Ouch. Equifax failed to properly secure private data concerning 143 million US consumers. Hackers may have gotten our names, Social Security numbers, birth dates, addresses and driver’s license numbers. That’s pretty much everything they need to pull off identity theft at a scale never before seen. Oh, and they may have gotten credit card numbers for 209,000 people too.
Plenty has been written about how poorly Equifax has handled this situation, so I won’t elaborate (much) on that. The important question is: What can you do to protect yourself?
Yesterday I published Equifax’s suggested solution. When you browse to the Equifax website, you’ll see a notice stating: “Equifax Cybersecurity Incident: To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring, click here”
Problems with the Equifax Cure (www.equifaxsecurity2017.com)
If you click the “click here” link on the Equifax site, you’ll be taken to www.equifaxsecurity2017.com. There, you’ll have the opportunity to check whether your personal information was potentially impacted. You can also join the waiting list to sign up for free identity protection through TrustedID Premier.
TrustedID Premier, according to the equifaxsecurity2017 website, will provide the following services:
- Equifax credit report
- 3 Bureau credit file monitoring: Credit file monitoring and automated alerts of key changes to your Equifax, Experian and TransUnion credit files
- Equifax Credit Report Lock: Allows you to prevent access to your Equifax credit report by third parties, with certain exceptions.
- Social Security Number Monitoring: Searches suspicious web sites for your Social Security number.
- $1M Identity Theft Insurance: Up to $1 million in ID theft insurance. Helps pay for certain out-of-pocket expenses in the event you are a victim of identity theft.
To sign up for TrustedID Premier, you first have to check if your information was impacted. Then, regardless of the answer (which they don’t always show you anyway!), you can click a button which will give you a date when you can really sign up.
The site states the following:
To determine if your personal information may have been impacted by this incident, please follow the below steps:
- Click on the below link, “Check Potential Impact,” and provide your last name and the last six digits of your Social Security number.
- Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident.
- Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date. You should return to this site and follow the “How do I enroll?” instructions below on or after that date to continue the enrollment and activation process. The enrollment period ends on Tuesday, November 21, 2017.
So, in order to check if you were impacted and/or to get free credit protection through TrustedID Premier, you have to trust this sketchy site with your last name and last 6 digits of your SSN.
Surely Equifax properly secured this equifaxsecurity2017.com website, right? Maybe not…
Ars Technica has this to say about equifaxsecurity2017.com (hat tip Barry):
…the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.
Waive your right to class action?
UPDATE: Equifax has updated the TrustedID terms. They’ve removed the paragraph shown below so this is no longer an issue.
Many have pointed out that when you enroll in TrustedID you waive the right to participate in class action arbitration or lawsuits according to the TrustedID Premier terms (found here). Here’s a snippet:
This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.
I’m hoping that our own king of arbitration, The Fine Print author Alex Bachuwa, will weigh in on whether or not such a clause is really binding. Until then, you’re not bound yet…
When you click the button to enroll on the equifaxsecurity2017 website, you’re not actually enrolling at that time. Instead, Equifax is stupidly just giving you a date in the future on which you can enroll. It is then and only then that you would be accepting the terms shown above. Plus, I’m sure that you’ll have to enter much more private info in order to sign up. So, that’s great (ha).
Most of the protections offered by TrustedID Premier can be achieved for free elsewhere:
- Equifax credit report: Once per year you can always get your credit report for free via annualcreditreport.com. Additionally, any time you are denied credit (such as when you sign up for a credit card and are denied), you have the right to request the credit report for free. Also, some free credit monitoring tools (such as Credit Karma or Credit Sesame) offer full (or nearly full) access to your report details for free at any time (typically updated once a month).
- 3 Bureau credit file monitoring: A number of free tools offer credit monitoring, but each is usually specific to one bureau. You can sign up for multiple tools to monitor all three bureaus for free. See: Equifax Hack Rx: Free credit monitoring.
- Equifax Credit Report Lock: You can actually freeze all three bureaus if you want to. It’s not necessarily free, but it’s cheap (costs vary by state and situation). Doctor of Credit has all of the details here.
- Social Security Number Monitoring: Discover now provides this service for free to cardholders.
- $1M Identity Theft Insurance: You can get identity theft insurance for free simply by signing up for Credit Sesame or Civic. For full details, please see: Equifax Hack Rx: Free Identity Theft Insurance.
The AAA Alternative
As I’ve reported before, AAA offers free credit protection services to many members. Details vary by location. Some AAA members get nothing, but most can sign up for ProtectMyID Essential for free. Some members (such as those in some areas within California) get ProtectMyID Deluxe for free. Here’s a chart showing what’s covered (image taken from the AAA Michigan website; details may vary):
See this post for more details: Free Experian Credit Monitoring with AAA membership (for many).
Other Paid Alternatives
Plenty of companies offer identity theft protection services. Are they any good? Are they worth paying for? I have no idea. I’ve never looked into them. If you have experience, please comment below.
And, for the love of all that is good, please NEVER click through a pop-up on your computer that claims that you’ve been hacked and that they’ll protect you. I promise, they’ll do the opposite.
My wife and I are already covered for most of this stuff:
- Equifax credit report: We can get details from our Equifax reports whenever we want from CreditKarma and other free tools. We also request our annual free credit reports every now and then in order to have an electronic point-in-time copy that we can refer to.
- 3 Bureau credit file monitoring: We use Mint.com to monitor Equifax, CreditKarma for TransUnion, and ProtectMyID (free from AAA) for Experian.
- Equifax Credit Report Lock: I don’t really want to lock our reports. This would make new credit card signups more difficult. Instead I’ll rely on monitoring.
- Social Security Number Monitoring: My wife and I have Discover cards, so we’re covered.
- $1M Identity Theft Insurance: I signed us up for Civic, so we’re good to go.
Overall, I feel good about our coverage. So, with respect to Equifax’s TrustedID Premier, I’m going to wait before signing up. I’d like to see what internet security experts have to say about the service and what Alex Bachuwa and other legal experts have to say about the arbitration clause.
What do you think? What will you do? Comment below.