September 20, 2017

Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.

In my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.

On May 17, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

That story was about how Equifax’s TALX division let customers who use the firm’s payroll management services authenticate to the service with little more than a 4-digit personal identification number (PIN).

Identity thieves who specialize in perpetrating tax refund fraud figured out that they could reset the PINs of payroll managers at various companies just by answering some multiple-guess questions — known as “knowledge-based authentication” or KBA questions — such as previous addresses and dates that past home or car loans were granted.

On Tuesday, Sept. 18, Bloomberg ran a piece with reporting from no fewer than five journalists there who relied on information provided by three anonymous sources. Those sources reportedly spoke in broad terms about an earlier breach at Equifax, and told the publication that these two incidents were thought to have been perpetrated by the same group of hackers.

The Bloomberg story did not name TALX. Only post-publication did Bloomberg reporters update the piece to include a statement from Equifax saying the breach was unrelated to the hack announced on Sept. 7, and that it had to do with a security incident involving a payroll-related service during the 2016 tax year.

I have thus far seen zero evidence that these two incidents are related. Equifax has said the unauthorized access to customers’ employee tax records (we’ll call this “the March breach” from here on) happened between April 17, 2016 and March 29, 2017.

The criminals responsible for unauthorized activity in the March breach were participating in an insidious but common form of cybercrime known as tax refund fraud, which involves filing phony tax refund requests with the IRS and state tax authorities using the personal information from identity theft victims.

My original report on the March breach was based on public breach disclosures that Equifax was required by law to file with several state attorneys general.

Because the TALX incident exposed the tax and payroll records of its customers’ employees, the victim customers were in turn required to notify their employees as well. That story referenced public breach disclosures from five companies that used TALX, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

When asked Tuesday about previous media coverage of the March breach, Equifax pointed National Public Radio (NPR) to coverage in KrebsonSecurity.

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Or, check out these stories about how tax refund fraudsters used weak KBA questions to steal personal data on hundreds of thousands of taxpayers directly from the Internal Revenue Service’s own Web site. It’s probably worth mentioning that Equifax provided those KBA questions as well.

ANALYSIS

Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

To be sure, Equifax has dug themselves into a giant public relations hole, and they just keep right on digging. On Sept. 8, I published a story equating Equifax’s breach response to a dumpster fire, noting that it could hardly have been more haphazard and ill-conceived.

But I couldn’t have been more wrong. Since then, Equifax’s response to this incident has been even more astonishingly poor.

EQUIPHISH

On Tuesday, the official Equifax account on Twitter replied to a tweet requesting the Web address of the site that the company set up to offer its free year of credit monitoring service. That site is https://www.equifaxsecurity2017.com, but the company’s Twitter account told users to instead visit securityequifax2017[dot]com, which is currently blocked by multiple browsers as a phishing site.
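The mix-up above is a classic look-alike domain: the same brand words and year, reordered. As an added illustration (this is example code written for this post, not code from Equifax or from KrebsOnSecurity), here is a small Python checker of the kind a help desk or social-media team could run against any URL before publishing it. The only real names in it are the two domains quoted above; the BRAND_TOKENS vocabulary, the function names and the similarity threshold are this example’s own assumptions. It also accepts “defanged” input such as the [dot] notation used above, and it goes slightly beyond the article’s single case by also flagging inserted separators and one-letter typos.

```python
"""Flag look-alike domains for a known-good site (added example, not the post's code)."""
import re
from difflib import SequenceMatcher

# Assumed brand vocabulary for the legitimate hostname (this example's own choice).
BRAND_TOKENS = ("equifax", "security", "2017")

# Anything at least this similar (difflib ratio, 0..1) counts as a near-match.
NEAR_MATCH_THRESHOLD = 0.8


def normalize(domain: str) -> str:
    """Lowercase, drop scheme/path/www, and undo common defanging such as [dot]."""
    d = domain.strip().lower()
    d = re.sub(r"^[a-z]+://", "", d)          # https://host/... -> host/...
    d = d.split("/", 1)[0]                    # host/path -> host
    d = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", d)
    d = d.rstrip(".")
    return d[4:] if d.startswith("www.") else d


def registrable_label(domain: str) -> str:
    """Everything left of the last dot (naive public-suffix handling, fine for .com)."""
    return domain.rsplit(".", 1)[0]


def tokenize(label: str) -> list:
    """Split a label into brand words, digit runs and leftover letter runs.

    Longest brand tokens are tried first so 'securityequifax2017' becomes
    ['security', 'equifax', '2017'] rather than a single letter run.
    """
    brand = "|".join(re.escape(t) for t in sorted(BRAND_TOKENS, key=len, reverse=True))
    return re.findall(brand + r"|\d+|[a-z]+", label)


def classify(candidate: str, legitimate: str) -> str:
    """Return 'legitimate', 'unrelated', or a 'lookalike:<reason>' verdict."""
    cand, legit = normalize(candidate), normalize(legitimate)
    if cand == legit:
        return "legitimate"
    c_label, l_label = registrable_label(cand), registrable_label(legit)
    c_tokens, l_tokens = tokenize(c_label), tokenize(l_label)
    if c_tokens == l_tokens:
        # Same words in the same order; only separators or the TLD differ.
        return "lookalike:same-tokens"
    if sorted(c_tokens) == sorted(l_tokens):
        # Same words, different order: the securityequifax2017 case.
        return "lookalike:token-transposition"
    if SequenceMatcher(None, c_label, l_label).ratio() >= NEAR_MATCH_THRESHOLD:
        # Small edit distance, e.g. a dropped or swapped letter.
        return "lookalike:near-match"
    return "unrelated"


if __name__ == "__main__":
    LEGIT = "https://www.equifaxsecurity2017.com"
    # Constructed sample inputs: the two domains from the article plus made-up variants.
    for url in (LEGIT, "securityequifax2017[dot]com", "equifax-security2017.com",
                "equifaxsecurty2017.com", "example.com"):
        print(f"{url:40s} -> {classify(url, LEGIT)}")
```

Run stand-alone it prints a verdict per sample URL; in practice the check belongs wherever a link is copied into a customer-facing message, with anything other than "legitimate" blocked for human review.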


FREEZING UP

Under intense public pressure from federal lawmakers and regulators, Equifax said that for 30 days it would waive the fee it charges for placing a security freeze on one’s credit file (for more on what a security freeze entails and why you and your family should freeze your files, please see The Equifax Breach: What You Should Know).

Unfortunately, the free freeze offer from Equifax doesn’t mean much if consumers can’t actually request one via the company’s freeze page; I have lost count of how many comments have been left here by readers over the past week complaining of being unable to load the site, let alone successfully obtain a freeze. Instead, consumers have been told to submit the requests and freeze fees in writing and to include copies of identity documents to validate the requests.

Sen. Elizabeth Warren (D-Mass) recently introduced a measure that would force the bureaus to eliminate the freeze fees and to streamline the entire process. To my mind, that bill could not get passed soon enough.

Understand that each credit bureau has a legal right to charge up to $20 in some states to freeze a credit file, and in many states they are allowed to charge additional fees if consumers later wish to lift or temporarily thaw a freeze. This is especially rich given that credit bureaus earn roughly $1 every time a potential creditor (or identity thief) inquires about your creditworthiness, according to Avivah Litan, a fraud analyst with Gartner Inc.

In light of this, it’s difficult to view these freeze fees as anything other than a bid to discourage consumers from filing them.

The Web sites where consumers can go to file freezes at the other major bureaus — including TransUnion and Experian — have hardly fared any better since Equifax announced the breach on Sept. 7. Currently, if you attempt to freeze your credit file at TransUnion, the company’s site is relentless in trying to steer you away from a freeze and toward the company’s free “credit lock” service.

That service, called TrueIdentity, claims to allow consumers to lock or unlock their credit files for free as often as they like with the touch of a button. But readers who take the bait probably won’t notice or read the terms of service for TrueIdentity, which has the consumer agree to a class action waiver, a mandatory arbitration clause, and something called ‘targeted marketing’ from TransUnion and their myriad partners.

The agreement also states TransUnion may share the data with other companies:

“If you indicated to us when you registered, placed an order or updated your account that you were interested in receiving information about products and services provided by TransUnion Interactive and its marketing partners, or if you opted for the free membership option, your name and email address may be shared with a third party in order to present these offers to you. These entities are only allowed to use shared information for the intended purpose only and will be monitored in accordance with our security and confidentiality policies. In the event you indicate that you want to receive offers from TransUnion Interactive and its marketing partners, your information may be used to serve relevant ads to you when you visit the site and to send you targeted offers. For the avoidance of doubt, you understand that in order to receive the free membership, you must agree to receive targeted offers.”

TransUnion then encourages consumers who are persuaded to use the “free” service to subscribe to “premium” services for a monthly fee with a perpetual auto-renewal.

In short, TransUnion’s credit lock service (and a similarly named service from Experian) doesn’t prevent potential creditors from accessing your files, and these dubious services allow the credit bureaus to keep selling your credit history to lenders (or identity thieves) as they see fit.

As I wrote in a Sept. 11 Q&A about the Equifax breach, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to divert people away from freezes. Their motives for saddling consumers with even more confusing terminology are suspect, and I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

Experian’s freeze Web site has performed little better since Sept. 7. Several readers pinged KrebsOnSecurity via email and Twitter to complain that while Experian’s freeze site repeatedly returned error messages stating that the freeze did not go through, these readers’ credit cards were nonetheless charged $15 freeze fees multiple times.

If the above facts are not enough to make your blood boil, consider that Equifax and other bureaus have been lobbying lawmakers in Congress to pass legislation that would dramatically limit the ability of consumers to sue credit bureaus for sloppy security, and cap damages in related class action lawsuits to $500,000.

If ever there was an industry that deserved obsolescence or at least more regulation, it is the credit bureaus. If either of those outcomes is to become reality, it is going to take much more attentive and relentless coverage on the part of the world’s top news publications. That’s because there’s a lot at stake here for an industry that lobbies heavily (and successfully) against any new laws that may restrict their businesses.

Here’s hoping the media can get up to speed quickly on this vitally important topic, and help lead the debate over legal and regulatory changes that are sorely needed.


123 thoughts on “Equifax Breach: Setting the Record Straight”

  1. Pessimist

    block! schmock! freeze! sneeze!! all of this blocking and freezing is a waste of time & effort. Everyone’s data is out there for the taking, if you’re willing to provide personal data to various websites, be prepared for it to be used illegally. NO WEBSITE IS SAFE, they can all be breached.

    Every consumer must do their own data monitoring as often as possible. Don’t depend on the gov’t or any other agency to help.

    1. BrianKrebs Post author

      That’s exactly the attitude ID thieves and the bureaus want to instill in Americans: Defeatism, so nobody does anything to change the status quo.

      1. Pete 2

        Even those with a jaundiced view can be convinced to spend less than 2 minutes: Safer and less painful than the web form Equifax wants used, you can do a phone freeze with them if you know the “secret” phone number. Just tell the automated system your SSN and numeric portion of address, they initiate the freeze, give you a 10 digit PIN, and promise a followup mailing. It speaks the PIN and confirmation number too fast, but you can say “repeat.” The phone number I just successfully used: 800 349-9960
        Pay it forward.

      2. burrell

        two days after the breach, I used the telephone system to freeze my reports at the big three and at Innovis.

        there were no issues with any of the phone call based freezes.

        1. Jasey

          How much did it cost you to do all four? And kudos for remembering Innovis.

  2. Caleb Cushing

    > Equifax said that for 30 days it would waive the fee it charges for placing a security freeze on one’s credit file

    30 days from when? when does this end?

    1. BK Cobb

      Don’t know when this waiver was announced or will end, but it must have been after I set up my security freezes. I just noticed the fees for those freezes were returned to my credit card.

  3. John

    I’ve had a freeze with all three credit agencies going back several years. Now, since the Equifax blowup, are those longtime freezes no longer valid? I would appreciate advice and recommendations. Thank you.

    1. J Cross

      I too implemented credit freezes with Experian, Equifax and TransUnion several years ago (thanks to Krebs on Security). After reading about the Equifax hack here, I went to each bureau online to check that the freezes were still in place. I don’t have accounts with them, because I don’t subscribe to their monitoring services. There was no straightforward way to find that information. My work arounds were to: 1) follow the links to unfreeze my data and cancel before entering my PIN and/or 2) follow the links to establish a new freeze and cancel before submitting the information. Using one or both techniques, I found that my freezes were still in place. I didn’t try calling (I’m out of the country and many time zones away), but that might work too.

      1. Tom

        You can also try to apply for credit somewhere and as long as they can’t see your file you know it’s still frozen.

    2. Rick

      Yes, our old freezes are in place, but considering what I’ve learned recently reading these articles…BIG DEAL! If you can, in fact, believe Equifax that PINs weren’t included in the information so readily given away by them, does it really matter under the circumstances?

      If PIN numbers are so easily determined, and the breach was from the Dispute Portal, how hard can it be to determine the date driven algorithm appointed PIN? After all, weren’t most freezes in the past, done in conjunction with a dispute—often connected to fraud? I suspect many freezes and dispute claims share the same date – thus an easily discernible PIN.

      Plus, consider, even freezing doesn’t really “freeze” your information. Anyone who says they do business with you can still access it without your permission–other than in the small print in their terms of service.

      I think the solution is relatively simple on its face. That’s assuming the US Gov. has updated their security and its sites are truly secure (note I said “assuming”). They should assign us all NEW SOCIAL SECURITY NUMBERS. And, our SS number should not be used, nor required by every Tom, Dick & Harry–including for our medical records.

      There has to be a method of securing our information.

      Data mining has become too prevalent, too invasive and too free to sell to whomever they want. Those companies should all be shut down!

      Sorry, but they weren’t thoughtful and didn’t give a damn about collecting every fact they could about us and selling it. All they cared about was the money they’d make. I’m tired of trying to do everything right and having others, without my consent, accumulating my personal information and distributing/selling it lawfully! If they weren’t doing it, hackers couldn’t steal it.

      All information gained by them should be destroyed–as well as their hardware, software, and all other records that contain any of it. That won’t get back what is already out there, but NEW SS NUMBERS will make it harder to use and it will prevent the accumulation and distribution of more information safeguarding the other half of the US population who wasn’t included in this hack.

      Since companies can’t be trusted to keep personally identifiable information secure and private, they shouldn’t be allowed to accumulate it for any reason. After all, a company is merely a legal and or commercial identity. It’s not a living, breathing human being. It doesn’t need to worry about keeping the roof over its head, or the food needed to feed its family. Yes, its employees do, but they can get another job. It’s not like unemployment is 10%—it’s the lowest it’s been in many, many years.

      I think our security is more important than the companies and their profits. As fast as the so-called “security experts” come up with a new system, the hackers come up with a way to breach it and sell our information for illegal, fraudulent purposes.

      The three credit bureaus have shown themselves to be more interested in their bottom lines than our security and survival. This breach is just a windfall for them. All three are advertising their “security programs” 24/7 on TV, the web and I “assume” everywhere else. Watch their profits explode. In the same vein, so is LifeLock—an Equifax firm–which also has been hacked! Sure thing! I’ll just hand over all my sensitive information to them to protect!

      Defeatism isn’t the answer—getting damn mad is! Fighting them is. Holding their feet to the fire and making them responsible for ANY AND ALL LOSSES – UNLIMITED. Unlimited time frame and unlimited dollar amount. If your losses are more than $1million too bad, they still have to make you WHOLE. If your losses don’t occur for 10 or 20 yrs — too bad, they still have to make you WHOLE. They’ve made us all vulnerable for the rest of our lives. Their responsibility should last at least that long and cover everything that’s lost without limitations.

      That doesn’t even cover pain and suffering, time wasted, trauma….

      SO.. yes, your freeze should still be in place but it, apparently, doesn’t mean much. They said they’d come out with a program to change our PINS within days, but weeks later, I can’t find anything on that.

  4. Johann

    I was able to get a freeze placed (finally) at all 3 of the big ones. My secret, do it in the middle of the night on Sunday. I think during the daytime their servers are so woefully underpowered that they just get swamped. So try late at night(really late at night), hopefully that works for others.

    1. laura ann

      If on Eastern time, 5 or 6 am should be ok, most people are still in bed. Taylor: I would like to see those in charge of security fined heavily, given a felony record and much community service. Gov. needs to shut down all credit agencies and people have to give references when taking out a loan to prove other bills are/have been paid on time incl utility bills, former landlords, car loans, and bank issued credit cards.

  5. Taylor

    I’d love to see the leaders of these credit bureaus in jail for their gross mishandling of our PII.

  6. E Healy

    Innovis has a very similar “vulnerability.” I just ordered a report from them. To order a credit report over the phone nothing is required other than name, address, date of birth, and social security number of the person in question! Wow.

  7. Don Bullick

    I am new to the credit bureau horror show. Since the Equifax breach I tried to get a credit report from TransUnion and Experian online. In one case I was told to apply in writing. In the other, I called the phone number to submit my information. They said a report would be mailed to me in 15 days. I also tried unsuccessfully, to open an online bank account with Barkley’s. The website generated an error and I was given a number to call. When I did, they said I had to email them a photo copy of my driver’s license and my social security card. This didn’t seem very secure, so I canceled the account. Are others having similar experiences since the Equifax breach?

    1. JCitizen

      By law, each of the big three reporting services owe you one free credit report a year. By going online to gain a free credit report download, you can do that three times a year for free. Occasionally the web page will error and it will suggest you send the request by mail and it offered to download a form. It has also been my experience that just canceling out and coming back later gains success, and makes mailing in the request superfluous. YMMV.

      Be prepared to pay for a lot of paper and printer ink though, those reports can be over 18 pages long if you have a busy credit record. However also be aware that credit reports will not always reflect other ID theft activities, that is why a freeze is much better, but I’ll be damned if I’m going to pay for it, when this was Equifax’s fault in the first place!

  8. Vincent Lo

    Aside from firewalls, IPS/IDS, everyone agrees that patch management is absolutely critical. How about endpoint security protection? Is anyone keeping score on what antivirus/antimalware software was used by Equifax, Target, Home Depot and the like?

    I would love to have that information before I buy the next endpoint security software!

    1. JCitizen

      This breach could have been avoided completely by simply doing their job and updating the Apache server Struts service to the new CVE for java based services. Buying a lot of things like end point protection or antivirus can be just a band aid compared to actually patching all operating systems, application, gateway network devices and switches, and other devices. You know – basic job requirements. That is what makes this breach so vexing for me. Why am I expected to pay for their lazy worthless mistakes when it is THEIR fault the breach happened in the first place??!! AAARRrrg!!! 🙁

      1. Teddy

        I heard their IT was outsourced to Infosys…I have not confirmed

  9. JohnL

    Mr. Krebs, like many people I appreciate your continued coverage of this debacle as it unfolds. Thank you for your great work.
    While I suspect it may not stand much of a chance in the Senate, I suspect the bill introduced by Senator Warren may have a better chance if those of us who support it write to our representatives. To that end, it would be helpful to have the Bill’s identification number readily available to your readers. I know I was able to find it (https://www.congress.gov/bill/115th-congress/senate-bill/1816); but, if you could include the bill’s reference number: S.1816 in your articles, it may be helpful for others who aren’t used to digging up details like that.

    1. Steve

      Just make sure that you read the entire bill before showing support for it. If there is more to it than was described here (I haven’t read it yet), you may just find that you’re supporting something you don’t support!

    2. JCitizen

      Yeah Senator Warren is a rabid junk yard dog – I’d be suspicious of anything she starts. Just keep the pressure on you congressmen and senators and tell them the credit reporting agencies have go long enough without regulatory over sight. In fact all they’d have to do is pass some of this off to the Consumer Financial Protection Bureau. If you have any trouble with these services or detect ID theft because of it, and don’t want to be fleeced by the credit reporting agencies that would be a good place to lodge a complaint.

      1. JCitizen

        Sorry for the typo – I meant to write “have gone long enough without regulatory oversite” I would still think the CFPB would be a good place to call though – if they aren’t buried already!

      2. Mike

        Elizabeth Warren is hardly a “rabid, junk yard dog” except when it comes to going after the criminals in the financial industry.

        I suspect her detractors get their paychecks from the same industry.
        She’s fought time after time for the little guy being abused by the multiply lawyered banks and credit agencies.

        Her record speaks for itself.
        Her opponents are hiding something or complicit in the crimes she’s fighting against.

    3. myshkin

      Better than free credit freezes would be frozen by default, as several articles have suggested, so your information could only be released by affirmatively getting your OK.

    4. Reader

      That Senate Bill would continue the Obama policy of forcing settlements that pay into community-action slush funds for use by racial and ethnic based activists. It also would permit settlements for other criminal negligence, which avoids precedent setting damages against bad corporate actions.

      That Senate bill fails to enact actual regulation, instead it empowers Deep State bureaucrats to invent regulations as they see fit. Yes, the same Deep State bureaucrats who have already allowed this situation to occur…. repeatedly.

      The proposed Senate bill won’t actually force any real changes to the security or credit industries. It’s just another publicity stunt by Senator Pocahontas.

  10. Kris Alman

    As a victim of tax identity theft in 2014, my husband and I “benefit” by having 7 years of a free credit freeze. (The following year, I learned I was part of the OPM data breach.) In January 2017, unknown actors assumed our identity and tried to start two new businesses in each of our names Mineral Royalties Dealers for my husband; Aurora West Inc. for me. Because of the freeze, Bank of America refused the fraudsters credit! I, like John above, worry that our freeze is melting at Equifax.

  11. FunnyBits

    “Credit lock” is very much a play on words and to most would give the impression that it is the same as a “Credit Freeze”. Very deceptive tactic by TransUnion.
    It’s unfortunate that Equifax’s mistake will inadvertently hurt all the Credit Bureaus’ bottom line as now no one should feel that their most personal info is safe with ANY of these companies.
    We all need to be security conscious and we should all “Freeze Our Credit” to ensure that we are not dealing with fraudulent opening of accounts that will haunt you for years.
    (Err on the side of caution)
    Equifax/Experian/TransUnion/Innovis- Security Freeze all of them for your family members.
    On another note. NOTICE we initially heard about the Equifax Exec’s selling off Stocks prior to the public notification. We haven’t heard anything more in the press about SEC investigations on this matter… WHY?

  12. Brad Houser

    I did what they said to do to enroll. Then a notice that said go to a URL on 9/13 came up saying “This is your only notice”. So I made a note and came back on the date and tried to complete the enrollment. After entering my email and part of my SSN, I was told I would receive an email. That was over a week ago! Where is the commitment to give me my one year of credit monitoring and credit freeze? Are they hoping we will all forget about it? I am disgusted with these services.

    1. Dave

      I’m in the same situation Brad. My enrollment date was 9/14 and no response since I did my part. Their call center has no access to enrollment status queries. They just redirect me to other 800 numbers that are completely overwhelmed (or intentionally disabled). My next stop is to start complaining to my elected officials in Washington. Probably futile but maybe combined with other voices, someone will get heard.

    2. larry

      Same thing here. Been waiting a week, and no email from Equifax.
      Another example of how overwhelmed and ill-equipped this company really is.

      1. Ken

        I enrolled on 09/14, never received the e-mail confirmation. On 09/18, I called Equifax Customer Service, she asked for my e-mail address to see if I “was at least in the system”, she said I was. She then said they were backlogged and to wait another day or so & I should receive the email, I never did. Today, 09/22, I called Customer Service and they told me they don’t have my e-mail in the system!? She apologized & asked that I enroll again from scratch, I did. Two hours later, I received the email and now I am set up for monitoring. I found out on Reddit that others had to do the same thing I did.

    3. #EquiFAIL #NoConfirmationEmails #AintGotAnyMorePatienceForThisEquifaxSh!t

      it has been at least a week for our family waiting for confirmation emails. checked our spam/junk folders also. nothing. nada. zilch. then got on twitter and saw a bunch of people waiting also. like waiting forever now. so, sent a direct message asking those Equifax fools what’s the hold up on the delay with getting the confirmation email for enrolling at their stupid EquifaxSecurity2017.com website. specifically told them that have been waiting for at least a week. what’s the deal?! and this is their response:

      Hi ,
      Due to the number of people who have requested enrollment in the TrustedID Premier product, we are experiencing periodic delays in issuing confirmation emails. We assure you we are working diligently to send confirmation information as quickly as possible, and apologize that you have not yet received your confirmation email. We are continuing to work to make the experience smoother. We appreciate your patience.
      Amina

    4. Anon Noname

      Finally got this in my email. After over ten days of waiting. My question now is this: If they can send me this lengthy email, why can’t they send me the actual activation/confirmation email??? Anyways, here is the Equifax email saying that we have to still continue waiting:

      Important Information About Your TrustedID Premier Activation

      Dear ,

      We recognize you may not have received your activation email for TrustedID Premier. We apologize for the delay and assure you we are working diligently to send your activation email as quickly as possible.

      To help you know what to expect moving forward, we have included a description of the TrustedID Premier activation process below, which explains the steps you should take once you receive your activation email.

      What to expect next:

      You will receive an email from “Trusted ID Customer Service” [no-reply@trustedid.com] which will clearly state “Your Activation Email is Here.” Please be sure to check your junk or spam folders in case the email was filtered to those mailboxes.

      When the email arrives, you will be asked to answer some questions about yourself to verify your identity so that you can complete your enrollment in TrustedID Premier. During the initial enrollment process, if you provided us with a valid mobile number that we can confirm, you may be given an option to validate your identity through a PIN or passcode that will be sent to your mobile phone.

      Once you have gone through the process of verifying your identity, you will be able to create a unique password so you can quickly and easily log in to TrustedID Premier to begin your credit monitoring service, and lock and unlock your Equifax Credit File.

      We appreciate your patience, and please know we are doing everything we can to make the experience faster and more convenient for everyone.

      Sincerely,
      Your Equifax Customer Care Team

    5. Jonathan Little

      It took over a week to get my email. The site then eventually (there’s another 48hr waiting period after sign-up to access most features!) provides the ability to lock one’s Equifax report, see alerts, see their current Equifax report in a really terrible format, and the results of some SSN search service they perform. Oh yeah, and it’s slow as heck during most waking hours.

      Overall the service seems similar to one I’ve been receiving through my AAA membership by Experian for ages.

    1. JCitizen

      I’m so mad I could do worse than the 1% demonstrators at this point!

  13. Mister Ed

    I MEANT Experian! Well, audit all 3 of them, frankly.

    Are any of the credit unions using audited SOP?

    These people have the keys to the kingdom and their fly is down over and over again.

    No wonder identity theft is exploding.

  14. Hans

    Trans (G) Union website has crashed. Will not finish the application process.

    We need CONgress to mandate freezes and not the other way around.

    All leakers need to be sued to the max.

  15. Deedee

    I’ve called the above Equifax # (after verifying its authenticity) and I never get an option to select #3 or any other number; just repeated directing to web site for faster service or to hold (hold time greater than 15 minutes). If I punch #3 anyway, it throws me back to the very beginning and repeats all the above. What am I missing here?

  16. C Davis

    I think the credit reporting agencies should work like a firewall:
    Everything is blocked by default, and you only open it for those that need access.

    As soon as a credit reporting agency starts collecting data for an individual, the account should be frozen. The agency can notify the individual via snail mail regarding options to allow access for creditors.

    1. Hans

      Thank you, Mr Davis.

      Finally someone posted a most relevant answer to an ongoing problem.

      In fact, these credit reporting agencies should have their database mixed with fictitious accounts, to make them valueless to hackers.

      WARNING: This poster graduated with a GED.

  17. Ron

    So far I have seen what went wrong – have not seen what can be fixed with Equifax. If patching was that easy it would have been done; blaming it on availability is an excuse – am sure if you dig deeper you will find what is really going on.

    This negative mentality is what is driving easy hacks

  18. Hans

    This is the type of conduct and actions which leads to either governmental units, regulations or statutes.

    I suspect Sen Pocahontas is codifying the necessary language, to bring these rogue organizations into responsible civic, consumer compliance.

    These credit firms have only themselves to blame.

  19. David coorey

    I’m a member of Experian in the UK and have been for 10 years. They don’t even offer a credit freeze service.

  20. keith

    So if I got tricked and registered for TrueIdentity thinking it was the same as freezing with Transunion, should I still pay the money and freeze my transunion account?

  21. nulldev

    You are not kidding about TransUnion trying to steer people to alternative or paid services. I just placed a “Fraud Alert” (yes, I know it is limited compared to a Freeze) through the TransUnion phone line. Not once but twice I had to listen to a rather longish rambling about getting a 30-day free trial to their paid service. After I indicated no the first time they start up again with “are you sure …” and then just as long or longer of a message about it. Other than that pretty painless I guess, but ridiculous that they went through the whole pitch twice.

  22. I.M.

    Received two letters from Equifax today after requesting a new PIN for my previously frozen credit file.

    Both letters dated September 18, 2017.

    One letter with new PIN confirming file was frozen, second letter confirmed the security freeze was “permanently removed”.

    Called 800-349-9960 & it confirmed my file was still frozen. (I’m assuming they had to unfreeze & re-freeze my file to generate a new PIN).

    Oh, and the TrustedID service shows my Equifax file with an open “X” padlock saying to call Customer Service. Customer Service was clueless. I’m assuming they weren’t able to access my files at Experian & Transunion which were frozen years ago.

  23. David

    Nothing new; if it happened to the Pentagon, should the credit bureaus be a surprise? There is no accountability, no one goes to jail, and until that happens: Pay Your Nickel and enjoy the ride.

  24. timeless

    @Brian, who charges $20?

    In general, nothing lists $20 [1].

    The highest is $15 (e.g. NY) — TransUnion [2], Equifax [3]. Oddly it’s $10 for Experian [4].
    Innovis freezes are free [5].

    [1] https://www.creditcards.com/credit-card-news/credit-freeze-laws-50-states.php
    [2] https://www.transunion.com/credit-freeze/credit-freeze-information-by-state
    [3] https://help.equifax.com/servlet/fileField?entityId=ka137000000DSDyAAO&field=attachment__body__s
    [4] http://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/new-york/
    [5] https://www.innovis.com/personal/lc_securityFreeze

    1. BrianKrebs Post author

      Delaware:

      http://consumersunion.org/pdf/security/securityDE.pdf

      Note, there is a very good reason they have the highest fee in the land: It’s also perhaps the most business friendly state in the union. All laws are passed behind closed doors and not open to the public. Citizens of that state actually have to be invited by a representative to sit in on deliberations over new laws.

      I wrote a story in 2007 for The Washington Post about the hard-fought effort to get freeze laws passed there. It was quite a slog:

      http://www.washingtonpost.com/wp-dyn/content/article/2007/05/09/AR2007050900427.html

      1. timeless

        I think that improved in 2009 [1]:
        «… (5) A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to paragraph (b)(4) of this section shall comply with the request no later than 3 business days after receiving the request. By no later than January 31, 2009, a consumer reporting agency shall honor such a request made by electronic mail or by telephone within 15 minutes of receiving the request.
        … (8) If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow that consumer’s own credit report to be accessed for that specific period of time, the third party may treat the application as incomplete.
        … (13) A consumer reporting agency may charge a consumer for a security freeze service only in the following discrete circumstances:
        … a. Ten dollars for the initial application for the consumer’s first personal identification number or password.
        … b. Five dollars for the initial application for a person age 65 years or over.»

        [1] http://delcode.delaware.gov/title6/c022/index.shtml

  25. saint0192

    Hi Brian,

    I know this is a few days old, but wasn’t sure where else to ask. I am starting to see Experian offering a “Free Dark Web scan” in TV commercials. My immediate thought is that it is useless and simply being touted since it has a big buzz word and they are going to profit from the Equifax scare. I was wondering if you’d seen this and/or were already checking it out? I’d love to hear your thoughts.

    Thanks – and I love your work! Keep it up!

    1. Neville

      I cracked up laughing the first time I heard the ad … almost crying. My wife was rather worried, and I had to explain how TOR (Dark Web) spreads the data across tens of thousands of users. You can’t scan the Dark web! You can download a file – which pulls data for that one given file from thousands of locations – and then scan that file. However, most files with user data will only be known to a limited number of private key users, i.e. there’s no directory or hard drive to search.

      Total fantasy, and criminally misleading of the public.

  26. Justin

    Brian, thank you for great article once again! Could you please clarify the following.

    “TransUnion’s credit lock service (and a similarly named service from Experian) doesn’t prevent potential creditors from accessing your files”

    Is this true? I thought the TransUnion page says it DOES prevent access to credit reports for the vast majority of cases (one exception is insurance companies, which I think is “good”, since I want insurance companies seeing it and not increasing insurance rates on me, like they would with a freeze). More specifically, the TransUnion quote is:

    “… while a credit lock prevents most third party access to your credit report, a third party may access a locked report in certain instances that are considered a low risk for identity theft, such as official government investigations, collection activities and insurance underwriting and claims administration.”

    My main concern is that the report is not reachable by banks and financial institutions for the purpose of opening new accounts.

    What am I missing?

    P.S. As an aside: upon signing up, I recall UNchecking the box for advertisements; but even if I get some ads, I know how to ignore them, if I understood the feature right.

  27. acorn

    Yesterday, the new CEO of Equifax announced that Equifax will now offer free, unlimited credit freezes and unfreezes for life.

    idtheftcenter.org/Identity-Theft/equifax-makes-amends-with-free-credit-freezes-for-life

  28. Edgar

    I wrote Experian and asked them about this. Well I knew they would not answer so I went through the CFPB so they had to answer. They said if anyone gets one of the four security questions wrong (they didn’t argue that anyone who stole my ID could easily get to that point) they would get a message requiring them to write in and provide proof they are who they say. It sounded like it locks that PIN retrieval feature until they do that. So my solution is to log on and intentionally get one or all of the security questions wrong and lock the PIN retrieval feature on your account. Hopefully that is a permanent thing.

    1. Edgar

      Oops, replied to the wrong article, this is about the Experian giving away your PIN article.

Comments are closed.