Equifax hack, security, ransom: long post

Kentuckienne

Supporting Vendor
Oct 9, 2016
2,601
886
Middle of nowhere (kentuckianna)
Parrots
Roommates include Gus, Blue and gold macaw rescue and Coco, secondhand amazon
I was one of the people affected by the Equifax security breach. It's been a lot of work. In case anyone wants to know what to do to protect your identity, here are some suggestions.

1. Sign up for the credit monitoring and protecting services available for free right now from Equifax
2. Check the security of your email accounts - make sure you have good passwords and backup phones/email accounts.
3. Set up 2-factor authentication where possible.

How are you supposed to do all that?

Go to the site: https://www.equifaxsecurity2017.com/

The https part is important, and be sure to type the name correctly. People are already putting up phishing websites with variations on that name. Once you go there, follow the instructions - give your last name, and the last six digits of your social - and they will tell if if you are affected by the security breach. You probably were.

If they say you are affected, follow the steps to enroll in the identity protection they offer. They made the process as confusing as possible. I had to check my info first, then wait a day to come back and enroll. Once I enrolled, I had to wait for an email saying I was enrolled. Which actually does nothing unless you do the next steps.

I had to go BACK to the site, and actually sign up for the credit protection. You can get a copy of your credit report and put a freeze on your file. In theory, this means no one can issue any credit cards, approve loans, etc. unless you go and lift the freeze. They used to charge for putting the freeze on but aren't doing that right now. I signed up for all the protections I could get from Equifax, then went to TransUnion - through the link on the Equifax site - and checked my credit report there. TransUnion also lets you see your credit score, and you can sign up to have them email you any time something happens with your credit file.

You get a free credit report a year from each of the main bureaus, and I usually stagger them out to check one every four months. Right now they seem to be letting you at least look at them online for free.

That's step one!

Now: on to securing your email accounts.

Email is security for everything nowadays. You use an email address as an Apple ID, to get apps, music, etc. Many websites ask you to log in with your email address. What happens if someone hacks your email address? They can log on as you. They will do that, and not just steal but worse - lock you out of all your accounts.

Example: You log on to eBay with your AOL email. Your AOL email account has security: if someone tries to change the password from the web, they will send you an email saying "someone asked to change your password, if it was you click here". Most sites also ask you for a back-up email address, and they send the warning here.

Let's say that Evil Jim Brown bought your AOL email address and password from an online store. Yes, those exist, it's part of the dark web. EJB goes to AOL, logs on as you, and changes your password. Now he can check your email and you can't. Then he goes to eBay and logs in with your AOL info. Now he can change all sorts of stuff on your eBay account, like buy a lot of things to have shipped to a different address.

Say he goes to Amazon, and tries to log in as you. Says he forgot his Amazon password. Amazon say, OK, we'll send you a link to reset it. They send the link to the AOL account. Now EJB has the link to change your Amazon password, which might be linked to a credit card or bank account, and he can get that information too.

Evil Jim Brown goes on a hacking spree, using one piece of information to get another, and along the way he changes all the passwords he can, locking you out of your accounts. Then you get an untraceable phone call, demanding you pay a ransom in bitcoin or he'll delete everything.

It's a win-win for EJB. If he can get into an account that is associated with your bank or credit card, he can buy things with your money. If he can't spend any of your money, he can lock your accounts so you can't get to your email any more. The pictures of the grandkids? Your Flickr account? It will all be gone unless you pay up.

I told you all that to incentivize you to set up 2-step authentication for your online accounts. It's a PITA.

I have a lot of email addresses so it was a real pain for me. Some are old ones, because I changed my name a couple times, and I keep those to forward to the new addresses in case some stray email from an old friend comes in. Some are for work. Some for Wikibeaks. Since I'm the only employee of the various businesses I use additional addresses like info, help, customer service, etc. and check them all.

Luckily most of them are with Google. I logged on to one of my Google accounts, went to account settings, security checkup. Google verified my phone number by sending a text to it, then asked me to verify my back-up phone, back-up email address, shows me a list of devices that have logged on with my info, asks me some security questions and so on. Then it offers 2-factor authentication.

The way that works, is ... say I log on to my Gmail account from a new computer. I have my userID and password, so no problem. But I've turned on 2-factor authentication. So before Google logs me in, it sends a text message containing a six-digit code to my phone. (If you don't do text, it will call your phone and read you the number). I have to put that number into the box on the computer screen before Google will let me log in.

This way, if Evil JB does get my email password, he can't log in because he doesn't have my phone in his possession. My email is safe and can't be hacked.

But what if you lose your phone, or get a different number?

There are two other ways to get the 2-factor codes beside text or phone call. You can ask for back-up codes during the set-up process, and Google will give you ten codes that can each be used one time to log in. Print those and keep them somewhere safe. Also, there is an Authenticator App for iPhone and Android. To set that up, you have to download and install the app...then hold your device up to the Google screen to scan the bar code it's showing you during setup...then the app on your phone or tablet will display a six digit code, and you type that into the computer screen. Now 2-factor identification is set up. If you have to log on from a different device, you won't be able to do it unless you have access to the phone, the printed codes, or the authenticator app.

Of course you will have to then sign in again on every device, like all your computers and phones and tablets. Which is a royal PITA. But you only have to do that once, and then Google remembers that device in the future. So it's a few days of pain in exchange for rock-solid security. It's the best way you can protect yourself from so much hurt online.

I know that's a lot of technical detail, and I actually left out most of the details. The screens are pretty straightforward and will walk you through the process. If you do have any trouble or need help, just ask. I'll be glad to assist. Just don't tell me, or anybody else here, your passwords and email addresses!

It's just getting worse and worse out there. The identity thieves are very sophisticated, and there are actual marketplaces where bad guys can place orders for info for people living in particular places, with particular credit cards, income levels, etc. and there's nothing you can do about that. But if you secure your email, you have done a lot to prevent them from using the information they steal. They won't be able to change any of your passwords remotely and hold them for ransom, or steal you blind.

Please set aside some time this week to secure all your accounts. Just ask if you have questions, you can get through this.

At least go make sure you have good passwords - long ones, with a combination of upper case, lower case, numbers, characters...for example, KentuckienneWritesInfuriatinglyLongPostsAll2017! would be dang near uncrackable. But "password" or "12345678" was probably cracked last year and they just haven't done anything yet with the stuff they stole from you.
 

Kiwibird

Well-known member
Jul 12, 2012
9,538
60
Parrots
1 BFA- Kiwi. Hatch circa 98', forever home with us Dec. 08'
Great reminder to switch up the passwords on some of my accounts! Hubby is a tech guy so he takes care of our online security, but it's great to have others be informed. We are also looking into identity theft insurance through our insurance provider.

While I am signed up for credit monitoring through a third party (credit karma), I haven't even visited Equifax's website since the breech. My husband told me not to sign up for anything through Equifax about monitoring your credit or protection after the breech because once you do, you waive your right to pursue legal action or receive settlement if a class action lawsuit is brought against them or you personally suffer damages. He apparently went through and read all the fine print a day or two after the breech that you agree to before signing up for their damage control and decided not to. Plus, how trustworthy can they be to protect you now when they allowed one of the largest data breeches in history to happen?
 
OP
Kentuckienne

Kentuckienne

Supporting Vendor
Oct 9, 2016
2,601
886
Middle of nowhere (kentuckianna)
Parrots
Roommates include Gus, Blue and gold macaw rescue and Coco, secondhand amazon
  • Thread Starter
  • Thread starter
  • #3
Great reminder to switch up the passwords on some of my accounts! Hubby is a tech guy so he takes care of our online security, but it's great to have others be informed. We are also looking into identity theft insurance through our insurance provider.

While I am signed up for credit monitoring through a third party (credit karma), I haven't even visited Equifax's website since the breech. My husband told me not to sign up for anything through Equifax about monitoring your credit or protection after the breech because once you do, you waive your right to pursue legal action or receive settlement if a class action lawsuit is brought against them or you personally suffer damages. He apparently went through and read all the fine print a day or two after the breech that you agree to before signing up for their damage control and decided not to. Plus, how trustworthy can they be to protect you now when they allowed one of the largest data breeches in history to happen?
Equivalent changed their tune. Immediately after the hack, they had that you-can't-sue-us language up, but that made news headlines and they fell all over themselves taking it back and saying sorry. Then they stepped on their own...tails and linked to a fake site that someone had put up to show how easy it was to phish them!

I like the security of a credit freeze, and getting the link to Transunion was a plus.
 

SailBoat

Supporting Member
Jul 10, 2015
15,698
4,303
Western, Michigan
Parrots
DYH Amazon
Aaaa, something more to add to the needed to do yesterday list!


Question: So, why is the Cloud so safe, or is?


And, as David stated: Oh whoop, I made the list!
 
Last edited:

Aquila

New member
Nov 19, 2012
1,225
0
Philadelphia
Parrots
Sydney - Blue Front Amazon
Gonzo - Congo African Grey
Willow - Cockatiel
RIP:
Snowy, Ivy, Kiwi, Ghost - Parakeets
Berry - Cinnamon GCC
I'm not sure if I was affected by the breach since the site has been down periodically, but I've monitored my credit for a while without issue. I'm also heavily into IT stuff so I'm not really that concerned.

Jokes on them anyway, my credit is terrible!
 

Most Reactions

Latest posts

Top