Game over for your credit
#41
Needs more Lemon Pledge
Here is what I want to know...
If I can make my credit account "frozen" and only unfreeze it when I need it checked, why in sweet Jesus's Jupiter is it not ALWAYS frozen by default and require my approval to run a check?
This should be the default, not some $5 add on service.
The following users liked this post:
Bearcat94 (09-14-2017)
#43
Here is what I want to know...
If I can make my credit account "frozen" and only unfreeze it when I need it checked, why in sweet Jesus's Jupiter is it not ALWAYS frozen by default and require my approval to run a check?
This should be the default, not some $5 add on service.
2) Frozen profiles make it harder for credit card issuers to pull up a list of credit worthy people and send them offers.
3) Frozen profiles make it harder/pain in the arse for businesses to operate. Say you're shopping for a new car. When your credit profile is unfrozen, the finance guy can within minutes pull up your credit score and find out if you're approved or not for a loan and at what rate. If your profile is frozen, it can take longer (days even) if you forgot to unfreeze it ahead of time. You'll then have to go home to find your unfreeze password (Damn, where did I put my password?), call up the credit agency and verify the release of your profile to the dealer. Then drive all the way back to the dealer for them to run a credit check, but only after they're done with the 5 buyers ahead of you.
4) Makes it harder for shoppers to open up lines of credit with (department) stores/retailers when they see a retailer running a special offer (Ex. Macy's offering 20% off with new Macy's charge account opening).
5) Same scenario as #3 and #4, but with credit card companies and banks. I'm sure you've seen credit card companies and banks offer deals where if you open a new credit card or check account with them, they'll give you X bonus points or a $200 or $500 sign up bonus after you meet a few spend or deposit requirements. Frozen profiles make it harder for people to churn credit cards by taking advantage of these offers.
6) Same scenario as above, but this time with a wireless provider. You want to get the new iPhone X or Samsung Galaxy Note 8 and the special offer that Best Buy is offering ($200 off or BOGO or free Gear 360 camera or free 128GB memory card and Fast Wireless Charging Convertible). They need to run a credit check to see if you qualify. But your profile is frozen.
TL;DR? Frozen profiles can lower credit loan volumes, hurting businesses, banks and the economy.
Last edited by AZuser; 09-14-2017 at 01:39 PM.
The following 2 users liked this post by AZuser:
Costco (09-14-2017),
stogie1020 (09-14-2017)
#45
Needs more Lemon Pledge
I appreciate the insight AZUser, but all of those reasons seem to only point to the need for a way for individuals to actively enable/disable access to my credit profile.
Give me an app that flips a switch for all three bureaus so when I am sitting in the finance office at a car dealership and they want to run my credit, I can say "hang on," flip the switch, let them pull credit and then flip it off again. No cell phone? Call an 800 number with an automated system, provide several authenticating factors and enable/disable at will.
If I can enroll in credit MONITORING in under 60 seconds on a web site, there is no reasonable explanation as to why I should not be able to enable and disable access to my credit profile via a web page in 60 seconds or less.
The following 2 users liked this post by stogie1020:
NBP04TL4ME (09-14-2017),
teh CL (09-20-2017)
#46
Maybe something like that can come out of all this if Congress does something about this mess. But I have a feeling that all the lobbyists for the financial industry would fight against something like this as it's not in their best interest.
Ultimately it's up to the credit agencies to develop that app that will allow us to easily freeze and unfreeze our profiles. Don't see them doing this.
#47
Team Owner
Thread Starter
When someone does a hard query on my credit history the credit agencies should send me a txt message asking if it's okay for them to release my report. There should be no reason for freezing.
Freezing and credit monitoring is just some BS they set up to make money.
Last edited by doopstr; 09-14-2017 at 05:36 PM.
The following users liked this post:
stogie1020 (09-14-2017)
#48
- Equifax is offering free credit freeze until November 21. If you can get their site to work. They told me to try again later because too many people trying to freeze their profiles.
- Transunion was free for me. Normally it's $10.
- Experian charged me $10. Maybe if enough people contact them, they'll drop and refund the fee considering what's going on.
The following users liked this post:
Rapture (09-16-2017)
#50
Racer
I appreciate the insight AZUser, but all of those reasons seem to only point to the need for a way for individuals to actively enable/disable access to my credit profile.
Give me an app that flips a switch for all three bureaus so when I am sitting in the finance office at a car dealership and they want to run my credit, I can say "hang on," flip the switch, let them pull credit and then flip it off again. No cell phone? Call an 800 number with an automated system, provide several authenticating factors and enable/disable at will.
If I can enroll in credit MONITORING in under 60 seconds on a web site, there is no reasonable explanation as to why I should not be able to enable and disable access to my credit profile via a web page in 60 seconds or less.
#51
Team Owner
Thread Starter
Equifax hired a music major as chief security officer and she has just retired - MarketWatch
CIO and CSO are out
http://www.marketwatch.com/story/2-top-equifax-execs-retire-in-wake-of-massive-data-breach-2017-09-15?siteid=yhoof2&yptr=yahoo
Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax’s international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax’s IT operation, will replace Mauldin.
Last edited by doopstr; 09-15-2017 at 07:25 PM.
#52
She must've realized she was in deep deep treble and quit. She heard the fat lady singing.
#53
We can now add almost 400,000 Britons to the 143 million American profiles that were accessed.
So now we're at close to 200 million compromised data profiles.
Equifax says almost 400,000 Britons hit in data breach - BBC News
Equifax says almost 400,000 Britons hit in data breach
Sep. 15, 2017
The UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers was accessed in the breach.
Last week, Equifax revealed details of the hack and said data on more than 143 million Americans was taken.
The US Federal Trade Commission is investigating how the data was stolen.
Information released when details of the breach were disclosed suggest that hackers got at Equifax's internal systems between mid-May and the end of July this year when the company discovered it had been penetrated.
In a statement, the UK office of Equifax said an internal investigation had shown that data on UK consumers was accessed during the hack.
It said data on Britons was being held in the US due to a "process failure" which meant that a limited amount of information was stored in North America between 2011 and 2016.
The information held included names, dates of birth, email addresses and telephone numbers. No addresses, passwords or financial data was involved.
Equifax said that because the data on UK citizens was limited it was "unlikely" that those affected would suffer identity theft.
It said it would contact those affected and offer them free ID protection services that would alert them to any attempt to carry out fraud with their details.
"We apologise for this failure to protect UK consumer data," said Patricio Remon, president at Equifax's UK office, in the statement.
"Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward," he added.
It said it was co-operating with the Financial Conduct Authority and the Information Commissioner's Office on their investigations.
#54
Senior Moderator
Originally Posted by RenoTL
One, and maybe more, of the Credit Card companies offers an app that lets you turn the card off/on at will. There is no reason something similar can't be done by the credit reporting agencies. We have the technology so let's use it. It's like returning a purchase bought with a CC. It takes days to see the credit back on to your account but the charge showed up almost instantly.
#55
Here's a good blog post about what to do now that your info is out in the wild.
https://medium.com/@trevin/equifax-data-breach-what-to-do-to-protect-yourself-e46a1f46499f
I didn't even know there were more than 3 credit agencies. I read elsewhere it was like $10 for each freeze. Jeez. $50 for someone else's fuckups.
#57
Just found out I've been Equifvcked. Got a letter saying my Goldman Sachs account has been overdrawn by almost $10K. The thing is I've never opened a GS account. Ever. That means someone got a hold of all my info to open bank accounts and a credit freeze will do nothing to stop them.
Their fraud dept said to contact Chex Systems ( https://www.chexsystems.com ) to get a report to see if any other bank accounts have been opened. Lame that report isn't provided instantly, but rather is mailed to you (takes 5 business days)
You guys/gals may want to do the same. You can also place a security alert with them (90 days or 7 years). I'm going to have to do the 7 years (requires mailing them a notarized affidavit).
What to do if your identity has been stolen
- Contact the fraud departments of the three major credit bureaus. Select the following link for Credit Bureau Contact Information.
- Place a security alert on your ChexSystems consumer file.
- Contact all financial institutions where you have accounts that an identity thief has taken over or that were created in your name but without your knowledge.
- Cancel those accounts, place stop-payment orders on any outstanding checks that may not have cleared, and change your Automated Teller Machine (ATM) card, account and personal identification number.
- File a police report and get a copy of the report to be used if need to show proof of the crime.
- Contact the Federal Trade Commission (FTC) to file a complaint.
- Access the FTC’s ID Theft website
- Call toll-free at 877.IDTheft (877.438.4338)
- TDD at 202.326.2502
- Send mail to Consumer Response Center, FTC, 600 Pennsylvania Avenue, N.W., Washington, DC 20580
- You may also want to contact the US Postal Inspection Service at U.S. Postal Inspector Service or the Social Security Administration at 800.629.0271.
Last edited by AZuser; 09-18-2017 at 03:27 PM.
#58
Team Owner
Thread Starter
You need to be careful with these letters. Make sure they are legit, a lot of scams going around.
I covered my short today.
#59
I froze everything yesterday. Cost a total of $10 (to Experian). Transunion had some sort of profile you could create on their site where you could "lock" and "unlock" your credit file whenever you wanted. It was free, so I went that route. I think the other two should have something like that, but then you know, people and sad passwords.
#60
GS account was opened on 8/30. If Equifax had reported the breach in a timely manner (back in July), maybe this wouldn't have happened because I would have placed fraud alerts on and frozen everything.
#61
Team Owner
Thread Starter
https://www.cnbc.com/2017/09/18/equi...ent-march.html
Equifax acknowledges a second security 'incident' happened in March
- Equifax got hacked at least twice this year.
- The company retained FireEye-owned Mandiant to investigate both breaches.
#63
Needs more Lemon Pledge
Filled out the "free one year monitoring" application on Equifax website late last week. Site said "you will receive confirmation email in a 'few days'"... No email yet.
#65
Race Director
You can now go through Equifax to freeze your credit for FREE and if you already paid them last week, they will refund your money:
https://www.equifaxsecurity2017.com/...e-consumers-3/
They give you a 10-digit PIN which you will have to use to "unfreeze".
Edit: And so far, they are claiming that I'm not affected....
Last edited by nfnsquared; 09-19-2017 at 01:22 PM.
#66
Another thing for me to worry about. Thanks Equifvck.
https://www.cnbc.com/2017/09/18/your...x-returns.html
Your next worry after the Equifax breach: Fake tax returns
- Tax-related identity theft is one of the IRS "Dirty Dozen" top tax scams.
- Victims of the Equifax breach may not qualify for IRS ID-theft precautions like an identity protecting PIN.
- Getting organized now can help you file your return earlier next year.
Sep. 19, 2017
After the Equifax data breach, year-end tax planning may be even more important.
Social Security numbers were among the data exposed in the Equifax hack, which affects up to 143 million people. Immediate to-dos have focused on fraud alerts, credit freezes and monitoring to curtail thieves' ability to open new accounts in victims' names. But experts say consumers should also start thinking ahead to tax season — when criminals could potentially use those stolen Social Security numbers to file fraudulent tax returns and snare refunds.
Having a credit freeze or other monitoring in place doesn't prevent tax-related identity theft, which is among the top scams on the IRS "Dirty Dozen" list. The agency estimates that during the first nine months of 2016, beefed up safeguards helped it stop 787,000 fraudulent returns totaling more than $4 billion — but it still paid out $239 million in "suspect" refunds.
It's still unclear what impact the Equifax breach could have on the 2018 filing season.
"The IRS continues to review and assess this serious situation to determine necessary next steps," an IRS spokesman said to CNBC in an e-mailed statement.
So what can you do?
First, some bad news. IRS protections currently in place — filing an identity-theft affidavit or obtaining a filing PIN (more on that, below) — are specifically for victims of tax-related identity theft. Having your Social Security number exposed in a data breach isn't enough. As the IRS notes in its taxpayer resource, "not every data breach results in identity theft, and not every identity theft is tax-related identity theft."
But there are still some steps you can take to mitigate the risks ahead of tax time:
Prepare to file early
"Our motto is, file first and beat the crooks," Velasquez said. "It does have an impact. You are not giving them an open window."
"File early" doesn't mean rush to file (and risk underreporting income or having to file an amended return later), Gagnon said. Some taxpayers can't file right at the start of the season — investment 1099s for dividends and interest can show up in mid-February, and taxpayers with partnership income may still be waiting for their K-1s for last season's returns, he said.
The prep you can do is more about getting organized so that you're ready to go ASAP:
- Review your most recent tax return. That can provide a good framework for this year, in terms of deductible expenses to tally and official documents (W-2s, 1099s, etc.) to expect, Gagnon said. Note any changes, say, if you switched jobs, or opened a new investment account.
- Make a list of key documents you'll need, so you can check them off as they arrive and see at a glance what you are still waiting on. Be proactive about calling or emailing to track down a late document, he said.
- If you have moved this year, reach out to any of the employers, financial institutions and other entities sending you key forms, to make sure they have your current mailing address and contact information, he said.
- Start gathering receipts and records for potentially deductible expenses, like charitable donations or business expenses.
- Monitor online accounts, Gagnon said. Some entities only make tax documents available online, rather than mailing a copy; others offer online access well before they send paper copies in the mail.
Monitor your tax record
The IRS offers online access that lets taxpayers see details of their tax account, said certified public accountant Andy Mattson, tax partner at Moss Adams in Campbell, California.
"It's a good way to monitor your account, if you're concerned about it," he said. You'd be able to see if someone files a return in your name and take action more quickly.
But signing up is no easy feat. The IRS requires a slew of personal information, and the process is so stringent that less than half of those who try to register actually succeed, Mattson said.
Adjust your withholding
If you're a victim of tax-related identity theft, untangling the problem can take months, said Velasquez — who described the time frame as "wildly inconsistent." That's a tougher wait if you were anticipating a refund windfall. (The average this year was $2,769, according to IRS filing statistics.)
"[Tax-related identity theft] has less of a day-to-day impact for folks who aren't relying on, waiting on or counting on a refund," she said.
Even if you're not a victim, safeguards put in place could delay your refund. In its 2016 report to Congress, the IRS National Taxpayer Advocate estimated that some filters used to detect fraudulent returns and identity theft had false positive rates exceeding 50 percent.
"These incorrect selections delayed approximately 1.2 million tax returns associated with about $9 billion in legitimate refunds for more than an additional 30 days on average," the IRS noted in the report.
Your best defensive move: Revisit your W-4, the form that tells your employer how much federal income tax to withhold from your paycheck, Gagnon said. Changing allocations can keep more in your paycheck now, and even out your tax bill.
"You want as little a refund as possible, so you're least exposed," he said. "It's better to wait for $100 to come in than $1,000."
But be careful with this strategy, Mattson said. It's not always easy to estimate tax liability, and you'll need to have cash set aside in case you end up owing at tax time.
"The cure might do more harm than the disease," he said. "People could end up owing money they weren't expecting to."
Consider a PIN
The IRS does offer so-called identity protecting PINs, or IP PINs, to prevent someone from filing a fraudulent return with your Social Security number. Participants get a new six-digit number each year, without which your e-filed return will be rejected and a paper return, significantly delayed.
"The PIN makes perfect sense," Mattson said. "But right now you can only get a PIN if you're a victim of tax identity theft, if someone files a return using your Social."
Currently, IRS guidelines only allow you to get an IP PIN if you filed last year's return with a home address in Florida, Georgia or Washington, D.C., where the government is running a pilot program. Or if the IRS invites you to apply — which, as Mattson points out, generally only happens if you have already been a victim of tax-related identity theft.
(Another point for would-be applicants: According to IRS documents, "If you've placed a credit security freeze with Equifax, you must contact Equifax to have the freeze temporarily removed to allow us to verify your identity.")
PIN protection isn't foolproof, Velasquez said. The IRS PIN system has itself been subject to cyberattacks, she said. Earlier this year, the Treasury inspector general for tax administration released a report noting inconsistencies in IRS processes that left some victims without PINs.
Watch for fraud flags
Fraudulent tax returns aren't the only tax-time identity theft issue to keep an eye on. The IRS warns that receiving certain tax documents or IRS notices — like a CP2000 to verify unreported income or a 1099 from an employer you haven't worked for — can be a red flag for employment-related identity theft.
#67
Equifax's credit report monitoring site is also vulnerable to hacking - ZDNet
Equifax's credit report monitoring site is also vulnerable to hacking
The site has at least one vulnerability that allows a hacker to trick users into turning over sensitive data.
September 12, 2017
Equifax's site used to set up credit account monitoring in the wake of last week's security breach is also vulnerable to hackers, ZDNet has learned.
In the aftermath of the breach, the going recommendation has been to set up alerts and freezes on any and all credit accounts. Countless are thought to have flocked to the websites and the credit rating agency phone banks to protect themselves from hackers.
The problem is that Equifax's site used to set up alerts on individual's credit rating history can be easily spoofed, security researcher Martin Hall told ZDNet.
The site is used to request a 90-day fraud or active duty alert for credit report holders -- thought to be the majority of Americans.
But vulnerabilities in the site can allow hackers to siphon off personal information of anyone who visits.
The site is vulnerable to a cross-site scripting (XSS) attack, which lets an attacker run malicious code on a legitimate website or web application, such as Equifax's site.
In this case, a hacker can trick a user into loading the site from a malicious link, which prompts for the consumer's social security number and other personal information.
That data could be seen by a malicious actor as soon as the information is submitted.
Because the malicious code is included in Equifax's web address, the malicious prompt will be part of the Equifax domain. The browser thinks that the site is still secure, and displays the "lock" icon in the browser window. That also means that it's difficult to spot from a spam or phishing email because the code is loaded from Equifax's legitimate domain.
Anyone with knowledge of the code can use it in phishing emails to trick unaware consumers into turning over personal information to an attacker -- even though the link and the page appear to be Equifax's domain.
"I looked at the code and noticed that I could break out of the developers code into my own," said Hall. "This gives me full permission to change the page to say or load any content I want."
"Do you trust Equifax with your details? The problem is that post breach they are asking people to enter their personal details all over again while they still have many insecure sites and pages," he said.
Hall said that he reached out to Equifax's security team about several flaws across the company's site but didn't hear back.
Troy Hunt, a security expert who runs the data breach notification site Have I Been Pwned, told ZDNet that it was "alarming" that the flaw existed in the first place, but, "even more alarming that the researcher hasn't been able to get a response when attempting to report it."
Cross site scripting, he said, "enables an attacker to run their own arbitrary JavaScript in a victim's browser which gives them an enormous amount of control over how a vulnerable website behaves."
"They can rewrite the page, change where forms post data to (consequently grabbing any information entered into the page), load external content into the browser and even deliver malware to the victim," said Hunt.
At least one other XSS security issue has been found. It's not known if hackers are actively exploiting the website vulnerability.
Because the website is vulnerable, we can't recommend breach-affected consumers use the Equifax website to set up alerts or credit freezes for the time being until the security flaw is resolved.
An Equifax spokesperson did not return a call or email at the time of writing. If that changes, we'll update.
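The flaw class the article above describes, a value from the web address echoed into the page so that it escapes the markup the developer wrote, shown as an added example that is not part of the original post or of Equifax's code. The page layout, the `ref` parameter, `renderPage` and both sample values are assumptions constructed for illustration; the block renders the same page without and with per-context output encoding and checks whether the reflected value was able to add markup.

```javascript
// Added illustration, not Equifax's code: a hypothetical page that echoes a
// URL parameter ("ref", an invented name) into an attribute and an inline script.

// Constructed sample inputs. They only try to add a harmless marker heading.
const BASELINE = 'newsletter-2017';
const SAMPLE_ATTR_BREAKOUT = 'x"><h1 id="injected">injected heading</h1><input name="';
const SAMPLE_SCRIPT_BREAKOUT = '</script><h1 id="injected">injected heading</h1>';

// Encoder for HTML text and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal inside an inline <script>.
// JSON.stringify quotes and escapes the value; "<" is then written as \u003c
// so the text "</script>" can never terminate the script element.
function jsString(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// The vulnerable pattern: plain concatenation in both contexts.
const UNSAFE = { attr: (s) => String(s), js: (s) => '"' + s + '"' };
// The hardened pattern: one encoder per output context.
const SAFE = { attr: escapeHtml, js: jsString };

function renderPage(ref, enc) {
  return '<form action="/alert">' +
    '<input type="hidden" name="ref" value="' + enc.attr(ref) + '">' +
    '<button>Request alert</button></form>' +
    '<script>var ref = ' + enc.js(ref) + ';</script>';
}

// Crude structural probe: counts element start tags with a regex. A real test
// suite would use an HTML parser; this is enough to show the difference here.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// True when the reflected value changed the page's markup structure compared
// with a neutral value, i.e. the input was treated as markup rather than data.
function structureChanged(enc, value) {
  return countStartTags(renderPage(value, enc)) !==
         countStartTags(renderPage(BASELINE, enc));
}

for (const [name, enc] of [['unsafe', UNSAFE], ['safe', SAFE]]) {
  for (const sample of [SAMPLE_ATTR_BREAKOUT, SAMPLE_SCRIPT_BREAKOUT]) {
    console.log(name, JSON.stringify(sample), 'changes markup:', structureChanged(enc, sample));
  }
}
```

The same comparison works as a regression test for any page that reflects request data: render once with a neutral value and once with markup characters, and fail the build if the structure differs.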
#68
Race Director
Another thing for me to worry about. Thanks Equifvck.
https://www.cnbc.com/2017/09/18/your...x-returns.html
#69
Needs more Lemon Pledge
Your application probably never made it through. Data probably got siphoned and sent to hackers.
Equifax's credit report monitoring site is also vulnerable to hacking ZDNet
No update to story in over a week so that means no response from Equifax yet?
What an effing mess.
#70
The people working at/running this company are a joke.
https://www.cnbc.com/2017/09/20/equi...hing-site.html
Equifax tweets sent victims to phishing site
Published 1 Hour Ago
Put another check in the Equifax goof column.
As if consumers weren't already confused enough when they tried to find out if they were part of the credit reporting company's massive data breach, at least some of them were misdirected to a phishing website by Equifax itself, according to various published reports.
Over the last couple of weeks, tweets from the official Equifax account and signed by "Tim" directed a handful of Twitter users to a fake site instead of to the official Equifax site set up specifically to help concerned consumers, Equifaxsecurity2017.com.
The fake site used an address similar to the valid Equifax site. Instead of offering help, the site mocks Equifax for "using a domain that's so easily impersonated by phishing sites."
Equifax has since deleted the tweets.
"All posts using the wrong link have been taken down," a company spokesperson said. "We apologize for the confusion."
Equifax has said that the personal information of 143 million consumers was potentially compromised in the cyberattack revealed by the company Sept. 7.
The takeaway from all this: You need to triple check that you've landed on the right webpage.
- The company has since deleted the incorrect tweets.
- The mistake comes amid other misinformation or confusion among consumers
And more questionable trading activity...
House Finance Committee delves into unusual Equifax options trades: CNBC | Reuters
House Finance Committee delves into unusual Equifax options trades: CNBC
September 20, 2017
NEW YORK (Reuters) - The House Financial Services Committee is seeking information about certain Equifax Inc (EFX.N) options trades made weeks before the credit reporting company disclosed a data breach, according to a CNBC report on Wednesday.
Equifax options drew an unusually large trade less than three weeks before Sept. 7, when Equifax disclosed that personal details of as many as 143 million U.S. consumers were accessed by hackers between mid-May and July.
On Aug. 21, 2,500 put contracts betting on Equifax shares dipping below $135 by Sept. 15 traded for a total price of about $181,000.
By end of trading on Sept. 8, these puts were worth about $2.6 million, according to options analytics firm Trade Alert data.
Buying of put options conveys the right to sell shares at a fixed price in the future and indicates a bearish bias, while selling puts would imply a bullish outlook.
Options activity has been known to spike before the public announcement of information that moves stock prices, and the U.S. Securities and Exchange Commission has in the past announced enforcement action for alleged insider trading involving options.
A spokeswoman for the U.S. Securities and Exchange Commission declined to comment.
Last edited by AZuser; 09-20-2017 at 05:16 PM.
#71
https://krebsonsecurity.com/2017/09/...it-freeze-pin/
Experian Site Can Give Anyone Your Credit Freeze PIN
Sep. 17, 2017
An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.
The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).
After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!
The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.
What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.
“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).
The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.
In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze.
After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.
Here’s a sample of the KBA questions the site asked one reader:
1. Please select the city that you have previously resided in.
2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.
3. Which of the following people live or previously lived with you at the address you provided?
4. Please select the model year of the vehicle you purchased or leased prior to July 2017.
I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.
This is yet another example of how someone or some entity other than the credit bureaus needs to be put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.
Experian has not yet responded to requests for comment.
While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.
#72
Now to get rid of the board members.
Let's see what golden parachute he gets.
https://www.wsj.com/articles/equifax...ach-1506431571
Equifax CEO Richard Smith to Exit Following Massive Data Breach
Paulino do Rego Barros Jr. named interim leader as the board searches for a successor
Sept. 26, 2017 10:19 a.m. ET
Equifax Inc. said Chairman and Chief Executive Richard Smith will step aside and the embattled credit-reporting firm will begin a search for a replacement as it continues to grapple with the aftershocks of its massive hack.
Paulino do Rego Barros Jr., who was most recently Equifax’s president for the Asia-Pacific region, has been appointed interim CEO. He was one of a handful of senior executives that Mr. Smith had been grooming as a possible successor in recent years, according to people familiar with the matter. Current director, Mark Feidler, will serve as the nonexecutive chairman.
“The board remains deeply concerned about and totally focused on the cybersecurity incident. We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again,” Mr. Feidler said in the company’s statement.
“Speaking for everyone on the board, I sincerely apologize.” He added that the board has formed a special committee to focus on “the issues arising from the incident and to ensure that all appropriate actions are taken.”
Mr. Smith, who the board said would retire as of Tuesday, had been due to appear next week before two congressional committees. Mr. Smith is still expected to testify next week before the House Energy Committee, according to a person familiar with the matter. It isn’t clear if he will also appear before the Senate Banking Committee. Equifax said Mr. Smith will continue as an unpaid adviser to the company during the transition.
“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Mr. Smith said in a statement issued by the company. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”
Before the breach, Mr. Smith had told people he didn’t plan to leave the company for at least the next two years, according to a person familiar with the matter. Even after the hack disclosure, Mr. Smith shared that he didn’t want to leave the company until he had helped resolve the problem, the person added.
When Mr. Smith took over as CEO in 2005, Equifax was a staid, slow-growing credit-reporting company, according to remarks he made last month at an event. He set about to transform the company by expanding the amount of data it stored about consumers and monetizing it.
Mr. Smith did so by acquiring companies that had information about consumers’ employment histories, salaries and savings while also expanding internationally to places like Australia and India. The result was that by 2016, credit-reporting activities accounted for less than a third of revenue versus about 80% a decade earlier.
#73
Team Owner
Thread Starter
Golden parachute away!
#74
Needs more Lemon Pledge
I wish some of them got a golden shower instead....
#76
Needs more Lemon Pledge
#78
Senior Moderator
Shiet.. glad i don't eat there
#80
Senior Moderator
Ehh, they're just stealing Visa/MC/Amex's money, not mine
Just cancel and get a new number for the consumer.