12 Aug 20

Why & Where You Should Plant Your Flag

Several stories here have highlighted the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. This post examines some of the key places where everyone should plant their virtual flags.

As KrebsOnSecurity observed back in 2018, many people — particularly older folks — proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. From that story:

“The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.”

“The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.”

In short, although you may not be required to create online accounts to manage your affairs at your ISP, the U.S. Postal Service, the credit bureaus or the Social Security Administration, it’s a good idea to do so for several reasons.

Most importantly, the majority of the entities I’ll discuss here allow just one registrant per person/customer. Thus, even if you have no intention of using that account, establishing one will be far easier than trying to dislodge an impostor who gets there first using your identity data and an email address they control.

Also, the cost of planting your flag is virtually nil apart from your investment of time. In contrast, failing to plant one’s flag can allow ne’er-do-wells to create a great deal of mischief for you, whether it be misdirecting your service or benefits elsewhere, or canceling them altogether.

Before we dive into the list, a couple of important caveats. Adding multi-factor authentication (MFA) at these various providers (where available) and/or establishing a customer-specific personal identification number (PIN) also can help secure online access. For those who can’t be convinced to use a password manager, even writing down all of the account details and passwords on a slip of paper can be helpful, provided the document is secured in a safe place.

Perhaps the most important place to enable MFA is with your email accounts. Armed with access to your inbox, thieves can then reset the password for any other service or account that is tied to that email address.

People who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.

Secondly, guard the security of your mobile phone account as best you can (doing so might just save your life). The passwords for countless online services can be reset merely by entering a one-time code sent via text message to the phone number on file for the customer’s account.

And thanks to the increasing prevalence of a crime known as SIM swapping, thieves may be able to upend your personal and financial life simply by tricking someone at your mobile service provider into diverting your calls and texts to a device they control.

Most mobile providers offer customers the option of placing a PIN or secret passphrase on their accounts to lessen the likelihood of such attacks succeeding, but these protections also usually fail when the attackers are social engineering some $12-an-hour employee at a mobile phone store.

Your best option is to reduce your overall reliance on your phone number for added authentication at any online service. Many sites now offer MFA options that are app-based and not tied to your mobile service, and this is your best option for MFA wherever possible.

YOUR CREDIT FILES

First and foremost, all U.S. residents should ensure they have accounts set up online at the three major credit bureaus — Equifax, Experian and TransUnion.

It’s important to remember that the questions these bureaus will ask to verify your identity are not terribly difficult for thieves to answer or guess just by referencing public records and/or perhaps your postings on social media.

You will need accounts at these bureaus if you wish to freeze your credit file. KrebsOnSecurity has for many years urged all readers to do just that, because freezing your file is the best way to prevent identity thieves from opening new lines of credit in your name. Parents and guardians also can now freeze the files of their dependents for free.

For more on what a freeze entails and how to place or thaw one, please see this post. Beyond the big three bureaus, Innovis is a distant fourth bureau that some entities use to check consumer creditworthiness. Fortunately, filing a freeze with Innovis likewise is free and relatively painless.

It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers who are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.

If you placed a freeze on your file at the major bureaus more than a few years ago but haven’t revisited the bureaus’ sites lately, it might be wise to do that soon. Following its epic 2017 data breach, Equifax reconfigured its systems to invalidate the freeze PINs it previously relied upon to unfreeze a file, effectively allowing anyone to bypass that PIN if they can glean a few personal details about you. Experian’s site also has undermined the security of the freeze PIN.

I mentioned planting your flag at the credit bureaus first because if you plan to freeze your credit files, it may be wise to do so after you have planted your flag at all the other places listed in this story. That’s because these other places may try to check your identity records at one or more of the bureaus, and having a freeze in place may interfere with that account creation.

YOUR FINANCIAL INSTITUTIONS

I can’t tell you how many times people have proudly told me they don’t bank online, and prefer to manage all of their accounts the old fashioned way. I always respond that while this is totally okay, you still need to establish an online account for your financial providers because if you don’t someone may do it for you.

This goes doubly for any retirement and pension plans you may have. It’s a good idea for people with older relatives to help those individuals set up and manage online identities for their various accounts — even if those relatives never intend to access any of the accounts online.

This process is doubly important for parents and relatives who have just lost a spouse. When someone passes away, there’s often an obituary in the paper that offers a great deal of information about the deceased and any surviving family members, and identity thieves love to mine this information.

YOUR GOVERNMENT

Whether you’re approaching retirement, middle-aged or just starting out in your career, you should establish an account online at the U.S. Social Security Administration. Maybe you don’t believe Social Security money will actually still be there when you retire, but chances are you’re nevertheless paying into the system now. Either way, the plant-your-flag rules still apply.

Ditto for the Internal Revenue Service. A few years back, ID thieves who specialize in perpetrating tax refund fraud were massively registering people at the IRS’s website to download key data from their prior years’ tax transcripts. While the IRS has improved its taxpayer validation and security measures since then, it’s a good idea to mark your territory here as well.

The same goes for your state’s Department of Motor Vehicles (DMV), which maintains an alarming amount of information about you whether you have an online account there or not. Because the DMV also is the place that typically issues state driver’s licenses, you really don’t want to mess around with the possibility that someone could register as you, change your physical address on file, and obtain a new license in your name.

Last but certainly not least, you should create an account for your household at the U.S. Postal Service’s Web site. Having someone divert your mail or delay delivery of it for however long they like is not a fun experience.

Also, the USPS has this nifty service called Informed Delivery, which lets residents view scanned images of all incoming mail prior to delivery. In 2018, the U.S. Secret Service warned that identity thieves have been abusing Informed Delivery to let them know when residents are about to receive credit cards or notices of new lines of credit opened in their names. Do yourself a favor and create an Informed Delivery account as well. Note that multiple occupants of the same street address can each have their own accounts.

YOUR HOME

Online accounts coupled with the strongest multi-factor authentication available also are important for any services that provide you with telephone, television and Internet access.

Strange as it may sound, plenty of people who receive all of these services in a bundle from one ISP do not have accounts online to manage their service. This is dangerous because if thieves can establish an account on your behalf, they can then divert calls intended for you to their own phones.

My original Plant Your Flag piece in 2018 told the story of an older Florida man who had pricey jewelry bought in his name after fraudsters created an online account at his ISP and diverted calls to his home phone number so they could intercept calls from his bank seeking to verify the transactions.

If you own a home, chances are you also have an account at one or more local utility providers, such as power and water companies. If you don’t already have an account at these places, create one and secure access to it with a strong password and any other access controls available.

These frequently monopolistic companies traditionally have poor to non-existent fraud controls, even though they effectively operate as mini credit bureaus. Bear in mind that possession of one or more of your utility bills is often sufficient documentation to establish proof of identity. As a result, such records are highly sought-after by identity thieves.

Another common way that ID thieves establish new lines of credit is by opening a mobile phone account in a target’s name. A little-known entity that many mobile providers turn to for validating new mobile accounts is the National Consumer Telecommunications and Utilities Exchange, or nctue.com. Happily, the NCTUE allows consumers to place a freeze on their file by calling their 800-number, 1-866-349-5355. For more information on the NCTUE, see this page.

Have I missed any important items? Please sound off in the comments below.


122 comments

  1. I tried to sign my 18 yo son up for an SSA account; but it would not let me because he has no credit file. I called and was told the same thing. Not sure how this makes sense. So I have to get him a credit card to create an SSA account???

    • You may need to go in person to your local SS office. It’s a pain, but I wasn’t able to make an account online because I had freezes with all of the credit bureaus, and it seems they use that to authenticate. I visited my local SS office and they helped me with the process. They also have a help page at https://faq.ssa.gov/en-us/Topic/article/KA-01699

      I hope this helps! Good luck!

  2. This is great stuff. While I had freezes at all the places you mention, I did not have accounts at the credit bureaus.

    One you might add is state Departments of Revenue. At least in Georgia, I was able to create one.

  3. “these protections also usually fail when the attackers are social engineering some $12-an-hour employee at a mobile phone store.”

    Salary is not equal to intellect. I worked at a shop where the $50 an hour payroll manager gave away executive salaries to a phishing scam that asked him to alter the direct deposit to a Walmart account. He did this twice and gave away 70 thousand dollars. Salary does not equate to intelligence.

    • That was more of a comment on the reality that while mobile store employees typically don’t make much money, they have a good deal of power to ruin your financial and personal life, and are susceptible to bribes or other forms of coercion by SIM swappers. This is not an uncommon occurrence by the way.

      • I agree completely. For the amount of power / responsibility they have, they are sadly underpaid and under trained.

    • I can top them both.

      Our HR manager emailed a spreadsheet containing the full information of every US employee – 1500 people – to an AOL address.

      This, despite knowing the CEO for many years and knowing that he loathes email from any provider, avoids it all like the plague and barely even uses his corporate account.

      So now I automatically submit IRS Form 14039 with my taxes every year.

  4. Warning: Make sure pop-up blockers are disabled *before* you visit the NCTUE freeze website. NCTUE delivers the PDF containing your freeze PIN through a pop-up. Without it, you can’t unfreeze your report.

    • I found that out the hard way. Had to mail in a request for a new PIN. I hope they respond.

      • Same here. I didn’t have Adobe Acrobat installed, by the time I loaded it I’d timed-out on their website. Hence, no PIN accessible to me. Now submitting written request and identity documents via US mail to get PIN. Time consuming, but better safe.

  5. This is great stuff. While I had freezes at all the places you mention, I did not have accounts at the credit bureaus. Really like this post.

  6. What about social sites? Facebook? I have never signed up for nor use Facebook – I wonder if it would be a good idea to at least create an account? Brian?

    • So personally I wouldn’t worry as much about Facebook or social media sites, for a few reasons.

      The first reason is that if someone creates a Facebook account using your details, they don’t then get access to more information about you by doing so – which they do if they make, for example, a tax account in your name and then download your previous returns.

      The second is that although Facebook’s rule is “one account per person”, they can’t really enforce that. The biggest risk of someone making a Facebook account in your name is probably that they will add your friends and loved ones, and then scam them by pretending to be you. But even if you make your own account and add everyone you know, that doesn’t stop anyone from making another account in your name, and if they use the same photo etc then most people aren’t going to realise the difference.

  7. Great article. Could you create a summary/bullet list with each place and their website so people could grind through them all easily?

  8. Brian, I’m a big fan, been following you for years. I took your advice a few years back and froze all of my Credit agency accounts. The pain came when I tried to get cable (Cox), and rent an apartment in Virginia. No one could see anything. (yes, I unlocked the accounts), first a temp unlock and then a permanent unlock. Any ideas? Have you heard of this before?

    • I’ve never heard of that. Basically, if you have a freeze on your file, the best thing to do *before* you go to set up new cable, utility or whatever, is to thaw the account. Preferably 24H before you need to use it. And maybe for a day or a few days afterwards. You can sometimes learn from the company in question which bureau they use and only thaw for that bureau alone. The main issue is there may be a lag time between when you apply for whatever you’re seeking and when they check your credit.

      The freeze is very good at blocking any kind of credit checks. Because of that, it requires people who freeze their files to plan ahead a bit. It may help also if you communicate to whoever you know wants to check your file that your credit is frozen and that you will thaw it on request.

  9. One of the problems of MFA that I have NEVER seen documented is that when you back up your phone (in my case an iPhone), your Google Authenticator and associated data is NOT (Repeat NOT) backed up.

    So when your phone dies and you dutifully restore your (encrypted) backup, all your MFA data is gone. And it’s a bastard to recover all that.

    It stopped me using MFA until there is a good, recoverable solution available.

    • Here are two ways around this problem:
      1. Use Authy rather than Google Authenticator. Authy lets you store an encrypted backup on their server. It works on tablets, and they also have a PC version (Windows, Mac, or Linux). Using your phone number (and a setting on the phone app to “Allow Multi-Device”, which I immediately disabled afterward), and your backup password, you can get a copy running on multiple devices.
      2. When you first set up TOTP at a site, there is a QR code and an alternative (manual) code. (Some sites make you click on a link to expose the latter.) Print out that code and/or store it in a password file. (NOT the same file as your passwords!) The codes are all you need to recover from a lost/dead phone. Unfortunately, there’s no way I’m aware of to get the code after setting up a site. I realized this after setting up a few; had to disable and re-enable them to get/store the code.

      I’ve never seen (2) clearly explained either. I guessed that this was the case and tried it out by adding a new site using one of my existing codes and comparing to the original. The timed codes were identical. I also repeated the experiment, intentionally entering the wrong site name when prompted for the logo/name, to see if those mattered for the code. They don’t.

      • The majority of services also generate backup codes when you set up MFA, which you should store somewhere safe (and recoverable/offline) as they will allow you to log back in and disable/re-setup MFA if you lose access to your token.

        But yeah, also, just use Authy and set it up on all your devices so you can access it wherever you are.

    • Don’t use Google Authenticator, use LastPass Authenticator which uses the same OTP algorithm as Google Authenticator. It’s available for iPhone, Android, Windows. It backs up the codes to the cloud. So if your phone craters, is lost or stolen or replaced, you can easily recover by adding the app to your new phone and entering your LastPass password.

      You could also screen print the initial QR code to set up later, but too much hassle to most.

      https://lastpass.com/auth/

    • I feel your pain.

      I have 21 entries in my Google Authenticator.

      The best cover is to print backup code(s) for each account. I store them in a safe.

      Each site with 2FA I’ve seen, and I’ve seen a lot of my own plus my IT clients’ sites, displays backup codes.

      I NEVER save them on the computer but print them.

      Also, some sites like gmail let you have multiple methods of 2-step verification, e.g., Google Authenticator, the Google app (but it’s known to track you a lot so I’d stay away from it), a YUBI USB key (highly recommended but they cost $30-$50; don’t use Google’s crappy USB key found to suck), PAPER BACKUP CODES, and multiple phone numbers if you want.

      Ideally, don’t use any phone number, but you better still have THREE or more methods for 2FA (e.g., paper backup codes, Google Authenticator, Yubi key). No phone number, no SIM card attack, no cell store bribery.

      To be more practical, you can use a phone number.

      You can even add your or a relative’s LAND LINE number and specify voice to get a call with an automated voice reading your temp code.

      SUMMARY
      – have a minimum of three 2FA methods (Google Authenticator, USB Yubi key, paper backup codes); if you lose access to two, you’ve still got one!

      – ideally, don’t use a phone number

      – if you must use a phone number, consider a landline

      – if you must use your cell number, at least put a “passcode” on your cell account so in-store or phone tech support must hear you say this passcode to help you; that way even if an ID thief walks into a mobile phone store with fake IDs, you should be protected, though I don’t know if bribery can bypass this.

      PAPER BACKUP CODES ARE A BIG DEAL.

      • I have a landline for a number of reasons, as well as a cell phone. I use the landline number for authentication since most accounts I only access from home. Admittedly it’s a little clunky to use, but it works.

    • @Graham,

      LastPass Authenticator can emulate Google Authenticator, MS Authenticator, etc. and also backs up to the cloud. So if your smartphone is lost, stolen, upgraded, etc. you can simply install the app on your new phone, log in and all the OTP for each site are synched/replicated onto your new phone(s). I think it’s still free. I switched from Google & MS Authenticators some time ago and have used it for several years without an issue on multiple phones. Check it out.

      https://lastpass.com/auth/

    • Authy backs up your MFA tokens. I dumped Google Authenticator for Authy for this reason.

    • Buy a ‘burner phone’ at Target or Walmart and use it for MFA instead of your smartphone. The primary reason for doing so is in case your smartphone gets stolen, the thief cannot use your MFA settings to hack into your accounts.

  10. I had a poor credit status about 3 weeks ago and I was really frustrated because I needed to buy a house for my family but could not get approved for a loan. I was referred to [SECRETACCESS99@GMAIL.COM] by my loan officer and to my surprise my credit was improved to excellent in 1 week. ACETEAM all the, DEBTS, EVICTION, REPOSSESSIONS, SCHOOL LOANS etc, and increased my score up to 800. You can also call if you need your credit fixed.

    • Wow, so all you had to do was send your Full name, City and State of birth, home address, phone numbers, SSN, DOB, CC numbers and you were fixed up?

  11. So, as per your statement: “Note that multiple occupants of the same street address can each have their own accounts.” If that’s true, then what difference does it make if one signs up for Informed Delivery or not? Some guy in Russia could sign up for my address’ Informed Delivery in San Bernardino…they can’t prove you aren’t living there, and so if multiple people can sign up for the same address, doesn’t it mean that, as usual, the Post Office’s system is dangerously exposed?

    • When I tried to sign up for USPS Informed Delivery® a year or so ago I was not able to sign up online. Instead I had to print out an application form with a bar code and physically take it to the PO and show my DL as ID for verification. I don’t specifically remember if I had already frozen my credit bureau accounts before then, but very likely had and didn’t want to pay the $10 to unfreeze (now free). So in the end it was a good thing, because the barrier to entry will be too high for others to gain access.

      Only problem was the first clueless postal clerk that claimed ignorance of such a program, even though there were about six posters and info cards on the counter within arm’s reach of where he was standing, which I pointed to. In any case I was helped by one informed clerk who had to go retrieve their portable POS (Point of Sale) barcode scanner to complete the enrollment process. She was very cheerful and helpful.

      So now I get an email of front scans of inbound mail almost daily around 9AM of today’s snail mail. About 10% of the time the email contains no images with some type of excuse, but no explanation. (late mail?) Another 10% of the time the mail does not show up that day, but within a day or two thereafter. If you have mail stolen from your mailbox, which happened to a relative, it’s useful to know what was taken.

      P.S. Don’t worry about the Russians so much, more the Chinese. They’ve been tracking all of us for as long as technically possible, e.g. free smartphone flashlight apps sent info back to China before that was included as part of the standard operating systems. Now perhaps TikTok & Zoom.

  12. Thank you Brian. As always, solid advice. I will be sharing this URL on my Facebook page as well as with my neighbors.

  13. The burden of protecting harvested data should lie with those who choose to put that data out there, i.e., put the data at risk.

    The idea that Jane Doe Public, age irrelevant, can predict the next moves the bad guys are going to make is unrealistic. Not even the cyber professionals can predict the next breach. If that were true, we wouldn’t be here discussing it.

    Example: Equifax put my data at risk without my permission. During the forty-plus years I operated an ag trucking company not once did my banker rely on an Equifax report. In fact, the only time Equifax was ever mentioned was when he called me to tell me my file had been merged with another one. The other person’s file had a totally different address, name spelling, and social security number, but yet the files had been merged. That person also had a great deal of debt in the collection stage. ‘Aha!’, I said, ‘that explains why I am getting a bill from a health spa 250 miles away.’ I still got the go ahead to buy whatever piece of equipment it was that I was buying at the time. Many months later, after wasting way too much of my valuable time trying to fix the Equifax screw-up, I passed the info on to my state’s attorney general. One phone call from that office and Equifax fixed the mess in my file.

    If these agencies, and the big entities that believe they are invaluable to the consumer, cannot guarantee they are going to protect our data, they have no business putting it out there.

    • I agree with Kim. The companies that create this problem by permitting significant financial transactions without properly vetting the customer should be required to provide restitution in full, and pay significant punitive damages (perhaps $100,000 per party per case). When large companies are forced into bankruptcy through bad data practices, they will stop.

  14. Excellent advice. I would add three things:
    1. Wherever possible with accounts that allow MFA, instruct the company that all requests to change or disable MFA on your account must be made in writing and be accompanied by a notarized copy of your driver’s license.
    2. Most of the major cellular carriers will allow you to specify that all changes to your account must be made in person and show 2 forms of ID.
    3. Never use your primary email addresses as logins. I believe we are past the time when unique passwords are sufficient. I have created a unique email address for each online account I have.

  15. It does not appear to be possible to “plant your flag” at Transunion without paying $30/month.

    • Since a law a couple of years ago, it should be free to place a credit freeze at all three bureaus. Transunion would certainly try to push you to buy some other services as well, but I believe this FAQ page makes it clear the freeze is free: https://www.transunion.com/credit-freeze#faqs

      • Ah, but that’s not what we’re talking about here. I do have the freeze in place with Transunion. But the subject is “planting the flag”: getting a userid and password at a site to prevent malefactors from preempting your ability to do so. And I haven’t found a way to do that (other than for the very limited purpose of placing/lifting a freeze) at Transunion without paying.

    • Larry: It is free. You are on the paid site is all. Try the above link.

      I will note this about Transunion – not impressed with their authentication. Five years ago I froze my account at Transunion, per Brian. Forgot I had an account created – so I created a new one. No problems. Site asked me for the typical stuff – address, SSN, etc. The only verification though was three innocuous security questions from my file. No challenge. No enter your old password or PIN. Not impressed.

  16. Brian:

    Thanks for taking the time to pull all of this together.

    Fortunately, everything you listed I’ve done as I’ve followed your site for years.

    That said, I never itemized it all on one place myself.

    Having this is VERY helpful when assisting others in this endeavor.

    Keep up the GREAT work.

  17. The best way I know how to establish credit for someone is to go to a legitimate loan company and ask to borrow $100 – 300 using another person to cosign. After getting the loan (don’t spend the money) pay it back plus the interest just after 30 days. Do this 2-3 times and you will have established a nice credit record.

  18. The headline should be fixed (it says “Why & Where You Should You Plant Your Flag”, seems should be such as “Why & Where You Should Plant Your Flag”).

    I only posted because I didn’t see that anyone else posted that, but I only hastily looked through the comments, apologies if redundant.

  19. The problem I have with MFA is that it totally stops my aged father from accessing his own accounts, and I do not live close enough to him to assist all the time. He’s fine with a username and password, though they are woefully insecure, but add in a third factor that has to be done in a timely manner and it is a no go. For that matter, I found the same thing with younger employees in our office. They all refused to use MFA and they also use very insecure passwords. If I make MFA not optional I have to troubleshoot a bunch of logins every day. I saw a statistic somewhere that 50% of help desk support calls are for password resets.

  20. Different way of thinking, create em before they do it for you. I like it.

  21. Just filled out the NCTUE freeze report with my current address, it froze my account, and the printed confirmation gave the address of my parent who died many years ago. WTF? How to fix this, I wonder?

  22. When I established my security freezes back in 2017, Equifax did not require an account. Now they do, so I just set one up. I entered all of the required data, including my cell phone number, and received (a) a verification pass-code sent to my phone, and (b) an e-mail indicating that my account had been established.

    The next day I tried to log into my Equifax account, but repeatedly got the following error message: “We are temporarily unable to complete this request. Please try again later.” There was no further explanation, and the next day I got the same message. Thinking that I might have entered an incorrect password, I tried using account recovery, but it produced the same error message.

    I e-mailed Equifax about this, but received no response. So, I ended up calling Equifax. The representative told me that my phone number was not recorded, and that was preventing me from logging into my account (this despite the fact that Equifax had previously sent a verification code to that very phone). She entered my phone number into my account, and from that point on, I was able to gain access.

  23. Hey Brian, this is really amazing content, the idea of presentation and the topic that you chose is really awesome. I have been following you for a long time. With the name Dpboss we are working in an industry where the process of the betting industry is changed.

  24. Are there classes or trustworthy people who can walk seniors through all this flag planting? Seniors w/o tech sense need this the most but have no idea where to start.

  25. Definitely important even for business branding with online profiles.

  26. This may seem silly, but they only want a cell number for authentication and where I live we do not have cell service. I have a cell phone but would have to drive ten minutes to use it. Sites don’t offer workarounds, to my knowledge.

    • Most sites will let you use a Google Voice number if they insist on SMS as their “multifactor” (keep in mind that SMS is not really a secure second factor, but…).

      If you have a US based phone number, you can sign up to get a free Google Voice number.

      SMSs to Google Voice can be retrieved via Email / Web (which I presume you can access from your cellular-inhibited location).

      Note: some services are somewhat flaky wrt sending SMS messages to Google Voice numbers, so this isn’t necessarily a great approach. I have one bank where I’m basically able to log in 1 day out of 4 because of this. (My bank isn’t US based, but I’m pretty sure it’s more of a property of their SMS->Google Voice bridge than a generic SMS->US number bridge — although I could be wrong. This is within the North American Numbering Plan…)

  27. Hey Brian, this is really amazing content; the idea of presentation and the topic that you chose are really awesome. I have been following you for a long time. With the name Indian we are working on an industry where the process of the betting industry is changed.

  28. While I agree with some of this — the credit freezes, primarily — I consider this post to be a form of fear-mongering. And advice based on fear is not advice; it’s more like panic.

    My two biggest concerns in regards to having my data held online are 1) the security and privacy of those systems, and, 2) the ability of the humans within that organization to not fall prey to social engineering.

    When I say “security and privacy,” I’m referring less to what the entity claims, and more to their public-facing, actual architecture. The entity almost always touts how secure and private its systems are. I believe these assertions to be largely overblown. And when I say “social engineering,” I mean both training regarding and actual testing of the humans in this regard. Again, I believe these things are not happening with any consistency, and/or with the assistance of an outside organization that is both trustworthy and capable.

    A third concern is that how I define “security” or “privacy” probably differs from how the entity in question defines those words. Yes, a so-called “security policy” or “privacy policy” can provide some insight. But are these entities really doing what they claim to be doing, and in a meaningful, verifiable and legitimate way?

    And beyond even these three points is the reality that data on one site is usually shared with one or more “third parties” or “partners.” How many times have we been witness to these entities failing to secure our data? I believe this very blog has made multiple reports of such incidents.

    Further, as far as I know this article didn’t even delve into how people typically are very lax when it comes to “doing security.” I mean, the vast majority of people nowadays carry around with them so much of their personal, banking, etc. information in a desirable little package that is easy to spot, often gets left behind somewhere, and is usually transmitting/receiving wireless signals all of the time.

    This all reminds me of when Angelina Jolie had a double mastectomy, in part because she had the gene for breast cancer. Just to ensure she’d never get breast cancer, she had her breasts removed. Oh yeah…she won’t let cancer steal her breasts! Maybe she should have had other body parts removed so she could ensure she’d never get those cancers, too.

    Fear-mongering, perhaps at its worst.

    With all due respect to Mr. Krebs, I won’t be following these recommendations. I consider the chance of any one person’s online data getting hijacked, or having someone impersonate them in the creation of a new online account, to be pretty slim. And so I won’t be putting out MORE personal information online just on the off chance that someone will somehow in some way grab my personal data and do it for me.

  29. I don’t think creating an account at Experian mitigates the vulnerability with their freeze PINs, unless you sign up for their paid monitoring service. Even with a registered account, Experian still uses the PIN (without being logged in) to unfreeze credit reports.

  30. While the task is onerous and the terms are unnerving, some accounts include activity notifications which are well worth the effort. When fraud occurs, a quick response greatly reduces the damage. Our Federal and credit agencies could do a lot more here. Thanks for this resource!