Thank You for Calling Equifax. Your Business Is Not Important to Us

Credit monitoring in the U.S. is a nightmare. It only took a massive public data breach to make that clear.

You shouldn’t need to do a damn thing to keep your credit information safe.

We’re all accustomed to the busywork of managing personal finances. You check your 401(k) retirement account, making sure your portfolio is carefully balanced. You scan your bank and credit card statements from time to time to verify the charges. These are things responsible people do.

But there’s a good chance you’ve spent time recently on a chore you didn’t sign up for: finding out if hackers possibly stole information about you from Equifax Inc., one of the three big consumer-credit reporting companies in the U.S. On Sept. 7 it announced a data breach that may have put about 143 million people in the U.S. at risk, exposing names, addresses, birth dates, and Social Security numbers, details that could help identity thieves take out loans, apply for a credit card, or buy a new wardrobe in your name. (Equifax had no comment for this story.) The company has set up a web page where you can find out if you are potentially affected. If the answer is yes, you then have to decide what to do about it. Should you sign up for the free year of credit monitoring Equifax is offering? Set a fraud alert on your account? Activate something called a security freeze? Would any of these things really help?

Featured in Bloomberg Businessweek, Sept. 18, 2017.

What makes the situation especially awful is that you never had much choice about entering into a relationship with Equifax. “It’s not like when you get to choose your bank, or choose your credit card,” says Mike Litt, consumer program advocate at U.S. PIRG, a group that works for tougher consumer protection laws. No one specifically asked Equifax or its competitors, Experian Plc and TransUnion, to collect data about them. But unless you want to live off the financial grid, you have to accept that these companies you may know little about are keeping an eye on you and your reputation with creditors.

This setup isn’t just infuriating—it partly explains why the hacking of just one company can make so many people so vulnerable. Credit reporting businesses have been built primarily to serve banks and credit card companies, not the consumers they monitor. But just as a lender benefits from having quick access to credit reports and scores, which lets them grant credit to perfect strangers, so does the impostor who comes to them looking to open an account.

Consumers benefit from the credit reporting business, too: Maintaining a good profile makes it easy to get a loan or a card. You can apply in the time it takes to get a 20 percent discount at a Gap checkout counter. And lenders share consumers’ interest in not getting ripped off. But that doesn’t mean the risks they face are the same. To a lender, the unpaid bill on a fraudulent credit card is just one bad loan in a massive portfolio—a cost of doing business. You, on the other hand, have only one identity and reputation.

In the end the issue isn’t whether the financial-services industry cares about fraud. It’s really about control. Who ought to hold the keys to unlock your data, them or you?

Consider the security freeze, the most effective way for anyone anxious about the Equifax hack to protect themselves. If you contact a credit reporting company and request a freeze, which you can do at each of the companies’ websites, you’re telling it not to provide any information when a lender contacts it in the process of opening an account. That means if someone tries to use your name and Social Security number to get a fresh Mastercard, the application will probably be rejected, which prevents bogus plastic, and the resulting unpaid bills, from ending up on your report and damaging your credit. When you decide you’re in the market for a loan, you can contact the credit agency and lift the freeze. This approach amounts to grabbing the keys to your data and not giving them back.

It’s an elegant solution in theory, and one the credit reporting industry had to be dragged into. In the early 2000s, groups including U.S. PIRG, Consumers Union, and AARP lobbied state legislatures to mandate freezes. Eventually enough states passed laws that the three companies offered freezes nationally. What a freeze costs depends on state law. It’s usually free to victims of identity theft, while those who are simply being cautious might pay from $3 to $10 to set a freeze, and a similar fee when they lift it. On Sept. 12, Equifax temporarily waived freeze fees.

The charge accentuates the overall consumer unfriendliness of the process. You need to place a separate freeze with each of the credit reporting companies. (Although it was Equifax that was hacked, identity thieves might apply for credit at lenders using any of these services.) Then you get a PIN you’ll need to use—again, one for each company—when you want the freeze lifted. To put a freeze in place online, you’ll need to verify your identity by entering your Social Security number, which can be scary if you’re putting the freeze in place because you just found out your Social Security number could have been stolen. As the New York Times reported, people who set up freezes at Equifax immediately after the breach found that their PIN codes were made up of the date and time they put the freeze on—as opposed to random, unguessable numbers you’d want for a system meant to keep out crooks. (Equifax has since changed this.) Once a freeze is in place, you’ll have to remember where you stashed your PIN before you apply for a mortgage—or, for that matter, a job or rental apartment.

The credit reporting companies’ websites tend to push other security fixes that shut things down less drastically than a freeze. One is a fraud alert, which, instead of locking down your file, warns lenders that for the next 90 days they should take extra steps to verify the identity of anyone who claims to be you. And then there’s credit monitoring, a service that lets you see your credit report so you can spot potential problems. You may indeed see something: A 2012 study by the Federal Trade Commission found that about 20 percent of consumers who were asked to review their reports discovered an error that was fixed after they disputed it, and more than 10 percent found an error significant enough to affect their credit score. Monitoring also alerts you if an application has been placed for a new account in your name.

Equifax, Experian, and TransUnion have turned monitoring into a business, charging as much as $25 a month for “premium” services that include reports from all three companies. The price can also cover the ability to “lock” credit, which as the companies describe it sounds similar to the state-mandated freeze. (TransUnion has a free monitoring and lock service, which works only with its own reports.) After announcing the data breach, Equifax offered those affected a free year of its service. But does anyone really want to pay money to make sure bad information doesn’t get into these companies’ databases? You don’t pay extra at restaurants to keep rat poison out of the food. (Just to make this whole episode even more exasperating: As Bloomberg News reported on Sept. 14, the hackers exploited a software flaw that had been widely known since March, when the Apache Software Foundation provided a fix for it.) “They spend all this time developing products to sell to consumers instead of making their systems more accurate,” says Chi Chi Wu, a staff attorney at the National Consumer Law Center.

Wu says monitoring may be fine if it’s free, but she recommends freezes. By law, you can also request one free copy of your credit report per year from each company via annualcreditreport.com, and that’s worth doing, too. If 143 million people are exposed, Wu says, that would be about three-quarters of all the people who have credit reports. If everyone potentially affected were to request a freeze, it would be tantamount to the situation some consumer advocates would like to see: freezes as the default setting for credit files, with everyone’s credit data essentially off-limits unless the consumer says otherwise. As it stands, the hassles of freezes may make that solution less than appealing, but if it became the norm, companies would likely devise better ways to do it. For example, a free smartphone app might allow you to toggle on and off access to all three of your credit files. As Chris Jay Hoofnagle, who teaches privacy law at the University of California at Berkeley, has argued, such a shift could change the relationship between consumers and credit reporting companies. You wouldn’t be just another file they keep track of, but a person they need to work with and please.

There are technical challenges to making such systems secure, but surmounting them could produce residual benefits. If the credit industry began prioritizing the security of consumers’ credit files, it might also help to diminish the role of the Social Security number. Currently, the SSN is a key tool the financial system uses for both tracking and verifying consumers, and today it seems conspicuously low-tech. Whereas signing into Facebook on a new computer might require you to provide both a unique password and a one-time code sent via text to your phone, getting a new credit card might only entail giving your name, a few personal details, and a nine-digit number generated by a system that was set up to help administer old-age retirement benefits in 1936.

The SSN wasn’t built to promote security. Until 2011 it wasn’t even randomly generated but based in part on where you lived when it was issued. The number took on its supreme importance only gradually. In the 1930s it tidily solved a problem plaguing consumers—all those people out there with the same name. A history page on the Social Security website refers to a 1937 publication stating that “the Fred Smiths of New York City have had so much trouble being identified by their creditors, the courts, and even their friends, that they have joined together in forming the ‘Fred Smiths, Incorporated.’ ” In 1943, federal agencies were ordered to use the number as an identifier when setting up new record systems, but its use really took off in the 1960s, with the advent of computers. By 1973 government reports were warning that the SSN shouldn’t become a national identifier, but new regulations and legislation promoted its use in a wide array of sectors, including financial services.

For a long time, people were casual about sharing their numbers. Colleges used Social Security numbers as student IDs, while a manufacturer once included a sample Social Security card in wallets it sold at Woolworth’s—a replica of a company secretary’s actual card. But as the SSN has spread, the associated risks have grown. Once your SSN has been compromised, it’s a hard problem to fix, in part because so many systems rely on it. While you can get a new number in cases of identity theft or abuse or if you are a victim of domestic violence, it’s not a simple process. In the case of ID theft, you must provide evidence of the number’s misuse and how it’s causing you continued, significant harm.

The ultimate solution to the SSN problem may be neither a new kind of number nor a single magic password. “The answer is layers,” says Eva Velasquez, chief executive officer of the Identity Theft Resource Center, a nonprofit that helps consumers who’ve been hit by fraud. So in addition to SSNs, you might start to see more use of what are now standard internet security protocols, such as a combination of security questions and one-time security codes sent via email or text message. These systems might go hand in hand with something like a default freeze—at the same time you are applying for credit at the store, you might also be getting an alert that someone wants to look at your credit file, and you’d go through an authentication process on your phone.

But such measures get back to the basic tension in the system—extra steps can slow things down when you’re trying to buy that new $999 iPhone on a monthly installment plan. “When I talk to ID theft victims, they are more than willing to forgo some of the convenience,” says Velasquez. “Because they know what the aftereffect is. One of the few silver linings we can see when you have these large-scale data breaches is that it does bring it to the front of our national consciousness, and we start having conversations about what our priorities are when it comes to our identities and our data.”

Some of those conversations are happening in Washington now. As news of the Equifax breach hit, a committee in the House of Representatives was hearing testimony on a bill that would limit damages in some suits against credit reporting companies. The breach may slow the momentum on such bills and perhaps swing things the other way. At least six congressional committees are now examining Equifax.

What seems clear is that the problem has become too big for so much of the responsibility to lie with consumers. There’s too much data out there to steal—before this summer’s Equifax breach, there were thefts from Yahoo!, Home Depot, Target, and even the government. Sure, it’s a good idea to be careful with your SSN, and a better idea to put on a fraud alert or a security freeze. But what you really need is more control—by default—of how your data are used. —With Karen Weise and Elizabeth Dexheimer