No gimmicks. No commitments. Take 60 seconds to discover whether you were impacted or not.
The Equifax breach is dominating news headlines this week. I have a number of thoughts, opinions, etc. on this event and on how it was (mis)handled. Securing critical data is a big part of my career focus, so this is particularly close to home for me. However, now is not the time to go after Equifax for their security practice. That fish will wait secure in the barrel until the right time comes. For now, let's focus on what YOU need to do today to protect yourself.
The horror stories about how poorly this process was executed are all over the Internet, but I'm happy to report that discovering whether or not your data was stolen - however difficult it was just 48 hours ago - is now a very simple and straightforward affair. It does NOT involve signing up for a pay service any more. It does NOT involve handing over your credit card any more. It uses two pieces of information to identify you and tells you immediately whether or not you may be impacted. No commitments. No shady sign-ups. No signature on some unenforceable verbiage that declares you cannot sue Equifax in the future.
Having said this, this discovery will require you to submit a very sensitive piece of data (part of your SSN) over the Internet, so there is something specific you need to do to ensure spying eyes don't have a shot at stealing it.
Let's get into it.
1) Go to http://www.equifaxsecurity2017.com.
This is the dedicated web site Equifax put up to handle the traffic for this event, since their regular web site would not be able to handle it.
Once the site loads in your browser, the key here is to double check, make sure that your connection is secure, SSL encrypted. To do that, once the page loads, look at your web browser address bar, to the left of the "http" at the beginning. You should see a closed lock icon and/or the word "Secure" being displayed. Here's what mine looks like (I use Chrome):
If the lock icon is open, or if you see a red "x" or other warning, close your browser. Make sure it is upgraded to the latest version and try again. If the problem persists, try a different browser.
The main web page features the latest news and updates on this breach, and various informational links.
2) Scroll to the bottom of the main page and click the "POTENTIAL IMPACT" button.
You will be taken to a new page.
3) Scroll to the bottom of this second page and click the "CHECK POTENTIAL IMPACT" button.
You will see a simple page with this small dialog embedded:
STOP!
Do not do anything more before you check the SSL security state in your browser's address bar as described above.
4) Re-check your browser's SSL status, make sure it still indicates a secure connection.
If the browser indicates secure, you're good to go.
5) Enter your information and click "Continue".
Hopefully you get good news. My wife and mother got good news, but I did not. At this point, whether you were impacted or not, the site will prompt you to enroll in their (now completely strings-free) complimentary protection program.
At this point, I cannot tell you whether to enroll or not. You need to decide that for yourself. On the one hand, they offer a year of free credit reports, monitoring and even a cool $1 million in identity theft insurance. On the other hand, this is yet another system (seems to be a separate stack/database from the core bureau infrastructure) that your information will go into run by the same company that lost it the first time.
If it helps, I went ahead and signed myself up.
ADDENDUM
If you were impacted and you decide NOT to sign up for the new protection service, there are other steps you can take to better protect yourself, as recommended by the FTC:
The most obvious step is to keep a super-close eye on your credit cards and bank accounts. If you don't make it a habit to dissect your spending vs. budget per month, just a couple minutes eyeballing your monthly statement is far better than doing nothing.
Familiarize yourself with the three credit bureaus: Equifax, Experian and TransUnion. Make sure your contact information - phone and mailing address - are up-to-date and correct on your bureau accounts. If they detect fraud, you want those messages coming to you ASAP.
Pull your credit report. It's important to know the current state of your credit report, as a "baseline" to compare against in the near future. Having this will make it much easier to spot problems. You can do this once per year for free at http://www.annualcreditreport.com.
Consider placing a credit freeze on your bureau accounts. This will stop anyone from applying for a new account under your name, although it will not stop thieves from attacking existing accounts.
Place a fraud alert on your credit accounts. You only need to do this with one of the bureaus and it will automatically propagate to the other two. This will ensure that creditors will take extra care when handling any major account transactions, make them more inclined to contact you directly.
This last one is a bit scary, but has to be mentioned. The FTC recommends that you file your taxes as early as possible next year. Thieves may attempt to file a refund return on stolen Social Security numbers. I'll be sure to blog out a reminder around the first of the year to remind folks about this.
If you do discover that you are the victim of fraud, report it immediately at http://identitytheft.gov and begin the recovery process.