Equifax, one of the "big three" credit monitoring bureaus, became the latest victim of a major data breach, in which cyber criminals gained access to names, Social Security numbers, birth dates and addresses for 143 million Americans, and credit card numbers for 209,000 especially unlucky folks. The Equifax mess follows in the wake of a string of high-profile hacks on companies like Yahoo!, Target and Home Depot.
By now we know the public relations drill. The humbled company issues an apology, promises to investigate and patch the security hole, and offers customers a year of free credit-monitoring services. So far, Equifax is sticking to the script, setting up a website in which consumers can get free access to Equifax's TrustedID Premier fraud-protection service, usually a paid subscription service.
But will an identity theft-protection service really do any good after a breach like this?
First, the irony. Equifax is promising to protect consumers when it just proved incapable of protecting consumers. To make it worse, you have to hand over all of your personal information (again) to sign up for TrustedID Premier, and some experts are questioning the security of the very website Equifax has set up to address the problem.
Security consultant and author Adam Shostack thinks that we absolutely should not trust Equifax. In fact, he's petitioned the U.S. Federal Trade Commission to force companies with data breaches to give consumers a voucher for $50 or $100 so they can choose their own monitoring service, not just the service that "Equifax is foisting on people," says Shostack.
Then there's the bigger question of whether any of these fraud-monitoring services, TrustedID or otherwise, really protect consumers. Avivah Litan, a fraud analyst from Gartner Inc., told security blogger Brian Krebs that these services are basically "PR vehicles." Sure, they will alert a consumer when a new credit account has been opened in their name — credit card, car loan, mortgage, etc. — but they don't automatically block the transaction or clean up the mess. Once a fraudulent account is opened, "the damage has been done," noted Litan.
He pointed out that there are plenty of ways that an ID thief can ruin your life that won't be detected by most credit-monitoring services — like stealing your tax refund, applying for government services with your Social Security number, or using your information to apply for a fake driver's license in your name.