The Busy Executive's Guide to Personal Information Security, Part 2 of ?

 It was, of course, bound to happen. As soon as I published the The Busy Executive’s Guide to Personal Information Security the first person I showed it to said “but what about...”. Of course, there are a lot more things you should very seriously consider. The two that came up in that discussion are covered here. If you have additional tips that I hadn’t thought of, or questions about other steps, let me know.

Freeze Your Credit Reports

Most countries have some form of credit rating system. In the U.S. we have three credit bureaus with a not-altogether stellar record of keeping your information secure, nor a particularly inspiring track record of keeping bad guys from using it. If you want to change how they protect it, you need to begin by finding someone to vote for on November 3, 2020 who cares about such things. I’ve not heard anyone really pay much attention to it though, but you should definitely vote anyway. 


However, if you want to control how the information is used you can do that by freezing the reports. Naturally, there is no one-stop shop for this. You need to go to each bureau and do it separately:


Experianhttps://www.experian.com/freeze/center.html is the website where you manage its freezes. It’s not a very pretty process, but you go to the same place to unfreeze the report. To unfreeze you must remember a PIN that you create when you freeze it. I recommend using a password manager, such as 1Password, to generate a random PIN and store it in a secure note. To change the freeze state of your report you set a date by which to unfreeze and re-freeze the report. That means it must stay unfrozen for at least the rest of the current day. This is a pretty big hole that Experian surely is not working on fixing.


Equifax allows you to create an account which makes it a little easier to freeze and unfreeze your report. Equifax also requires you to set a date to unfreeze and freeze your report, so, again, you have to leave it exposed to fraudsters for far longer than is advisable. 

Figure 1 Equifax website for unfreezing a credit report.


Transunion, by far, has the best user experience for freezing or unfreezing your credit report. Through the trueidentity.com website you can lock your credit report and with a click, unlock it for as short or as long a period as you want, then click to lock it again. Transunion is the only bureau that provides its product (you, as it is your data they make money selling) with the ability to only expose the credit report for the amount of time necessary. 

Figure 2 Lock and unlock your report easily on the True Identity website.


Yes, it is a pain in the neck to keep your credit report frozen. It becomes an even bigger pain in the neck because most lenders are not content with accessing one of your reports. They want all three. After all, you’re paying for the credit checks one way or the other, so why not. 


Nevertheless, I keep mine frozen/locked constantly for several reasons. First, it keeps the credit bureaus from making money selling MY data to hucksters on a daily basis. Second, it keeps shady people, like Good Chevrolet in Renton, WA, who tried to pull a credit report on me when I tried to pay cash for a car, from succeeding in getting my data. Third, well, let’s just say that after Equifax and Experian were both breached someone tried to use my data that was stolen in the breach to file fake unemployment benefit claims. All in all, it is well worth it. 

Port-out Protection

The second additional thing you should absolutely consider is protecting your mobile phone service. Obviously, you have set it up to be used as a second authentication factor on sites that offer no other option. Other sites will automatically use it as a second factor, even if you do not configure it to do so. Phone companies have a checkered past protecting against Subscriber Identity Module (SIM) swapping, however. 


If you recall, SIM swapping is where a criminal convinces your carrier to associate a SIM they own with your phone number, so that they get your one-time passwords sent to them. This can take two forms: they can convince the carrier to let them port the number to a different carrier, or they can convince them to simply associate a new SIM with your number while keeping it on the same carrier. 


While it has not proven fool-proof, all three major carriers now offer some form of “port-out protection”. Here is the information from each of the major carriers on how:


T-Mobile  - Go to https://www.t-mobile.com/customers/secure for the information. You may also call 611 and request “NoPort” protection, which is not a setting they surface in any of their websites. Allegedly, it requires you to go into a store to authorize porting out your number. 


AT&T - Go into your account and add “Extra Security”. It allows you to create another password/PIN code that’s required to port the number to another carrier. 


Verizon - Dial *611 from your mobile phone and ask for a Port-Out Freeze. You may also ask for an “Administrative Lock”, which should prevent any changes from being made to the account. 


As always, I strongly recommend writing down any of the additional passwords you create during this process in a password manager. If your normal password is your dog’s name, having your pet goldfish’s name as the port-out PIN is probably not your best strategy.


A word of caution, however. As you probably recognize by now, all these protection measures (with the possible exception of Verizon’s Administrative Lock) are designed to prevent moving the phone number to a different carrier. However, many of the SIM swapping attacks I’ve worked on involved binding a new SIM from the same carrier to the number targeted. Port-Out Protection will NOT prevent that attack! It is a very incomplete solution, but it satisfies what the carriers were required to do under regulatory pressure. Unfortunately, legislators, who can actually require stronger protection, seem to have failed to realize this limitation and there is precious little legislative movement on the issue. The carriers are left only incentivized to make it more difficult to move your number to another carrier (a practice they strenuously opposed in the first place) but not actually required to provide you with better controls against within-carrier SIM swapping. As a result, we are still largely beholden to how well the carriers train their customer support staff in detecting SIM swapping attacks. 


Based on what I have seen in the past six months, their track record continues to be somewhat checkered. 

Comments

Popular posts from this blog

MFA Post 5: Time-based One-Time Passwords (TOTP)

MFA Post 7: Other Contact Mechanisms (Email, Phone,...)

Electric Car Charger Basics