Hackers Steal More Social Security Numbers
Jon Healey / Los Angeles Times (TNS)
Another day another massive data breach claimed by hackers. Days after a T-Mobile breach revealed the personal information of about 53 million people, a hacking group known as ShinyHunters announced it was auctioning 70 million sets of sensitive data. allegedly stolen from AT&T.
The information offered for sale was similar in both cases, including full names, addresses, dates of birth and social security numbers. In short, this is the foundation of identity theft.
AT&T responded on Friday by questioning the claim of the prolific ShinyHunters cabal, stating that “[b]According to our survey today, information that appeared in an internet chat room does not appear to be coming from our systems. “
Regardless of where the data comes from, however, if valid, it could be a nightmare for anyone whose sensitive information is exposed. Here’s a quick guide to the risks you might face and some of the things you can do to protect yourself.
What are the risks ?
Social security numbers are widely used by the federal government, banks, investment firms, government benefit programs, and insurers to verify your identity. Your stolen social security number can be used to open fraudulent credit card accounts, misappropriate or fraudulently collect benefits, and commit workplace fraud, among other forms of deception. Add your name, date of birth, and email address (which the ShinyHunters claim they stole as well), and it’s a lot easier for someone to pretend to be you.
Identity thieves could use this information to target both you and the banks, insurers, and other businesses you do business with. For example, they could use it to make phishing emails more realistic, helping persuade you to give out additional sensitive information such as a password or personal identification number (PIN). Or they could use it to trick your bank into allowing it to change your account password, thereby giving it access to your money.
T-Mobile’s breach also exposed the phone numbers, device IDs and SIM card numbers of more than 13 million of its current customers. This creates an opening for at least one other malicious possibility: a SIM swap attack. This is where someone persuades your mobile carrier to port your number to another device, which they then use to attempt to access accounts that you have linked to your phone number.
It is more and more common for people to use their cell phone numbers to verify their identity, for example when they log into their online bank account or when they want to reset their password. But that convenience can backfire if your number is hacked and then used to steal your identity online.
Why Do Phone Companies Want Your Social Security Number?
Because it’s the easiest way to check your credit score. Companies like AT&T and T-Mobile want to know if you’ve ever paid your bills on time before agreeing to provide you with an account or sell you a phone in monthly installments. And the major credit rating agencies use Social Security numbers to match people with their credit histories.
“The SSN is the only unique universal identifier for the entire population,” said Francis Creighton of the Consumer Data Industry Association, which represents credit bureaus. “There is nothing else that can replace it on the market today.”
Social Security numbers also help guard against people who file fraudulent credit reports, Creighton said. And while there are ways to build a credit score that don’t rely on your Social Security number, he said, the first step is for a lender or service provider not to ask for it. . You cannot be coerced by a telephone company or other private sector company to reveal your number, but in California and most other states, the company can refuse to serve you as a result.
Once you pay for your new phone or change carriers, your mobile phone company will no longer file reports about you with the credit bureaus, Creighton said. Nonetheless, the hackers behind the latest T-Mobile breach were able to steal the social security numbers of former T-Mobile customers that the company was keeping for some reason.
Over the past decade, tech companies have developed alternative ways of identifying people to help protect against identity theft, said André Ferraz, CEO of Incognia, one of those tech companies. Ideally, Ferraz said, companies would supplement identifiers that cannot be changed, such as Social Security numbers, with identifiers based on a person’s unique behaviors, which change over time. Unfortunately, these solutions have not yet been widely adopted.
How do you protect yourself?
The best thing you can do is freeze your credit reports, which will prevent anyone from opening a new account. It is free to place a gel and lift it for your own needs. But you need to contact each of the three major credit bureaus individually, which you can do online. Cyber security expert Brian Krebs also suggests freezing credit files kept by a handful of smaller specialist agencies. You should also check your credit score regularly, which is a good way to spot fraud once it happens.
Credit and identity checking services, which typically have a monthly fee, can also help uncover the work of identity thieves. They provide tools to prevent you from phishing and other forms of hacking, combined with analytics services that look up your social security number or email address in places online that it doesn’t belong to.
T-Mobile is providing two years of McAfee’s monitoring service free of charge to anyone affected by the breach. He has put together a website suggesting more steps people can take to prevent fraud. Anyone with a smartphone would be advised to take them:
– Create a PIN code for your mobile phone account to provide an additional layer of security against unauthorized changes to your account, such as malicious SIM swap. If you are a T-Mobile customer and have a PIN code, set a new one.
– Activate T-Mobile’s “takeover protection” feature, which provides an additional layer of protection in addition to the PIN code. Verizon goes one step further, automatically blocking SIM swaps by shutting down both the new and existing device until the account holder looks into the existing device.
– Change the password you use to access your online mobile phone account. Changing passwords periodically is a good practice for all of your accounts. And if you’re having trouble remembering dozens of passwords, try a password manager app that can track them for you.
On the bright side, two-factor authentication is becoming the norm online, which improves security on the web. But too many sites encourage you to make that second factor a text message to your phone number, which encourages SIM swap fraud. If possible, use an authenticator app instead.