Equifax, one of the "big three" credit monitoring bureaus, became the latest victim of a major data breach, in which cyber criminals gained access to names, Social Security numbers, birth dates and addresses for 143 million Americans, and credit card numbers for 209,000 especially unlucky folks. The Equifax mess follows in the wake of a string of high-profile hacks on companies like Yahoo!, Target and Home Depot.
By now we know the public relations drill. The humbled company issues an apology, promises to investigate and patch the security hole, and offers customers a year of free credit-monitoring services. So far, Equifax is sticking to the script, setting up a website in which consumers can get free access to Equifax's TrustedID Premier fraud-protection service, usually a paid subscription service.
But will an identity theft-protection service really do any good after a breach like this?
First, the irony. Equifax is promising to protect consumers when it just proved incapable of protecting consumers. To make it worse, you have to hand over all of your personal information (again) to sign up for TrustedID Premier, and some experts are questioning the security of the very website Equifax has set up to address the problem.
Security consultant and author Adam Shostack thinks that we absolutely should not trust Equifax. In fact, he's petitioned the U.S. Federal Trade Commission to force companies with data breaches give consumers a voucher for $50 or $100 so they can choose their own monitoring service, not just the service that "Equifax is foisting on people," says Shostack.
Then there's the bigger question of whether any of these fraud-monitoring services, TrustedID or otherwise, really protect consumers. Avivah Litan, a fraud analyst from Gartner Inc., told security blogger Brian Krebbs that these services are basically "PR vehicles." Sure, they will alert a consumer when a new credit account has been opened in their name — credit card, car loan, mortgage, etc. — but they don't automatically block the transaction or clean up the mess. Once a fraudulent account is opened, "the damage has been done," noted Litan.
He pointed out that there are plenty of ways that an ID thief can ruin your life that won't be detected by most credit-monitoring services — like stealing your tax refund, applying for government services with your Social Security number, or using your information to apply for a fake driver's license in your name.
Who Are Equifax's Customers?
The added complication with the Equifax hack is that while everyone with a credit record is technically an Equifax "customer," no one really is. Rahul Telang studies the economics of information security at Carnegie Mellon University. He says that Equifax and the other credit bureaus are data brokers that provide credit histories primarily for businesses and employers, not consumers.
"You deal with your retailer. You deal with your bank. You deal with your credit card company. But you don't deal directly with Equifax," says Telang. "You're not a 'Equifax customer.'"
In a recent study of 500,000 customers of a major U.S. bank, Telang found that customers who experienced some kind of account fraud were 1 to 3 percent more likely to leave the bank within six months of the event. While it's not a huge number, Telang says it's "economically significant" and represents the first hard data proving that consumers will take action if they lose trust in a financial institution.
But that's not going to happen with Equifax. Consumers can't punish Equifax for their lousy security by taking our business elsewhere. The big three credit monitoring bureaus — the other two are Experian and TransUnion — are going to keep tracking and storing our highly sensitive data whether we like it or not. That's their business model.
Protecting Yourself from Credit Fraud
So, what can you do to protect yourself if you don't trust Equifax to do it for you? Telang and others point out that most, if not all of the services offered by TrustedID and other fraud-monitoring services can be done for free by consumers themselves. Here's how:
- You can get a free credit report from all three credit bureaus every 12 months at annualcreditreport.com. Spread that out by requesting a report from a different bureau every four months.
- You can put a credit freeze on your Equifax, TransUnion or Experian credit reports, which blocks any new credit applications until you lift the freeze. Cost is usally free if you've been the victim of identity theft.
- You can sign up for a free 90-day fraud alert at any of the credit bureaus, which alerts you to all new credit applications (and you can renew the fraud alert as many times as you want).