Several stories here have highlighted the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. This post examines some of the key places where everyone should plant their virtual flags.
As KrebsOnSecurity observed back in 2018, many people — particularly older folks — proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. From that story:
“The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.”
“The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.”
In short, although you may not be required to create online accounts to manage your affairs at your ISP, the U.S. Postal Service, the credit bureaus or the Social Security Administration, it’s a good idea to do so for several reasons.
Most importantly, the majority of the entities I’ll discuss here allow just one registrant per person/customer. Thus, even if you have no intention of using that account, establishing one will be far easier than trying to dislodge an impostor who gets there first using your identity data and an email address they control.
Also, the cost of planting your flag is virtually nil apart from your investment of time. In contrast, failing to plant one’s flag can allow ne’er-do-wells to create a great deal of mischief for you, whether it be misdirecting your service or benefits elsewhere, or canceling them altogether.
Before we dive into the list, a couple of important caveats. Adding multi-factor authentication (MFA) at these various providers (where available) and/or establishing a customer-specific personal identification number (PIN) also can help secure online access. For those who can’t be convinced to use a password manager, even writing down all of the account details and passwords on a slip of paper can be helpful, provided the document is secured in a safe place.
Perhaps the most important place to enable MFA is with your email accounts. Armed with access to your inbox, thieves can then reset the password for any other service or account that is tied to that email address.
People who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.
Secondly, guard the security of your mobile phone account as best you can (doing so might just save your life). The passwords for countless online services can be reset merely by entering a one-time code sent via text message to the phone number on file for the customer’s account.
And thanks to the increasing prevalence of a crime known as SIM swapping, thieves may be able to upend your personal and financial life simply by tricking someone at your mobile service provider into diverting your calls and texts to a device they control.
Most mobile providers offer customers the option of placing a PIN or secret passphrase on their accounts to lessen the likelihood of such attacks succeeding, but these protections also usually fail when the attackers are social engineering some $12-an-hour employee at a mobile phone store.
Your best option is to reduce your overall reliance on your phone number for added authentication at any online service. Many sites now offer MFA options that are app-based and not tied to your mobile service, and this is your best option for MFA wherever possible.
YOUR CREDIT FILES
First and foremost, all U.S. residents should ensure they have accounts set up online at the three major credit bureaus — Equifax, Experian and Trans Union.
It’s important to remember that the questions these bureaus will ask to verify your identity are not terribly difficult for thieves to answer or guess just by referencing public records and/or perhaps your postings on social media.
You will need accounts at these bureaus if you wish to freeze your credit file. KrebsOnSecurity has for many years urged all readers to do just that, because freezing your file is the best way to prevent identity thieves from opening new lines of credit in your name. Parents and guardians also can now freeze the files of their dependents for free.
For more on what a freeze entails and how to place or thaw one, please see this post. Beyond the big three bureaus, Innovis is a distant fourth bureau that some entities use to check consumer creditworthiness. Fortunately, filing a freeze with Innovis likewise is free and relatively painless.
It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers who are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.
If you placed a freeze on your file at the major bureaus more than a few years ago but haven’t revisited the bureaus’ sites lately, it might be wise to do that soon. Following its epic 2017 data breach, Equifax reconfigured its systems to invalidate the freeze PINs it previously relied upon to unfreeze a file, effectively allowing anyone to bypass that PIN if they can glean a few personal details about you. Experian’s site also has undermined the security of the freeze PIN.
I mentioned planting your flag at the credit bureaus first because if you plan to freeze your credit files, it may be wise to do so after you have planted your flag at all the other places listed in this story. That’s because these other places may try to check your identity records at one or more of the bureaus, and having a freeze in place may interfere with that account creation.
YOUR FINANCIAL INSTITUTIONS
I can’t tell you how many times people have proudly told me they don’t bank online, and prefer to manage all of their accounts the old-fashioned way. I always respond that while this is totally okay, you still need to establish an online account for your financial providers, because if you don’t, someone may do it for you.
This goes doubly for any retirement and pension plans you may have. It’s a good idea for people with older relatives to help those individuals set up and manage online identities for their various accounts — even if those relatives never intend to access any of the accounts online.
This process is doubly important for parents and relatives who have just lost a spouse. When someone passes away, there’s often an obituary in the paper that offers a great deal of information about the deceased and any surviving family members, and identity thieves love to mine this information.
YOUR GOVERNMENT
Whether you’re approaching retirement, middle-aged or just starting out in your career, you should establish an account online at the U.S. Social Security Administration. Maybe you don’t believe Social Security money will actually still be there when you retire, but chances are you’re nevertheless paying into the system now. Either way, the plant-your-flag rules still apply.
Ditto for the Internal Revenue Service. A few years back, ID thieves who specialize in perpetrating tax refund fraud were massively registering people at the IRS’s website to download key data from their prior years’ tax transcripts. While the IRS has improved its taxpayer validation and security measures since then, it’s a good idea to mark your territory here as well.
The same goes for your state’s Department of Motor Vehicles (DMV), which maintains an alarming amount of information about you whether you have an online account there or not. Because the DMV also is the place that typically issues state driver’s licenses, you really don’t want to mess around with the possibility that someone could register as you, change your physical address on file, and obtain a new license in your name.
Last but certainly not least, you should create an account for your household at the U.S. Postal Service’s Web site. Having someone divert your mail or delay delivery of it for however long they like is not a fun experience.
Also, the USPS has this nifty service called Informed Delivery, which lets residents view scanned images of all incoming mail prior to delivery. In 2018, the U.S. Secret Service warned that identity thieves have been abusing Informed Delivery to let them know when residents are about to receive credit cards or notices of new lines of credit opened in their names. Do yourself a favor and create an Informed Delivery account as well. Note that multiple occupants of the same street address can each have their own accounts.
YOUR HOME
Online accounts coupled with the strongest multi-factor authentication available also are important for any services that provide you with telephone, television and Internet access.
Strange as it may sound, plenty of people who receive all of these services in a bundle from one ISP do not have accounts online to manage their service. This is dangerous because if thieves can establish an account on your behalf, they can then divert calls intended for you to their own phones.
My original Plant Your Flag piece in 2018 told the story of an older Florida man who had pricey jewelry bought in his name after fraudsters created an online account at his ISP and diverted calls to his home phone number so they could intercept calls from his bank seeking to verify the transactions.
If you own a home, chances are you also have an account at one or more local utility providers, such as power and water companies. If you don’t already have an account at these places, create one and secure access to it with a strong password and any other access controls available.
These frequently monopolistic companies traditionally have poor to non-existent fraud controls, even though they effectively operate as mini credit bureaus. Bear in mind that possession of one or more of your utility bills is often sufficient documentation to establish proof of identity. As a result, such records are highly sought-after by identity thieves.
Another common way that ID thieves establish new lines of credit is by opening a mobile phone account in a target’s name. A little-known entity that many mobile providers turn to for validating new mobile accounts is the National Consumer Telecommunications and Utilities Exchange, or nctue.com. Happily, the NCTUE allows consumers to place a freeze on their file by calling their 800-number, 1-866-349-5355. For more information on the NCTUE, see this page.
Have I missed any important items? Please sound off in the comments below.
Thank you for keeping everyone informed.
Here are a few more to consider:
401(k) account, brokerage accounts, utility accounts (especially mobile phone accounts), and any other crucial accounts.
A new one offered by many Clerk of Courts nationwide – register for a free property fraud alert. Register your name and versions of your name in the county or counties where you own property. If there is a change to official public records, you are notified. Great tool to monitor for property fraud/theft.
On many of the government websites, you cannot create an online account if you have a credit freeze in place. I have not planted my flag on these sites due to the belief that if I can’t create the account due to the credit freeze, neither can the crooks. Is this a false sense of security?
It’s a soft credit pull so you shouldn’t need to unfreeze. I just set up an account with Social Security and my credit freezes weren’t an issue.
That’s not what the Social Security site says: “You cannot create a my Social Security account online if you have a fraud alert on your credit report. You first must ask our Identity Services Provider to remove the alert.”
Source: https://faq.ssa.gov/en-US/Topic/article/KA-02711
Fraud Alert is when you have had identity theft on your credit profile not when you freeze your credit profile. Not sure how the IRS/SSA handles frozen account, but it is not the same as a Fraud Alert.
That would seem peculiar, since a credit freeze is the more “extreme” option. When criminals misused my information, I was told to use either a “lightweight” fraud alert or the more serious credit freeze. I opted for the former and found that I cannot create an SSA account. If I can still create such an account with a credit freeze in place, what good is the credit freeze to me? I have no credit cards or bank accounts anyway.
Credit freeze and fraud alert are two different things. A freeze stops most places accessing your details. A fraud alert sets a flag so that anyone who accesses your details is warned that someone may be trying to open a false account. In other words a freeze is mostly a preventative measure, a fraud alert is a post event measure.
Correct. And the real difference is while entities are supposed to honor your request to verify your permission to open a new line of credit if you have a fraud alert, they aren’t required to do so. A freeze takes that decision out of their hands and puts it in yours.
Andrew is right. I recently created an account with SSA, with no concern with my requested credit freeze.
I’ll have to try this again!
I tried this early last year and the SSA website would not let me create the account.
A few hours on hold after calling SSA and the agent said that my credit checks were frozen and preventing the process.
I thought that was good enough.
I then checked my online account with Experian and saw only the DOJ was successful (clearance screening). The SSA credit pull failed.
Update: I went to SSA.gov and I found that I could create an account even though all my credit is frozen (The four major credit bureaus).
I only had to answer the verification questions.
Like many big websites, not all of the pages are up to date. They may claim they check, but obviously they don’t now.
While they used to do a check, they must have quit doing so. More and more people are freezing their credit. They probably got tired of the phone calls to see what’s up. The website did not tell you why the verification failed.
Thanks for another great and informative post.
What about all those ex-pats who’ve been living outside the USA for years or even decades and don’t make regular trips back to the States? Should they be concerned?
Yes. We should be.
I fully expect that someone is abusing some of my information somewhere/somehow.
Heck, they could probably still abuse the information of people who have died until that information propagates thoroughly.
They also abuse the information of children…
What about Lexis Nexis?
I would have included credit card accounts, even if you still pay with a personal check when you have a paper statement sent by US mail to your home address.
Another great article that I forwarded to my family members.
I found that the California DMV had canceled all online accounts in February, so I recreated my account.
I also had trouble at irs.gov, so I started the process of re-establishing that account.
My ISP cox.net STILL doesn’t offer two-factor authentication on their online accounts.
I use KeepassXC on Linux for my password manager. Works great on my Linux laptop and 10 year-old Dell media computer.
Keep up the good work. I will happily send you another donation for next year in December.
login.gov is used for some US government services.
I get the impression it’s intended as a unified login for government services. IRS and Social Security don’t use it, but Homeland Security switched from their own internal system for TSA PreCheck/Global Entry accounts.
Equifax actually does the right thing when you create an account; you can see your report, score, history, and set up account freezes.
Experian just dies on any browser after attempting to create an account.
Trans Union appears to have multiple high cost products you can sign up for to see your report etc. Perhaps there’s a small print free signup, but it’s not easily visible.
Glad you mentioned USPS Informed Delivery.
AnnualCreditReport.com is where you’d go to get your free reports:
https://www.annualcreditreport.com/index.action
On TransUnions site, you can login to perform a freeze/unfreeze here:
https://service.transunion.com/dss/login.page?PLACE_CTA=TransUnion:PHP:Login
Not sure why Brian did not provide links for all the bureaus nor for the IRS.
People from other countries need the relevant information for these.
I appreciate this article a lot, and thus I think “this list” needs to fan out accordingly.
Also, I think that one shouldn’t necessarily give out real information. My mother’s maiden name could also be “guKei2oh” (from pwgen). As long as my document trail allows me to recover it at the relevant moment, this could vastly improve the decoupling of the different account security questions. After all, password reuse is strongly discouraged, isn’t it?
Agree – never provide truthful answers to these silly questions.
I have an app that periodically requires I answer one of the questions and yeah, its a pain to look up the answer but not as painful as someone else gaining access!
Can you please update your article with the actual links to the services mentioned? Just saying “you should establish an account online at the U.S. Social Security Administration” doesn’t help if one doesn’t know where to go to create an account at the US SSA.
Sure. Here’s the SSA link to mySocialSecurity: https://www.ssa.gov/myaccount/
Thank you Krebs, but is it possible to update the links for all the sources please? Here’s another example, each of the credit bureaus offer their fluffy stuffs to “sell” you, I wish the link goes straight to the one where you have a right to obtain without any additional charges.
Yes, I’ve done that, thanks.
I’m uncomfortable letting Chrome’s password manager do password management for me. That’s besides the disadvantage when using another browser.
Look up the instructions online to turn password saving off in any browser you are using. The “vault” that they keep the password in is not secure, and not encrypted either; or at least it wasn’t last I checked. It just isn’t worth it, when a password manager, that is also free, can do it for you, and cannot be compromised unless you have key-logger malware on your device, recording your master password.
A good file cleaner can delete these passwords from the vault if you close all browsers and run the cleaner. I am only familiar with CCleaner, but I recommend getting an installation file from around 2015, because the new app has changed for the worse since Avast bought out Piriform. Some people recommend BleachBit, but I really don’t know its full capability yet.
I would never ever use Chrome for that. Zero trust. Burned.
New ones for me were USPS and NCTUE. Went 1/2, though, in setting up an account for the former and instituting a freeze for the latter.
1. USPS. Didn’t work the first two times, but weirdly did on the third. The first two times I received two different reasons why they couldn’t create my account each time. The first time, the USPS site said it wasn’t working (i.e. site issues). The second time, it said my address wasn’t eligible for the service, although it had said it was on a previous screen. Even weirder, on the second attempt it said the username I was attempting to create was no longer available even though my first attempt to set up an account failed and the username had been available then (at least according to the site). On the third attempt, though, it allowed me to create an account and went through some voodoo internal process to determine if I was eligible to verify my identity with a OTP to mobile phone, which I was. No idea how they made that determination, but glad to have (finally!) finished the process.
I have had questionable service and poor experiences with my local Post Office, and it seems that extends to anything at the national level as well.
2. NCTUE. You cannot place a freeze if you don’t have a record, which I didn’t. Once I gave up on the web form, I had a great experience with the support center rep, who was very cordial, professional, and explained why he couldn’t help me (i.e. I don’t have a report, although I likely should have based on the potential reasons for my not having one).
NCTUE freeze site:
https://www.exchangeservicecenter.com/freeze/#/
Guess who has been working to get rid of the United States Postal Service and has been for years and years?
All the funding cuts have an effect, just like in any other large organization.
I’d add Credit Karma to this list
Yes, the step directly before freezing your credit.
I am waiting for MFA to get the kind of exposure that it deserves.
We have 1099’s that are victims of phishing attacks that would ***mostly*** not happen were they to apply MFA on personal email accounts…
Alas – the Great Wall of Culture manages to get in the way of this and the business refuses to embrace this as a policy.
Sorry to interfere with a USA problem.
Why is it still so easy to make so much harm with just a social security number?
I don’t think you have the equivalent in Europe.
It reminds me of the problem with credit cards; we have had chips on them for 30+ years.
Is it not just because improving all this is very expensive?
Because there is no way to sue banks, gov… for doing nothing?
Thanks, just trying to understand.
All stores and banks are fully converted to Chip-N-Pin in my area, and I live in the sticks (USA); but problems still exist because if a merchant doesn’t have the chip reader then the mag stripe is still accepted and is still on the cards. So that is where a lot of compromises happen in the US that I know of. The US has such a large economy that converting was very expensive and is allowed to continue at a snail pace until it is complete – which it will someday in the not far off future – at that time maybe they will finally ban mag stripes, and the readers will be gone – but in my area, where I shop, I only see chip readers now – gas stations may be an exception though.
Guess who has been trying to get rid of the U.S. Social Security system and has been at it since it was created under President Franklin Delano Roosevelt in the 1930s?
Do you think it’s an accident Trump has attempted to ram through a first step towards undermining it, by proposing the payroll tax cut, which is designed to fund the social security benefits?
It won’t succeed, but that’s the mentality. In other words, anything that causes chaos in that kind of system, or weakens it, whether or not it is actually engineered by the opponents themselves, is then cited as evidence the system is flawed!
See also: “It is just a Ponzi scheme,” another line of attack that is practically incoherent, but deployed anyway.
It has all the classic earmarks of a Ponzi scheme. With the falling birthrate it will grow even more difficult to maintain the facade of viability.
…don’t forget e-verify…
…many employers use that pre-employment to make sure you’re a “documented” person…
Yeah, except planting your flag at e-verify doesn’t prevent someone else from doing the same (or at least it didn’t as of a few weeks ago):
https://krebsonsecurity.com/2020/07/e-verifys-ssn-lock-is-nothing-of-the-sort/
…yes, but if you lock your info then it can’t be verified by someone else unless it’s unlocked…
…multiple records is still an issue – but maybe dhs will fix that soonish…
Just checked the three main credit bureaus. Trans Union is unbelievably difficult. After an hour I now have accounts on all three. Only one offered a pin. None offered MFA (beyond SMS). How is it 2020 and these sites are so bad?
Went to my state’s DMV site. Does not require a password. You simply enter certain pieces of personal information and you can change addresses etc. It’s pathetic. Here it is 2020 and these people still are not taking data security seriously. Won’t say which state it is but frankly the entire state’s data security is horrific.
I’ve tried to enroll in USPS Informed Delivery, but I found the process very confusing. I have a verified identity, so no one can steal my identity and monitor my mail. I am still not sure, however, that I can monitor my own mail delivery, due to the circular application process which alternately tells me I am enrolled and then not enrolled. I tried the USPS chat service but was informed no one was available — at all. Welcome to Trumpworld.
I would recommend that everyone try and enroll anyway, since it will prevent others from monitoring your mail, and you will be able, if you successfully enroll, to monitor the arrival of your mail-in ballot. What a mess.
…on the other hand, if you get registration to work, the daily Informed Delivery is nice to see what’s coming that day. Those of us that have rural boxes or post office boxes like that feature…
Very much so!
Mr. Krebs/fellow educated readers, regarding bank accounts, what would you consider to be the minimum security features a bank should be offering its customers. My mom’s bank doesn’t even offer 2FA. Any suggestions?
Ask your banker what online security features they offer and which they recommend you implement (i.e. withdrawal alerts, 2FA). At a minimum you should have those two.
Thanks Jobani. That’s what I figured. Thanks very much for confirming that for me.
This is so depressing. So many places to give our data to, so they won’t let someone else impersonate us, but we are providing everything they need to do so. One of these gets hacked (Equifax) and all sense of security about jumping though all these man made hoops crashes. And how many more will there be?
I appreciate all your advice, always great information. But it’s too much to expect most people or even 5% to do all this Plant Your Flag stuff. It’s so depressing. I don’t want to play human anymore.
The Consumer Financial Protection Bureau publishes a yearly “List of Consumer Reporting Companies.” This list features dozens of companies which create reports used to make informed decisions about providing you with credit, employment, residential rental housing, insurance, and in other decision-making situations. Some companies allow you to place a security freeze.
You may access the latest CFPB list here: https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-companies-list.pdf
Thank you for this. I have been looking for this. I think I’m covered, except the DMV. I don’t think the Michigan DMV has a portal, but I’ll look into it.
I set up my USPS account for informed delivery. Problem is that it is address (not name) centric — the daily email I get shows photos of ALL the mail pieces delivered to my address.
Reply to self for clarification: “all the mail pieces” = for all family members / anyone who had this address in the past.
My bad — delete “anyone who has this address in the past”.
Another site to plant a flag: id.me
It can be used by the Veterans Administration and Social Security Administration without creating accounts at those sites.
I have freezes everywhere but Innovis and ChexSystems. I noticed the following statement on the ChexSystems website:
YOU SHOULD BE AWARE THAT USING A SECURITY FREEZE TO CONTROL ACCESS TO THE PERSONAL AND FINANCIAL INFORMATION IN YOUR CONSUMER REPORT MAY DELAY, INTERFERE WITH, OR PROHIBIT THE TIMELY APPROVAL OF ANY SUBSEQUENT REQUEST OR APPLICATION YOU MAKE REGARDING A NEW LOAN, CREDIT, MORTGAGE, INSURANCE, GOVERNMENT SERVICES OR PAYMENTS, RENTAL HOUSING, EMPLOYMENT, INVESTMENT, LICENSE, CELLULAR PHONE, UTILITIES, DIGITAL SIGNATURE, INTERNET CREDIT CARD TRANSACTION, OR OTHER SERVICES, INCLUDING AN EXTENSION OF CREDIT AT POINT OF SALE.
I’m specifically concerned about these transactions with a freeze:
1) digital signatures
2) internet credit card transactions
3) extensions of credit at point of sale
Does anyone have experience with a ChexSystems freeze? Does it indeed block these three transactions?
A freeze has no impact on existing accounts, including any lines of credit you may already have open. If you have a freeze in place and wish to open a new line of credit — say at a department store — you will need to thaw the freeze or lift it entirely. Thawing is fairly easy, and you can specify the date(s) of the thaw, which can be anything from 24 hours to longer. But yes, having a freeze in place necessarily limits your ability to instantly sign up for credit on a whim. That’s kind of the whole point.
I’m not aware of a freeze impacting any kind of digital signatures, whatever that refers to.
I don’t know how you do it, but another timely piece. Right on and informative. Good work. And, more places to look for information online. Instead of consolidating defendable positions, we seem to be spreading it to lower our defenses. And the changes are not sent to the consumer? Interesting. And a shame really. But, cutting the doldrums of August, what better to do: set up your defenses again, or go to the beach while you can?
Super interesting information. It’s always a good idea to protect yourself online.
I’ve used CreditKarma for a couple of years now. I get both my Transunion and Equifax scores from it.
I also have credit freezes on both my Transunion and Equifax accounts. Somehow, CreditKarma is able to get my updated scores regardless of my freeze being in place. This seems to be a backdoor to me.
Similarly, I have a freeze in place at Experian. I get my Experian FICO score using my AMEX app. However, the AMEX app is unable to get my updated score unless I first unfreeze at Experian.
I could be wrong, but it doesn’t seem to me that providing FICO scores through your credit card company is a back door around a freeze because it can’t be used to open a line of credit. It’s personal information you don’t want accessed, sure, (and maybe some crazy cybersecurity breach vector, no idea) but it’s not an avenue for ID theft, which is what the freeze protects.
I went to create an account for my 18 yo son on SSA, and it won’t let me because he has no credit history. huh???? I actually called them up to confirm this was the case – it is.