[conspire] Fwd: Equifax data theft - this is a big deal

Rick Moen rick at linuxmafia.com
Sun Sep 10 11:50:52 PDT 2017


Quoting Nick Moffitt (nick at zork.net):

> There have been a number of concerns with the site Equifax set up to
> deal with the compromise.
> 
> First of all, people noted that putting in last name "Test" and last
> six digits of SSN "123456" told them they were vulnerable.  I've seen
> a lot of "Smith 123456" and "Smith 000000" showing positive as well,
> but it does seem there are negative results.  Either way, giving six
> digits of SSN seems like more than I'd be willing to do over a Web
> site like this.
> 
> Second, even if you do accept that the result of the site is accurate,
> it encourages you to do two things:
> 
>     1: Purchase services from Equifax to "protect" you.  This is a crass
>        upsell.
>     2: Waive your right to join a class-action lawsuit against Equifax.
>        This is simply crass.

Equifax (and the two others, actually) remind me of a joke Mort Sahl
used to tell about President Nixon.  'Nixon is the kind of man who, if
he saw you drowning 30 feet from shore, would throw you a 20 foot
rope....   And then, Press Secretary Ziegler would go on television
saying "The President has met you more than half-way."'

After Equifax was widely slagged for this sleazy move (and it should be 
stressed that this is not a rare rights takeback among credit reporting
agencies (CRAs) or for that matter a variety of other businesses), it
made a small revision to the terms:  Persons accepting the 'free'
monitoring service may opt out of the mandatory arbitration requirement
that prevents joining class-action lawsuits, or filing one's own
lawsuit, by notifying Equifax within 30 days that you are opting out.
If accepting the 'free' monitoring, it would be an excellent idea to
send that letter.

FWIW, lawyers who've looked at those terms have opined that, at worst,
Equifax would not have been able to enjoin litigation over the breach,
only of any perceived inadequacies in the credit monitoring.

It may be of interest that the Federal Consumer Financial Protection
Bureau (CFPB) has passed a rulemaking prohibiting banks, credit card
issuers, and CRAs from imposing these sorts of mandatory arbitration
requirements on the public.  (One problem is that arbitration firms are
seldom neutral in their judgements.  For one thing, they know where
their money comes from.)  FWIW, the Republican majority in the US
Congress is currently attempting to pass legislation stripping that
authority from CFPB.

Please note that the 'free' credit monitoring service aspires to notify
you of subsequent catastrophe, but not do fsck-all about it.  You get no
help fixing credit problems, no counseling, no advice, no products, no
assistance of any kind.  (This is bluntly stated in the terms and
conditions.)  So, the 'free' report is barely more than nothing.

Here's my thoughts on the larger issue:

1.  Get your annual free credit reports, one each from Equifax,
Experian, and TransUnion.  https://www.annualcreditreport.com/
This would significantly help the current situation, but do it for its
general benefits.

2.  Use Equifax's https://www.equifaxsecurity2017.com/ lookup feature
('Potential Impact' button, bottom-left) to see whether Equifax claims
your data were disclosed in the data breach.  Yes, you do need to hand
Equifax the last four digits of your Social Security number, and the
Irony Fairy will soon smite everyone in this situation for expecting 
you to give even a tiny amount of trust to a CRA that's already shown
itself untrustworthy.  OTOH, it's not like they don't have your SSN
already.

3.  If you're listed as 'We think you've been adversely affected'
(paraphrased) in that database, consider the nuclear option:  Call each
of the three CRAs and have them put a credit freeze on your account.  
A credit freeze locks down access to your credit report, which
effectively prevents identity thieves from opening new accounts in your
name because most creditors need to see your credit report before they
approve a new account.  

Cost of this action per CRA is from $5 to $10, depending on where you
live.  It's $10 for Californians, except free to Californians age 60 and
over.  The freeze remains until you request its removal, which entails
a similar fee.  FAQ and further information:
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

(I commend Elise's friend Susan for her comments about this.  In
particular, I didn't know about the PIN feature.  Thanks!)

4.  Consider putting a fraud alert on your account at any one of the
three CRAs.  Doing one causes it to be done at the other two.  A fraud
alert expires after 90 days, and can be renewed arbitrarily many times.
The effect of a fraud alert is that credit issuers have a warning that
they ought to contact you directly before issuing new credit.
Information about fraud alerts:
https://www.consumer.ftc.gov/articles/0275-place-fraud-alert

5.  Watch your existing bank accounts and credit card statements
like a hawk that's just gotten LASIK.  In fact, use online access so you
catch such things even before the monthly statement gets cut.  In fact,
keep doing this starting now, and keep doing it.

Susan's idea of notifications for any notable transaction seems a wise
idea, too.

6.  If you want, sign up for the 'free' monitoring service (and opt out
of mandatory arbitration by sending a letter within 30 days).  It's weak
sauce, but slightly better than nothing.


But yes, Elise's friend isn't exaggerating.  People should wake up about
this, because many are likely to be hurt.  Maybe folks should just keep
renewing fraud alerts at the CRAs every 90 days.  It's really that
serious.




