September 21, 2017

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze.

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

Here’s a sample of the KBA questions the site asked one reader:

1. Please select the city that you have previously resided in.

2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.

3. Which of the following people live or previously lived with you at the address you provided?

4. Please select the model year of the vehicle you purchased or leased prior to July 2017.

Experian will display the freeze PIN on its site, and offer to send it to an email address of your choice. Image: Rob Jacques.

I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.
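To make the difference between the two designs concrete, here is an added Python model (not Experian's code; every record and request value is constructed) that runs the recovery flow described above under the weak policy, where the PIN is disclosed to whatever email address is typed, and under the policy this paragraph calls for, where the PIN is reissued and sent only to the address on the credit record, the contact channel already on file is notified, and repeated failures lock the online path. The CreditRecord fields, the KBA questions and the 10-digit PIN length are assumptions.

```python
"""Toy model of a credit-freeze PIN recovery service. Constructed illustration,
not Experian's code: the weak flow mirrors the post (identity fields + KBA,
PIN shown and e-mailed to any address the requester types); the hardened flow
reissues the PIN and sends it only by post to the address on the credit record."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class CreditRecord:
    name: str
    dob: str
    ssn: str
    address: str            # postal address on the credit record
    email: str              # contact e-mail already on file
    prior_city: str         # bureau data that KBA questions are built from
    vehicle_year: str
    pin_hash: str = ""      # SHA-256 of the freeze PIN (demo; a real system would use a KDF)


def make_pin() -> str:
    """10-digit PIN from the OS CSPRNG (length is a constructed choice),
    never a timestamp or record id, which could be predicted or looked up."""
    return "".join(str(secrets.randbelow(10)) for _ in range(10))


def hash_pin(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


def verify_pin(rec: CreditRecord, pin: str) -> bool:
    return secrets.compare_digest(rec.pin_hash, hash_pin(pin))


def identity_matches(rec: CreditRecord, claim: dict) -> bool:
    """The first hurdle in the post: name, address, DOB and SSN."""
    keys = ("name", "dob", "ssn", "address")
    return all(claim.get(k) == getattr(rec, k) for k in keys)


def kba_passes(rec: CreditRecord, answers: dict) -> bool:
    """KBA answers come from the same record the bureau holds, so anyone who can
    look the consumer up in public or people-search data can answer them."""
    return answers.get("prior_city") == rec.prior_city and \
        answers.get("vehicle_year") == rec.vehicle_year


def weak_recover_pin(rec, claim, answers, delivery_email, pin_store) -> dict:
    """Weak flow: PIN is returned in the response and sent to the requester's e-mail."""
    if not (identity_matches(rec, claim) and kba_passes(rec, answers)):
        return {"ok": False}
    return {"ok": True, "pin": pin_store[rec.ssn], "sent_to": delivery_email}


@dataclass
class Outbox:
    letters: list = field(default_factory=list)    # (postal address, PIN) to print and mail
    notices: list = field(default_factory=list)    # (channel on file, text); never carry a secret
    attempts: dict = field(default_factory=dict)   # per-record attempt counter


def hardened_recover_pin(rec, claim, answers, delivery_email, outbox, max_attempts=3) -> dict:
    """Hardened flow: the online response never contains the PIN. On success a
    new PIN is issued (the old one stops working), queued for postal delivery
    to the address on the record only, and the e-mail already on file is told
    that a reset happened. The requester-supplied e-mail is deliberately ignored."""
    n = outbox.attempts.get(rec.ssn, 0) + 1
    outbox.attempts[rec.ssn] = n
    if n > max_attempts:
        return {"ok": False, "reason": "too many attempts; request by mail"}
    if not (identity_matches(rec, claim) and kba_passes(rec, answers)):
        outbox.notices.append((rec.email, "failed freeze PIN recovery attempt"))
        return {"ok": False, "reason": "verification failed"}
    new_pin = make_pin()
    rec.pin_hash = hash_pin(new_pin)
    outbox.letters.append((rec.address, new_pin))
    outbox.notices.append((rec.email, "freeze PIN reissued and mailed to your address on file"))
    return {"ok": True, "message": "new PIN mailed to the address on your credit record"}


def simulate():
    """Run both flows with a request built only from breached identity fields
    plus KBA answers looked up elsewhere (all values constructed)."""
    rec = CreditRecord(name="Pat Example", dob="1970-01-01", ssn="000-00-0000",
                       address="1 Main St, Springfield", email="pat@example.com",
                       prior_city="Shelbyville", vehicle_year="2015")
    pin_store = {rec.ssn: "4815162342"}     # weak design keeps the PIN retrievable in the clear
    request = {"name": rec.name, "dob": rec.dob, "ssn": rec.ssn, "address": rec.address}
    answers = {"prior_city": "Shelbyville", "vehicle_year": "2015"}
    typed_email = "someone-else@example.net"   # an address the consumer does not control
    weak = weak_recover_pin(rec, request, answers, typed_email, pin_store)
    outbox = Outbox()
    hard = hardened_recover_pin(rec, request, answers, typed_email, outbox)
    return rec, weak, hard, outbox
```

Calling `simulate()` shows the weak flow handing the stored PIN to the typed address while the hardened flow returns no secret and leaves one letter queued for the address on file.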

This is yet another example of how someone or some entity other than the credit bureaus needs to be put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.

Experian has not yet responded to requests for comment.

While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.


189 thoughts on “Experian Site Can Give Anyone Your Credit Freeze PIN”

  1. Scarr

    Brian, while this was very informative and I greatly appreciate the info, it’s easy to criticize and not offer any viable solutions.

    I think an article like this could be much more relevant if it began to address some solutions to the problem (2 factor authentication, etc?).

    The public knows Experian’s and Equifax’s security is BS (the former Equifax security chief was a music major), so now how can we pressure them to fix it? What can WE do to address it??

    1. Peter B

      But he does offer a solution: physically mailing the PIN to the most recent address on record in the credit report. It is not maximally convenient to the user, but it is a heck of a big improvement, and also consistent with the general business practices of the credit bureaus (there are many actions that they require be performed by postal mail).

      1. Alan

        Mailing the PIN is all fine and good, but the credit bureau has my address wrong despite me having an open mortgage on my house.

        1. Shawn

          I feel like if your address with Experian is wrong, you would have a lot more issues than just getting your PIN if you forgot it. In fact, I had to get a snail mail just to RECEIVE the PIN, so it’s only reasonable that you have a functioning address with them in the first place.

          Fix your address with them using whatever procedure they have there. Then fix the secondary issue with the PIN. It’s a lot slower, but it *should* be because that’s the entire point to begin with.

    2. failrate

      Krebs did offer a specific remedy: “However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.”

    3. Joe Sixpack

      Scarr, you gotta be kidding!

      We need to know the breadth and depth of the system Equifax uses.

      It’s not up to Brian to solve how Equifax must behave.

      I know silly journalism today has, for example, pro football writers telling readers how a coach should fix his team, but this is not a journalist’s role.

    4. Bob Z

      This is Experian’s business – it’s their job to fix their business. It’s Brian’s job to identify when businesses handle data inappropriately.

      Apparently, it’s nobody’s job to effectively police this business.

    5. laura ann

      These four credit agencies are run by idiots and will become a nightmare for anyone who doesn’t freeze their credit and procrastinate. Their kids and young people could be ruined for life when they cannot buy a house, etc. if their info was used by criminals. Our gov. is a sorry incompetent mess, congress failed to make laws protecting the public against hacking, and many are even wondering if Equifax hacking was an inside job, me included. Many top officials dumped stock and resigned from company. We froze our credit and it was tedious and time consuming. Check financial statements and don’t fall for the BS of locking your credit and paying for monitoring as your info can be compromised even if locked. FREEZE credit in all four agencies. Many are under more stress over this than having a loved one pass, since people’s lives and their children’s can be ruined for decades or their businesses. Knowing for many years that the US gov is dysfunctional/crooked on all levels, we haven’t voted in four decades, incl local/state. These agencies can burn to the ground.

      1. fp

        Actually, they are NOT idiots, they are doing exactly what they should do GIVEN THEIR LEGAL OBLIGATIONS under the current system: maximize their profit.

        They are free to collect all data they want, but not to protect it and are not liable for any damage they cause to the public — we are not their customers. So it would not be rational for them to invest heavily in security.

        It is the political, economic and financial system of this country that’s corrupted, dysfunctional and irresponsible. The CBs were created by it and in the absence of rules and regulations, this is quite predictable.

        1. Some_guy

          Actually, they are liable. Target was sued after their breach a couple years ago, and settled for several million dollars. This is why the terms of service for Equifax’s fraud monitoring should be so worrying; by signing up you might be waiving your right to sue them over the breach. Even under the current system, Equifax has very good incentive to take security seriously. This is the kind of thing that could destroy their company – erasing any semblance of profitability.
          I’m not saying the current system is perfect. It creates an environment where companies are incentivized to weigh the costs of good security against the damage that can be caused by poor security. Large corporations are starting to realize that security breaches are no longer a matter of if, but when and how bad. Equifax was obviously behind the curve and will suffer huge losses because of it.

          1. laura ann

            Some guy: Just read/researched, if you freeze credit you can still sue in class action if your stuff is breached before you froze it. Watch your bank balances, financial stuff, I tell folks, just keep one credit card, use more prepaid ones like Shell gas, AmEx Bluebird (Walmart) and save up for a car, trade it in and pay rest in cash w. bank check from your savings.

          2. Reader

            Settlements mean that no judgment was made and no precedent was established. Therefore, Target (and other breached companies that settled law suits and government complaints) didn’t do anything wrong.

            You can thank Obama and Dodd-Frank for establishing the CFRB, which pursued settlements rather than judgements and precedents. Why didn’t they pursue criminal convictions? Settlements allowed the DOJ to set up community-action slush funds with the extracted corporate money to further Obama’s social activism. Look it up.

        2. laura ann

          Reply: They are not idiots if those employed by these four agencies were smart enough to freeze their credit. They are just as vulnerable as you and I, if we didn’t freeze ours. All four agencies are suspect, as if one is hacked, so can the others be. They deliberately allowed this breach because the security folks either were involved in an inside job (bribes to “let it happen”) or they are idiots for not securing info and too busy playing games on their iPhones/Androids.

    6. Fister

      I can tell you what won’t fix it: being an apologist for these shenanigans and free consulting.

      Burn these guys at the stake.

    7. Ivan

      Two factor authentication is good in a lot of situations but there has to be trust at the start – which is the problem here. So in this situation the bad guy just gives his cell (or above mentioned email) for the token when he registers for the pin with your stolen info.
      Snail mail seems the safest for this.

      1. Eric

        Ivan,

        I think you misunderstand what two-factor authentication is. It is something you “know” like a username/password combination (ONE factor, not two) and then something you “have” like an RSA key token with a code that regenerates every 60 seconds or so. This key is something that is on your person that nobody else can access. That is true 2FA. Not just a username/password combination.

        1. timeless

          So, 2FA is really not a particularly helpful response here.

          PIN/password resets exist because people are good at losing things.

          PINs/passwords work best for things where we’re challenged to use them frequently.

          Credit reports are things which we should not be accessing frequently.

          One common approach to 2FA is a key-fob that produces a rotating stream of digits. If you deal with 100 different entities over the course of the year, and each gave you a fob, and you only used some once a year, would you be likely to lose them? Probably. In fact, it’s highly unlikely that you wouldn’t lose at least one.

          Another approach to 2FA is sending an SMS. The system behind SMS delivery is incredibly insecure. Which is why people (NIST) are actively discouraging its use for 2FA [1].

          Using email for 2FA is laughable (it tends to suffer from all the problems of SMS and more).

          There really aren’t any good systems. But, probably the best approach for a number of systems (especially credit reports) is requiring a physical affidavit. It’s unclear how such a system would actually work, but….

          [1] https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

    8. David Lapham

      While we are all warning not to speculate on this, as the cold facts are crazy enough, I do want to add something here that is speculation, but I think warranted. Politicians in both major parties have wanted a national ID for some time, but for different reasons (at least publicly). This is a near impossible sale to the general public, because, big brother. Anyhow, I think it likely that the Equifax hack will be a catalyst that leads to a national ID, which uses encryption tech that allows for a token, without ever giving out your actual private key.

      1. MM

        That wouldn’t fix the problem for anyone who has already been impacted by this. For anyone over the age of 18 who has had any kind of financial account, their SSN is on file somewhere and likely with one of the credit agencies.

        A national ID does nothing to resolve this.

  2. Blue Critter

    According to the US Constitution, I have the right of association. If I do not want to associate with a credit agency, they must delete all my information from their files. We must demand our rights. Forget Big Brother, Big Data is watching you.

  3. FunnyBits

    It’s unfortunate that Experian hasn’t realized this. They should institute 2 form factor authentication. This is the same issue that the IRS had with their lost PIN process.

  4. joe

    Didn’t transunion avoid this problem by having people create an account with them before being able to freeze? Meaning you have to log in with TU username and password in order to request new pin.

  5. Naomi

    I would really like to know how these credit monitoring bureaus got into the business in the first place. No one ever asked me if it was all right to collect my most personal data. I’m sure no one asked you either. So who gave them the right to do it? Isn’t that invasion of privacy at an extreme level?

    1. FunnyBits

      You think that’s scary….look up LexisNexis. There are MANY of these ‘database services’ that anyone can pay a fee and find out your personal information. As well as who your siblings, mother, father, ETC. are. Addresses/phone numbers. These services are like the hackers’ phonebook to our personal (public info) and they have these relationship data trees of info. All for the low price of $20 a month. LexisNexis is one of the biggest and they have bought up other smaller companies. None of these companies have any security in place on how their monthly subscribers are using this data. These are a real pain to get your information removed from their databases. (Many hrs. and having to use their specific opt-out removal forms)
      In the early times (sounds like a western) we only had printed phonebooks and crisscross directories to look up addresses/phone numbers. In today’s world data is big business and the detail level has increased 100 fold.

      1. FunnyBits

        CORRECTION to my comment: Intelius is the company. NOT LexisNexis.

    2. TaxPayer99

      Your account information is given to the credit reporting bureaus by the creditor. For example if you have a Macy’s charge card, it is Macy’s that gives your account information to the credit reporting bureaus. Creditors do this because it is obviously in their interests for credit reporting bureaus to exist, otherwise creditors would have no way to check the credit-worthiness of people applying for credit with them.

      So the real question is, who gave Macy’s the right to give away your account information? Macy’s would argue that it’s THEIR information, so they don’t have to ask for your permission. Or that you agreed to this in the fine print when you opened the account.

      The point is that credit bureaus only have information that is either given to them by creditors, or is publicly available. So your complaint should be directed at the creditors, not at the credit bureaus.

    3. Tory

      Actually, whenever you apply for credit cards and loans, the fine print says that they will share your info with credit reporting agencies. You consent to the fine print when you submit the application.

    4. fp

      People will do for profit ANYTHING they can get away with.

      To stop them you need REGULATIONS. But that’s anathema in America, and these are consequences.

      All these companies — Uber, AirBnB, Facebook, Google — are nothing but scams producing nothing but stealing private data. What they disrupt is the system of regulations that were put in place to protect the public. Let them get away with it and they suck all your blood dry.

  6. FunnyBits

    “Credit lock” is very much a play on words and to most would give the impression that it is the same as a “Credit Freeze”. Very deceptive tactic by TransUnion.
    It’s unfortunate that Equifax’s mistake will inadvertently hurt all the credit bureaus’ bottom line as now NO one should feel that their most personal info is safe with ANY of these companies.
    We all need to be security conscious and we should all “Freeze Our Credit” to ensure that we are not dealing with fraudulent opening of accounts that will haunt you for years.
    (Err on the side of caution)
    Equifax/Experian/TransUnion/Innovis- Security Freeze all of them for your family members.
    On another note. NOTICE we initially heard about the Equifax Exec’s selling off Stocks prior to the public notification. We haven’t heard anything more in the press about SEC investigations on this matter… WHY?

    1. treFunny

      I think Brian hit on this issue in an earlier article.. the MSM is in bed with the credit agencies and don’t want to shoot themselves in the foot… gotta pay for those $18k suits son.

  7. Con.

    I have two questions. Is the Chief Security Officer at Experian also a music major? Did all the Barnum and Bailey clowns get hired at Equifax, TransUnion, and Experian? This mess is a three ring circus. How can this mess ever be fixed, unless we get a new form of identification? To rely on Social Security numbers seems pointless now that the hackers have our info. The credit freezes and fraud alerts are just a temporary solution until the next security breach occurs.

    1. Bob Brown

      The Social Security number is a dandy identifier. It’s a major problem when people try to use it as an *authenticator.*

  8. Anonymous

    There’s the Federal Bridge PKI, and efforts/laws like “Real ID”, so why not marry the two to give people a way to authenticate themselves? Perhaps a license/state ID with smart chip and embedded certs on it?

    Oh boo hoo “we don’t want a national ID card”, but “we’ll happily accept a 9 digit number to identify ourselves even if it doesn’t really suit the purpose!”

    Something has to give.

    1. DudeSmacker

      Well, no one “happily” gave over a 9-digit number. In fact, the SSN being used in lieu of a national ID took quite a long time to accomplish and generally against the desires of the public who never wanted a national identifier. (as a pertinent aside, Amish people, for instance, do not even have them at all).

      Hence the original legislation made it illegal to request (or even use?) a SSN for any purpose other than that of administering Social Security.

      We’ve come a long way since then. But I’d wager that today people will still opt for privacy and anonymity (as your pseudonym would imply) , rather than a “better” national ID number.

  9. Stephen

    I’m sorry, but snail mail is not the answer. Gee I would love to close on that house but it’s going to take me 30 days to unfreeze my credit report. FFS

    1. SteveH

      The snail mail part was to retrieve a PIN used to unfreeze credit, not to actually do the unfreezing. You only need to retrieve the PIN if you lost the one you got when you froze the credit.

    2. JustMe

      Or maybe take a little initiative and start the process to thaw/retrieve your PIN BEFORE you start looking for a new home, not after. Unless you impulse-buy homes, then I guess you’re screwed…

  10. Janet

    How would you suggest I freeze all 3? I listened on phone and they said to send check. Don’t know if it does all 3? Please advise.

    1. Wade

      Go to each credit reporting company’s website and request a credit freeze. Since they are all separate companies, mailing one check will not work. Additionally, you can do it all online so there’s no need to mail any checks at all.

      Google will be your friend.

  11. Will

    The ONLY foolproof way to keep someone from opening credit in your name is to have extremely poor credit.

    There are credit score apps that are FREE. Use them and check them often. I check mine on Sunday mornings, or during halftime on Saturdays during football season. They show if new accounts have been opened. I opened a new account and within 48 hours the app I use sent me an email to check the app to review the newly opened account.

    There was an article earlier this week about a security flaw in two-step authentication. There is a not too complicated method to intercept the text message with the one time code.

    For every method that is designed to foil those who want your money/info, those same people devise at least two ways to bypass it. If you think your home alarm code is secure, sorry, it is not. A device no larger than a matchbook placed within 50 feet of your door can capture the RF signal of the numbers you enter to disarm/arm the alarm. I guess if you placed a Faraday cage around the pad you could defeat that particular hack.

  12. Selang

    It should be the responsibility of the LENDER to verify that the person they are lending to is who they say they are. Lenders that fail to do this should be liable for all losses. Lenders should also be liable for submitting false credit information when they issue credit to imposters and then report loan history to the credit bureaus. In practice, that means showing up somewhere with proof that you are who you say you are before credit is approved. Bank branches could easily perform this service for third parties as a service for their customers.

    1. Gloria

      I agree with Selang! The responsibility should be on the lenders! If they don’t get it right, they pay, not us.

      Also, the day after I froze all 4 of my credit reports I started getting phishing emails. They totally looked legit and I even called one of my providers to verify and it was not them. Is this happening to anyone else? I have never gotten phishing emails like this before.

  13. Name Goy

    Here’s a fun fact: TransUnion REQUIRES you create an account before you can freeze your credit report with them. If you have to pay a fee to freeze (as I did — $10) they save your credit card on file with no option to remove it from your account information. And it has to be a valid credit card, they will not accept just any 16 digit number to save in the account info.

    Also, did anyone else get through the process, get charged to freeze their credit, then get told “Something went wrong, please call or write to us”? I cannot get through on the phone number because none of the options apply to me and there is no real person on the other end to talk to.

    1. Tim

      I did TransUnion and after I did the freeze it buckled and gave me an error. I tried again and it looked like the freeze did in fact work as I couldn’t do that but when I clicked on UnFreeze it started to ask for Info. So, pretty sure it worked and then just went bonkers on exit or something. Hope this info helps…

      1. Name Goy

        It did not give me any kind of freeze. The error came just as I was supposed to get the freeze placed. If I call the number for freezes, and select “I have a security freeze” it tells me I do not. Looking at my credit card pending charges, I have two (one for me and my partner) and I’d rather not do the whole process over if it means getting charged again for an error again.

    2. Steve

      I saw the same thing at trans union and thought the last thing I’m going to do is create an online account with these people. One more vector of leakage for my data.

      So I called to use the automated phone tree – and I got an error, and it dropped the call. So then I had to speak to an actual person there to complete it – whose system, btw, kept freezing.

      When calling trans union keep hitting *0 (star-zero) to flip out the automated system which will eventually dump you to a human.

  14. LYN SCOTT

    Can someone please explain to me how it is even remotely possible that Equifax can still CHARGE the consumer to freeze their credit in view of what they have done? Or only offer the ability to lock their credit through the TrustedID service they’re offering (which may or may not exempt people from participation in a class action lawsuit…?). Any available protection should be a given – not a give me.

    1. Bob

      Equifax is offering free credit freezes for the next 30 days (give or take, depending on when you read this). Take advantage now, before they decide to rescind the offer.

  15. Robert

    As for the lame security questions. Ever Bank asks me what county my town is in, is my home a single or two family res. All questions “any” bad guy can easily find. So remember, Ever Bank = lame security. Maybe embarrassing these businesses will force them to change.

    Several other banks I deal with ask me for the mother’s maiden name I gave them, not the public records real name. Lots of luck guessing a 10 digit answer which is numbers, letters and symbols if you’re trying to access my account. Yes it requires some effort on your part but anyone can come up with an initialism that they will remember and use it for mmn or any password they need to.

    As for pin numbers. Why not add a very simple extra step, two security measures. They could ask for the phone number you will be calling from, not your home or cell number, easily found and spoofed.

    How about giving a work number, one that is not listed, not the main number for the business. A neighbor or a relative’s number. Yes that requires you having access to such when you need to use it but it’s an extra level.

    At the least, one should be required to give a password besides the pin. And don’t use a real word, make one up. All my passwords are initialisms and long ones, never been successfully password hacked. Pick a phrase you know well and choose the first or second letter of each word, add numbers, it’s not hard to do. But those who we need to secure data with “must” give us better security options.

    Who knows how much of our info is out there. BTW, last week on NPR’s “On Point” program with Tom Ashbrook, he had a caller stating that his dad had worked for Equifax years ago when the company had a different name. They collected medical data and heaven knows what else on people. Question is, is the data still on file? Was it breached? I suspect we’re only being told “what” someone deems we need to know, not the whole story. WCBS radio’s Joe Connolly mentioned Brian Krebs and the Equifax breach on one of his broadcasts last week.

    See https://en.wikipedia.org/wiki/Equifax for more depressing info on our collected data.

    One last soapbox. Any State granting a driver’s license to someone who holds a driver’s license in another State must request a copy of the current driver’s license, including a photo of the driver, before granting a new license. Thank you Equifax for making us worry about our driver’s licenses too. Might as well force all businesses granting loans, credit cards, banks, etc… to confirm in duplicate if not triplicate, that you “are” in fact “you”. Identity thieves do not want obstacles in their way. Someone breaking into a car will avoid ones with car alarms and locked doors for those that are unlocked and maybe have the keys in the ignition. Not freezing your credit is like leaving the keys in the ignition.

  16. coakl

    Better idea: the online form is just Step 1. After you answer the KBA questions, you’re given a unique “request number”.

    Step 2: You mail in a credit freeze PIN request letter, with that request number, AND with the request letter notarized or signature guaranteed.

    Think of this as a “2-factor authentication”.

  17. Inquisitor

    Thanks for all the help and information you are providing! I have one question, however. Would you use the phone to enact a security freeze? TransUnion, Equifax and Innovis offer this. Experian does not, I believe.

  18. aj

    Transunion has a similar problem with Trueidentity accounts which can be used to do “credit locks”.

    Trueidentity only requires basic PII data and a secret answer. God help you if the answer to the secret password is floating somewhere on the net.

  19. Debbie

    I did not receive a pin # from Experian when I froze my credit. What do I do to get a pin#? I also hadn’t been able to get a hold of Transunion or Experian. Why? I flat don’t know what to do abt any of this. Plus if our info is already out there how r these 3 companies gna tell if it is the right person. Pin # or no pin.#? Why didn’t Experian give me a pin#. I don’t quite understand really what to do? Maybe because I’m so scared that I can’t even trust what I’m reading & it’s not just another scam? So I need to freeze all 4. I’ve nvr even heard of Innovis.

      1. David_

        Big thank you Clay_T! Very gracious of you to take the time to refer to it, so easy to miss as I’d already read the comments before today.

  20. Mike

    At bare minimum the credit company should try to contact the person at the phone number, address and email address previously on file. Only after failing to connect with the person via known channels should there be a reasonable belief that the person providing updated contact information may be legitimate.

  21. Clay_T

    Well, crap.

    Do these guys create their KBA questions based on information they think they already know about me?

    That blows my usual strategy of using completely unrelated answers to those useless KBA’s.

    ps: I love those sites that allow all three useless KBA questions to be answered with the same, completely unrelated, answer. Saves a lot of memorizing.

    1. Steve

      Yes they rely on their data. And it often shows how weird or inaccurate their data is.

  22. Rick

    “More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.”

    What am I missing? The dozen readers SHOULD have been able to retrieve their own PINs. It’s if they’d have been able to get Brian’s (or anyone else’s) that this’d be significant.

    1. Fred Mora

      You are missing the point. You can get an unfreeze PIN via email by filling in a form with data found in the Equifax breach, among others. So an ID thief can go around a freeze, rendering it useless. The email address they supply is obviously one they control.

  23. DanInCO

    Is there any reason to believe the unfreeze PIN is not stored in the same SQL table as name, SSN, DOB, etc. that was hacked at Equifax?

    1. David M

      Up until just a few days ago, the Equifax freeze PIN was a timestamp of the moment you froze your account. As a programmer, I can say with reasonably high confidence that the timestamp was likely the ID for the freeze record, or stored as a field in the freeze record.

      The good news: it is no longer a timestamp as of at least today.

      If you froze your account before the breach, I would recommend permanently unfreezing the account, and then turning around and immediately refreezing the account so that you generate a new, non-timestamp PIN. That way you can be sure that the stolen data will not include your freeze PIN.

      1. timeless

        In theory you should be able to use your existing PIN to change it w/o unfreezing + re-freezing. Remember that in general, it costs you money to unfreeze/refreeze.
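The thread above (DanInCO's question about the PIN sitting in the same table as the PII, and David M's point that a timestamp makes a poor PIN) comes down to two properties a freeze PIN should have: it is unpredictable from anything else in the record, and the record stores only a salted hash of it. The following is an added illustration, not code from Equifax or from this page; the PBKDF2 cost and the 10-digit length are assumed values.

```python
import hashlib
import hmac
import math
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter, not any bureau's real setting


def timestamp_pin(freeze_time: float) -> str:
    """The weak scheme the comment describes: the PIN is just the freeze moment."""
    return str(int(freeze_time))


def random_pin(digits: int = 10) -> str:
    """A PIN drawn from a CSPRNG; no other field in the record predicts it."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def entropy_bits(candidates: int) -> float:
    """Bits of uncertainty when the PIN is one of `candidates` equally likely values."""
    return math.log2(candidates)


def hash_pin(pin: str) -> tuple[bytes, bytes]:
    """Store only a salted PBKDF2 digest, so a dump of the table does not yield the PIN."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_pin(pin: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed comparison: a timestamp PIN whose freeze date is recorded
    # next to it has about 86,400 plausible values; a 10-digit random PIN has 10**10.
    print(f"timestamp PIN, date known:  {entropy_bits(86_400):.1f} bits")
    print(f"10-digit random PIN:        {entropy_bits(10**10):.1f} bits")
    print("example timestamp PIN:", timestamp_pin(time.time()))
    pin = random_pin()
    salt, digest = hash_pin(pin)
    print("stored digest verifies:", verify_pin(pin, salt, digest))
```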

  24. Joaquin Tall

    As a subscriber to ConsumerReports, I received this email today.

    “A Credit Freeze Won’t Help With All Equifax Breach Threats.”

    In short, 1) “Tax Refunds”. Get an Identity Protection PIN from the IRS. But you can get a PIN only if a fraudulent return has previously been filed in your name, if the IRS determines that you’re an ID-fraud victim, or if you live in a high tax-related identity theft locale such as Washington, D.C.; Florida; or Georgia.

    2) “Health Insurance”. Get copies of your medical records from providers to establish the baseline of your health before your records are compromised. Increasingly, online patient portals make this easy to do. Check back regularly to see whether providers you didn’t use are listed and whether you’ve been charged for treatments you never received.

    3) “Your Driver’s License”. Ask the motor vehicles department to give you a copy of your driving record; most states charge for this, usually about $10. To find out whether any bad checks are attributed to your driver’s license, request your free annual consumer report from each of the big three check verification companies, ChexSystems, Certegy, and TeleCheck.

    Forewarned is forearmed.

    1. JCitizen

      Yep! ID theft isn’t funny at all, but at least the freeze is the start of it – my congress critters better get off their duff and kick some major hind ends over at Equifax and start out with a good extra dollop of new regulations forcing them to pay for their OWN mistakes.

      As far as that goes, ID theft is one of the worst crimes in that the victim is the one left holding the bag of cleaning up all the loose ends. Sometimes it can take 10 years to straighten out – then start all over again when the perp gets out of jail!! The loose ends shouldn’t even be there in the 1st place – they need to address that too – PRONTO!!

  25. Andy

    My credit reports have been screwed up for 18 years and I told them 18 years ago I don’t have, and have never used, a middle initial, and that I don’t live with my ex-wife and her husband, but they won’t remove the initial or the address. The only convenient thing is when I do get mail addressed to my name with a middle initial I throw it in the trash without opening, since it isn’t me. Lesson learned – never move into a house whose prior tenant’s name was only two letters different than yours and had a middle initial, and don’t divorce your wife, kill her, then she can’t get remarried.

  26. Chris

    Wow. In your investigation, have you seen any evidence of enterprise risk related to this breach? Meaning — several companies link to credit bureaus backend services via APIs — the big three offer a variety of services to enterprises. Mainly just curious if companies think “whew, glad it wasn’t us” when in fact they may have extended enterprise risk here.

  27. James Alantra

    There is a team out of Stanford that implemented a Blockchain ID and credit system, called HelloBloom.io

  28. Michael

    Leave it to Experian to pile up more insults to injury… after waiting for my “enrollment date” to come around, I tried to enroll in their “protection”… only to be told that it is blocked for IPs outside the U.S… Makes sense, there’s only 9 million US expats overseas… I know how to fire up a VPN to get around it, but not everyone can.

    m

  29. Marc

    If I file a police report against Equifax for stealing my identity, can I then use that police report to get them to waive the credit freeze fees?
