More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.
Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.
Here’s a redacted example of an email Equifax sent out to one recipient recently:
As we can see, the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.
The above-pictured message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.
My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I’d further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.
The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.
What’s more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.
While there’s nothing wrong with that exactly, one might reasonably ask: Why didn’t Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn’t that have considerably lessened any suspicion that this missive might be a phishing attempt?
Perhaps, but you see while TrustedID is technically owned by Equifax Inc., its services are separate from Equifax and its terms of service are different from those provided by Equifax (almost certainly to separate Equifax from any consumer liability associated with its monitoring service).
What’s super-interesting about trustedid.com is that it didn’t always belong to Equifax. According to the site’s Wikipedia page, TrustedID Inc. was purchased by Equifax in 2013, but it was founded in 2004 as an identity protection company which offered a service that let consumers automatically “freeze” their credit file at the major bureaus. A freeze prevents Equifax and the other major credit bureaus from selling an individual’s credit data without first getting consumer consent.
By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).
Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free service that consumers can request to block creditors from viewing their credit files.
[Author’s note: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.]
Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.
In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.
WHAT SHOULD YOU DO
These days, consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers. As detailed in the analysis section of last week’s story — Equifax Breach: Setting the Record Straight — many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.
Other bureaus, like TransUnion and Experian, are trying mightily to steer consumers away from a freeze and toward their confusingly named “credit lock” services — which claim to be the same thing as freezes only better. The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone who comes asking for them (including ID thieves); and consumers who opt for them over freezes must agree to receive a flood of marketing offers from a myriad of credit bureau industry partners.
While it won’t stop all forms of identity theft (such as tax refund fraud or education loan fraud), a freeze is the option that puts you the consumer in the strongest position to control who gets to monkey with your credit file. In contrast, while credit monitoring services might alert you when someone steals your identity, they’re not designed to prevent crooks from doing so.
That’s not to say credit monitoring services aren’t useful: They can be helpful in recovering from identity theft, which often involves a tedious, lengthy and expensive process for straightening out the phony activity with the bureaus.
The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit. But there’s no need to pay for these services: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.
There’s a small catch with the freezes: Depending on the state in which you live, the bureaus may each be able to charge you for freezing your file (the fee ranges from $5 to $20); they may also be able to charge you for lifting or temporarily thawing your file in the event you need access to credit. Consumers Union has a decent rundown of the freeze fees by state.
In short, sign up for whatever free monitoring is available if that’s of interest, and then freeze your file at the four major bureaus. You can do this online, by phone, or through the mail. Given how unreliable the credit bureau Web sites have been for placing freezes these past few weeks, it may be easiest to do this over the phone. Here are the freeze Web sites and freeze phone numbers for each bureau (note the phone procedures can and likely will change as the bureaus get wise to more consumers learning how to quickly step through their automated voice response systems):
Equifax: 866-349-5191; choose option 3 for a “Security Freeze”
–Press 2 “To learn about fraud or ADD A
–Press 2 “for security freeze options”
–Press 1 “to place a security freeze”
–Press 2 “…for all others”
–enter your info when prompted
–Press 1 for English
–Press 3 “to place or manage an active duty alert
or a SECURITY FREEZE”
–Press 2 “to place or manage a SECURITY
–enter your info when prompted
Transunion: 888-909-8872, choose option 3
If you still have questions about freezes, fraud alerts, credit monitoring or anything else related to any of the above, check out the lengthy primer/Q&A I published here on Sept. 11, The Equifax Breach: What You Should Know.
The end of online security will happen one day. Someone will hack an entire credit bureau and put all the info online on multiple servers across the net. Actually, it does not have to be hacked. One employee with root access can accomplish most of a complete breach. Snowden did the tip of the iceberg. He says he was trying to be patriotic.
I received the email asking me to verify my id by clicking on the trustedidpremier.com link to verify my identity. Thinking that it was a possible phishing attempt, I started some research, which led me immediately to your excellent summary.
After reading your post, I am still left with a question: Is the link legitimate and can I trust it?
Why has this comment not been replied to by Krebs? No where in this article does it say if we should ACTUALLY trust this email & link or not.
As a rule of thumb, *never* click on a link in an email. There’s a very high probability that the email is not from who it is claiming to be from. A link in an email is one of the primary tactics that scammers use to pilfer data, gain priveleges on your computer, etc.
If your identity truly needs to be confirmed by a company for some reason, there are other ways to go about it. You can go to that company’s website and log in if you have an account with them, or you can call them (of course, using a phone number you obtained from the company’s website, *not* a phone number that was sent in an email).
The main idea is: if you take an active approach –a hands-on approach– by going to a company’s website to confirm informtion or by phoning them, you’ll massively reduce the likelihood that you’ll fall victim to a phishing/social engineering attack. The passive approach would be to (1.)accept at face value the validity of the email in front of you, and then (2.)click on that link in the email and provide the requested info. Then you’re at the mercy of whoever really sent you that email, and that’s not where you want to be.
Shouldn’t TrustedIdPremier.com use an EV (Extended Validation) security certificate designed for sites that gather information like Social Security and credit card numbers instead of using the standard certificate that is used for information like emails?
I’ve called 3 numbers being referred to each one consecutively then being put on hold by the last (888.548.7878) one at Trusted ID before being cut off as I was transferred to a supervisor. Of course, they took my number to call me back but never did.
–TrustedID Premier for one year
–Can’t change my Social Security Number in a year (or at all)
–Can’t change my date of birth in a year (or at all)
–Can only change my name in a year with great difficulty
–Can only change my address in a year with great difficulty
–The data will still be in the wild after a year
What’s wrong with this picture? Equifax needs to offer the TrustedID Premier protection free for the life of each victim.
A person more cynical than myself might believe that the breach was allowed to happen as a way to sell more TrustedID services after the year expires.