March 8, 2019

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (TransUnion and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me to enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I had previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, I should be ready to provide said information if I was requesting changes via phone or email.

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).
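The two checks the account above found missing, a confirmation link that proves control of the inbox and a freeze PIN that the online channel actually demands, sketched as an added example. This is not Equifax's code or anything from the original post; the names `Account`, `issue_confirmation_token`, `confirm_email`, `activate` and `authorize_thaw`, the 24-hour link expiry and the five-guess lockout are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the client
TOKEN_TTL = 24 * 3600                 # assumption: confirmation links expire after 24 hours
MAX_PIN_FAILURES = 5                  # assumption: lock PIN entry after five wrong guesses


@dataclass
class Account:
    account_id: str
    email: str
    email_verified: bool = False
    pin_salt: bytes = b""
    pin_hash: bytes = b""             # empty when no freeze PIN was ever issued
    pin_failures: int = 0


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Numeric PINs are low entropy, so store a salted, stretched hash, not the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_freeze_pin(acct: Account, pin: str) -> None:
    acct.pin_salt = secrets.token_bytes(16)
    acct.pin_hash = _hash_pin(pin, acct.pin_salt)


def issue_confirmation_token(account_id: str, email: str, now: float) -> str:
    """Value embedded in the link mailed to `email`; only the inbox owner sees it."""
    payload = json.dumps([account_id, email.lower(), int(now) + TOKEN_TTL]).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def confirm_email(token: str, now: float):
    """Return (account_id, email) for an authentic, unexpired token, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:                # wrong shape, bad padding, non-ASCII input
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                   # forged or altered payload
    account_id, email, expires = json.loads(payload)
    if now > expires:
        return None
    return account_id, email


def activate(acct: Account, token: str, now: float) -> bool:
    """Mark the address verified only if the clicked token was issued for this account."""
    if confirm_email(token, now) == (acct.account_id, acct.email.lower()):
        acct.email_verified = True
    return acct.email_verified


def authorize_thaw(acct: Account, kba_passed: bool, supplied_pin):
    """Decide a freeze change. The quiz is one layer; it never replaces the PIN."""
    if not kba_passed:
        return False, "identity quiz failed"
    if not acct.email_verified:
        return False, "email address not confirmed"
    if not acct.pin_hash:
        return False, "no freeze PIN on file; route to manual verification"
    if acct.pin_failures >= MAX_PIN_FAILURES:
        return False, "PIN entry locked"
    if supplied_pin is None:
        return False, "freeze PIN required"
    if not hmac.compare_digest(_hash_pin(supplied_pin, acct.pin_salt), acct.pin_hash):
        acct.pin_failures += 1
        return False, "freeze PIN mismatch"
    acct.pin_failures = 0
    return True, "ok"
```

With this policy, passing the multiple-choice quiz and knowing an SSN and date of birth is not enough to thaw a file: the request is refused until the mailed link has been clicked and the previously issued PIN is supplied.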

Happily, I did discover that when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”

I asked Bistritz-Balkan what else besides a username and a password the company may have meant by “multi-factor;” I’m still waiting for clarification. But I did not experience anything like multi-factor in setting up or logging into my myEquifax account.

This may be closer to Equifax’s idea of multi-factor: The company told me that if I still really wanted to use my freeze PIN, I could always call their 800 number (800-349-9960) or make the request via mail. Never mind that if I’m a bad guy looking to hack others, I’m definitely going to be using the myEquifax Web site — not the options that make me have to supply a PIN.

Virtually the entire United States population in 2017 became eligible for free credit monitoring from Equifax following its 2017 breach. Credit monitoring can be useful for recovering from identity theft, but consumers should not expect these services to block new account fraud; the most they will likely do in this case is alert you after ID thieves have already opened new accounts in your name.

A credit freeze does not impact your ability to use any existing financial accounts you may have, including bank and credit/debit accounts. Nor will it protect you from fraud on those existing accounts. It is mainly a way to minimize the risk that someone may be able to create new accounts in your name.

If you haven’t done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer to one free copy of their credit report annually from each of the three credit bureaus — either all at once or spread out over the year.

Additional reading:

NYTimes, March 8, 2019: How Equifax Complicates a Simple Task: Freezing a Child’s Credit

The Register, March 8, 2019: Tech Security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal.

Equifax Investigation by Senate Homeland Security committee (.PDF, Sen. Carper).

Credit Freezes are Free: Let the Ice Age Begin

Plant Your Flag, Mark Your Territory

Experian Site Can Give Anyone Your Freeze PIN

Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Equifax Breach Fallout: Your Salary History

Data Broker Giants Hacked by ID Theft Service

Experian Sold Access to ID Theft Service


104 comments

  1. This is just unreal. I’ve had my freezes in place for 3 or 4 years, and have slept peacefully at night believing I was one of the informed and proactive that took the necessary steps to protect myself. Now this.

    Putting aside all the talk about regulations we need and the accountability necessary at the agencies, what is the best thing to do now? I assume call the agencies, confirm my freezes haven’t been lifted, and then create the online account to plant my flag? Is that the best we can do here?

    • Quick follow up question. I’m familiar with Winstonlaw in PA and Griffon Force in FL, but are there any companies out there that can essentially be a one stop shop for identity and credit data protection BEFORE an identity breach occurs? This latest news from Brian unravels for me what has obviously been a false sense of security with credit freezes. They may be better than nothing, but clearly my PIN and freeze is unacceptably vulnerable with equifax (and it seems at least one other). I’ve never utilized any of the credit monitoring services bc they all come into play after the damage has already commenced. But I would be very interested and happy to pay for a service which, for example, notified me by phone/text anytime someone attempted to lift an existing freeze, and offered meaningful protection to keep all identity and credit info secure BEFORE a breach occurs. Is there anything like that out there?

      • “But I would be very interested and happy to pay for a service which, for example, notified me by phone/text anytime someone attempted to lift an existing freeze, and offered meaningful protection to keep all identity and credit info secure BEFORE a breach occurs. Is there anything like that out there?”

        Any service like that not directly offered by one of the credit bureaus then raises the question of how trustworthy a third party would be. I don’t trust the credit bureaus as it is. Sending my personal information, contact information, and banking/brokerage/finance details to an unknown, opaque company seems even worse to me.

        Don’t forget, Lifelock wasn’t even able to protect its own CEO from identity theft!

    • *******************************************************
      Noreply
      March 8, 2019 at 9:45 pm
      This is just unreal. I’ve had my freezes in place for 3 or 4 years, and have slept peacefully at night believing I was one of the informed and proactive that took the necessary steps to protect myself. Now this.

      Putting aside all the talk about regulations we need and the accountability necessary at the agencies, what is the best thing to do now? I assume call the agencies, confirm my freezes haven’t been lifted, and then create the online account to plant my flag? Is that the best we can do here?
      *******************************************************

      Hi No Reply,

      You basically sum up what every one of us who’s read this latest posting from Brian. It also neatly ties into many of our posts from several months ago alerting Brian to what is going on with the “online” sign-up account push by the big 4 credit reporting agencies…it’s nice to see he experienced what many of us were trying to tell him about last October—this whole big push by Equifax, at least, started in late Sept 2018….and my jaw dropped realizing what they were doing….they simply lost database control over who had placed “phone” freezes and who “hadn’t”. This was their way around it, pushing the onus back onto consumers.

      Overall, I’m sure Brian feels the exact same anger and frustration we all do, realizing the endless circus going on ever since the 1st big breach (Equifax) was made public a few years ago (and the big U.S. gov’t OPM breaches).

      It seems, at the moment, all we can do is keep trying to stay on top of it all, and ultimately, hope for the best. This is horrible, yes, but it is what it is. Also, maybe doing some of these things help:

      1) Plant your flag online wherever it is important, as soon as you can. Brian’s archives of articles over the past two years about this is a great starting point.

      2) Despite this article today, please know, yes, credit freezes are still necessary and a good thing. It’s just that now you know how easy they are to circumvent.

      3) Approach life online like this; any thing you do online, do with a wary and jaundiced eye. Especially when it comes to surfing to sites you normally don’t go to. Downloading anything you normally don’t.
      Opening emails from that are not in a “sandbox” (sorry, I am a Linux user, and have been using “walled gardens” for years when it comes to anything email).

      4) As many have mentioned here in this forum, if you are offered for any kind of additional security on “any” type of account, even if it is a series of questions, then most definitely create off the wall, totally whacked-out responses to them that serve as passwords/answers. It’s better than standard answers and/or not doing anything

      5) If “any” site also offers 2fa, (especially for email), then it is a crime (and we are the criminal) for not utilizing & implementing it. There’s a reason things like Yubikey (which I’ve used for over 2 years now), which Google helped bring to the masses a few years ago (for free, outside of us buying the “key” itself, a trivial cost), are used. As of the moment, 2fa (like Yubikey) are too dam# hard to crack since it takes security level to a whole new plateau.

      6) If you’re not already, on all your devices, start using one of the big three Password Managers, and also start re-introducing paper and pencil (which, ironically, is now once again considered the gold standard for high level security when it comes to keep things “offline” and “safe”)

      7) Stop using your phone, Apple and/or Android, as a means of storing anything of significance. Also stop using (if possible and given the option) SMS, or being sent a 4-8 digit code, as a form of account verification/protection for anything in your digital life. Authenticators on the phone, which can be used offline, are great. But SMS? No. SMS is ridiculously unsafe, and given how 99% of the world’s SMS are built out, it will remain unsafe for another decade.

      8) Other things, like having a dedicated OS (at home) assigned to do only one thing, i.e., like handle only online banking, is another smart idea. Keep the OS clean (no installing anything), keep it updated, never allow the OS’s browser (no browser add-ons of any kind are allowed!) to ever go to any web site other than your online banking site(s). Connect only via network cable (no wifi), all other house machines should be off or unplugged from the network, and when finished doing your online banking business, completely/fully wipe all browser cache (of everything) & immediately close browser and then machine down. Try to limit any type of financial (and other sensitive transactions) done outside of the home, like on phones, tablets and/or laptops.

      There’s many, many other things we can do (too many to list here), but you get what all these (above) are driving at.

      Until the economic world begins demanding two things: end-to-end full encryption on every thing that travels across the wide open web, while also demanding that at a minimum that those “things travelling across the web” are occurring with full implementation of 2fa……….all we poor consumers can do is hunker down, focus on what “we” have control over, and hope that people like Brian (and others) keep bringing to light the very shoddy security practices of companies who have weaved themselves into the unpleasant fabric of making money off of our gathered-for-free our own personal histories and sold as an economic unit of value within the system.

      Public shame is a powerful thing in economics. It is just a question of how long it will take to build it up to a point where it begins to hold companies (like these credit reporting agencies) collective feet’ to the fire—-where they finally begin correcting it, or risk being penalized so badly that they are put down, for good. Put down from either better alternatives out there, or by the very hands (regulators) that have allowed them to sprout up & exist these past 50-60 years. They served a massively useful purpose after WWII, but nowadays, what they’ve morphed into given the environment that grew from the late 60s up till now, well, something’s gonna give.

  2. So far haven’t been able to continue past the point of solving the reCAPTCHA challenge. So thought it might be because uBlock was blocking something and found the following in the uBlock logger.

    https://ci-mpsnare.iovation.com/snare.js
    https://nexus.ensighten.com/equifax/us_ucsc_prod/Bootstrap.js

    After searching, found ~100:1 opinions against, that these were evil companies that fingerprint a specific device with something like an evercookie in conjunction with recording all of one’s browsing history to supposedly ID whether they are trustworthy or not. Their version of antifraud.

    Anyone know the real details?

  3. Ironically enough, I still have my original Social Security card that was given to my parents in 1958. It comes stapled to a ‘fact sheet’ called “Your Social Security Account Card”. The opening paragraph on the card states (and I quote): “Your card shows the number of your social security account. It is necessary to identify the account as belonging to you, but has no other purpose. The social security card should not be used for identification purposes.”

  4. I responded to the Equifax campaign to get more people to sign up for MyEquifax via the threat of unwanted credit thaw, and signed up myself.

  5. Yesterday, I tried to set up myEquifax account.
    Yesterday, I could not access myEquifax account. I called and was told that my identity needed to be verified by a supervisor. I would get a call back.
    Today I called, and with just my email and name I was granted access. Presumably, there was a glitch yesterday when I tried to set up myEquifax.
    I inquired how to set up stronger sign-in criteria like second factor authorization.
    That discussion went nowhere.

  6. themanwiththehat

    Just tried creating accounts for both myself and my wife. After the KBAs for myself it then said it would send a mailer (possibly because of my existing freeze?). My account does exist now, trying to log in it err’s and asks me to try again later. After the KBAs for my wife it straight up err’s asking me to try again later.

  7. I went through the MyEquifax registration process for two people. Both have existing credit freezes.

    For the first person, a newly established email address was submitted while for the second person, an existing email address was used. Neither person provided a mobile phone number.

    After completing the KBAs, both registrations ended with a message stating further details had to be sent via USPS. So we’ll see what happens once the snail mail arrives…(to be continued, sadly)

  8. Maybe I feel better now: I was never able to freeze my credit on Equifax (as an adult) in the first place; tried a couple of times online and never had success. Sent a letter, nothing happened. With that kind of reliability in a company that plays such a big part in the U.S. credit industry, I pretty much threw up my hands a long time ago.

  9. When I try to get my free report online once a year, Equifax makes me go through the KBA-based questions (three of the four answers are always ‘none of the above’ responses). After I answer perfectly, I’m told to mail in a manual request form instead. This has happened the last 3 years that I’ve tried to quickly get my free report from annualcreditreport.com. I’m so fed up with this stupid robot company that will easily risk my financial security so that it’s easier for prospective creditors to do business with me. Equifax makes money from creditors by trying to turn me into an eager, witless consumer. My file is frozen, but this article makes me nervous. If someone steals my ID, Equifax will ignore me like the stupid robot that it is. But, it may also offer me expensive programs to help monitor my credit in the future. The idiots will try a bit harder if I pay them? I hate credit bureaus!

  10. Just created my account using a newly created email address. No KBA. They knew my cell phone number and texted me a verification code. Done! Now all I need to lift my freeze is that email address (which they didn’t verify) and a password. Aaaaaaaaaarghhhhhhh! But they did send me a welcome email which confirms that “With your myEquifax account, you can conveniently place, temporarily lift, or remove your security freeze online without having to remember your PIN.”

  11. Bill – Very likely the reason you were asked to send your request for your annual report was that you did not answer the KBA questions correctly. Therefore, they could not properly identify you. (This has been my experience also.)
    I think while the KBA questions are being made obscure they are also being made to be slightly incorrect (and, therefore, useless).
    I got an email from Equifax a few days ago trying to sell me another of their (crap) services. It had a telephone number at the bottom supposedly for resolving questions or requesting assistance. Called it. Asked whether my account had been frozen as I had requested Equifax to do more than 6 months earlier. I am told, “well, let’s make sure you are who you say you are.” The KBA questions come out. “Have you ever had a bank loan?” “yes” “What bank?” Hmmm… In my life time (78 yrs.) I’ve probably had more than 3 dozen bank loans. WHAT TO ANSWER? Wasn’t able to identify myself. Was told to make copies of acceptable ID and send USPS. And, was given an email address so I could ask my question that way.
    My question? “is my Equifax account and that of my wife frozen?” Response: No answer. Nothing but links to the Equifax website where the only services offered are “Unfreeze temporarily” or “get a new account”? I got that response 3 times when asked directly, “Is my account frozen?” Then, of course, told to send copies of ID with a form asking my question. And, will inform admin of your problem!
    I have to conclude that either this idiot at the other end of the email address really had no idea what the answer to my question was and had no way to determine it OR Equifax has told employees not to supply that info in any form.
    AND…, Equifax wants to tend my financial information? No @#$%^&*ing way!!!

  12. Brian, my McAfee internet security is about to expire. I have a Dell PC and use Windows 10 which comes with some level of security I wonder if you have any advice on the kind of security that McAfee and others like them provide?

    • In general, you can get a much better deal trying something for the first time than you can renewing your current AV, which is how those companies make money. Pick another one, chances are the first year will be half price. Sophos, Malwarebytes, Eset, all worth trying, are pretty decent and not heavy on resources.

    • Brian is giving good advice, but please remember to run the McAfee Consumer Products Removal tool from their web site to clean out all the gunk they leave behind. Much of their leftovers will interfere with certain legitimate processes. Do this before getting a new AV product.

      Better yet, maybe the download at bleepingcomputer would be a better site, as they have better instructions on using the tool. Also the comments below the download button can be helpful.

  13. random numbers

    Called Equifax after signing up at myEquifax errored out. They still created my account with my PII but the logging in was not successful, presumably because of the KBA questions I didn’t answer correctly. They transferred me 5 times after I asked them to help me finish the signup process and the first 4 all said it’s none of their business. So I gave up and asked the last person to do a temporary thaw of my credit. Guess what! They only needed my PII and asking me several KBA questions before they can do the “unfreeze” of my docs, without asking my PIN for the thaw. So there you have it, by calling them to thaw your files, you don’t need your PIN either.

    We need to abolish the whole credit bureau industry and KBA industry. They have been doing too much damage to every one of us for a long time.

  14. I got a message saying to call them when I tried to create my account. I tried again without my VPN and it said I already had an account. When I try to login it says “We are temporarily unable to complete this request.” I was on the phone with them for half an hour and they transferred me 6 times, every time claiming they would send me to the correct department. Eventually they told me that the system was having issues and to try again tomorrow.

  15. What, no two factor authentication offered? This is 2019 folks.

    • For what do you need 2fA?

      The data doesn’t belong to you. You generate data for credit bureaus (by using banks, credit unions, obtaining or paying credit accounts, loans, mobile phones, electricity accounts, cable accounts, and store accounts), but that data doesn’t belong to you.

      The data belongs to the partnered institutions, banks, creditors, and credit bureaus. They share it, whether you like it or not.

      When a biographer gathers stories and public records about your life, he/she doesn’t need to give you secure access to his/her records.

      Similarly, when a credit bureau collects information about you, it doesn’t need to provide you with a secure portal to peek inside its files. It isn’t even required to verify your identity.

      That Equifax allows you to sit at a table and review any information they hold is required by law. But they don’t have to give you PINs or multifactor authentication or even a password.

      So why would they care?

      • Well, one reason I think falls into the category of “in Equifax’s own enlightened self-interest”:

        Because fantastically bungling clien- er, product access security was more or less what flipped the rule to “everyone gets free credit reporting now”.

        I’m sure it wasn’t the most horrendous loss they might have suffered from that, but it was an otherwise guaranteed revenue stream they now don’t have.

        • I’m sure some bean counter did the math and decided it’s not in their enlightened self-interest, just because extra security comes with higher telephone support costs.

          • Maybe. Honestly I go with Hanlon’s Razor on this one.

            Neglect isn’t typically planning. It’s more usually just neglect.

  16. It is impossible for me to create an account at “myequifax.com” (actually “my.equifax.com”) because on the page:

    https://my.equifax.com/consumer-registration/UCSC/#/personal-info

    There is a “recaptcha” box that requires javascript be enabled for an unidentified (and unidentifiable) site. Since I don’t enable javascript globally (it is enabled for equifax.com) and since the site domain name is hidden (totally) I can’t create an account.

  17. I’m assuming everyone knows about the flaw at Experian’s website that came to light last October. The flaw allowed security freeze PIN retrieval (for those who forgot their PIN) by responding “none of the above” to all the KBA questions. The flaw has since been fixed, according to Experian. The take home message was to assume your security freeze PIN at Experian was compromised and to change it. You might find this interesting. https://uspirg.org/resources/usp/letter-ftc-and-cfpb-re-experian-credit-freeze-security-issue

    I never got notified by Experian. Did you?

    Even without this flaw, I learned soon after the Equifax breach that it’s pretty easy to thaw your freeze without a PIN at Experian.

    Good luck seeking accountability from the credit bureaus. My experience dealing with all of them in the past led me to believe that they’re inept, dishonest, and/or lazy. I’ve gotten radically different responses to the same questions I asked depending on who I talked to, even just a day apart. And that’s at all three bureaus.

    It’s time to demand real and meaningful change.

  18. I have been trying for weeks to get a security freeze on Equifax after they cancelled TrustedID. I get same message – ‘Temporarily unable to complete request try later’. Originally gave phone number which didn’t work but now that is gone. Tried various options on their 800 numbers and all they say is ‘do it online’. Have tried Macs, PC’s iphone and ipad (from secure site) and all browsers but no luck. Anyone else had these problems?

  19. Sharing my experience from this morning with Equifax. I’ve read Brian’s article on this, which sounded alarm bells the likes of which I haven’t heard since my initial decision years ago to create a freeze with all of the agencies. I also read about the problems creating an account at myequifax. So here’s this morning’s work flow:

    1. Called equifax and waited to get to a live person.

    2. Answered their inexplicably-relied-upon KBQ’s to verify I’m me.

    3. Confirmed that my freeze is in place, has been in place since its creation, and has never ever been lifted/thawed.

    4. Told them their myequifax site was causing problems and I wanted to create an account but needed assistance. They transferred me to their online account assistance dept.

    5. A rep in that dept. verified me again, but this time only asking 2 painfully basic questions. The rep then asked for my email address. This, the rep said, would be my username at myequifax.com and could never be changed. I gave a dormant address that is not associated with any other accounts anywhere.

    6. They sent an email to that address that I then used to “change” my password (I never had one and they didn’t give me one). I created a complicated password 20 characters long.

    FYI…after the first rep confirmed my freeze was still in place, I spent some time with her asking the same question and line of inquiry at least 5 different ways. The essence of the inquiry was “can I lift my freeze via myequifax.com without providing the PIN previously assigned to me by equifax when I first created the freeze, but rather by answering verification-type questions about me?” The rep answered that, even at myequifax.com, you would still need a PIN to lift the freeze. This person obviously was unaware of the vulnerability at myequifax, but it was still surprising to hear her repeated assurances (again, I asked the same thing several times several different ways, including using hypothetical scenarios) that you still needed the PIN to lift/thaw the freeze via myequifax.com.

    To say that this whole thing is disturbing would be a masterpiece of English understatement. The old sense of security came from having the freeze itself. But now…? I feel like I’m standing on a street corner with my wallet in hand waiting for the thief to arrive.

  20. Credit freezes aren’t good for Equifax’s business model. Making it easier to un-freeze may be a way to discourage this pesky behavior.

  21. EDDIE GONZALEZ

    I wonder why these credit companies are allowed to continue operating. They lost all credibility since their reporting/performance fiasco of 2008.

    • Crooks for life

      Are you really asking this question?

      Have you met the USA?

      If you’re not a crook, you just haven’t been caught.

      The government isn’t going to stop a legit company from making millions for them in tax revenue. Hell, they probably hacked the info and sold it themselves to get some double, triple, quadruple dip action.

      Don’t be a fool, start fooling.

  22. Nothing is secure in life. Do you dissect each piece of food prior to taking a bite looking for specific ingredients even though a label clearly states what it’s made with?

    Nothing in life will ever be secure.

    You MUST BE O.C.D.

    Now perhaps instead of pointing out the obvious, everything in life is not secure, why not spend your crafty time coming up with a solution instead of offering up starting points for one’s new scheme.

    Your work is pointless if you can’t offer solutions to your major flaws you’ve magically discovered.

    If you’re worried about your credit, don’t use it & you will be safe from all the evil that will ever try to haunt you. Use only cash and never look back. Otherwise your credit is better off being a shark in a 10 gallon trash can trying not to go get shot by an Uzi.

    Yes we know our PII has been compromised.

    Nothing is secure.

    Customer friendly, easy access, computer illiteracy will never = security
    Even
    IT professional, government official and NSA will never equal secure.

    It’s known
    Won’t change
    And very repetitive

    Good luck in coming up with a solution, I’ll stay tuned to the next report about an insecure procedure that even you can’t fix but will belittle every last minuscule you come across.

    EVEN YOU WILL NEVER BE SECURE.

  23. If you want change, make them change.

    Stop worrying and sit back and relax.

    Don’t bother checking your credit but 1 time a year.

    Hopefully nothing bad happens but if it does you can guarantee that someone is going to have to pay for all the damage done. It won’t be the crook, it won’t be you, it will be the people feeding off your normal worried behavior, the lenders.

    Guaranteed you stop doing their work, they’ll start doing more by not only doing their work but will come up with solutions at no cost and better yet at their cost.

    Make them pay for their weak system that can be compromised at every point in every direction at every stop light from California to New York.

    You aren’t to blame.
    You aren’t to pay bc you’ve already paid in not only taxes but in interest fees.

    They must come up with a solution for the problems they are selling us.

    Take the bone back and let them bite the bullet for a change and bet just like with credit cards and EMV, a solution will be made.

  24. arosebyanyother

    Just a note, apparently TransUnion has a similar policy now and only requires a PIN if one is attempting to lift a freeze by phone. Their account recovery process (say for a ‘forgotten’ password) is also stupidly easy.

  25. In over a decade, I have never been able to get a free credit report from Equifax. The other two work though. Anyone else have this issue?

    • I’ve had issues checking my score. The security questions they ask are all about bank accounts and loans I don’t have and streets I’ve never lived on, so I fail every time. None of that stuff is on my actual credit report which I end up having them mail to me. Having it mailed is insecure in itself since the post office continuously puts my mail in the wrong box.

  26. I have LastPass set up to warn me before filling in insecure forms (preferences / advanced) and I received a warning on the Equifax site. I know sometimes these are false positives – but not always – does anyone know more about this and if it is safe to proceed?

    • Re: lastpass

      It could be my.equifax.com vs equifax.com. LastPass considers these to be different domains.

      I didn’t get an “unsafe” error, but it wouldn’t autofill creds from equifax.com to fill at my.equifax.com

  27. I am a freelance contractor. The staffing companies often run ‘background checks.’ Can anyone tell me if putting a ‘freeze’ on my credit will prevent those background checks from functioning properly?

    ———-
    A lot of those Knowledge Checks Answers (KCA) can be found at FamilyTreeNow dot com. Look it up in the news and be sure to opt out for your name and every family member’s name. It provides a list of current and historic addresses people live at.

    As a goof to a friend of mine, I used it to find my friend’s address then I went to RedFin to find out what the inside of his very expensive home looked like (when it was listed for sale before his purchase). I then was able to look up and find his mortgage company and exactly how much his mortgage is and I was able to do simple math and find his down payment. Those are all KCAs that the credit reporting companies use.