Back to Top

You've Been Equifaxed. Your Next 5 Steps.


It's been a week since we learned that between May and July, hackers gained access to sensitive information of as many as 143 million US-based people in the computer systems of Equifax, one of the US's three major, privately owned, credit bureaus. Names, Social Security numbers, addresses, birth dates, and in some cases, credit card numbers and driver's license numbers — all the information, and more, a criminal needs to commit identity theft.

Unless you are about to get a new identity through the Federal Witness Protection Program, or you do not live in the US, it is time to protect yourself. Here are five things you can do now to better protect yourself against identity theft:

Enroll with Equifax ⇒
Freeze your credit files ⇒
Monitor your credit reports and financial accounts ⇒
Use strong, unique passwords ⇒
Use two factor authentication (2FA) ⇒

Enroll with Equifax (optional)
Go to:

With the link above, Equifax will tell you if they think that you are among the 143 million US-based people impacted by the hacking event. After telling you this, Equifax will offer you a free year of their TrustedID Premier credit file monitoring and identity theft protection service. To enroll in TrustedID Premier, you'll need to give Equifax a lot of sensitive information, including your SSN — which many will understandably refuse to do given Equifax's less than stellar track record in safeguarding information. I did enroll as I figure Equifax, and now the hackers, already had this information, so why not benefit from the monitoring services and $1 million in identity theft insurance. I was told I would soon receive an email with links to complete the enrollment process, but three days on, I still have not received it.

TransUnion, another of the three major credit bureaus, offers a similar service to Equifax's TrustedId Premier service, however with fewer benefits at the no-fee level. It is called TrueIdentity and its key free feature is the ability to easily lock, or unlock, your TransUnion credit report, an alternative to the next entry on this list.

Freeze your credit files, aka placing a 'Security Freeze'
Go to: Equifax, TransUnion, Experian, Innovis

As it's name suggests, freezing your credit files at each credit bureau restricts most actors from accessing them (however, this excludes existing creditors and government agencies). And since most creditors and financial service providers will want to see your credit files before doing business with you, freezing your credit files makes it difficult for identity thieves to open new accounts in your name. The catch is that it usually costs money and time to start, and temporarily lift (should you actually be applying for new credit or opening a new financial account), a security freeze. But believe me, it is much less costly and time consuming than becoming a victim of identity theft.

You can use the above links to initiate a security freeze at each of the four credit bureaus — however due to high demand, there is a good likelihood that the credit bureau will ask you to mail in your request. That's what happened to me in the case of Equifax and Experian.

The cost to maintain a credit freeze varies by state, but most of the time it is a $5 to $10 fee to set it up, or temporarily lift it, at each bureau. But note that Innovis does not charge these fees and that TransUnion's TrueIdentity service offers a "credit lock" feature that is effectively freezes your credit report, but is free and more convenient.

See what a credit freeze costs in your state ⇒

Monitor your credit reports and financial accounts
Go to: (Equifax, Experian & TransUnion) & Innovis

Freezing your credit files prevents credit, loans, and services from being approved in your name without your consent at institutions you have not done business with in the past, but it does nothing to prevent fraud in your current accounts or at businesses with which you are already a customer. Therefore, you should review your monthly credit cards, banking, and investment account statements for any suspicious activity.

You should also review one of your credit reports quarterly, which you can do free as each credit bureau offers one free credit report annually. For example, you could get a credit report from Experian this month, a TransUnion report in December, an Equifax report in March, and an Innovis report in June (see links at top of this section to request your free annual credit reports from the four credit bureaus). If you discover suspicious or incorrect data on one of your credit reports, report it immediately.

Use strong, unique passwords, only reasonably possible with a password manager
I reckon the single most important piece of software on my computer, smartphone, and tablet, the one I would pay the most money for, is my password manager. The Wirecutter succiently summarizes the problems around Internet password security and how password managers solve them:

You have to deal with a staggering number of passwords nowadays. Each website you log in to requires one, and many apps do, too. So it’s not surprising that many people reuse simple, easily guessed passwords across multiple sites or keep their passwords written down on sticky notes next to their computer—and end up compromising their security. Luckily, it’s easy to increase your account security without needing to remember dozens of long strings of gibberish. Enter the password manager.

Why should you use a password manager?

Let’s say you use the same password for everything across the Web: Twitter, Facebook, your bank, Amazon—everything. And then Best Buy gets hacked, exposing millions of passwords, including yours. Now those hackers have access to your entire digital life, including your bank account, because you secured everything using the same string of letters and numbers. But even if you’re diligent enough to use a different password for each login, you might be using weak passwords because you want them to be easy to type. A determined hacker can easily crack them.

A password manager makes good security as easy as possible. All you need to do is remember one master password (make it a good one!), and the password manager handles the rest, generating and saving a unique password for every account you need across the Internet. In addition to encrypting these login credentials, it stores them locally and syncs them across your various devices, where they can automatically fill the form on any website.

My preferred password manager is 1Password, but other popular ones are Dashlane and LastPass. The Wirecutter thinks that LastPass is the best one for "most people," but that Mac and iOS users may appreciate the more powerful, and expensive, 1Password. 1Password's ability to support encrypted, cloud-based password "vaults" allows me and my wife to use 1Password to share our common login credentials across all of my devices (Mac, Windows, iOS, and Android).

Use two factor authentication (2FA) where possible
Strong, unique passwords are good step toward safeguarding your online accounts, but there is one more step you should take, particularly for your sensitive email, social media, and financial accounts — two factor authentication (2FA), and sometimes referred to as two-step verification.

Given time, a hacker can brute force her way into your account by attempting to guess your password until she gets it right, billions of times if necessary. That's why you should use 30+ character passwords instead of 8 character ones, and a password manager makes that possible. A second common way a hacker can get into your account, regardless of your length of your password, is if she can get you to download a keylogging virus program to your computer, allowing her to "see" what passwords you enter to gain access to each of your accounts. The use of 2FA will defeat these two hacker methods.

2FA works like this. You log into your account as normal with your password (the first factor of authentication), and then the website asks for a one-time code (the second factor of authentication) that is sent to you by text, email or phone call, or generated by an authenticator program on a local device, like your smartphone. So even if a hacker knows your password, she still cannot get into your account (so long as she does not also have access to your email or smartphone).

I would use 2FA wherever you can, but definitely on your most sensitive, most vital accounts, such as your email, and financial and social media accounts. You can quickly determine which of your accounts support 2FA with this website. Then it is a quick Google search to find the instructions on how to set up the 2FA for your 2FA-capable accounts. For example, google "two step verification Amazon" to learn how to set up 2FA on your Amazon account.

AlphaGlider clients have the ability to activate 2FA on their AlphaGlider Portfolio Dashboard account using the instructions on our Client Resources page. Unfortunately, TD Ameritrade Institutional's client portal does not offer 2FA yet, but I will notify my clients when it does.

One of the more popular smartphone-based 2FA code generators is Google Authenticator, but 1Password users should know that they can generate 2FA codes more quickly and conveniently within 1Password.


Copyright © 2017 AlphaGlider LLC. All Rights Reserved.
No part of this report may be reproduced in any manner without the express written permission of AlphaGlider LLC.