As you almost certainly know by now, the credit bureau Equifax suffered a massive hack this year, exposing the confidential information of some 143 million Americans.
But security researcher Brian Krebs says the smart move is to just assume that your information is out there — assume you’ve been hacked or otherwise compromised, and then act like it.
“We have no business using these static identifiers — name, date of birth, social security number, mother’s maiden name, address, previous address, phone number — all these things that don’t change about you, or that are available in these databases that have been hacked six ways from Sunday,” Krebs said on the latest episode of Too Embarrassed to Ask. “Even if we forget about all the times this data has been hacked, it’s broadly available for sale in the cybercrime underground.”
“We should behave as if our information is already compromised,” Krebs added. “We don’t need some stupid website from Equifax to tell us yes or no. If the answer is ‘no,’ it’s the wrong answer.”
On the new podcast, Krebs explained how to set up a “credit freeze,” which he recommends doing at the three major bureaus — Equifax, TransUnion and Experian — as well as Innovis, a “distant fourth” that aggregates and sells the data from others.
“You either call them on the phone, or you go to the website and you say, ‘I’m going to freeze,’” Krebs said. “You give them all the personal information that was compromised in the Equifax breach, answer four authentication questions, and they’re supposed to freeze your file. After the Equifax breach, at Equifax and almost all of the other bureaus, their ability to do this for you online completely failed because they were all overwhelmed.”
Despite the hassle, it’s worth doing, Krebs said. But consumers should keep two things in mind. First, if they want anyone to be able to check their credit — when obtaining a loan, for example — they’ll need to “thaw” the freeze in advance to make the credit report visible to outsiders again. Second, the credit bureaus only make money when your credit is not frozen, so they may try to deceive you into doing something different.
“What is most frustrating about this is, now, in the wake of the Equifax breach, when people go to place a freeze, the bureaus go ‘Oh, you really don’t want that! I know you said you wanted that, but what you really want is a little less restrictive. You want to use our credit lock service,’” Krebs explained. “Which everyone is starting to conflate with the freeze. As far as I can tell, they are different things.”
This article originally appeared on Recode.net.