24
Sep 17

Equifax or Equiphish?

More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.

Here’s a redacted example of an email Equifax sent out to one recipient recently:

equifaxcare

As we can see, the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.

The above-pictured message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.

My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I’d further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.

The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.

What’s more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.

While there’s nothing wrong with that exactly, one might reasonably ask: Why didn’t Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn’t that have considerably lessened any suspicion that this missive might be a phishing attempt?

Perhaps, but you see while TrustedID is technically owned by Equifax Inc., its services are separate from Equifax and its terms of service are different from those provided by Equifax (almost certainly to separate Equifax from any consumer liability associated with its monitoring service).

THE BACKSTORY

What’s super-interesting about trustedid.com is that it didn’t always belong to Equifax. According to the site’s Wikipedia page, TrustedID Inc. was purchased by Equifax in 2013, but it was founded in 2004 as an identity protection company which offered a service that let consumers automatically “freeze” their credit file at the major bureaus. A freeze prevents Equifax and the other major credit bureaus from selling an individual’s credit data without first getting consumer consent.

By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).

Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free service that consumers can request to block creditors from viewing their credit files.

[Author’s note: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.]

Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.

In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.

WHAT SHOULD YOU DO

These days, consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers. As detailed in the analysis section of last week’s story — Equifax Breach: Setting the Record Straight — many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.

Other bureaus, like TransUnion and Experian, are trying mightily to steer consumers away from a freeze and toward their confusingly named “credit lock” services — which claim to be the same thing as freezes only better. The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone who comes asking for them (including ID thieves); and consumers who opt for them over freezes must agree to receive a flood of marketing offers from a myriad of credit bureau industry partners.

While it won’t stop all forms of identity theft (such as tax refund fraud or education loan fraud), a freeze is the option that puts you the consumer in the strongest position to control who gets to monkey with your credit file. In contrast, while credit monitoring services might alert you when someone steals your identity, they’re not designed to prevent crooks from doing so.

That’s not to say credit monitoring services aren’t useful: They can be helpful in recovering from identity theft, which often involves a tedious, lengthy and expensive process for straightening out the phony activity with the bureaus.

The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit. But there’s no need to pay for these services: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

There’s a small catch with the freezes: Depending on the state in which you live, the bureaus may each be able to charge you for freezing your file (the fee ranges from $5 to $20); they may also be able to charge you for lifting or temporarily thawing your file in the event you need access to credit. Consumers Union has a decent rundown of the freeze fees by state.

In short, sign up for whatever free monitoring is available if that’s of interest, and then freeze your file at the four major bureaus. You can do this online, by phone, or through the mail. Given how unreliable the credit bureau Web sites have been for placing freezes these past few weeks, it may be easiest to do this over the phone. Here are the freeze Web sites and freeze phone numbers for each bureau (note the phone procedures can and likely will change as the bureaus get wise to more consumers learning how to quickly step through their automated voice response systems):

Equifax: 866-349-5191; choose option 3 for a “Security Freeze”

Experian: 888-397-3742;
–Press 2 “To learn about fraud or ADD A
SECURITY FREEZE”
–Press 2 “for security freeze options”
–Press 1 “to place a security freeze”
–Press 2 “…for all others”
–enter your info when prompted

Innovis: 800-540-2505;
–Press 1 for English
–Press 3 “to place or manage an active duty alert
or a SECURITY FREEZE”
–Press 2 “to place or manage a SECURITY
FREEZE”
–enter your info when prompted

Transunion: 888-909-8872, choose option 3

If you still have questions about freezes, fraud alerts, credit monitoring or anything else related to any of the above, check out the lengthy primer/Q&A I published here on Sept. 11, The Equifax Breach: What You Should Know.

Tags: , , , , , , ,

164 comments

  1. Jeeze man…from the wikipedia page about the Fair Credit Reporting Act:

    “A partial list of companies classified as nationwide specialty consumer reporting agencies under FCRA includes: Telecheck, ChoicePoint, Acxiom, Integrated Screening Partners, Innovis, the Insurance Services Office, Tenant Data Services, LexisNexis, Retail Equation, Central Credit, Teletrack, the MIB Group, United Health Group (Ingenix Division), and Milliman.[14]

    Although the major CRAs Experian, Equifax, and TransUnion are required by law to provide a central source website for consumers to request their reports, the nationwide specialty consumer reporting agencies are not required to provide a centralized online source for disclosure.”

    What a mess of a system….just freezing your credit from the big 3 seems pointless with all the other ones out there lol.

    • Doing what you can I think makes sense. It’s easy to let the perfect be the enemy of the good, and do exactly what the big CBs want you to do: Which is nothing at all.

      • Kudos to Experian. They were the only NCRA to complete the credit freeze online. Both Equifuked and TransUnion couldn’t complete my request, they want the request submitted by mail.

        Reading through the comments, I have to wonder how Equifuked got everything so wrong – there are a ton of good InfoSec folks out there – seriously!

        Thanks Mr. B

        • Joe — It only takes 3-5 minutes to place a freeze using each of the 4 agencies’ 800 number automated phone system. The calls go through immediately — day or night. You never speak to a rep, you never wait on hold. It’s very easy.

          • Easy it may be but handing a few bucks to each agency to freeze access to something I never granted access to in the first place.. is called ransom.

            There is really nothing different from any ransom-ware campaign and what the credit agencies do except that the latter is protected by the corrupt in Washington.

            Morally I can’t give them a dime. I understand I am the product in their criminal scheme and there is little I can do.

            • I believe you are cutting off your nose to spite your face. The fairly minimal fee to freeze your credit is nothing to the amount the CB’s make selling your credit info to their clients. That’s why they so desperately don’t want you to do it.
              Don’t think of it as ransom or extortion; think of it as cheap insurance and be happy to know that you are not only protecting your self, your credit, and your good name, but also doing something the bureau does not want you to do.

          • Wrong! At least with Transunion. This was a 45 minute from start to finish on the phone process today.

            You a CRB schill or what?

            • No, not a shill. I’m a guy who works nights. The only feedback I have about peak times of the day for the 4 credit agencies web traffic/phone traffic is from people around me (family, friends, neighbors). Today, at approx. 12:30pm ET, a friend got through quickly on the phone and placed a freeze with Experian, TransUnion and Innovis. Only with Equifax did he get a message “can’t process your request now. Try our website.” That’s the first time I’ve had someone tell me they couldn’t place a freeze via phone.

              Shill? Really? Think about it for a second: why would I be closely tracking the quickest and easiest way to place a freeze (and telling anyone who will listen) if I were in any way aligned with the agencies?! If you read Krebs’ articles, you’d know that the whole point here is that credit agencies don’t want us placing a freeze because they can’t profit by selling our info when a freeze is in place. So, I’m an advocate for placing the freeze, a result of which is lower profits for the agencies. Got that?

              Don’t slam me. Inform yourself.

        • Joe,

          I got the same messages, complained on Twitter and was told to try again. Experian was asking me for a police report. I said hold on one second, let me text Equifax to send you their copy.

          That said, I was able to do it a few days later.

      • Brian– For clarity’s sake, I have slightly updated my guide to navigating the 4 agencies’ 800 number automated phone systems, adding a couple steps for Equifax and TransUnion:

        Equifax: 866-349-5191
        (Be prepared to write quickly, as Equifax’s automated system will QUICKLY give you a 10-digit PIN. Then it will QUICKLY give you a 10-digit confirmation number. Afterward, you can PRESS STAR TO REPEAT YOUR PIN AND CONFIRMATION NUMBER)
        –Choose option 3 for a “Security Freeze”
        –Press 1 to continue
        –You will be prompted to SPEAK the name of your state
        –Follow the system prompts from there

        Experian: 888-397-3742
        (Experian will NOT give a confirmation number, but will mail you your PIN)
        –Press 2 “To learn about fraud or ADD A SECURITY FREEZE”
        –Press 2 “for security freeze options”
        –Press 1 “to place a security freeze”
        –Press 2 “…for all others”
        –Enter your info when prompted

        Innovis: 800-540-2505
        (Innovis will give you a confirmation number, but will mail you your PIN)
        –Press 1 for English
        –Press 3 “to place or manage an active duty alert… or a SECURITY FREEZE”
        –Press 2 “to place or manage a SECURITY FREEZE”
        –Enter your info when prompted

        TransUnion: 888-909-8872
        (TransUnion asks you to create a 6-digit PIN and enter it, and they will mail you a confirmation letter)
        –When prompted, enter your ZIP code
        –Press 3 “to add a Security Freeze”
        –Then you’ll be prompted to enter your SS #
        –Follow the prompts. You will be asked to enter the 6-digit PIN that you created

        I’ll try my best to monitor these phone menus for any changes.

        • Note: If placing a freeze via phone, the Equifax automated system is sometimes down (for maintenance?) for a brief period somewhere around 4:00am or 5:00am ET. I’ve noticed this 3 times now.

        • If you want to verify the validity of these phone numbers:
          Equifax: 866-349-5191
          http://www.equifax.com/cs/Satellite?pagename=contact_us

          Experian: 888-397-3742
          https://www.experian.com/corporate/personal-services-contacts.html#content-04

          Innovis: 800-540-2505
          https://www.innovis.com/personal/securityFreeze

          TransUnion: 888-909-8872 https://www.transunion.com/customer-support/contact-us-consumers

          I just noticed that I cannot force an https connection on Equifax’s “Contact Us” page without breaking it — the Error 500 I get seems to be a javaScript issue. I run NoScript, and at this point I just can’t allow myself to let Equifax run javaScript . Though, their home page was secure and functional without allowing any javaScript. Go figure.

          Anyway, I’ll monitor these links to see if any agency changes the location of the 800 number on their we site.

        • TransUnion changed their prompts slightly as of Tue 9/26 11am.

          You now need to press “1” to continue with the automated system, then press “3” to Add a Freeze.

          If you press “3” first as you had listed, you now end up talking to a sales rep.

          I especially liked hearing the part about “If you have a question regarding the Equifax breach, please call Equifax at…. We are a different company.”

          • Thank you very much for the update! I will change my info and pass it along to others.

          • I just tried the TransUnion number twice and moved through the menu to the point where I’m prompted to enter my S.S.#

            The original instructions I listed are **still valid**, there have been no chnges to the TransUnion phone system menu.
            — When prompted, enter your ZIP code
            — Press 3 “to add a Security Freeze”
            — Then you’ll be prompted to enter your SS #

            Though I did notice that after hearing the option to Press 3 “to add a Security Freeze”, before I pressed 3 I immediately heard the next option “Press 1 to continue with the automated system”, so perhaps there is a glitch in their system. I’ll keep an eye on it. But, again, thank you much for your feedback.

            • The number of our street address has N/S/E/W coordinates in it, such as S13W33812. Needless to say, Experian’s automated phone system makes no accommodation for this and so their automated system over the phone doesn’t work.

              Meanwhile, when using the Transunion phone system, I entered the zip code three different times but it said I wasn’t entering 5 digits.

              “Clowns to the left of me, jokers to the right…”

        • Experian phone system has removed the ability to add a credit freeze, you have to do it online or through certified mail now.

      • Why do you say a lock isn’t sufficient? T & C for transunion’s credit lock indicates its basically a freeze with slightly looser restrictions.

        • You’re right. We should just trust that the credit bureaus have our best interests at heart, and that they really don’t mind if everyone freezes their credit.

          Look, if you want to be in control of your credit file, get a freeze. If you’re okay letting someone else manage the process, more power to you. But ask yourself why they’re making these “locks” free and still charging you for a freeze. Ask yourself if it’s the same thing as a freeze why they had to come up with even more confusing terminology. If you’re not too curious about the answers to these questions, take them up on their lock.

  2. Wouldn’t Outlook automatically junk these e-mails?

  3. Kind of amazing that Equifax couldn’t even pony up the extra $$ for an Extended Validation (EV) SSL certificate on https://trustedidpremier.com. That would be one additional step to bolster consumer confidence in the legitimacy of the site. Another wasted opportunity, as the standard SSL certificate in use is issued by and to Amazon.

    • They probably would have bought a cert from Symantec to complete their screwdupedness.

    • And it is not accessible outside the US …
      Good luck to the expats !

      • Dang, you’re right (American in Germany). Time for some Twitter-shamin’, I guess – what else can I do?

        I cannot *wait* for the GDPR to go into effect. I wonder if Equifax already does anything in Germany that we US citizen expats could use our host country’s excellent data protection laws for…

  4. To return to the original point about the super-phishy web site, if they weren’t such nitwits, they could have put the new site at premier.trustedid.com, which is in the same domain with a decade old good reputation, while still letting them use separate servers to handle the load. But nooooo….

  5. I signed up for Lifelock. I got a discounted rate. I feel safer with them doing the monitoring.

  6. If you are mad with Equifax, you should look deeper into Life Lock – they contribute your data to Equifax.

    • This is false about LifeLock giving information to Equifax. LifeLock does not sell your information to any of the credit bureaus. It’s the credit bureaus that sell your information to LifeLock, CreditKarma, IDShield and any other company that wants to post your credit score for you to view. The information goes one way and it’s from the credit bureau to the person with the money willing to buy it.

  7. AllYourBasesBelongToUs

    I went and put the free freeze from Equifax via their website two weeks ago and it timed out and gave an error. I went back to try it again a few hours later and it had already gone through burn didn’t display my pin…so now it’s locked I can’t thaw or lift it! I called the breach line last week and they said they have been notified of server errors but had not received any information about how to fix these issues. Guess I’ll be calling again this week. My stuff has been stollen so many times it’s crazy…I have like three monitoring services running concurrently for free.

    I wonder if congress will force Equifax to pay for freezing the credit files of all 143 million at all the credit monitoring companies and allow lifetime thawing. Also why is no one discussing a permanent solution to this issue that involves the disassociation of one number and a few personal data items to allow identity theft in the first place! It seems the whole system is broken. Maybe in the end it doesn’t matter to big business because they all profit either way?

    • “I wonder if congress will force Equifax to pay for freezing the credit files of all 143 million at all the credit monitoring companies and allow lifetime thawing.”

      Only if you contact your representatives and express to them how important it is that they do that. I’m doing it today.

      “It seems the whole system is broken. Maybe in the end it doesn’t matter to big business because they all profit either way?”

      Bingo. For example, you would think that because fraud costs banks money, they’d care about preventing ID theft and do whatever they can to help set up a fair system that protects consumers’ information. But they don’t care because *fraud doesn’t actually cost them a penny*: they just past the costs on to customers in the form of higher interest rates. That is precisely why Congress needs to step in and regulate the credit bureaus, the banks, and anyone else who maintains databases of consumers’ identifying information.

      • Trust me, fraud hurts community banks. We do care about our customers and someone stealing their identity. Congress has already stepped in and are regulating the hell out of community banks. I hate being lumped in with the big guys.

      • The system is broken — the POLITICAL system. All the disasters that come one after the other are due to this.
        There is currently nothing and nobody in US govt that protects the public — all three branches of govt at all levels are utterly corrupted by corporations and the wealthy and cater only to their interests.

        It is really sickening to see politicians who are directly responsible for destroying the system and corporations out of control pretending to do something about it after the fact.

        As long as Americans fail to realize that monopolies and oligopolies are the opposite of free markets that requires regulation, they will continue to be robbed and the country will go down the drain.

      • By the time lobbying is done, it will have eliminated any serious price the CBs ought to pay for their negligence.
        Which means just another similar incident lurking around the corner.

  8. This is a dumbly written article.

  9. I Have Made My Registration Last Three Weeks Ago And An Email Was Sent To Me Saying I Have Successfully Registered, And I Should Wait For Two Business Days An Email Of Confirmation Wil Be Send To Me, Up Yet Til Now Nothing Was Been Send To Me. Why?

  10. I used the link to identify that my children’s SS# was likely compromised. However, it won’t let me take advantage of free credit reporting service because they are under 18. Called the customer service and was told that they had never been asked the question about why I can’t sign my kids up for this service. Still waiting for a callback…

  11. Can you expand “The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone …” How could they sell our credit reports when we had request “Lock”?

    • A lock is not the same thing as a freeze. Why do you think they had to come up with different terminology for it? Read what they say: Creditors can still access your report, while fraudsters can’t. Oh really? That’s a neat trick. How do you manage that? Well, trust us. No thanks.

      • At TransUnion their products on the Interactive side of the company, i.e. TrueCredit.com and the like, do leverage the same file freeze back end. While the front end is different, in the back end it is the same. So for setting and deleting a freeze the lock process does just as well.

        The problem is that you have to use the same process to delete it as you used to set it. There can be problems if you lock it with say TrueCredit and then cancel that membership and later want to delete the freeze. Similarly, if you lock it with TrueCredit and want to apply for credit, you can unlock it. However some people then forget to lock it again once the application is done. If you had set a freeze originally you can can temporarily lift freeze for a period of time (3-30 days) and when that expires the file freezes again. If you originally set a lock and later tried to temporarily lift it directly with TU you could have problems.

        I’ll add another problem that will start being exposed with mass freezes is the “selective” lift process. You can actually lift a file freeze in one of two ways. One is the global lift and the other is the selective lift. With the selective lift you are given an access code (different than the PIN) to give your bank where you are applying. However many of the banks or other users of reports aren’t properly set up to accept that access code. So we’d always tell people at TU to do the global lift versus the selective one.

  12. One year is nothing, thieves can wait years to cash in. Should I pull my savings from my bank?

  13. Farewell Equifax, we hardly knew ye….

  14. It’s very sad but simple: When companies discover that they can make more money selling to customers whose security is violated rather than spending money to keep data safe, they realize that it’s profitable to remain vulnerable.

  15. (I got overwhelmed with the number of comments, and haven’t read through all of them. This point may have been made elsewhere in the discussion. )

    Something that’s really clear with Equifax’s responses is that they’re treating this incident as a PR issue, and they’re doing as little as they can, in hopes that the attention will go away, and they can get back to Business As Usual. And they’re anticipating (or at least hoping) that any kind of sanctions they get are low enough that they can write off the expenses as a simple cost of doing business, but where there’s not any significant requirement of changes of how they operate. And Experian and TransUnion are watching closely — they’re glad that it was Equifax that got hit, but they have equal hopes that this whole thing will blow over.

    Equifax’s stance shouldn’t be surprising — their entire business model is based on the idea of collecting data, and then reselling it. Thus, the customer that they’re serving is not the people in whose data they’re trafficking (and profiting from), but the people who pay them for making credit checks. Therefore, they’re unfriendly to anything that inhibits that, whether freezes initiated by individuals, too-high (in their eyes) liabilities, or even individuals making checks of their own credit ratings, in various forms of trying to dissuade those checks from happening.

    The opposition to liability comes from the idea that to them, it’s all just data, but conveniently disconnecting the fact that there are real people connected to that data, and when it’s mishandled, it doesn’t really affect the credit bureaus, even if it may have significant effect on the individuals for whom the data is a mirror of real lives. This is one of the insidious things about the Wells Fargo bogus accounts fiasco, because from Wells’ malfeasance, it wasn’t just profiteering from their own customers, but data that is included in credit records. Even if Wells were to go back and repay every defrauded customer (even penalties and interest), even they can’t go back to the credit bureaus, and expunge that data, and restore damage caused by their malfeasance.

    For moving forward, I’m convinced that the only way this kind of thing stops happening is if there are sufficient penalties and requirements of changed operations — essentially, where there must be a legal “duty to care” on the part of the credit bureaus, where they’re the ones bearing the brunt of the risk, rather than the current setup of socializing the risk and privatizing the profits.

  16. It took about two weeks before I even got an email from TrustedID after signing up, in order to continue enrollment process. Is that what others have experienced? That’s after setting my calendar to come back to the site and enroll.

  17. A credit freeze is all well and good for those not looking to obtain a mortgage at the moment. :-/

  18. I was directed to this information from some net-surfing and found my name and social were on the list of the “compromised”. So, like a sheep to the slaughter, I bought in to this free 1 year “Trust” very fishy thing also. I received the same screen shot above e-mail, and when I clicked to “verify” I received a message saying, “It appears your account has already been verified. Click here to access your new services… It went to a white screen with a small blank gray box with a line under it. In short, I agree that this whole attempt to relieve people’s panic over the breach is garbage. I want to know who is starting a CLASS ACTION SUIT against Equifax and how I can get on that wagon which will have sites that work for sure!!!

  19. Equifax offered me the same Fraudulent Free Security 1Year coverage. Hell will get ready for CEO’s, Coporations, etc. wh
    eeling, scaming the people.

    I am exhausted with the constant lack of Truth in any of the system.

  20. I got the email a couple days after I signed up. Followed the link and hen it locked up right before I was supposed to create an account. Then, the site is unavailable. I tried calling the number in the email and got a message that it is a non-working number. I called the Equifax incident line and the CSR gave me another phone number which is constantly busy. Wondering if somehow the Trusted ID email got spoofed and I just gave away my info again?

  21. First, I would hesitate to quote anything from Wikipedia, since anyone can update it at any time. Second, while I really do appreciate the information in this article, it would have also been nice to see bullet points for the most important info. I know a lot about credit, and yet, my eyes started to glaze over fairly quickly. Most people are not going to take the time to read this whole thing. It’s akin to people signing contracts without reading them first. No matter how important, informative and necessary, they likely won’t.

  22. First thing I did when I heard about this was sign up with LifeLock; they were getting hammered at the time, but I did get signed up successfully. Later that evening I put a credit freeze on with the “big 3” plus Innovis and Chexsystems (got confirmations in the mail from those two this past weekend). There’s not much more that I can do than that, but I didn’t have any problems doing the freeze, likely because I acted quickly before “everyone else” found out the following monday.

  23. Like Jeff Powell, I am an American living in Canada, and have repeatedly been met with the same message: “The Amazon CloudFront distribution is configured to block access from your country”. I have tried accessing the site periodically since trying to enact a credit freeze on Sept. 9th, when I got a message telling me to return anytime after the 12th. Does anyone know how to get around this? I cannot believe the incompetence and dishonesty of this company.

  24. My email came from ” via amazonses.com”. What the heck? And I can’t find any explanation on their website about who the email will come from, etc to make me feel more comfortable. This is not confidence-inspiring.

  25. I’m getting marketing email from Experian now reguarding Equifax.

    “After the Equifax breach, watch out for phishing scams”

    Interesting thing is the links in the email are:
    CLICK.E.USA.EXPERIAN.COM

    Seems legit but it was just registered to Experian on the 25th.

  26. I finally decided to sign up for Trusted ID and also for my wife. In addition to everything pointed out here, I found another strange thing. Part of the verification process uses 5 multiple answer(guess) KBA questions. They were the same questions for both me and my wife and in the same order. They were (paraphrased/summarized) Our records indicate….: Mortgage company, last four digits of cellphone#, Auto loan/lease with, Monthly $ amoutn of payment for previous Auto loan/lease, you lived at address. All had none of the above choices. Both mine and my wife’s only had one actual answer with the other 4 being none of the above.

    Did I just disclose a security by obscurity element? You may only need to know one KBA and the rest are none of the above.

    Curious, has anybody else experienced similar?

    • My 4 correct answers were ALL “None of the above”! How can that be secure? How can that be said to have validated that it was actually me? I’m just glad I got in and got my SSN assigned to an account before some hacker did.

      Dan

    • One of the flaws of KBA products is their heavy reliance on dummy questions where the answer is “none of the above.” Often the dummy answers are all too obviously fake.

  27. The more I read about this whole thing, the more disgusted I become. I know everyone here feels the same way.

    Anyway, I made a video presentation about how to fix the system. We have consumers, creditors, and credit reporting agencies. Consumers and creditors are accountable to each other. CRAs aren’t accountable to anyone. That’s the root cause.

    Fix the problem by encrypting my credit credit history with my public key and decrypting with a private key *I* control. Boom, anyone who wants to look at my credit history goes through me first. It puts structural accountability onto all three parties – consumers, creditors, and CRAs.

    Here is the link:
    http://dgregscott.com/143-million-reasons-credit-reporting-industry-reform-part-2/

  28. from: Trusted ID Customer Service via amazonses.com
    to: xxxx
    date: Sat, Sep 16, 2017 at 12:32 PM
    subject: Update on your TrustedID Premier Product
    mailed-by: amazonses.com
    signed-by: amazonses.com
    security: Standard encryption (TLS) Learn more
    : Important according to our magic sauce.

    I question the validity of this email since its not directly from trustedID

  29. I made that mistake–I froze my credit with Equifax before I tried signing up for their free trustedID thing. While I was going through the enrollment process, the webpage errored out. When I tried to do it again, it said it couldn’t activate trustedID online and I had to call. When I called, they told me I couldn’t do it because I had a freeze on my account and that I would have to remove it first.

  30. After reading the blog and then ran through all the comments I can see that this whole system is totally messed up and has been. Like others I checked the Equifax site just to see and it told me it looks like I could be on that list. So I started the process for their free 1-yr service and today I got the 2nd email after checking Spam Folder before I emptied it. I found this blog because of the Domain Name difference when I went to research out what I saw and was concerned about.

    Not impressed about what I am reading about the service Equifax even though it is free I don’t have time to baby sit this.

    If I have read all the advice correctly…We should sign up for a Credit Monitoring Service like the Equifax or LifeLock or someone like that 1st….then we go through the process of putting a freeze on our credit report through each of the agencies listed in this blog?

    • If you want monitoring, yes; it won’t prevent credit file access and opening credit like a freeze will.

      “The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit.”

Leave a comment