September 24, 2017

More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.

Here’s a redacted example of an email Equifax sent out to one recipient recently:

[Image: redacted copy of the Equifax/TrustedID notification email]

As we can see, the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.

The above-pictured message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.

My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I’d further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.

The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.

What’s more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.
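The two tells described above, a From: address on one domain with the call-to-action link on a different (but similar) domain, and a link domain that was registered only weeks earlier, are exactly the checks a mail-filtering or phishing-triage script would apply. The following is an added example, not code from the original post or from Equifax/TrustedID. The email message is constructed to mirror the mismatch described in the article (the addresses, paths and token are invented), and the WHOIS creation dates are an assumed lookup table standing in for a live WHOIS query; the naive eTLD+1 logic is adequate for .com but a real deployment would use the Public Suffix List.

```python
"""Flag notification emails whose links point at a different registrable
domain than the From: address, and whose link domains are newly registered.

Added example for this page; not the original post's or Equifax's code.
"""
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Date the post was published; used as "today" for the age check.
ARTICLE_DATE = date(2017, 9, 24)

# Constructed sample message: From: claims trustedid.com, but the
# enrollment link goes to trustedidpremier.com. Addresses/paths invented.
SAMPLE_EMAIL = """From: TrustedID <no-reply@trustedid.com>
To: customer@example.com
Subject: Your TrustedID Premier enrollment
Content-Type: text/html

<html><body>
<p>Thank you for enrolling. To finish,
<a href="https://www.trustedidpremier.com/enroll?token=abc123">click here</a>.</p>
<p>Questions? See <a href="https://www.trustedid.com/help">our help page</a>.</p>
</body></html>
"""

# ASSUMED WHOIS creation dates, a stand-in for a real WHOIS/RDAP lookup.
# The article only says trustedidpremier.com was "a few weeks old".
ASSUMED_CREATED = {
    "trustedid.com": date(2005, 1, 1),
    "trustedidpremier.com": date(2017, 8, 22),
}


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Naive eTLD+1: keep the last two labels. Fine for .com; a production
    filter should consult the Public Suffix List (e.g. example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_email, created_dates, today, max_age_days=90):
    """Return (sender_domain, findings). Each finding is a tuple
    (kind, href, detail) with kind in {domain_mismatch, young_domain,
    unknown_age}."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])

    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())  # single-part message: body is a str

    findings = []
    for href in extractor.hrefs:
        link_domain = registrable_domain(urlparse(href).hostname or "")
        # Tell #1: the link does not land on the domain the mail claims to be from.
        if link_domain != sender_domain:
            findings.append(("domain_mismatch", href,
                             f"From: {sender_domain}, link: {link_domain}"))
        # Tell #2: the link's domain is brand new (or has no history at all).
        created = created_dates.get(link_domain)
        if created is None:
            findings.append(("unknown_age", href,
                             f"no creation date known for {link_domain}"))
        elif (today - created).days < max_age_days:
            findings.append(("young_domain", href,
                             f"{link_domain} registered {(today - created).days} days ago"))
    return sender_domain, findings


if __name__ == "__main__":
    sender, found = analyze(SAMPLE_EMAIL, ASSUMED_CREATED, ARTICLE_DATE)
    print(f"From domain: {sender}")
    for kind, href, detail in found:
        print(f"  [{kind}] {href}: {detail}")
```

Run against the constructed message, the script reports nothing for the trustedid.com help link and two findings for the enrollment link: a domain mismatch against the From: header and a domain only 33 days old. Either finding alone is a weak signal (plenty of legitimate mail links to a vendor's separate campaign domain), but both together on the call-to-action link is the pattern the article warns users are being trained to accept.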

While there’s nothing wrong with that exactly, one might reasonably ask: Why didn’t Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn’t that have considerably lessened any suspicion that this missive might be a phishing attempt?

Perhaps. But while TrustedID is technically owned by Equifax Inc., its services are run separately from Equifax’s, and its terms of service differ from those Equifax offers (almost certainly to insulate Equifax from any consumer liability associated with its monitoring service).

THE BACKSTORY

What’s super-interesting about trustedid.com is that it didn’t always belong to Equifax. According to the site’s Wikipedia page, TrustedID Inc. was purchased by Equifax in 2013, but it was founded in 2004 as an identity protection company which offered a service that let consumers automatically “freeze” their credit file at the major bureaus. A freeze prevents Equifax and the other major credit bureaus from selling an individual’s credit data without first getting consumer consent.

By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).

Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free flag that consumers can place on their credit files asking creditors to verify the consumer’s identity before opening a new account in their name.

[Author’s note: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.]

Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.

In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.

WHAT SHOULD YOU DO

These days, consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers. As detailed in the analysis section of last week’s story — Equifax Breach: Setting the Record Straight — many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.

Other bureaus, like TransUnion and Experian, are trying mightily to steer consumers away from a freeze and toward their confusingly named “credit lock” services — which claim to be the same thing as freezes only better. The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone who comes asking for them (including ID thieves); and consumers who opt for them over freezes must agree to receive a flood of marketing offers from a myriad of credit bureau industry partners.

While it won’t stop all forms of identity theft (such as tax refund fraud or education loan fraud), a freeze is the option that puts you the consumer in the strongest position to control who gets to monkey with your credit file. In contrast, while credit monitoring services might alert you when someone steals your identity, they’re not designed to prevent crooks from doing so.

That’s not to say credit monitoring services aren’t useful: They can be helpful in recovering from identity theft, which often involves a tedious, lengthy and expensive process for straightening out the phony activity with the bureaus.

The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit. But there’s no need to pay for these services: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

There’s a small catch with the freezes: Depending on the state in which you live, the bureaus may each be able to charge you for freezing your file (the fee ranges from $5 to $20); they may also be able to charge you for lifting or temporarily thawing your file in the event you need access to credit. Consumers Union has a decent rundown of the freeze fees by state.

In short, sign up for whatever free monitoring is available if that’s of interest, and then freeze your file at the four major bureaus. You can do this online, by phone, or through the mail. Given how unreliable the credit bureau Web sites have been for placing freezes these past few weeks, it may be easiest to do this over the phone. Here are the freeze Web sites and freeze phone numbers for each bureau (note the phone procedures can and likely will change as the bureaus get wise to more consumers learning how to quickly step through their automated voice response systems):

Equifax: 866-349-5191; choose option 3 for a “Security Freeze”

Experian: 888-397-3742;
–Press 2 “To learn about fraud or ADD A SECURITY FREEZE”
–Press 2 “for security freeze options”
–Press 1 “to place a security freeze”
–Press 2 “…for all others”
–enter your info when prompted

Innovis: 800-540-2505;
–Press 1 for English
–Press 3 “to place or manage an active duty alert or a SECURITY FREEZE”
–Press 2 “to place or manage a SECURITY FREEZE”
–enter your info when prompted

TransUnion: 888-909-8872, choose option 3

If you still have questions about freezes, fraud alerts, credit monitoring or anything else related to any of the above, check out the lengthy primer/Q&A I published here on Sept. 11, The Equifax Breach: What You Should Know.


164 thoughts on “Equifax or Equiphish?”

  1. Harry Fox

    I had my credit frozen last year and then when I needed to open up a Comcast account for our summer home in another state I was told that because of the freeze on my credit the only way I could open up the account was to show up in person with proof of identity. This was not practical since our summer house is 600 miles away. I inquired which credit monitoring service they were using so I could have it unfrozen but the customer service rep had no idea. This led me to have my credit unfrozen at all three major credit services. I wanted to share that story because it is my experience that freezing your credit is a very cumbersome and unworkable situation. I don’t know what better solutions are out there but I would be interested in your thoughts on this in your blog. Thank you

    1. BrianKrebs Post author

      I grow extremely weary of reading comments like this. It’s like complaining that a life preserver is preventing you from doing scuba diving.

      The fact is that the way our credit system in the US has operated over the past few decades is a default-open system, or opt-out if you like. By default, anyone can view your credit whenever they like. This is the exact opposite of most other countries.

      Unfortunately, this has allowed Americans to be effectively financially illiterate about how the system works, and how they can use it to their advantage (as well as how to counter thieves looking to abuse the system).

      A freeze definitely requires people to assume a tad more responsibility for their own credit files, no doubt. But generally what that means is you can’t just show up at a dealership or at closing on a house and expect to be able to push the process through. Then again, nor can an ID thief.

      In the event that you wish to take out new lines of credit, a freeze requires you to take steps *in advance* of needing new credit. Generally, 24 hours notice is sufficient to thaw or lift a freeze.

      1. British Gentleman

        Unfortunately it is worse in the UK where there is a default-open system but the option to freeze one’s file does not seem to exist!

      2. Buckminster.Bob

        It’s understandable for Brian to be “weary” — given the volume of questions, and that an extremely small number of people have reached his expertise. In this case, Harry “…inquired which credit monitoring service they were using…but the customer service rep had no idea.”. In other words, he knew what needed to be done, but didn’t want to spend money to unfreeze anywhere when exactly one would suffice. Why spend $30 when $10 will do?

      3. Bart

        Last year we bought a car and the dealer said to put a 24 hour thaw on one of the agencies, I forget which, and they would take care of the credit check. It worked fine.

        We froze all three in 2008 based on recommendations that we saw on the internet, probably here, at the time.

        As I said earlier in the week, it is annoying that these corporations can pop up pretty much unannounced, like Innovis.

      4. JJ

        I can beat that. My daughter lost her card so she froze her credit at all three. When the card was replaced she unfroze it at all three.

        She applied for a new Chase credit card and was denied because, you guessed it, one of the bureaus still had her frozen, Equifax. She had a letter with a confirmation code that it was unfrozen, which cost her $20.

        She called Equifax and they said there was no freeze. She conferenced in a rep from Chase and they pulled her credit report and yes, it was denied because Equifax had it frozen. The Equifax rep insisted there was no freeze and it must be a Chase problem.

        When she came home a few weeks later I got involved. She and I called Equifax and got someone who had a clue and figured out that, get this, when she requested her report to be unfrozen she gave them her SSN and her new FL address. Equifax had no history of her at that address so took her $20, and unfroze a non-existent credit report but left the one in PA frozen.

        Right, they did not unfreeze it by SSN but by her reported address that they had no record of. She had to pay yet another $20 to get her PA credit report unfrozen.

        Experian and Transunion did it by SSN correctly.

      5. juliac

        With all due respect, Brian, it’s not obvious to me that opening a Comcast account is the same as applying for credit. It is, in a narrow sense, but the amount is limited and at most the company could lose one or two months’ cable bill. Another area where this happens is auto insurance, and it can happen without one’s knowledge when they go to set rates for the coming year.

        I just wonder how many other things in life generate a credit check, and how many do so without giving the consumer a clue that it’s happening. Also, I understand that unfreezing/refreezing can generate charges from the credit bureau, which could get burdensome pretty quickly for someone on a fixed/limited income, especially when you don’t know which credit bureau so have to do all four.

        1. BrianKrebs Post author

          Anything where there is a regular service contract or equipment involved (even cable boxes), they will likely demand some credit check. That especially includes utilities, such as gas (even just propane deliveries), satellite TV, cable TV, fiber optic internet, mobile phone service, and renting just about anything.

          I should add that just because they demand it doesn’t mean you have to let them do it. Most companies will waive the credit check in favor of a hefty deposit that you may not get back until you stop service with them, or they may give it back to you after a certain amount of time has passed and apply it toward your future bills. But there’s no question that avoiding these credit checks is a hassle and potentially expensive (at least in the short run).

          1. Cyber

            Google “permissible purpose” to understand the criteria for accessing consumer credit records.

    2. Eric

      Harry, saw your comment but not sure what your problem is. Doing something like adding a Comcast account is something we do once every couple of years, if that. I just went through the sign-up for the security freeze for both my wife and myself with the three major companies, and it took maybe half an hour. I noted the website and PINs, information which I will be putting in a safe place. Temporarily unfreezing is bound to be even faster than the initial signing up. That’s a small price to pay.

      FYI, only Trans Union charged me for the freeze, both Equifax and Experian offered it for free after entering basic personal information (the kind lost in the breach) and guessing at their out-of-wallet questions.

    3. acorn

      From my recent three conversations with an insurance company’s two customer service reps, about the company’s use of credit reports: Ask the company Credit Team. That’s where the question should be asked; I got very good answers from a Credit Team member.

  2. Winston

    So, when is this this obviously Internet-security incompetent company, hopefully to be sued out of existence if there’s any justice left in the world, going to send a notice via SNAIL MAIL, the only guaranteed secure means of communication with them, to everyone compromised?

  3. Mike M

    Great insights and coverage – as always. As someone who moves a lot (complicated life), I’m also concerned about the hassle factor of freezes and unfreezes. Does anyone have insights about how long it takes to get a freeze lifted or removed by the different agencies? Or if there are state laws about that? Or do the credit bureaus operate like cable companies with their own timelines and sense of non-urgency to peoples’ issues and requests?

    1. Paul

      I think Brian (read up a comment or two – something about life jackets…) said 24 hours at least to open up your credit reports for a transaction.

      1. BrianKrebs Post author

        In practice a thaw or unfreeze generally takes a few minutes, but it’s a good idea to leave yourself time in case one method (online) isn’t working properly from the bureau’s end, causing you to need to call the bureau and go through that.

    2. JCitizen

      The Consumer’s Union link Brian provided is a good one, and would probably lead to all answers to any questions you might have.

    3. gesneri

      I successfully lifted freezes with all four credit bureaus in one afternoon, and that’s while this dumpster fire was in process. (Didn’t want to lift freeze at this point, but life happens.) Granted, Equifax’s website kept timing out and it eventually lifted the freeze temporarily without being able to respond to me. I only found out when a subsequent lift attempt at that site informed me that the lift already existed. When things return to something approximating normal, it should be quicker.

    4. Broadway

      Would you rather go through the hassle of rebuilding your identity and life after an id theft? This could take months or even years! Not to mention the stress and paranoia that goes along with an id theft.

      I put freezes on after an id theft and the detective at the police precinct suggested it.

    5. snic

      I have had a security freeze for the last 10+ years, so I have plenty of experience with temporary lifts. One bureau always allows me to lift it instantly online, never a problem. With the other two, it always fails online. For one of them, I have to call the automated system, and that works. For the third, I have to send a snail mail.

      It’s a bit cumbersome, but the process has never prevented me from obtaining credit. At least for me it’s free, as I was a victim of identity theft. There really should be a law forcing the bureaus to provide free freezes and lifts for everyone – after all, it’s our information they have, so why should we pay for it not to be sold to people we don’t want it sold to?

  4. Wm Buxton

    “many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.”

    I submitted freeze requests at all 4 sites suggested by Krebs. TransUnion took my information and charged my credit card, only to then spit out an error message, leaving the charge in place. The error message required me to send in the information again via mail, also saying to send in the $10 payment. I sent in a copy of the credit card receipt, but haven’t gotten back a freeze confirmation letter yet. I will cancel the charge after about a month. Best use mail with TransUnion if you don’t want to be held in limbo on the payment.

  5. Dan D

    As someone who has had a freeze at all 4 agencies, for both my wife and I, for the past 10-ish years, I can tell you that it really isn’t that hard to do a temporary lift.

    3 months ago I decided to trade-in and purchase a new car using the promo 1% financing special. When I went to the dealership I took my PINs and phone numbers (which I keep in our fire safe) for just me (not my wife). When it came time to get the final credit check the “finance guy” called his contact at the financing company and asked which agency they will be using to run the check. That took, maybe, 3-minutes.

    I then used my cell phone, called the dedicated freeze lift number for the agency selected, and using merely the touch pad (no human intervention), performed the lift (required SS#, PIN, and credit card number). I did a 20-day lift, just because that’s a bit more convenient for the financing company. The credit card was required for the $10 re-freeze (no fee for the lift, only for a temporary lift or re-freeze). The card was charged while I was on the phone and the lift happened immediately.

    Yes, a bit of work, but really not overly onerous. Yes the $10 per agency per person comes to $80 for my wife and I, but we feel it’s money well spent.

    Good luck to all.

    1. JLW

      Re: “… As someone who has had a freeze at all 4 agencies, for both my wife and I, for the past 10-ish years, I can tell you that it really isn’t that hard to do a temporary lift …”

      That has been my experience as well over the last 5 years.

      It’s just not THAT hard to plan-ahead …

      … although it GALLS me no end that I have to pay these bureaus to NOT release MY info which.

  6. Chris

    Quick question. Why is Innovis included in the list of credit bureaus? I was under the impression that the big three were Equifax, TransUnion, and Experian. Do I need to file a freeze with Innovis as well?

    1. gesneri

      They’re not well known, but I’m doing business with a largish financial institution that definitely uses them. I was warned about that when I said I had a credit freeze. They’re a newer company but apparently they’re being utilized.

  7. Brian

    I attempted online freezes at the big three, plus the newer one, Innovis, and ChexSystems, used by banks for checking and savings accounts. Trans Union, Innovis, and ChexSystems all worked fine, with the latter two sending me my pin by snail mail. Experian had a glitch – I went through the process, got to the end, and they told me I had to print and fill out the forms, and send it by snail mail. The next day, I did it again, and this time it worked.

    Then there was Equifax. I went through the process online. I got to the end. It told me when I hit submit I would get a confirmation with my pin. I should print that page and save it. I hit submit. I had a pop-up that was totally blank. At the top of it was an error code. Nothing to print.

    I went back, started the process over. When I logged in I was given the choice of lifting the freeze on my account temporarily for all lenders, for a specific lender, or lifting it permanently. For any of these I would need my 10 digit pin.

    The only way to get a “lost” pin was to write a letter, sending drivers license/passport type proof of identity, and asking for a new pin.

    I’ve decided that a permanent freeze on Equifax would be appropriate. Fortunately, I’m in the position of not needing credit for the foreseeable future.

  8. Glenn F.

    Assuming the Equifax “Am I Impacted?” answer comes up yes, when filling out security freeze requests, should we indicate “Yes, I am a victim of identity theft” or “No…”?

    1. BrianKrebs Post author

      I think you, and just about any other American, can with good conscience answer yes to that question.

  9. Chris Nielsen

    Is this just an evil plan to scare 143 million Americans into signing up for a free 1-year service that they will later have to pay for?

    If there is no actual harm that can be confirmed as a result of the alleged data breach, I don’t think there will be any real grounds for the lawsuits.

    Then all you have is massive free publicity and millions of potential new customers.

    1. BrianKrebs Post author

      I hope nobody has misconstrued this story to suggest that I somehow am encouraging people to sign up for TrustedID. I don’t think this service will be useful for anything other than helping people fix the mess that the credit bureaus themselves have created.

      However, answer me this: How exactly do you think someone could “confirm” that harm resulted from this massive screw up by Equifax, vs. from some other place that leaked it? It’s not like you can get a new SSN. This data has a very long shelf life and has value for years and years after it is stolen. And it’s been stolen 100 times over during the past decade, from 100 different places. This is why I have been urging people for years to forget about this credit monitoring nonsense and freeze your files already. That’s the only properly sane response: Assume your data is compromised.

  10. Jeff Powell

    Just tried the Equifax site again to see if I am affected by the breach. I did it a week ago and was told “maybe”, so I figured I’d try again and see if I got the same answer. But no… this time I get:

    ERROR

    The request could not be satisfied.

    The Amazon CloudFront distribution is configured to block access from your country.
    Generated by cloudfront (CloudFront)

    I am an American living in Canada at the moment. What the heck am I supposed to do now?

    1. Buckminster.Bob

      Good to see Equifax taking security seriously by blocking access from hostile regimes like Canada.
      /s

    2. timeless

      Contact your MPP (and have your neighbors contact them as well).

      Tell them that you believe Canadians are entitled to security freezes just like their American neighbors.

      Note that 100,000+ Canadians were also impacted by this breach.

      As with the USA, regulations in Canada are at the regional (Provincial ~ State) level. In this case, only Ontario and Manitoba even have laws granting consumers basic abilities wrt credit. And that doesn’t include freezes, at best there’s an alert that expires after 7 years.

  11. CJG

    Comcast doesn’t actually require a credit check if you place a deposit on the equipment used and this is refunded after 12 months of service. I would guess that the interest on the deposit amount is less than the cost of lifting a freeze at even one credit agency. See https://www.xfinity.com/Checkout/CreditCheck/Creditpolicy.aspx
    “A credit check and/or deposit is required for new customers (and customers with less than six (6) months of payment history) who lease more valuable Comcast equipment or request Comcast Digital Voice services with a new phone number. If you select a credit check, you may also be asked to pay a partial deposit. If you do NOT want a credit check, you may choose to pay the full deposit. The full amount of any deposit will be applied to your account balance after twelve (12) months, as long as the account has been in good standing for the previous six (6) months.”

  12. B Griffin

    Literally just called Equifax to setup freeze. It took me right up to the point of what is your state. Then proceeded to say the service was temporarily unavailable telling me to use the website. Potentially it has begun where they have figured out people are using the phone to bypass the garbage.

    1. David_

      thanks for posting your experience, so I was not totally surprised to just now call and got the same recorded msg as soon as I said the state….sigh

  13. Buckminster.Bob

    How many credit reporting agencies do we need before this becomes absurd? I see people writing about 3 major bureaus in the US, and others mentioning 4 major bureaus. (In Canada, it’s 2, or maybe 3?) It’s up to the “consumer” to know where their data is being sold, and we just accept this? Yes, the vast majority are ignorant — the system thrives from ignorance.

    Credit agencies should be competing for my business, where I can choose whether or not to allow them to see my personal information. Unfortunately, it’s not even possible to opt out, let alone choose. (A parking ticket will tell you that.)

    1. acorn

      I jokingly consider starting my own credit bureau, with a mantra of we “take protecting the security of the information in our possession is a responsibility we take very seriously”™ , as Equifax and similarly by so many other breached entities so gloriously put it.

      Then, I’ll create a “special” formula to create the credit scores specific to executives of breached entities, of course it won’t be a publicly available formula as that’s not required.

      Maybe even create a couple credit bureaus, one for each breached entity.

    2. Cyber

      Ah, but alas, you are not a customer of the credit bureau by default. You’re a commodity.

  14. Gloria

    Hi Brian! First of all thank you so much for all your help. I have found better information here than anywhere else. My questions is regarding having already frozen the 4 reports and now wanting to have some sort of monitoring in place. Are you saying I would need to unfreeze one or more and then set up fraud alerts and then freeze them all again? Thanks.

    1. JCitizen

      To sign up for monitoring you would have to unfreeze everything again. Maybe it would be better if you did your own monitoring yourself – after all a freeze is better than a fraud alert, and better than any monitoring scheme. Use this URL and see if you can check it yourself, but you probably won’t be able to with a freeze in place. The law formed this site so people could get one free report from each agency once a year. So theoretically you could check your credit and look at reports as many times a year as there are reporting agencies. It works, because that is how I used to do it.

      https://www.annualcreditreport.com/index.action

      1. snic

        If you have a freeze, you may be asked to mail in your request for a free credit report.

      2. Gloria

        I had an account on one of the three and paid to get all three a couple days before I froze them. Yesterday I tried again and it wouldn’t pull the other two but I was able to get the report for the bureau I had the account on. It’s some comfort that it couldn’t pull the other two. That tells me the freeze is in place on those. The report I did get stated that there was a freeze on this one as well. I think I just have to keep monitoring all my accounts from here on. And pull the free ones when I can. Something has to change in the lending process. Penalizing and regulating the bureaus isn’t going to do a darn thing. Too late for that.

  15. Bill

    I placed a credit freeze under my name at the 5 credit bureaus. Do I need to also place a credit freeze for my wife? I am unable to find an answer for this.

    1. JCitizen

      In our state, unless you are financially divorced from your wife to completely separate your credit, then you are both responsible for the same credit situation. You both directly affect each other – so that would mean to me, that you’ve already done enough. But then I’m not a lawyer, and have no idea how your state works.

    2. timeless

      Yes. Every person with an SSN or TIN or really any ID who has ever interacted (or will ever interact) with anything credit-like needs their own freeze.

      If you have babies, once you get their SSN, you should freeze their files…

      1. snic

        I disagree with the advice to freeze children’s credit files. They don’t have a credit history, so their files should be empty. As soon as you place a freeze, all you have done is told the credit bureau that there is a person named X with a DOB of Y who has a SSN Z. Inevitably that information will become known to someone else, as we saw with the Equifax breach. Why accelerate the process?

        For kids, it should suffice to simply keep the use of their SSNs to an absolute minimum.

        1. ASB

          >>For kids, it should suffice to simply keep the use of their SSNs to an absolute minimum.

          Absolutely agree. Let’s not create problems in advance.

  16. James Schumaker

    I have put a security freeze on with all four credit monitoring bureaus for myself and my wife. Since I have no need for new credit or loans, I intend to keep the freeze on permanently. This solution is not perfect, since some miscreant can penetrate Equifax’s pathetic security and unfreeze any account with the proper information. There is no real solution to this problem, except to put Equifax out of business and require that the remaining credit monitoring bureaus are themselves subject to much stricter regulation. In the meantime, everyone is vulnerable.

  17. David Kleinsmith

    If we can all agree that ID Theft is crazy out of control, AND that it seems to be getting worse by the day, AND that it has been the number 1 complaint by consumers to the FTC for 16 consecutive years, AND that only about 20% of ID Theft shows up with monitoring alone, AND that “it’s not a question of if, but when…”, AND that cleaning up the fall-out if I were to become a victim can be costly & time-consuming, AND that often times ID Theft can have legal consequences…. then why not try to find something that will give me Peace of Mind with Consultation, Monitoring (of the Dark Web), and Restoration by Licensed Private Investigators, for less than 4 cents per day? It’s a no-brainer. Doesn’t this just make the most sense?

  18. Larry Morgan

    I have never regretted getting the freeze on my 4 credit bureau accounts. I ask which bureau is used when getting new credit. If the person does not know I ask for their supervisor. Now I have to have a good reason to get a new line of credit, as there is some work involved.

    Right now if I am told Equifax is used, I insist on another service or I will take my business elsewhere.

    In one case (Comcast) I was told I could pay a $100 deposit (automatically refunded in 6 months) in lieu of a credit check since I had a freeze on. No brainer.

    Brian, thank you for recommending the freeze and doing the legwork for us.

    I would love to see Congress insist that freezes and temporary lifts be free, but we have the best Congress money can buy, and typically only companies are buying.

  19. JLW

    Brian:

    Another fine piece of reporting.

    Thank you for your even-handed and fact-based approach to this topic.

    JLW

    1. Jim

      No one should take Huffington Post as a serious media outlet. They are one of the originators of fake news.

      1. JCitizen

        Yep – and as far as I’m concerned Bloomberg fits in the same category. To tell you the truth the only two news outlets I trust enough is Brian Krebs on Security, and the BBC.

        1. Larry

          For security I would add Bruce Schneier, Steve Gibson & those they refer to ie, Ars Technica, etc.

          1. JCitizen

            Excellent! I hadn’t heard of Bruce Schneier – maybe I ought to sign up for his newsletter, if he has one. I haven’t been regularly reading Ars Technica, except where a link appears in my other readings; but yeah, I put a lot of credence on them.

            I get a lot of those links from the Register – but that site is more entertainment than serious journalism; I still get a kick out of reading their form of “step right up – read all about it!!” sidewalk news with a UK bent on it. They are kind of like having an old time paper boy running down the street yelling the latest headlines.

            1. timeless

              Hi JCitizen, I’m somewhat surprised you haven’t run across him. I’m glad you have now.

    2. Robert

      The HuffPost used to publish some decent articles, years ago. These days one wonders what they huffed before they posted 😉

      HuffPost: “But a credit freeze doesn’t do a thing to protect any data that has already been compromised. While a freeze prevents new lines of credit from being opened, it doesn’t stop thieves from going on a shopping spree with your already-breached credit card number.”

      Yeah, but it helps prevent any new info being used, compromised. It’s one step in the game along with fixing your credit – after it’s been compromised and used. But to “prevent” the possible compromise, freeze your credit. What doesn’t the H.P. understand about “preventing” the compromise to begin with??????????

      H.P.: “Credit card companies pay attention to where and how you shop. A large online purchase of electronics sent to an address you’ve never used is going to raise a red flag, and you will likely be contacted and asked to verify it.”

      In my case the CC thief picked up a large $$$ purchase in store, where it was sent after it was ordered, no red flags raised. And I had never purchased from the business before, explain that H.P.

      The entire article is g-a-r-b-a-g-e, poor reporting by someone who did not do their homework or worse, did the bidding of someone who paid them to write the article, just my opinion.

      HuffPost articles = sound of toilet flushing each time you read one. Another online news source down the drain.

      What freezing will do is reduce the amount of store credit cards being obtained on the spur of the moment when someone is shopping. It will cause people to be more thoughtful before applying for yet another CC.

      It will hopefully stop many thieves from getting at information they need to steal our identity for credit. And this mess will cause many people to finally be more alert to the digital financial dangers we face in today’s society.

      Question is, what new things will thieves try next? Roadblocks can be circumvented; there are alternate routes. I’m sure Brian will alert us to the new trends as they pop up.

  20. John M.

    This just gets more and more confusing and worrisome. I received the following email on the 21st:

    From: Customer@Creditexpert.com

    Subject: RE: Inappropriate change of address

    Thank you for contacting CreditExpert with your inquiry. We will review and reply to your email in the order in which it was received.

    Thanks again, and we look forward to assisting you.

    Sincerely,

    Credit Expert Customer Care

    That was it – no links, no phone number. Problem is I never called them and had no idea who they were. A quick search and that domain will lead you to what you might presume is an Experian credit management service.

    However, CSC Corporate Domains (the domain owner) is a privately held company that “is the world’s leading provider of business, legal, financial, and digital brand services to companies around the globe”.

    Two hours on hold with Experian to see if anyone really had tried to change my address and I finally had to hang up. So, are the other credit bureaus now trying to hawk their credit monitoring services at Equifax ‘expense’ and does this email in and of itself indicate an identity theft attempt?

    1. JCitizen

      I don’t know what you mean by no links, as that link was obviously an email address – I’d call that a “link”. Of course it won’t work automatically unless you have Outlook or other server based email enabled on your device.

      I would be suspicious of ALL email I received since this news came out, because this is an excellent time for spammers and phishers to get people to click on the wrong thing and give out information to the wrong people. I’d do all solution and fact checking by searching the web myself with a site adviser enabled, and completely ignore what comes in the email – with the exception of those already on your trusted contacts list, and even then, I’d follow up outside the email message and browse to my source independently, just to be on the safe side.

      Phishing emails can be so carefully crafted that even someone like me could be fooled into clicking on something and be set on the road to disaster! I’ve come very close once with a PayPal email that had my real name on it, and was every bit a phishing email – the only thing that saved me from my own foolishness was my password manager that refused to fill out the phishing sign in page (which looked totally legit as well!!)

  21. Jurgen

    What is it that permits these reporting companies housing our data in the first place? Why aren’t we allowed to force them to delete all records about us? I know the credit granting system depends on it but that isn’t the question.

    1. JCitizen

      They do it because there is no law against it, and it is a lucrative business. Until people start banging on the doors of their congressmen, we will never get this out of control business regulated.

    2. Cyber

      The credit bureaus created their own market and they know they have had a monopoly except that data is a commodity anymore. It’s symbiotic by design. “Subscribers” can pull consumer credit but only if they agree to report on the credit performance of those they extend credit to. This process keeps the files fresher. Also, there are three major CRAs due to history. Equifax had the Southeast data by proximity back in the day, TU had the Northeast and Experian had the SW. Now, they *could* all be combined.

  22. acorn

    1. “…nothing tying the domain registration records for trustedidpremier.com to Equifax…”
    There’s another way besides whois to verify website ownership. Equifax links–say it’s theirs in at least one instance: help.equifax.com/s/topic/0TO37000000CjtZGAS/trustedid-premier?tabset-5fd87=2
    As for trustedid.com mentioned by Brian’s article, I only found one instance on their site that Equifax is associated with it and vaguely–another bungle–if you trust Equifax (Equifax is losing credibility as they continually bungle handling the breach).
    But yes; entities often make it less than easy to determine ownership of their website addresses and don’t care, not only Equifax. Been going on for years. But hey, companies are considered “people” and have two-faces, three-faces, etc and can put forth all those faces (wear all those faces at once, unlike real humans).

    2. By using “Trusted”ID.com, Equifax is also displaying their incompetence at how to build trust–like a domain name builds trust, yeah right (perhaps some artistic-music person came up with that idea).

  23. Tom

    It continues:
    I received the following no-reply email from Equifax at 10:59 a.m. PST this morning:
    Trusted Id Customer Service no-reply@trustedid.com via amazonses.com
    It is shocking to think that anyone would actually reply to this, especially in the wake of the Equifax leak.
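JCitizen’s advice above (verify a notice out of band instead of clicking) and Tom’s observation that the From address shows one domain while the mail was relayed “via” another can be turned into a mechanical check. The following Python script is an added example, not code from the original post or from Equifax/TrustedID: it parses a constructed sample message (the message text, the Return-Path value and the `example-lookalike.net` host are made up for illustration; trustedid.com, trustedidpremier.com and amazonses.com are the domains named in this thread) and flags links whose registrable domain differs from the sender’s, plus hosts that merely embed the sender’s domain as a leading label.

```python
"""Flag a notification email whose sender, relay and link domains disagree.

Added example for this comment thread, not code from the original post or
from Equifax/TrustedID. The sample message is constructed; the header names
are standard RFC 5322 fields.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: From says trustedid.com, the envelope sender (what a
# mail client renders as "via ...") is a relay domain, and the two links point
# at a sibling brand domain and at a lookalike host. example-lookalike.net is
# an invented placeholder.
SAMPLE_EMAIL = b"""\
Return-Path: <0101abc@amazonses.com>
From: Trusted Id Customer Service <no-reply@trustedid.com>
To: customer@example.org
Subject: Activate your TrustedID Premier product
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="https://www.trustedidpremier.com/activate?id=12345">activate</a>
your product.</p>
<p>Questions? Visit <a href="http://trustedid.com.example-lookalike.net/help">our help page</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Good enough for .com/.net hosts used here; a real deployment would consult
    the Public Suffix List so that e.g. 'co.uk' is handled correctly.
    """
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def domain_of_address(addr):
    """Lower-cased domain part of 'user@host' or '<user@host>'."""
    return addr.rsplit('@', 1)[-1].strip('<> \t').lower()


def link_hosts(html):
    """Collect hostnames from every href in an HTML body."""
    hosts = []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def analyze(raw_message):
    """Return domain-consistency findings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    sender_domain = domain_of_address(msg['From'].addresses[0].addr_spec)
    sender_reg = registrable_domain(sender_domain)

    findings = {
        'sender_domain': sender_domain,
        'relay_domain': None,
        'relay_mismatch': False,   # common for legitimate bulk mail, low weight
        'link_mismatches': [],     # links whose registrable domain != sender's
        'lookalike_hosts': [],     # sender's domain embedded as a leading label
    }

    # Return-Path is the envelope sender; clients show it as "via <domain>"
    # when it differs from the From domain.
    if msg['Return-Path']:
        relay = domain_of_address(str(msg['Return-Path']))
        findings['relay_domain'] = relay
        findings['relay_mismatch'] = registrable_domain(relay) != sender_reg

    body = msg.get_body(preferencelist=('html', 'plain'))
    html = body.get_content() if body is not None else ''
    for host in link_hosts(html):
        if registrable_domain(host) != sender_reg:
            findings['link_mismatches'].append(host)
        # 'trustedid.com.<something>' contains the brand as a label sequence
        # but is not actually under trustedid.com.
        if f'.{sender_domain}.' in f'.{host}.' and not host.endswith(sender_domain):
            findings['lookalike_hosts'].append(host)
    return findings


def is_suspicious(findings):
    """Worth verifying out of band if any link leaves the sender's domain."""
    return bool(findings['link_mismatches'] or findings['lookalike_hosts'])


if __name__ == '__main__':
    result = analyze(SAMPLE_EMAIL)
    for key, value in result.items():
        print(f'{key}: {value}')
    print('verify out of band:', is_suspicious(result))
```

The relay mismatch alone is deliberately not treated as suspicious, because large senders routinely hand mail to a delivery provider; it is the off-domain and lookalike links that turn a notice into something to confirm by browsing to the company directly rather than clicking.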

  24. Bob

    Thanks very much for providing this information! I just called all four credit bureaus using your convenient number list and successfully placed a freeze on all four — two were free, two charged me $5.00 each.

  25. G.Scott H.

    @BrianKrebs
    I have to challenge your definition of Identity Theft. My definition of Identity Theft requires active use of information about an individual to assume their Identity for various purposes. Your definition seems to be theft of the information alone. I would very much prefer your definition since that would make me an Identity Theft victim many times over. My definition only qualifies me as a potential Identity Theft victim. These are the hairs split by legal eagles.

    You have a talent for competently covering these topics in a manner understood by the general public. I think you should produce an article on the whole (legal and beyond just credit worthiness) industry of selling information about people. In the comments to your writings this week, I see a lot of misunderstanding and ignorance of the topic.

    1. BrianKrebs Post author

      So, if your information is actively for sale in the cybercrime underground (which it is and I can almost certainly prove that’s the case), it’s not ID theft even when someone buys it with the intent to use it fraudulently, is that what you’re saying? They also have to harm your credit as well?

      1. G.Scott H.

        Unfortunately, I must answer your question with, Yes, that is exactly what I am saying. IANAL, but my read of the current US legal stance on Identity Theft in the legislative, judicial, and executive areas is that actual legal harm has to occur before one is a victim of identity theft.

        Am I content with this? NO! The situation has to change. US citizens need to know they have to demand a change in this situation to their representatives.

        I do agree with you that theft of information about you on The Internet in today’s world is harmful. I feel I may have a better leg to stand on if I publish all the same information which has been collected and stolen, I could then claim copyright and use the force of the DMCA.

        BTW, I had information about me stolen from OPM. That is about as bad a data breach as you can get. Until I filled out that SF-86 some of that information was not written down directly associated with me. For the benefit of other readers, a recent court decision in a case about the OPM breach determined people like me were not harmed, go figure.

        1. BrianKrebs Post author

          Let me get this straight. So you’ve been a victim of both the Equifax breach and the OPM breach, and you don’t feel comfortable saying you’ve been a victim of identity theft? Even though the latter has been attributed to a nation state hacking group that actively mines hacked data for political and personal gain?

          1. G.Scott H.

            Until the information about me is used to impersonate me, I am only a potential identity theft victim. I am a victim of identity information theft. My risk of becoming an identity theft victim is higher now due to these breaches.

            I understand and agree with your point of view. Pragmatically, this is an area where law lags technology. Today’s technology allows for so much more to be done so much faster. These days by the time an identity theft victim finds out they are a victim, there is likely a huge mess to be cleaned up and more disruption to their life. I am holding out hope that an appeal of the recent decision in the OPM case does find that theft of identity information is harm in the legal sense and the litigants do have standing.

            I have taken steps to mitigate identity theft. I have spent time and money on protective measures I may not have otherwise due to these data breaches. I certainly feel harmed.

          2. Phil

            Brian, I’m afraid he is right on this. There is a large body of case law developing that suggests a “no harm, no foul” interpretation of Identity Theft. You need a police report; otherwise, no theft happened as far as the authorities are concerned.

            And indeed, the information that was stolen does not belong to us. It was about us, sure; but it was not of our creation: it was created about us by others, for their use. Like all data or information, it is best understood as intellectual property; as such, what was stolen was the property of Equifax. The fact of its having been aggregated was what made it valuable: that’s what was stolen–the aggregation. The information was not otherwise ours; indeed, it was not even known to us in its entirety.

            Until that aggregated information is actually (mis)used to do harm by fraud, no “identity theft” has happened. Claiming to be a victim before such a harm is, ironically, a kind of fraud. It may be morally, but is not legally, justified.

            This argumentation has been repeatedly tested, most recently in a case on D-Link routers. Members of the class could not prove they had suffered quantifiable harm through the routers’ vulnerabilities, and the plaintiffs lost.

            It is much the same as the surveillance cases, where nobody has standing to sue the government because they can’t show they have actually been harmed by surveillance.

            So the harmful practices continue, without legal remedy.

            1. BrianKrebs Post author

              Hrm. So if someone publishes my health records, home address, social security number, credit card number and everything that is dear to me on a web site for the whole world to see, I still have not suffered identity theft? I guess they better haul me off to jail for fraud then, because that’s a justification I have used for obtaining a police report (and was encouraged to do so by a police officer). And that really happened to me, by the way.

          3. acorn

            Brian, I take it you may have met the requirements of state law for the following reason.

            Current Virginia Laws, Identity Theft Resource Center quote
            “It is unlawful for any person, without the authorization or permission of the person or persons who are the subjects of the identifying information, with the intent to defraud,
            for his own use or the use of a third person, to:
            · Obtain, record, or access identifying information which is not available to the general public that would assist in accessing financial resources, obtaining identification documents, or obtaining benefits of such other person; ”

            idtheftcenter.org/images/states/Virginia.pdf

            I only looked at one other state, and it too has similar wording. Other states:
            idtheftcenter.org/state-resource-map, then for instance “Expanded Identity Theft Laws” pdf (at the end of the top section–end of the “Identity Theft laws”)

        2. acorn

          Which leads to the August 25, 2016 statement by the Social Security Administration Deputy Commissioner,

          “Identity theft occurs when someone steals your personally identifiable information and pretends to be you.”…[the act of using the taken PII]

          blog.ssa.gov/protecting-your-social-security-number-from-identity-theft

        3. acorn

          Department of Justice:
          “Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains AND [my emphasis] uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.”

          justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud

        4. acorn

          Legal references of Congressional Acts:

          fbi.gov/investigate/white-collar-crime/identity-theft

          Though, I’d question “knowingly transfer or use, without lawful authority” whether credit bureaus have authority to keep 143 million records unencrypted. Perhaps it’s willful negligence in my non-legal opinion.

          1. acorn

            “…or to aid…, any unlawful activity that constitutes a violation of federal law…”

            Non-lawyer speaking: Once, if, the PII is used for violation of federal law…Equifax may face new lawsuits.

        5. acorn

          I wasn’t going to post this since it went off course from the original post; but, it comes back around to your followup comment: “I am holding out hope that an appeal of the recent decision in the OPM case does find that theft of identity information is harm in the legal sense and the litigants do have standing.”

          Non-lawyer speaking:
          Equifax may face a lawsuit over the act of “unlawful activity that constitutes a violation of federal law” not for the illegal use of PII at this time; but, by criminals having violated Federal law by accessing the Equifax server–“intentionally accesses a computer without authorization…information contained in…a file of a consumer reporting agency on a consumer…”

          law.cornell.edu/uscode/text/18/1030
          U.S. Code › Title 18 › Part I › Chapter 47 › § 1030 (a)(2)(A)

          At the same time, Equifax may, to use some of your words, have been “harm[ed] in the legal sense…” under the same Federal law.

    2. Tom Goldie

      I was thinking the same thing.

      But someone stealing the very information these businesses use to verify your identity seems to neatly fit the literal meaning of the words.

      1. acorn

        I don’t believe it was Equifax’s PII to be losing in the way it was–willful negligence–my choice would have been to have my PII record, and everyone’s record, protected by encryption when not in use since it has higher value and greater targeting when massed with 143 million other records.

  26. Annie

    I recently received 2 emails from Trusted ID Customer Service no-reply@trustedid.com via amazonses.com (the exact same as instructed above) instructing me to activate my product. However, when I tried to activate, it said I was already activated and it prompted me to sign in. I didn’t remember activating but hit the “forgot password” link which sent me an email. When I clicked on the link in the email, it prompted me to enter the last 4 digits of my social and DOB. I called the number first and she assured me it wasn’t a scam, but I decided not to enter the information. Now, I’m afraid of the ramifications of having clicked on the links in the email! I wish I had never attempted to sign up for TrustedID. Would appreciate knowing if someone else had this same experience and/or has insight into this.

    1. JCitizen

      You were smart – don’t ever use an email link to follow up on a problem, even if they are on your trusted contact list. It is always better to browse to the same source outside of using email, and start your action that way.

  27. Debra

    Great info!! … going through the auto system with Equifax a few weeks ago it came on with a message that they couldn’t take my info. I’ve called back and it says my information is on a freeze but I never got any information about a PIN number etc. Live hotline no help….can anyone help me?

    1. JCitizen

      Apparently Experian will allow you to unfreeze your credit, without the PIN, by going online to deactivate it. This is not good in my opinion, but you could try that. All other suggestions I’ve found say you should call the agency you want to unfreeze the credit with by phone. That may be quite a hassle, about now, with the large load on Equifax personnel. As far as I’m concerned they should not be able to do it without actually physically knowing it is you doing this. So apparently you can do it without the PIN or if you lose your personal identification number. I think they need a law that makes it possible to go to your bank personally and unfreeze it that way, as they would be able to verify that your actual physical presence is there. But who am I to judge? :p

  28. JCitizen

    My state requires that I be a victim first before I get a free freeze. Looks like it is time to start banging on the door of my state congressman next. Why should I wait to be a victim before I can get what should have been FREE from an inept-negligent reporting agency? They did it, NOT ME!!—RIDICULOUS!!

Comments are closed.