A cybercriminal's guide to protecting your identity

Timeline: Equifax data breach
Timeline: Equifax data breach

In September, Equifax announced a major security breach that exposed the personal information for about half of U.S. adults.

But most people didn't do anything to protect themselves. Some checked their credit reports and account statements. Fewer took steps to freeze their credit.

If you haven't detected any suspicious activity yet, it doesn't mean you're in the clear. The sensitive information stolen from Equifax could be used years from now. Criminals can use it to take over your credit cards, create entirely new accounts without you noticing, and open a loan in your name.

Related: Meet the man who used to steal your identity

The good news, if any, is that the Equifax breach might not increase the chance you'll become a victim of identity theft, experts say. But only because they believe all that information was already for sale.

"What's so damning about Equifax is that now all that information is consolidated. Every criminal who gets it knows it's correct," said cybercriminal Brett Johnson. He went to prison on charges of fraud in 2006 and served about six years. Now he works as a consultant and speaks to companies about the risk of cybercrime.

brett johnson
Brett Johnson served about six years in prison for committing identity fraud.

Identity theft is on the rise. About 6% of consumers were victims in 2016, according to a study from Javelin Strategy & Research. Two million more people were affected than during the previous year.

You could take your chances and do nothing. Or, you could do what you can to prevent your identity from being stolen.

Here's what Johnson suggests:

1. Freeze your credit reports

"Don't just place an alert. Freeze your credit, and do it now," Johnson said.

Putting a freeze on all three credit reports will block thieves from opening a new line of credit in your name, like a new credit card or loan.

Why is this important? To open an account, a criminal needs your name, Social Security number, date of birth, address, and driver's license number. All of those could have been exposed in the Equifax breach.

Thieves may need to go through the effort of creating a license in your name with their picture if they want to walk into a bank to open up an account. But all they need is the license number to open an account online, Johnson said.

If you do freeze your credit, you'll have to ask the credit reporting agencies to temporarily lift the freeze if you want to open a new credit card or loan yourself.

Related: Is locking your Equifax credit report good enough?

2. Freeze your kids' credit, too

Johnson also thinks people should freeze their kids' credit reports.

Your child's information probably wasn't stolen from Equifax. But it's "very likely a child's Social Security number is already out there," Johnson said.

Opening an account in a child's name could be more valuable for a thief because it could go undetected for years, until they're old enough to take out a student loan or open a credit card.

About 4% of identity theft complaints made last year concerned victims under the age of 20, according to the Consumer Sentinel Network.

To freeze your child's credit report, you may need to ask the credit bureaus to create a file for him or her first, and then immediately put a freeze on it.

Related: What to do if your identity is stolen

3. Monitor your accounts on your own

Freezing your credit reports won't prevent a thief from taking over one of your existing accounts.

Thieves can buy your credit card number, expiration date and security code as well as your name and address for $15, Johnson said. With that information, a thief can easily buy things online. (As a consumer, you won't be on the hook for those charges if you report it immediately.)

But things get tricky if a criminal has enough information to take over the account. First, they call the bank or credit card company to change the address and/or phone number on the account, Johnson said. That way, you might not be notified of out-of-the-ordinary charges. Then, they can request a higher income limit to be able to spend even more.

Related: 6 things Congress can do after Equifax

He suggests reviewing your credit reports every three months -- checking for new addresses, phone numbers, accounts and credit inquires. Keep track of your bank accounts and utility bills, too.

Johnson believes reviewing your accounts yourself is better than paying a service to do it. To make it easier, set alerts for charges as little as $0 if you can. That way you'll be notified of every charge. He also suggests using a password manager so that you don't end up using the same weak password for all your accounts.

4. Don't worry about scanning the dark web

Some credit monitoring services advertise that it will scan the dark web to see if personal information is for sale, but Johnson doesn't trust they can scan the whole dark web -- or even a majority of it.

"Just assume your data is already out there," he said.

Personal Finance


CNNMoney Sponsors