Ouch. Equifax failed to properly secure private data concerning 143 million US consumers. Hackers may have gotten our names, Social Security numbers, birth dates, addresses and driver’s license numbers. That’s pretty much everything they need to pull off identity theft at a scale never before seen. Oh, and they may have gotten credit card numbers for 209,000 people too.
Plenty has been written about how poorly Equifax has handled this situation, so I won’t elaborate (much) on that. The important question is: What can you do to protect yourself?
Yesterday I published Equifax’s suggested solution. When you browse to the Equifax website, you’ll see a notice stating: “Equifax Cybersecurity Incident: To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring, click here”
Problems with the Equifax Cure (www.equifaxsecurity2017.com)
If you click the “click here” link on the Equifax site, you’ll be taken to www.equifaxsecurity2017.com. There, you’ll have the opportunity to check whether your personal information was potentially impacted. You can also join the waiting list for free identity protection through TrustedID Premier.
TrustedID Premier, according to the equifaxsecurity2017 website, will provide the following services:
- Equifax credit report
- 3 Bureau credit file monitoring: Credit file monitoring and automated alerts of key changes to your Equifax, Experian and TransUnion credit files
- Equifax Credit Report Lock: Allows you to prevent access to your Equifax credit report by third parties, with certain exceptions.
- Social Security Number Monitoring: Searches suspicious web sites for your Social Security number.
- $1M Identity Theft Insurance: Up to $1 million in ID theft insurance. Helps pay for certain out-of-pocket expenses in the event you are a victim of identity theft.
To sign up for TrustedID Premier, you first have to check if your information was impacted. Then, regardless of the answer (which they don’t always show you anyway!), you can click a button which will give you a date when you can really sign up.
The site states the following:
To determine if your personal information may have been impacted by this incident, please follow the below steps:
- Click on the below link, “Check Potential Impact,” and provide your last name and the last six digits of your Social Security number.
- Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident.
- Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date. You should return to this site and follow the “How do I enroll?” instructions below on or after that date to continue the enrollment and activation process. The enrollment period ends on Tuesday, November 21, 2017.
So, in order to check if you were impacted and/or to get free credit protection through TrustedID Premier, you have to trust this sketchy site with your last name and last 6 digits of your SSN.
Surely Equifax properly secured this equifaxsecurity2017.com website, right? Maybe not…
Ars Technica has this to say about equifaxsecurity2017.com (hat tip Barry):
…the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.
Waive your right to class action?
UPDATE: Equifax has updated the TrustedID terms. They’ve removed the paragraph shown below so this is no longer an issue.
Many have pointed out that when you enroll in TrustedID you waive the right to participate in class action arbitration or lawsuits according to the TrustedID Premier terms (found here). Here’s a snippet:
This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.
I’m hoping that our own king of arbitration, The Fine Print author Alex Bachuwa, will weigh in on whether or not such a clause is really binding. Until then, you’re not bound yet…
When you click the button to enroll on the equifaxsecurity2017 website, you’re not actually enrolling at that time. Instead, Equifax is stupidly just giving you a date in the future on which you can enroll. It is then and only then that you would be accepting the terms shown above. Plus, I’m sure that you’ll have to enter much more private info in order to sign up. So, that’s great (ha).
Free alternatives
Most of the protections offered by TrustedID Premier can be achieved for free elsewhere:
- Equifax credit report: Once per year you can always get your credit report for free via annualcreditreport.com. Additionally, any time you are denied credit (such as when you sign up for a credit card and are denied), you have the right to request the credit report for free. Also, some free credit monitoring tools (such as Credit Karma or Credit Sesame) offer full (or nearly full) access to your report details for free at any time (typically updated once a month).
- 3 Bureau credit file monitoring: A number of free tools offer credit monitoring, but each is usually specific to one bureau. You can sign up for multiple tools to monitor all three bureaus for free. See: Equifax Hack Rx: Free credit monitoring.
- Equifax Credit Report Lock: You can actually freeze all three bureaus if you want to. It’s not necessarily free, but it’s cheap (costs vary by state and situation). Doctor of Credit has all of the details here.
- Social Security Number Monitoring: Discover now provides this service for free to cardholders.
- $1M Identity Theft Insurance: You can get identity theft insurance for free simply by signing up for Credit Sesame or Civic. For full details, please see: Equifax Hack Rx: Free Identity Theft Insurance.
The AAA Alternative
As I’ve reported before, AAA offers free credit protection services to many members. Details vary by location. Some AAA members get nothing, but most can sign up for ProtectMyID Essential for free. Some members (such as those in some areas within California) get ProtectMyID Deluxe for free. Here’s a chart showing what’s covered (image taken from AAA Michigan website. Details may vary):
See this post for more details: Free Experian Credit Monitoring with AAA membership (for many).
Other Paid Alternatives
Plenty of companies offer identity theft protection services. Are they any good? Are they worth paying for? I have no idea. I’ve never looked into them. If you have experience, please comment below.
And, for the love of all that is good, please NEVER click through a pop-up on your computer that claims that you’ve been hacked and that they’ll protect you. I promise, they’ll do the opposite.
My Approach
My wife and I are already covered for most of this stuff:
- Equifax credit report: We can get details from our Equifax reports whenever we want from CreditKarma and other free tools. We also request our annual free credit reports every now and then in order to have an electronic point-in-time copy that we can refer to.
- 3 Bureau credit file monitoring: We use Mint.com to monitor Equifax, CreditKarma for TransUnion, and ProtectMyID (free from AAA) for Experian.
- Equifax Credit Report Lock: I don’t really want to lock our reports. This would make new credit card signups more difficult. Instead I’ll rely on monitoring.
- Social Security Number Monitoring: My wife and I have Discover cards, so we’re covered.
- $1M Identity Theft Insurance: I signed us up for Civic, so we’re good to go.
Overall, I feel good about our coverage. So, with respect to Equifax’s TrustedID Premier, I’m going to wait before signing up. I’d like to see what internet security experts have to say about the service and what Alex Bachuwa and other legal experts have to say about the arbitration clause.
What do you think? What will you do? Comment below.
See Also:
- Complete Guide to Free Credit Scores, Reports, and Monitoring
- Equifax Hack Rx: Free Identity Theft Insurance
- Equifax Hack Rx: Free credit monitoring.
And what about children? I used to work for a telephone company and people would often attempt to use their children’s SSNs to get a phone connected. The point here is that it’s not just adult SSNs at risk. It’s EVERY AMERICAN with a SSN. How about starting life after high school with a ruined credit score and debt up to your eyeballs? What then? I wouldn’t suggest my thoughts are part of your story Greg, but what about the implications of SSNs stolen from 2, 3, 4, etc year olds? Perhaps you could report on this too?
That’s a great question. I don’t have any knowledge/expertise regarding that though.
Can anyone verify that the email from no-reply@trustedid.com whose return path is actually (multiple characters)…@amazonses.com is legitimate? How can I be sure? That return path looks very suspicious to me.
You know what… even if it’s legitimate (I don’t know if it is), I wouldn’t recommend clicking the links.
I was informed that I was at risk after checking via Equifax, then enrolled in their “complimentary” protection. (couple of weeks ago). I wanted to then use my new log in to Equifax’s TrustedID.com site to freeze my credit and for two (three?) days now, I get a message that the site is down. It says:
“We Will Be Back Soon
Our site is temporarily unavailable while we improve our service to you, but we are still proactively protecting your identity.
We apologize for any inconvenience and thank you for your patience while we are working hard to make our site available to you as soon as possible.
(EC9)”
WTF???
Same for me…on my laptop. Although I can get it to come up on my phone. What gives?
Yeah, I’m not planning to use their TrustedID service at all. You can get just as much protection from other free sources.
So did they erase the paragraph that says we waive our right? So it’s a non issue now?
Correct. That’s now a non-issue.
Have you seen this article on Equifax? “Someone Made a Fake Equifax Site. Then Equifax Linked to It” 9/20/2017 NYTimes.com
https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html?mabReward=ART_TS2&recid=5c5f2842-840c-48e7-7921-562a486a00f3&recp=1&moduleDetail=recommendations-1&action=click&contentCollection=U.S.&region=Footer&module=WhatsNext&version=WhatsNext&contentID=WhatsNext&src=recg&pgtype=article
I know my wife and I were hacked through Equifax data. Someone in France attempted a purchase using a card she had BUT never used. The credit card company texted us about the suspicious charge. Called them and they immediately blocked her number. Later that day the crooks in France switched to my card number. Again the cc company texted us and then blocked my card. Equifax cannot say there haven’t been any actual incidents of the breached data being used. Got the Trusted ID email to take final step to activate and clicked link. Oops. Went to ‘their’ website and screen went blank. Then got msg to reboot. Sounds like spoofing and phishing link.
I went through the process to check if my information had been impacted and was told it was and that I would receive an email to activate the protection. I did receive an email a few days later that requested “To verify your identity and activate your product, please click the link below”
Having worked for the Federal Government for 36 years and taken the cyber security classes seriously, I was taught never to click on a hyperlink in an email, especially one from an email address that was not confirmed. The address the email was sent from was,
no-reply@trustedid.com via amazonses.com
I had no idea who this was from, trustedid looked OK but who is amazonses.com?
I tried to go through the Equifax website to activate the protection, but no option to do that. I called Equifax and they said the email was the only way to do it. I said it could be a phishing email, and the woman on the line said, Oh no, don’t worry. I told her Equifax already blew it once, I do not want to be the victim of their failure to design a secure procedure to protect those they have already let down.
I will find another way to protect myself.
I got an email from the same no-reply@trustedid.com via amazonses.com. That’s why I’m here, I’m trying to find out if it’s legitimate. It looks like an email was cut and pasted into the email I got – it doesn’t look legit. I’m glad I’m not the only one who’s leery about no-reply@trustedid.com via amazonses.com!
I agree with your decision… even if it’s legitimate (I don’t know if it is), I wouldn’t recommend clicking the links.
I filled out the form and I am waiting for an email for their response….very sketchy situation at best…..now they have my info ALL over again
I tried to enroll in the TrustedID Premier from the Equifax site and after I entered my full info I got this error message:
——————————————————————————————————————————–
HTTP Status 405 – Request method ‘POST’ not supported
type: Status report
message: Request method ‘POST’ not supported
description: The specified HTTP method is not allowed for the requested resource.
Apache Tomcat/8.0.45
——————————————————————————————————————————–
Any idea wtf is going on? This is sketchier than some bogus sites that I’ve seen.
I am told that the monitoring companies just notify you of the hack after it occurs. It is then still our job to now fix the identity theft. In other words hypothetically a person goes into a store applies real-time for credit card, and is approved instantly and purchases some stuff and you are emailed a new account is now open, is the way I interpret the reporting. I like the freeze, using a pin to temporarily lift the freeze for a short period of time seems well worth it to prevent the identity theft in the first place. The question is do you have to pay for the temporary lift of the freeze? I am told that it doesn’t freeze credit for existing establishments you do business with… Therefore renewing your credit cards or opening a new account with your existing bank may still not require unfreezing, as I’m hoping they still do have access to my credit. I am opening a new CD account at my bank now, so will find out soon if it worked. The freeze will also hurt the credit reporting agencies and make them earn our trust back.
Trying to hit the Equifax site originally got me this message:
Secure Connection Failed
The connection to the server was reset while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
I reloaded and followed the instructions. It took me to https://trustedidpremier.com/