I need some help with personal online security.
After the Optus breach in which I was personally unaffected, it made me think about my own online vulnerabilities. I have 2FA set up and unique passwords but after that I am at a loss. As @slymeat just pointed out, the fact they have such personal data accessible is the main issue, but it’s a bit late now....
It appears using identity theft to gain credit in my name is probably where I am most at risk. Having no debt and a good credit history would make it easy to get any form of credit.
Scott Pape was advising people to use an app “credit savvy” which can lock any credit applications. There is no cost to this app, which made me wary, apparently, they make their money through prospective credit leads? It is owned by CBA, not that that gives me any comfort. Excerpt from his email below, yeah it’s long-winded.
I’m now involved in the Medicare debacle, further to this I have my elderly parents, also with Medicare, who rely on me for anything remotely technical, worried that they can lose their money. Ironically the only online direct debit we both have set up is Medicare, I have had them using an isolated credit card for everything else.
So, I figure someone on here has a greater understanding than me, any advice on best practice and in particular how to lock credit access etc would be greatly appreciated.
Thanks
Email, Scott Pape, 3/10/22
Today I’m going to show you the exact steps that will stop scammers from running up credit in your name.
Best of all, it’s fast, easy, and free. Yet before I do, I want to take a moment to reveal the name of a company that made MILLIONS from the Optus Hack.
That company’s name is Equifax and they’re a credit bureau. This week, in a blind panic, Optus agreed to purchase 12-month subscriptions to Equifax’s ‘Credit Protect’ service for their most affected customers. This service sends an alert if your credit file is accessed (by a scammer applying for credit in your name using stolen docs), and it costs $14.95 a month per person. That’s not just a huge amount of dough for Equifax, it’s insanely great advertising to boot!
So let me square the ledger …
Equifax is the financial equivalent of Mark Zuckerberg. They hoover up your personal private credit information and sell it off to any financial institution they damn well please. Yet unlike Zuck, if you want to monitor who they’re pimping your private data out to, well, you have to pay them $14.95 a month*!
*Except you don’t.
I’m afraid Optus has been scammed again.
They didn’t need to pay Equifax all that money. There’s a much better workaround, and it’s free.
I want you to pay close attention to this, even if you aren’t an Optus customer. After all, just this week Standard and Poor’s came out saying that Aussie banks are among the most vulnerable to a cyber attack in the region because of their work from home policies and all the stuff they’ve got in the cloud.
Bottom line?
This isn’t the first mass hack, and it won’t be the last.
Now, I don’t think simply having an alert on your credit file provides you enough protection. Here’s the way I think about it: An alert is like having a security camera on your front door. You’ll get an alert that you’re getting robbed … but your TV still gets flogged!
If you are scammed – and one in four Aussies have been – it can take upwards of 30 hours to sort everything out (most of which involves sitting in long telephone bank queues, listening to Daryl Braithwaite’s Horses). Instead, what you want is a big arse lock on your door that makes it impossible for the robber to get in your house.
Thankfully there is one app that will let you put a lock on your credit file.
That company’s name is CreditSavvy, and it’s a division of the Commonwealth Bank. (The fact that they’re owned by big yellow gives me a certain level of comfort … though I still wouldn’t trust them educating my kids).
Creditsavvy bills themselves like a fitness coach for debt, which in itself is kind of weird. Their schtick is that they calculate a personal ‘credit score’, which for me is about as useful as the score I give my four-year-old daughter’s nightly dance concerts:
“10 out of 10 Honey, BRAVO!”
In both cases we’re just needy adults desperately trying to keep your attention. (Credit Savvy makes its money by selling leads to finance companies to get you into debt). However, part of their app that I’m interested in allows you to lock your credit file with a swipe or click of a button.
So here’s what I want you to do, step-by-step to lock down your credit file so that scammers can’t rip you off.
Step 1: Download the Credit Savvy app (either in the Apple or Google app stores).
Step 2: Verify your details (I used my driver’s licence and Medicare card).
Step 3: Press “protect” from the bottom navigation.
Step 4: Press “Request a ban”. Credit Savvy will then let the other credit agencies know you’ve got a ban on your file within 2 business days.
Step 5: On the 16th day the Credit Savvy app will remind you that your pause is ending. When you get that alert – and this is important – click “ban my credit report for 12-months”.
And that’s it!
From then on if anyone tries to access your credit file, the Credit Savvy app will alert you. Though it will also be locked so the bank or financial institution won’t be able to access your file. However, this will not count against you. To be clear, it will not harm your ability to take out credit.
The recent security breaches at Optus and Medibank (and everywhere else we don’t know about) have highlighted how lax companies are with securing their data, and most importantly, they are lax in securing data that contains our personal details.
These data hacks also highlight how companies store details that they need not store—such as data used to prove our identity: driver’s licence, passport etc. There is absolutely no reason to store that data after the identity proof process has been completed.
Regardless, there is ABSOLUTELY NO reason to store any of our personal data unencrypted, yet it seems they all do exactly that. It’s well past the time these businesses get their act together.
I recently received yet another email from a company stating they have increased the requirements for passwords to be harder and hence everyone has to change their password.
They probably have a legal obligation to be seen to be doing something. Or are they just protecting their arses in case of a future data breach? They can then say publicly that they tried to do something pro-active.
Or maybe they have already had a breach and are trying to minimise damage!
The age or strength of a user’s individual password is not the concern WRT security breaches. The main concern is with what data companies are storing and how that data is stored.
ALL security breaches that have made the mainstream media have resulted from company issues: inadequate security measures or user error by an employee/contractor of the company that has been hacked.
Strong passwords do protect against people imitating you and getting access to your account, but strong passwords are not the issue with systemic hacks.
So unless the companies tighten their own processes, having the strongest password means nothing. When the security breach occurs, the perpetrator will now just be in possession of a very strong password. It doesn’t bother them if it is the word “password” or some strong obfuscation like “I&765Hejh=33!@14klhphgK” as they will never actually have to type it anyway!!!
And as a word of warning: Assuming many people will start receiving emails as I did yesterday. NEVER click a link in an email asking you to change your password, or anything personal for that matter. That is one tried and true trick hackers use. ALWAYS log in to your account via a different means and use the processes contained within that site to change your credentials.
And to extend that warning: be vigilant of any link in any email. Email is easy to spoof (pretend you are someone else) and the links could be quite malicious.