March 8, 2019

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (Trans Union and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me to enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I had previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, I should be ready to provide that PIN if I was requesting changes via phone or email.

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).
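The two controls the preceding paragraphs find missing at myEquifax are (a) proving the registrant actually controls the e-mail address before the account goes live, and (b) requiring the previously issued freeze PIN before a thaw. The following is an added illustration written for this page, not Equifax’s code and not a description of how myEquifax works: a small, self-contained Python account/freeze model with a single-use, expiring activation token and a salted-hash PIN check on thaw. All names (`ACCOUNTS`, `register_freeze`, `thaw`, the example addresses) are hypothetical, and the weak `thaw_without_pin` function is included only to contrast the behaviour the article describes with the hardened one.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for this example (hypothetical; not Equifax's system).
ACCOUNTS = {}          # email -> account record
PENDING_TOKENS = {}    # activation token -> (email, expiry timestamp)
TOKEN_TTL = 3600       # activation links are valid for one hour


def _hash_pin(pin, salt):
    # Store the freeze PIN only as a salted PBKDF2 hash, so a database leak
    # does not hand an attacker every customer's PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def register_freeze(email, pin):
    """Create a frozen credit file whose PIN is stored as a salted hash.
    The web account is NOT usable until the e-mail address is confirmed."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {
        "activated": False,
        "frozen": True,
        "pin_salt": salt,
        "pin_hash": _hash_pin(pin, salt),
    }


def start_activation(email, now=None):
    """Issue a single-use, expiring token. In a real deployment the token would
    only ever leave the server inside the confirmation e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[token] = (email, now + TOKEN_TTL)
    return token


def confirm_activation(token, now=None):
    """Activate the account only if the exact token comes back, unexpired.
    pop() makes the token single-use: a replayed link is rejected."""
    now = time.time() if now is None else now
    entry = PENDING_TOKENS.pop(token, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["activated"] = True
    return True


def is_frozen(email):
    return ACCOUNTS[email]["frozen"]


def thaw(email, supplied_pin):
    """Hardened thaw: requires an activated account AND the pre-existing PIN."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["activated"]:
        return False
    actual = _hash_pin(supplied_pin, acct["pin_salt"])
    # Constant-time comparison so timing does not leak how much of the hash matched.
    if not hmac.compare_digest(acct["pin_hash"], actual):
        return False
    acct["frozen"] = False
    return True


def thaw_without_pin(email):
    """The weak flow the article describes: possession of a web account is
    treated as sufficient to lift the freeze. Shown for contrast only."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["activated"]:
        return False
    acct["frozen"] = False
    return True


if __name__ == "__main__":
    register_freeze("alice@example.invalid", "123456")   # constructed sample
    link_token = start_activation("alice@example.invalid")
    print("thaw before confirming e-mail:", thaw("alice@example.invalid", "123456"))
    print("activation:", confirm_activation(link_token))
    print("thaw with wrong PIN:", thaw("alice@example.invalid", "000000"))
    print("thaw with right PIN:", thaw("alice@example.invalid", "123456"))
```

The design point is that the PIN hash is checked on every thaw regardless of how the session was established, and that the account is inert until the confirmation token issued to the mailbox is returned, so neither a guessed KBA quiz nor a typo’d or attacker-chosen e-mail address is enough on its own.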

Happily, I did discover that when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”

I asked Bistritz-Balkan what else besides a username and a password the company may have meant by “multi-factor;” I’m still waiting for clarification. But I did not experience anything like multi-factor in setting up or logging into my myEquifax account.

This may be closer to Equifax’s idea of multi-factor: The company told me that if I still really wanted to use my freeze PIN, I could always call their 800 number (800-349-9960) or make the request via mail. Never mind that if I’m a bad guy looking to hack others, I’m definitely going to be using the myEquifax Web site — not the options that make me have to supply a PIN.

Virtually the entire United States population in 2017 became eligible for free credit monitoring from Equifax following its 2017 breach. Credit monitoring can be useful for recovering from identity theft, but consumers should not expect these services to block new account fraud; the most they will likely do in this case is alert you after ID thieves have already opened new accounts in your name.

A credit freeze does not impact your ability to use any existing financial accounts you may have, including bank and credit/debit accounts. Nor will it protect you from fraud on those existing accounts. It is mainly a way to minimize the risk that someone may be able to create new accounts in your name.

If you haven’t done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer to one free copy of their credit report annually from each of the three credit bureaus — either all at once or spread out over the year.

Additional reading:

NYTimes, March 8, 2019: How Equifax Complicates a Simple Task: Freezing a Child’s Credit

The Register, March 8, 2019: Tech Security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal.

Equifax Investigation by Senate Homeland Security committee (.PDF, Sen. Carper).

Credit Freezes are Free: Let the Ice Age Begin

Plant Your Flag, Mark Your Territory

Experian Site Can Give Anyone Your Freeze PIN

Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Equifax Breach Fallout: Your Salary History

Data Broker Giants Hacked by ID Theft Service

Experian Sold Access to ID Theft Service

104 thoughts on “MyEquifax.com Bypasses Credit Freeze PIN”

  1. Techvet

    “This may be closer to Equifax’s idea of multi-factor…” It sure sounds like it.

    1. ChrisSuperPogi

      “I asked Bistritz-Balkan what else besides a username and a password the company may have meant by “multi-factor;” I’m still waiting for clarification. ”

      Do I hear chirping crickets?

      1. SeymourB

        It wasn’t on the bullet point list she was provided of approved talking points.

  2. treFunny

    Let’s just all crash our credit scores and return to the gold std… who’s in?

    I will bring the kool-aid and matching nike gear…

  3. Ryan

    Interesting because when I try to log in, I get a generic message that, every time I contact them, they say is by design due to ‘system maintenance’ and I must call them.

  4. Belli H.

    Well, finally, we have open confirmation of what many of us were finding out months ago (and posting here about) about myEquifax.com setup and authenticating. Thank you, Brian, for finally getting this out there. Every avenue screaming about this is the only thing Equifax will seem to listen to, as they repeatedly avoided facing it when presented with the problem several months ago.

    As the saying goes, as with everything nowadays (Social Security, etc,etc) plant your flag at Equifax as soon as you can.

    Unfortunately, there’s one of the other big four (credit reporting agencies) that has this exact same problem with their online account setup (if you’ve an existing PIN already in place). Not sure why they are not being discussed here, but hopefully they will soon.

    Thankfully the other two of the credit reporting agencies will still protect you if you already have had a numerical PIN set up (in other words, in an online new account setup, the existing PIN cannot be changed as that very PIN will be required to set up the account in the first place & also for initiating a new freeze PIN).

  5. Dariusz

    Minute ago created account and instead of allowing me to “Place or Manage” security freeze, I see this:

    A CRC image Equifax Secure Site
    Additional Information Required

    We’re sorry. We can’t process your Equifax security freeze request online, because we need additional address or identification information. To help us process your request, please click here to see instructions and a link to required information.

    1. Derek

      What did they say when you contacted them? I just experienced this too…

  6. Kelvin

    God, Equifax is terrible.

    I signed up for the site, thanks for the heads-up as always.

    1. acorn

      “terrible” …”heads up”

      Awaiting version like 3 (heads up) of their freeze management portal, maybe even a third domain name in the tradition of Equifax’s terrible data management…”MessedUpMy.Equifax.com”. “We want to assure you that at Equifax we take our responsibility to protect personal data very seriously.”™

  7. Shirley

    I found it too easy to thaw my credit with Transunion as they never required my PIN…just KBA questions. Thankfully the free Credit Karma alerted me to the thaw so if/when a fraudster were to do this I would be alerted. Consumers like me are trying so hard to listen to you and freeze our credit but there’s always a loophole somewhere for the fraudsters and it always seems to be for the benefit of the bureaus!!

  8. Dan

    I’m able to login to myEquifax and confirm the freeze I placed a long time ago (thanks, Brian!) is still in effect.

    But there is no option to setup MFA on the account.

    Not owning my PII is very frustrating.

    The US really needs a version of GDPR.

  9. Barry Hansen

    It looks so simple when it is laid out step by step like this.
    Why does Equifax think this is okay?
    At what point does this become criminal negligence on their part?

    1. JimV

      IMHO, that point was passed some time ago…

  10. Mike

    It looks like both Equifax AND TransUnion no longer require PINs to unfreeze online. You only need an online account with them.

    I noticed that Experian has this text show up when hovering over the question mark next to “Do you remember your personal identification number (PIN)?” on the freeze remove page here: https://www.experian.com/ncaconline/removefreeze

    “After you place a security freeze on your report, a PIN is needed to remove the freeze from your credit file. If you do not remember your PIN, you may still remove a security freeze on this site by next answering a few questions verifying your identity.”

    Really? What’s the point of having a PIN if it can be bypassed by KBA questions?

  11. Jon

    I just signed up – I entered my mobile (I don’t recall if it was required or not) and it did require an SMS PIN to set up the account. It did not verify that I already had an account/PIN, however after I logged in and went to “place or manage a freeze” my options were to temporarily lift or permanently remove the freeze I had in place (on the same portal page I’ve used before with my PIN.)

    However, now that my account is set up it only requires username/password to sign in. I haven’t found an option yet to enable MFA. Ridiculous. I’m calling them now.

  12. kathryn salazar

    Yes, much still to be done there, starting with the leadership! I was thoroughly taken aback by the CEO’s assertions they hadn’t failed at all by being breached; rather they had done everything right by putting people, process and technology in place.

    Hmmm, they didn’t use a patching process, people. And of course they were all piling into the market selling their stock before announcing the breach, former C-level execs.

  13. Mike

    It looks like both Equifax AND TransUnion no longer require PINs to unfreeze online. You only need an online account with them. You can’t even use long passwords on these sites. Equifax maximum is 20 characters and TransUnion maximum is 15 characters.

    I noticed that Experian has this text show up when hovering over the question mark next to “Do you remember your personal identification number (PIN)?” on the freeze remove page here: https://www.experian.com/ncaconline/removefreeze

    “After you place a security freeze on your report, a PIN is needed to remove the freeze from your credit file. If you do not remember your PIN, you may still remove a security freeze on this site by next answering a few questions verifying your identity.”

    Really? What’s the point of having a PIN if it can be bypassed by KBA questions?

  14. Jon

    So I called Equifax and their official position (at least according to their support group) confirms what Dan posted earlier, no MFA. The rep also stated that there are no plans for MyEquifax.com to have an MFA option as “a username and password is sufficient”.

    I called their corporate office and tried to speak to someone but got sent to “customer care”, even though I’m just a data point and not a customer, by their own definition. I guess my only recourse is to opt into a lawsuit. Fortunately there are many, see “Legal Proceedings” section in their most recent 10-K filing.

    1. Long Dong Silver

      “The rep also stated that there are no plans for MyEquifax.com to have an MFA option as ‘a username and password is sufficient’”

      Face…palm. What is going to be their excuse the next time they get breached? MFA is not perfect, but it most definitely can help with BEC and phishing. All it takes is the wrong person to find out they don’t use–or worse, don’t plan to use–MFA. This reminds me of the wise words from the “Frickin’ Fricks” kid: “When will you learn? When will you learn… THAT YOUR ACTIONS HAVE CONSEQUENCES!!!”

  15. bjm

    We are temporarily unable to complete this request.
    Please try again later.

    1. bjm

      Well, I called Equifax to ask why I could not process my request for myEquifax account.
      “We are temporarily unable to complete this request.
      Please try again later.”
      I satisfied Equifax security questions… but, could not recall the month n’ day of my Security Freeze.
      So, waiting for call back from Supervisor. I’ve since found the Equifax letter re my Freeze.

  16. Martin

    Thanks so much for your valuable info for us. I just reviewed your info, and I will try to verify my acct.

    We hate these 3 or 4 credit agencies……a bureaucratic nightmare.

  17. Dennis

    C’mon, Brian, admit it, the battle is lost. You can’t expect anything serious from a dummy company like Equifax. What makes you think that they can manage our data securely if they don’t understand the basic concept of multi-factor authentication? I can guarantee that that lady means those knowledge-based answers as MFA. Plus, even if you created your account, how sure are you that someone wouldn’t be able to reset it with those KBA again?

    PS. It reminds me of another dummy company – PayPal. When you set up 2FA on their site (over SMS, but oh well, still a form of 2FA) but then try to log in only to see a “helpful” link below that reads, “oh, you can’t access your phone, try using secret question instead.” And at that point you just know that the company doesn’t understand security and you do a face palm and move on with your day.

  18. anonymous

    I’m glad you wrote about this. I was shocked a couple of months ago when I went to temporarily lift the freeze. I had retrieved my PIN and was ready to have to enter it, only to find out I didn’t need it, which means the PIN is completely useless.

  19. Ben

    Why is this company still in business? Why have our elected leaders taken no action to punish them for this breach? Still no move by any agency to replace SSN?
    I just applied for a home loan and needed to unfreeze accounts. Transunion and Experian were dead simple using the info created when I locked them. With Equifax I had to go through this same song and dance described here. I so hate this company, and am vocal about it with the banks that still use these idiots — why not just go with Transunion and Experian?

  20. Freeman

    This is terrific!
    /sarcasm

    When the Equifax gateway fails, prompts you to have a verification code emailed to you, then instructs you to telephone their Customer Service . . . . . wait for it . . . . . . you’re speaking with someone in a Call Center, in the Philippines.

    Nothing but the best when it comes to protecting your data.

    1. bjm

      Yes, that was just my experience. I just gave my personally identifiable information to who knows who. I must be crazy.

  21. jeff otterson

    That website is useless. It cannot tell you the one simple thing you want to know — is there a freeze on my record?

  22. Bill

    I have an Equifax acct, dating back to the breach, but it doesn’t work for MyEquifax. Actually, that’s good news. So I created that acct. It played out exactly as Brian described, including the same four KBA questions (different answers, obviously). At least I had to create my own password. Since I preemptively created an acct, that should slow down ID thieves. But if they manage to steal my email and password, not uncommon these days, they are in. Equifax doesn’t even let you create a unique userid; they force you to use your email, so thieves have half the info they need.
    Sadly, there’s no way to force Equifax, or any other custodian of your PII, to establish meaningful security rules. A little bit of inconvenience is a lot better than a stolen ID. Only Congress or perhaps the oversight agencies have any power in this regard, and nothing is likely to happen in those arenas, for all the usual reasons.

  23. SirUgh

    This is so distressing!

    It seems like as of late the worst-handled web designs affecting the public are in Georgia, USA. What’s going on down there, y’all?!

    (1) Equifax is in Georgia. And the GOP congress passed a law limiting suits against Equifax.

    (2) Apex Human Capital Management online payroll services, as reported here on KrebsOnSecurity, is a Georgia company. They were slammed with ransomware and paid it to keep their customers’ payroll moving along. Who’d want to keep payroll at a company that’s infested?

    (3) “…flaw common to websites designed by the Atlanta firm SEDC…” that creates websites that store passwords in plaintext and emails them for password resets. (Slashdot)

    Let’s send General Sherman down there again, posthaste.

  24. dcmargo54

    Thank you yet again Brian. I never would have known about this account or process if not for your reporting. Was able to create my account, though it took about ten tries for the account creation button to activate after completing the captcha. No 2FA, but it did require I have an SMS sent to my phone to complete the process.

  25. Liz

    Anyone feeling like Sisyphus about now? Just when we think we’ve put in place some small measure of protection to safeguard our sensitive personal and financial information, the credit bureaus bulldoze that boulder downhill and, if we’re lucky enough to jump out of the way and not get squished, we have to start pushing that boulder uphill again. It will never end. Why? We all know the reasons. The credit bureaus don’t have a keen interest in safeguarding our information. WE are not their customers. We’re just data that they’re monetizing.

    Call me cynical, but security freezes bite into their profits by creating a cumbersome process. Freezes impede their ability to quickly and efficiently sell our information, so there’s plenty of incentive to facilitate an easy thaw. Wasn’t their offer of free “credit locks” as an alternative to security freezes the bureaus way of steering consumers away from freezes because freezes come with more regulatory strings than credit locks (as far as how the bureaus can use and sell our data)? These credit bureaus are also heavily in the credit monitoring business, so there’s another incentive to perpetuate an insecure environment. Boy, what a great business model! Create the problems and sell the fixes for those problems.

    If anything is going to change, it will have to be forced on them through regulations that are actually enforced. Do I think Congress will enact laws with some teeth? After witnessing the post-Equifax Congressional hand-wringing followed by inaction, maybe not. But consumers have a better chance pushing for reform there than wasting time dealing with the credit bureaus.

    As for creating an account with Equifax or the other bureaus, weren’t some or all of their portals compromised within the last few years, resulting in exposed consumer information? I don’t think Equifax was alone, just the biggest. I recall that even LifeLock was breached, which I thought was ironic considering they’re a credit monitoring company.

    So is it safer to create an account that might get compromised due to security flaws in their website or lack of 2FA, or to forego creating an account and risk getting targeted individually by identify thieves? Any thoughts?

  26. corinna

    I can’t even sign in to my Equifax account; it says it’s not working, try again later.

  27. Steve

    We need a law which makes using SSN for anything outside of tax forms/needs illegal.

    We also need a law which makes it impossible for someone to open a financial-related account online using trivial-to-know data.

    I go out of my way never to use email when dealing with any financial institutions. Everything is done on paper. Call me old fashioned, but after working as a programmer and security consultant for decades, there’s no way I’d send sensitive data over the internet using the default encryption provided.

Comments are closed.