Jon Healey / Los Angeles Times (TNS)
Another day, another massive data breach claimed by hackers. Days after a security breach at T-Mobile exposed the personal information of around 53 million people, a hacking group called ShinyHunters announced that they were auctioning 70 million sensitive pieces of information that were allegedly stolen from AT&T.
The information offered for sale was similar for both violations, including full names, addresses, dates of birth, and social security numbers. In short, it’s the foundation of identity theft.
AT&T responded on Friday with doubts about the prolific ShinyHunters cabal’s claim, stating that “[b]According to our investigation today, the information that emerged in an internet chat room does not appear to have come from our systems. “
However, regardless of where the data came from, if valid, it can be a nightmare for anyone whose sensitive information is exposed. Here is a quick guide to the risks you may face and some of the steps you can take to protect yourself.
What are the risks?
Social Security Numbers are widely used by the federal government, banks, investment companies, state benefit programs, and insurers to verify your identity. Your stolen social security number can be used to open fraudulent credit card accounts, divert or fraudulently collect benefits, and commit fraud in the workplace, among other things. Put in your name, date of birth, and email address (which the ShinyHunters allegedly stole too) and it’s a lot easier for someone to impersonate you.
Identity thieves could use this information to target both you and the banks, insurance companies, and other companies you do business with. For example, you could use it to make phishing emails appear more realistic and trick you into revealing additional sensitive information such as a password or a personal identification number (PIN). Or they could fool your bank into changing your account password to give them access to your money.
The T-Mobile violation has also exposed the phone numbers, device identifiers, and SIM card numbers of more than 13 million of its current customers. This creates an opening for at least one other malicious possibility: a SIM swap attack. This is where someone is persuading your carrier to transfer your number to another device, which they then use to try to break into the accounts you have linked to your phone number.
It is more and more common for people to use their mobile phone number to verify their identity – for example, when they want to log into their online banking account or want to reset their password. However, that convenience can backfire if your number is hacked and then used to impersonate you online.
Why Do Phone Companies Want Your Social Security Number?
Because it’s the easiest way to check your creditworthiness. Companies like AT&T and T-Mobile want to know if you’ve paid your bills on time before agreeing to give you an account or sell you a phone in monthly installments. And the major credit rating agencies use social security numbers to match people to their credit history.
“The SSN is the only unique universal identifier for the entire population,” said Francis Creighton of the Consumer Data Industry Association, which represents the credit bureaus. “There is nothing else it can replace in the market today.”
The social security numbers also help protect yourself from people creating fraudulent credit reports, Creighton said. And while there are ways to get a credit score that doesn’t depend on your Social Security number, the first step is for a lender or service provider not to ask for it. You can’t be compelled by a telephone company or other privately owned company to give you your number, but in California and most other states they can refuse to serve you.
However, once you’ve paid off your new phone or switched operator, your wireless company will stop filing reports about you with credit bureaus, Creighton said. Even so, the hackers behind the recent T-Mobile breach were able to steal Social Security numbers from former T-Mobile customers that the company was clinging to for some reason.
Over the past decade, technology companies have developed alternative ways to identify people to help protect against identity theft, said André Ferraz, CEO of Incognia, one of those tech companies. Ideally, Ferraz said, companies would supplement identifiers that cannot be changed, such as social security numbers, with identifiers based on a person’s unique behavior that evolves over time. Unfortunately, these solutions are not yet widely used.
How do you protect yourself?
The best thing you can do is freeze your credit files to prevent anyone from opening a new account. It’s free to place a freeze and raise it for your own needs. But you have to speak to each of the three big credit bureaus individually about what you can do online. Cybersecurity expert Brian Krebs also suggests freezing the credit files that are held by a handful of smaller, specialized agencies. You should also do regular credit checks, which is a great way to spot fraud after it happens.
Credit and identity surveillance services, which typically charge a monthly fee, can also help uncover the work of identity thieves. They provide tools to protect you from phishing and other forms of hacking, combined with scanning services that look up your social security number or email address in places on the internet where it doesn’t belong.
T-Mobile is offering McAfee’s surveillance service free of charge for two years to anyone affected by the breach. It has set up a website that suggests further steps people can take to protect themselves from fraud. Anyone with a smartphone would be smart to take them with them:
– Create a PIN for your mobile phone account to provide an additional level of security against unauthorized changes to your account, e.g. B. a malicious SIM exchange. If you are a T-Mobile customer and have a PIN, set a new one.
– Activate the T-Mobile “Protection against account transfer” function, which offers additional protection in addition to the PIN. Verizon goes even further and automatically blocks SIM swaps by shutting down both the new and existing devices until the account holder gets involved with the existing device.
– Change the password you use to access your mobile phone account online. Changing passwords regularly is a best practice for all of your accounts. And if you’re struggling to remember dozens of passwords, try a password manager app that can keep track of them for you.
On the other hand, two-factor authentication is becoming the standard on the internet, which improves security across the web. But too many websites encourage you to turn this second factor into a text message sent to your phone number, promoting SIM swap fraud. If possible, use an authentication app instead.