This was out there, apparently sale was not that long after breach discovered and company claiming the execs involved were not aware. If the amount of money involved is the $1.8 million (over 4 execs) I have seen reported I am inclined to believe them because you would have to be total moron the risk having the Feds make an example of you for that sum.
Well, the way these clowns operate, we can't rule out total moron can we?

User avatar
flamesabers
Posts: 1721
Joined: Fri Mar 03, 2017 12:05 pm
Location: Rochester, MN

Re: Equifax customer information leak

Post by flamesabers » Fri Sep 08, 2017 9:59 am

The website says my information may have been compromised. My enrollment date for TrustedID Premier is 9/11/17.

User avatar
deanbrew
Posts: 1260
Joined: Wed Jul 21, 2010 12:05 pm
Location: The Keystone State

Re: Equifax customer information leak

Post by deanbrew » Fri Sep 08, 2017 10:04 am

The website says I was impacted and let me enroll in the protection plan. When I entered my wife's info, it says she is probably impacted and can enroll after 9/13/17.
"The course of history shows that as the government grows, liberty decreases." Thomas Jefferson

User avatar
dmcmahon
Posts: 1870
Joined: Fri Mar 21, 2008 10:29 pm

Re: Equifax says info stolen. What's my best course of action?

Post by dmcmahon » Fri Sep 08, 2017 10:06 am

My worries go beyond credit though. Freezing credit reporting is straightforward. But if they have your name, address, data of birth, SSN, and DL#, I don't see how any of your bank and brokerage accounts are secure. This is exactly the information you have to give on the phone to transact business. A determined crook could go as far as forging a DL with their own picture on it, then going in person to some branch of your bank in another town and cleaning out your account. Am I just being paranoid?

Worst of all, those pieces of info are either impossible to change, or extremely difficult to change. I don't even know if you can get a new DL# without a big hassle, unless you move to another state. In the other breaches you could change your password or take some other action to restore the security of your account. Here, not so much.

ikowik
Posts: 117
Joined: Tue Dec 23, 2014 6:52 pm

Re: Equifax customer information leak

Post by ikowik » Fri Sep 08, 2017 10:07 am

My credit reports have been frozen for a while. This morning I tried to see if I was affected at Equifax by clicking on the link at their website. Brought me to a page asking for name and SSN; Mozilla Firefox brought up a warning that this site might be fraudulent!! Phishing attack??!!
I just closed everything down and did not proceed, will try again with a different browser tonight. Unless everything appears clean, I will wait a few days to proceed with checking.

User avatar
VictoriaF
Posts: 18318
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Equifax customer information leak

Post by VictoriaF » Fri Sep 08, 2017 10:07 am

The dates received from Equifax represent the order in which people have checked the site. Early birds got 9/11, today they are giving 9/14. Later we will have later dates.

I have developed this hypothesis from observing the dates of comments in Brian Krebs's blog and here. I am removing it, because it has been disproved by data points below.

Victoria
Last edited by VictoriaF on Fri Sep 08, 2017 11:04 am, edited 2 times in total.
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

dodonnell
Posts: 413
Joined: Wed Oct 29, 2008 6:48 pm

Re: Equifax customer information leak

Post by dodonnell » Fri Sep 08, 2017 10:08 am

tj218 wrote:
Thu Sep 07, 2017 8:54 pm
VictoriaF wrote:
Thu Sep 07, 2017 8:48 pm
susa wrote:
Thu Sep 07, 2017 6:43 pm
fposte wrote: ...slightly weird, in that the way they tell you whether your info was involved or not is by telling you when you'd be allowed to enroll (for reasons I'm not clear on it's staggered by date).
Got a future date with the instruction to return ON or After that date to the same web address.
A commenter on the Brian Krebs's article suggests that the link for entering the last 6 digits of the Social Security Number and Last Name, and the non-informative response resemble a phishing attack.
Wayne, September 7, 2017 at 8:55 pm

Same here. That non-informative response reminded me of what happens when you visit a phishing site. How sure are we that the attackers aren’t still in control and have engineered this request for our last name and the last 6 digits of our SSN?
Wayne, September 7, 2017 at 9:07 pm

Same here; it didn’t report on whether I’d been affected, but just told me to come back on 9/12. That sort of non-informative response troubles me; it’s what I’d expect to see from a phishing site. How certain are we that the Equifax hackers aren’t still in control and harvesting our last name and the last six digits of our SSN?
Victoria
I foolishly did put the info in on this and got a date (9/13) but unless if this is a second, unrelated group that is doing this hack I don't see why the people who have our data would need any digits of our SS. It's probably legit.
Finally, got around to this. Appears to be crap:
  • -Im affected
    - wife is affected
    - son, daughter affected
    - my deceased father (2007) affected
    - my deceased grandmother (1980) affected
    - ... over a dozen made up SSNs (but valid sequences) with last name same .... all affected
    - made up lastnames with valid sequence, but made up SSNs ... all affected
google captcha is locking me out now with 2nd order captcha tests
... maybe the default is "affected" when they can't do the db lookup because they are overwhelmed right now.

littlebird
Posts: 1376
Joined: Sat Apr 10, 2010 6:05 pm
Location: Valley of the Sun, AZ

Re: Equifax customer information leak

Post by littlebird » Fri Sep 08, 2017 10:13 am

playmisty wrote:
Fri Sep 08, 2017 9:28 am

As for what else to do, given the scope of the breach, I would guess that the recent years' tax return frauds will only escalate. Maybe try and file your taxes as quickly as possible? Maybe the IRS will come up with a new verification method for filing taxes?
Well one thing I'm doing this year, which will keep down my anxiety if nothing else, is ensuring that I'm going to owe the IRS money, and not be owed a refund. Of course, this is fairly easy for me, as a retiree with a modest taxable income, and the near certainty of owing less than the amount that would incur a penalty in any event. I can handle this pretty easily by not taking my RMD until Nov. to allow me to pay some withholding if needed due to capitol gains harvesting.

User avatar
CAsage
Posts: 931
Joined: Sun Mar 27, 2016 6:25 pm

Re: Equifax customer information leak

Post by CAsage » Fri Sep 08, 2017 10:13 am

Looks like freezing your credit at the three (4?)major bureaus is the right thing to do . Question - since they charge a fee for CA, is that a one time thing, or is it annual? I honestly do not foresee needing more credit cards or loans ... and yes, writing to our governmental officials to stop for-profit agencies from pimping our personal data to open accounts we don't want or did not ask for sounds good.

Edit: Frozen! Equifax quick,easy, free (!?); kept a confirmation printout. Experian charged $10, and set a PIN to unfreeze later if needed. Transunion put me through multiple pages to set up an account, then asked me to call... many digits later it succeeded also with a $10 charge and a PIN. I think my protection spells for the day have been cast.
Last edited by CAsage on Fri Sep 08, 2017 11:02 am, edited 2 times in total.
Salvia Clevelandii "Winifred Gilman" my favorite. YMMV; not a professional advisor.

Rupert
Posts: 3287
Joined: Fri Aug 17, 2012 12:01 pm

Re: Equifax says info stolen. What's my best course of action?

Post by Rupert » Fri Sep 08, 2017 10:18 am

dmcmahon wrote:
Fri Sep 08, 2017 10:06 am
My worries go beyond credit though. Freezing credit reporting is straightforward. But if they have your name, address, data of birth, SSN, and DL#, I don't see how any of your bank and brokerage accounts are secure. This is exactly the information you have to give on the phone to transact business. A determined crook could go as far as forging a DL with their own picture on it, then going in person to some branch of your bank in another town and cleaning out your account. Am I just being paranoid?

Worst of all, those pieces of info are either impossible to change, or extremely difficult to change. I don't even know if you can get a new DL# without a big hassle, unless you move to another state. In the other breaches you could change your password or take some other action to restore the security of your account. Here, not so much.
A little bit paranoid. While it's not impossible that your hypothetical scenario could happen, that would be much more work than the average criminal who buys stolen identity information on the internet is willing to do. They tend to commit much easier, less labor-intensive crimes, such as using your info to buy cellphones and opening new credit card accounts in your name, etc.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Equifax customer information leak

Post by Mudpuppy » Fri Sep 08, 2017 10:20 am

AAA wrote:
Thu Sep 07, 2017 7:30 pm
I went to their dedicated website, www.equifaxsecurity2017.com, "to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection." After entering my information, it brought up a window telling me that I could enroll in the service they're offering on such-and-such a date. There was no explicit statement of whether my information had been impacted or not. So I should assume that since they're offering to sign me up that it has? Not a very clear or straightforward process. Anyhow, as I have the files already frozen, I am not in a hurry to use their service.
That website just goes so counter to the core of everything I teach about avoiding phishing scams, that I'm having great difficulty believing it's actually legitimate. But given all the other hairball things Equifax has done in cybersecurity, having a website that looks like a scam also wouldn't surprise me. Even if it proves to be legitimate, since it seems to only be signing people up for Equifax's own ID theft monitoring service, it's a useless site.

End result: I'm not using that site. I don't need Equifax's ID theft monitoring service and the site is just a little too odd for trustworthiness.

Edit: Also, similar to the Anthem and OPM breaches, there is probably not an immediate danger of the stolen credentials being used. In this big of a data dump, the likely targets were people with "state secrets" for purposes of "influence" in relationship to espionage. The average Jane and Joe will likely have a few weeks/months before they convert the data into a money trove by selling chunks on the dark-web. And I'm in California which means legally, to comply with California legislation, Equifax will have to snail mail me a letter if I have been impacted by the breach. I can wait for the letter to find out if I'm impacted. It will join my letters from Anthem and the IRS in the "notified of potential ID theft" folder.
Last edited by Mudpuppy on Fri Sep 08, 2017 10:27 am, edited 1 time in total.

User avatar
Raybo
Posts: 1623
Joined: Tue Feb 20, 2007 11:02 am
Location: San Francisco
Contact:

Re: Equifax says info stolen. What's my best course of action?

Post by Raybo » Fri Sep 08, 2017 10:22 am

I have my credit locked. I didn't see anything about the breach including my code for unlocking my credit report. Does anyone know if such information was taken?
No matter how long the hill, if you keep pedaling you'll eventually get up to the top.

User avatar
VictoriaF
Posts: 18318
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Equifax customer information leak

Post by VictoriaF » Fri Sep 08, 2017 10:26 am

Mudpuppy wrote:
Fri Sep 08, 2017 10:20 am
That website just goes so counter to the core of everything I teach about avoiding phishing scams, that I'm having great difficulty believing it's actually legitimate.
I agree with you. But I also had experience after the OPM breach when they sent email with a link to click on. To be clear, people were told to click on a link sent in an email, and the destination was not even the OPM but its contractor. It does not make it right. But it indicates that breached organizations panic and commit further imprudence.

With this particular Equifax case, there have been so many data points that clicking on their link and providing the required information seems safe.

Victoria
Last edited by VictoriaF on Fri Sep 08, 2017 10:27 am, edited 1 time in total.
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

User avatar
neurosphere
Posts: 2884
Joined: Sun Jan 17, 2010 1:55 pm

Re: Equifax customer information leak

Post by neurosphere » Fri Sep 08, 2017 10:26 am

Mudpuppy wrote:
Fri Sep 08, 2017 10:20 am
End result: I'm not using that site. I don't need Equifax's ID theft monitoring service and the site is just a little too odd for trustworthiness.
At least there is a direct link to that site from the main Equifax page. But perhaps hackers now have taken www.equifax.com too? :|

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 10:26 am

Material Guy wrote:
Fri Sep 08, 2017 9:25 am
Simple question that does not seem to have been addressed anywhere:
Why was the information on the Equifax servers NOT ENCRYPTED?
I assume it was encrypted at rest, have you seen reports to the contrary?
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Equifax customer information leak

Post by Mudpuppy » Fri Sep 08, 2017 10:30 am

neurosphere wrote:
Fri Sep 08, 2017 10:26 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:20 am
End result: I'm not using that site. I don't need Equifax's ID theft monitoring service and the site is just a little too odd for trustworthiness.
At least there is a direct link to that site from the main Equifax page. But perhaps hackers now have taken www.equifax.com too? :|
Potentially, but you missed the other part of my reply: "Even if it proves to be legitimate, since it seems to only be signing people up for Equifax's own ID theft monitoring service, it's a useless site."

I find no value in Equifax's ID theft monitoring service and that's all the website seems to be doing. So it's useless to me.

Rupert
Posts: 3287
Joined: Fri Aug 17, 2012 12:01 pm

Re: Equifax says info stolen. What's my best course of action?

Post by Rupert » Fri Sep 08, 2017 10:37 am

Raybo wrote:
Fri Sep 08, 2017 10:22 am
I have my credit locked. I didn't see anything about the breach including my code for unlocking my credit report. Does anyone know if such information was taken?
This is what Brian Krebs (Krebs on Security) says about that:

"Several readers who have taken my advice and placed security freezes (also called a credit freeze) on their file with Equifax have written in asking whether this intrusion means cybercriminals could also be in possession of the unique PIN code needed to lift the freeze.

So far, the answer seems to be “no.” Equifax was clear that its investigation is ongoing. However, in a FAQ about the breach, Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases."

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 10:37 am

Mudpuppy wrote:
Fri Sep 08, 2017 10:30 am
neurosphere wrote:
Fri Sep 08, 2017 10:26 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:20 am
End result: I'm not using that site. I don't need Equifax's ID theft monitoring service and the site is just a little too odd for trustworthiness.
At least there is a direct link to that site from the main Equifax page. But perhaps hackers now have taken www.equifax.com too? :|
Potentially, but you missed the other part of my reply: "Even if it proves to be legitimate, since it seems to only be signing people up for Equifax's own ID theft monitoring service, it's a useless site."

I find no value in Equifax's ID theft monitoring service and that's all the website seems to be doing. So it's useless to me.
The irony of a company who just lost your data offering you their credit monitoring services free for one year as essentially a loss leader full well knowing this information is likely to lie dormant for a period of time should not be lost on anyone. If I want credit monitoring I think I would pick someone else even if there was s fee involved. My plan is to freeze my credit then in a month pull my credit report and look for any unauthorized accounts that may have surfaced.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Equifax customer information leak

Post by Mudpuppy » Fri Sep 08, 2017 10:39 am

dmcmahon wrote:
Fri Sep 08, 2017 12:56 am
Isn't the bigger danger that the information will allow them to access your existing accounts? Forge documents in your name and use them to clean out an account at your bank in person? File fake tax returns? It's mind-boggling. Freezing your credit reports seems a completely inadequate response.
Social engineering attacks against existing accounts should be a strong concern. Several banks seem to be doing a better job of countering social engineering, even if that means making legitimate customers feel like they have not received good customer service because the bank is not sure they're the legitimate account holder.

The real social engineering problem lately is cell phone numbers. It doesn't take much to walk into a cellular store, pretend to be you, and port your number to a new, "upgraded" phone. If you're lucky, they just want the phone itself and will instead add lines on your plan. If you're unlucky, they want your number so they can get the secondary authentication text messages that your existing accounts send to your cell phone number to "verify" that you are you.

For tax returns, you should be able to use this incident to request a PIN number to file your returns. The IRS is also getting stronger detection algorithms there too. My 2016 tax return got snagged up for 4 months because the IRS flagged it as potentially fraudulent. There was nothing really unusual about the return (no refundable credits, no massive deductions, <$1000 return due), but my SSN was compromised in the Anthem breach.

Da5id
Posts: 2035
Joined: Fri Feb 26, 2016 8:20 am

Re: Equifax customer information leak

Post by Da5id » Fri Sep 08, 2017 10:41 am

triceratop wrote:
Fri Sep 08, 2017 9:49 am
Yes, the original Bloomberg reporting noted that this was outside of the schedule declared on any 10b5-1 filings.
Wow. This seems unusually dumb given how obvious and easy to discover the sale is. Can't go under the radar selling if you are an insider, it will be in an SEC filing.

Tadpole
Posts: 36
Joined: Sun Oct 11, 2009 4:28 am

Re: Equifax customer information leak

Post by Tadpole » Fri Sep 08, 2017 10:42 am

It gets worse. If you put in six numbers and it allows the enrollment instead of the wait unit the 13th type message, the enrollment page asks for full name, full SS number and address.

Who trusted these people with our personal data in the first place? Does the government report SS numbers to the credit bureaus the second someone gets a SS number? For example, when we moved we gave a forwarding address to the post office. Does the post office report our new address to these non-government credit bureaus?

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 10:43 am

Mudpuppy wrote:
Fri Sep 08, 2017 10:39 am
dmcmahon wrote:
Fri Sep 08, 2017 12:56 am
Isn't the bigger danger that the information will allow them to access your existing accounts? Forge documents in your name and use them to clean out an account at your bank in person? File fake tax returns? It's mind-boggling. Freezing your credit reports seems a completely inadequate response.
Social engineering attacks against existing accounts should be a strong concern. Several banks seem to be doing a better job of countering social engineering, even if that means making legitimate customers feel like they have not received good customer service because the bank is not sure they're the legitimate account holder.
Help me to understand the danger to existing accounts. My understanding is the real danger in identity theft is from accounts being open in my name I am unaware of as opposed to hacking existing account where my assets have guarantees.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

new2bogle
Posts: 1261
Joined: Fri Sep 11, 2009 2:05 pm

Re: Equifax says info stolen. What's my best course of action?

Post by new2bogle » Fri Sep 08, 2017 10:43 am

When I put in my SSN or my wife's, the website says "It may have been impacted". Notice the "may" vs. what OP has written.

I suppose there is no difference as to what to do. Freeze credit reports? Is this being offered for free now?

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 10:44 am

Tadpole wrote:
Fri Sep 08, 2017 10:42 am
It gets worse. If you put in six numbers and it allows the enrollment instead of the wait unit the 13th type message, the enrollment page asks for full name, full SS number and address.
Which the hackers already have if reports are correct.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

User avatar
VictoriaF
Posts: 18318
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Equifax customer information leak

Post by VictoriaF » Fri Sep 08, 2017 10:47 am

TheTimeLord wrote:
Fri Sep 08, 2017 10:43 am
Help me to understand the danger to existing accounts. My understanding is the real danger in identity theft is from accounts being open in my name I am unaware of as opposed to hacking existing account where my assets have guarantees.
I open an account as TheTimeLord in Minsk, Belarus. I link the Minsk account to TheTimeLord Vanguard account. Then I transfer money from the Vanguard account to the Minsk account. Then I empty my Minsk account and disappear.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

jasc15
Posts: 372
Joined: Wed Dec 19, 2012 1:36 pm

Re: Equifax says info stolen. What's my best course of action?

Post by jasc15 » Fri Sep 08, 2017 10:49 am

ved wrote:
Fri Sep 08, 2017 9:30 am
Pajamas wrote:
Fri Sep 08, 2017 9:16 am
thangngo wrote:
Fri Sep 08, 2017 9:10 am
The C-suite at Equifax also sold their shares after they know about the breach and before the information could reach the public. Is this insider trading?
Certainly would appear to be, at least based on the limited information that is currently public.
Executives / officers of publicly traded companies have to disclose their share purchases/sale plans to SEC in advance. So, if this was part of their scheduled transactions, it may not be nefarious. Though, they should have seen how bad the optics would be and cancelled those transactions (if they are allowed to do it).
"None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans."
https://www.bloomberg.com/news/articles ... cyber-hack

Is this what you mean?

User avatar
dmcmahon
Posts: 1870
Joined: Fri Mar 21, 2008 10:29 pm

Re: Equifax customer information leak

Post by dmcmahon » Fri Sep 08, 2017 10:50 am

Mudpuppy wrote:
Fri Sep 08, 2017 10:39 am
The real social engineering problem lately is cell phone numbers. It doesn't take much to walk into a cellular store, pretend to be you, and port your number to a new, "upgraded" phone. If you're lucky, they just want the phone itself and will instead add lines on your plan. If you're unlucky, they want your number so they can get the secondary authentication text messages that your existing accounts send to your cell phone number to "verify" that you are you.

For tax returns, you should be able to use this incident to request a PIN number to file your returns. The IRS is also getting stronger detection algorithms there too. My 2016 tax return got snagged up for 4 months because the IRS flagged it as potentially fraudulent. There was nothing really unusual about the return (no refundable credits, no massive deductions, <$1000 return due), but my SSN was compromised in the Anthem breach.
A few years ago my return got complex enough that I've used an accountant ever since. They file electronically on my behalf and take care of anything like that now.

I hadn't heard about the cell phone idea - wow. This is why I like the old-fashioned two-factor via a physical device. But very few organizations, including Vanguard, seem to use them.

Broken Man 1999
Posts: 1170
Joined: Wed Apr 08, 2015 11:31 am

Re: Equifax customer information leak

Post by Broken Man 1999 » Fri Sep 08, 2017 10:51 am

VictoriaF wrote:
Fri Sep 08, 2017 10:07 am
The dates received from Equifax represent the order in which people have checked the site. Early birds got 9/11, today they are giving 9/14. Later we will have later dates.

Victoria
No, at least not in my case. I received a 9/11 date this morning. One minute later, at the most, wife received a 9/13 date.

Perhaps they (Equifax) are just assigning randomly to balance demand when customers return to complete sign-up.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven than I shall not go. " -Mark Twain

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 10:51 am

VictoriaF wrote:
Fri Sep 08, 2017 10:47 am
TheTimeLord wrote:
Fri Sep 08, 2017 10:43 am
Help me to understand the danger to existing accounts. My understanding is the real danger in identity theft is from accounts being open in my name I am unaware of as opposed to hacking existing account where my assets have guarantees.
I open an account as TheTimeLord in Minsk, Belarus. I link the Minsk account to TheTimeLord Vanguard account. Then I transfer money from the Vanguard account to the Minsk account. Then I empty my Minsk account and disappear.

Victoria
And that is not covered by Vanguard's cyber policy if you have followed the steps that have laid out for securing your cyber access? If that is true sounds like I should move all my holdings from Mutual Funds to ETFs to take advantage of the protection offering by the 2 days to settle transactions.
Last edited by TheTimeLord on Fri Sep 08, 2017 10:54 am, edited 1 time in total.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

sixtyforty
Posts: 208
Joined: Tue Nov 25, 2014 12:22 pm

Re: Equifax customer information leak

Post by sixtyforty » Fri Sep 08, 2017 10:52 am

VictoriaF wrote:
Fri Sep 08, 2017 10:07 am
The dates received from Equifax represent the order in which people have checked the site. Early birds got 9/11, today they are giving 9/14. Later we will have later dates.

Victoria
Not necessarily. I checked mine this morning and got 9/14. My wife checked 2 hours after me and got 9/13.
"Simplicity is the ultimate sophistication" - Leonardo Da Vinci

User avatar
flamesabers
Posts: 1721
Joined: Fri Mar 03, 2017 12:05 pm
Location: Rochester, MN

Re: Equifax customer information leak

Post by flamesabers » Fri Sep 08, 2017 10:53 am

Broken Man 1999 wrote:
Fri Sep 08, 2017 10:51 am
VictoriaF wrote:
Fri Sep 08, 2017 10:07 am
The dates received from Equifax represent the order in which people have checked the site. Early birds got 9/11, today they are giving 9/14. Later we will have later dates.

Victoria
No, at least not in my case. I received a 9/11 date this morning. One minute later, at the most, wife received a 9/13 date.

Perhaps they (Equifax) are just assigning randomly to balance demand when customers return to complete sign-up.

Broken Man 1999
I also got a 9/11 date this morning.

Rupert
Posts: 3287
Joined: Fri Aug 17, 2012 12:01 pm

Re: Equifax customer information leak

Post by Rupert » Fri Sep 08, 2017 10:54 am

TheTimeLord wrote:
Fri Sep 08, 2017 10:43 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:39 am
dmcmahon wrote:
Fri Sep 08, 2017 12:56 am
Isn't the bigger danger that the information will allow them to access your existing accounts? Forge documents in your name and use them to clean out an account at your bank in person? File fake tax returns? It's mind-boggling. Freezing your credit reports seems a completely inadequate response.
Social engineering attacks against existing accounts should be a strong concern. Several banks seem to be doing a better job of countering social engineering, even if that means making legitimate customers feel like they have not received good customer service because the bank is not sure they're the legitimate account holder.
Help me to understand the danger to existing accounts. My understanding is the real danger in identity theft is from accounts being open in my name I am unaware of as opposed to hacking existing account where my assets have guarantees.
In this particular case, data thieves may have stolen your credit history (including the names of all present creditors), in addition to your personal identifiers. If they know you bank with Bank of America they could theoretically use your identifiers to access your account there. Targeted phishing attacks are a real concern going forward.

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 10:56 am

sixtyforty wrote:
Fri Sep 08, 2017 10:52 am
VictoriaF wrote:
Fri Sep 08, 2017 10:07 am
The dates received from Equifax represent the order in which people have checked the site. Early birds got 9/11, today they are giving 9/14. Later we will have later dates.

Victoria
Not necessarily. I checked mine this morning and got 9/14. My wife checked 2 hours after me and got 9/13.
Did it actually say anything about if your information had been impacted because the message I got just gave me an enrollment date for TrustedID Premier where a friend's specifically said he may have been impacted and provided them an enrollment button immediately.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Equifax customer information leak

Post by Mudpuppy » Fri Sep 08, 2017 10:57 am

TheTimeLord wrote:
Fri Sep 08, 2017 10:43 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:39 am
dmcmahon wrote:
Fri Sep 08, 2017 12:56 am
Isn't the bigger danger that the information will allow them to access your existing accounts? Forge documents in your name and use them to clean out an account at your bank in person? File fake tax returns? It's mind-boggling. Freezing your credit reports seems a completely inadequate response.
Social engineering attacks against existing accounts should be a strong concern. Several banks seem to be doing a better job of countering social engineering, even if that means making legitimate customers feel like they have not received good customer service because the bank is not sure they're the legitimate account holder.
Help me to understand the danger to existing accounts. My understanding is the real danger in identity theft is from accounts being open in my name I am unaware of as opposed to hacking existing account where my assets have guarantees.
Take the coordinated ATM attack that happened in several major cities a couple years back. Now, that was due to information gathered from ATM skimmers, but it shows the elaborate extent to which a money-motivated criminal ring is willing to go to get more money. In that attack, the criminal ring had countless copies of ATM information and needed to convert it to cash. They hired many "money mules" to take replicated ATM cards to banks in a coordinated two-hour window. Every money mule was instructed to go to specific banks in a specific time window so they could maximize the amount of money withdrawn across the cities before the authorities could realize something unusual was happening. As I recall, the overall haul was in the order of millions of dollars. Similar attacks happen on a much smaller scale on a regular basis, for skimmed ATM cards, skimmed credit cards, and wire fraud.

Now let's abstract that to this breach. It includes SSNs, driver's license numbers, addresses, and so on. Now instead of a money mule with a replicated ATM card, they need money mules with fake driver's licenses (has your name, number, address, but the money mule's photo) and fake SS cards. They go to the bank and initiate a wire transfer or get a money order. They might first go for the low-hanging fruit and try calling over the phone to see if they can initiate a transfer that way, although many banks won't do phone-based wire transfers these days to avoid this sort of fraud.

The key thing is that the money mules don't mind being photographed or video taped. So having the bank property under surveillance is not a deterrent for these sorts of criminal rings.

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 10:58 am

Rupert wrote:
Fri Sep 08, 2017 10:54 am
TheTimeLord wrote:
Fri Sep 08, 2017 10:43 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:39 am
dmcmahon wrote:
Fri Sep 08, 2017 12:56 am
Isn't the bigger danger that the information will allow them to access your existing accounts? Forge documents in your name and use them to clean out an account at your bank in person? File fake tax returns? It's mind-boggling. Freezing your credit reports seems a completely inadequate response.
Social engineering attacks against existing accounts should be a strong concern. Several banks seem to be doing a better job of countering social engineering, even if that means making legitimate customers feel like they have not received good customer service because the bank is not sure they're the legitimate account holder.
Help me to understand the danger to existing accounts. My understanding is the real danger in identity theft is from accounts being open in my name I am unaware of as opposed to hacking existing account where my assets have guarantees.
In this particular case, data thieves may have stolen your credit history (including the names of all present creditors), in addition to your personal identifiers. If they know you bank with Bank of America they could theoretically use your identifiers to access your account there. Targeted phishing attacks are a real concern going forward.
But who is liable for that unauthorized access and/or transfers? Because if individuals are and not the institutions it seems like you should be moving your accounts to other institutions and closing existing accounts.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 11:01 am

Mudpuppy wrote:
Fri Sep 08, 2017 10:57 am
TheTimeLord wrote:
Fri Sep 08, 2017 10:43 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:39 am
dmcmahon wrote:
Fri Sep 08, 2017 12:56 am
Isn't the bigger danger that the information will allow them to access your existing accounts? Forge documents in your name and use them to clean out an account at your bank in person? File fake tax returns? It's mind-boggling. Freezing your credit reports seems a completely inadequate response.
Social engineering attacks against existing accounts should be a strong concern. Several banks seem to be doing a better job of countering social engineering, even if that means making legitimate customers feel like they have not received good customer service because the bank is not sure they're the legitimate account holder.
Help me to understand the danger to existing accounts. My understanding is the real danger in identity theft is from accounts being open in my name I am unaware of as opposed to hacking existing account where my assets have guarantees.
Take the coordinated ATM attack that happened in several major cities a couple years back. Now, that was due to information gathered from ATM skimmers, but it shows the elaborate extent to which a money-motivated criminal ring is willing to go to get more money. In that attack, the criminal ring had countless copies of ATM information and needed to convert it to cash. They hired many "money mules" to take replicated ATM cards to banks in a coordinated two-hour window. Every money mule was instructed to go to specific banks in a specific time window so they could maximize the amount of money withdrawn across the cities before the authorities could realize something unusual was happening. As I recall, the overall haul was in the order of millions of dollars. Similar attacks happen on a much smaller scale on a regular basis, for skimmed ATM cards, skimmed credit cards, and wire fraud.

Now let's abstract that to this breach. It includes SSNs, driver's license numbers, addresses, and so on. Now instead of a money mule with a replicated ATM card, they need money mules with fake driver's licenses (has your name, number, address, but the money mule's photo) and fake SS cards. They go to the bank and initiate a wire transfer or get a money order. They might first go for the low-hanging fruit and try calling over the phone to see if they can initiate a transfer that way, although many banks won't do phone-based wire transfers these days to avoid this sort of fraud.

The key thing is that the money mules don't mind being photographed or video taped. So having the bank property under surveillance is not a deterrent for these sorts of criminal rings.
The question isn't about theft, it is about who is liable for unauthorized transfers from your accounts. What is an individual's actually liability in case of such theft.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

User avatar
dmcmahon
Posts: 1870
Joined: Fri Mar 21, 2008 10:29 pm

Re: Equifax customer information leak

Post by dmcmahon » Fri Sep 08, 2017 11:01 am

Mudpuppy wrote:
Fri Sep 08, 2017 10:57 am
Now let's abstract that to this breach. It includes SSNs, driver's license numbers, addresses, and so on. Now instead of a money mule with a replicated ATM card, they need money mules with fake driver's licenses (has your name, number, address, but the money mule's photo) and fake SS cards. They go to the bank and initiate a wire transfer or get a money order. They might first go for the low-hanging fruit and try calling over the phone to see if they can initiate a transfer that way, although many banks won't do phone-based wire transfers these days to avoid this sort of fraud.
Is there anything we can do to prevent this?

Grt2bOutdoors
Posts: 18602
Joined: Thu Apr 05, 2007 8:20 pm
Location: New York

Re: Equifax customer information leak

Post by Grt2bOutdoors » Fri Sep 08, 2017 11:04 am

dmcmahon wrote:
Fri Sep 08, 2017 10:50 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:39 am
The real social engineering problem lately is cell phone numbers. It doesn't take much to walk into a cellular store, pretend to be you, and port your number to a new, "upgraded" phone. If you're lucky, they just want the phone itself and will instead add lines on your plan. If you're unlucky, they want your number so they can get the secondary authentication text messages that your existing accounts send to your cell phone number to "verify" that you are you.

For tax returns, you should be able to use this incident to request a PIN number to file your returns. The IRS is also getting stronger detection algorithms there too. My 2016 tax return got snagged up for 4 months because the IRS flagged it as potentially fraudulent. There was nothing really unusual about the return (no refundable credits, no massive deductions, <$1000 return due), but my SSN was compromised in the Anthem breach.
A few years ago my return got complex enough that I've used an accountant ever since. They file electronically on my behalf and take care of anything like that now.

I hadn't heard about the cell phone idea - wow. This is why I like the old-fashioned two-factor via a physical device. But very few organizations, including Vanguard, seem to use them.
The one's that do use these physical devices like RSA want $25 for them, of course you the customer will have to pay for it.
"One should invest based on their need, ability and willingness to take risk - Larry Swedroe" Asking Portfolio Questions

JGoneRiding
Posts: 1069
Joined: Tue Jul 15, 2014 3:26 pm

Re: Equifax customer information leak

Post by JGoneRiding » Fri Sep 08, 2017 11:04 am

So i am already signed up for Experian protect my ID due to a much smaller security breach, which scares me more bec it may have been more intentional. Does anyone see a need for more protection? I am going to add fraud alerts but freezing has always seemed like a lot of bother.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Equifax customer information leak

Post by Mudpuppy » Fri Sep 08, 2017 11:05 am

dmcmahon wrote:
Fri Sep 08, 2017 10:50 am
A few years ago my return got complex enough that I've used an accountant ever since. They file electronically on my behalf and take care of anything like that now.
Seeing as I spent over 4 hours on the phone with the IRS to get the potential ID theft cleared up (~1 hour to prove identity, ~3 hours to get my refund issued), I would have loved to have let someone else make the call. But I don't think an accountant would have been authorized to respond to the IRS "we've detected potential ID theft" letter (4883C). The letter said only an authorized power of attorney with a Form 2848 on file with the IRS could respond to the letter on your behalf, and then they still encouraged you to be present for the call. The letter further stated that anyone who filed the return on your behalf but is NOT an authorized power of attorney could not respond to the letter for you. They could be present on the call, but you had to make the call.

It's better to get a PIN from the IRS as soon as you have a legitimate cause to request one. This breach would be a legitimate cause. I should have done that after the Anthem breach and saved myself the trouble. Here's the IRS site: https://www.irs.gov/identity-theft-frau ... ection-pin

User avatar
TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Equifax customer information leak

Post by TheTimeLord » Fri Sep 08, 2017 11:05 am

dmcmahon wrote:
Fri Sep 08, 2017 11:01 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:57 am
Now let's abstract that to this breach. It includes SSNs, driver's license numbers, addresses, and so on. Now instead of a money mule with a replicated ATM card, they need money mules with fake driver's licenses (has your name, number, address, but the money mule's photo) and fake SS cards. They go to the bank and initiate a wire transfer or get a money order. They might first go for the low-hanging fruit and try calling over the phone to see if they can initiate a transfer that way, although many banks won't do phone-based wire transfers these days to avoid this sort of fraud.
Is there anything we can do to prevent this?
All the banks I deal with that aren't online have scanned my driver's license and it pops up on there screen with my account information so I am not sure how a fake driver's license matters today. Just trying to understand the mechanics and liabilities of this situation.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Equifax customer information leak

Post by Mudpuppy » Fri Sep 08, 2017 11:12 am

TheTimeLord wrote:
Fri Sep 08, 2017 11:01 am
The question isn't about theft, it is about who is liable for unauthorized transfers from your accounts. What is an individual's actually liability in case of such theft.
A personal banking account will have fraud protections in place. The ones who should be really concerned as are (edit: typo fix) the ones who have business banking accounts established under their SSN, instead of establishing an EIN for the business and using that for the account. Banks do not provide fraud protection for business accounts. The businesses are expected to maintain their own insurance for such potential issues, but many small businesses or people using business accounts for rewards (but having those accounts actually hold private assets) do not have such insurance. Even major corporations with insurance can find their losses would exceed insurance coverages.

And that's also a concern for personal banking accounts. If the fraud is on a wide enough scale to exceed what the bank's fraud protection insurance can absorb, bad things can happen for all account owners, not just the ones affected by the fraud. Liquidity issues are not just caused by panicked customers making a run on the bank.
dmcmahon wrote:
Fri Sep 08, 2017 11:01 am
Mudpuppy wrote:
Fri Sep 08, 2017 10:57 am
Now let's abstract that to this breach. It includes SSNs, driver's license numbers, addresses, and so on. Now instead of a money mule with a replicated ATM card, they need money mules with fake driver's licenses (has your name, number, address, but the money mule's photo) and fake SS cards. They go to the bank and initiate a wire transfer or get a money order. They might first go for the low-hanging fruit and try calling over the phone to see if they can initiate a transfer that way, although many banks won't do phone-based wire transfers these days to avoid this sort of fraud.
Is there anything we can do to prevent this?
Short of turning off wire transfers entirely for your account, there's not much you can do to prevent it. You can detect it quickly though. Monitor your accounts closely. If they're forced to use a money order or cashier's check because you've turned off wire transfers, you might be able to catch it quickly enough to reverse it by using close monitoring.

User avatar
flamesabers
Posts: 1721
Joined: Fri Mar 03, 2017 12:05 pm
Location: Rochester, MN

Re: Equifax customer information leak

Post by flamesabers » Fri Sep 08, 2017 11:14 am

TheTimeLord wrote:
Fri Sep 08, 2017 10:56 am
sixtyforty wrote:
Fri Sep 08, 2017 10:52 am
VictoriaF wrote:
Fri Sep 08, 2017 10:07 am
The dates received from Equifax represent the order in which people have checked the site. Early birds got 9/11, today they are giving 9/14. Later we will have later dates.

Victoria
Not necessarily. I checked mine this morning and got 9/14. My wife checked 2 hours after me and got 9/13.
Did it actually say anything about if your information had been impacted because the message I got just gave me an enrollment date for TrustedID Premier where a friend's specifically said he may have been impacted and provided them an enrollment button immediately.
After I first entered my information the site told me I might have been impacted by the breach. From there I clicked on the enrollment button where it gave me the date of 9/11 to enroll in TrustedID Premier.

Locked