Equifax’s mea-culpa-ing by offering free credit locks for life starting on 31 January.
These are not credit freezes, mind you. No, Equifax is giving away credit padlocks that it says are a new service.
We don’t know much about the credit locks outside of what Equifax’s new interim CEO, Paulino do Rego Barros Jr., said in an editorial published by the Wall Street Journal on Wednesday, the day after he was appointed.
Barros got his new gig the same day that Equifax’s previous CEO, Richard Smith, washed his hands and walked away from the embarrassing mess. That is, Smith washed his hands, but he didn’t wash off the $18 million pension he took with him after his 12 year tenure.
Barros said the credit locks will be easy for consumers to lock and unlock, unlike credit freezes, which require PINs (yes, those PINS) to unlock … and which stop thieves dead in their tracks … and which cost the credit bureaus money they’d otherwise make by banks, credit card companies, cell phone companies or the like pulling customers’ credit reports, as the New York Times explains.
The data monger has a lot to mea culpa about. The credit lock freebie-4-ever comes three weeks after Equifax’s breach affected about half of everybody in the US, 400,000 in the UK and 100,000 in Canada.
…mind you, it was a breach that was enabled by a critical RCE (Remote Code Execution) flaw for which patches had been available for two months before the mid-May attack.
Equifax has been pratfalling ever since, as Barros is well aware.
As ZDNet’s Zack Whittaker reported, a XSS (Cross-site scripting) vulnerability was found in Equifax’s fraud alerts website—a flaw that could be used in phishing emails to trick consumers into turning over personal data.
And there was that leaky customer portal in Argentina – username ‘admin’, password ‘admin’.
It just kept getting more and more pratfally: There were the woeful PINs that put frozen credit files at risk, and then too there was Equifax’s not-so-neat party trick of ditching its tried, trusted equifax.com
domain and instead putting its breach info site onto the easy to typosquat and bafflingly convoluted domain equifaxsecurity2017.com
… a convoluted domain name which it proceeded to scramble at least 3 times, sending customers to a fake phishing site for weeks.
Beyond the pile of cyber D’oh!, there were insufficient, underprepared operators at the call centres, leaving alarmed customers facing delays and agents who couldn’t answer questions.
There’s no excuse for any of it, Barros said in his editorial. The company is adding agents and getting them trained, and he’s getting a daily update on the situation.
As well, Equifax is going to fix that problematic site of theirs. If it can’t fix it, it’s going to build a new one from scratch, Barros said. It’s also extending the window to sign up for free credit freezes and its TrustedID Premier credit monitoring service, both of which you can sign up for through the end of January.
I’m sure Equifax is sincerely sorry about this mess. But here’s the thing: given its track record, would you trust the company’s new credit lock service? From the NYT’s Ron Lieber:
This is the same company … that could not create a functioning website for people worried about whether thieves had stolen their Social Security numbers. People who have been trying to freeze their files have run into too many problems to name, and many of them do not yet have PINs. I’ve received hundreds of emails complaining about Equifax’s basic dysfunction.
Why does Equifax even need a new service? Why can’t it just give free credit freezes for life?
Lieber sent Equifax 18 questions that we still need answered, including:
Whether Equifax will force people to submit to mandatory arbitration or some other loss of privileges or rights in exchange for free locks for life. Or whether your name will end up on lists for various offers of credit. This is how TransUnion’s similar free service works, one that it’s been pushing hard at people who have come to its website looking for a credit freeze in the wake of the Equifax hack.
Good questions. As Mother Jones has noted, credit freezes or credit locks come with strings. Transunion’s Disclaimers and Warranties suggest that in order to interact with the company at all, you have to absolve them of liability for anything that might happen to your data on their watch.
Transunion, by the way, also has credit locks, and they’re definitely not free. I tried to set one up, it looks like I was heading toward a $19.99/month credit monitoring bleed.
Will the free credit locks cause the other credit bureaus to follow suit? I’m not holding my breath. At any rate, I want my $5 back. I want all my $5 payments back: as a citizen of Massachusetts, that’s how much I had to fork over to Transunion and to Experian to freeze my credit at those bureaus, all on account of Equifax’s pratfall. People in other states have had to shell out even more.
I called Equifax’s “We’re sorry, we’re sorry, we’ve got enough phone operators on hand now, we swear!” number to ask if Equifax had any intention of refunding customers the money we’ve had to fork over because of its breach.
Its trained operators might not have been trained to handle that one yet: the answer was a stammered “I haven’t heard of anything like that…”
No, I’m not surprised. Again, I’m not holding my breath on that one, either.
from Naked Security http://ift.tt/2xGNqfr
0 comments:
Post a Comment