On June 15, the news was broken by The Oregonian of a massive hack at Oregon’s Department of Motor Vehicles, apparently leading to the theft of sensitive details about most of Oregon’s 3.5 million holders of a driver’s license or ID card. Incidents like this, along with the huge 2017 Equifax hack, give criminals cheap and easy access to key personal information that many organizations routinely use to verify our identities and screen our credit applications.
That kind of data makes it a breeze for crooks to appropriate your identity for the purpose of opening credit accounts in your name. It also makes it simple for criminals to open a bank or investment account in your name, one which they control and which could potentially be linked to your existing, legitimate accounts. Once linked, they quickly transfer out funds you might never see again.
I’ll wager more than a few HumbleDollar readers and authors, as well as folks they know, have been victims of crimes involving identity theft. Cybercrime today seems unstoppable, but the worst thing you can do is ignore the risk and hope you won’t be affected. Hope is not a plan.
My daughter, an Oregon resident, just asked me what she could do to protect her identity, money and sensitive accounts from security breaches. My response: Three simple steps can help you avoid the worst consequences of identity theft and an assortment of cybercrimes.
1. Freeze your credit reports at Equifax, Experian and TransUnion until you next need credit. It’s been nearly a decade since I froze ours at the big three credit reporting companies, after a security incident at a nonprofit where we volunteered regularly. Today, it’s simpler to both freeze and temporarily unfreeze credit files when you need access to credit. While your files are frozen, it’s much harder for someone to use your stolen identity to open a fraudulent account in your name.
2. Enable two-factor authentication (2FA) on all sensitive online accounts. This technology makes it extremely difficult for thieves to log into your account, even when they’ve guessed your password or acquired it through phishing or a big hack. There are several 2FA technologies in wide use today. Some types are more secure, but enabling any 2FA on your key accounts is far better than no 2FA at all.
The most important accounts to protect with 2FA are your Apple, Google or Microsoft ID accounts, email accounts which receive password reset links, cellular service provider accounts, and banking or investment accounts.
3. Check your bank and brokerage balances monthly, and your credit reports annually. When you suffer an identity theft crime, your chances of recovering any lost money, or reversing unauthorized credit account charges, rise a lot if you catch and report it early, as one couple learned.
Yes, if you want to improve your investment behavior, it’s best to automate your financial life, so you can ignore what Mr. Market is doing each day to your investments, as Rick Connor noted recently. Still, for security purposes, it’s wise to glance monthly at your accounts to see if there’s been a sudden, unexpected drop in your balance or some other suspicious activity. To check for fraudulent new accounts, it’s also good to review your free credit reports each year.
Thanks for the tips. It’s one of those tasks we shouldn’t have to do, but the “black” hats always seem to be steps ahead of the game. Like you, I froze my credit reports years ago. Whenever 2FA is available, I’ll set it up. I wish a few more financial companies I use would do it, but it seems to be getting better. I do check our bank account more frequently than once a month, but I keep to a monthly schedule for credit cards and investment accounts. Some of the other readers’ tips were good as well and some I hadn’t thought of before. I believe the big 3 credit reporting companies are still offering a free weekly report through the end of 2023.
These are some great tips. Having had our credit card compromised twice in the last year, I’d also add the following to protect that form of hacking/theft:
Do you have suggestions for how to use 2FA on joint accounts? And in the event of one account owner passing? And in the situation where one account owner is not as “tech savvy” as another?
While you can securely share login credentials with another user of most good password managers, for a partner who avoids technology the simpler solution might be written instructions for getting into your password manager account, which are kept at home under lock and key.
Good points and a timely reminder! Allow me to add a few more.☺
Create the SSA and IRS accounts before placing freezes.
Chex Systems needs a freeze too, as it’s also used by banks and CUs.
Put a password on your mobile voice mail box.
Add a security phrase or 2FA with wireless providers to thwart SIM swaps.
Get off of Windows 7 and 8.
Use a local, not cloud-based, password manager such as KeePass.
Establish a passphrase with close family to stop A.I. voice mimicking ransom attacks. For example, “My door is a jar” or “My mom is a car.”
Treat ALL phone calls, emails and text messages from the Treasury, SSA, IRS or FBI as frauds.
I have read that KeePass is technically difficult to set up and maintain. Can you recommend another local based manager or would they all be similar?
I’ll let our HD KeePass users address this. I have one friend who’s a fan and said it was some work to set up but we’ve not discussed specifics.
If you use a good cloud-based password manager, you can reduce your risk with a very long master password (ideally a memorable passphrase) and with 2FA in the password manager.
One can also block electronic access to one’s Social Security information by contacting the SSA, and use the Identity Protection PIN Opt In Program with the IRS. Filing tax returns early also diminishes risk of fraudulent returns.
David, thanks for this—very helpful and important.
Another easy step I like: enable an email alert any time there is a charge to your credit cards.
I’d never thought about using 2FA with email accounts which receive password reset links. I can see how it makes sense but I log into and out of my email countless times a day so the hassle factor would be significant. But maybe I’m missing something….
2FA with email is most useful in preventing someone from adding your account settings to a mobile or desktop mail client or logging in for the first time from an unfamiliar browser. That avoids a 2FA prompt every time you check mail. When you apply a browser update you may see another 2FA prompt.
Eventually industry standard passkeys will give us a more secure solution with less hassle, but those will take years for broad adoption.
Thanks for some very useful ideas or reminders for all of us!
David, the possibility of ID theft is one of those ever-present low-level tensions in my brain. You’ve been good to give regular reminders to us to be smart about protecting ourselves. Thanks.