Vonklaus - the link you posted with the details is coming up with errors in viewing for me, FYI. Technically, you've clearly got an understanding of the fix, so I won't waste a lot of time on that. I wanted to speak to the rest though, as I've had personal experience with identity theft in the past few years. Really, anyone should just operate from the assumption that their SSN is compromised. Too many places have used them and too many places either don't even realize when they've been hacked or hide that fact when it's discovered. Her son should do the stuff written below whether they actually got his info from that folder or not. (Also, they did freeze the payment they made to the scammers, right?)
First off, do check if your local police have a place to file a report online. My local police dept. has a website where you can report identity theft and immediately get a report number and printout. If someone uses their information to file a fraudulent tax return, they'll need that report as part of their package to substantiate the issue to the IRS. If you want to do IC3, too, that's fine--but get the traditional police report (and don't wait until some problem comes up as a result of the breach). It is a good idea to build a narrative with corroborating evidence--the IRS was apologetic to me, but having evidence of a reported incident and efforts to follow up is a nice preventive to potential pushback at a later date from a private entity that wasn't careful.
I'd also recommend filing a tax return early, as soon as they receive their W2. Fraudsters try to get their fake returns in before the legitimate one, because the IRS will issue their refund without questions unless you've already filed.
Getting access changed for all of their accounts is a first step, but I would recommend also getting 2-factor set up for any account it's available for. 2-factor makes any future breaches that much easier to mitigate.
Additionally, they should check any account settings for additional recovery emails or in email account settings for any forwarding addresses added to the account. All the remediations in the world don't help much if they can still trigger a change in a few months by getting the password reset sent to fuckingscammers@dickheads.com.
This should additionally include making sure that anyone they have an account with has a fraud notice and ID check that doesn't rely on information in their credit report. For instance, my security question answer to "What is your mother's maiden name?" is to the effect of "a(DH?BMBNOrcumb#72tT". Use a password manager to keep those straight (I just keep them in the Notes field and cut and paste as necessary).
The son should have a fraud freeze with the credit agencies, so that they can't use the Experian report to create new accounts, and he should make sure he's changed his passwords (if there was a folder of his on the computer with his job search files, it is also likely he's used it for browsing and there could have been passwords saved somewhere). I'm not sure what his concern is professionally, but he could contact his company's information security office about potential safeguards.
I've had no other identity theft issues from my information being out there aside from the fraudulent tax return, which makes sense. The IRS cut the douches a check for $8582, which, had they not fat-fingered the 16-digit prepaid Visa card number they tried to have it deposited onto, would have been a much more lucrative payoff than trying to run a couple of fraudulent credit card charges that Visa would quickly flag. Once you've triaged actual account access, keeping the credit agencies locked down is really the main thing to keep an eye on, since that would flag any attempt to use the information further.
They should be reasonably vigilant, but my experience has not been that this was an apocalyptic meltdown of my financial identity and taking reasonable precautions while hardening their accounts should give them some peace of mind. I've heard mixed reports of Lifelock's effectiveness, but if they're anxious types Lifelock won't hurt them--it just might not be more than a placebo against worry.
i realized this earlier in the day, your comment only became visible to me in the last 10 mins or so. i noticed replies ceased several hours ago and emailed HN support.
the link had been flagged by several users and was restored by dang a few minutes ago. i don't have info but i assume it was the horrible title which i submitted after charring out on mobile 3 or 4 times, and i didn't want to rewrite/lose the original post which has since been restructured.
thanks again dang, and also i appreciate this write up as there wasn't much on HN about dealing with this. it is clearly written up extensively in the media but there is so much spam and incorrect info i looked here for better resources and experiences like yours as there are technical, financial and privacy considerations and as any good security professional knows, missing even one thing can have huge consequences.