On this blog we often talk about ways to keep your network secure to protect your proprietary and sensitive information. It’s easy to lose sight of the fact that major corporations face the same challenges, just at a much larger scale. For a lot of major corporations, though, their proprietary information is often their customers’ data, including identifying information and financial information that can be used to scam or steal from their users. You may have heard about the massive T-Mobile data breach in 2021, which wasn’t even isolated to the data of their customers.
Network Security and User Data
Credit fraud is quickly becoming recognized as a network security problem, for two reasons: 1) attacks on vendors and stores often involve typical cyber attacks and network security issues, and 2) the credit reporting systems are a kind of social/technological network in themselves, as are the (“dark net”) networks that resell stolen data.
If we can trust the hacker who claimed to have stolen the data in the T-Mobile breach, they performed a routine attack on T-Mobile’s network and were able to exfiltrate social security numbers, dates of birth, and other important information. If the attack was orchestrated in this fashion, it underscores the need for effective antivirus and proper authentication schemes if you don’t want the same thing to happen to your company. One would think that large corporations would be better at securing customer data, but they are under a greater threat of attack, and as a kind of ground zero for exploits, would be the kinds of networks where “zero day” exploits are commonly unearthed.
Reactive Credit Security
Over the past couple of decades, it has become clear that having total security for our identifying information is not actually possible. Many reports about the T-Mobile attack just happen to mention the fact that social security numbers and birth dates are basically public knowledge at this point. While they used to be considered obscure enough to be used as a unique authenticator, they no longer hold that power. After a series of large data breaches (sometimes by the credit bureaus themselves), enough private data has been leaked to defraud just about anyone.
As part of the T-Mobile breach response, for instance, something like 50 million current, former, and potential customers of theirs have access to McAfee’s ID Theft Protection Service for two years. Credit monitoring tools like this one can help you manage your reputation when fraudsters try to use your identifying information to steal from financial institutions.
Similarly, Credit Karma is a free tool that you can use to check your credit and keep an eye on any new requests for credit or other abnormalities, as well as access tips about how to improve your credit score. Many Identity Theft Protection tools include “Dark Web Monitoring,” which lets you know if your information has been stolen, hopefully before it has been used; you can then change card numbers, passwords, etc. to head off the fraudsters. This type of protection may be available through your credit card company, which is very convenient.
Credit Freezes: Proactive Security for your Credit
Proactive measures are becoming more widely available too, and are better at preventing fraud than ever before. You can now contact one of the three credit rating bureaus to enroll in Fraud Alert, which gives you a free copy of your three credit reports and makes it harder for someone else to open an account in your name; Fraud Alert and Extended Fraud Alert make businesses more scrupulous in verifying your identity when issuing credit in your name.
Since 2018, the credit bureaus have allowed people to proactively freeze or lock their credit for free, to make sure that nobody can use their information to open new credit. If you freeze your credit, but then you know that you are going to open a new line of credit or shop for a mortgage, you can unfreeze your credit in anticipation of that. This way, you can hopefully prevent all fraud of this kind in the first place, since your credit is, by default, frozen when you don’t need new credit.
It takes a few extra steps when you need that new account, but it’s much more proactive than the other methods. By “few extra steps,” I mean that it really is quite inconvenient: to freeze (and unfreeze) your credit, you have to do it with each of the three bureaus separately. Each bureau will use its own login information, so make sure to have your password manager handy when setting up your accounts.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team