
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Personal Information Security Protection in a Modern Era, Part IV
Digital threats lurk around every corner, but your strongest defense might be simpler than you think. We dive into the critical strategies for protecting your personal information in an age where data breaches have become almost routine.
Your cell phone number serves as a gateway to your identity. By treating it as sensitive information and utilizing services like Google Voice for public-facing interactions, you create a crucial buffer between yourself and potential bad actors. Whether it's retailers collecting your information or something as innocent as contact details on your dog's collar, strategic management of your contact information forms your first line of defense.
The heart of personal information security lies in protecting your credit. Your Social Security number, which follows you from birth, remains the skeleton key to your financial identity. We explore the critical difference between credit "monitoring" services and truly effective credit "freezing" with all four major bureaus—yes, including Innovis, the often-overlooked fourth bureau responsible for those pre-approved credit offers. With practical guidance for temporary thawing when legitimate credit applications are needed, we demonstrate how this free protection mechanism provides vastly superior security compared to paid subscription services.
Beyond freezing your credit, we share tactical advice for ongoing vigilance: using credit cards instead of debit cards to create a buffer between fraudsters and your bank account, setting up transaction alerts, regularly reviewing your free annual credit reports, and helping vulnerable family members implement these same protections. Our approach emphasizes incremental progress—tackling one bureau at a time, gradually transferring passwords to a secure manager—transforming what might seem overwhelming into manageable steps toward comprehensive security. Ready to lock down your digital life? Start with the fundamentals we outline in this episode.
You're listening to the Audit presented by IT Audit Labs.
Mandi Rae:Welcome to the Audit by IT Audit Labs. We are here again to talk about personal information security in a modern era. Joining me is the IT Audit Labs crew. Hi guys.
Nick Mellem:Hey Mandi, hey Mandi.
Mandi Rae:So, Eric, where did we leave off last time?
Eric Brown:We were talking about cell phones and your cell phone number and treating that as if the cell phone number was PII, not using that as a way to identify yourself in public, like at a coffee shop or something along those lines, where those retailers are using that to identify you as a consumer and use that to get into your rewards program or something like that.
Eric Brown:So we were saying that you could use an alternative phone number through, like, a Google Voice, for instance, or from a service that, like Burner, would provide you with a cell phone number that you could either keep permanently or semi-permanently or something that you could delete frequently. And now, with VoIP services, voice over IP services, like Microsoft Teams, for instance, for businesses, they provide phone numbers for your business. So if, for instance, your business was getting a lot of spam calls to a particular phone number, it's pretty easy to just get a new VoIP number associated with your business, not like the old days where you had to get a POTS line from the cellular, or the, not cellular, but the phone company, and then they'd come in and punch it down to the 66 block and it was a whole production, but now it's pretty easy. It's, you know, minutes instead of weeks.
Mandi Rae:That's great to hear. It's something you can do much like I think of on my cell phone, how I can block a specific caller. Being able to do that for this line sounds like it'd be beneficial as well.
Eric Brown:Yeah, you know, I think along the, not to belabor the cell phone number thing, but it's kind of a, it gets into a slippery slope of you want to be reachable but at the same point in time you want to be a little bit protected. So something like putting your phone number on your dog's collar is one that is in that gray space, right? You want to be able to be reached in the event that the dog is missing, but at the same point in time, the dog being maybe out in public at a dog park off leash, somebody could get access to that phone number and then you'd potentially receive some unwanted calls or texts. If that was your main number, maybe you want to think about putting that on what I would consider like a Google Voice number, which could be a semi-public number but not your main number.
Mandi Rae:That is how I get on my dates. I just take Rex to the dog park off leash. He's running around advertising my phone number. Does it work? It does. Dudes love dogs, kind of like chicks love babies, right? Oh, that's like really extreme blind dating, but that wasn't funny. I should make my own reality show, like dog park dating. So we're going to edit that part out. And what?
Nick Mellem:That's awesome.
Mandi Rae:What are we going to talk about now?
Eric Brown:Mandi's using the podcast to troll for dudes.
Mandi Rae:I mean, I'm thirsty. So this is why I communicate with the editor, though. Am I turning red?
Eric Brown:Yeah, so that's interesting, Mandi. Good luck at the dog park. Let's talk about credit and protecting your credit, because I think we look at pieces of information that we treat privately or publicly, and one of the most private pieces of information that we have is our social security number, and that social security number, issued at birth or close to birth, follows us for the rest of our lives and, unfortunately, those social security numbers are used by companies and other entities to identify us, and the reason why it's problematic is, as we know, we can be subject to having that information compromised and then be the subject of either tax fraud, or somebody's filing fraudulent taxes in our name or opening credit in our name. I think some of the more egregious ones are where people get a hold of someone's child's social security number and then open up credits in that child's likeness and start doing malicious things with that child's social security number. It's really hard to come back from an information breach of this sort, right, where your credit is stolen. It usually requires quite a bit of work to find out where all of the fraudulent credit reports were opened, or not reports, but all the fraudulent credit was opened, and then close them and then keep yourself protected going forward.
Eric Brown:So, as we go around and we do these talks, the simplest way to solve for this problem is to freeze your credit, and you can do that directly with the credit bureaus. So there are the three credit bureaus that most people know about, and that's Experian, Equifax and TransUnion. And then there's a fourth bureau, and the name of that bureau is Innovis, and if you ever get in the mail the pre-approvals, so if you pre-approve for a car or you might see some of the extended warranty things for your car or things like that, those are usually coming from data that Innovis has collected and sold. So we like to advocate for freezing your credit with these four bureaus, Experian, Equifax, TransUnion and Innovis, and you can freeze the credit directly with those bureaus and that's the best way to do it. When you go into those bureaus to freeze your credit, pretty simple process. Takes maybe five to ten minutes each. You'll want a password manager when you do it because they're going to ask you some questions like what was the name of the street you grew up on or who was your childhood best friend, and, as we know from our previous episodes, we never answer those truthfully. We make up an answer and we put that answer in the password manager. That way, if that information is out in our social media profiles, it doesn't matter the name of my street, because the answer to my secret question is made up. So, anyhow, we store that information in password manager. Usually there's a PIN associated with it. When I froze mine years ago, they would mail you, so out of band, send you a PIN number that you get on like a little postage card size document, and then you'd use that to log into the account. I think it's all online, but anyhow, those are the four bureaus.
Eric Brown:In addition to freezing your credit, and one other point on the freezing your credit, there are services that will offer to lock your credit or they'll use some other term that means the same thing, and usually those are a paid service. Or they're offered by companies to you after your data has been breached. So as part of their breach mitigation, you'll get a letter that says, oh, we think your information has been compromised. Here is a service that we're paying for you for a year to protect your credit. That's all well and good. However, we don't recommend going through a third party. Usually the third party is a subcompany of one of these credit bureaus. It's much better to just freeze the credit yourself, and the reason for that is then you directly control the freezing or unfreezing, or they call it thawing. So freezing and thawing your credit.
Eric Brown:So if your credit's locked with these four bureaus and you want to get a new loan, let's say you're going to get a car, you go into the dealership or you work with your bank and they're going to run a credit check on you and that'll come back with a credit score and your credit worthiness for them to evaluate if you're responsible enough to repay the loan or your debt to income ratio is low enough that you can take on a new loan. At any rate, they will typically work with either one or two bureaus to score your credit, depending on where you are in the country. These entities tend to be geographic and I forget exactly where those lines are, but Experian may be more in the Midwest, TransUnion on the West Coast, Equifax East Coast. It's not clear cut like that, but there is some geographic distribution and I may not have those geographies exactly right, but that's the theory of it. So if you're in the Midwest, you're going to get a car loan. You can just ask them, which bureau do you work with? They say Experian. Okay, you can then just reach out to Experian and then for a period of five days you could thaw your credit and that would thaw it for anyone running a check against you.
Eric Brown:I like to advocate, if you're interested in your credit score increasing or staying high, one of the things to do is to limit the credit pulls against your score. So every time there's a credit, every time your credit is checked, it decreases your score. And the reason, I guess the theory behind that, is the credit agencies look at that as a way that you're trying to go out and get a loan and that would negatively impact your credit score. But anyway, you can unfreeze it.
Eric Brown:I would say, if you're strategic about it and you want your credit score to be as high as it can be which is 850, is to bundle your pulls in a short period of time. So if you know you want some sort of home equity line of credit, you want a car and you want that new refrigerator from Home Depot. All these things are going to require a credit hit. Do them all in a short period of time rather than spreading them out over months. Of course, we can't help it when the refrigerator breaks and we need a new one and we want to get that Home Depot credit card for the free interest. Don't stress yourself out about it. But if it works out great, bundle it and then you've just left that freeze open or that thaw open for a short duration of time. The reason why I like to advocate for that is it's then it just automatically closes. You don't have to think about it.
Eric Brown:Unfortunately, the way credit was built is these, you know, our credit is inherently open, so if someone has access to your social security number, they can potentially open credit in your name without you even knowing about it. So one of the ways to check that is a free annual credit report, and that won't give you your credit score, but it'll tell you all of the open sources of credit that you currently have and ones that you've previously had. One of the big factors to increasing your credit score is that factors into your credit worthiness is your on-time payments. Your credit report will show you how many on-time payments you've had. They drop off after a period of, I think it is, it's either three, five or seven years, where, if you had some unfortunate late payments, that drops off after a period of time. If you had a bankruptcy, that drops off after, I believe it's seven years. Different things impact your credit score. You can take a look at that annual credit report. Make sure that if there is a late payment on there, sometimes you can negotiate to have it removed. If there's things on there that don't look right, you can work with the entity to have them investigated and removed, but it's just something to stay on top of.
Eric Brown:Nowadays, with mobile devices and how connected we are, you can tie your credit cards to your like a mobile app and then anytime a transaction is made, you'll get a notification that you know you just spent twenty dollars in Home Depot or whatever.
Eric Brown:And that's kind of a good way to always be monitoring what's happening with charges against you or your family members, because then if something doesn't look right, you can catch it right away.
Eric Brown:And then, along those lines, I'd also advocate to use a credit card in those instances instead of a debit card. So if you use a debit card and that number is captured or stolen, that's direct access to your bank account and that can be pretty impactful if the thieves hit your daily withdrawal limit or make charges that deplete that bank account before you notice it. So if you use credit card, that's going to hit your credit and you can work with that credit card company to say that your credit card was stolen or the number was stolen or what have you, and then those charges mitigated without it impacting your ability to pay your rent, mortgage, what have you. Not that if you have a debit card, you can still work with them to get that money back if it was fraudulent, but the money is still out of your account and the money that you're expecting to be there to pay a bill might not be there. Any thoughts or questions on that that you guys have personally experienced?
Nick Mellem:I did want to jump in and just bring up, it was interesting that you brought up locking your kids' credit, um, just an interesting thought, but I know I had experience with helping my parents and it's just a key point to bring up helping.
Nick Mellem:You know, people like grandparents or our parents that might not be so familiar with these, um, the credit bureaus and how the process would be of blocking it. I actually sat down with my parents, this is maybe four years ago now or so, and they created a free account on all three of them and we locked it and they were locked. I don't know how long they've been locked, it's been three or four years, but they just bought a house this year and the bureau came back and said your credit's frozen or locked, so can you unlock your Experian account so we can do your credit pull? I thought that was cool, that was working. I had forgot right when we did it a while back and it came back that it was locked, so I thought that was neat that that happened. Was it hard to set up the locks for them, or the freezing the credit?
Nick Mellem:For example, on Experian, when you create your account they have like a page and it's just a big lock button and you just press, hold down on it and like the switch goes and then it locks and it might really take like five minutes, but you flip the switch, right, it's a tangible thing. You see it lock and then you're good. So yeah, it was very easy. It might have taken us an hour to do all of it, just them setting up their passwords and, you know how that goes, making sure they're using strong passwords and getting the password manager set up so they don't, I don't get that call saying they forgot their password and we'll, you know.
Eric Brown:So that helps out big time. Sure, there's an interesting story about, um, the CEO of LifeLock, and this is going back a couple of years, maybe close to a decade or so, where, in order to advertise for his company, he gave his social security number out in public, like put it on billboards, might've been on the side of vehicles or something, I forget, but definitely published it out in marketing material to say, hey, I can put my social security number out there and my company is so good that it will prevent credit being opened in my name. The funny part of it is, I think his identity was stolen, I don't know, it was like 10 or 15 times, something like that, and credit was opened in a variety of different places. I think it was like cell phone accounts, maybe some loans, other things like that. But the point being that, you know, LifeLock advertises that they can lock your credit as a service. It's not the same thing as going in and freezing your credit directly with the bureaus.
Kyle Rosendahl:Yeah, and I know when I talk to people about things like this and freezing your credit, it doesn't necessarily protect you from people collecting your social security number, right. They're still out there looking for that info. They're still looking to get your HIPAA information. They're still going to get it. There's another step in the way for them to be able to get money from having that information, right. So it puts a barrier in place that prevents them from collecting monetary value from your information, which is really good, and one of the questions I always get from people when I talk to them about freezing their credit is like, well, what do I do when I want to apply for a loan? What happens when I want to get that credit card?
Kyle Rosendahl:And really the sites make it pretty easy to do. As Nick was saying, a lot of them have just like a button you can push on your phone or on the app, or even with some of the older people I've spoken to about this who aren't necessarily comfortable going to a website and typing their information in or doing those sorts of things, right, you can do it over the phone with pretty much all of the bureaus and set that up and set up your private pin and do all of those things kind of via a phone. So if you want to call and just talk, right, there's other options for people who might be slightly less tech savvy when it comes to the internet. So it makes it kind of a no-brainer in a lot of ways, honestly.
Mandi Rae:Yeah.
Eric Brown:Well, I think that's all I had on that topic. I can't think of anything else that we've talked about recently related to credit theft. I think it's just one of those things. It's just that diligence to sit down, schedule some time to go in and do these things, and then same thing with the password manager. If you can get in five a day, whatever it is, just continue to make forward progress. I think that's the best way to do it. It can seem kind of daunting if you have hundreds of different passwords you want to put in the password manager or have to set aside a lot of time to do this. Credit reports and locking of credit: if you just set, you know, maybe plan locking one or two a week, get that annual credit report and review it with your family, you'll be in good shape.
Mandi Rae:Those are all great points, and this concludes our series on personal information security in a modern era. Many thanks to Eric, Nick and Kyle for helping lead us through. If you'd like more information on locking a minor child's credit, we did recently have a blog posting about that. It'll give a website with some resources and how to make that happen. For more information on anything else cybersecurity related, please visit our website at www.itauditlabs.com. We're also on all the socials and we hope to see you again on our next episode. Bye, guys.
Kyle Rosendahl:Bye, thank you.
Eric Brown:IT Audit Labs assesses security, risk and compliance. Our threat assessments find the soft spots before the bad guys do. Whether you are looking for a point solution or a broader security program, contact IT Audit Labs to reduce your organizational risk.