I was recently the victim of an SSN doxxing + identity theft attack. In the process of securing myself as best I could from said attack, I followed the steps below.
I learned a bunch of this over the past couple of days, through a combination of research & knowledgeable friends & contacts, many of whom were unfortunately speaking from experience.
Much of what is described below can be used as a preventative measure as well as defensive once an attack is occurring / has occurred. I recommend the preventative route: don’t let this shit happen to you.
Note: It took me about 18 hours of work to get my accounts in relative security. Most of it could be done online or via phone, but some in-person visits were also required. It’s worth the investment. We live in a dangerous world.
Secure your accounts
- Use long, random passwords with numbers and special characters (!@#$%) on everything. I recommend storing your passwords in LastPass or 1Password, and ideally using only passwords these apps generate for you. A good password has more than 20 characters, of which at least a third are numbers and special characters. By nature, a password you can remember is probably not secure enough.
- Never use the same password twice. I’m serious.
- Enable Two-Factor Authentication (2FA) on everything that allows it. I recommend using Authy or 1Password to store those 2FA credentials. Using SMS for 2FA is also a viable option, so long as your phone and phone number don’t get taken over.
- Security questions like “What is your mother’s maiden name?” are a huge weak link. Assume anyone can figure out your mother’s maiden name or your best friend’s name. It’s good to enable these questions, but use a diceware-style passphrase generator like the xkcd password generator to fill the answers with gibberish words (e.g. your mother’s maiden name should be something like “amicably coventry dresser pluto grackle wailing”). 1Password can also generate diceware passphrases.
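The two generators described above (a long random password that is at least a third digits and special characters, and a diceware-style passphrase for security-question answers) as an added Python example. This is not code from the original post or from any of the tools it mentions; it uses Python’s `secrets` module for a cryptographically secure source of randomness, and the short word list is a constructed stand-in for a real diceware list of 7776 words.

```python
import math
import secrets
import string

# Policy stated in the post: more than 20 characters, and at least a third
# of them digits or special characters.
MIN_LENGTH = 21
SPECIALS = "!@#$%"
NON_ALPHA = string.digits + SPECIALS
LETTERS = string.ascii_letters

# Constructed stand-in word list. A real diceware list has 7776 entries
# (6^5, one per roll of five dice); use one of those in practice.
SAMPLE_WORDLIST = [
    "amicably", "coventry", "dresser", "pluto", "grackle", "wailing",
    "lantern", "orbit", "saffron", "tundra", "velvet", "quartz",
    "meadow", "harbor", "cobalt", "pebble", "sonnet", "walrus",
    "ember", "fjord", "granite", "icicle", "juniper", "kestrel",
    "lagoon", "marble", "nectar", "oyster", "plover", "ripple",
    "summit", "thistle", "umber", "violet", "willow", "zephyr",
]


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password satisfies the post's length and composition rule."""
    if len(password) < min_length:
        return False
    non_alpha = sum(1 for c in password if c in NON_ALPHA)
    return non_alpha * 3 >= len(password)


def generate_password(length: int = 24) -> str:
    """Random password that meets the policy by construction.

    Rather than rejection-sampling until a third of the characters happen to
    be digits/specials, pick the required number of non-alphabetic characters
    up front, fill the rest with letters, then shuffle with OS randomness.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    required_non_alpha = -(-length // 3)  # ceiling of length / 3
    chars = [secrets.choice(NON_ALPHA) for _ in range(required_non_alpha)]
    chars += [secrets.choice(LETTERS) for _ in range(length - required_non_alpha)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def diceware_passphrase(words: int = 6, wordlist=SAMPLE_WORDLIST) -> str:
    """Space-separated passphrase of `words` entries drawn uniformly from the list."""
    if words < 1:
        raise ValueError("need at least one word")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase: each word contributes log2(list size) bits."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = generate_password(24)
    print("password:", pw, "policy ok:", meets_policy(pw))
    phrase = diceware_passphrase(6)
    print("security-question answer:", phrase)
    print("bits with a full 7776-word list:",
          round(passphrase_entropy_bits(6, 7776), 1))
    print("bits with this sample list:",
          round(passphrase_entropy_bits(6, len(SAMPLE_WORDLIST)), 1))
```

The entropy figure is the reason to use a real 7776-word list rather than a small one: six words from the full list give about 77.5 bits, while six words from the 36-word sample above give only about 31 bits. The policy check also doubles as a test for passwords you already have stored.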
To jog your memory, here are some of the accounts you’ll want to make sure to secure with especially strong passwords + 2FA:
- LastPass and/or 1Password. Since it’s storing your other passwords, it needs to be super duper secure.
- Email accounts: If a hacker has access to your email account, they can basically reset any of your other passwords.
- Domains, especially if your email is hosted on a domain. If a hacker can change the DNS/MX settings for your domain, they can redirect your email and then carry out the attack above.
- Landline, internet, and cellphone providers. UPDATE: Put your cellphone provider on high alert and, if possible, ask them to permanently disable call and text-message forwarding so attackers can’t redirect your phone number as a way to get at your 2FA codes.
- Apple ID, especially if you use iMessage and receive text messages as a 2FA mechanism.
- Banks and other financial institutions: credit cards, brokerage accounts, PayPal, etc. UPDATE: Also check that your mailing addresses haven’t been changed.
- Online payroll / tax / etc. providers. Anything with your earning statements, tax returns, etc. (e.g. Intuit, ZenPayroll).
- Online bill pay or related services (e.g. online rent payment, utilities).
- Insurance provider websites (health, car, home, rental).
- Shopping sites (Amazon, etc.) or anything that might store your credit card.
- Social network accounts (Facebook, Twitter, LinkedIn, Skype, etc.), which can be used to phish for other passwords or to socially engineer further attacks.
- If you’re a developer, any code repos and cloud accounts (GitHub, AWS, etc.). Make sure your intellectual property doesn’t get compromised.
- If you have any connected apps (OAuth, etc.), which is especially common on Google, Facebook, and Twitter, you’ll want to scrutinize those closely. They can allow an attacker to keep accessing your accounts even after you’ve changed the password. Remove any connected apps you don’t recognize. If there’s any doubt, disconnect it.
Notify the institutions
- Follow the super helpful instructions at https://identitytheft.gov/, which also has the benefit of informing the FTC.
- Register your SSN with an account at http://ssa.gov so no one can register it in your place.
- Put a credit freeze on all three Credit Bureaus. You’ll have to manage the pins and temporarily disable the freeze if you want to get a credit card or loan, but this is a great way to prevent financial misuse.
- Call every bank, credit card company, and insurance company and tell them you have had identity theft or are at risk of it. Ask them to add 2FA, verbal passwords, and high-risk alerts on all of your accounts. For verbal passwords, use diceware/xkcd passphrases, not your mother’s maiden name (see above).
- Inform the IRS and your state taxation authority. Identity thieves often try to file fake tax returns to claim refunds in your name. The IRS form is here. If you live in California, the Franchise Tax Board form is here.
- For good measure, sign up for an identity theft protection mechanism. I’ve been recommended All Clear ID. Others exist.
If you start seeing stuff that’s fishy, you might need to go further and:
- Change your Social Security Number
- Change your passport / driver’s license
Thank you to all the folks who recommended many of the items on this list. If any are missing, please let me know and I’ll do my best to keep this updated. Be safe.
UPDATE: Why you should care. What attackers will try.
Just to give you a sense of why you want to do the above, attackers will attempt to:
- Create fraudulent tax returns to claim refunds from federal or state governments. This is particularly risky if you tend to file extensions on your returns, because the attackers can front-run you and file before you file your legitimate return.
- Create fake insurance claims to extract money from your insurance companies
- Access your bank or credit cards to steal money or make fraudulent charges
- Sign up for credit cards, loans, or other financial instruments tied to your financial identity, then use those to buy things, essentially stealing money from you.
- Use you as a vector (via email, social networks, etc.) to steal other people’s identities.