Professor Fraud on Equifax, How to Protect Your Identity
William Kresse, Assistant Professor of Accounting in the College of Business at Governors State University—known in the media as Professor Fraud ®—recently took time to talk with the GSU Newsroom about the Equifax security breach, division of labor in the dark web, and the future of online security. A frequently-seen media expert, he was featured on WGN when the story first broke in early September.
GSU Newsroom: I think most of us have heard that something big happened in regard to identity theft in recent weeks, but can you summarize it for anyone who might not know the whole story?
Kresse: Sure. So they hacked into the Equifax system and got information on approximately 143,000,000 Americans—and others—and the danger is that with this information being brokered out on the dark web, bad guys known as identity thieves can take the information and do any number of things. One is, if they've got information that leads to your checking account or credit card account, they can start withdrawing monies from your accounts and/or charging things to your credit card. The bigger fear is that they will take this information, and if you're a good credit risk, open credit cards in your name, take out loans in your name, things of that nature. There have been documented cases of people doing everything up to purchasing houses using stolen identities.
GSU Newsroom: Once the information has been stolen, what happens to it?
Kresse: Like any good industry, if you will, in the free market capitalist system, the identification theft and hacking industry is broken down into components. You've got one group that writes the code that can break into the system, and they sell the code to someone else—a hacker—who uses it to break into the system. They steal the stuff and then put this wholesale cache of identities on the market.Then others go in and buy portions of the lot and test them to see if they're good, because they can get a higher price if they can say they have one thousand identities and they've all been tested and they're all good. There's division of labor within the hacking community.
GSU Newsroom: How do they test identities?
Kresse: What the bad guys will do is, once they buy a cache of identities, they test them to see if they're good. They will run a $1 transaction through to see if the card or account is open. If it goes through, then they can sell it on the internet as a verified credit card number.
GSU Newsroom: When the subject of identity theft comes up, you often hear people say "Well I have bad credit—they can have it." Is there any safety in having a low credit score when it comes to situations like this?
Kresse: Actually, that's true. If you've got bad credit, the identity thieves will just move on. The joke is on them, because the credit card companies will deny them the loans or the credit. And so the thieves will move on to another victim. It's like the old joke with the two guys in the woods being chased by the bear and the one guy says, "Do you think we can outrun the bear?" and the other guy says, "I don't need to outrun the bear. I only need to outrun you." So you leave it up to the other guy to be victimized. There is some truth to that, but the other thing I'm seeing a lot are different folks saying you should immediately go and put a freeze on your credit report.
GSU Newsroom: Is that what people whose information has been compromised should do?
Kresse: As I teach my students in business law and accounting classes, the answer to most questions is: it depends. I would say for many students—if not most—they're at a point in their lives where they're making a lot of changes and transitions. They're applying for auto loans, they may be trying to get a mortgage, or even if they're renting, the landlord may seek a credit report. There are a lot of situations where they're going to need that credit information. If you put a credit freeze on and then ask the different bureaus to release it, they will do it. They'll give you a PIN by which you go online and release the information, but usually it costs you and those fees can add up. Plus, there's another thing to consider: who has the PIN? The same credit bureau whose database was hacked. Guess what? The bad guys can get the PIN, too. So there's relatively limited security in the credit freeze. So I am not one of those who says go run out and get a credit freeze right away. In fact, since the Equifax case broke, it's been very difficult because so many people are doing it. You can't get through on the phone lines. For most people, especially those who are actively using credit and need access to their credit scores, it's probably not necessary and can be a bit of a hassle, costly, and even risky.
GSU Newsroom: Who suffers the most in identity theft?
Kresse: Since identity theft has become so prominent, the folks who are really losing the money are not the consumers. Ultimately the banks and the credit card companies are the ones losing out, so they have put into place protocols to watch for identity theft. They've built algorithms where they will detect suspicious transactions, and before permitting a given transaction, they will make a confirmation with the account holder. So, the fear is not as bad now as it was in the past, and I suspect in the future will even be less so. Equifax says that they will provide one year of credit monitoring services to anyone who was compromised, so if anyone is using your information you will be notified for one year. After a year does the risk go away? No. The risk keeps going until you're dead, and maybe even beyond. As long as that information is out there, as long as the market continues to use personal identifying information, this information is going to be valuable to the bad guys. That may be changing in the future, though.
GSU Newsroom: How so?
Kresse: The introduction of the iPhone 8 and iPhone 10 may be the beginning of the end, because one of the features is the 3-D camera with facial recognition software. So we no longer need your social security number; we just need your face. They're also developing software where you hold it closer and it'll perform a retinal scan. That will be the identity of the future. You won't have to remember passwords or anything else. MasterCard is currently beta-testing a system in which when you make a credit card purchase online using a MasterCard, your webcam will activate and take a picture of your face. You'll line up your face in the square, and it will prompt you to blink to make sure you're alive. The system looks at the structure of your face, so even if you've changed your hair color, glasses, or whatever, it will recognize you unless you've had facial reconstruction surgery. This really is the identification of the future. When that takes over, you can worry less about your social security number and such being hacked.
GSU Newsroom: Until we reach that point, what advice can you offer to anyone trying to protect their financial security and identity?
Kresse: Number one, protect the assets you currently have. Regularly go online and look at your credit card accounts. Look at your bank accounts. Do it at least once a week. At this point, you might want to do it every other day just to be safe, and then if you see anything suspicious, report it. Even if it's a small dollar amount.
Number two, if Equifax wants to give you a free year of credit monitoring, go for it. Increasingly, one of the silver linings of [the increase in identity theft] is employers are providing credit protection as an employee benefit. If it's not available, then consider purchasing it through one of the companies out there. Professor Fraud ® doesn't endorse anyone, but there are companies out there that are very good at monitoring your history and activity on the web.
And number three, just always be vigilant, careful, and secure with your transactions. And be careful what you say on social media because there are bad guys around the globe who are monitoring social media to get the clues to break your identity.