by Dave Moore, CISSP
10/08/2023
Last week, I discussed how private information customers gave to certain Oklahoma banks, including MidFirst and Bank of America, was stolen by Internet criminals. Information given to almost every college and university in the State was also stolen, including name, date of birth, address, phone number, contact information, Social Security number, student ID number, “other information” and “certain school-related records.”
This creates a full-on bona fide identity theft crisis that cannot be minimized or ignored. Hundreds of businesses, government institutions and schools across the USA have had the personally identifiable information (PII) of millions of their customers stolen. The bad guys have already used this information to steal tons of money, and are set to steal a whole lot more.
My recommendation from last week: close accounts at known compromised institutions. The bad guys already have your information for that institution; it may only be a matter of time before they decide to use it. If your car suddenly burst into flames and burned to the ground, all on its own, would you buy that same car, again? Setup new accounts at institutions that are not affected by the MOVEIt hack.
Possibly the most critical piece of PII stolen is the Social Security Number. An SSN allows an Internet crook to easily build a profile on a victim, and start setting up phony accounts in the victim’s name, while at the same time making themselves the beneficiaries of those accounts. These accounts can include checking and credit card accounts, “store” accounts (like Lowes, WalMart, Home Depot, etc.), car loans, mortgages, and the list goes on and on. This is an identity theft road I have been down with clients before, and trust me, this is not a road you wish to travel.
The first line of defense you absolutely must setup is a freeze (not a “lock”) on your accounts at all four major credit reporting bureaus; yes, there are four, not three. The four major credit bureaus are Equifax, TransUnion, Experian and Innovis. Making sure you have locks in place at all four bureaus will go a long way in preventing the bad guys from setting up phony financial accounts. You will also notify all four bureaus you are an identity theft victim, which, if you got a letter from your bank or any other institution alerting you they had been affected by the MOVEIt breach, you are.
First, order and download credit reports. There is one, and only one official place on the Internet to get free credit reports, and that’s at annualcreditreport.com. Click the “Request your free credit reports” button, and get to work. They only cover Equifax, TransUnion and Experian, but that’s OK. Do this at least once a month to see if the bad guys are trying to mess with you.
Visit Equifax at equifax.com/personal/credit-report-services/credit-freeze/ and click the “Place a security freeze” button. Fill out the form and follow the instructions. Then, visit equifax.com/personal/credit-report-services/credit-fraud-alerts/ and click the “Place an alert” button to create a Fraud Alert. Again, fill out the form and follow the instructions.
Click the “Add a freeze” button at transunion.com/credit-freeze and do the same thing. The TransUnion freeze process will also let you place a Fraud Alert.
Next stop is experian.com/freeze/center.html to click “Create a free account” to implement the freeze, and then visit www.experian.com/fraud/center.html to set the fraud alert.
Finally, fill out the form at innovis.com/securityFreeze/index to setup an Innovis credit freeze. Visit innovis.com/fraudActiveDutyAlerts/index to get the fraud alert going.
Next week: placing fraud and identity theft alerts with government agencies.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org