International broadcast journalist, podcaster and blogger.
In light of the personal information of more than 143 million Americans being stolen in the Equifax breach, security expert Mark Nunnikhoven talks about the impact this could have on us and gives advice on what we should do right now to avoid a nightmare down the road. The repercussions of this breach aren’t limited to fraudulent use of your credit card; they can be much worse. By acting immediately, they don’t have to be.
So let’s get Charged Up! about learning how to protect our identities.
Jenny Hoff: First of all, Mark, thanks so much for joining me today.
Mark Nunnikhoven: No. Thank you for having me, Jenny. I appreciate it.
Hoff: First, tell us a little bit about your background in security.
Nunnikhoven: Sure. I’ve been in cybersecurity for quite a long time, so I’m coming up on my 20-something, but I won’t specify how many, years in the IT industry. But by training, I’m actually a forensic scientist. I’ve done a lot of network investigation, criminal cases, nation-state investigation stuff, because I used to work for the Canadian government for about 10 years.
Hoff: Wow. OK. So you have lived the life of an investigator of some sort for a long time.
Nunnikhoven: Yeah, very much so. I spent the last six years at Trend Micro, helping understand how cloud technologies are changing security and companies’ approach to security. So it’s a really exciting shift but very much the same issues.
Hoff: Yeah, I’m sure. That is what I want to talk about today, how companies are protecting our information or not protecting our information and what kind of rights and capabilities we have in that situation. Obviously, the Equifax hacking scandal is on a lot of people’s minds, especially the 143 million, I believe, whose personal information was compromised. So first off, what does it mean if we find out we are one of those people whose information was compromised?
Nunnikhoven: I think right off the bat, it’s important to say it’s 143 million US consumers with an unspecified number of people affected in the UK and in Canada. So it’s actually larger than the initial 143 million. Not that we needed to be worse but what it means with the information is compromised is Equifax has stated that your Social Security Number, your birthdate, your full name, your address, and some other contact information has been accessed by an unknown cybercriminal. So now, they have that information and the unfortunate problem here is that these are all core identity information. You are highly unlikely to change your name. You can’t change your Social Security Number. This is core identity information that is now in the hands of a criminal who can use that for malicious activities.
Hoff: All right. So it is something to be worried about, for sure. It’s not something that people think, “Well, it’s probably not going to really affect my life so I can go on with it.”
Nunnikhoven: Absolutely. So the comparison I’ve been using is when your credit card number is stolen, it’s unfortunate but you end up not being out of pocket. So you are not liable for the charges as long as you’ve taken some reasonable precautions. So basically, if you didn’t give your number away, the impact is going to be minimal. It’s annoying, don’t get me wrong. You’re going to have to get a new credit card, potentially sign an affidavit that you didn’t make those charges and of course you’re going to have to go update your Netflix account and all the other things that automatically billed your credit card. But at the end of the day, it’s going to take you a couple of days and you’ll go on your life like it never happened. With this information being stolen, there is a significantly high risk of identity theft. So the criminals who eventually end up buying this information from whomever stole it could potentially walk into a financial institution that you’ve never done business with and open accounts in your name. They’re like you in the real world and putting your reputation, your financial livelihood or your financial health at risk.
Hoff: Wow. OK. I’ve interviewed people before who used to buy these types of information about people and they used it to open accounts, buy cars, and buy houses. I mean, I’m not just taking out credit cards but actually buying huge assets and living for years off the identity of somebody else. First, I do want to get into what we can do to protect ourselves and what we can do to minimize the harm that could come to us from this. But first, I want to talk about what kind of recourses do we have? This is a situation where Equifax has your information. If you ever opened a bank account or you’ve ever had a credit card, even if you didn’t explicitly say, “Yes, Equifax, you can have my information,” they have your information. If you rent or buy a house or anything like that. What recourse do we have now with the expectation that they should have protected that information? I know you can get free credit monitoring for a year but if you do that, does that preclude you from a lawsuit? Can you talk about what you know about that?
Nunnikhoven: Yeah, for sure. Of course I’ll give you the standard disclaimer. I’m not a lawyer, thankfully. But in my experience working with companies who respond to breaches and working with people impacted by breaches, there’s a couple of things. Within Canada and the UK, for consumers, there’s very strict regulation around handling privacy information and the laws in those countries lay out the implications from a breach. In the United States, there’s actually 50 different data breach regulations and that’s around notifying, but there is a sort of a smattering of legislation that lays out what companies are required to do to protect your information. So the reality, what ends up happening within the United States is, there will be quite a few lawsuits and we’ve already seen the class actions starting to be filed. But at the end of the day, that’s not really going to do much to compensate you or to fix the core issue here, which is the fact that you’re at a very real risk of identity theft. It’s one of these scenarios here. You pointed out in the question, I think it’s really a key thing that people need to understand, is that you are not a customer of Equifax. You’ve not voluntarily provided the information to them so you are sort of dealing with the fallout of somebody else’s decision and it’s this one step removed. You chose to do business with the bank or business with the car dealership and they had to use Equifax or did use Equifax in order to verify your identity. So it is a very tricky situation for consumers as far as the larger fallout. I’m sure at this scale, we tend to see reaction, I think, from that level as well to either introduce stricter regulations or to impose penalties under some statute that they will figure out applies here.
Hoff: But at the end of the day, the person that’s going to have to deal with identity theft is you, correct?
Hoff: You have to deal with that yourself. Could you walk us through what happens when your identity is stolen, if I found out my identity has been stolen or my numbers have been stolen? First off, let’s talk about a credit freeze versus credit monitoring. Do I need to do that immediately so that they can’t go on some spree and buy stuff up off my name? What do you recommend?
Nunnikhoven: I don’t want to say advantageous, but really, we’re in a better position than most when it comes to identity theft because your identity hasn’t yet been stolen. So you’re not finding out about this a year later or a couple years later like some of the horror stories you find; we know that there is this potential and it’s very, very real, so you want to do that credit freeze. You want to contact Equifax, ironically enough, Experian, TransUnion, and Innovis. Those are the four major credit reporting bureaus. You want to put on what’s called a security freeze. Essentially what that is, is nobody can check your credit in order to take out more or to do anything downstream from that without your permission, without verifying through you.
So it’s a minor inconvenience for you if you do want to go make a major life purchase but the protection it affords is well worth the small fee that the company is most likely to charge. That’s step one. That’s the best thing you can do. The second thing, and I know this is a bit controversial given the relationship but Equifax as part of this breach is offering free credit monitoring as well as identity theft insurance service or protection service, they’re phrasing it. Now, that monitors the activity on your reports to see if there is anything anomalous. So if all of a sudden you’ve already got a car loan but somebody takes out two more or applies for a second mortgage or a third mortgage or something like that, this is the groundwork that you can do on your own but is really difficult. So as an American citizen, you’re actually entitled to one free credit report a year. Go through a government website to get that but for active monitoring against identity theft, you need to be looking constantly. So the offer of a free year service from Equifax is quite good. If you don’t want to trust them, you can sign up with either one of the other four credit regulation or monitoring bureaus. They provide very similar services. That’s just going to give you that extra peace of mind that the freeze is in fact working and then you also want to contact your financial institutions. So whoever you do regular business with, you want to let them know that this is something you’re aware of, you’ve taken the extra steps of putting a freeze on, you have monitoring in place but you want to find out what their specific guidance is for your situation, and that gives you an extra level of assurance. If something does happen, you can at least point back and say, “Look, I took every reasonable step to prevent this from happening.” You’ve got an extra level of security but also covering your rear-end in the event of the unlikely outcome of having your identity stolen after these steps.
Hoff: OK. So that’s a lot of work even at the beginning. I want to go into what happens when your identity is stolen if you don’t take these steps. But first step, you recommend a credit freeze and using a credit monitoring service. I think there’s also private companies that will offer those things for you and they’ll even help you if your identity is stolen, correct, that you can pay a little bit higher of a fee too but that’s what their job is?
Nunnikhoven: Yes, that’s correct.
Hoff: OK. So credit freeze and credit monitoring and contact the banks that you work with and make sure you let them know what you’ve done and what other recommendations do they have to make sure that you’re alerted if anything were to crop up involving your credits that you would not be comfortable with. OK. If you don’t do these things and your identity is stolen or you’ve done it and still your identity is stolen and somehow being used, what is the process like after that to restore your identity?
Nunnikhoven: I think the easiest way to describe it is a nightmare because unfortunately, now, somebody has assumed your identity. You see it in sci-fi movies every once in a while where there’s a clone and they’re like, “Who’s the right one? Which one do we go with?” That’s exactly the scenario that you’re now in. This criminal has stolen your identity and they say they’re you. They come to the bank and they’re saying, “I’m Jenny,” and you show up and you say, “Well, no. I’m Jenny.” Now it’s a she said-she said which one do they believe. It’s a lot of leg work for you. You’re going to have to provide as much evidence as you possibly can so this is old legal agreements, proof of address, other identifying documents like your passport, your birth certificate, everything you can get your hands on and you’re going to have to end up going to your financial institution, to the credit reporting bureaus, to a bunch of other people on this chain to prove that you’re you and that you didn’t take the actions that the criminal did. Now, it’s possible to get through this and people do but it’s a long and onerous path.
Hoff: Yeah. As you said, it’s a total nightmare. We’ve done stories in creditcards.com about this and it’s very frustrating because you did nothing wrong. In this situation, you weren’t even being careless with your information. It was not protected as it should have been and it was vulnerable and somebody got to that information and now it’s going to show up somewhere on the black market online and people are going to be able to buy this information and to use it against you. So that is my follow-up question. How seriously do we need to take this?
Nunnikhoven: I think absolutely, you need to take this seriously. There’s a very high risk of identity theft. The good news is the steps we outlined previously are not that difficult. So putting on a credit freeze is a couple phone calls, taking advantage of the offer from Equifax or signing up for third-party identity theft protection and credit laundering is 15-20 minutes, talking to your bank is maybe another half-hour to hour. It’s not a lot of work but it’s something that you should do very, very quickly. So if you take those steps and take them immediately, then you’ve done all that’s reasonable to protect yourself against this threat. But if you don’t do that, you’re in for weeks, months, maybe even years, of trying to get your own identity back if a criminal decides to try to steal it.
Hoff: With each of the credit bureaus, do you need to do a credit freeze or would doing it with one of them be enough?
Nunnikhoven: You need to get to each of them is my understanding, simply because depending on who’s doing the credit check, they’re going to use a bureau. So if they’re using bureau A and you only put a freeze on B, they’re going to get the results back and be able to go forward. Best case scenario, take one out of all of them.
Hoff: It costs money per month but that is a cost that you feel is worth spending?
Nunnikhoven: Yes. One of the challenges in information security in general is we always try to quantify risk and say, “Well, this is theoretically possible but how likely is it to happen?” In this case, we know for sure that criminals have their hands on this data. So we know the threat is likely because this is out there. There are criminals who have this. Well, they may have been able to get this or it is likely that somebody is going to get hacked down the road and they’ll find your security number and your name and your date of birth. We know for sure criminals have this. We know from experience looking at other thefts of data this scale, that the next step is the criminals are looking to monetize this information. The way they monetize it is to sell it to people who are then going to use it for things like identity theft.
Hoff: OK. So if you go and check and you can check on Equifax, I believe, to see if you were one of the people whose information was compromised and if you find out that you were, then you’re rest assured that that information will be sold at some point to somebody looking to do something nefarious with that information. So you need to protect yourself immediately before that takes place.
Nunnikhoven: Absolutely. And I would add to that that Equifax has updated their offer of credit protection and ID theft protection to all US consumers. So even if you aren’t impacted by this breach, you can take them up on a year’s free worth of monitoring, which can put any lingering doubts to rest after you’ve checked that you were not affected.
Hoff: OK. Great. So now we’ve talked about what you can do in this situation specifically but the truth is we do put our information out there every day, some of us, if we shop online or we sign up for things online or we do anything online that requires Social Security Numbers or credit card numbers, et cetera. In this case, it wasn’t our fault. We had nothing to do with this. In some cases, we are putting our information out there, trusting that the companies are keeping it secure but we’re voluntarily giving that information. What mistakes do people often make when it comes to digital financial transactions and trusting that their information is safe?
Nunnikhoven: Yeah. I think the first thing to be clear about is that a lot of the stuff is far more complicated than it needs to be from a user perspective. So the normal advice we give people of looking for certain clues in their browser. Looking for similar information in different places is really difficult for people who aren’t conducting these types of transactions regularly. But I think one of the biggest no-nos people have is they don’t realize that attackers are not just going to pull information from one place. So they’re going to get something like the information from this breach and they’re now going to go look at Facebook. They’re going to look through Google and search your name to build out a more complete profile.
One of the biggest ‘I can’t believe this happens regularly’ for me is the question of security questions. So if you’ve forgotten your password, you can respond to a couple of security questions and you’ll get access to a digital account that you’ve opened. The problem is the answers to these security questions are very commonly things that we share freely online. So your first school or your first teacher’s name or where you lived when you were born or whatever the case may be. This is the stuff we regularly volunteer in our Facebook profiles or on other social networks. Criminals don’t just steal one thing. They steal one thing and then they automate harvesting other sources to get more information on you. One of the techniques that they use to exploit that is then, once they know more about you, they’re going to try to do what’s called a phish. They’re going to send you an email that’s crafted to look like it’s from your bank or from your social network or your email provider and they’re going to want you to click through on that and then enter your credentials into their site, which looks exactly the same as the one you’re used to. And a lot of people just blindly trust it and go forward because it looks like a really legitimate email you would get from your bank saying you need to be worried about identity theft and we saw some weird activity, “Click here to verify that it was in fact you that made this purchase.” We all know this is a major issue with the Equifax hack so we say, “OK. That’s legitimate. I’m going to click on it.” And lo and behold, I’ve just given the attacker my banking credentials. That’s a common technique where they’re abusing the trust because they’ve built the appearance of legitimacy because you’ve given away so much information.
So you really want to be aware of where you’re giving information and who has access to that. But also anytime anyone asks for more information, you want to make sure that you’re actually giving it to the people you think you are. So in that case of “click here to enter your bank credentials,” you want to open up your own browser window and use your bookmark or manually type in your bank’s URL to go in and log in there. You don’t want to trust that link from the email because you know the attackers are trying to misdirect you.
Hoff: OK. And then when it comes to social media, little things like where on Facebook, they ask you to fill out all the schools that you went to and the jobs that you had, et cetera. Do you recommend just absolutely not putting that information out there?
Nunnikhoven: That was the original approach that a lot of security professionals took, and realistically I don’t think that’s feasible. I think people want to share. They want that connection on Facebook. I think you need to look at the flipside when somebody is asking you as a security question where was the first school or where did you get your degree or something like that, whether you have to answer that truthfully. The security question is simply making sure that your pre-registered answer is working or it matches to the answer you just gave. So if it asked you and says, “Where was your first job,” you don’t have to put your first job. You can put in your own special pass phrase or you could put in a random collection of letters and numbers that you’ve recorded somewhere else securely. I think that’s a far more realistic approach simply because it’s unlikely you’re going to have to need to use that security question whereas in a place like Facebook, entering where you’ve worked or where you went to school as you connect with other people from your past or with similar interests.
Hoff: OK. So the better thing is to just don’t answer those questions honestly, just give whatever answers you want that you will remember or that you have recorded somewhere and that way you don’t have to worry that your information is being copied from your Facebook or your Twitter account back onto the bank information they want for the security questions.
Nunnikhoven: Yeah. Absolutely. So really, it’s understanding why the security questions are being asked and there tends to be about 20 questions that are standard that applications will pick from, but understanding that all they are to do is match up answers you gave previously with new ones. So you want to secure the answers to those, the random answers you’re giving in something like a password vault where it’s encrypted on your local system or in some other secure manner. That’s a far more practical way of approaching it. That way, you’re not exposing yourself.
Hoff: All right. And what are some other ways that we can protect ourselves when we’re shopping online or when we’re going from social media to go into our bank account information. Obviously there’s nothing foolproof but when it comes to keeping sensitive information private, what are some ways that we can do that are realistic that we will actually do?
Nunnikhoven: I think one of the easiest things to understand is that you’re going to share information online. It’s a question of what can people do with that information. The easiest experience is saying if you’re going to share pictures of your children or not. Well, once it’s shared online, yes, you can restrict the access on Facebook but you’re trusting somebody with that information, and that’s not necessarily a bad thing. It’s just something you should be doing explicitly. You should understand the risks that you’re potentially opening yourself or your family up to. But the very basic security hygiene can go a long way to protect you. So you want to be using a different passphrase at every site that you join or every application you use and again, tools like a password manager really help you out there. It’s a piece of software that securely saves your passwords and you pick one complex passphrase that opens it up and it manages all your passwords. So I don’t know my Facebook password. I don’t know my Twitter password. I know my master password for my password manager and it knows those passwords. This way, if any one site is hacked, it’s isolated to that site. Nobody can use that username and password and then go log into other sites. It’s a good way to reduce the impact of an inevitable breach.
Hoff: OK. What if your computer gets stolen? Is it something that you have to worry about or you set it up so that no matter what, you always have to punch in that one password to access the others?
Nunnikhoven: Yes. That’s the way these things work by default. So anytime I pass a wave, like I go to a different window, the password manager locks. Anytime the computer is locked, the password manager locks. They’re very paranoid pieces of software, which is a good thing. Because you only have to type that one password in, you get really good at typing that passphrase very, very quickly. So it’s not nearly as burdensome as typing a different password or passphrase every site you go. But if your system is stolen and we see this far more with mobile phones, there’s a very real risk that more likely you forget your phone somewhere. These modern phones or modern Android, modern Apple phones are encrypted by default. As long as you have a strong passphrase on those as well. So ideally not a PIN. So not just numbers but an actual password or passphrase. Those are going to be secured as well if you lose them and you want to take the same precautions on your laptops.
Hoff: OK. What about just using your thumbprint. Is that good enough?
Nunnikhoven: The thumbprint is nice in the implementation of that, it’s in addition to a password. So when it can’t read your thumb properly, it’s then going to pop up and ask you for your passphrase. It’s not ideal necessarily because if you put your evil hat on, there’s a whole bunch of ways that people can get your thumbprint and activate things. But realistically, it’s a good compromise and I think that’s the reality of information security. It’s a series of pragmatic tradeoffs. You want things to be usable. You don’t want to spend a minute unlocking your phone for a five-second check of whether your Uber showed up or not. The fingerprint is a good compromise, where now, as we’re seeing from the most recent announcements from Apple, your face can be a good compromise. But really, it’s some logical awareness of where your data is, what the risk is. We saw that in the implementation for mobile phones, your ability to lock them remotely or to wipe them remotely in the event that you lost them. Both Android and Apple offer that. If you think you lost your phone, you can log into a central website with your credentials and erase the phone. So now, there is no risk even though the device is lost and while that’s unfortunate, data is safe because it’s been destroyed.
Hoff: What about saving our passwords on our computer to the different sites that we log into regularly? It’s way more convenient but is that just a really bad idea?
Nunnikhoven: It’s mixed, to be honest. I strongly prefer a third-party password manager and there’s a number of really good commercial ones as well as open source ones available. What those do is very similar to the ones that are built into your web browser but they maintain it for other applications as well and they have a little stronger security around them because they’re completely isolated from the web browser. It’s not the worst thing in the world but you are also opening yourself up to some vulnerabilities in that software, and the browser does a lot of things that are very complicated and we see a lot of vulnerabilities published for them. My recommendation would be to use a third-party standalone piece of software called a password manager.
Hoff: OK. For how long should we be monitoring our credit now after this breach? What are some signs that our information has been compromised or used badly?
Nunnikhoven: I would say that general good hygiene in today’s world is to be monitoring your credit regularly in general. As I mentioned earlier, U.S. citizens get one free report a year by the government. That’s a good thing to be doing. So an annual check. Is there anything odd on my report? How am I doing credit-wise is always a good thing to know as well. But that annual checkup, just like going to the doctor, is a good thing because then if there’s any discrepancies, you can contest them within a couple of months. Realistically, signs that your information is being used nefariously, if the criminal is really good, as far as good in the sense of effective, it can be very difficult to tell. You might not know until you go to get more credit or until you do your annual check. We see this with credit card fraud all the time. Criminals that don’t know what they’re doing will go right out of the gate and try to make a massive purchase because they’re hoping that your card hasn’t been reported stolen, but that a lot of the time will trigger a fraud alert, whereas criminals who have that nefarious aspect are going to make small little charges that nobody will really notice. Nobody notices a 20 cent charge out of place on their credit card. They just figure it was another fee from someone else down the line. But then they’ll slowly increase the value until they’ve got some confidence that they can make those larger charges. It can be very difficult but you do want to closely monitor your financial statements. You want to check to see if there’s anything out of place. And if there is, you want to report it immediately to the appropriate financial institution.
Hoff: So the answer is forever.
Hoff: Just one year isn’t enough. This information can be used in 20 years because your Social Security is not going to change. Your name is probably not going to change, and that information can be used for a long time. So that one free credit report a year helps. If you can afford to pay for a credit monitoring service, perhaps just long term, that might also be a way to ease your mind. Finally, what gets you charged up about taking action to keep your personal information private in the wake of breaches like these that can cause people a lot of anxiety?
Nunnikhoven: I think the awareness. One of the biggest challenges for security professionals is you feel like you’re screaming into the void about the risks in the digital world. I think seeing a lot of people actively concerned, actively seeking out new information about how they should handle their digital lives, that’s a really positive thing because it’s not a binary decision. It’s not a “I shouldn’t share anything” or “I should share everything.” What we need to get into the habit of doing is understanding that we have multiple digital identities, and I’m far more comfortable sharing intimate moments or reflections or photos of my family with my close circle of friends, whereas with colleagues I might share a little more, and with the general public I’ll share a different type or a different view of myself. But the fact that people are asking these questions like, “How do I properly manage myself online? How do I take some basic steps to make sure that I’m not just leaving everything public,” I think that’s really exciting. That’s definitely what gets me charged up.
Hoff: Fantastic. Mark, great conversation, great information. Thank you so much for taking the time to share your advice with us. I really hope people take this to heart. It’s annoying and it’s a nuisance but take those actions so that we don’t have to deal with really, as you said, a nightmare later on down the road. Mark, thanks so much.
Nunnikhoven: Thank you.