Consumer Reports guide to the Equifax breach

BuyAndHoldOn
Posts: 77
Joined: Mon Mar 30, 2015 6:51 pm

Consumer Reports guide to the Equifax breach

Post by BuyAndHoldOn » Mon Sep 11, 2017 8:25 pm

This is the best set of suggestions I have found. Feel free to add more.

https://www.consumerreports.org/equifax ... ax-breach/

VictoriaF
Posts: 17491
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Consumer Reports guide to the Equifax breach

Post by VictoriaF » Mon Sep 11, 2017 8:29 pm

My go-to source on cyber security and cyber breaches is Brian Krebs. An hour ago he posted a new article answering most of the questions that came up in the past few days, https://krebsonsecurity.com/2017/09/the ... ould-know/

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

VictoriaF
Posts: 17491
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Consumer Reports guide to the Equifax breach

Post by VictoriaF » Mon Sep 11, 2017 8:37 pm

Here is another good article explaining how Credit Reporting Agencies (CRA) work and what to do if your credit has been misused:
http://www.kalzumeus.com/2017/09/09/ide ... t-reports/

The article is full of nontrivial advice if someone opens credit in your name and you discover it in your credit report:
Patrick McKenzie wrote:Never pay a penny of a debt which isn’t yours. Paying waives your legal rights, because the system assumes that nobody would pay something they didn’t actually owe.
Patrick McKenzie wrote:You should never call a CRA, ever. ... These days they have streamlined online applications for writing to them, but I suggest that you only send them paper letters.
Patrick McKenzie wrote:Retain copies of all correspondence with a bank or a CRA forever.
Patrick McKenzie wrote:[Banks'] CS department is scored on number of tickets resolved per hour, and each rep’s incentives are simply to classify you as something requiring no followup and get you off the phone.
...
Accordingly, anyone who sounds like a well-organized professional with a paper trail is a problem to be swiftly addressed.
Patrick McKenzie wrote:Micro-tip: I never phrase an initial letter with “I demand you…” because I’m a professional. Angry people demand; professionals “require.” If you’ve asked me to pay money that I don’t owe you, I “require” you to stop doing that.
Patrick McKenzie wrote:Be very clear about what you want. What you do not want is to give someone the excuse to read your letter and conclude that no further action is required or that a form letter trivially answers it. You want a specific set of actions, you want those actions to be confirmed to you in writing, and you want them done by a specific date.
...
"Please correct this tradeline and confirm this to me in writing within the timeframe specified by law. If you cannot correct this tradeline, provide me with your written justification for why your investigation concluded that this tradeline was accurate."
Patrick McKenzie wrote:If an account was opened without your knowledge and consent ... Resolve the ambiguity by immediately filing a police report.
...
You will have your first letter be to the bank and include a copy of your police report. It will be short and to the point: when you learned the account was opened, a clear statement that you did not open the account, and your requirement that they investigate and take appropriate action immediately.
Patrick McKenzie wrote:I got a call from a debt collector. “What is your address?” Get it then hang up. Never speak to debt collectors. Write the debt collector.
Patrick McKenzie wrote:My per-incident resolution time was generally 2~3 letters (total cost: < $20 – I was sending “certified mail, return receipt requested”
Patrick McKenzie wrote:If you need help and can’t afford or locate an attorney, good choices are:
- Your state’s attorney general office (Google it)
- Your state’s consumer protection division (Google it)
- The FTC’s complaint division

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

nisiprius
Advisory Board
Posts: 34145
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Consumer Reports guide to the Equifax breach

Post by nisiprius » Tue Sep 12, 2017 6:43 am

Oh, for heaven's sake. This kind of thing drives me bananas:
Never click unsolicited, unexpected, or suspicious-looking links sent to you by email or text. They could download malware capable of spying on your phone or personal computer activity.
Right. "Ooh, this link looks suspicious, I think I'll click on it just to see what happens."
It was all very well to say ‘Drink me,’ but the wise little Alice was not going to do that in a hurry. ‘No, I’ll look first,’ she said, ‘and see whether it’s marked “poison” or not’; for she had read several nice little histories about children who had got burnt, and eaten up by wild beasts and other unpleasant things, all because they would not remember the simple rules their friends had taught them: such as, that a red-hot poker will burn you if you hold it too long; and that if you cut your finger very deeply with a knife, it usually bleeds; and she had never forgotten that, if you drink much from a bottle marked ‘poison,’ it is almost certain to disagree with you, sooner or later.

However, this bottle was not marked ‘poison,’ so Alice ventured to taste it.
The most "suspicious" thing I've responded to in the past few days was falling for Equifax's own suspicious activity. I did several dangerous things. First, I read a news story that told me "how to find out if you're affected" and simply clicked on the link provided in the story. Second, I failed to notice that the link in the story was not to equifax.com but to "equifaxsecurity2017.com", which is very suspicious--a lot of phishing and malware sites rely on URLs that look like they might belong to a big firm, but don't. Here's a harmless example: "vanguardsolutions.org" Third, I failed to notice that the web page that asked me to enter SIX (six!) digits of my Social Security number was not even an Equifax site at all.

Why did I do this? Because I was stressed, anxious, and eager to follow the newspaper's "good advice" quickly. The point is not whether or not "trustedidpremier.com" is a safe site or not; the point is that I personally broke all the safety rules, almost instantly and without thinking about it, when I was under only the mildest stress.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
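
The check nisiprius describes skipping, comparing the link's actual host against the domain already trusted, written out as an added example that is not part of any post in this thread. The trusted list (including vanguard.com as the genuine counterpart of the "harmless example") and the `.example.net` sample are assumptions; a "lookalike" result means only that the name borrows the brand without proving ownership, not that the site is malicious.

```python
from urllib.parse import urlsplit

# Assumption: domains the reader already trusts, mapped to the brand
# word a lookalike would borrow. Not an authoritative list.
TRUSTED = {"equifax.com": "equifax", "vanguard.com": "vanguard"}


def host_of(url):
    """Return the lower-cased hostname of a URL or bare domain, '' if none."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = parts.hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def classify(url, trusted=TRUSTED):
    """Classify a link by its host name alone.

    official  - the host is a trusted domain or one of its subdomains
    lookalike - the host contains a trusted brand word but is a
                different domain, so the name proves nothing
    unknown   - the host gives no hint of who operates it
    """
    host = host_of(url)
    if not host:
        return ("invalid", None)
    # Only an exact match or a dot-separated suffix counts as official.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    # The brand appearing anywhere else in the host is the pattern the
    # post warns about: it looks like the firm but is a separate domain.
    squeezed = host.replace("-", "")
    for domain, brand in trusted.items():
        if brand in squeezed:
            return ("lookalike", domain)
    return ("unknown", None)


if __name__ == "__main__":
    # Domains quoted in the thread, plus one constructed sample
    # (www.equifax.com.example.net) using a reserved example domain.
    samples = [
        "https://www.equifax.com/",
        "equifaxsecurity2017.com",
        "vanguardsolutions.org",
        "https://trustedidpremier.com/",
        "https://www.equifax.com.example.net/check",
    ]
    for s in samples:
        print(f"{s:45} {classify(s)}")
```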

JPH
Posts: 659
Joined: Mon Jun 27, 2011 8:56 pm

Re: Consumer Reports guide to the Equifax breach

Post by JPH » Tue Sep 12, 2017 7:13 am

VictoriaF wrote:
Mon Sep 11, 2017 8:29 pm
My go-to source on cyber security and cyber breaches is Brian Krebs. An hour ago he posted a new article answering most of the questions that came up in the past few days, https://krebsonsecurity.com/2017/09/the ... ould-know/

Victoria
I've often wondered if links posted on Bogleheads are checked out in any way before the post is activated. Is any checking done? I usually just click on those without much doubt.
While the moments do summersaults into eternity | Cling to their coattails and beg them to stay - Townes Van Zandt

Ervin
Posts: 141
Joined: Sun Apr 27, 2014 7:59 am

Re: Consumer Reports guide to the Equifax breach

Post by Ervin » Tue Sep 12, 2017 7:31 am

VictoriaF wrote:
Mon Sep 11, 2017 8:29 pm
My go-to source on cyber security and cyber breaches is Brian Krebs. An hour ago he posted a new article answering most of the questions that came up in the past few days, https://krebsonsecurity.com/2017/09/the ... ould-know/

Victoria
+1. When it's about information security, Krebs is the real deal.

VictoriaF
Posts: 17491
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Consumer Reports guide to the Equifax breach

Post by VictoriaF » Tue Sep 12, 2017 8:31 am

JPH wrote:
Tue Sep 12, 2017 7:13 am
VictoriaF wrote:
Mon Sep 11, 2017 8:29 pm
My go-to source on cyber security and cyber breaches is Brian Krebs. An hour ago he posted a new article answering most of the questions that came up in the past few days, https://krebsonsecurity.com/2017/09/the ... ould-know/

Victoria
I've often wondered if links posted on Bogleheads are checked out in any way before the post is activated. Is any checking done? I usually just click on those without much doubt.
No, the Bogleheads site is not checking posts for the legitimacy of the included links. Before clicking, I check the URL. After I click, my browser flags potentially malicious sites.

I used to hide URLs to make my messages more readable, but recently I switched to posting URLs as a part of my message to make it easier for the others to visually examine it.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

nisiprius
Advisory Board
Posts: 34145
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Consumer Reports guide to the Equifax breach

Post by nisiprius » Tue Sep 12, 2017 9:49 am

VictoriaF wrote:
Mon Sep 11, 2017 8:37 pm
Here is another good article explaining how Credit Reporting Agencies (CRA) work and what to do if your credit has been misused:
http://www.kalzumeus.com/2017/09/09/ide ... t-reports/
That is a GREAT article, thank you so much for posting it. I have only one question about it: what does he mean by a "shoe?"
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

nisiprius
Advisory Board
Posts: 34145
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Consumer Reports guide to the Equifax breach

Post by nisiprius » Tue Sep 12, 2017 9:52 am

P.S. I found this interesting, in addition to the bits you quoted:
Do not use the following advice to correct a problem with an account which is factually yours. If someone has stolen your credit card number and used it to buy things, you should not send letters. Just call your bank; they’ll take care of it. For reasons beyond the scope of this post, that is a really well-understood scenario that banks are very customer-friendly about. The only thing we’re talking about here is accounts / debts which were never yours.

Was an account opened in your name without your consent? Great, you’re in the right place....
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

VictoriaF
Posts: 17491
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Consumer Reports guide to the Equifax breach

Post by VictoriaF » Tue Sep 12, 2017 10:35 am

nisiprius wrote:
Tue Sep 12, 2017 9:49 am
VictoriaF wrote:
Mon Sep 11, 2017 8:37 pm
Here is another good article explaining how Credit Reporting Agencies (CRA) work and what to do if your credit has been misused:
http://www.kalzumeus.com/2017/09/09/ide ... t-reports/
That is a GREAT article, thank you so much for posting it. I have only one question about it: what does he mean by a "shoe?"
Early in the post, Patrick McKenzie points out that you are a product, not a customer, and quips that
Patrick McKenzie wrote:[CRAs] have very limited availability to help, for the same reason that the phone center for Walmart does not have anyone who can help a shoe.
Later he plays with this analogy.

I think this article, including recommended text of letters, is useful for many types of official correspondence, apart from the Equifax breach.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

azurekep
Posts: 947
Joined: Tue Jun 16, 2015 7:16 pm

Re: Consumer Reports guide to the Equifax breach

Post by azurekep » Tue Sep 12, 2017 11:45 am

VictoriaF wrote:
Tue Sep 12, 2017 8:31 am


I used to hide URLs to make my messages more readable, but recently I switched to posting URLs as a part of my message to make it easier for the others to visually examine it.

Victoria
I usually hide the link because I expect people to use their mouse to hover over the link. That will show the actual URL in the Status Bar of their browser window.

However, I realize several things:
  • Not everyone uses a mouse. Without a mouse, I'm not sure how one can "hover" over a link.
  • Browsers are becoming more minimalistic to save on screen real estate. In the process, they are hiding or eliminating the Status Bar at the bottom of the browser window. The status bar is where the URL typically/frequently shows up when the mouse is hovering over the link.
  • Many people browse using smart phones instead of PCs. Browser apps on smart phones create displays that are a lot different than browsers on computers. I'm not sure how easy it is to see the real link on a smart phone.
I think the trend towards hiding things in browsers is a bad one. Customizing the browser to bring back the Status Bar for those browsers that are hiding it can be a useful adjunct to browser security.

FWIW, I will probably still hide URLs in most cases since a lot of posts are unreadable otherwise. I myself skip posts that are dominated by a lot of unhidden URLs. It's really up to the reader to follow good security practices.

VictoriaF
Posts: 17491
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Consumer Reports guide to the Equifax breach

Post by VictoriaF » Tue Sep 12, 2017 11:50 am

azurekep wrote:
Tue Sep 12, 2017 11:45 am
FWIW, I will probably still hide URLs in most cases since a lot of posts are unreadable otherwise. I myself skip posts that are dominated by a lot of unhidden URLs. It's really up to the reader to follow good security practices.
I can't speak about other people, but I try to make my posts readable even with explicit URLs. For example, I don't put them in the middle of long paragraphs. I will consider putting URLs on their separate dedicated lines to make them stand out.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

wrongfunds
Posts: 830
Joined: Tue Dec 21, 2010 3:55 pm

Re: Consumer Reports guide to the Equifax breach

Post by wrongfunds » Tue Sep 12, 2017 11:59 am

nisiprius wrote:
Tue Sep 12, 2017 6:43 am
Oh, for heaven's sake. This kind of thing drives me bananas:
Never click unsolicited, unexpected, or suspicious-looking links sent to you by email or text. They could download malware capable of spying on your phone or personal computer activity.
Right. "Ooh, this link looks suspicious, I think I'll click on it just to see what happens."
It was all very well to say ‘Drink me,’ but the wise little Alice was not going to do that in a hurry. ‘No, I’ll look first,’ she said, ‘and see whether it’s marked “poison” or not’; for she had read several nice little histories about children who had got burnt, and eaten up by wild beasts and other unpleasant things, all because they would not remember the simple rules their friends had taught them: such as, that a red-hot poker will burn you if you hold it too long; and that if you cut your finger very deeply with a knife, it usually bleeds; and she had never forgotten that, if you drink much from a bottle marked ‘poison,’ it is almost certain to disagree with you, sooner or later.

However, this bottle was not marked ‘poison,’ so Alice ventured to taste it.
The most "suspicious" thing I've responded to in the past few days was falling for Equifax's own suspicious activity. I did several dangerous things. First, I read a news story that told me "how to find out if you're affected" and simply clicked on the link provided in the story. Second, I failed to notice that the link in the story was not to equifax.com but to "equifaxsecurity2017.com", which is very suspicious--a lot of phishing and malware sites rely on URLs that look like they might belong to a big firm, but don't. Here's a harmless example: "vanguardsolutions.org" Third, I failed to notice that the web page that asked me to enter SIX (six!) digits of my Social Security number was not even an Equifax site at all.

Why did I do this? Because I was stressed, anxious, and eager to follow the newspaper's "good advice" quickly. The point is not whether or not "trustedidpremier.com" is a safe site or not; the point is that I personally broke all the safety rules, almost instantly and without thinking about it, when I was under only the mildest stress.
If somebody like you could have been so easily duped, imagine how easily an average person would fall for such a trap. What I am most afraid of is the possibility of social engineering on customer service agents of the financial institutes where I have my accounts. They would get all the correct authentication information from the hacker and would not be in a position to determine if my identity was being spoofed on phone or online.

zaplunken
Posts: 854
Joined: Tue Jul 01, 2008 9:07 am

Re: Consumer Reports guide to the Equifax breach

Post by zaplunken » Tue Sep 12, 2017 4:41 pm

I would be hesitant to go to Equifax's site after this breach for anything (not that I did anyway), but when I saw the spelling of "their" check to see if you are a victim site, bells rang, red flags popped up. Forget their free credit monitoring; they didn't do such a good job protecting our data, why would you trust them to monitor for problems?

nisiprius
Advisory Board
Posts: 34145
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Consumer Reports guide to the Equifax breach

Post by nisiprius » Tue Sep 12, 2017 5:56 pm

WHOA!

Just out of curiosity I decided to check the domain ownership of equifaxsecurity2017.com and trustedidpremier.com just to verify that they really are Equifax sites. equifaxsecurity2017.com is, but this is what I got for trustedidpremier.com:

https://whois.icann.org/en/lookup?name= ... remier.com

Registrant Contact
Name: On behalf of trustedidpremier.com owner
Organization: Whois Privacy Service
Mailing Address: P.O. Box 81226, Seattle WA 98108-1226 US
Phone: +1.2065771368
Ext:
Fax:
Fax Ext:
Email:owner-541851@trustedidpremier.com.whoisprivacyservice.org



In short: you can't verify whether or not the site is actually Equifax, or whose site it is. I'm going to try emailing the owner at the address shown and ask who they are, and we will see what happens.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

TimeRunner
Posts: 1164
Joined: Sat Dec 29, 2012 9:23 pm

Re: Consumer Reports guide to the Equifax breach

Post by TimeRunner » Tue Sep 12, 2017 6:08 pm

nisiprius wrote:
Tue Sep 12, 2017 5:56 pm
WHOA!...
Part of last Friday's Brian Krebs' web post discussed the new website registration, see:
https://krebsonsecurity.com/2017/09/equ ... ster-fire/

This was the Krebs post prior to this Monday's post that Victoria referenced in her link upthread. In short, it's a real (but crappy) Equifax website.
One cannot enlighten the unconscious. | Endurance athletes are the Bogleheads of sports. | "I like people - I just don't want to be around 'em." - Russell Gordy

Duckie
Posts: 5082
Joined: Thu Mar 08, 2007 2:55 pm

Re: Consumer Reports guide to the Equifax breach

Post by Duckie » Tue Sep 12, 2017 7:09 pm

nisiprius wrote:Just out of curiosity I decided to check the domain ownership of equifaxsecurity2017.com and trustedidpremier.com just to verify that they really are Equifax sites.
<snip>
In short: you can't verify whether or not the site is actually Equifax, or whose site it is.
You can access both sites from https://www.equifax.com/. Currently on the home page a large clickable button takes you to equifaxsecurity2017 and from the very top of that page a red "click here" link takes you to trustedidpremier. They're legit.
