Las Vegas Review-Journal

After the Equifax breach: rage, crashed sites and new promises

- By Ron Lieber New York Times News Service

When Helene Muller-landau first heard the news about the Equifax security breach, she set about freezing her credit files and those of her husband and mother.

Very quickly, however, Muller-landau, a Smithsonia­n research scientist, noticed something strange: The personal identifica­tion numbers that Equifax was assigning her family members (to use for eventually lifting the freezes) were awfully similar.

At first, she thought it was a mistake. Maybe it had to do with the fact that she was in Panama, or that her web browsers were acting up. But no: The Equifax PINS are based on the date and time that you set up your freeze.

“The whole point of a 10-digit PIN is that it’s supposed to be hard to guess,” she said. “And then, they have this totally transparen­t algorithm for assigning them.”

This is among the worst of the facts that have emerged in the wake of the company’s announceme­nt on Thursday that thieves may have stolen up to 143 million Social Security numbers, dates of birth, names and addresses from its credit files. Armed with that informatio­n, thieves, blackmaile­rs and enemies can make a lot of mischief. A credit freeze can prevent thieves from using your informatio­n to open new accounts, since lenders want to see a credit report before doing business with you.

Since the breach, many readers sent me tales of outrage and woe. They could not believe that Equifax and the other credit reporting firms, Experian and Transunion, charge fees to freeze the credit files that they had not asked the companies to set up in the first place. Besides, isn’t keeping that informatio­n safe their most important job?

Neverthele­ss, consumers persisted. But when they pulled up the websites of Equifax, Experian and Transunion, they often found crashed sites (because everyone else was persisting, too) or requests from the companies to write in or call instead. (For a variety of reasons — some of them security-related — the bureaus sometimes refuse online requests for freezes. Just be glad you don’t have to make the request via registered mail as I did back in the old days).

Candy Sagon, in Reston, Va., had a typical experience. Equifax’s system worked fine. “Including the $10 charge they don’t deserve,” she said. But Experian’s site to set up an online freeze didn’t work at first, then kicked her to the snail mail option because she didn’t put in the amount of her monthly mortgage payment correctly when the site attempted to identify her. Then, Transunion’s phone system disconnect­ed her four times.

Dan Harrison, a Los Angeles media executive who is also an attorney, said he already had a credit freeze, one that he’d set up after a previous breach involving another company. When he heard about the Equifax breach, his immediate instinct was to contact Equifax to change his PINS. His logic was this: Why assume that those were safe, given the circumstan­ces?

But when he called the company, a representa­tive said that he did not even know what a PIN was and that there were no supervisor­s with whom Harrison could speak. The story changed once Harrison educated the Equifax representa­tive on basic freeze facts. A supervisor did exist, but the one who got on the phone with Harrison said that it was not possible to change the PIN. He would not answer additional questions, referring Harrison to the company’s breach site instead.

In an interview, Harrison said that he wouldn’t trust someone swearing on a stack of Bibles that his PIN numbers were safe. “They are going to have to change my PIN,” he said, adding that it is the safety net of last resort for him and every other person who has had their personal informatio­n stolen. “I’m going to force them.”

In an emailed statement, an Equifax spokesman, Wyatt Jefferies, said that no PINS had been compromise­d in the breach and that the company would soon be changing the PIN generation and reset request process.

“While we have confidence in the current system, we understand and appreciate that consumers have questions about how PINS are currently generated,” he wrote. “We are engaged in a process that will provide consumers a randomly generated PIN. We expect this change to be effective within 24 hours.”

Meanwhile, Harrison said he longed for a legislativ­e or regulatory solution, even if it means the sort of piecemeal, drip-by-drip state actions that have forced the credit bureaus to provide more informatio­n and protection to consumers.

A memo to state legislatur­es: Maybe start with giving everyone access to their credit reports whenever they want to see them, for free, at all three bureaus, as the Stanford professor Jeffrey Pfeffer suggested over the weekend in a Linkedin article. (Currently, you get only one free look at each report each year via annualcred­itreport.com.)

Then, we could require the bureaus to provide free, topof-the-line monitoring forever, including free freezes and thaws, whenever a breach occurs at one of their own websites.

Several readers also suggested that freezes simply become the default. Would Equifax fight such an effort? “This is a very complicate­d issue and we expect to engage with regulators and legislator­s on this topic in the future,” Jefferies wrote.

Credit should be hard to get, readers noted. That might also help reduce impulse buys at pushy retailers that hand over store cards with 29.9 percent interest rates, while pretending that the 10 percent off they give you for that day’s purchases somehow makes up for the usurious interest rates.

Even if any of these things happen — and I’m not holding my breath — it will take many months, at a minimum. In the meantime, we’re on our own, per usual, to protect ourselves.

So keep freezing your credit files. Keep crashing the company’s websites. Every freeze puts a stick in the spoke of the wheel of credit data that has spun far out of control for far too long.

 ?? MIKE STEWART / AP FILE (2012) ?? On Monday, Equifax said it has made changes to address customer complaints since it disclosed a week earlier that it exposed vital data on about 143 million Americans. Equifax, whose headquarte­rs in Atlanta are shown here in this 2012 photo, has come...
MIKE STEWART / AP FILE (2012) On Monday, Equifax said it has made changes to address customer complaints since it disclosed a week earlier that it exposed vital data on about 143 million Americans. Equifax, whose headquarte­rs in Atlanta are shown here in this 2012 photo, has come...

Newspapers in English

Newspapers from United States