A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor — Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service.
The news came in an email Equifax is sending to people who took the company up on its offer for one year of free credit monitoring through its TrustedID Premier service.
Here’s the introduction from that message:
“We recently sent you an email advising you that, until further notice, we would be extending the free TrustedID® Premier subscription you enrolled in following the September 7, 2017 cybersecurity incident. We are now pleased to let you know that Equifax has chosen Experian®, one of the three nationwide credit bureaus, to provide you with an additional year of free credit monitoring service. This extension is at no cost to you , and you will not be asked to provide a credit card number or other payment information. You have until January 31, 2019 to enroll in this extension of free credit monitoring through IDnotify™, a part of Experian.”
Equifax says it will share the name, address, date of birth, Social Security number and self-provided phone number and email address with Experian for anyone who signed up for its original TrustedID Premier offering. That is, unless those folks affirmatively opt-out of having that information transferred from Equifax to Experian.
But not to worry, Equifax says: Experian already has most of this data.
“Experian currently has and is using this information (except phone number and email address) in the fulfillment of the Experian file monitoring which is part of your current service with TrustedID Premier,” Equifax wrote in its email. “Experian will only use the information Equifax is sharing to confirm your identity and securely enroll you in the Experian product, and will not use it for marketing or solicitation.”
Even though people who don’t opt-out of the new IDnotify offer will have their contact information automatically shared with Experian, TrustedID Premier users must still affirmatively enroll in the new program before then end of January 2019 — the date the TrustedID product expires.
Equifax’s FAQ on the changes is available here.
EQUIFERIAN®?
Talk about the blind leading the blind. It appears that in order to opt-out of the information sharing or enroll in the new Experian program, people will need to click a customized link in the email that Equifax is sending to TrustedID enrollees. I’m not aware of another method for opting out or signing up, but I’ve asked Equifax for clarification on that point.
Consumers who don’t want Equifax sharing their phone number and email address with Experian need to opt-out by clicking a link in an email.
Fundamentally, I see no problem with people using these credit monitoring services as long as they are free. Credit monitoring services can be useful in helping consumers dig themselves out of the mess caused by identity theft.
The chief danger I see in relying on credit monitoring services to stop identity theft, however, is that these services traditionally have not been very good at doing that. As I’ve written ad nauseam, credit monitoring services are more useful at detecting *when* someone opens a new line of credit in your name. What this means is that while they might let you know when someone has stolen your identity, they’re not likely to prevent that from occurring in the first place.
The best mechanism for preventing identity thieves from creating and abusing new accounts in your name is to freeze your credit file with Experian, Equifax and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file.
Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stop all sorts of ID theft shenanigans. I explain in much greater detail how to freeze your files and what’s involved with that in this post from September.
Please note that if you haven’t yet frozen your credit and you’d like to take advantage of this offer from Equifax/Experian, it’s a good idea to enroll in the IDnotify first, as it’s often not possible to enroll in credit monitoring services *after* you’ve frozen your credit. That said, Equifax’s FAQ suggests this might not be the case, noting that if your Equifax credit report is frozen, the security freeze will stay in place for people who enroll in the new program.
I imagine this arrangement should help the credit bureaus steer more people away from freezing their and toward their respective “credit lock” services, which the bureaus have marketed as just as good as a credit freeze but also easier to use.
All three big bureaus tout their credit lock services as an easier and faster alternative to freezes — mainly because these alternatives aren’t as disruptive to their bottom lines. According to a recent post by CreditKarma.com, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).
TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.
Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.
Did you receive this offer from Equifax/Experian? Are you planning to opt out or enroll? Sound off in the comments below.
Brian: glad you had a good experience with the automated Freeze processes. Wish I could say the same. When I was trying to unlock my freeze, worked fine for Trans Union and Experian. Equifax was a nightmare – call center in PH kept saying it was unfrozen, but my bank said it wasn’t. This went on for weeks (trying to close on my house). Could NOT reach anyone at Equifax in US, and call center could only read their script. Worst experience with any company ever, and that is not hyperbole.
We’re not the customers of Equifax – banks and retailers are.
Unbelievable there weren’t regulations put in after the breach to let us have an Erasure (like GDPR). Wonder if the CA law has that in it?
Same here, easy to freeze, nightmare to unfreeze or place temporary lift afterwards. i did it once and chose not to do it again. I usually put a free security alert on my account. Now lasts for a year. Otherwise IMO that security freeze is not worth the hassle. Plus, with it in place you need to watch out for any of your other services (like insurance) not to start silently raising your rates simply because they can’t access your credit file. I got bit by that.
“I usually put a free security alert on my account. Now lasts for a year.”
Think about it. Not only should a “security alert” mode be the STANDARD mode that SHOULD be free, it should have NO time limit. B’stards carelessly handling and making money off of personal information we never gave them permission to accumulate should provide this protection continuously and when there is a huge security breach they should be HEAVILY sued if not outright sued out of existence. Only that will grab their attention adequately. But since our government is corporate owned…
Dennis, I would think a company, like ALLSTATE, would have to contact you if they could not review your credit before raising your rates. I’ve had my credit at all three companies frozen for nearly ten years with no problems but I intend to check with my insurance company.
When this happened to me, only with TransUnion, it turned out to be a flaw in some type of in-house software used by the bank I was dealing with. After I faxed a copy of the letter from TransUnion stating that credit freeze had been lifted for 30 days, bank investigated and problem was fixed.
Now here I thought, I was the only on that actually got that email LOL
Interestingly, I received my extension notification back on 9/12/18 from Equifax, and my year extension is apparently still through Equifax’s TrustedID Premier product, and not through Experian. Some co-workers who signed up around the same time have gotten the Experian email as you described, so maybe it’s not a total switch but they’re offloading some of the risk but not all, perhaps?
I was involved in the OPM breach a while back, and let things slide at the time.
Then, Equifax happened and I couldn’t get on the credit bureaus’ sites fast enough to get a freeze on both my and my wifes’ credit reports. If I hadn’t known about freezes from reading your pages, I probably would’ve either been bamboozled into the credit “lock” or just going with the credit monitoring…
If you can still opt in to the OPM free credit monitoring, I would recommend it. I believe it’s good for something like 10 years from the date of the breach. I have been pleased with the service.
And so begins the phishing campaign with big orange ‘opt-out’ buttons
Perhaps it’s a method for Equifax to figure out which idiots will click email links, for a future sales campaign.
Top-tier managers of these 2 criminal vendors should be in prison. They are much to corrupt to make privacy decisions.
opt out… my accounts are frozen with the big 3 and I plan on NEVER unfreezing.
If you plan to open an account with the IRS, Medicare, or Social Security, it’s best to do so before freezing your credit accounts, since the use questions based on your credit report to verify your identity. It’ll soon be tax refund theft season, so opening an IRS acct is a good idea. I expect Brian will write again about this topic over the next few months.
I’d suggest adding Innovis as the 4th major credit reporting agency, and freeze your acct there, as well. They have a much more friendly web site than any of the big three, and are quick and easy to deal with.
There’s another 30 or so specialized credit reporting agencies, I think Brian has written about them in the past. If you fall into one of their categories, such as health care provider, and many others, it could be worth freezing your acct with them.
BTW, I haven’t yet received any email from Equifax, but if it dropped into the bulk/junk mail folder, I probably just deleted it.
I’ve been checking my junk mail for at least a year or more now. No emails from Equifax – it is hard for me to believe I’m not included in the breach! I have a lot of junk email accounts, but I wouldn’t give a trusted institution those addresses.
I know it is stupid on my part, but I’m too stubborn to budge – I feel they owe us a free freeze on our credit reports for at least one year, but I also feel someone at Equifax needs to go to jail for dereliction of duty in keeping their security up and running. Too bad there isn’t a law making this possible; but congress needs to force a free credit freeze for everyone involved for at least the big three credit reporting agencies. It would be easier than trying to write a complicated adjustment in regulating the industry – although I feel more regulations are in order, and should have been done 30 years ago.
If congress set it up right they’d make it easier to get a freeze and unlock it when necessary, and force a reasonable cost for doing it too. Once again – it is way easier than piling regulations on top of the reporting agencies. When they mess up, we the consumer gets to punish them buy locking down our credit indefinitely unless THEY PAY US to unlock it!!!
JCitizen credit freezes are now free, no cost to thraw ( or unfreeze) any longer. YMMV as I read the posts above I ahve had freezes in place for 6 years I refinaced homes bought new cars etc. Plus with it becoming federal law for US citizens that was a huge help.
I do agree that they should pay us …but this things has become a gigantic monster 100 times different from where it started,
Paying us would be novel but I am afraid they would never do it.
Heh… I have accounts on both TrustedID and IDNotify already. Will they figure this out, or will I end up with two separate accounts? Hmmmm
According to these people, when I try to get the “free” stuff or even follow up a declined sale/credit I am told I’m not in the system. Don’t ask, I’m not revealing how I did that.
“Experian currently has and is using this information (except phone number and email address)…”
Experian has your phone number too. A wrong phone number was on my credit report (for a different person with the same last name). I had to fill out a couple of forms and send them snail-mail to get that corrected.
I received that offer from Equifax. I plan on enrolling in the free Experian plan.
As a side note, I had my credit files frozen before the freezes became free on September 21, 2018. Then in October, I had to unfreeze my files. It was different unfreezing them now. The PINs I had no longer work. I already had profiles with the Big Three but as a result of the changes with the implementation of the new law, I had to create new profiles with Equifax and TransUnion. In conclusion, I went through a headache to unfreeze my files but am glad they are now free.
I, too, had my credit files frozen before Sept. 21, 2018. I never had to create an online account to freeze them, rather I used the telephone or applied directly online and got my pins through the mail. I never read anywhere that ‘old’ pins no longer work, if created before sept 21, 2018. Do online profiles now have to be created to get new pins?
Equifax has a new web portal allowing people w/credit freeze’s to create an account and self manage the freeze. They can remove the freeze for a range of days or revoke the freeze totally.
The self service portal does not (that’s correct, it does NOT) require using the security pin assigned when the freeze was instituted.
Another innovation from Equifax? Well that’s what the customer service representative tried to convince me. I think it’s just another failure from the company that continues to disappoint.
Dear Sheeple, We’re providing you a fashionable new neck collar free for the next year….
https://xkcd.com/1013/
In the paragraph with the sub-header “EQUIFERIAN®?”, it says ‘opt our’ when it should say ‘opt out’
Sorry, ‘opting our’ should be ‘opting out’
I agree with Brian’s title: “Equifax Has Chosen Experian. Wait, What?”!! No way I trust these folks with any more information than absolutely required. My accounts are frozen. Done and Done….
Does IDNotify have an insurance component?
Their highest level says it does. But where are the limits? Protect yourself. Freeze Freeze Freeze.
Am I the only one who sees the word “Lucifer” hidden inside that Equiferian logo?
I have loved working with the “credit agencies”, ever since my first credit report. They had the wrong middle name for me. Snail mailed the correction, waited six months, paid for a credit report, no change, just a addendum, an aka same wrong middle name. But now, the phone number is wrong, one of the family members in my phone tag. Cute.
Anyone and everyone who has read Brian’s site over the years, and has followed his advice to put freezes into place (hopefully at all 4 big credit agencies) needs to STOP what they are doing at this instant and read Dan’s message above (written at November 1, 2018 at 9:57 pm).
I also know for a fact, as of Sept 2018, both Equifax and TransUnion are allowing (in essence, quasi-requiring) all people to create “online” accounts at both agencies for the explicit purpose from this day forward to manage your freezes online. How? You will use this new online account and its password your create to freeze and unfreeze your account. HERE IS THE SPOOKY PART: neither Equifax and/or TransUnion in their online account creation process, require and/or ask for your current credit freeze PIN number for that account creation. Once the account is created, the PIN is passe’, and it is the account login (with its password) that governs whether a freeze is “on” or “off”.
Think about that for a moment. The one piece of info that all along you have felt is secure, those created “PIN” numbers (thankfully, Experian has basically said in a public statement they think that both Equifax and TransUnion are misguided, and that Experian will still require the PIN originally created). So that one piece of info you created, the PIN, becomes useless once an account is created in your name at these two agencies.
And here’s where it gets even better: during the online account creation at both Equifax and TransUnion, guess what information they are asking you as you go through the pages creating the account? I know you may not believe it, but they are asking the very information that Equifax completely lost in the massive breach. Neither Equifax nr TransUnion ask for the current PINs existing on your credit freeze. It is incredible.
All this information Equifax lost about us is available on the dark web for very few $$$$, and with that info, any criminal/fraud-oriented person could create accounts at both Equifax & TransUnion and from that day forward completely nullify the existing PIN and freezes you now have on your credit files/reports there. They, not you,will have control of your credit at both agencies and what occurs there. Why? They created the accounts first, and not you. Dam# be to your existing PIN credit freezes there.
I tried to make Brian aware of this several weeks ago when emailing him, but it seems this massive oversight is not being put out on the bullhorn to make all existing people with credit freezes AWARE of what Equifax and TransUnion are doing.
People with existing credit freezes, BE AWARE, BE ALARMED, and get on top of this before an account is created for you by someone that you absolutely do not want creating that account.
This is no different than the Social Security issue Brian has been trying to make us aware of, and to get us to create one before somebody else does.
But what is occurring with Equifax and TransUnion now has even greater ramifications.
Brian, please, PLEASE get the word out about this……even inside the U.S. Government, of which I am a part, we are scrambling trying to get the word out to all (especially all the OPM-breached people) about this development with Equifax and TransUnion.
Do not wait—-get online and create your Equifax and TransUnion accounts now, and to be safe, also create online accounts with the other two agencies too. This is not the best scenario, especially since both Equifax and TransUnion have already said these accounts are going to be used to market their services towards us, trying to sell us solutions to problems that they in the first place created.
It is all unreal that this continues to go on……
Can Equifax make this any more confusing? My wife received the email advising her of the transition and extension of Equifax TrustedID Premier to Experian IDnotify, giving her only the choice to opt OUT. So, to opt IN, you do nothing. But wait! You can’t do nothing for too long, because then you have to keep alert for future emails requiring you to affirmatively opt IN to enroll in IDnotify. (By the way, my identity was stolen following the Equifax hack and I signed up for TrustedID, but I have not received the Equifax email advising that I qualify for the extended protection.)
Here’s an FAQ on the Equifax page:
What happens if I locked my Equifax credit report through TrustedID Premier – will my Equifax credit report remain locked?
No, your Equifax credit report will be unlocked when your TrustedID Premier subscription expires. Also, if you enroll in the Experian IDnotify product, your TrustedID Premier product will cancel and your Equifax credit report will be unlocked.
If you have another Equifax product with Equifax Credit Lock, we recommend that you sign into that product and lock your Equifax credit report.
If you wish to restrict access to your Equifax credit report, you can place a free security freeze or sign up for our complimentary product Lock & Alert™.
For this to work, ‘word’ your links the right way.
Remember you needn’t be a grammar wiz to positively
write an effective article. Search engines look for keywords are generally being seached
for.
unsure. Many of the above messages are frightening. Freeze, unfreeze, be frozen.
I had a nasty few days trying to get my account unfrozen to buy a car. What have we come to?
Brian, I already have a freeze in place by way of a PIN, created when the data breach was first revealed.
Your take please on what Belli has written, above, before anyone here rushes headlong to the Equifax site, https://my.equifax.com/consumer-registration/UCSC/#/personal-info to create an account.
Is this a good idea or alarmist?
FWIW, checked with Qualys SSL Server Test, which gives the Equifax URL for this an A+
What happens once the next tens of millions to hundreds of millions of ‘same’ data victims are then credit victims–it’s on the orgs to protect “it’s-my (our)” data ‘at some point’.
Regardless of what you or I do, I know many people that haven’t and won’t implement a freeze on their own; I’d guesstimate most people don’t.
…………………………………………………………………
W43
November 4, 2018 at 5:06 pm
Is this a good idea or alarmist? “………………….
Hi W43 & everyone,
Please accept my apology if my previous post sounded “alarmist”. It is in a way, and honestly was also written in outright anger and astonishment.
I’ve learned (by actually going to both credit agencies’ websites and also by speaking to their online representatives) that I should be alarmed, angry and astonished.
So this all needs repeating, whether you live Stateside and/or overseas: if you’ve already had/ have a “credit freeze” in place—-and currently this is especially true if you live and have an address within one of the 50 U.S. States, then be PROACTIVE (just like with the IRS and SS Administration)—then please get your new myAccount created at both Equifax & TransUnion. Will these credit agencies abuse our creating an account with them? Probably so… But the current alternative (someone else creating an online account for you, nullifying your current existing credit freeze PIN number) is much worse.
NOTE: for those millions of Americans working & residing overseas with military and non-military, using APO/FPO addresses, it seems currently you all are out-of-luck with no ability to create a new account at either Equifax and/or TransUnion. Weirdly, due to this Equifax/TransUnion rollout of online-account creation ineptness, if you have an APO/FPO address, you are protected for the moment because your security PIN will still rule. Neither Equifax nor TansUnion has the ability to create an online account if you use the U.S.-official recognized APO/FPO address, which is what all overseas around-the-world working Americans do. No new online account can be created at either Equifax and/or TransUnion, thus for the moment you do not have to worry that a new online account, once created, would override your current existing credit freeze PIN and make it obsolete. This is not so, sadly, for everyone else living in the 50 United States.
This all just buggers the imagination: think about it: both Equifax and TransUnion could have easily had people (whether living in one of the 50 States and/or living overseas in the APO/FPO system), who have existing credit freezes & PINs in place, upon new-account creation could have required for that creation one last verified piece of info to actually create that new online account, your current, existing credit freeze PIN number. Did either Equifax and/or TransUnion do this? As noted previously, neither does ;-0
It makes one wonder how is that Experian is still requiring and asking for any previously-created credit freeze PIN number, for whatever you want to do at Experian, yet somehow Equifax and TransUnion are not. I am starting to think both Equifax and TrasnUnion don’t have a handle on all the credit freezes put into place, and it is so overwhelmed them that their answer to this data base mess for them is to put the onus of its (credit freezes and existing PINS) security back on you by forcing you to create an online account to setup, manage, freeze, unfreeze, etc.
Please, Mr. Krebs, something not right is going on here and needs to be brought to light. There are literally millions of people with existing credit freezes & PINs unaware what Equifax and/or TransUnion is trying to do.
Still hoping that Brian will offer his perspective on this.
Decided to create account anyway — several things to note:
Upon the account being created, one is taken to the following page (screenshot below), asking what action to take. One of the options is to place a freeze, and since I already have a freeze in place, I quit this page (note that in order to continue here a PIN will be sent by way of a pdf — which, since I quit that page, I declined. So I don’t have a new PIN, whatever that might be worth.
Not certain of this, but makes sense to not place a new freeze. The important thing is that now that an account has been created, it should not be possible (hopefully) for a malicious actor to login with stolen credentials and remove that freeze. Seems to me this should be sufficient, no need to continue with the actions page. Opinions on this?
Screenshot of actions page:
https://i.postimg.cc/G3FwWj67/Equifax-Action.jpg
Finally, several rather important things to take note of:
Qualys SSL Server Test (https://www.ssllabs.com/ssltest/) flags
the following account login URL as F rated. https://www.econsumer.equifax.com/otc/landing.ehtml?%5Estart=&companyName=login
No idea how or why that badly rated URL is provided (got it from a search), but not only is it rated F, it also asks for a user name, which is nowhere to be found or asked for when the account is first created — might be explained because it’s for an older account page, not tied to the current one. I tried with the email address I used for the account creation (suggested at that page), which it rejected with the message that either user name or password was incorrect. So probably not related to the current account setup.
But thinking that I inadvertently missed that user name, tried recovering it from the help URL provided at that dicey URL https://www.econsumer.equifax.com/otc/loginhelp.ehtml, which Qualys also gives an F.
So DO NOT use either of those 2 last URLS above, but checking with Virus Total, I’m seeing both of those URLs newly scanned as clean
To login as safely as possible ONLY USE https://my.equifax.com/membercenter/#/login (Qualys A+).
Always a good idea when sensitive information is being requested to check out it out with Qualys.
And note, since I wasn’t all that happy with those 2 F rated URLs, I decided to log back in to my newly created account and change the password, which is easily done.
Still hoping that Brian will offer his perspective on this.
Decided to create account anyway — several things to note:
Upon the account being created, one is taken to a page asking what action to take. One of the options is to place a freeze, and since I already have a freeze in place, I quit this page (note that in order to continue a PIN will be sent by way of a pdf — which, since I quit that page, I declined. So I don’t have a new PIN, whatever that might be worth. And, as far as I could see, no way to log out of the account once logged in. So to do that I just deleted all Equifax cookies.
Not 100% certain of this, but makes sense to not place a new freeze. The important thing is that now that an account has been created, it should not be possible (hopefully) for a malicious actor to login with stolen credentials and remove that freeze. Seems to me this should be sufficient, no need to continue with the actions page. Opinions on this?
Finally, several rather important things to take note of:
Qualys SSL Server Test (https://www.ssllabs.com/ssltest/) flags
the following account login URL as F rated. https://www.econsumer.equifax.com/otc/landing.ehtml?%5Estart=&companyName=login
No idea how or why that bad URL is provided (got it from a search), but not only is it rated F, it also asks for a user name, which is nowhere to be found or asked for when the account is first created. I tried with the email address I used for the account creation (suggested at that page), which it rejected with the message that either user name or password was incorrect.
Next, thinking that I inadvertently missed that user name, tried recovering it from the help URL provided at that dicey URL https://www.econsumer.equifax.com/otc/loginhelp.ehtml, which Qualys also gives an F.
So DO NOT use either of those 2 last URLS above
To login safely ONLY USE https://my.equifax.com/membercenter/#/login (Qualys A+).
Always a good idea when sensitive information is being requested to check out it out with Qualys.
And note, since I wasn’t all that happy with those 2 F rated URLs, I decided to log back in to my newly created account and change the password, which is easily done.
Unable to post new comment, posted already several hours ago. Contains several links–all rated clean by Virus Total. But needs to be evaluated for spam or malicious links first?
Your comment has been approved. Sometimes these things get auto-moderated when they have a ton of links. No need to submit more than once, please, thanks.
Sorry about the duplicate submissions. Reason was that I thought at least one of those links needed to be removed, and tried again with different settings (Ghostery, uBlockOrigin, etc. at my end, which I thought might be interfering.
Note in the FAQ’s about transitioning:
“…your Equifax credit report will be unlocked when your TrustedID Premier subscription expires. Also, if you enroll in the Experian IDnotify product, your TrustedID Premier product will cancel and your Equifax credit report will be unlocked.”
Source: https://www.trustedid.com/premier/faqs_notification_experian.php