Saturday, September 9, 2017

Freezing Your Credit Reports

As a follow-up to my previous post, I wanted to report on my experience freezing my own credit reports with all three agencies.  It was somewhat frightening.

  • For Equifax, the process was quite easy.  Too easy, in fact.  The problem is, the only identifying information they asked me for was my name, birth date, address and SSN.  In other words, the exact information they lost to the hackers.  So there is a distinct possibility that a hacker could put a freeze on your Equifax report, and you would have no way of removing it.  Worse yet, the hacker will then possess the PIN necessary to temporarily lift the freeze, meaning that they could get credit in your name, but you couldn't.
  • My experience at TransUnion was somewhat better, in that they asked me a series of questions that the hacker likely doesn't have the answer to.  The problem there is that I must have answered one of the questions wrong, because the web site instructed me to call a number.  I expected I would need to talk to a human to prove my identity, but no.  Instead, I simply entered by phone a bunch of the same data the hacker already has.  So, like with Equifax, the hacker could have gotten in ahead of me to freeze my account and get my PIN.  I suppose it's possible that TransUnion was able to verify my identity by recognizing my phone number, but it was still a bit unsettling.
  • Finally, Experian gave me the warm fuzzies.  Like with TransUnion, they asked me a bunch of questions a hacker likely would not know the answer to, and this time, the freeze went into place without a hitch.
  • Update: Apparently there is a fourth, smaller credit agency called Innovis.  As with Equifax, the only information I had to provide is information that the hackers have already stolen.  On the plus side, they didn't charge me anything.  They also did not immediately provide me with a PIN to lift/remove the freeze, but are apparently sending it to me via snail mail.
  • Update: And there's another agency, called ChexSystems, which is similar to the credit agencies, but for banks.  Like Innovis, placing the security freeze was free, and my PIN will be sent to me via snail mail.

So now my credit reports are frozen with all five agencies, and only I can unfreeze them.  The three big agencies gave me a PIN I will need to provide to temporarily lift or completely remove the freeze, and PINs for the smaller two agencies are on their way.  According to the FTC, the freeze will remain in effect forever, until I temporarily lift or remove it.

As noted earlier, this is not a complete solution to potential identity theft, whether it results from Equifax's screwup or from something else.  But it does make me feel a bit better about things, and it only cost a total of $15 (price will vary by state).

Update: Well, hell.  Shortly after I posted this, it was pointed out to me that the PIN Equifax generates for lifting/removing a credit freeze is basically just a date stamp.  This is effectively as bad as setting your password to 'password' or --- and I'm not making this up --- setting up an account where the username and password are both 'admin'.

I happen to work in the tech industry, and doing something this stupid on a production system is definitely grounds for termination.  For a whole company to do something like this is grounds for something much stronger.

But that's not the point.  The point is that if you set up a security freeze with Equifax before 9/12/2017, you may have a PIN which looks something like '0909171220' --- which corresponds to the timestamp '09/09/2017 at 12:20 PM'.  If that's the case, you need to go back to Equifax and request that a new PIN be generated and sent to you via snail mail.  Unfortunately, it appears that this cannot be done online.  To request a replacement PIN, you must do the following:

  1. Call Equifax at 1-866-349-5191.
  2. Press '5' to talk to an actual human person.
  3. Wait on hold for a while.
  4. Answer a bunch of questions to confirm your identity, during which time you are likely to be placed on hold several more times.

Needless to say, this is a drag, but it's almost certainly worth the effort.  And it seems that Equifax has finally received the hint that they need to take this stuff seriously --- I had to answer several very specific questions which a crook is highly unlikely to be able to answer correctly.  Indeed, I recommend that you make the call sitting in front of your computer, so that you can look up things such as the credit limits and balances on various accounts that you hold.

After going through all that, you should receive your new, secure PIN from Equifax within 5-10 business days --- and hopefully THEN, your information will be at least somewhat secure.
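
To check whether your own Equifax PIN fits the date-stamp pattern described above, and to see how little randomness such a PIN carries, here is a short script added as an illustration (it is not from Equifax or from the original post). The MMDDYYhhmm layout is inferred from the single sample '0909171220'; the 24-hour clock, the 20xx century, and the one-year window in the comparison are assumptions.

```python
import math
from datetime import datetime, timedelta

# Cutoff date taken from the post: freezes set up before 9/12/2017 may be affected.
CUTOFF = datetime(2017, 9, 12)


def decode_timestamp_pin(pin):
    """Return the datetime a PIN encodes as MMDDYYhhmm, or None if it does not decode.

    Assumptions: 24-hour clock and years in 20xx (the sample cannot confirm either).
    """
    if len(pin) != 10:
        return None
    try:
        mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, 10, 2))
        return datetime(2000 + yy, mm, dd, hh, mi)
    except ValueError:
        # Non-digit characters, month 13, February 30, hour 25, minute 61, ...
        return None


def is_weak_pin(pin, cutoff=CUTOFF):
    """True when the PIN decodes to a real moment before the cutoff."""
    ts = decode_timestamp_pin(pin)
    return ts is not None and ts < cutoff


def keyspace(window_start, window_end):
    """Count of distinct minute-resolution PINs in [window_start, window_end)."""
    return (window_end - window_start) // timedelta(minutes=1)


def entropy_bits(n):
    """Bits of uncertainty in a uniform choice among n values."""
    return math.log2(n)


if __name__ == "__main__":
    sample = "0909171220"  # the example PIN quoted in the post
    print(sample, "->", decode_timestamp_pin(sample), "weak:", is_weak_pin(sample))
    # Constructed comparison: freeze placed some time in the year before the cutoff.
    n = keyspace(CUTOFF.replace(year=2016), CUTOFF)
    print(f"timestamp PIN, one-year window: {n} values, {entropy_bits(n):.1f} bits")
    print(f"random 10-digit PIN: {10**10} values, {entropy_bits(10**10):.1f} bits")
```

If `is_weak_pin` returns True for your PIN, request a replacement by phone as described above.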
