From the time the Equifax security breach news broke, experts have advised people to freeze their credit files.
Normally, this is one of the most effective ways to stop hackers from opening fraudulent accounts because lenders will not be able to see your credit reports, typically a requirement before they agree to issue a credit card or mortgage in your name.
However, the personal identification numbers Equifax once assigned these freezes were faulty. That’s changing for new freezes, but older PINs — which were designed as a password of sorts to be used for thawing a freeze — may still be susceptible to hacking.
Here’s why: The credit reporting agency until recently assigned PINs based on the date and time the freeze was enacted, making them an easy target for hackers.
Thieves use automated systems that can guess passwords and PINs, says Michael Kaiser, the executive director of the National Cyber Security Alliance. This means a known pattern makes it that much easier for hackers to crack your password and undo your freeze.
“They know what the PIN numbers are, they just have to associate them with you. That’s why this is such a weak system that they’ve created,” Kaiser says.
New way to generate PINs
Following the breach — and questions raised about the security of its PINs — Equifax said it would change the way PINs are generated:
“While we have confidence in the current system, we understand and appreciate that consumers have questions about how PINs are currently generated. We are engaged in a process that will provide consumers a randomly generated PIN,” the company announced this week.
Who should take action
This change won’t retroactively protect people who signed up for the credit freeze services before this week.
If you have placed a freeze on your credit through Equifax or any other credit reporting agency, it’s important to change your PIN or password immediately. Consumers can request a new PIN at any time, which will be sent via mail, according to Equifax.
Kaiser advises following basic password wisdom: it should be easy to remember and hard to guess. In Equifax’s case the PIN is 10 digits, the same length as a telephone number.
A good PIN might be an old phone number of a relative or friend; one that’s burned into your memory, but not easily associated with you.
Avoid numbers with a high level of repetition, sequential numbers, or numbers associated with you — like your existing phone number or birthday.
In general, it’s wise to change any PIN that’s been assigned to you. This gives you another layer of protection in case the company that issued it gets hacked and PINs are compromised.
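The Python below is an added example, not code from Equifax or from this article. It draws a 10-digit PIN from a cryptographic random source and flags the weak patterns described above. The MMDDYYHHMM layout, the repetition and run thresholds, and all function names are assumptions made for illustration.

```python
import secrets
from datetime import datetime

PIN_LENGTH = 10  # the article says Equifax freeze PINs are 10 digits

def random_pin():
    """Draw every digit from the OS CSPRNG so the PIN carries no date/time pattern."""
    return "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))

def looks_like_timestamp(pin):
    """True if the digits read as MMDDYYHHMM (assumed layout, not from the article)."""
    mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, PIN_LENGTH, 2))
    try:
        datetime(2000 + yy, mm, dd, hh, mi)
        return True
    except ValueError:
        return False

def longest_run(pin):
    """Length of the longest stretch of digits stepping by +1 or -1 (9 wraps to 0)."""
    best = run = 1
    step = None
    for a, b in zip(pin, pin[1:]):
        d = (int(b) - int(a)) % 10
        if d in (1, 9) and d == step:
            run += 1
        elif d in (1, 9):
            run, step = 2, d
        else:
            run, step = 1, None
        best = max(best, run)
    return best

def pin_problems(pin, personal_numbers=()):
    """Return the reasons a PIN is weak; an empty list means no rule fired."""
    if len(pin) != PIN_LENGTH or not (pin.isascii() and pin.isdigit()):
        return ["not a 10-digit number"]
    problems = []
    if len(set(pin)) <= 3:            # assumed threshold for "high repetition"
        problems.append("high repetition")
    if longest_run(pin) >= 5:         # assumed threshold for "sequential"
        problems.append("sequential digits")
    if looks_like_timestamp(pin):
        problems.append("reads as a date and time")
    for number in personal_numbers:   # e.g. your current phone number or birthday
        digits = "".join(c for c in number if c.isdigit())
        if len(digits) >= 6 and (digits in pin or pin in digits):
            problems.append("contains a number associated with you")
            break
    return problems
```

A randomly drawn PIN can still trip one of these rules by chance, so run `pin_problems` on any candidate and request another if it reports anything.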