Tuesday, September 19, 2017

Equi-Fail!

   Or maybe we should say Equi-Fiasco!

   By now you've certainly heard about the Equifax breach including leaked social security numbers and other personal information on over 143 million people.  And there's plenty more info to come with this one as the facts continue to get uncovered.

   I certainly don't mean to be jumping on the bandwagon here.  There has already been so much coverage of this breach, but it is a big deal.  And, while I've seen a number of articles on what to do now, I haven't seen any that really cover everything you must do to protect yourself.

   Let's do that now!

   The bottom line is this... it's 2017... no one can or will protect your personal information.  You must take appropriate steps to protect yourself.  And here they are... in no particular order... the top-10 things you should do to protect your personal and financial information:
  1. If you have an account at any of the major credit bureaus, and particularly at Equifax, change your password now.  Just do it.
  2. Use long complex gibberish passwords.  Extra credit: make your passwords an odd length like 15, 17, or even 31 or 33 characters - password cracking algorithms struggle with unusual numbers.
  3. Use a password vault.  I've written about this many times.  It's time to do it!
  4. Check your credit report.  This is simple and it's free.  You are entitled to one free credit report from each of the three major credit bureaus each year.  You can order them at this official website, annualcreditreport.com.  One way to do this is to get one report every 4 months.  Here is more info from the FTC and the US Federal Government site usa.gov.
  5. Check your online accounts at any financial organizations including your bank(s) and credit cards. Make sure you have a valid email address in place for account recovery.  And... check that recovery email account.  If someone is going to use your SSN to attack you, they will go after your financial accounts.  They will try to take over those accounts by clicking the "forgot password" link and hoping you haven't set up your account recovery appropriately.
  6. Get credit monitoring.  Yes, that's exactly the information that was stolen from Equifax.  And yes, Experian had a much smaller, but similar, breach in 2015.  That said, it's still a useful service.  Each of the 3 major credit bureaus offers this service: Equifax, Experian and TransUnion.  There are also private companies that offer similar services (more on that below).
  7. Freeze your credit. A credit freeze simply prevents someone from pulling your credit report - meaning that they can't create any new accounts in your name.  Of course, it also means that you can't create any new accounts in your name! :-)  Well, you can but you'll need to pull the freeze off or create an exclusion for that new creditor.  It's easier than it sounds.  Also, most states have a set maximum cost for this, typically between $0 - $10 (to establish or remove a freeze at each credit bureau).  I won't go into detail in this post, but here are two great references on how to set up your credit freeze.
      The first of the articles does not mention the fourth credit bureau, Innovis.  Here's a link to the page to request a freeze from Innovis.  This credit bureau does not provide a full credit picture like the "big 3".  Innovis is most tightly tied to mortgages.  So a credit report from Innovis will not list your full credit picture.
  8. You can also create a fraud alert on your credit accounts.  Note that this is different than a credit freeze.  A fraud alert also "freezes" your credit account, and adds the restriction that the bureau must directly contact you via phone (often a home phone) before granting credit.  Anyone can apply for a fraud alert - it's free - but it has a maximum of 90 days. You only need to apply at one credit bureau, and they have to contact the others.  You can manually renew it every 90 days.  However, if you can document that you've been the victim of identity fraud, then you can place a fraud alert that lasts for 7 years.  Here are the details on the FTC website.
  9. Establish accounts at sites that depend upon your SSN, like the Social Security Administration (SSA) and the IRS.  The issue is that, using your SSN, an attacker can create an account in your name on the IRS or SSA websites and then receive or alter your personal information.  But not if you've already created your accounts!  I covered this at length in a previous post here.
  10. Use multi-factor authentication.  I've covered this topic many times in the past including here and here.  There was a time when this was perhaps too complicated, but not anymore.  This is something everyone should use!
   I also want to comment on Identity Fraud services like LifeLock and others.  First, these services do not prevent Identity Fraud.  They may help you go through some of the steps we've outlined above, like credit monitoring, credit freeze or fraud alerts.  But you can do those things yourself without paying an extra premium.  Perhaps the main value of these kinds of services is that if you are the victim of Identity Fraud, they will help you with the clean-up process.  I am neither for nor against these services - you just need to understand what you are buying.  I do not personally use these services - I follow the steps I've outlined above.

   That's it! :-)  Do these things and you will be in very good shape.  Do just some of them and you will still be far ahead of the crowd.

   There's an old saying that I'll adapt here... The best time to make all these changes is 2 years ago.  The second-best time is today!

   One final thought... well-known security icon Bruce Schneier wrote a great post on this breach.  You can read it here.  In it, he makes a great point - that we are not Equifax's customers.  We, or more specifically our data, are the product!  I wrote about this idea here.

1 comment:

  1. Credit freezes are now free in all states. You can read the details on Brian Krebs's security blog - https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/#more-45121
