Is the Equifax cure worse than the hack? Here’s what I plan to do…

Ouch.  Equifax failed to properly secure private data concerning 143 million US consumers.  Hackers may have gotten our names, Social Security numbers, birth dates, addresses and driver’s license numbers.  That’s pretty much everything they need to pull off identity theft at a scale never before seen.  Oh, and they may have gotten credit card numbers for 209,000 people too.

Plenty has been written about how poorly Equifax has handled this situation, so I won’t elaborate (much) on that.  The important question is:  What can you do to protect yourself?

Yesterday I published Equifax’s suggested solution.  When you browse to the Equifax website, you’ll see a notice stating: “Equifax Cybersecurity Incident: To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring, click here.”

Equifax Cure

If you click the “click here” link on the Equifax site, you’ll be taken to www.equifaxsecurity2017.com. Is that a legitimate site? Is that site safe from hacking? P.S. I think it is hilarious that they named the site equifaxsecurity2017. They’re clearly preparing for the inevitable equifaxsecurity2018 and equifaxsecurity2019 mishaps.

Problems with the Equifax Cure (www.equifaxsecurity2017.com)

If you click the “click here” link on the Equifax site, you’ll be taken to www.equifaxsecurity2017.com.  There, you’ll have the opportunity to check whether your personal information was potentially impacted.  You can also join the waiting list for free identity protection through TrustedID Premier.

According to the equifaxsecurity2017 website, TrustedID Premier will provide the following services:

  • Equifax credit report
  • 3 Bureau credit file monitoring: Credit file monitoring and automated alerts of key changes to your Equifax, Experian and TransUnion credit files
  • Equifax Credit Report Lock: Allows you to prevent access to your Equifax credit report by third parties, with certain exceptions.
  • Social Security Number Monitoring: Searches suspicious web sites for your Social Security number.
  • $1M Identity Theft Insurance: Up to $1 million in ID theft insurance. Helps pay for certain out-of-pocket expenses in the event you are a victim of identity theft.

To sign up for TrustedID Premier, you first have to check if your information was impacted.  Then, regardless of the answer (which they don’t always show you anyway!), you can click a button which will give you a date when you can really sign up.

The site states the following:

To determine if your personal information may have been impacted by this incident, please follow the below steps:

  1. Click on the below link, “Check Potential Impact,” and provide your last name and the last six digits of your Social Security number.
  2. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident.
  3. Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date. You should return to this site and follow the “How do I enroll?” instructions below on or after that date to continue the enrollment and activation process. The enrollment period ends on Tuesday, November 21, 2017.

So, in order to check if you were impacted and/or to get free credit protection through TrustedID Premier, you have to trust this sketchy site with your last name and last 6 digits of your SSN.

Surely Equifax properly secured this equifaxsecurity2017.com website, right?  Maybe not…

Ars Technica has this to say about equifaxsecurity2017.com (hat tip Barry):

…the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.
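The point in the quote above, that the domain is not registered to Equifax and is formatted like a phishing name, is the same judgment an allowlist-based filter makes. The following is an added example, not code from this post, Ars Technica or Equifax; OWNED_DOMAINS, BRAND_TOKENS and the function names are assumptions, and the last hostname in the sample list is constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one domain users already associate with the company.
OWNED_DOMAINS = {"equifax.com"}
# Brand strings that a lookalike host would embed to appear official.
BRAND_TOKENS = {"equifax"}


def hostname_of(url_or_host: str) -> str:
    """Accept a bare host or a full URL and return the lowercased hostname."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(text).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the last two labels of the host.

    Simplification: production code should consult the Public Suffix List,
    because suffixes such as co.uk span more than one label.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url_or_host: str) -> str:
    """Classify a host as 'owned', 'brand-lookalike' or 'unrelated'."""
    host = hostname_of(url_or_host)
    if registrable_domain(host) in OWNED_DOMAINS:
        return "owned"
    # The brand appears in the name, but the registrable domain is not one
    # the company is known to own. A filter cannot tell this apart from phishing.
    if any(token in host for token in BRAND_TOKENS):
        return "brand-lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [
        "https://www.freeze.equifax.com/",      # subdomain of the known domain
        "www.equifaxsecurity2017.com",          # the breach-response site
        "https://trustedidpremier.com/",        # separate brand, unverifiable by name
        "equifax.com.account-check.example",    # constructed: brand used as a subdomain
    ]
    for sample in samples:
        print(f"{classify(sample):16} {sample}")
```

Hosting the response pages under a subdomain of equifax.com would have put them in the "owned" class, which is the only class a user or filter can verify from the name alone.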

Waive your right to class action?

UPDATE: Equifax has updated the TrustedID terms. They’ve removed the paragraph shown below so this is no longer an issue.

Many have pointed out that when you enroll in TrustedID you waive the right to participate in class action arbitration or lawsuits according to the TrustedID Premier terms (found here).  Here’s a snippet:

This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.

I’m hoping that our own king of arbitration, The Fine Print author Alex Bachuwa, will weigh in on whether or not such a clause is really binding.  Until then, you’re not bound yet…

When you click the button to enroll on the equifaxsecurity2017 website, you’re not actually enrolling at that time.  Instead, Equifax is stupidly just giving you a date in the future on which you can enroll.  It is then and only then that you would be accepting the terms shown above.  Plus, I’m sure that you’ll have to enter much more private info in order to sign up.  So, that’s great (ha).

Free alternatives

Most of the protections offered by TrustedID Premier can be achieved for free elsewhere:

The AAA Alternative

As I’ve reported before, AAA offers free credit protection services to many members.  Details vary by location.  Some AAA members get nothing, but most can sign up for ProtectMyID Essential for free.  Some members (such as those in some areas within California) get ProtectMyID Deluxe for free.  Here’s a chart showing what’s covered (image taken from AAA Michigan website. Details may vary):

See this post for more details: Free Experian Credit Monitoring with AAA membership (for many).

Other Paid Alternatives

Plenty of companies offer identity theft protection services.  Are they any good?  Are they worth paying for?  I have no idea.  I’ve never looked into them. If you have experience, please comment below.

And, for the love of all that is good, please NEVER click through a pop-up on your computer that claims that you’ve been hacked and that they’ll protect you.  I promise, they’ll do the opposite.

My Approach

My wife and I are already covered for most of this stuff:

  • Equifax credit report: We can get details from our Equifax reports whenever we want from CreditKarma and other free tools.  We also request our annual free credit reports every now and then in order to have an electronic point-in-time copy that we can refer to.
  • 3 Bureau credit file monitoring: We use Mint.com to monitor Equifax, CreditKarma for TransUnion, and ProtectMyID (free from AAA) for Experian.
  • Equifax Credit Report Lock: I don’t really want to lock our reports. This would make new credit card signups more difficult.  Instead I’ll rely on monitoring.
  • Social Security Number Monitoring: My wife and I have Discover cards, so we’re covered.
  • $1M Identity Theft Insurance: I signed us up for Civic, so we’re good to go.

Overall, I feel good about our coverage.  So, with respect to Equifax’s TrustedID Premier, I’m going to wait before signing up.  I’d like to see what internet security experts have to say about the service and what Alex Bachuwa and other legal experts have to say about the arbitration clause.

What do you think?  What will you do?  Comment below.

About Greg The Frequent Miler

Greg is the owner, founder, and primary author of the Frequent Miler. He earns millions of points and miles each year, mostly without flying, and dedicates this blog to teaching others how to do the same.

Comments

  1. In addition many (not all) homeowners insurance policies now provide id theft coverage although it is usually reactive. Also many credit card accounts provide some of the items you mention like Chase, Barclay, etc.
    The biggest problem with not agreeing with the right to sue Equifax is if this goes to a class action situation there will be 143 million people plus a bunch of attorneys so the payout will likely be very low. Maybe you get $10, $20, etc.

  2. What a sh1tshow gg Equifax lol more than 1 out of 3 american are affected by this hack. (basically me and all the churners I know are affected but we’re maxed out anyways so good luck to the hackers to try to apply for anything lol)

      • This. They aren’t going to bother to try and deduce real SS# from 6 digits when they’ve gotten 143 million legit SS# already.

      • Greg,

        Speaking of security, I would not sign up for any credit monitoring from Equifax since it requires an account which allows for one’s password to be reset really, really easily. I won’t elaborate here, but suffice to say, I discovered I have an account with Equifax from a credit monitoring service I cancelled years ago. They don’t use double authentication, and the security questions look like the early days of the internet. One way to deal with the bogus security question is to make the answer completely unrelated to the question (hence it’s really just a second password). They really don’t know what they’re doing at Equifax wrt security. I wish I could cancel my “account” with no services active, but it’s impossible to even talk to them.

  3. I’m affected and am definitely looking forward to joining the massive class action (not signing up for their BS credit monitoring) that’s sure to come. Security is a joke with all of these companies. This just proves that even the companies that peddle credit score nonsense and make billions off of it can’t even secure their own reason for existing.

    • The problem is that only the lawyers see significant money in a class action lawsuit. I want them punished though so I might hold out and join the CAL and get my $1.43 check when it is finally settled.

  4. I already had a freeze on all my credit reports. Could the hackers have stolen my PIN to unfreeze the reports? If I freeze all credit reports, am I still in danger from the hacker?

  5. I love Equifax’s statement: “The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” Phew. So the hackers got my name, address, SSN, DoB and maybe credit card numbers, but at least they don’t know my credit score or whether I am over 5/24!!!!! So relieved!!

  6. “And, for the love of all that is good, please NEVER click through a pop-up on your computer that claims that you’ve been hacked and that they’ll protect you. I promise, they’ll do the opposite.”

    That paragraph makes me feel like an idiot. I clicked through from YOUR link because YOU linked to it yesterday and said you used it. I wish you had not posted that without more research. I feel let down.

    • I’m really sorry about that. I provided those links because they came directly from the Equifax home page. That’s very different from a phishing pop-up that may be inserted by malware or malvertising. Once I learned about the issues with the security website, I posted this new article as quickly as I could (and added a warning to the previous post)

      I think it is very unlikely that any damage was done, but of course it’s better to be safe than sorry.

  7. I learned that I MAY have been impacted. That is useless – I knew that before I checked. Breaches happen, but for Equifax to get hacked and then within a week of the hack 3 execs sell million$ in stock. They have got to go, and without golden parachutes.

  8. Seems this dark cloud may have a silver lining…

    When the hackers start doing identity theft with the information they obtained we can all apply for new social security numbers. Then we can all cancel our old AMEX cards and apply for the same AMEX cards using the new social security numbers and get a second AMEX sign on bonus! That should drive all the AMEX RATs crazy.

    • Are you serious about being able to get a new SS#? That may actually put an end to this ID theft madness, like what’s the use of stealing a SS# when it can be replaced?

  9. I have been the victim of identity theft multiple times. This is only the latest breach that my information has been stolen. There is no way for me to scrub the dark web of my SSN and so I have adopted a different tactic. I keep all my bureaus frozen all the time. This will not affect your credit score. When you initiate a freeze you will receive a PIN that you should secure in a password safe or some other reliable tool. When you know a hard pull will be initiated for an application you just need to login to the freeze web site and perform a lift. This takes less than 5 minutes if you have your login information and PIN handy. The nice part is that you can say how long the lift should last (24 hours, 3 days, etc…). After the expiry the bureaus are frozen again. Most of the time I only have to lift from TransUnion. The lift is instantaneous. I have applied for a card over the phone and performed the lift with the rep listening. It is that fast. Freezes are not fool proof, but they are better than monitoring. Monitoring just lets you know that another bad thing has happened to you that you now have to spend even more time cleaning up. Freezing the bureaus actually prevents credit being opened in your name.

    Freeze URLs:
    https://www.experian.com/freeze/center.html
    https://www.freeze.equifax.com/
    https://freeze.transunion.com/

    • you should probably mention that there is a fee every time you want your freeze temporarily lifted with one credit bureau, unless you are already a victim of ID theft.

      • I believe it depends on the State. For example, in TN, the costs are:
        $7.50 to turn the freeze on. Costs nothing to temporarily unfreeze and costs $5.00 to permanently unfreeze.

        If I read that all correctly from Experian’s website…

  10. Isn’t it about time for them to require 2-factor authentication for credit inquiries, if they’re not going to stop using the data which has been leaked in this and many other hacks/breaches? We register ahead of time with the credit agency and when a new request is made, it could send a text or app notification or email or phone call with a time-limited code that can then unlock the credit report request at the time of request.

  11. In the FAQ on their site, it says:

    2). NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
    In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.

    Does that mean even if you enroll in their program we can still be part of the class action without arbitration?

    • The trouble is (as I understand it) the “Terms of Service” agreement is an actual contract whereas the FAQ statement is of the form “we promise…..trust us”. So, it really is not known if you are foregoing your rights to join the CAL by accepting the terms of service, until it is challenged in court or the terms are amended.

  12. DISCOVER becomes the beneficiary of the hack because of the free monitoring they provide.
    It’s a simple fix to lock down all other credit cards to prevent unauthorized use.
    I will and I appreciate the extra security, but then suspicion of ulterior motive haunts the hack

  13. If I went through on the trustedID site and went through the enrollment process and then received the final enrollment/activation email but never clicked the link in the email to finalize my enrollment. Am I safe from giving up my rights to join the class action lawsuit or do I still have to do a handwritten letter within 30 days?

  14. Not sure if any of you have freeze credit on Equifax. The PIN number is really secure ;-). It is the date and timestamp. e.g. 0909170925 (Sept 9 2017, 09:25).

    • Yep! Isn’t that special…. Everything about this company screams amateur. It’s worth noting that Equifax’s Chief Security Officer’s Masters degree is in music composition, so they have that going for them

  15. What a disaster. I was affected. Already had identity stolen once last year with two credit card opening attempts. Now this. They should rot for this.

    • For anyone who doesn’t want to click the link, the TLDR of it all is that you can get different results if you check from different IPs (mobile vs pc, for example). They seem to be just randomly deciding who’s affected and who isn’t

  16. How nice. “Complementary” coverage for one year. They offer it as if they are doing you a favor.
    Not only do the hackers have your info but they know how long to sit tight before trying to use it. Perfect situation for TrustedID also. How long before we begin to receive the “fear” ads indicating how vulnerable you are without their pay service!

  17. Today was my day to enroll at Equifax thru trustedidpremier.com. But, my virus software keeps killing the connection saying it is infected with mal. oboy!

  18. Anyone else attempting to freeze their credit with the bureaus and getting “unable to honor your request to place a security freeze on your personal credit report” error messages? Any workarounds? Thanks!

    • Have you tried calling? I noticed someone on another forum who reported being unable to do it online but success over the phone. Are you getting the same message from all three bureaus?

      • I tried calling Experian, and followed the automated prompts for a caller interested in freezing their credit, and got an automated response that they were unable to help me over the phone (no option to speak to a human), and I needed to mail in my request. Figured the other 2 would provide a similar experience, so didn’t call them yet.

        • When I called Equifax, it went into a loop. I then went on to their website to freeze and they didn’t charge any fee. Called Experian and Transunion and got them done via the phone for $10 each – for Californian. You pick your own PIN for Transunion.

      • Update! Looks like the issue online is that I’m currently out of the country. Tried going through a VPN and was able to freeze all three!

  19. Same here Avast blocked me. I called Equifax to let them know my security system would not let me into their site. Didn’t bother them at all. Told me to try the next day. Have not done so and don’t intend to do so.

    Pat

  20. I just tried accessing the ENROLL link and all worked fine. They list 3-Bureau Credit File Monitoring, Equifax Credit Report Lock, Social Security Number Scanning
    (Searches suspicious web sites for your Social Security number.), and $1MM Identity Theft Insurance as included in what they will do. They should furnish Credit Report Lock on all three services, I believe.
    I am giving them the chance to try to make this right. I was a victim of Income Tax identity theft a couple years ago, so, I know my information is out there in sticky fingers. Monitoring your own accounts is the only solution going forward anyway.

  21. I am NOT convinced that the ratio is 1 in 3 of the 143 Million Consumers affected by the HACK, maybe 1 in 3 of the BILLIONS of people LIVING in America might be more accurate. And I am not surprised that I have once again been compromised by a company who KNEW MONTHS BEFORE letting their consumers know of a “possible” threat to their Identification, AND of course offering MONITORING after the fact. One would think that THE COMPANY SHOULD HAVE BEEN MONITORING BEFORE CRAP HAPPENS, right? Obviously Equifax did not learn from Target, Home Depot, and Lowe’s Consumer BREACH – Which I was one of the Consumers in those THREE too! The only difference is that I STOPPED Shopping at those places, had my affected CC’s closed out, and even my Bank CLOSED out my account(s) associated with those Companies / card purchases made at those companies. Ironically, that SAME BANK Informed me of Equifax’s BREACH BEFORE the Company came out about it, and before the information about the Big Wigs “possibly” being the connection between their activities and the HACK. Needless to say (as I started above), I never signed up for, joined, nor Authorized Equifax to have my information to begin with, therefore they had to have BOUGHT my information from some other company I did business with in the past, which in-itself is already a BREACH of MY INFORMATION – as far as I am Concerned, because they did NOT get My AUTHORIZATION First Hand to begin with (and probably how 143 Million peoples information was compromised).

  22. I REALLY DON’T FEEL COMFORTABLE GIVING MY WHOLE SS# AND DATE OF BIRTH , ADDRESS, EMAIL, PHONE IN THEIR ENROLLMENT…YES, THEY ASKED FOR WHOLE SS# IF YOUR NAME WAS POSSIBLY INFRINGED UPON AND NOW I AM GIVING THEM ALL MY INFO IN FULL…SOMETHING SEEMS EVEN SKETCHIER IN THIS ENROLLMENT PROCESS….I DON’T TRUST IT ONE BIT…AND HOW DID EQUIFAX GET MY SS# ETC…..I HAVE NEVER GONE THROUGH THEM BEFORE????……..ANY ADVICE ON THIS….SORRY FOR CAPS ON

  23. Trying to hit the Equifax site originally got me this message:

    Secure Connection Failed

    The connection to the server was reset while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

    I reloaded and followed the instructions. It took me to https://trustedidpremier.com/

  24. I am told that the monitoring companies just notify you of the hack after it occurs. It is then still our job to now fix the identity theft. In other words hypothetically a person goes into a store applies real-time for credit card, and is approved instantly and purchases some stuff and you are emailed a new account is now open, is the way I interpret the reporting. I like the freeze, using a pin to temporarily lift the freeze for a short period of time seems well worth it to prevent the identity theft in the first place. The question is do you have to pay for the temporary lift of the freeze? I am told that it doesn’t freeze credit for existing establishments you do business with… Therefore renewing your credit cards or opening a new account with your existing bank may still not require unfreezing, as I’m hoping they still do have access to my credit. I am opening a new CD account at my bank now, so will find out soon if it worked. The freeze will also hurt the credit reporting agencies and make them earn our trust back.

  25. I tried to enroll in the TrustedID Premier from the Equifax site and after I entered my full info I got this error message:
    ——————————————————————————————————————————–
    HTTP Status 405 – Request method ‘POST’ not supported

    type: Status report
    message: Request method ‘POST’ not supported
    description: The specified HTTP method is not allowed for the requested resource.

    Apache Tomcat/8.0.45
    ——————————————————————————————————————————–
    Any idea wtf is going on? This is sketchier than some bogus sites that I’ve seen.

  26. I filled out form and I am waiting an email for their response….very sketchy situation at best…..now they have my info ALL over again

  27. I went through the process to check if my information had been impacted and was told it was and that I would receive an email to activate the protection. I did receive an email a few days later that requested “To verify your identity and activate your product, please click the link below”

    Having worked for the Federal Government for 36 years and taken the cyber security classes seriously, I was taught never to click on a hyperlink in an email, especially one from an email address that was not confirmed. The address the email was sent from was,

    no-reply@trustedid.com via amazonses.com

    I had no idea who this was from, trustedid looked OK but who is amazonses.com?

    I tried to go through the equifax website to activate the protection, but no option to do that. I called equifax and they said the email was the only way to do it. I said it could be a phishing email, and the woman on the line said, Oh no, don’t worry. I told her equifax already blew it once, I do not want to be the victim of their failure to design a secure procedure to protect those they have already let down.

    I will find another way to protect myself.

  28. I know my wife and I were hacked through Equifax data. Someone in France attempted a purchase using a card she had BUT never used. The credit card company texted us about the suspicious charge. Called them and they immediately blocked her number. Later that day the crooks in France switched to my card number. Again the cc company texted us and then blocked my card. Equifax cannot say there haven’t been any actual incidents of the breached data being used. Got the Trusted ID email to take final step to activate and clicked link. Oops. Went to ‘their’ website and screen went blank. Then got msg to reboot. Sounds like spoofing and phishing link.

  29. I was informed that I was at risk after checking via Equifax, then enrolled in their “complementary” protection. (couple of weeks ago). I wanted to then use my new log in to Equifax’s TrustedID.com site to freeze my credit and for two (three?) days now, I get a message that the site is down. It says:

    “We Will Be Back Soon

    Our site is temporarily unavailable while we improve our service to you, but we are still proactively protecting your identity.

    We apologize for any inconvenience and thank you for your patience while we are working hard to make our site available to you as soon as possible.

    (EC9)”

    WTF???

  30. And what about children? I used to work for a telephone company and people would often attempt to use their children’s SSNs to get a phone connected. The point here is that it’s not just adult SSNs at risk. It’s EVERY AMERICAN with a SSN. How about starting life after high school with a ruined credit score and debt up to your eyeballs? What then? I wouldn’t suggest my thoughts are part of your story Greg, but what about the implications of SSNs stolen from 2, 3, 4, etc year olds? Perhaps you could report on this too?
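
One commenter above reports that the Equifax freeze PIN is the date and timestamp of the request (their example: 0909170925), which leaves a ten-digit PIN with far less randomness than its length suggests. The following is an added example, not part of the original post or comments, showing how an issuer could audit its own PINs for that pattern; the MMDDYYHHMM layout is taken from the commenter's example, and the sample records and function names are constructed for illustration.

```python
import math
from datetime import datetime, timedelta


def parse_timestamp_pin(pin: str):
    """Return the datetime a PIN encodes as MMDDYYHHMM, or None if it does not."""
    if len(pin) != 10 or not (pin.isascii() and pin.isdigit()):
        return None
    month, day, year, hour, minute = (int(pin[i:i + 2]) for i in range(0, 10, 2))
    try:
        # Assumption: two-digit years refer to 20YY.
        return datetime(2000 + year, month, day, hour, minute)
    except ValueError:
        return None  # e.g. month 13 or minute 75


def timestamp_share(records, tolerance=timedelta(minutes=5)) -> float:
    """Fraction of (pin, issued_at) records whose PIN decodes to the issue time."""
    hits = 0
    for pin, issued_at in records:
        decoded = parse_timestamp_pin(pin)
        if decoded is not None and abs(decoded - issued_at) <= tolerance:
            hits += 1
    return hits / len(records)


def timestamp_pin_bits(window_days: int) -> float:
    """Entropy of a minute-resolution timestamp PIN issued within the window."""
    return math.log2(window_days * 24 * 60)


def random_pin_bits(digits: int) -> float:
    """Entropy of a uniformly random PIN with the given number of digits."""
    return math.log2(10 ** digits)


# Constructed sample records: (PIN as issued, time the freeze was placed).
TIMESTAMP_STYLE = [
    ("0909170925", datetime(2017, 9, 9, 9, 25)),
    ("0909171402", datetime(2017, 9, 9, 14, 3)),
    ("0910170811", datetime(2017, 9, 10, 8, 11)),
]
RANDOM_STYLE = [
    ("4810275396", datetime(2017, 9, 9, 9, 25)),
    ("7302958164", datetime(2017, 9, 9, 14, 3)),
]

if __name__ == "__main__":
    print("timestamp-style share:", timestamp_share(TIMESTAMP_STYLE))
    print("random-style share:   ", timestamp_share(RANDOM_STYLE))
    print("bits, timestamp PIN over one year:", round(timestamp_pin_bits(365), 1))
    print("bits, random 10-digit PIN:        ", round(random_pin_bits(10), 1))
```

A PIN drawn from a cryptographically secure random source, or one the consumer chooses, does not decode to its own issue time, so a share near zero is the expected result of this audit.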
