A three-step process to put your financial info on lockdown. Cover your bases on all forms of financial information theft, for the long term.
It’s been just under a week since Equifax casually mentioned it had allowed hackers to view a potential 143 million individuals’ sensitive financial information, including social security numbers. We talked about potential remedies in last week’s post, The Equifax Breach And What You Need To Do About It. However, the Equifax breach is only one example of a myriad of ways hackers can worm their way into your life and take money out of your pockets. The Equifax debacle seems like a good reminder to take inventory of our general approach to financial information protection, and we’ll cover that today.
There are a few major ways that hackers attempt to take your money.
- Open new accounts in your name. To do this, they need access to your social security number. Sometimes they need other forms of identification, but you can often open credit cards online with as little as the SS# and a matching address on file.
- Use Your Credit Cards. To do this, they need your credit card number. Sometimes they need the CVV number on the back, though not always.
- Transfer Money From Your Bank and Brokerage Accounts. To do this, they must have your login information. Most banks will require two-factor authentication, meaning they must also have access to either your email or a phone number attached to the account.
As you think about those strategies, it quickly becomes apparent where your weak points are. The information they need can be gained either from you, or the people you have given the information to such as restaurants, stores, and credit bureaus. While you can’t control how carefully outside vendors treat your data, your strategy for protection can involve shoring up your personal defenses so you are not accidentally divulging key information to unsavory characters, and carefully monitoring indicators available to you such as your credit report and credit card statements to determine whether a vendor has been negligent in doing the same.
Freeze Your Credit And Check It Annually
Freezing your credit will make it very difficult for anyone to open new accounts in your name, even if they have your social security number. A credit freeze prevents any new vendors from being able to access your credit. Existing vendors will still be able to access your credit. It’s unclear to me whether a hacker could open a Chase credit card if you already had a different Chase credit card open, making Chase a vendor who can still access your credit during a credit freeze.
For this reason, I would still recommend checking your credit report annually via one of the three free reports you are authorized by law to view each year at the official multi-agency site. The freeze will prevent most attempts from achieving success, and your annual monitoring will catch the very unlikely scenario in which somehow an unauthorized account sneaks through.
To freeze your credit, you will have to approach each of the three major credit agencies directly. There is a fee, usually about $10, to freeze your account at each agency. In light of the Equifax breach, Equifax is waiving its freeze fee for the next 30 days. When you freeze your account, you are given a PIN. To thaw your account, it takes just one phone call, but you must have your PIN. Thawing may require an additional fee to the tune of $10, but that depends on what state you are in and what agency you are thawing with. The thawing process takes just a few minutes, but Equifax’s site recommends you give yourself 3 days before you need vendors to be able to access your credit, as some states have specific procedures for a thaw.
For highly sensitive requests requiring your social security number, I always recommend visiting the site directly rather than clicking a third party link. For this reason, I will not include the link here and encourage you to visit each agency’s site directly to get started.
Quick Tips: Multiple folks are reporting that it has been a pain to try and implement a credit freeze right now. All three agencies’ systems are overloaded. You may want to try again in a week’s time. Equifax is currently waiving its fee to freeze for the next 30 days. And for those who have a mortgage or other item for which they will need their credit reports soon, consider placing a free 90-day fraud alert with the agencies for now and then freezing once your transaction is complete.
Set Up An Expense Monitoring Dashboard
One of the quieter pieces of news in the Equifax breach was that the hackers absconded with the credit card numbers of more than 200,000 people. Freezing your credit won’t do much good when these guys are buying Gucci bags on the credit card you legitimately opened yourself. The credit card companies have sophisticated fraud alert systems in place, but it’s scary how sophisticated some fraudsters are.
Gone are the days when someone takes your credit card and stupidly starts charging up a storm of multi-hundred dollar Rolexes online, triggering every fraud alert at your credit card company.
Hackers will often do a test purchase to test the waters. They may purchase from the same place you do – say, Amazon – and send your shipment to a completely random address, then wait a few weeks to see if any issues crop up or if you report an unauthorized charge on the card. Scammers may even send mystery packages to your address, testing whether you are at home regularly or whether they may be able to send someone physically to pick up fraudulently charged packages at your address, as was hypothesized to be the motive in this victim’s case. In short, it means you will want to do your part as well.
What can you do to keep your finances on lockdown?
You can set up a single pane of glass from which to review all your credit card charges each month. This way, you will be able to pick up unrecognized charges immediately and take action.
The system can be anything you want. You can walk through your mailed paper statements. You can build yourself a spreadsheet. I personally like to use a free service called Personal Capital for both net worth and expense tracking. (More on how I use the service over here.)
The visualizations and drill-downs it provides are perfect for fraud monitoring but also for expense optimization, which is also important to the FIRE goal. With Personal Capital, I can home in on a problem spending category or compare the trend in my spending month over month and note lifestyle inflation creeping in as well as where it’s coming from. Your monthly monitoring thus kills two birds with one stone: not only does it allow you to catch fraudsters early, but it also gives you regular feedback to get ahead in your FIRE goals and snowball your nest egg.
I’m a big believer in making monitoring as frictionless as possible. If I had to gather statements manually for all my accounts by hand every month, odds are I’d find myself skipping more months than not. I might even fall off the wagon completely after a month or two. For me, a technologically-enabled solution is perfect.
Of course, you will have to determine whether you are comfortable with another vendor holding on to some of your information. My accounts all have two-factor authentication, as yours probably do. That means even if someone somehow hacked the company’s vaults and pulled that information, they would need access to your email or phone number in order to truly gain access. It would also be pretty quick to spot in your monthly check-ins (thank goodness you now have a regular monitoring system, right?). The way I think about it, I am adding one vendor to the dozens I’ve probably shared information with (i.e. e-commerce companies I’ve purchased from) for the much more important task of monitoring potential issues that could cost me hundreds or thousands of dollars, and I’m doing it with a vendor who manages billions of dollars in assets and has invested heavily in security.
Obviously this is not a guarantee of safety, but the safest way to protect ourselves is to never go out in the world, have credit cards, or purchase from and share our information with any vendor, ever. All else is a calculated risk.
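If you would rather go the build-it-yourself route than hand your logins to another vendor, here is an added example (not part of the original post) of a monthly reconciliation in Python: it compares a card statement export against your own purchase log and flags anything you can't account for, including a small charge at a merchant you really do use. The CSV column names, merchants and amounts are constructed for illustration; real bank exports vary.

```python
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed sample data: a card statement export and your own purchase log.
STATEMENT_CSV = """date,merchant,amount
2017-09-02,AMAZON,23.99
2017-09-05,GROCERY MART,81.40
2017-09-09,AMAZON,4.17
2017-09-14,COFFEE HUT,3.50
2017-09-20,WATCH OUTLET,412.00
"""
PURCHASE_LOG_CSV = """date,merchant,amount
2017-09-01,AMAZON,23.99
2017-09-05,GROCERY MART,81.40
2017-09-13,COFFEE HUT,3.50
"""

def load(text):
    """Parse CSV text into (date, MERCHANT, Decimal amount) tuples."""
    return [(date.fromisoformat(r["date"]), r["merchant"].strip().upper(),
             Decimal(r["amount"]))
            for r in csv.DictReader(io.StringIO(text))]

def unmatched_charges(statement, log, window_days=3):
    """Return statement charges with no matching purchase-log entry.

    A match needs the same merchant and amount, posted within window_days
    of the logged purchase. Each log entry is consumed once, so a duplicate
    charge is flagged too.
    """
    remaining = list(log)
    known_merchants = {merchant for _, merchant, _ in log}
    flagged = []
    for day, merchant, amount in statement:
        match = next((p for p in remaining
                      if p[1] == merchant and p[2] == amount
                      and abs((day - p[0]).days) <= window_days), None)
        if match:
            remaining.remove(match)
            continue
        reason = ("known merchant, unrecognized charge"
                  if merchant in known_merchants else "new merchant")
        flagged.append((day.isoformat(), merchant, str(amount), reason))
    return flagged

if __name__ == "__main__":
    for row in unmatched_charges(load(STATEMENT_CSV), load(PURCHASE_LOG_CSV)):
        print(row)
```

Matching on merchant alone would miss the test-purchase pattern described above, which is why the check pairs each charge with a specific logged purchase.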
Go To The Root Source To Avoid Phishing Attempts
For extremely sensitive information, such as forms that will require your social security number, make sure you search for and visit the website at its root source rather than clicking a third-party link. For example, you get an email supposedly from Citi or Chase saying there was a suspicious charge and telling you to click a link to be taken to a page which gives you more details. Instead of clicking the link, visit Chase.com or Citi.com.
If you receive a telephone call from a credit card company or bank representative and they begin asking for more information, tell them that, because of the sensitive data requested, you will want to call them back through the main line. Then go on the website or look on the back of your card and get through the directory to the relevant department. Tell them your issue, and proceed with peace of mind knowing you are talking to an official representative.
Bonus: Make sure you use a different username for your financial accounts than you use for your email address. Hackers know that many folks are lazy and use a similar ID for email and for bank accounts, which makes phishing half-successful before they even begin. Ideally you’d have different IDs for each vendor – I realize there is a trade-off between security and your ability to remember all this stuff and actually access your accounts when you need to. Certainly we all can at least avoid the email/bank ID combo.
It is an unfortunate circumstance that our role as stewards of our money also requires us to become amateur security guards. Fortunately, a few basic habits and routines can go a long way towards safeguarding our assets from would-be thieves.
You have worked so hard to build the nest egg that you have. A few steps to protect it today will yield dividends in the future, in peace of mind as well as protected dollars.
Are there other strategies you have found useful for financial security lockdown? Share your thoughts below.