NEW YORK — When Helene Muller-Landau first heard the news about the Equifax security breach, she set about freezing her credit files and those of her husband and mother.
Very quickly, however, Muller-Landau, a Smithsonian research scientist, noticed something strange: The personal identification numbers that Equifax was assigning her family members (to use for eventually lifting the freezes) were awfully similar.
At first, she thought it was a mistake. Maybe it had to do with the fact that she was in Panama, or that her Web browsers were acting up. But no: The Equifax PINs are derived from the date and time that you set up your freeze, so anyone who knows roughly when a freeze was placed can narrow the "secret" down to a handful of guesses.
“The whole point of a 10-digit PIN is that it’s supposed to be hard to guess,” she said. “And then, they have this totally transparent algorithm for assigning them.”
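To make the weakness concrete, here is an added example (not code from Equifax or from the article) contrasting a timestamp-derived PIN with one drawn from a cryptographic random source. The exact digit layout used below (month, day, two-digit year, hour, minute) is an assumption for illustration; the article says only that the PIN is based on the date and time of the freeze. The point the example makes is that the weak scheme's guess space is the number of minutes in the window during which the freeze could have been placed, and that one family member's PIN reveals the others' almost exactly.

```python
import secrets
from datetime import datetime, timedelta

PIN_LENGTH = 10


def timestamp_pin(freeze_time: datetime) -> str:
    """Weak scheme: derive the PIN from when the freeze was set up.

    The MMDDYYHHmm layout is an assumption made for this example; the only
    thing the article states is that the PIN depends on the freeze date/time.
    """
    return freeze_time.strftime("%m%d%y%H%M")


def recover_freeze_time(pin: str) -> datetime:
    """Because the weak scheme is 'totally transparent', the PIN parses
    straight back into the minute the freeze was created."""
    return datetime.strptime(pin, "%m%d%y%H%M")


def candidate_pins(window_start: datetime, window_end: datetime) -> list[str]:
    """Every PIN the weak scheme could have issued inside a time window.

    An attacker who knows the freeze was placed, say, the afternoon the breach
    was announced only needs to try these, not all 10**10 values.
    """
    pins = []
    t = window_start.replace(second=0, microsecond=0)
    while t <= window_end:
        pins.append(timestamp_pin(t))
        t += timedelta(minutes=1)
    return pins


def guess_space_weak(window_start: datetime, window_end: datetime) -> int:
    """Number of guesses needed to exhaust the weak scheme over a window."""
    return len(candidate_pins(window_start, window_end))


def guess_space_random(length: int = PIN_LENGTH) -> int:
    """Number of guesses needed to exhaust a uniformly random PIN."""
    return 10 ** length


def random_pin(length: int = PIN_LENGTH) -> str:
    """Hardened scheme: every digit comes from the OS CSPRNG (secrets),
    so knowing when the freeze was placed tells an attacker nothing."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: a family freezes three files a few minutes apart.
    base = datetime(2017, 9, 8, 14, 32)
    family = [base + timedelta(minutes=m) for m in (0, 4, 9)]
    print("timestamp-derived PINs:", [timestamp_pin(t) for t in family])
    # Knowing only that the freezes happened in one afternoon:
    start, end = base.replace(hour=12, minute=0), base.replace(hour=18, minute=0)
    print("weak guess space over that afternoon:", guess_space_weak(start, end))
    print("random guess space:", guess_space_random())
    print("random PINs:", [random_pin() for _ in family])
```

Run as-is, the weak PINs for the three family members differ only in their last digits, and the whole afternoon collapses to a few hundred candidates, against ten billion for the random scheme. The hardened path is what Equifax's spokesman describes below as the fix: a PIN the server draws at random and stores, rather than one the clock hands out.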
This is among the worst of the facts that have emerged in the wake of the company’s announcement on Thursday that thieves may have stolen up to 143 million Social Security numbers, dates of birth, names, and addresses from its credit files. Armed with that information, thieves, blackmailers, and enemies can make a lot of mischief. A credit freeze can prevent thieves from using your information to open new accounts, since lenders want to see a credit report before doing business with you and a freeze stops the bureau from releasing it. It does nothing for accounts you already hold, which you still have to watch yourself.
On Saturday, many readers sent me tales of outrage and woe. They could not believe that Equifax and the other credit-reporting firms, Experian and TransUnion, charge fees to freeze the credit files that they had not asked the companies to set up in the first place. Besides, isn’t keeping that information safe their most important job?
Nevertheless, consumers persisted. But when they pulled up the websites of Equifax, Experian and TransUnion, they often found crashed sites (because everyone else was persisting, too) or requests from the companies to write in or call instead. (For a variety of reasons, some of them security-related, the bureaus sometimes refuse online requests for freezes. Just be glad you don’t have to make the request via registered mail, as I did back in the old days.)
Candy Sagon, in Reston, Va., had a typical experience. Equifax’s system worked fine. “Including the $10 charge they don’t deserve,” she said. But Experian’s site to set up an online freeze didn’t work at first, then kicked her to the snail mail option because she didn’t put in the amount of her monthly mortgage payment correctly when the site attempted to identify her. Then, TransUnion’s phone system disconnected her four times.
Dan Harrison, a Los Angeles media executive, said he already had a credit freeze, one he’d set up after a previous breach at another company. When he heard about Equifax’s, his instinct was to contact Equifax to change his PINs. His logic was this: Why assume that those were safe, given the circumstances?
But when he called, a representative did not know what a PIN was and said there were no supervisors with whom Harrison could speak. The story changed once Harrison educated the representative on basic facts. A supervisor did exist, but the one who got on the phone said it was not possible to change the PIN. He would not answer additional questions, referring Harrison to the company’s breach site instead.
On Saturday, Harrison said he wouldn’t trust someone swearing on a stack of bibles that his PINs were safe. “They are going to have to change my PIN,” he said, adding that it is the safety net of last resort for him and every other person who has had their personal information stolen. “I’m going to force them.”
Sunday afternoon, in an e-mail, an Equifax spokesman, Wyatt Jefferies, said that no PINs had been compromised in the breach and that the company would soon be changing the PIN generation and reset request process.
“While we have confidence in the current system, we understand and appreciate that consumers have questions about how PINs are currently generated,” he wrote. “We are engaged in a process that will provide consumers a randomly generated PIN. We expect this change to be effective within 24 hours.”
Meanwhile, Harrison said he longed for a legislative or regulatory solution, even if it means the sort of piecemeal, drip-by-drip state actions that have forced the credit bureaus to provide more information and protection to consumers.
A memo to state legislatures: Maybe start with giving everyone access to their credit reports whenever they want to see them, for free, at all three bureaus, as the Stanford professor Jeffrey Pfeffer suggested over the weekend in a LinkedIn article. (Currently, you get only one free look at each report each year via annualcreditreport.com.)
Then, we could require the bureaus to provide free, top-of-the-line monitoring forever, including free freezes and thaws, whenever a breach occurs at one of their own websites.