If you received a notice from Equifax that your personal data has been hacked, you’ll want to read this first.  On September 7th, the large credit reporting agency announced that its servers had been hacked and as many as 143 million customer records may have been exposed.   That’s right, almost 50% of the entire U.S. population may have been exposed.  This is a biggie big data fail.  Or, as the company put it:

“The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. … Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information.”

So, in effect, to make up for the hassles to which you may be subjected, Equifax is offering a free one-year trial membership to TrustedID’s Premier service. Should you take Equifax up on its offer? The answer is: Probably not. First, most monitoring services, like TrustedID, only have the capability to inform you of an identity theft after it occurs. A better alternative may be a security freeze, which can prevent new account fraud before it happens. Monitoring does not actually stop the opening of new accounts. You will just find out about the fraudulent accounts sooner. Monitoring services may provide a false sense of security because there may be holes in coverage.

First off, it is possible (if not probable) that any email you receive from Equifax is actually a phishing (fake) email designed to steal your personal information.  It will likely look something like this:

Please know that Equifax will be contacting you by snail mail (pursuant to the law) and not by email.  So do not respond to any emails.

Second, even by signing up at Equifax’s website, you may be inadvertently giving up your legal rights to sue Equifax. Buried in the fine print (terms of use) at that site is an arbitration clause that would prohibit you from being part of a class action. This clause is probably illegal and it can be argued that it relates only to TrustedID, and not to Equifax. But still, did they really need to put in that bogus legal waiver? Really, Equifax? As of this writing, some 23 class-action lawsuits have been filed, so it’s sort of obvious why Equifax tried to sneak that language into the fine print.

If you go to Equifax’s website thinking that you’ll learn whether your personal records are at risk, think again. Equifax won’t give you an answer to that very important question. Instead, they ask you to input your last name and partial SSN, and if you do (against our recommendation), you’ll get a notice that looks like this:

This is just an invitation for you to open a membership with TrustedID — a credit monitoring service.  Equifax never actually tells you whether your records are at risk.   Essentially, they are using this news of a data breach to sign up AS MANY CONSUMERS AS POSSIBLE to this one-year deal, in the hopes that many of the consumers will automatically renew in future years.   To borrow a nonlegal term:  that’s slimy!

And it gets even worse.  According to Bob Rankin, the Equifax website was not even registered to Equifax until the afternoon of September 10. Its implementation of TLS encryption is flawed, so connections to it may not be secure. It’s running on the free version of WordPress blogging software, which is entirely unsuitable for enterprise-grade secure applications. Those are just the highlights; there are so many security flaws in the site that OpenDNS, the Cisco-owned domain name service, blocked access to EquifaxSecurity2017.com and warned it was a potential phishing scam. Indeed, the site looks very much like something a phishing scammer would put together.

Moreover, TrustedID is not a top-of-the-line identity restoration company. Its service doesn’t rank even close to PrivacyGuard, LifeLock, IDShield, or ProtectMyID. In fact, the reason Equifax is offering this “deal” is that Equifax OWNS TrustedID. TrustedID’s services are somewhat limited. The company does not offer financial account monitoring or financial, criminal, or tax identity recovery. Additionally, it is unclear whether or not TrustedID provides social security number monitoring, preexisting condition assistance, or limited power of attorney. Nor does it provide its customers with antivirus software to protect information on their personal computers. Once that 1-year deal expires, you have to pay the relatively high amount of $29.95/month, which can cover up to two adults and four children living in the same household. You get your three-bureau credit report and scores annually, plus unlimited updates to your Equifax credit score whenever a change is reported to a credit bureau. However, those who want to monitor all three of their credit scores on a regular basis should consider looking elsewhere. Many other credit monitoring services offer far better services at half that monthly price. So, Equifax is doing little more than giving you a one-year test of its high-priced, substandard identity protection service.

In fact, perhaps the best low-cost way of protecting yourself against a data hack is through a security freeze.   A security freeze locks your credit files at the three credit reporting agencies (Equifax, Experian, and TransUnion) until you unlock your file with a password or PIN. The freeze stops new accounts from being established by imposters because potential creditors are not able to check your credit report or credit score, the standard procedure when financial accounts are opened. Any potential creditors’ requests for access to your credit files will be denied. However, a security freeze cannot stop misuse of your existing bank or credit accounts. You still must check the monthly statements on your current accounts for any erroneous charges or debits. Generally, you will pay no more than $30 for a lifetime of security freeze protection. In some circumstances (identity theft victims and senior citizens in some states), this protection may be free.  Caveat:  with a security freeze, your credit reports cannot be seen by prospective creditors, insurance companies, landlords, utilities, or for employment screening. However, you may lift the freeze when necessary to allow a company to check your credit report. It can be cumbersome for individuals who frequently apply for credit, are contemplating a new mortgage, or who plan to change jobs.

Another free option is using a fraud alert. You are entitled to place a free fraud alert on your credit reports even if you have not yet become a victim of identity theft. You can do this by phone, online, or in writing. A fraud alert places a “red flag” on your credit reports, alerting potential creditors to take extra precautions before extending credit. Typically, creditors will call you to verify your identity before issuing any credit. The fraud alert will last for 90 days, but may be renewed on the 91st day for another 90 days. You can continue to renew a fraud alert indefinitely. An added benefit of a fraud alert is that it entitles you to free copies of your three credit reports each time the fraud alert is established. This is in addition to your right to your free annual credit reports. For more information, visit the official annual credit report website and read the Federal Trade Commission’s guide.

Some banks, credit unions, auto clubs, and other organizations offer free monitoring services with their credit cards or other services. Sometimes, they will use a free basic service as a marketing tool to “upsell” you to a fee-based premium service. Credit Karma offers free credit monitoring. Their service utilizes TransUnion, one of the three major credit reporting agencies. Credit Karma’s advertisers pay for the credit monitoring service. Consumers are not charged for the service and no credit card is required. You should be aware that the other two credit bureaus, Experian and Equifax, are not included in this service. (No endorsement implied.) You can also see both your TransUnion and Equifax credit reports and credit scores on this site at no charge. Credit Sesame also offers free credit monitoring. Their service utilizes Experian, one of the three major credit reporting agencies. Credit Sesame’s advertisers pay for the credit monitoring service. Consumers are not charged for the service and no credit card is required. You should be aware that the other two credit bureaus, TransUnion and Equifax, are not included in this service.

Our advice: Enrolling in an expensive credit monitoring service may actually increase your vulnerability to ID theft. The FTC alleged in its complaint against Lifelock back in 2013 that the company had failed (after five years!) to implement industry-standard security practices to protect the sensitive data that it collects from subscribers. It’s unlikely that Lifelock’s competitors do much better to protect customers’ data. We believe that if you received notice from Equifax about the data breach along with its offer of free ID-theft “protection,” you should turn it down. Do your own monitoring and be pro-active. Don’t give up your legal rights for a substandard and overpriced credit monitoring deal.