More and more often, we are hearing about data breaches and hacks in the news. Oftentimes, your personal identifying information, or PII, may be compromised or leaked through no fault of your own. And while this can be a serious matter, Amy Walls and Jag are going to have some fun today, explaining how you can be your own superhero in the event of a data breach.
Recently, the Oregon DMV was hacked, compromising the driver's licenses, photos, birth dates, addresses, and last 4 Social Security digits of up to 3.5 million people. In another example, a software employee stole 33,000 credit reports and sold them for $30 each, netting scammers anywhere from $50 to $100 million.
First, we explain how these hacks happen, through data breaches, your own online activity, and even just plain theft of your wallet or phone. Amy shows us what these bad actors can do with your information.
Now, it's time to be your own superhero, by doing the following:
Through these strategies, you can fight "the never ending battle against cyber villains."
For more information, contact Amy Walls and her staff at 503-610-6510 or visit Thimbleberry Financial.
Jon JAG Gay: Welcome in to ThimbleberryU. I am Jon "JAG" Gay, joined, as always by Amy Walls from Thimbleberry Financial. Amy, always good to be with you.
Amy Walls: JAG, it's always great to talk with you.
Jon: We're talking about data breaches today and being your own superhero post data breach. I love this topic.
Amy: Well, this topic, full and fair disclosure, is in honor of my now seven-year-old who turned seven today. Seven-year-old boys love their superheroes, and so I think our listeners can be their own superhero with this.
Jon: I love it and I love that your son has a birthday as we're recording this on July 5th because he gets fireworks the day before his birthday every year. That's fantastic.
Amy: Yes, we're up late.
[laughter]
Jon: As an advisor, you must hear these stories a lot, Amy, about data breaches. What's the goal of today's podcast?
Amy: Yes, you're so right. We've all been there, hearing so and so was hacked and knowing that our information was likely included. What we may not be as familiar with is actually being the victim of any sort of hack, whether it's credit cards being stolen, numbers being used or data stolen off of the web without your control. I've actually had it happen twice. Once in college, I didn't shred something properly, and then just a few months ago, after a trip, two of my credit cards had fraudulent charges on them.
Jon: Oh, wow.
Amy: Luckily, mine was easy to resolve, although the painful part of it was the automatic payments that were set up and trying to figure that out in the right way. I also know people who've been told by their large national bank that the bank can no longer protect them and they have to change institutions if they want protection.
Jon: Wow.
Amy: Because the hack has been that bad.
Jon: Of the bank as opposed to the individual account.
Amy: No, the individual account and that the person having unauthorized access has gotten so deep into the bank and that real person's account that the bank can no longer provide protection because it's looking real to the bank.
Jon: That is scary. I've seen it on my credit card, too. I'll get a text from my credit card or a notification in the app, "Hey, is this you?" "Wait. No, that's not it. That's not it." Usually, that's pretty easy to resolve, but you're right, if you have to change the credit card, then every automatic bill the whole month, you've got to go through the whole thing. That is not easy either. That bank stuff certainly is really scary.
Amy: Absolutely. Those are examples where it's not full-fledged identity issues, but just someone getting access to an account, a full-fledged identity attack, is much bigger. You asked what our goal was today. I'd love for our listeners to have a clear idea of what they can do to protect themselves when they hear they are part of or likely part of a breach and to have some fun with us today.
Jon: Yes, this is a serious topic. We got to keep it a little bit light for some balance here.
Amy: Absolutely.
Jon: Are there any recent incidents you can tell us about where that PII, that personal identifying information, but not the financial piece of it was stolen?
Amy: Yes. It was one of my thoughts in us talking about this today. In June, the Oregon Department of Motor Vehicles, the DMV announced that in May, they were hacked and personal identifying information was stolen. 3.5 million people are part of this breach.
Jon: Oh, wow.
Amy: They aren't the only institution that was hacked. In this case, the DMV doesn't have access to any financial information, so that wasn't stolen, but your foundational personal info that would let someone set themselves up to be you was stolen. Your driver's license info, your photo on your driver's license, your birth date, your address, addresses, the last four of your Social Security number. These are the types of information that was taken.
Jon: That part is scary, Amy, when you think about needing your driver's license for anything and setting something up and somebody could get into that. Wow.
Amy: Yes, it was big. We don't yet know the repercussions and honestly may never fully know, but a big fear in this kind of attack is that the attackers take out loans in the names of the victim. They have a lot of information in order to be able to do so and to say, "Hey, I'm Amy Walls." This is the norm of our digital age, and we can worry about it, or we can take action and be our own hero. In the past, we've talked about what we control, what we influence, and what we don't control and influence. We don't control this. Everybody is susceptible to it at this point, but what we can do is influence it. That's where I think we can become the superheroes.
Jon: Absolutely.
Amy: You asked for examples, another example would be a gentleman named-- Gentleman might be a strong, generous term. Philip Cummings. He stole 33,000 credit reports from the software company he worked for and sold them for $30 each.
Jon: Oh.
Amy: $30 each, it's a lot. It's a volume game for him. The scammers who bought the information net roughly $50 to $100 million from those same customers.
Jon: By having access to all of that information. Yes, I don't think gentleman is a good word either.
Amy: [laughs]
Jon: All right, I'm imagining we're talking superheroes. I'm picturing my wife, who I've talked about previously in the podcast, flying through the sky as a superhero to fix this, come and tell me she's going to help. Before we focus on being our own hero, how is this done?
Amy: One, let's just say, I think to you and I and most of our listeners, this probably seems like a huge waste of effort to be on the end of trying to hack this stuff when that effort could be used for good. It's obvious, but, ouch, I just can't see using my time this way. How this is being done and I'm not an expert in this, I'm a financial planner, not a forensic scientist. Data breaches, like we said, it's nothing you did or that you have control over. It's someone hacking into another system. It might be checking before using a certain vendor to understand their security and what could be at risk that would be on file.
Then there are things just by us being online that we're susceptible to. Going to unsecure sites, malware that is put on our computers or phishing attempts, emails. I'm not talking about throwing your rod in the water.
Jon: This is a P-H, not an F, phishing.
Amy: Exactly. Phishing and spam emails that you click on a link, you click on a document, you respond to something that wasn't legit. We get many of those from Microsoft. Some of them look better than others, but we're very aware as a team that we don't want to click on anything. Then Wi-Fi hacking. An easy example of this is using the Wi-Fi at a hotel or airport and doing something with your credit card and someone could be, "listening, eavesdropping" in on that Wi-Fi, and now have access to that information.
Jon: That's a big one, Amy. Whenever I am traveling, I will try to use the 5G on my phone first. I'll only use the Wi-Fi if I can't get a connection. I take note if I'm on the Wi-Fi. I don't open my banking apps, I don't open my credit card apps, I don't need anybody seeing my activity over someone else's Wi-Fi network, for sure.
Amy: Absolutely. Yes, being secure is important in those situations. Then the third way is really theft. Having your credit card stolen, losing your phone, especially if you aren't protecting it with secure logins and you're leaving things open that people can get into stuff like your apps.
Jon: It's funny you mentioned the emails earlier. My wife works for a very large company, and she has gotten emails that look like it's from her IT department, but if anything looks just a little bit off, check with your IT department and make sure. I know a lot of our listeners work in this field, too, but they always make sure if something might be a little off. She actually was influenced and was going to buy one of those trendy new cold jugs to keep her water cold. I won't mention the brand name, and she thought she found one because they're really hard to find.
She said, "Oh, they were good, they got me. There was one letter off on the website and I clicked on it and there was a purchase." Fortunately, her credit card said, "Hey, this looks a little fishy. Was this you?" She's like, "It was me, but it's a mistake. It's a spoof website." "Okay. No problem. Taken care of." You can never be too careful.
Amy: Awesome.
Jon: These identity thieves, whether they're going new school through Wi-Fi, old school through stealing your cards or your phone or anything else we've mentioned, what are they doing with all this information when they get it?
Amy: Opening fraudulent cards. Loans in your name, for example. Making unauthorized purchases from existing accounts and then what they can do is turn around and sell those items. Accessing existing accounts again and transferring money.
Jon: Wow. Transfer money out of your account to their account.
Amy: To their account, doing it in a way that's untraceable. Money laundering is the movement of money through lots of small transactions, and it's very hard to unravel. That's something that they're doing. They're layering transactions on top of transactions to make it difficult to see. They can file fraudulent tax returns or steal tax refunds by pretending to be you. They can also-- I thought this one was funny. I hadn't heard of this one. When I say funny--
Jon: Funny odd, not funny haha.
Amy: Exactly. They can file fraudulent health insurance claims.
Jon: Oh, wow.
Amy: That one was new to me.
Jon: That is not one I would have expected.
Amy: No. It's very unusual, but you can see where money can come from. The money path on that. Then they can also take the info, and just like the non gentleman we named earlier, sell that info to thieves so that they can do all of the above things. Maybe your info's been sold to multiple people that are now trying to do these things.
Jon: All right, so now we've talked about the supervillains. Let's go back to the superheroes because as we alluded to earlier, they're much more fun. What can our listeners do to protect themselves, Amy?
Amy: Well, first let's unmask the invisible intruders.
Jon: All right.
Amy: We can do that by monitoring financial accounts and credit reports. Anybody can go to annualcreditreport.com. Now, this is an area where there's lots of places saying you can do this, annualcreditreport.com is the legitimate site. You can go there, and you can get your credit reports from the three bureaus and check them. Now, my recommendation for people is don't get them all at once, because you can get them once a year, but spread them out.
Jon: Oh, I like that.
Amy: You can go get Experian in January, and TransUnion in May, and Equifax in the fall. That way, you've got one coming every few months to check, and then can repeat that cycle so it's not just once a year for all three. In looking at that, you want to make sure that the checks on your credit are legitimate. Is someone trying to get in that you don't know about? If there is, you probably want to do something about that.
Jon: That is a brilliant idea. I never would've thought of that of, I just go online, it's once a year. I'll check it once a year, but by staggering the checks for all three, you can be on top of it every three or four months. I love that.
Amy: When you're doing that, you might also choose to ice out the enemy.
Jon: I like this.
Amy: I think this is my favorite of our superhero analogies here, and really that's freezing your credit. You can contact each of the bureaus by law, they have to allow you to freeze your credit. Now, there is freezing credit and there is locking credit. Freezing is actually the better, so when you freeze your credit, basically your credit can't be checked. The upside which I think is probably obvious to our listeners, in that, yay, nobody is going to get in and open a card in my name while I've got my credit frozen. However, there is a downside. You have to remember that you froze it, and you will need your password so it's going to be really important you save this information if you set this up.
Jon: Indeed.
Amy: Because if for example, you're going to take out a loan to buy a new car, you're going to need to remove that credit freeze before you do that. Give it a little bit of time. Another thing to note is insurance rates for things like auto insurance, home insurance can be based on your credit. If your insurance company can't access your credit report, your rates may go up. I suggest reaching out to your insurance company if you're thinking about freezing your credit to find out the consequence of that. Now, knowing what some people have gone through even the example of a bank saying, National Bank saying we can't protect you any longer, that kind of headache may be worth paying just a little bit more, in insurance costs for.
The alternative which is locking your credit that's easier to turn on and off, doesn't make as big of a difference. Insurance companies as I understand it will still be able to check your credit, but it's just not as safe. It's giving this sense that there is the same level of security, but it is not as strong.
Jon: What about two-factor authentication, Amy? I know this is a big one. That's a big topic lately.
Amy: This is really putting on your two-factor armor,-
Jon: I like that.
Amy: -to shield your secrets.
Jon: I'm thinking of Captain America's vibranium shield. My wife and I are binging the Marvel movies.
Amy: My daughter would love to come over and join you for that.
Jon: [laughs]
Amy: In 2019, Alex Weinert, a Microsoft manager wrote in a blog post that MFA results in a 99.9% better likelihood that you won't be compromised.
Jon: MFA meaning multifactor authentication.
Amy: Absolutely. Using multifactor authentication is very, very smart.
Jon: That has been very useful for me in certain websites. Basically, if anybody listening isn't familiar with the terminology, it's you have to verify it's you when you try to log in with your password. It could be through an email, it could be through a text message. We're going to send you a message and a code to confirm that this is you. I've seen some websites just starting to get away from passwords in general, where log in with a one-time code. Hey, let me log into this and say, "I have an app to remember all my passwords, but sometimes I don't remember the passwords or I forget to update it in the app." So, "Oh, geez, I forget my password. Okay, text me a code, so it's going to my phone. It's definitely me logging in."
I'm starting to see more of that as well. Either way, your point is well taken, Amy, or this Alex Weinert's point is well taken. Having to verify that it's you to log into whatever website or account you're trying to get into, makes it much, much, much harder to hack.
Amy: Absolutely. Again I think we have to present both sides. We're on the superhero side positive, it also makes you much better at keeping your phone or device charged, and keeping it with you.
Jon: Or if you're my mom who got locked out of her email and her Facebook, and it took me a really, really long time to get her back in, but I love you, Mom.
Amy: I was speaking to a family member there, too.
[laughter]
Amy: Our next superhero power is the power of the unbreakable code.
Jon: I like it.
Amy: This is about creating strong and unique passwords. Interesting statistic from Comparitech, only 45% of people change their passwords following a breach.
Jon: Wow.
Amy: That says there is a lot of opportunity to become our own superheroes. Interestingly, a 12-character password takes 62 trillion times longer to crack than a six-character password.
Jon: Whoa.
Amy: If it took one second to crack a six-character password, that would equal 2 million years to crack a 12-character password. These easy passwords that are easy to remember, they're not smart. It doesn't help. We want to have really strong complicated passwords. That's how you wear this power.
Jon: I love it. I will say that what prompted me to make things more secure was somebody spoofed my Facebook page, and there was another Jon Gay out there requesting on my friends and I panicked. I got one of those password apps and made sure none of my passwords were stored in my browser on my computer. Made sure they're all specifically within this password app. Getting hacked once and spoofed on Facebook once was enough to put a scare into me, for sure.
Amy: Well, I'm glad to know you're part of the 45% of people who do change their passwords. We have an episode on that, right? Using a password vault.
Jon: Yes.
Amy: If our listeners are wanting to know more about that, they can definitely check that out. Another thing we can do is we can dodge the digital phantoms. We talked about this a little bit earlier. This is really about phishing, being vigilant, watching what's coming into your email before you click on it and really studying it. Not getting in the habit of just clicking through things and thinking they're legitimate. It's just really being on alert that this information might come from another superhero. It might come from one of the villains.
Jon: The great way to do that, too is if a link looks a little strange or something looks funny, look at the "from" field in the email, and then also feel free to mouse over but not click the link they're sending you. If it pops up where that thing is going, and it's going to abcxyz783.com as opposed to Amazon or whatever it might be, chances are that's not legit.
Amy: I love that. Yes, great explanation. We talked about using secure Wi-Fi networks, this is where we can fortify our digital fortress. Making sure that you are using your hotspot on your phone to connect. Maybe to your laptop if you're sitting in the airport. Those types of things so that you're not using Wi-Fi. Using a VPN in certain settings is a good idea. Layering your protection and using individualized ways to access the internet when you are in a public location.
Jon: Also making your Wi-Fi password at home secure, I would say as well. Don't have it be "JAG's Home" is your password. Have an alphanumeric password that you can send to your friends when they come visit but that it's not going to be easily hackable.
Amy: Same thing you can set up your family's password and you can set up a guest password.
Jon: A guest Wi-Fi network to log onto. Exactly, yes.
Amy: Absolutely. Then last thing I think on our superhero, the good guys we want to keep fighting this never-ending battle against cyber villains. To do that, keeping our software and our devices updated. Sometimes people think, "Oh, gosh, I have to re-log into stuff when I get an update," but those updates are actually helping keep you safe. They're fixing holes in security in many cases. Along with doing other fixes, your protective software that you may have on your computer may not work if you're not accepting updates.
Jon: The hackers and villains are always getting more advanced, so you got to rely on the good guys to stay one step ahead of them.
Amy: Absolutely.
Jon: All right, I feel like-- let me see if I can dig out some superhero music here.
[music]
Jon: All right, thank you for sharing the ways we can be our own superheroes and protecting our identities and information. Amy, I know identity theft isn't specifically what you do, but if somebody wants to reach out to you about financial planning what are the best ways to find you at Thimbleberry Financial?
[music]
Amy: They can find us online, and our website is secure, at thimbleberryfinancial.com or by calling us on the phone, also secure, (503) 610-6510.
Jon: Always a pleasure, Amy. We'll talk to you again in a couple weeks.
Amy: Sounds great, JAG.
Jon: Registered representative securities offered through Cambridge Investment Research Inc, a broker-dealer member FINRA/SIPC. Investment advisor representative, Cambridge Investment Research Advisors Inc, a registered investment advisor. Cambridge and Thimbleberry Financial are not affiliated.