Naked Security

Equifax mea-culpas with free credit “locks” forever

They'll be easy to lock and unlock... and they don't exist yet

Equifax’s mea-culpa-ing by offering free credit locks for life starting on 31 January.

These are not credit freezes, mind you. No, Equifax is giving away credit padlocks that it says are a new service.

We don’t know much about the credit locks outside of what Equifax’s new interim CEO, Paulino do Rego Barros Jr., said in an editorial published by the Wall Street Journal on Wednesday, the day after he was appointed.

Barros got his new gig the same day that Equifax’s previous CEO, Richard Smith, washed his hands and walked away from the embarrassing mess. That is, Smith washed his hands, but he didn’t wash off the $18 million pension he took with him after his 12-year tenure.

Barros said the credit locks will be easy for consumers to lock and unlock, unlike credit freezes, which require PINs (yes, those PINs) to unlock … and which stop thieves dead in their tracks … and which cost the credit bureaus money they’d otherwise make by banks, credit card companies, cell phone companies or the like pulling customers’ credit reports, as the New York Times explains.

The data monger has a lot to mea culpa about. The credit lock freebie-4-ever comes three weeks after Equifax’s breach affected about half of everybody in the US, 400,000 in the UK and 100,000 in Canada.

…mind you, it was a breach that was enabled by a critical RCE (Remote Code Execution) flaw for which patches had been available for two months before the mid-May attack.

Equifax has been pratfalling ever since, as Barros is well aware.

As ZDNet’s Zack Whittaker reported, an XSS (cross-site scripting) vulnerability was found in Equifax’s fraud alerts website—a flaw that could be used in phishing emails to trick consumers into turning over personal data.

And there was that leaky customer portal in Argentina – username ‘admin’, password ‘admin’.

It just kept getting more and more pratfally: There were the woeful PINs that put frozen credit files at risk, and then too there was Equifax’s not-so-neat party trick of ditching its tried, trusted equifax.com domain and instead putting its breach info site onto the easy to typosquat and bafflingly convoluted domain equifaxsecurity2017.com … a convoluted domain name which it proceeded to scramble at least 3 times, sending customers to a fake phishing site for weeks.

Beyond the pile of cyber D’oh!, there were insufficient, underprepared operators at the call centres, leaving alarmed customers facing delays and agents who couldn’t answer questions.

There’s no excuse for any of it, Barros said in his editorial. The company is adding agents and getting them trained, and he’s getting a daily update on the situation.

As well, Equifax is going to fix that problematic site of theirs. If it can’t fix it, it’s going to build a new one from scratch, Barros said. It’s also extending the window to sign up for free credit freezes and its TrustedID Premier credit monitoring service, both of which you can sign up for through the end of January.

I’m sure Equifax is sincerely sorry about this mess. But here’s the thing: given its track record, would you trust the company’s new credit lock service? From the NYT’s Ron Lieber:

This is the same company … that could not create a functioning website for people worried about whether thieves had stolen their Social Security numbers. People who have been trying to freeze their files have run into too many problems to name, and many of them do not yet have PINs. I’ve received hundreds of emails complaining about Equifax’s basic dysfunction.

Why does Equifax even need a new service? Why can’t it just give free credit freezes for life?

Lieber sent Equifax 18 questions that we still need answered, including:

Whether Equifax will force people to submit to mandatory arbitration or some other loss of privileges or rights in exchange for free locks for life. Or whether your name will end up on lists for various offers of credit. This is how TransUnion’s similar free service works, one that it’s been pushing hard at people who have come to its website looking for a credit freeze in the wake of the Equifax hack.

Good questions. As Mother Jones has noted, credit freezes or credit locks come with strings. TransUnion’s Disclaimers and Warranties suggest that in order to interact with the company at all, you have to absolve them of liability for anything that might happen to your data on their watch.

TransUnion, by the way, also has credit locks, and they’re definitely not free. When I tried to set one up, it looked like I was heading toward a $19.99/month credit monitoring bleed.

Will the free credit locks cause the other credit bureaus to follow suit? I’m not holding my breath. At any rate, I want my $5 back. I want all my $5 payments back: as a citizen of Massachusetts, that’s how much I had to fork over to TransUnion and to Experian to freeze my credit at those bureaus, all on account of Equifax’s pratfall. People in other states have had to shell out even more.

I called Equifax’s “We’re sorry, we’re sorry, we’ve got enough phone operators on hand now, we swear!” number to ask if Equifax had any intention of refunding customers the money we’ve had to fork over because of its breach.

Its trained operators might not have been trained to handle that one yet: the answer was a stammered “I haven’t heard of anything like that…”

No, I’m not surprised. Again, I’m not holding my breath on that one, either.


8 Comments

Another CEO departing with enough retirement money to live in considerable comfort–atop his prior actual salaried compensation, bonuses, et cetera–I was worried the poor guy wouldn’t make it on his own. *whew*

Yes the grass is always greener (and eighteen mil no doubt includes things not considered here) but I don’t suppose there’s much of a chance Equifax has another $143 million set aside for… unexpected cleanup.

Lisa, you missed the low-hanging fruit. Equifax has offered its TrustedID Premier (similar to LifeLock, offers 3-bureau credit report monitoring, Copies of your Equifax credit report, Ability to lock and unlock your Equifax credit file, Social security number monitoring, $1 million identity theft insurance) for a year.

I can’t change my SSAN, DOB, or DL in a year. It would be difficult to change my name and address. Therefore Equifax should offer the service for life. I’ve written the NC Attorney General to request this.

By the way, in 2005 the Attorney General, here in NC, negotiated the credit freeze price more effectively than there in MA. It’s free for unlimited locks and unlocks and PIN recoveries. “North Carolina consumers can get a free security freeze online under NC law. Identity theft victims who have filed a police report, their spouses, and consumers over the age of 62 can also get free security freezes by mail or phone.” per http://www.ncdoj.com/Consumer/Credit-and-Debt/2-4-3-1-1-Freeze-Your-Credit.aspx

You are absolutely right, they should offer the uber deluxe whipped-cream-on-top protection free for life. Here’s another thing I missed until I saw a Slashdotted Fortune article: The former CEO is actually walking away with something like $90 million in total. And finally, you North Carolinians are much savvier negotiators, obviously. I mean, $5 isn’t going to bankrupt me (albeit there are plenty of people for whom the cumulative charges are a burden, given their low income). It’s more the principle of the thing, as in, damn, Equifax, you’ve got chutzpah, charging me to protect the information you’ve mishandled in so many ways.

I see their CIO and the person in charge of security both retired. At least that’s the word the article used. I can’t see anyone wanting to hire them after this. I bet they both got golden parachutes though. Maybe we need laws that make it illegal to give any executive any money after a mess like this.

Don’t fall for credit “locks.” Equifax continues to try to make lemonade out of lemons – or in this case get their bread and butter from sales of your data to others (at about $1/credit check).

A “freeze” is the only way to legally bind a credit bureau from selling your data to whomever they want.

Sign up for free monitoring if you want but prevention is a must and that’s what a freeze does (at least from the big four CBs).

The adages “if it’s too good to be true” and “you get what you pay for” apply as always.

Let your congressional rep know you’re fed up and you expect regulations to protect your data. We should have the first say on who gets our data and for what purpose. We should not have our data taken from us for a ransom! That’s what the big corporations are doing to us right now without impunity. Pretty shameful.

Check out Brian Krebs’ blog for the latest details.

A KY couple only learned they had been hacked after they traded in their car for a new one. Thinking everything was fine until the title on their trade in was unable to be transferred to the dealership & to a new owner. How do you find out if you have been a victim of Equifax?

Perhaps it’s time for the Attorneys General to take these companies (all of them) out of business and for the government to step in and create a secure alternative. I know.. you’re thinking the *government* ???!!.. but this looks like an opportunity for blockchain technology.

I noticed the CFPB web site is still providing the screwed up Equifax web page link for people to see if they have been compromised…
