Is the Equifax cure worse than the hack? Here’s what I plan to do…


Ouch.  Equifax failed to properly secure private data concerning 143 million US consumers.  Hackers may have gotten our names, Social Security numbers, birth dates, addresses and driver’s license numbers.  That’s pretty much everything they need to pull off identity theft at a scale never before seen.  Oh, and they may have gotten credit card numbers for 209,000 people too.

Plenty has been written about how poorly Equifax has handled this situation, so I won’t elaborate (much) on that.  The important question is:  What can you do to protect yourself?

Yesterday I published Equifax’s suggested solution.  When you browse to the Equifax website, you’ll see a notice stating: “Equifax Cybersecurity Incident: To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring, click here.”

Equifax Cure
If you click the “click here” link on the Equifax site, you’ll be taken to www.equifaxsecurity2017.com. Is that a legitimate site? Is that site safe from hacking? P.S. I think it is hilarious that they named the site equifaxsecurity2017. They’re clearly preparing for the inevitable equifaxsecurity2018 and equifaxsecurity2019 mishaps.

Problems with the Equifax Cure (www.equifaxsecurity2017.com)

If you click the “click here” link on the Equifax site, you’ll be taken to www.equifaxsecurity2017.com.  There, you’ll have the opportunity to check whether your personal information was potentially impacted.  You can also sign up for the waiting list to sign up for free identity protection through TrustedID Premier.

TrustedID Premier, according to the equifaxsecurity2017 website, will provide the following services:

  • Equifax credit report
  • 3 Bureau credit file monitoring: Credit file monitoring and automated alerts of key changes to your Equifax, Experian and TransUnion credit files
  • Equifax Credit Report Lock: Allows you to prevent access to your Equifax credit report by third parties, with certain exceptions.
  • Social Security Number Monitoring: Searches suspicious web sites for your Social Security number.
  • $1M Identity Theft Insurance: Up to $1 million in ID theft insurance. Helps pay for certain out-of-pocket expenses in the event you are a victim of identity theft.

To sign up for TrustedID Premier, you first have to check if your information was impacted.  Then, regardless of the answer (which they don’t always show you anyway!), you can click a button which will give you a date when you can really sign up.

The site states the following:

To determine if your personal information may have been impacted by this incident, please follow the below steps:

  1. Click on the below link, “Check Potential Impact,” and provide your last name and the last six digits of your Social Security number.
  2. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident.
  3. Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date. You should return to this site and follow the “How do I enroll?” instructions below on or after that date to continue the enrollment and activation process. The enrollment period ends on Tuesday, November 21, 2017.

So, in order to check if you were impacted and/or to get free credit protection through TrustedID Premier, you have to trust this sketchy site with your last name and last 6 digits of your SSN.

Surely Equifax properly secured this equifaxsecurity2017.com website, right?  Maybe not…

Ars Technica has this to say about equifaxsecurity2017.com (hat tip Barry):

…the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.

Waive your right to class action?

UPDATE: Equifax has updated the TrustedID terms. They’ve removed the paragraph shown below so this is no longer an issue.

Many have pointed out that when you enroll in TrustedID you waive the right to participate in class action arbitration or lawsuits according to the TrustedID Premier terms (found here).  Here’s a snippet:

This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.

I’m hoping that our own king of arbitration, The Fine Print author Alex Bachuwa, will weigh in on whether or not such a clause is really binding.  Until then, you’re not bound yet…

When you click the button to enroll on the equifaxsecurity2017 website, you’re not actually enrolling at that time.  Instead, Equifax is stupidly just giving you a date in the future in which you can enroll.  It is then and only then that you would be accepting the terms shown above.  Plus, I’m sure that you’ll have to enter much more private info in order to sign up.  So, that’s great (ha).

Free alternatives

Most of the protections offered by TrustedID Premier can be achieved for free elsewhere:

The AAA Alternative

As I’ve reported before, AAA offers free credit protection services to many members.  Details vary by location.  Some AAA members get nothing, but most can sign up for ProtectMyID Essential for free.  Some members (such as those in some areas within California) get ProtectMyID Deluxe for free.  Here’s a chart showing what’s covered (image taken from AAA Michigan website. Details may vary):

See this post for more details: Free Experian Credit Monitoring with AAA membership (for many).

Other Paid Alternatives

Plenty of companies offer identity theft protection services.  Are they any good?  Are they worth paying for?  I have no idea.  I’ve never looked into them. If you have experience, please comment below.

And, for the love of all that is good, please NEVER click through a pop-up on your computer that claims that you’ve been hacked and that they’ll protect you.  I promise, they’ll do the opposite.

My Approach

My wife and I are already covered for most of this stuff:

  • Equifax credit report: We can get details from our Equifax reports whenever we want from CreditKarma and other free tools.  We also request our annual free credit reports every now and then in order to have an electronic point-in-time copy that we can refer to.
  • 3 Bureau credit file monitoring: We use Mint.com to monitor Equifax, CreditKarma for TransUnion, and ProtectMyID (free from AAA) for Experian.
  • Equifax Credit Report Lock: I don’t really want to lock our reports. This would make new credit card signups more difficult.  Instead I’ll rely on monitoring.
  • Social Security Number Monitoring: My wife and I have Discover cards, so we’re covered.
  • $1M Identity Theft Insurance: I signed us up for Civic, so we’re good to go.

Overall, I feel good about our coverage.  So, with respect to Equifax’s TrustedID Premier, I’m going to wait before signing up.  I’d like to see what internet security experts have to say about the service and what Alex Bachuwa and other legal experts have to say about the arbitration clause.

What do you think?  What will you do?  Comment below.
