Equifax Data Breach Requires Action

While most of us have been watching the path of Hurricane Irma, another big news story this past week warrants your attention.  Last week, Equifax announced that a “Cybersecurity Incident” had exposed names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license and credit card numbers, from a whopping 143 million Americans.  We have already received e-mails from clients who have been affected, and expect to receive more since this will likely affect about half of the country.

In fact, this is another massive data breach reminding us how vulnerable we are to thieves seeking our personal information and identity. “Incident” sounds a bit tepid for the magnitude of this particular breach.

Are You Impacted?

To find out if your information has been compromised, check the potential impact on the Equifax website: https://www.equifaxsecurity2017.com/potential-impact/

You should do so for all of your household members, including your underage kids.  In the event that you or one of your family members is affected, Equifax offers to enroll you for free credit monitoring, which they will provide for one year.  I’m generally not a fan of paying for identity theft insurance or credit monitoring services, but there’s no reason not to take advantage of Equifax’s free offer. A credit monitoring service won’t prevent fraud from happening, but WILL alert you when your personal information is being used or requested.  The service includes identity theft insurance, and it will also scan the Internet for use of your Social Security number—assuming you trust Equifax with this information after the breach.

It may take a few weeks before the service becomes effective.  In the meantime, I recommend you plan to monitor transactions on your bank accounts and credit cards.  The credit card companies typically do a pretty good job of catching fraudulent activity quickly and shutting it down, but your own diligence is essential.

Unfortunately, the free credit monitoring service has issues.  According to credit expert John Ulzheimer, “You’re only going to get it free for one year” and chances are, your liability is going to last longer. Additionally, it “only applies to your Equifax credit report, and not your credit reports at Experian and TransUnion. That’s like locking one of the three doors to your house.”

I suspect that once the extent of the breach is ultimately revealed, Equifax will very likely extend the free credit monitoring service period.

How Are YDFS Clients Protected?

Withdrawing funds from a custodian (such as Charles Schwab) account is not possible simply with your login.  This set-up provides higher security than a retail bank or other brokerage account, where a thief could hack your username/password and access your funds.

Without signed documentation and verbal confirmation, funds withdrawn from custodian accounts can only be sent via check to the address of record on the account, or via an electronic transfer to a bank account that has been authorized with previously signed documentation. All wire transfer requests require verbal confirmation before any funds leave your account.

Also, all withdrawals from custodian accounts are seen on the same or next business day by your YDFS team so we can be on the lookout for unusual activity.

If You’re a Victim of Identity Theft

If you’re a victim of this (or any) breach, here’s what to do. The whole process takes about an hour to complete:

  • Contact one of the three credit bureaus (Equifax at 800-766-0008, Experian at 888-397-3742 or TransUnion at 800-680-7289) to put a free fraud alert on your credit report. Under Federal law, each is obligated to notify the other two. The alert makes it harder for an identity thief to open more accounts in your name, but experts note that alerts usually just slow down the process of criminals opening accounts in your name; they don’t prevent it. The alert lasts 90 days, but you can renew it, and the alert entitles you to a free credit report from each of the three companies.
  • File a complaint with the Federal Trade Commission and print your Identity Theft Affidavit. Use that to file a police report and create your Identity Theft Report.
  • Place a credit freeze on your credit file, which generally stops all access to your credit report. Unfortunately, you need to contact all three companies to freeze your file. Here are the links: Equifax; Experian; TransUnion. Important note about a freeze: If you need to access credit, you have to unfreeze your records, which can take a few days. The availability of a credit freeze depends on state law or a consumer reporting company’s policies. Some states charge a fee for placing or removing a credit freeze, but it’s free to place or remove a fraud alert. You can sometimes get this service for free if you supply a copy of a police report (which you can probably file and obtain online) or affidavit stating that you believe you are likely to be the victim of identity theft.
    Another advantage: each credit inquiry from a creditor has the potential to lower your credit score, so a freeze helps to protect your score from scammers who file inquiries.

Best Practices to Employ

According to pros like Ulzheimer and professional hacker Kevin Mitnick, the question is not if your information will be compromised, but when. Criminals are actively stealing your passwords, buying and selling your data and reading your emails. There is no single way to protect your coveted identity, but here are eight best practices to employ to keep the criminals at bay.

1) Protect your information:

  • Refrain from providing businesses with your Social Security number (SSN) just because they ask for it. Give it only when required. In an antiquated practice, doctors, dentists and some lawyers routinely request your Social Security number for billing (and collection) purposes. Refuse to do business with professionals who insist that you supply your Social Security number without a true need to know. Medicare recipients take note: your SSN is printed on your current Medicare card, so be careful with it! The process of changing the cards will take some time, but it is in the works.
  • Don’t give personal information over the phone, through the mail or on the Internet unless you have initiated the contact or you know with whom you are dealing. This is especially important to communicate to older relatives or friends, who are prime targets of fraudsters.
  • Beware of over-sharing on social media, where criminals are finding treasure troves of information. Because they are explicitly targeting children under the age of 18, it’s important for parents to talk to their kids and explain why it is so dangerous to share too much personal information online. Share your vacation photos & experiences AFTER you’ve returned home.
  • Update your passwords so they are difficult to hack. NY Daily News found the top ten worst passwords to include: 123456, password, baseball, football, etc. Others have started to use encrypted password managers where you enter one login/password and they manage all your other passwords for you.
  • Review your banking transactions online or on your statements to look for transactions you didn’t make. Report any suspicious activity to your bank promptly.

2) Protect your Password: You know the drill; you should be changing logins and passwords every few months, and sign up for two-factor authentication (where your cell phone is your 2nd device used to authorize access) for those sites that are used frequently.

3) Shop carefully: Stop sending your credit card information over unsecured wireless networks, and when making purchases, use a credit card, which has more fraud protections under federal law than debit cards or online payment services. Free (public) Wi-Fi hotspots are prime targets for banking and credit card information theft. Never do your personal or business banking over these hotspots.

4) Review credit card statements: Before you pay, be sure to spend a few minutes to verify that there are no fraudulent charges. While you’re at it, enroll in your credit card’s notification program, where the company alerts you to charges over a set amount.

5) Review your (and your kids’, for reasons mentioned above) credit report (free) every 12 months at annualcreditreport.com. You want to make sure that nothing fishy has cropped up. If you find an error, report it immediately and stay on top of the process.

6) Protect your Social Security account from identity theft by claiming your record at https://www.ssa.gov/myaccount/. Two-factor authentication will prevent others from attempting to steal your social security identity and records. Do it before they do.

7) Avoid maintaining large balances in checking or savings accounts with a debit card attached: Keep larger account balances in brokerage accounts or accounts without debit and/or check writing features.

8) Opt out of pre-approved credit card offers: ID thieves like to intercept offers of new credit sent via postal mail.  If you don’t want to receive pre-screened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years by calling toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visiting www.optoutprescreen.com. Or you can opt out permanently online at www.optoutprescreen.com.  To complete your request, you must return a signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.

It’s important to remember that breaches like these have happened before and will happen again.  Taking preventative measures like those listed above limits the potential damage of such events.  Please contact us if you have any further questions or concerns regarding this topic.

If you would like to review your current investment portfolio or discuss any other financial planning matters, please don’t hesitate to contact us or visit our website at http://www.ydfs.com. We are a fee-only fiduciary financial planning firm that always puts your interests first. If you are not a client yet, an initial consultation is complimentary and there is never any pressure or hidden sales pitch. We start with a specific assessment of your personal situation. There is no rush and no cookie-cutter approach. Each client is different, and so are your financial plan and investment objectives.

Protecting Yourself From Identity Theft

We’re hearing a lot more about identity theft these days—from hackers stealing credit card numbers from big banks and retail stores to individuals opening up credit card or bank accounts in your name, which they can use to write bad checks or make expensive purchases.  Criminal identity thieves may also take out a loan in your name for a car or even a house, and some have managed to receive Social Security benefits or tax refunds that rightfully belong to others.

In some cases, when arrested for some other crime, hackers have helpfully provided a victim’s name to the arresting officers, showing the police a falsified driver’s license with that person’s number and their picture.  They post bail and skip town.  When their victim doesn’t show up for a court date he was never informed of, he could be arrested.

How do you protect yourself?

According to the National Crime Prevention Council, the biggest threats are coming from places that might surprise you.  A study by Javelin Strategy and Research found that most identity thefts were taking place offline, where someone managed to steal your credit cards, or found social security information or credit card information in a dumpster, or filed bogus change of address forms to divert a victim’s mail to their address, where they can gather personal and financial data at their leisure.  Even more surprising, 43% of all identity thefts were committed by someone the victim knows.

An organization called IdentityTheft.net estimates that over 10 million people are victimized by identity theft each year, although that number may be boosted by the aforementioned mass hacking incidents.  The Council and IdentityTheft.net say that you can do a reasonable job of protecting yourself by taking a few common sense steps that make it much harder for someone to make purchases in your name or withdraw funds from your accounts:

•    Never give out your Social Security number, and don’t carry your social security card, birth certificate or passport around with you.
•    Copy your credit cards and your driver’s license, and put the data in a safe place, to ensure you have the numbers if you need to call the companies.
•    When you use a credit card to buy something in a retail store, take the extra copy of the receipt with you and shred it.
•    Create complicated passwords for your online bank and investment accounts, and don’t write them down on hard copy paper.  Try not to use the same password for every website you access.  (Can’t remember 50 complicated passwords?  A free program called LastPass lets you save all your user names and passwords in an encrypted format, so you only have to remember a single strong pass phrase.  You can also store security questions and answers.)
•    Don’t let anyone look over your shoulder when you’re using an ATM machine.
•    Be skeptical of websites that offer prizes or giveaways.
•    Tell your children never to give out their address, telephone number, password, school name or any other personal information.
•    Make sure you have a virus and spyware protection program on your computer, and keep it updated.
•    Check your account balances regularly to make sure no unexplained transactions have occurred.

These simple precautions will keep you safe from many of the criminal efforts to hack into your life.  If you feel like you need additional protection, there are a variety of protection services on the marketplace, which basically all do the same thing: they regularly monitor your credit scores, looking for changes and odd debts that might be a clue that someone has stolen your identity, and check public record databases to see if your personal information is compromised.  Some will prevent pre-approved credit card offers from being sent to your mailbox, patrol the black market internet where thieves buy and sell credit card numbers, and the fancier services will provide lost wallet protection, identity theft insurance and keystroke encryption software.

Which are the best?  A research organization called NextAdvisor has recently evaluated and ranked eight of these services with costs ranging from $20 a month down to $7 a month.  The top rated was IdentityGuard (premium service price: $19.99 a month) which offers the most complete protection, including the aforementioned fancier services.  But seven of the protection systems, including TrustedID, AARP (a white-labeled version of TrustedID), LifeLock Ultimate, PrivacyGuard, IDFreeze and LegalShield all received good ratings; only Experian’s ProtectMyID was negatively reviewed for being expensive and only monitoring one credit reporting service.

Do you really NEED these services?  Possibly not.  However, with the growing publicity around identity theft, these firms have become very aggressive in their marketing efforts.  What they don’t tell you is that you can do many of the things they do on your own.  Every quarter, you can review one of your credit bureau reports for free, or—and this is easier—simply look at your statements and balances every day.  The more sophisticated services are a fancy replacement for promptly notifying your bank when a credit card is lost or stolen, or when a strange charge shows up because Citibank or the Target department store was using weak security protocols.

In the near future, as more transactions take place using thumb prints or other biometric security data, we may look back on this period as the Wild West of data security, a strange unsettling time when people had to worry about their lives being hacked by strangers.  Your goal is to arrive safely, un-hacked, at that more secure period in our cultural evolution.

If you would like to discuss protecting your money and your identity, please don’t hesitate to contact us or visit our website at http://www.ydfs.com. We are a fee-only fiduciary financial planning firm that always puts your interests first.  If you are not a client yet, an initial consultation is complimentary and there is never any pressure or hidden sales pitch.

Sources:
http://www.ncpc.org/cms-upload/prevent/files/IDtheftrev.pdf
http://www.ncpc.org/topics/fraud-and-identity-theft/tips-to-prevent-identity-theft
http://www.identitytheft.net/
http://www.cracked.com/article_19973_the-8-creepiest-cases-identity-theft-all-time.html
http://www.nextadvisor.com/identity_theft_protection_services/index.php?a=2&kw=mididx2+identity%20theft%20prevention&mkwid=pK49zV76_pcrid_5328142234_pkw_identity%20theft%20prevention_pmt_be_pdv_c_

In The Land of Password Management, RoboForm is King

Over the years, I’ve made tens of “Cool Tools” presentations (and the like) around the country and the list of tools has varied widely as time went by.  While many of the tools make it into my presentations once or twice within a span of a few months, one staple that continues to garner the largest audience interest is an inexpensive password manager and form filler known as RoboForm.  It continues to surprise me how many people still aren’t using one of these great productivity boosters.  If you’re not taking advantage of a password manager in this internet age, let me tell you that you’re wasting precious time and probably taking unnecessary security risks.

I’ve been a user of RoboForm for several years now.  In fact, I first reviewed and raved about RoboForm in an article published a few years ago.  RoboForm remains my number one must-have application on every computing platform I own or use regularly and it is the first application I install when I move to a new operating system or get a new device.  While there are several password managers out there, both free and paid versions, nothing I’ve tried comes close to the versatility and power of RoboForm.  It cannot be ignored that, in this day and age of key loggers and identity theft, having a secure repository of personal information is essential.

I decided to review the current beta 7.0 version of RoboForm since it’s the first real upgrade in recent years.  Actually, it’s not a major upgrade; it’s more of a renovation.  I’ve been using the latest version for a couple of months now and I like the new features and enhancements.

Background

For those of you who are new to password management programs and form fillers, here’s a little background on their capabilities:

As time goes by, we accumulate more and more user ID’s, passwords, secret questions and phrases, software installation keys, personal identification information, credit card and bank account numbers, website addresses, secret notes, etc. (need I say more?), all of which we need to store and retrieve securely.  While a variety of methods have been devised and employed to accomplish this task, most are barely secure and totally inconvenient or incompatible with the wide variety of devices and platforms currently available.  RoboForm aims to be your single and most secure repository to store all this information within (yet another) master password protected and encrypted database.  Think of RoboForm as your hardened safe to store all this info which can only be opened with the correct combination (i.e., the master password).

In addition, many applications, web sites and other secure network gateways require us to change our passwords periodically and utilize strong replacements with a variety of formats and requirements.  Thinking of and remembering these changing passwords can drive one crazy and, as a result, many of us resort to easy-to-hack passwords and storage methods just to keep us sane.  RoboForm steps up here with a powerful password generator that meets a variety of criteria required by the site or the application.

Getting Started and Working with RoboForm

Downloading and installing RoboForm version 6.x (a free trial version good for storing up to 10 passwords is available at http://www.roboform.com) is quick and quite easy.  Whether you’re using Internet Explorer, Firefox, Google Chrome or one of the many available mobile platforms, RoboForm integrates nicely and stands ready to store your user ID’s, passwords and other personal data each time you access a site.  The only thing you need to get started is to specify the master password to be used to lock all of your secret information once RoboForm starts memorizing.  Naturally, with a variety of military strength encryption schemes (no fewer than five encryption algorithms are available) to secure your database, you don’t want to forget the master password once you’ve specified it.  Even RoboForm technical support will not be able to figure out your password if you forget it.  And of course, your master password should be very strong and long because it unlocks your most valuable data: your personal information and passwords.  RoboForm stores all of this securely and locally, unless you decide to use RoboForm online (discussed below.)

Visit a web site, enter your user ID and password and, depending on the options you specify, RoboForm will pop up and offer to store them in what’s called a “passcard.”  The passcard is capable of storing numerous fields.  So, if you need to enter more than just two pieces of information to log in, RoboForm can handle the job.  If you are setting up your online access for the first time, RoboForm helps you generate and store a password based on a variety of security criteria, characters, length, etc.  Thereafter, whenever you visit that site, RoboForm will offer to fill in the user ID, password and other information assuming that you’ve unlocked the database with the master password.  One available setting determines how much time you have before the master password “times out” and is required to be re-entered.  This way you don’t have to enter it each time you summon RoboForm to populate your login information or web-based form.  Since you don’t have to subsequently type in the secure information, key loggers installed without your knowledge cannot capture your valuable data.

The other powerful capability of RoboForm is an online form filler.  When you set up RoboForm, you have the option to set up profiles with your name, address, phone numbers, credit card numbers, banking information, etc.  Anytime you encounter an online form for e-commerce or other sites, RoboForm will pop up and offer to populate the relevant information on the form.  If you set up multiple profiles (e.g., one for home, one for work, one for your spouse), you can choose amongst them, choose amongst credit cards to use or choose which address to use.  This is a huge time saver since RoboForm’s built-in intelligence is programmed to recognize and remember the most common field types used on the web.  To the extent that it doesn’t, you can right-click on the form and have RoboForm save the form information for future use.  I find this capability quite handy for repetitive surveys over time, forms that require shipping and billing data, and sites that request recurring demographic data.

Have you ever been frustrated after spending a lot of time on a site completing an online form or long text box and then find out that the site timed out or couldn’t save your info?  You’ll find that saving the data in RoboForm first before submitting it can save you quite a bit of aggravation.  Just bring up the page again and let RoboForm re-populate it.

RoboForm can also securely save and store free-form bits of information known as “safenotes.”  I’ve used safenotes to store software installation keys, combinations for safes and locks, Wi-Fi network names and keys, PIN’s, frequent flier numbers, and other confidential personal or financial information.

As mentioned above, RoboForm is available on most computing and mobile platforms including the PC, iPhone, Windows Mobile, Palm, BlackBerry, Android, and Symbian.  A version known as RoboForm2go works on a USB thumb drive and enables you to plug in and out of any PC without having to install the program and move your passwords onto someone else’s PC.  Another available piece of software, known as GoodSync, keeps your RoboForm information synchronized between different platforms and locations.

RoboForm Online

Over the past year, RoboForm has been beta testing a version of RoboForm online which optionally allows you to synchronize your passcards and safenotes to a secure server.  Accessing these very secure items online requires you to register with and to log into the site (free) with a secure password.  Actually opening the secure items prompts for your RoboForm master password to be entered, thereby enabling two levels of password security.  This service has been a godsend for me on numerous occasions where I was away from my PC and didn’t have my laptop or RoboForm2go USB thumb drive with me when I needed a login ID and password.  The site functions much like the desktop version of RoboForm and assists you with automatically logging into sites that you’ve saved in RoboForm.

RoboForm Online gives you the added flexibility of synchronizing your passcards and safenotes over the internet across multiple devices.  This is a very powerful and much needed capability, though I can understand many people’s hesitation to surrender and trust their most sensitive passwords and personal information to a third party server.  My only comment is that RoboForm has the highest levels of security and encryption implemented and, with two levels of password protection, I feel reasonably secure about putting my data out there.  Besides, your online ID’s and passwords are by definition already stored on many servers in the cloud which can be equally hacked by determined thieves, albeit one at a time.

Version 7 Enhancements

One of the most significant enhancements in this version 7.0 beta is the capability to save and fill ID’s and passwords in Windows (WIN32) applications, not just online passwords.  In addition, when saving an online form, the details are now displayed for you so you know exactly what is being saved.  Furthermore, this occurs in a non-obtrusive tool-bar rather than the old pop-up box, thereby streamlining the web browsing experience.  Logging into widely known and popular websites automatically downloads site icons to make the related passcards more visually appealing and easier and faster to recognize.

Another significant enhancement for devices equipped with a fingerprint reader is the capability to enter the master password via a finger swipe.  The fingerprint device stores your master password in a secure area on the device.  This secure area becomes accessible to RoboForm only after you slide your finger and it is then authenticated against the fingerprint stored on the device.

A release date for version 7 has not yet been announced.

RoboForm Criticisms

RoboForm is not without its shortcomings and share of quirks.  For example, more and more sites are switching to an Adobe Flash version of their login screen to raise security.  RoboForm cannot currently handle most of these sites.  On those sites, you have to perform a manual RoboForm lookup and type in your ID and password yourself.

On some sites, such as American Express, RoboForm inexplicably stops working properly. This requires you to have RoboForm fill out the form (but not submit it) and then you manually click on the submit button.  In this case, you can re-memorize the site information in RoboForm and fix the problem for future visits.

As sites become more sophisticated with additional levels and types of authentication (e.g., captchas, pointing and clicking your PIN on an onscreen keyboard à la ING Bank, rotating challenge questions, etc.), RoboForm is left unable to do anything more than show you your credentials to be manually entered.  I’m not sure how or if RoboForm can be enhanced to overcome and automatically populate these additional safeguards, but it sure would be nice if they figured out a way to do so.

Whenever you change the master password, your passcards and safenotes should inherit and respond only to the new password.  However, I’ve had a few occasions where a passcard would only open up with the old password.  Finally, I’ve had occasions where I’ve had to inexplicably remind RoboForm where my data directory resided.  Fortunately no data has ever been lost.

Options & Recommendations

The paid version of RoboForm, known as RoboForm Pro, is about $30 for the first license and less for additional licenses.  An enterprise version is available and significant discounts are available for large license purchases.  During various holidays throughout the year, a 20% discount can be found on the website.  Even without the discount, for this price, you can count on saving yourself tons of frustration and aggravation compared to using manual or spreadsheet password management and form filling.  Buying multiple licenses at the same time (whether or not on the same platform) will likely save you money compared with buying them over time.

I also highly recommend the powerful GoodSync software if you plan to sync your data or files across multiple platforms or devices.  GoodSync is one of the most powerful file synchronization tools available and is also one of my most frequently used cool tools to keep data in sync.

For those who prefer free versions of password management tools, of course the Internet Explorer and Firefox password stores are available, though they are significantly less capable than RoboForm.  The popular open-source password manager applications KeePass and LastPass are also free but, in my opinion, not as convenient as RoboForm.  If you’d like additional information about password managers including the five most popular ones, visit http://lifehacker.com/5042616/five-best-password-managers.

I welcome your feedback and questions about RoboForm or other password managers. Please feel free to write me at shf@ydfs.com.

Sam H. Fawaz, CFP®, CPA works with Y.D. Financial Services in Canton Michigan and Franklin Tennessee and has been helping clients with financial planning and financial planners with technology solutions for over 20 years. He has been writing about tax, financial planning and technology solutions for over fourteen years.  He can be reached via e-mail at shf@ydfs.com or at (734) 447-5305 with any questions.  You can follow Sam on Twitter at http://twitter.com/themoneygeek or at his blog at http://themoneygeek.com.  His company website is at Y.D. Financial Services, Inc.