Well, the recent Equifax debacle has once again reminded us (because we seem to keep forgetting) that anything is hackable.
Of course, it’s particularly disturbing when the hackee is an entity that knows more about you than you do, including your unfortunate decision in 1982 to use a furniture store’s easy payment plan to purchase a waterbed, an act you’ve managed to push to the far back of your subconscious, but which nevertheless remains on your record in perpetuity.
The news media is no help. It’s in full panic mode, urgently advising consumers to sign up for fraud alerts, freeze their credit, change their passwords and carefully scan their credit card statements for mysterious charges.
I decided to sign up for Equifax’s fraud alert for the best possible reason: it was free. I waited, however, until the company removed its sneaky clause about not being able to sue, because I wanted to be sure I could get my piece of the inevitable class-action lawsuits. I frequently receive notices that I have won such suits, usually against companies who did something questionable regarding their stock offerings, even though I didn’t even know I owned stock in these companies because it was part of some mutual fund. Usually my share of the multi-million-dollar settlement is about $1.98. Sometimes, if the lawsuit was against a company that was misrepresenting their fees, my settlement amount is in the form of store coupons.
But getting back to Equifax, I registered for their fraud alert, which entailed providing much of the personal information they had previously protected to the best of their ability, and participating in some weird CAPTCHA puzzle game involving road signs. I was told they’d get back to me in a few days. They did, with this email:
Dear Mark Hallen,
It is time to take the final steps in enrolling in your free product, TrustedID Premier, by verifying your identity. To do this, you’ll need to answer some questions about yourself. Successfully completing this step will conclude your enrollment process and activate your product.
To verify your identity and activate your product, please click the link below:
Hah! I knew better than to click a link in an email. This email could be a phishing scam from people who had hacked Equifax’s database of people who had signed up for their fraud alert. So I got to where I needed to be by circuitous means, provided the last four digits of my Social Security number and my date of birth, and clicked “Continue.”
I called the phone number in the email and was surprised when it was quickly answered by a real, English-speaking person. “We’re sorry about that,” she said. “Our servers are overloaded, what with everyone trying to protect their identities because we didn’t protect their identities.”
Well, maybe she didn’t use those exact words.
She told me to try again in a few hours, and, of course, I forgot. But when I woke up at 3 am to go to the bathroom, I had an e-pee-phany that this might be a good time to activate “my product.” So, once again I entered the last four digits of my Social Security number and my date of birth. But, when I used the pull-down list to get to the year of my birth (and I had to pull it down a long way), I accidentally clicked on the year before I was born, and got this message:
“We’re sorry. The information you provided doesn’t match our records. Please try again in 24 hours.”
Okay, well, first, if I’m an identity thief, what difference is the 24 hours going to make? Is that just to make me wait a day before I take another guess at the year? Second, what are the odds that a criminal knows my Social Security number and birthday, but hasn’t quite managed to get his hands on the year I was born?
And third, is this indicative of the advanced security measures usually in place at Equifax?
Let me leave you today with an idea that will make everybody’s personal data three times more secure: eliminate two of the three credit reporting agencies. I mean, think about it: why are three companies collecting and selling the same information? It just means there are three times the number of servers available to be hacked.
See you soon.