This week's alarming cybercrime news is the Anthem breach, where possibly 80 million sensitive customer records were snatched from America's second largest health insurance company.
It's ugly news. Healthcare record storage is where we're flat-out vulnerable, yet there's little we can do to protect our information when it's in someone else's hands.
With no encryption, the thieves were able to essentially lift the lid on the candy jar and make off with fistfuls of names, birthdates, physical/email addresses, Anthem medical IDs (used for logging in at Anthem, among other things), and Social Security numbers.
So what the hell are we supposed to do?
Millions of people are wondering the same thing, and it seems like every day there's a new security problem somewhere, putting us at risk of identity theft, using our names for fraudulent Apple transactions, and worse.
It's time for us to get ahead of the doofuses screwing around with our private information. One good way to do this is to take steps to protect yourself -- especially if you're in the Anthem victim pool.
1. Enact a credit freeze ASAP. And a fraud alert.
Not many people know that they can place a "security freeze" on their credit. A security freeze is different from a fraud alert -- which you should also set up. A security freeze is one of the top ways to prevent identity theft: no one can check your credit without your permission, and if someone tries to do anything to your credit without your consent, you find out, and the criminals are blocked.
It's not free: it usually costs around ten dollars (and you have to do it at each credit agency's website, Experian, TransUnion and Equifax, who don't make it easy). It will cost you another ten dollars to lift the freeze, which is what you'll do when you apply for credit cards or loans in the future.
Look, I'm making a security freeze fiesta easier for you:
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/securityfreeze
- Equifax: freeze.equifax.com
Here are the links you'll need to set fraud alerts:
- Experian: experian.com/fraud
- TransUnion: fraud.transunion.com
- Equifax: alerts.equifax.com
2. Activate two-factor authentication (aka 2FA) everywhere you can.
More sites are starting to offer 2FA, and that's a good thing: Twitter, Apple, Google, Microsoft, Facebook, and Amazon all do, as do some banks and credit cards.
Two-factor is simply when a second step is added in the login process.
For instance with Google and Twitter's 2FA, after you login normally, a code is sent to your phone via text, voice call, or their mobile apps -- it's easy, and worth the peace of mind.
3. Change passwords and login usernames with all accounts associated with your Anthem account.
Anthem has an email address connected to your account, and you need to consider that address a target for thieves from now on.
Change your Anthem password and the passwords for all other accounts that use the same password -- but you have to make them all different passwords from now on.
Make a list of all the accounts also linked to that email address, and change those passwords as a precaution; if that email address is a login (user name) on any accounts, you should change that, too.
Some things can make this process much easier, like setting up a password manager -- not your computer or browser remembering your passwords, which is easy to hack. I rely on 1Password and Abine's Blur.
Yes, it's a massive chore and an inconvenience. Be angry at Anthem.
4. Set alerts on your charge accounts.
Anthem said credit card information wasn't stolen in the heist, but you're better safe now than sorry later. More importantly, the thieves got everything they need to ruin your credit and run up your cards -- so do two things for each of your credit cards.
Notify each card that you are the victim of a massive data breach. Your credit card's customer assistance may be idiots in their response to you, but you need to get your warning on the record in case anything comes up later.
Next, set up an alert on your credit card for unusual charges: gas station charges, charges from outside the country, or charges over a certain amount.
Each card will have different options; just pick something. Then get in the habit of logging in and checking your accounts every few days for fraudulent activity.
5. Learn about phishing, now, and don't click links that don't look right.
The information stolen about you will be used for phishing, eventually, by someone. There are helpful, easy info guides on how to spot phishing in Microsoft's How to recognize phishing email messages, links, or phone calls, and Google's About Phishing. Just take a minute to read them, you'll be glad you did.
Take it seriously if your accounts start prompting for password resets you know you didn't initiate, or if you start getting account recovery emails about an account that is yours. Beware of account recovery emails for accounts you know are not yours: these are probably fake ("phishing") emails designed to trick you into clicking links and entering passwords, and might get you hacked.
6. Keep an eye on the trash, sent and spam folders in your email account.
Anthem's account password reset (when you forget your username or password) relies on either your email address or your member number.
When someone malicious starts stealing your accounts and resetting your passwords, one thing they'll do is get into your email account without your knowledge, and set a filter so that any emails notifying you about changes to online accounts will bypass your inbox -- so you don't see what's happening.
Watch your email account's spam, sent and trash folders for unusual activity, and if your trash or spam folders magically empty themselves, change your email password immediately (on the spot), and go into lockdown mode on all of your critical accounts.
7. Keep account reset links handy, just in case.
If you get hacked, the first thing you should do is see what accounts you can access, reset the passwords where possible, and check all the settings carefully.
Next, contact websites where you have accounts that you can't reset the passwords on, and follow the respective recovery processes. Many online services have online forms you can fill out or procedures for you to follow when you've been hacked or locked out of your account.
Google is not known for customer service -- but don't forget, neither is Yahoo, Hotmail, or any other "free" online business. But you'll have to put up with them to get your accounts back; here's a short list of forms and phone numbers to get you started.
- Amazon: When signed in, use Help > Contact Us
- Apple: Reset your Apple ID password at iforgot.apple.com/password/verify/appleid or find your Apple ID at iforgot.apple.com/appleid
- eBay: 866-961-9253 -- tell them you'd like to talk about "Account - Someone has used your account"
- Facebook: facebook.com/hacked
- Google: google.com/accounts/recovery
- Microsoft (Outlook, Xbox, Hotmail, and so on): account.live.com/acsr
- PayPal: 1-888-221-1161 (outside US call 1-402-935-2050)
- Twitter: support.twitter.com/forms/hacked
- Yahoo: help.yahoo.com/kb/helpcentral or 1-800-318-0612
Whatever you do, don't feel overwhelmed or get upset -- be methodical. With the ridiculous state of today's information security, you're far from alone.