Speaker, Author, Consultant, Fraud Examiner

This last week, AT&T notified 73 million of its current customers of a cyber-attack where personal information was found on the dark web. 65.4 million former account holders were also affected. That’s one in five Americans….

Here is what was breached:

  • Social Security Numbers
  • Four-digit PINs
  • Perhaps full names, email addresses, mailing addresses, phone numbers, dates of birth, and AT&T account numbers.

If you were affected, you should have been notified already by AT&T. As a long time AT&T customer, I received an email on Saturday that my information was included in the breach. They assured me that they had launched a “robust” investigation.

Cyber security breaches seem to be the norm these days. How greatly it affects us personally sometimes depends on how seriously we take these possibilities. And let’s be honest, most of our full names, email addresses, mailing addresses, phone numbers and dates of birth already existed on the dark web, before this breach. If you do not believe it, it is certainly easy enough to verify yourself.

But my alarm was raised when they stated what was positively breached were social security numbers. With the ease of identity theft, and my background knowledge and work experience with a major credit bureau, my credit has been locked down for years.

AT&T could change the four-digit PINs, but they cannot do anything regarding your personal social security number. With the social security number, date of birth, full name and full address in hand, the potential for identity theft is exorbitant.

Here are four common sense implementations for your practice, as well as you personally.

LOCK CREDIT BUREAUS.

You should do this immediately, regardless of whether you are or have been an AT&T customer. There are three primary credit bureaus: Experian, Equifax and TransUnion. Each credit bureau has its own website. If you do not already have a profile generated with the bureau, use the links I provided to freeze your credit.

The excuse I hear most often regarding freezing credit is the same excuse I hear when I see large amounts of money in a big box bank with no potential interest earning: “I just haven’t got around to it.”

Recovering from identity theft losses consumes time as well as mental and emotional energy. When someone steals an identity, credit cards can be charged monumental amounts, bank account funds drained, houses purchased, exotic vacations taken, and so much more. In each of these examples I have known someone who had their identity stolen. And the one common factor was they did not have their credit locked.

I learned about the house identity theft years ago, when my Mom was in ICU; the victim was her doctor’s partner. He got a phone call from the title company in a city 948 miles away about whether he was going to be able to make the closing the following week. That was the first clue, he said, that he knew his identity had been stolen. He had no idea how his personal information had been breached, and I talked to him then about locking his credit. That was fourteen years ago.

Last year, I saw him again. He is a well-known cardiologist in the area and for being such a smart man, he squeamishly told me that the same thing had happened again. I was stunned. But then I followed it up with my usual question, “Have you kept your credit locked?” I am sure you can guess his answer without me actually writing it here.

His face showed how energy-sapping the time had been as he recounted what he had to do to recover his identity that time. It was much more cumbersome than the first.

Scrambling to close accounts and open new accounts, having cash stolen, filing with the credit bureaus about negative lender ratings, purchase power being remanded because of credit negativity. The Federal Trade Commission (FTC) estimates six months (200 hours) of work to recover from identity theft. Six months vs. a few minutes of credit locking.

When your identity is stolen, you have to prove to the defrauded lenders that you are not responsible for the debt that occurred. That is a process.

A couple of years ago, I bought a leather couch. I love taking advantage of 0% interest offers, paying a set amount monthly. That way, my savings account continues to earn interest. And typically, when calculating the monthly amount, I take the months provided, subtract a month, then divide by the months to get what I want deducted monthly, paying it off a month early, as a safety net. The furniture store was offering an in-house 0% interest plan. They needed my social security number to process the credit app. By the way, I never write my social security number down ever, on anything. I do not control what happens to the paper after I have given it.  I verbally gave her that information as she keyed it into the terminal.

I asked what bureau the store was processing the application through. She replied and I told her to wait a second. I pulled up the bureau on my phone, logged in, unlocked my credit, then told her to proceed. I was approved then I relocked my credit. All that was done while I was standing there, and it was so easy.

If needed, you can also set a specific period of time to lift a credit freeze, in case you are shopping for a car, for instance. Having frozen your credit does not mean you will never have fraudulent credit card charges. You will still need to monitor your charges diligently and in a timely manner.

As a side note, please also consider having this discussion with the elderly in your family. They may be stubborn and not understand the necessity, but locking down their credit prevents new, unneeded credit cards from being opened in their name.

Please protect your social security information and lock your credit. It is a gift you will give your business as owners, a gift you will give your family, but most of all, a gift you will give yourself by caring for yourself.

STRONG PASSWORDS.

I am often amazed at how easy some passwords are when working with clients. ALL financial institution logins and passwords must be complicated – your bank, your credit cards, your merchant card services, your outside services, your insurance companies, your online products – EVERYTHING.

Yes, they are often more difficult to remember. I use a password vault for all my passwords, and I highly recommend Keeper or Bitwarden. Here are a few suggestions for creating the passwords:

  • Never ever use dictionary words. Why? Because passwords built from dictionary words are the least difficult for dictionary-based password breaking programs to break.
  • Never use names (family or pet) or birthdays or anniversaries, even if that is the only way you can remember your anniversary! Why? For the same reason as above.
  • If the requirement is 10-20 characters, maximize the characters and use 20. Most users will stop at 10 because that is the minimum required. I never want to create a minimum requirement for any financial institutions or anything that I want protected. Minimum effort to protect my hard earned business revenue and my hard earned wages is destined for failure.
  • Use a wide variety of what is available. Pay attention to the directions of the site. If the site states you may use the following characters, use the following characters, along with upper and lower case letters and numbers.
  • Do not forget to save the new passwords in your password vault. This is an amazing feature that eliminates the necessity of remembering every single password. Side note: be sure to leave the password vault’s password with your other financial records and will. In case something were to happen to you, then your loved ones will be able to take care of your financial concerns without added stress. More about this in a future blog post.

Password cracking compromises user passwords. Once in, hackers can do anything they want to do because they have free rein. The very harsh reality is you may institute complicated passwords and still be hacked, but at least you did what you needed to do. It was not because of something you did not do.

TWO FACTOR AUTHENTICATION. 

Though more often considered an exterior buttock’s pain, the two-factor authentication now being embraced by financial institutions helps protect against unwanted intrusion. The two-factor authentication is activated when someone logs in from a different IP address than in the past. It recognizes it as a potential threat and will text the account owner with a passcode, which then must be entered into the website page.

Did you know that Facebook has two factor authentication? I strongly recommend implementing the two-factor authentication whenever it is available. It is available to keep your protected information protected.

EMAILS FROM AT&T.

I do not know if this has happened yet, but I would imagine some creative hacker will start sending emails that look like they are from AT&T about the breach. Something that looks truly authentic with a click here for more information on how your information was compromised.

One security site I researched stated that 82% of all data breaches come down to avoidable human errors – like easily guessable passwords and other poor security practices. NEVER EVER click on an email link, even if it looks authentic.

Most email providers have well established spam controls, but you must still be hypervigilant. With most phishing emails, if you move the mouse pointer over the “link,” the link address will be shown, sometimes at the bottom of the window. But the best precaution is to delete that email, open a browser window, enter the URL of the “alleged” email sender, and see if there are any messages. Better yet, pick up the phone and call. Most of the valid entities want to know of any phishing activity with their name on it.

Summary.

Sometimes we can chalk up negative experiences to not knowing what we do not know. In the early days of passwords, this was truer. But now, now it is different. We are aware of the potential cost and yet will have a variety of excuses to not take action. Actually, that is sadly true of any task avoidance that crosses our paths.

Do not avoid this one. Please take action. There is too much to risk. Get ‘er done.