
RPF0482-Equifax_Breach


Transcript

Today on Radical Personal Finance, I am preempting the normal Friday Q&A show in order to talk about the recent awful Equifax data breach.

Welcome to Radical Personal Finance, the show dedicated to providing you with the knowledge, skills, insight, and encouragement you need to live a rich and meaningful life now while building a plan for financial freedom in 10 years or less. Today we need to talk about risk management, part of that avoid catastrophe component of the Radical Personal Finance, personal finance rubric.

Equifax has released your public data to hackers and we need to talk about what you can or should do about it. This week, actually last week, going on just over a week ago, Equifax came out and released the information that they had been hacked and a very serious hack.

They talked about the fact that almost 150 million people have had their personal data stolen from Equifax servers depending on the account, about 200,000 people's specific credit card numbers, and the data that has been released is extremely damaging. The data that's been released is very damaging because it includes not only your social security number but your name, your date of birth, your social security number, your address, your driver's license, etc.

This is probably the most damaging hack – sorry, the most damaging public data release of really almost any data. That's saying something. It's not necessarily the biggest. As of the moment, Equifax claims that the personal records of 143 million users in the United States, Canada, and I believe England primarily have been released.

So 143 million, that's not the biggest data breach. There was a few years ago a Yahoo data breach of about 500 million people's personal information and another one – I can't remember the exact number – a couple hundred million. Really damaging a couple years ago, the United States Office of Personnel Management released the records of over 200,000 US service personnel who had had security classification clearances with the US government.

They released all of that information through two hackers. But this particular hack is staggering with regards to its scale, the 143 million, and the depth of the information that has been released. Now specific information is still hard to find. Equifax waited about five weeks between the time that they discovered the hack and the time that they issued the press release on it.

So there is a significant amount of time that's elapsed there. That has been a cause for scandal among those who pay attention to these areas. There have been other causes for scandal as well. For example, three Equifax employees sold just under $2 million worth of stock after finding out about the – or excuse me, after the hack was disclosed.

Now of course, Equifax states that they weren't aware of the hack. They weren't aware of the breach. That is for any of us who have ever worked in a company and know how fast bad news travels in any company, in just the informal grapevine. That is very hard for any of us to believe.

But who knows? If it was insider trading, they were acting on nonpublic information. I'm sure they'll be pursued. There was certainly a major outrage over that. The response by Equifax has so far been awful, absolutely awful. There's just been – it seems as though they've done almost nothing. Well, let me rephrase.

I watched the apology video by the CEO of Equifax that they posted on their website called Equifax Security 2017. I guess the only good thing I could say is that the CEO in that process looked sincere as he read from his teleprompter and he looked sincere. I know nothing about this particular CEO.

Times like this are when CEOs earn their money. They face a very difficult job where they're on the head – tip of the spear. They need to take responsibility for the actions of thousands and thousands of employees in their company. But at least you could say that his apology video seemed sincere.

But basically almost every other aspect of their response has been amateurish at best. The website that they published in order for people to go and use to check to see if they were impacted, of course, rather euphemistically named Equifax Security 2017 – excuse me. Equifax Security 2017 seems to have been just a complete – a completely bungled approach.

The technical people who analyze such things talk about the fact when it was published, it was just a basic WordPress site that didn't have the TLS certificates properly configured. It wasn't registered in the domain registration to Equifax. They published information as far as usernames that were just a nightmare.

Just this morning, I saw an article that the Equifax breach – sorry, the Equifax website in Argentina had access credentials that were lined up for an employee site that were in the – username was admin and the password was admin. Just complete lack of decent standards. It's not only Equifax that faces this problem.

Many large companies face this problem. So I want to be careful not to be too hard, but they certainly deserve to be kicked around a little bit at this point in time. Just the way they've handled things. I am so sick and tired of the way these companies handle these data breaches.

I've been involved and my accounts have been involved in a number of them over the past few years. And basically the standard rigmarole is a company trots out and says, "Oh, we're so sorry about this data breach." And then they offer you a free year of credit monitoring nonsense and that's what Equifax did, which is just absolutely absurd.

They come out and say, "Oh, we're going to offer you a free year of credit monitoring," when the reality is you can get free credit monitoring from just about anywhere. Almost anyone would give you a year of free credit monitoring as an introductory service. And what's most ironic is I think there are good indications to say that the Equifax – some of the Equifax data that was released seems to be the credit card numbers of people who were enrolled in Equifax's security monitoring, which is just one of the most ironic things possible.

Now, I'm painting with broad strokes. All of the statements that I have made thus far have been reported in reliable and semi-reliable news channels. But it's so early in the actual data that it's very possible that some of these things will turn out to be wrong. I am increasingly convinced that you can trust almost no reporting from anybody, no matter how well-intentioned, on any subject for months.

At the very least, years better. So we need to take all this with a grain of salt. I have a story that has just broken in the last week, and again, I'm behind because of being out with dealing with Hurricane Irma. I'm behind in reporting it to you. So this has been a huge story, and it is a nightmare.

It's a nightmare scenario. It's a nightmare scenario that you are affected by. Now, you say, "Joshua, why do you speak so confidently that I'm affected by it? How do I know if I'm one of the 143 million people?" Well, that's a good question. What you are supposed to do, according to Equifax, is to go to a website called EquifaxSecurity2017.com.

This is the website that Equifax has established to be their go-to website where people are supposed to go through and see about what the solutions are. It's called the Cybersecurity Incident and Important Consumer Information. You can go and see. It's a simple blog site that's been set up, and you can see some of the things that have been established by Equifax.

Again, that's where their little apology video is and all of their instructions. They have some information because as they published this, there was a severe reaction from the marketplace, as there should be, about even some of the things that Equifax was doing. When Equifax originally – and consumers being able to go and sign up for that free year of credit protection monitoring, blah, blah, blah, that Equifax is offering – there was language in that contract that indicated that if you joined the service, that you were waiving your rights to sue Equifax for damages as a result of the claim.

You were waiving your rights to sue them as part of a class action lawsuit as a result of the claim. You would, in theory, have the right to sue them individually but not as a result of the class action lawsuit. Well, who knows whether it was a mistake that it was in there or whether they just got caught trying to be greedy and get people to sign up for terms of service and stuff that nobody ever reads in the fine print.

But at least they backpedaled on that. They wound up saying, "No, this doesn't actually mean what it says," and they backpedaled still more. And they said, "Well, we're actually –" said, "Well, we're –" That's what happens when you lose your train of thought when trying to record a podcast and your children come and interrupt me.

The trials of a home broadcast studio. That's what happens. They got found out and they said, "No, we're not actually saying you have to waive your rights." And finally, the language was evidently completely stricken from the contract information. But back to the why do I say you're affected. This website in theory is supposed to see if you have been impacted.

There's a little button on the website that you can look to say potential impact and you can go and you can look to see if your personal information is potentially impacted. You can check potential impact by putting in your last name and the last six digits of your social security number into the website.

Now, this is a very questionable thing. Again, the website was not well done and you're giving away your last name and the six digits of your social security number to a website where the security certificates at least initially were not adequately protected. And then it tells you either, yes, you have been impacted or no, you haven't been impacted.

But I have come to disbelieve the results even of that test based upon hearing and learning the results where people have been able to put out information where they put in random names. Somebody put in Trump as the last name and 1, 2, 3, 4, 5, 6 to be the last six digits of the social security number and it spat out that, yes, you have been affected.

So I now disbelieve and find the information that has been put out by this particular website incredulous. I am incredulous of it. I find it incredible or uncredible. And so I think it's best that you assume that your information is affected whether or not the Equifax website says that it has been.

Even if the number that they claim is accurate and I am doubtful, I'd be happy to be proven wrong, but I'm doubtful that's the number. I don't know how they – and they haven't released details on how they came up with these numbers and what – they haven't released details on what specific data has been disclosed.

They have been very non-forthcoming with information. There have been a couple of things that they're starting to release. But so far, I think there's good reason to doubt just about anything that they say probably because they don't know, not necessarily ascribing malicious intent or indicating that they're trying to intentionally lie.

I don't have any evidence of that. So I wouldn't want to allege something like that. But it's likely that everybody there is just scrambling, got caught with their pants down and has no idea what to do and how to improve the situation. So they're doing the best they can, but they're just probably utterly overwhelmed.

In a situation like this, I'm no data security expert. I don't even know how you would accurately verify the exact numbers of things that were affected. It takes a while to find a hack and then how do you know that you've actually found all of the files and the servers that were accessed?

And then you do a count on the records of those servers. So I'm sure they're doing their best to try to give accurate information, but I don't see any reason why you or I should take comfort in or believe that it is fully accurate information. The investigations will continue on and time will tell.

So I hope this gives you enough information to at least get a sense of it, a sense of what's going on. I'm giving very broad overviews. You can follow the news yourself and search out some of these details. I've published a few articles on my Twitter feed, twitter.com/JoshuaSheets, if you are interested in looking at some of those articles.

So what do you do? Well, I'll tell you that in just a moment, but I'll just share my personal frustration. I find the whole thing frustrating because – and I'm sure many of you do, so perhaps you'll just indulge me to speak for you. I find the whole thing deeply frustrating because I find the whole system of information, the way the information is sold, deeply frustrating.

Now, I want to be careful because there are certain good things that we can trace that have come out of the modern credit reporting and information reporting systems. Probably the biggest thing is that due to the availability of credit reporting agencies and the work that they do, it's brought about a modern economy in which people that have no personal acquaintance, people which have no personal relationship can do business effectively together.

By having somebody's profile, having their financial history, it allows a company, a credit card company that doesn't know you personally to lend money. And our entire economy runs on this. If these reporting agencies were to go away, our – it's not an exaggeration to say our economy would collapse.

We live in a debt-fueled economy wherein almost everything is done based upon this number, based upon your credit score, your FICO score, based upon the information that's in these credit reports. We buy houses with money we don't have that comes from a mortgage company that investigates our credit report to assure the lender that we are a reliable payer.

We buy cars with money we don't have for the same reason. We go out to eat and buy presents for our friends with money that we don't have that we use credit cards on. And at different times in the economic cycles, these numbers and these borrowed amounts increase and decrease.

But all of this fuels our economy. Our economy is hugely fueled by debt. Our government runs itself with money it doesn't have by thinking that somehow it's going to be able to extract higher amounts of taxation from our children and grandchildren. It's all a giant – to be charitable, it's all a giant Ponzi scheme and nobody has any idea how it will work out in the long run.

Individual people will have to face the consequences of actions. Speaking broadly, we live in a brave new world in which nobody knows how this will eventually end. Some people will argue that, yes, there are significant problems, but there may be possible escape routes. And other people will argue and say, well, there are no escape routes and we're doomed for significant problems.

But almost nobody will publicly argue with a straight face that everything is fine and we're doing a great job. Well, the credit reporting agencies are at the center of this. And so if there were to be significant changes by the credit reporting agencies, there would be a massive immediate effect on our broader economy.

So that is the good that credit reporting agencies do. I feel deeply frustrated with them because I don't want to be involved. I don't want to be involved anymore. And I've often struggled with how much to be concerned about the information that is gathered. I've often struggled with where is that line between appropriate caution and prudence and that line between caution and prudence and inappropriate paranoia.

It's very easy to move to an inappropriate level of paranoia. And I've often questioned that. But the reality is we live in a brave new world. We live in a world where the information that is available about you and me, the information that is being aggregated by almost every company we do business with is available.

Whether through so-called ethical and honest means or unethical and dishonest means, who knows? That information is available to anyone else in the world. That is fundamentally new. Solomon said there's nothing new under the sun. Well, I think there's probably ways to apply that. But I think this is something that's new under the sun.

Never before in the history of the world has there ever been a way in which someone on the other side of the world could find out every single detail about your life or my life through a computer screen at a cost, a financial cost of almost zero. And really the only cost is the time.

Now, to your and my shame, we publish most of the information freely available for other people to find. Here would be a simple example. You and I pull out our iPhone and snap a little picture of the dish that we've just pulled out of the oven. We made an apple pie and our lattice work on the top of that apple pie was particularly impressive.

So we pull out our camera and we snap a little picture and we crop it square and we adjust the color a little bit and then we click publish right to our Instagram account. Well, that picture has metadata that's associated with it. And if you are proficient with the appropriate programs, you can grab that picture right off of Facebook, right off of Instagram.

Actually, most of the time we tag ourselves in it so it properly appears right on the Instagram map or we check in at Chez Sheets or wherever, chez, your house. And we check ourselves right in where we are. So it's right there publicly available. Anyway, you just grab the metadata from there and the EXIF data from that picture will disclose the exact GPS coordinates of where that picture was taken.

And then we publish that information. Well, it doesn't take somebody brilliant to go and just grab that right off of the picture. Now, you can cleanse that data from your picture and you should. You should never post a picture online that you have not wiped the metadata from. There are apps that are freely available on your phone.

There are apps that are freely available for your computer. And so you should never publish a picture online that doesn't have that metadata wiped from it. But of course you do. And of course I do because that's what we all do. We don't think twice about it. And it really in many ways doesn't matter whether you do or don't do because it's even worse.

You might carefully scrub all the metadata from any picture that you post online. And yet your buddy comes over, snaps a picture with their iPhone, and they publish and they tag you. And now that picture is online. And that's just the simple obvious example. It goes deeper and deeper and deeper.

I just was looking at Kim Jong-un fired off another nuclear missile this last week. There's an analyst that published right on Twitter right where he was standing, even though the North Korean government took great pains to try to conceal the location. But they grabbed a couple pieces of data from – one piece of data from a picture, and they showed how this was probably a caution sign that was on a tunnel.

And then they grabbed the profile of the road that it was on and analyzed that profile to get a position. And then they used – this particular North Korea analyst then used a YouTube video that was shot by a Japanese or Chinese tourist who was touring North Korea and had been published to YouTube to establish the appropriate distances and focused in – and published this publicly on Twitter – focused in and demonstrated right where Kim Jong-un was standing for that missile launch, even though the North Korean government had tried to conceal the information.

So in many ways, you're kind of doomed no matter how hard you try. But that's just an example of the information that's out there. Now, you pull this together with credit information, and the credit information contains almost everything that you do with your life. Your credit file contains the whole and complete picture of your life.

It contains your address, your current address. It contains the address of every address that you've lived throughout your adult lifetime. You may be fortunate enough that one or two of your childhood addresses is not there, but all the rest of them are right there. It contains the information of every single person – sorry, every financial account that you've had or that you have.

All of that financial account and information contains all of the data from every one of your spending transactions. Think what picture I could put together with that information. And there are lots of people who can gain access to it. And we're not even necessarily talking about state actors here.

When you start compiling that information, the financial information, with the information that a state actor or a very high-level, very competent non-state actor has, the National Security Agency from the United States records every single one of your phone calls. They log every single one of your text messages. All your phone calls and your text messages are scanned for keywords like "jihad" and "bomb" and "terrorist." Hey, good for you.

I just set off the NSA on you by saying those words. All of that information is carefully archived in mass data centers. All of your emails are carefully archived and scraped. Of course, Google is scraping them to sell you stuff, but then those emails are still stored and available for other people to go through.

And there sure doesn't seem to be any change on the horizon. After all, the new Apple iPhone X will carefully map the contours of your face and store that face print. Never mind the fact that Facebook already has a perfect face print on you that is superior to almost anything that state-level actors have.

The Facebook algorithms are so good that if your buddy publishes a picture from the random social gathering and your face is in the background, Facebook knows you were in that picture and they'll tag you and say, "Hey, would you like to tag your friend?" And of course, we help it all out by publishing these photos in high definition, high resolution with all of the appropriate metadata so that Facebook can scrape all the metadata as well.

Anyway, it's an endless loop when you get into it. This last year, I've read, I don't know, a half dozen, six or ten books on privacy and security and some of these things to try to get an accurate understanding of the world that we live in. But there seems to be no general outrage, no general perspective.

We all seem to have taken it as a matter of course that we're just going to give away our privacy and it's not a big deal. Well, that may be fine. We all say the number one objection is, "Well, I don't have anything to hide." The problem comes in and forgive me, this has turned into a little bit of a screed.

I'll get to the solutions in a moment. But the problem comes in when your personal opinions or your personal life or your personal political ideology or your personal religious ideology is out of step, is non-mainstream. You're on the wrong side of history. I find some of the news of the past couple of months very disturbing as far as the direction that some of the large companies that we do business with are taking with regard to the penalties for speech that is politically unpopular.

I will stop there lest this become an inappropriate screed and cease to be informational and focused on the Equifax data breach. But these things are deeply concerning. So I think you should bet that you have been affected by the Equifax data breach. And if in fact you have not, you will tomorrow be affected by the Experian data breach that's coming and by the TransUnion data breach that's coming and by the Social Security Administration data breach that's coming and by the Census Bureau data breach that's coming.

Because these things are not isolated incidents. If you haven't paid attention to this area, it's just because it hasn't affected you. You haven't been personally and just kind of ignored it. But this is nothing new. The Target data breach that happened a couple of years ago is huge, was huge, huge.

And it's just the tip of the iceberg. So you have to operate under the assumption that all of the information is going to become public. And I believe you must. If you're going to be prudent and responsible, you must take action to protect yourself. And that's what I was saying.

This is new. This is fundamentally new. In the old days, it wasn't a huge deal. In the old days, it was no big deal that your mortgage was listed in the address of record. Your address was listed under your name in your local courthouse as part of the appropriate land filing documents.

And so if somebody was looking for you, there were private investigators that were looking for you, then that private investigator could figure out, well, what county does Joshua live in? And let me go down to the courthouse and search things out. But in order for somebody to find you, they had to expend time and money to do so.

That made the risk relatively small because in order for somebody to expend time and money to track you down, they probably had to have some decent reason. Maybe you owed them money or they were really interested in you for some reason. But what about today, somebody who tracks you down because you said something that they disagreed with online?

You posted something in a Facebook post. See, most people don't do it because most people are rational and thoughtful and they just unfriend you and move on. But there's a small portion of the population that doesn't stop with that. And so you should be concerned with that. You should be concerned with that, especially if you have an elevated risk profile because you are financially successful, you are a religious or political ideologue.

If you have any opinion that's out of the mainstream, no matter how well hidden that opinion is, if you do something that all of a sudden other people like and they think they're helping you and you publish something online, some cute little gif that you made and then all of a sudden you've got CNN knocking on your door saying, "Hey, you published this gif," and now all of a sudden your life is exposed.

Next thing you know, you've got the 4chan trolls doxing you, to use the language in the vernacular of today. Just ask any journalist who's held a politically strong opinion. Just ask anybody who's in the public eye and all of a sudden you realize this risk is historically new. This has not existed before.

Now, most of us are not in the public eye, so most of us don't face all of those risks, but your finances are a tempting and attractive target, and they always have been. But the ways of targeting you have changed. Yes, if you hired a house cleaner, that house cleaner could have had access to your information and could have possibly stolen something valuable from your house.

But today it's a lot better because if the housekeeper can just simply find out the proper numbers, the housekeeper can very quietly put themselves in a situation where they have the opportunity to take your money without you ever knowing it. These are historically new problems, and our current approaches to defense are woefully, woefully inadequate.

Some of the experts on security that I follow and read maintain that there is no personal solution that can be accomplished and that it has to be a regulatory governmental solution. Well, as somebody who has no confidence in governmental regulatory solutions having any positive effect and just simply making things worse, I kind of doubt that.

I have to acknowledge that maybe they're right. Time will tell. Time will tell us, see. But I can't point to anything that has gotten all that much better because of increased government regulatory oversight. And even if it did get better, I have no confidence whatsoever that it would actually affect things that are because the way that laws are written, at least in the United States and just about every other country, is the companies who are involved are the ones who write the laws.

They pass them along to their politicians. The politicians put them in under the politicians' name, and things get better for the companies. So what is your relationship with Equifax? This is what I find so obnoxious. When a company like Equifax comes out and says, "We're going to talk about protecting our customers' information.

We want to protect that." Well, here's the problem. You are not a customer of Equifax. You are the product of Equifax. You're the product that they sell to their customers. And just speaking in the simplest terms of the Equifax business model, they sell your information to a credit card company or to a lender who wants to lend you money.

So the customer of Equifax is the credit card company. The customer is the lender. That's why most often in Equifax's information on their website, for example, you can see in their information they refer to you as the consumer because you're not their customer. You're the product. And it's the same thing with, for example, social media.

You're not a customer of Facebook. You are the product of Facebook. You are what Facebook sells. If I as a marketer want to reach you, I buy you and your information from Facebook. You are not the customer of Google. You are the product that Google sells. They sell you and your data and your information.

And forgive me, I've gotten – as you could tell, I feel a little bit passionate about the subject. But I've again veered into the ditch of impassioned screeching rather than giving useful information. So what do you do? Let's talk useful and let me get back on track. Number one, your immediate action, as I have said on Radical Personal Finance since the very beginning of the show, is you must freeze your credit reports.

You must freeze your credit reports. You must freeze them for you, for your spouse, and for your children. The only action step that actually protects you from identity theft is for you to freeze your credit reports. You should do that with Equifax, Experian, TransUnion, and the new kid on the block.

Not necessarily new, but the fourth one that I'm now pursuing myself is Innovis. You must freeze your credit report. If you have not frozen your credit report, if that's not the case, you do not have another step that I'm aware of. You do not have anything else that will actually protect your identity from being used.

And even the frozen credit report doesn't stop all fraud. For example, it doesn't stop IRS fraud. It doesn't matter if you have LifeLock. It doesn't matter if you have Zander Insurance. It doesn't matter if you have Equifax credit monitoring or Experian credit monitoring or blah, blah, blah. All those things do is tell you that someone has stolen your identity and you get to go and check it out.

The only thing you can do to protect yourself is to establish a credit freeze. That's it. Now, this is nothing new. I've been saying this ever since I started. It's one of the ones that frustrate me as far as advertisers. I think there's value in having LifeLock. I think there's value in having Zander Insurance or whomever.

But the problem is those don't do anything to stop the theft in advance. A credit freeze is the only thing that stops the theft. And guess what? The credit agencies hate. They hate credit freezes. Why? Well, because it means that with a credit freeze, they can no longer sell your information to their customers.

They can no longer sell your credit file to the companies who are seeking to pre-screen you for credit offers. If the idea of a credit freeze is new to you, I want you to understand very carefully what it is. And I'll tell you that there are basically two people who it's not right for.

But if you don't fall into one of these two categories, you should have your credit frozen all the time. A credit freeze means that somebody who inquires of a credit reporting agency to gain access to your record, to find out what's in it, to find out do you pay your debts on time or do you not, how many debts do you have?

They cannot have access to that information unless the credit file is opened. And the only way to open it is for you to manually open it using the appropriate information, the private PIN code that you have been issued when you froze your credit. A credit freeze locks your credit file and it does so very effectively.

A credit freeze locks your credit file so that nobody can access it. That means that if somebody is in Sears trying to apply for a Sears Store credit card or a Target credit card and they're using your number, your name, your address, your social security number, your date of birth, it doesn't matter if they have all that information right, they still, when Target runs the credit application to pull your credit file, they're not going to have access to the file and they'll be denied.

That's what a credit freeze does. I have had my credit frozen for years. I've frozen it, unfrozen it. If I ever needed access to the credit, I can easily unfreeze it. This is a simple thing to do and the credit companies hate it. Interestingly, Equifax has faced significant pressure because they wanted to have people sign up for their TrustedID program.

They wanted to have people sign up for their TrustedID Premier, their Equifax security monitoring system, give you a free introductory year, bill you with a credit card, which will probably be released to the data thieves, bill you with a credit card, and then you'll continue to have access to it in the long run.

But that way they can still sell your information. Well, of course, consumer advocates for years have been talking about credit freezes. Equifax had an opportunity for people to do that. Their systems became overloaded. Those of you who've tried to do it electronically have probably experienced some problems. You can do it via the mail.

I'll publish directions on how to do it if you're having trouble with the electronic systems. But they were charging money for it. And that's a number of how much it costs. Change is based upon the state. In the state of Florida, I pay the maximum, which is $10. Every time I want to freeze or unfreeze, it costs me $10 with each of the credit agencies.

Well, finally, after huge pressure, Equifax has finally said, "Well, we're actually not going to make the charge. We're going to allow you to do it with Equifax for free." Well, fine. Good for them. They hate it, but good for them. So you need to freeze your credit. Every one of you listening, you need to freeze your credit.

Here are the only exceptions that I can think of for who shouldn't freeze their credit. If you are regularly, routinely, frequently making applications for credit and you have no intention of changing that behavior, a credit freeze will be unwieldy for you. An example would be if you are a travel hacker and you seek to establish lots of free travel for yourself by routinely applying for new credit cards with various airline mile bonuses and various hotel point bonuses, things like that.

And you're the kind of person who you'll apply for a half a dozen cards every few months. You will find the idea of a credit freeze unwieldy. It's just going to be too much hassle to deal with. Or let's say that you are somebody who is digging your way out of credit card debt.

You have many credit cards and you're trying to surf those balances. Once you get into the world of deep credit card debt, you need to do everything you can to keep your rates low and to keep your costs low. And if you have a good borrowing history, oftentimes you can surf your balances from card to card to card.

And companies will screen you for new applications. You usually get new 0% APR with 0% balance transfer fees offers while you're bouncing from card to card. And then they'll send you off for some of your existing cards if you surf a balance off of it and you have a $0 and they run your credit file and find out that you have a low balance.

They'll offer you another 0% offer. And some of the companies are very aggressive about it. So if you're in that process, you can't have your credit file frozen because you need to surf those balances until you get them gone. But if those situations don't apply for you, if you're not frequently, routinely, regularly applying for new lines of credit, there's no reason for you not to have your credit file frozen.

If you have your credit file frozen and you want to go and apply for, say, a mortgage, it's simple to do. You can actually unthaw your credit for a significant period of time. Let's say you're applying for a mortgage. You can unthaw your credit for a period of, say, three months.

That'll get you through the closing time, the mortgage application process, et cetera, and then it'll automatically close down after that. Or you can manually trigger the freeze and the thaw at any point. So freeze your credit. I will publish in the show notes two credit guides. One is Clark Howard who publishes great information on it.

And then the second is a few pages from previous Radical Personal Finance guests – well, Justin Carroll was previously the guest – from the excellent book called The Complete Privacy and Security Desk Reference by Justin Carroll and Michael Bazzell. And both of them have – they published an excerpt from that book on how to actually establish a credit freeze.

And then their information was good and excellent. They published that as a PDF. I've linked that on my Twitter profile, and I will link that in the show notes for today's show. But I hope I've been clear enough. You need to freeze your credit. That's one thing you need to do, number one.

I encourage you to place a fraud alert on your account. Place a fraud alert on your account. A fraud alert will additionally bring scrutiny and carefulness to this scenario. By having a fraud alert on your account, it will establish other hoops. Again, this wouldn't be appropriate if you don't have issues, but the fraud alert will be helpful.

And if you are impacted, if you can prove that you're impacted especially, I would encourage you to take very careful care of making sure that you keep the details on this. And if possible, one of the things – I will release an episode of Justin Carroll and Michael Bazzell's podcast that I listened to on this subject.

They did a good job and they talked about encouraging people to file a police report. I've seen some feedback that some people haven't been able to do that. Some people are trying to do that. I think it's a good idea. File a police report. If you're the victim of fraud – and guess what?

You are now the victim of fraud. That opens up other opportunities for you. Number one, you don't have to pay for the credit freezes and unfreezes, et cetera. That will be useful to you in other areas of planning as well. But place a fraud alert. Consider filing a police report on your credit accounts.

Next, you should immediately – if you don't do this every year on a regular schedule, you should immediately download all of your credit files from AnnualCreditReport.com. That's the official site that allows you once a year without cost to download all of your credit files. Download and review them carefully to make sure that nothing has changed.

Make sure that everything is just how it is. And that will also help you to have it in case somebody starts opening credit files in your name. That's valuable and important. Download your credit reports. Make sure you save those in a safe and secure location. Obviously, those should be saved in an encrypted file on your computer, password protected and fully encrypted.

This is a historically new time in our modern world. And what it means is you have to develop historically new skills such as being running – knowing what it's like to run an encrypted computer, knowing how to save files in an encrypted format. These are new skills that we all have to develop.

Next, I think you should consider changing all of your credit card numbers. I personally intend to do this. I personally intend to have all of my card numbers changed and new cards issued due to this breach. Equifax confirms their numbers. They confirm that 200,000 people have had their credit card numbers disclosed.

Now it seems like it's probably some of those people who had signed up – used those credit cards to sign up for accounts online, like credit monitoring. But I can't find good confirmation of that. So the point is that there have been credit card numbers that have been disclosed.

Obviously, there's a big difference between 200,000 credit card numbers disclosed and 143 million credit card numbers disclosed. But it doesn't cost you anything to have your credit cards reset with new numbers and it's fairly simple to do. It's a hassle because if you have things that are billed primarily to your credit cards, that means that you will need to – you will need to change the credit card numbers that are being used.

I think this is a really good time for you to establish a new cutout with your credit information and to use something like Privacy.com as your payment information. Privacy.com will be tied to your checking account, so it won't affect your credit card. But you can also do that for using a SudoPay number or a Blur credit card.

These are the three services that I think are currently the best. Some of your banks will offer you virtual credit card numbers for online transactions. I think it's a good idea and a new skill set that we need to apply consistently is to always use a new different credit card number for any kind of transaction that's being done.

The risk is too high and the value – and the tools are becoming simpler and easier. So at the very least, consider getting new credit card numbers. I don't think that's a mandatory piece of advice, but I think it's a good idea. I do think you must carefully watch your accounts.

If you are not in the habit of watching every transaction through your accounts, you must carefully watch them. And you need to make sure that you never use a debit card online, that you're always using a credit card online. Now, if you are committed to not owning a credit card, which by the way would be one way of getting out of the Equifax system, where I'm a little hypocritical and railing against Equifax but then continuing to have a credit card because, well, I can't get them to delete my file, which angers me.

But I'm still using their services, so I need to be careful and not be too strong in my comments against them. But if you are not using a credit card, you can at least use something – excuse me. If you are not using a credit card, you can at least use something like a Privacy.com debit card, which will allow you to have some protection from using your direct debit card number online.

Or if you only use debit cards, make sure that you have segregated accounts and you have an account that you use the debit card for, and that's different from your main banking account. It's not a matter of the ultimate fraud protection. That's a question. Generally, banks are generous. Generally, there's good fraud protection on both debit cards and credit cards.

The functional problem if your debit card number is stolen is all the money is wiped out of your checking account right when your mortgage payment was being sent off. At least if the money is wiped on your credit card, you get the statement, you call the credit card company, you start the dispute process.

You're not out the money that you needed to make your mortgage payment to keep it current. But if your bank is slow to accept your dispute process, if the bank doesn't immediately refund the money that was taken from your checking account because you used a debit card online, now all of a sudden your mortgage payment might bounce, and that's a significant problem.

So pay careful attention to your transactions. Pay careful attention and scrutinize your transactions carefully. It would be a good idea for you to systematically update your online account login information. Each of your account logins for any online account should be a unique username that's not used anywhere else. If possible, a unique email address that's not used anywhere else.

This is easy with various services. The most common, simplest solution today would be the service called Blur at abine.com. It allows you to create a new masked email address for any online – for any application desired. And so each of your credit card companies or any online account should have a new and unique email address and unique and strong passwords across all of your accounts with two-factor authentication established.

I don't know if this particular piece of advice will have any impact because of the theft from Equifax. I don't see any reason why this particular advice would be connected to the Equifax, but it's important while giving advice that you recognize that these things are important because the next breach is not going to be from Equifax.

The next breach is going to be from your email provider or it's going to be from Apple and all of the logins that are saved on your Apple Safari passwords, et cetera. The Equifax breach is just the tip of the iceberg. It's the big, giant tip of the iceberg, but it's still just the tip of the iceberg.

There are about a bazillion more breaches coming because that's the world that we live in today. And so you need to develop new defense mechanisms, and there's no insurance you can buy for this. You got to do it yourself. Two more pieces of advice and I'm done for today.

Number one – next, you should consider filing your taxes as quickly as you can. Once you get the information, get your taxes filed as quickly as you can because with the theft of your credit information, that can have an impact with financial transactions. But you should be able to lock most of that down.

You should be able to lock most of that down with regard to your accounts. If your credit is frozen, somebody shouldn't be able to take information out in your name. And number two, you should have good protection for fraudulent transactions in your bank accounts and your credit cards. But one thing that's not affected by that is your filings with the IRS, and tax fraud is a huge deal.

Now, in the last few years, the IRS has been making a few changes. But still, if taxes are often filed on people with – where people steal your social security number, file taxes in your name. File a return that gets them money. That's the way that the fraud works is they file a return in your name.

They file a return that creates a refund, usually using something – some income numbers and some expense numbers that will qualify them for the earned income credit, which is a refundable tax credit where you get more money back from the US government than you put in. That's what the big one is, the earned income tax credit.

And that's what makes tax fraud profitable. And they can send it back and depending on the filing mechanism, they could get a debit card or a card with a loan from the person they were filing it with. The IRS will frequently send out the check. They'll frequently wire the money out.

And a few years ago, I mean there was a crazy, crazy numbers of tax fraud of money that was piled into inmates, currently convicted inmates who are currently in prison and the money that they were getting from the IRS through their tax fraud. Now, the IRS has been changing a few things.

For example, when you e-file information, they require you to use your previous year's AGI and they're trying to fight this. And I believe if memory is correct that the rates have come down a little bit. But this is a huge danger and you don't want to be embroiled in this mess if you can help it.

I've worked with a few people who are embroiled with disputes with the IRS over fraudulent returns that have been filed and it's a nightmare. You think it's a nightmare to keep your tax records clean now? Well, just start having fraudulent returns filed in your name, addresses messed up, all the stuff messed up.

It's a nightmare. So file your taxes as quickly as you can so that you can get in there first before somebody can use that for information. I have seen other consumer experts recommend that and it makes sense to me based upon the knowledge of this issue in this industry.

And finally, we come to phishing attacks. Phishing attacks are probably the biggest risk that we face. With this information, with this data that's been released, somebody can put together a phishing attack. They can create an email that will look very, very important to you, very, very tailored, custom tailored to you.

And they'll send it to you saying, "You need to change something. You need to adjust something. You need to fix something." They'll send that email to you and the email will contain a link and you'll click on it and then problems will ensue. Now, don't think that this can't happen to you.

I've heard of in studying this subject for the last couple of years, I have heard of successful phishing attacks happening to computer security experts, people who are laser focused, even people who work in the computer security world creating phishing attacks towards other people who get fooled from time to time.

You've got to be careful. Don't click on links. Don't believe anything that's sent to you. Don't believe emails that are sent to you by anybody. Just assume it's all wrong. If your people need to get a hold of you, they will in another means. Equifax will mail you. The IRS will send you mail and then you can research something and deal with it.

But don't click on links and don't fall prey to a phishing attack. An email masquerading as an official email that comes into your inbox. Now, we don't know how this information will be used. Once information is out on the open market, it's turned into data packages which are then sold and resold and can be resold a gazillion times.

And so there may be people that use the data in simple ways and they just try to apply for a credit card. Well, that may be simple. That may be easy to avoid. But if you're a high-profile target, there's no guarantee that this data can't be turned against you.

One of the most fearful books that I have read in the last few years was a Tom Clancy novel called "True Faith and Allegiance." It was published after his death by one of the authors who writes under the Tom Clancy brand now. It was published last year, this year.

No, last year, 2016. It's 2017 now. And it's called "True Faith and Allegiance." And the basic premise of the book is that based upon what's called the open-source intelligence, the freely available information that's freely available about you, a foreign hacker, a foreign entrepreneur used information from a data file that he was able to get access to and started selling that information to, in the plot of the book, terrorists who were interested in applying that information for their own purposes.

And they used that information for political ends. Now, I have not – that's not a spoiler – there was no spoiler alert needed. I haven't ruined the book for you. If you enjoy thrillers or if this is a subject of interest to you, read Tom Clancy. Read the Tom Clancy book called "True Faith and Allegiance." It's part of the Jack Ryan series.

And it will chill you because there's nothing in that book that you or I can't do. If somebody is out to target you, they could probably do this without a data breach. But if you're a high-profile person and now this data file is publicly available for purchase by the people who stole it on the dark web, now all of that information is possibly in the hands of a malicious person.

Thankfully, almost all of us – very few of us have anything to worry about with regard to that. But you should take it seriously and then think about what skills do you need to learn to protect yourself going forward. My friends, we are in new territory with this subject.

I do not know where that firm line is between how much is enough and how much is too much. I really do not and I don't know any way to answer the question. I have no idea how to know. You know, you just say, "Well, that's enough. I've taken enough steps. What's enough?" I don't know. I really don't. Time will tell. I mean, I'm seeing things, reports of wire transfers and fraudulent transactions even this soon after the breach. I'm hesitant to believe things until more investigations are done. It's too new. I don't know what you should or shouldn't do.

I know you should freeze your credit. That's simple and easy. That's no brainer. You should do these things. You should watch your accounts. Well, that's simple and obvious. We all know that. Very few of us do it, but we all know that. Beyond that, what should you do? I have no idea.

I will continue to research the subject as I have in the last couple of years. I'll try as I am able to figure out how to answer them. If you have specific questions, call into a Q&A show and ask about techniques, and I'll tell you what I've learned. I fear that too much of today's show was a little bit of a screed, and again, I apologize.

But it's a subject that is legitimately new. These are risks that are legitimately new. All you need to do is just recognize. I expect in the coming years more and more of us will start to bear the brunt of the changing circumstances. All you need to do is just look at the stories of some of the reporters who were targeted during the recent U.S. presidential election.

Look at some of the accounts of what people face when they do something that's politically unpopular. I go back again to you shoot a lion on your safari in Africa and your life is destroyed. Just hold an opinion that's unpopular. I expect to be on the Southern Poverty Law Center hate group list at some point in the future.

Well, try booking things once you get on the Southern Poverty Law Center hate group list. Try booking things once an organization that's built starts to list you as an opponent for having an unpopular or unpalatable idea. This is a new era, and the Equifax breach should be a wakeful moment for you.

It should wake you up. Waking up, to borrow Sam Harris's line. I'll be back with you soon, and I wish you all a great day. This show is part of the Radical Life Media network of podcasts and resources. Find out more at Radical Life Media dot com.