by courtewing 3209 days ago
I strongly encourage anyone in the US to put a full credit security freeze on all three credit agencies. When a credit freeze is in place, you still have access to all of your existing loan accounts and whatnot (e.g. credit cards), but lenders cannot access your credit to open new accounts unless you want them to.

It's not difficult nor expensive to do, and the freeze lasts until you decide to revoke it. Whenever you need to allow access to your credit (credit check for rent, taking out a loan, etc.), you can temporarily lift your credit freeze for a small fee. The fees associated with this are going to be much cheaper than any of the professional "identity protection" services that exist out there, and the freeze is significantly more effective at protecting you.

When a company leaks your social security number and personal details, which almost certainly will happen at some point if it hasn't already, then opening fraudulent accounts in your name isn't the only risk you face, but it's an obvious and dangerous possibility that can ruin you financially or make you spend a considerable amount of time and energy fixing the situation.

For every person in the US with kids, I also strongly suggest that you freeze their credit as well. There's no good reason for your 13 year old to take out a loan, but identity thieves don't care about how old their victim is.

18 comments

At this stage, if you have to pay the company that leaks your own data to prevent it from harming you, it starts to sound like a protection racket.
It is a protection racket that shifts the risks and costs from the financial system to consumers.
Same with chip and pin here in the UK
At least you get the pin as well. We just have chip, and it does ~nothing.
I have heard of no cases where liability has been shifted in that way.
There is strong evidence for it here: http://www.cl.cam.ac.uk/~sjm217/papers/oakland14chipandskim....

And regardless of whether you claim the evidence is inconclusive, it is simply not acceptable to dismiss a known vulnerability in something important by saying "I don't know of any case where it has been exploited yet."

That's explicitly not what I said.

I know that flaws have and will continue to be discovered in those authentication systems, and also that a theoretical shift in liability occurs. Any bugs will need to be fixed, and that's important. But you can't ignore the situation in practice – liability is not being shifted, and all UK banks and credit card providers are pretty happy to refund fraudulent transactions regardless.

Exactly. All it does, as far as I can see, is flag the transaction as cardholder present. The PIN is easy to steal as well, as evidenced by the number of fake reader heads and cameras found attached to ATMs.
I recently did this and highly recommend IdentityTheft.gov for assistance. It has tons of great resources/guidance for dealing with identity theft and other credit issues.

https://www.identitytheft.gov/

Direct link to phone numbers for security freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...
This will make a great addition to the /r/personalfinance wiki! Thanks for posting it!
Happy to help! I was really surprised how well the site works. A bit more about my experience here in case it could also be useful (though the post is admittedly a bit scatter-brained): https://chrxs.net/articles/2017/03/23/responding-to-identity...
I can't agree with this more. I was the victim of identity theft many years ago. In my case the data leaked from an employee in my company's payroll dept! There was nothing I could have done to prevent it. Anyway, I did this many years ago and have not worried about it since. There is some small hassle because people run credit checks for weird reasons that have nothing to do with trying to get a loan or line of credit. For instance, when I got promoted to a certain level at my last company they ran one, and while they didn't run them when I got hired, I think later they started doing them as part of "background checks" for all new hires. The other hassle is that sometimes the credit agencies change the way you "unfreeze" and I've had some problems with that, or the people running the check don't actually know which of the three credit agencies they are using. However, for the once-every-four-or-five-years hassle it is definitely worth the peace of mind for me. In many cases you can "temporarily" revoke it for a week or 10 days.
I'd phrase this more as, "I was impersonated by someone, and a third-party compounded the problem by lying about it to others. Now, to avoid that problem, I pay protection money to that third-party and waste my time jumping through their hoops."

I do the same thing, BTW, because the alternative is worse. But it is a protection racket offered by the very people causing the problem.

I think that is pretty much exactly how I felt about it at the time. One thing I haven't seen mentioned is the fact that this "remedy" was actually a requirement imposed (at least in California) on the credit agencies by the government, and it wasn't always that way. So for several years, instead of this, I would have to actually go check (all three) credit agencies, getting my "free" report (since I was an identity theft victim). Of course I still had to ask for it; they didn't just send it to me. So yes, it was the least bad alternative. If a large enough number of people actually signed up for this it would actually destroy the credit agencies' business model, because instead of working by default, they would be broken often enough that people would adopt other, more reliable solutions. I think that may already be happening in some cases. For instance, when my son moved into his first apartment, I had to put my name on the lease. I told them my credit was locked and they said they don't use the credit agencies; they had some other check they did. So yeah, no love for credit reporting agencies from me.
So if an identity thief has enough of my information to potentially open a new line of credit, wouldn't they also have enough information to reverse the freeze?

In other words, is a freeze enough to stop new accounts from being created?

You get a unique long PIN code when you freeze the account. You need that to unfreeze it. There is some "recovery" procedure; I think you need a notary or something.
And that unique long pin definitely isn't stored in plaintext in the next column over in their database, right?
At least it's only in one database, and not all of them, like SSNs are...
At this point it's about doing that one thing the other 1 million won't. It might be surmountable but do you figure the adversary is going to have the incentive to surmount it?
"don't worry, your 12 digit pin is securely encrypted with md5"

/s

md5? They use triple ROT13.
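The "stored in plaintext" and "encrypted with md5" worry in the comments above, illustrated with constructed Python that is not from this page or from any credit bureau: unsalted md5 of a short numeric PIN is reversed by plain enumeration, and the hardened version (per-record salt, PBKDF2-HMAC-SHA256, constant-time comparison, failed-attempt lockout) shows why the online lockout, not the hash, is what protects a 10-digit keyspace. The 4-digit demo PIN, the iteration count and the 5-attempt lockout threshold are assumptions chosen for the demo.

```python
"""Freeze-PIN storage: the weak design the thread jokes about next to a
hardened one.  Constructed demo; not code from any credit bureau."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# ---- Weak design: unsalted md5 of a numeric PIN ----------------------------

def weak_store(pin: str) -> str:
    """Store md5(pin).  With a numeric PIN the keyspace is tiny, so the digest
    is reversed offline as soon as the table leaks."""
    return hashlib.md5(pin.encode()).hexdigest()


def weak_crack(digest: str, n_digits: int) -> Optional[str]:
    """Offline brute force over every n-digit PIN (10**n md5 calls).
    The 4-digit demo is ~10k hashes; a 10-digit PIN is 10**10, which is on the
    order of seconds on a GPU, and a salt would not change that count."""
    for candidate in range(10 ** n_digits):
        pin = f"{candidate:0{n_digits}d}"
        if hashlib.md5(pin.encode()).hexdigest() == digest:
            return pin
    return None


# ---- Hardened design: salted slow hash + server-side lockout ---------------

MAX_FAILED_ATTEMPTS = 5        # assumed policy for the demo
ITERATIONS = 200_000           # assumed PBKDF2 cost; tune by measuring

@dataclass
class FreezeRecord:
    salt: bytes
    iterations: int
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def new_pin(n_digits: int = 10) -> str:
    """Generate the PIN with a CSPRNG, zero-padded to a fixed length."""
    return f"{secrets.randbelow(10 ** n_digits):0{n_digits}d}"


def strong_store(pin: str, iterations: int = ITERATIONS) -> FreezeRecord:
    """Per-record 16-byte salt and PBKDF2-HMAC-SHA256; only the salt, cost and
    digest are persisted, never the PIN."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return FreezeRecord(salt=salt, iterations=iterations, digest=digest)


def strong_verify(record: FreezeRecord, pin: str) -> bool:
    """Server-side check.  A 10-digit PIN has only 10**10 values, so the slow
    hash alone does not survive an offline attack; the lockout is what bounds
    an attacker who only has the online unfreeze interface."""
    if record.locked:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), record.salt, record.iterations)
    if hmac.compare_digest(candidate, record.digest):  # constant-time compare
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        record.locked = True   # recovery must now go through an out-of-band path
    return False


if __name__ == "__main__":
    pin = "4471"  # constructed demo PIN; real freeze PINs are ~10 digits
    print("weak md5 storage cracked:", weak_crack(weak_store(pin), 4))
    rec = strong_store(pin)
    print("correct PIN accepted:", strong_verify(rec, pin))
    for _ in range(MAX_FAILED_ATTEMPTS):
        strong_verify(rec, "0000")
    print("after lockout even the right PIN fails:", strong_verify(rec, pin))
```

Once a record is locked, the only way back in is an out-of-band recovery path, which is the notary or mailed-ID procedure the comments describe; that path is where the real strength of the scheme ends up, because an attacker who already holds the leaked identity data is attacking the recovery procedure, not the hash.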
Sounds like such a freeze should be the default state.
That doesn't sound very profitable.
Anyone know if there's a way to get your free credit report if you can't answer the questions for the free one?

The computer says no, and the phone number just sends a letter that says no. I tried to buy one from my bank, but as far as I can tell they only sell subscriptions...

You could see if Credit Karma works. I think it is mostly a free interface to Trans Union though.
Funny enough, it also provides your Equifax report.
Each of the credit reporting agencies has a process for requesting your credit report by snail mail. The form is hidden away on the various websites, but it has generally worked for me when the online form didn't work (it turns out another person's delinquent loans and CCs were in the report that they were using to test that it was me).

Not as free, since you need to buy envelopes / print the forms / photocopy your ID / get stamps / wait X weeks, but as free as it gets when the online system doesn't work.

http://annualcreditreport.com/ is the "official" site for this, per the FTC [0].

There's info on that page on how to proceed to get yours via snail mail (along with a link to the form).

[0]: https://www.consumer.ftc.gov/articles/0155-free-credit-repor...

There is! https://www.annualcreditreport.com/ I use it every year along with being a regular Credit Karma user.
credit karma
Why not just shift the presumption of liability (absent verification) to the financial institution instead of the consumer? Loan issuers can hire skilled professionals to do credit verification, so why should consumers bear the risk for their lack of due diligence?
"just"

Consumers would love this. Financial institutions would not. Guess who wins this battle?

> Consumers would love this. Financial institutions would not. Guess who wins this battle?

And everyone thought SOPA and PIPA were done deals, that is until the great internet SOPA/PIPA blackout day that resulted in so many calls to congress that the congress critters backed down.

If enough voters could be motivated appropriately to contact their congress critters requesting jail time for the Equifax executive staff that clearly did not stress security sufficiently, there would be some change that would occur.

Remember, money (donors) only help the congress critters to pay for the costs of the election. They still have to get those voters to actually vote for them. So there's still a way to influence their viewpoint. It just takes _way_ more than a few handfuls of voters calling/writing to reach the point where they actually pay attention anymore.

For sure, and that's precisely the problem.
Wow. Equifax's Credit Freeze line is just dead. Must be getting slammed right now.
Their signup process for the credit freeze involves entering your SSN which is not obscured at all. It's increasingly obvious how this could have happened -_-
Care to elaborate?
Shit-tier security practices
Also just tried to pull a credit report from Equifax via annualcreditreport.com and received a message that a condition exists at this time not allowing my report to be pulled, and instead it gave me mailing instructions.
I did this about 8 years ago, and have only needed to temporarily unfreeze it 3 times. Besides the big 3, I also froze reporting from Innovis.

The only unforeseen hangup from frozen credit reporting I've run into is with car rentals. With a few exceptions, most car rental companies (at least in the US) run your credit. Everything else was pretty predictable.

Do they refuse you rental?

Here in the UK they verify address via utility bills, cross-checked with the driver's license (verified by a gov agency, DVLA). Maybe they only take card payments too, no cash?

I'd expect that to be enough, given they force you to take out expensive insurance, that must cover them, surely. What's the credit report going to get them at that point?

(It may be even stricter now, don't know.)

I just changed to one of the rental companies that doesn't require pulling credit.
> Besides the big 3, I also froze reporting from Innovis.

Why Innovis? Who typically uses their reports?

Same people that pull from the other 3. It's not as commonly used, though its usage is trending upwards from what I understand.
Can you call and get it unfrozen immediately if it needs to be run?
To unfreeze it entirely, it looks like it can take no longer than 3 days. Unfreezing it for specific parties, it sounds like, costs less money and perhaps takes less time, but that will depend on the company.

Source: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...

Law limits it to no more than three days. My experience has been that it mostly takes place within 12-24 hours.
I did this about 2 years ago with all 3 of the major agencies and in addition to the benefits described in post and comments, my junk mail volume dropped considerably. I don't know if it's always the case but this did not cost me any money.
This is actually a major inconvenience. You won't be able to apply for credit cards or get a loan to buy a car if you have a credit freeze. You have to unfreeze and re-freeze each time you apply for a credit card, and this costs about $30.
It depends on your situation. I've done this for the last 3 years, and have only had to lift the freeze 2 times, both times actually for job offers (it's pretty routine for companies to run background checks on new hires, which includes a credit history check). It does cost ~$30, but can be done online, and takes little time. You can also reduce the cost by asking whoever wants to legitimately check your credit history which reporting agency they will be checking with. Then you only need to lift the freeze for that agency, and for that entity asking for a report.

If there isn't some handshake/ack mechanism like this, I'm not sure how you cut back on fraudulent activity. I can see the case for making the credit agencies eat this cost and provide these services for free. That would probably require an act of congress...

Edit: You could also ask a potential employer to eat the cost of unfreezing to check your credit history, or ask them not to do the check at all (especially if it's not really relevant to your job). Either request seems reasonable to me, although I haven't tried that, I'm betting at least most employers would pay for the unfreeze.

It's definitely not routine for employers to do credit history checks except in certain narrow roles (and even illegal in many states). You absolutely should not unfreeze it for an employer unless they can provide justification for needing credit information.
How often do you apply for credit?

It is, in any case, far less of an inconvenience than not paying the protection racket, having someone impersonate you, and having the credit oligopoly lie about you because of it, leaving you to somehow clean up their mess.

Some folks churn, so they apply for credit several times a month. It's not a very small niche community either.
It is a small niche relative to the credit-using public at large, and there's no reason to accommodate them at the expense of everyone else.
No one asked anyone to accommodate anyone.
How often do you apply for credit? In the last 5 years I’ve done it zero times...
I have one credit card that I got in my twenties, and have never taken a loan. I'm wondering too what these people are doing.
What stops the would-be identity thief from removing the freeze before opening a fraudulent account?
A credit freeze gives you a PIN that they'll ask for before the freeze can be lifted.
Does a credit freeze stop you from accessing your free credit scores (e.g. CreditKarma, Mint etc.)?
No it won't prevent you from accessing your free credit scores.
You've sold me, now tell me how to do it
You have to place the freeze on each of the three credit agencies individually. In most states it's $10 each, but it can vary state to state.

https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo...

https://www.transunion.com/credit-freeze/place-credit-freeze

https://www.experian.com/freeze/center.html

I think you are missing something. Here's what's needed to initiate your TransUnion freeze:

To set up a security freeze with TransUnion, please visit our online form. You should be prepared with the following types of information:
1. Your full name, including middle initial and suffix, such as Jr., Sr., II, III
2. Social Security Number
3. Date of birth
4. Current address
5. All addresses where you have lived during the past two years
6. Email address
7. A copy of a government-issued identification card, such as a driver's license or state ID card, etc.
8. A copy of a utility bill, bank or insurance statement, etc.

So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

The problem is that these companies, which none of us ever chose or nominated to collect our data, are careless with our PII. And until some accountability is added into the system, this will continue.

I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

Nope. Ain't gonna happen. Financial crime pays, big time! No one goes to Jail. They usually have an investigation followed by a hearing in Congress (if it is "BIG" enough), then come back and pay a fine. Media will report the fine as "MILLIONS OF $" but the fine hardly makes a dent in the Bank / Financial institute's coffer.

W.r.t. this particular situation, here's a story that just broke.

Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed (bloomberg.com) => https://news.ycombinator.com/item?id=15196309

It's called INSIDER TRADING.

If they did that because of this, the SEC will likely nail them for it.
Of the three letter agencies, the IRS and the SEC are particularly ruthless. They can only enforce what Congress will allow, unfortunately, so that leads to bigger fish not being fried up.
Equifax can handle its internal management and operations however it wants.

Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?

That's the only way to properly align incentives so companies will proactively defend against attacks like this.

This thing called "Identity Theft" does cause damage, but it's important to remember that if fraudsters trick a bank into thinking they are you, it is the bank's fault for failing to properly verify it was actually you. Doing so would cost them more money and it is much easier to do cursory checks instead.

No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.

But you still pay the fees from the banks failings, so it really does hurt everyone even when the bank eats it.
I expect managers to go to jail, in addition to a financial kneecap that forces other companies to vigilantly pressure their management for security.

Well, maybe not expect. This is America... I expect infuriating golden parachutes. But I certainly hope for criminal charges and jail time.

$1k, $100, that's far too low in my opinion even for a warning shot.

As someone who has had their info leaked by two universities before, both of whom subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and need to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods with long term lasting effects.

If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.

$100 per each individual would be 14 billion dollars... Which would definitely put Equifax out of business.
$1k would mean a $146 billion fine in this case. Hardly a "tiny figure".
I would not doubt a class action lawsuit results from this, and I'd be very surprised if Elizabeth Warren didn't pursue congressional action against them (although not officers of the company unfortunately).
And then I'll get six months of free credit monitoring from Equifax? Oh boy!!1!

More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.

> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay.

The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.

It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.

We don't know if this has anything to do with any acquisitions - this is a conjecture, at best.

At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.

Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.

This so much. The stream of corporations passing the buck into a black hole of irresponsibility needs to end now. If people aren't held responsible, they will continue to make these failings without pause. I hope everyone is writing their legislators and congresspeople right now. They listen more than even my disillusioned self thought. They just might have bigger incentives to act otherwise. But if they don't know, they can't even choose to be corrupt or not; they are ignorant by proxy. Communicate to your leaders, and remember their response when you vote.
The best way to punish them is for us all to organize and create a Proposition that bans them from being a credit bureau, etc. If this passes in California, it will destroy them as a company.
Not really conjecture:

> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.

And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.

You probably did if you have any sort of bank account or loan or job application or rent. It's pervasive in contracts/agreements that they report to partners and credit agencies.
I find it difficult to reconcile your second and third paragraphs.

I guess choosing not to prioritize security (vs profit or whatever) when making acquisitions is different than just ignoring it entirely.

If that were the case, then who approved the acquisition? Who did due diligence on it?

Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.

>Preferably with their jobs

That's not nearly enough, considering the reach and impact this could potentially have. These people need to be getting life prison sentences before security is finally taken seriously enough by executives.

It's high time we had an equivalent law to Sarbanes-Oxley for security.

S-O made sure that when a C-level type signs a report, he knows his ass is on the line in case an illegal transaction occurs under his nose. If your company deals with PII, I want that data to be treated as important, if not more important, than the company's funds. If you lose it, and you had any say in security (or lack thereof), you should do time.

> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

Sure, but TU already has all the above information anyways.

> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

To what end? As has been pointed out they have all that info anyway so it's not like you're making the situation worse.

But more importantly, if your credit is frozen who cares? What are they going to do with your SSN? Get a loan? Get a CC? Buy a house?

That's the point of a freeze, it makes your PII less valuable.

The actual concern is about the PIN. Because surely they could go through the trouble of PIN recovery to unfreeze your credit and then make use of it. But considering the numbers game, it's not worth their trouble vs. all the unfrozen accounts.

> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

No. With jail. And go bankrupt.

Now there are news that they sold their shares last week.
/me sighs

The Equifax site appears broken in at least some browsers. Transunion wants me to sign up for an online account, and Experian charges a $10 fee in my state to place a freeze.

All three want to collect my name, DOB, SSN, etc. _again_ in order to sign up.

This is complete and utter BS. Credit reporting agencies are one of the greatest/worst rackets in the modern financial system.

"You could be at GRAVE RISK because we accidentally leaked your personal information. Please give us all of your personal information so that we can tell you if you were affected."

It's almost funny, in a way. What, so I can become affected if I'm not already?

I don't understand this. Equifax claims they just leaked my SSN, Drivers License, and other pertinent data to everybody. How would they possibly confirm that I am the one lifting the 'freeze'?
When you get your account frozen they provide a PIN to unlock.
And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life? Or is there some way around the PIN - perhaps only requiring the already leaked information?
>>And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life?

Exactly. There's no shot this "PIN" is like a one-way encryption passphrase. There is definitely a way around it.

You call them up... but this will probably no longer work b/c of the data breach. Otherwise you snail mail them a letter with a govt ID and they send you a new pin.
thanks for this info! saved me a lot of time hunting these links down myself
Unfortunately it appears freezing credit reporting is impossible in Canada, presumably because there are no laws forcing these companies to allow it here: https://money.stackexchange.com/a/54677
Calling a phone number is easier than signing up by web

https://www.transunion.com/fraud-victim-resource/important-contacts

Question for you: My card comes with Identity theft protection [1]. Do you think that's a good alternative to freezing credit completely?

[1] https://www.discover.com/credit-cards/member-benefits/securi...

It sounds like this would alert you to potential fraud, but not prevent it from happening. You'd still have the headache of undoing the damage, although that may be easier if you find out sooner.

If you freeze your credit, it basically prevents anyone from opening any new credit under your name. The reason for this is that any lender (car, mortgage, credit card, etc...) first would want to see your credit history, to determine how credit worthy you are. If they can't do that, they will not lend.

I'm waiting for the headline one day soon that hackers were able to unfreeze people's profiles and commit fraud under these accounts anyway. It's just another database entry somewhere, which says "freeze". All these systems are vulnerable and can be penetrated.

That's a bad idea, I think. You are giving your card company proxy rights, and more data about yourself than they should have.
Dilemma: spend $30 on credit freezes or put $30 into bitcoins?