multi-factor authentication Archives

Dear Liz: I was recently alerted that my Social Security number has been found on the dark web. My information was part of the AT&T breach that took place recently. I am no longer an AT&T customer and haven’t been for several years, but they have not made any contact with me. What do I do to keep myself safe and how do I get my information removed from the dark web? Why hasn’t AT&T reached out to me?

Answer: As a consumer, you don’t have much power. Companies often demand your personal data, such as Social Security numbers, before they’ll do business with you. Once your information is in their databases, you have no control over what happens to it. And if your information is leaked, there’s no way to remove it from the dark web.

You can’t even be sure how your information got there, given the sheer volume of database breaches in recent years. If you’re an adult with a Social Security number, chances are pretty good that number can be found on the black market sites where criminals buy and share information, says Eva Velasquez, chief executive of the Identity Theft Resource Center, a nonprofit that helps identity theft victims.

In other words, your data may have been compromised long before the latest incident, which AT&T says affected 73 million current and former customers. AT&T began notifying impacted customers via letters or email starting in April. Those customers should have received an offer for free credit monitoring.

There are a few things you can do to make yourself a bit less vulnerable to identity theft, such as putting freezes on your credit reports, not clicking on links in texts or emails if you didn’t initiate the transaction and using digital wallets or other secure payment methods.

Also, don’t be your own worst enemy. Beware of sharing personal information (birth dates, address, phone number, etc.) on social media. Consider limiting your audience to people you know and trust, Velasquez says.

The Identity Theft Resource Center also recommends using passkeys, a technology that replaces passwords, whenever you’re offered that option. If a passkey is not available, the center suggests using passphrases of 12 characters or more rather than shorter passwords. A passphrase is a sequence of words that can be personalized for easier memorization, typically with numbers added and a mix of capital and lowercase letters. The center gives an example of a passphrase for a 2015 University of Texas graduate: “H00kEmH0rns2015.” You’ll still need unique passphrases for every account and site. You also should turn on two-factor authentication or multi-factor authentication where available. This requires an extra step, such as getting a code on your phone or from an app, but this will make your accounts harder to compromise.

Dear Liz: I recently opened an account at a bank that boasted “multi-factor authentication,” but I looked into the claim and it turns out the bank is using passwords plus answers to security questions, such as the name of your first pet, as the “multi-factor authentication.” I expect you know that the real multi-factors are something you know, like a username and password, something you have, like a code that has been sent to your phone or email, and something uniquely inherent to you, like a fingerprint. Clearly, this bank is misrepresenting its “multi-factor authentication.”

Answer: If there was any doubt about how insecure security questions are, it should have been settled with the hack of the IRS’ Get Transcript service. The criminals gained access to 700,000 taxpayer accounts by correctly answering multiple questions with answers supposedly known only to the affected taxpayers. In reality, the answers to many security questions can be purchased from black market databases or simply found by perusing people’s social media accounts.

If your financial institutions are still using security questions to identify you, you should demand to know why. If the institution doesn’t offer at least two-factor authentication (a password plus a code), you should consider putting your money somewhere else.