Marriott’s breach response is so bad, security experts are filling in the gaps (techcrunch.com)
106 points by guiambros on Dec 10, 2018 | hide | past | favorite | 22 comments



Could someone explain to me what's up with the "monitoring services"? I recently read a book on infosec risk, and they keep mentioning that the usual response for data breach involves sponsoring a "credit monitoring service" for customers. Marriott is now referring people to some non-credit "monitoring service", that (from skimming their site) ultimately tries to fill in some holes left by "credit monitoring".

Here's what I don't understand:

- Why?

- Why is that not a service provided by a bank, as a part of having a credit card?

- Why do individuals have to pay some random third parties to protect themselves from some fraudster defrauding some bank via data obtained from some company (even if, in publicized breach cases, this gets covered by breached company)?

- (Somewhat related) how is it that your "credit score" isn't just a number on your bank dashboard, but you have to pay third parties to discover it?

It can't be that all of this is just a legalized racket, can it? Because it feels like it is.


> - Why?

Because they're probably paying Marriott for the privilege of being listed as a provider for monitoring services. Once the free tier runs out they'll try to milk the consumers for an ongoing protection charge.

> - Why is that not a service provided by a bank, as a part of having a credit card?

Separation of concerns. A bank or card issuer cares more about covering their own liability for fraud on a particular card. They don’t care if a new one gets issued in your name somewhere else or if a line of credit gets opened.

> - Why do individuals have to pay some random third parties to protect themselves from some fraudster defrauding some bank via data obtained from some company (even if, in publicized breach cases, this gets covered by breached company)?

That’s not strictly true. Freezing your credit across all the major credit agencies is free. They likely don’t want you to know or do that as it also limits junk mail for credit cards.

> - (Somewhat related) how is it that your "credit score" isn't just a number on your bank dashboard, but you have to pay third parties to discover it? It can't be that all of this is just a legalized racket, can it? Because it feels like it is.

It is a racket with a private sector origin that effectively got standardized over the years. There are a number of private organizations that provide "credit scores", with FICO being the most prominent.

Starting a few years ago most financial providers provide free access to your current score or some “fako” equivalent.


In the UK much the same racket is going on. A couple of years ago I was the target of identity theft, which involved somebody walking into a phone store, and giving for 'security purposes' my full name, address and date of birth, and walking out with a new iPhone on contract. I am a director of a limited company, so all of this information is freely available online.

I eventually got it sorted (the suggested route of contacting Action Fraud did nothing; I had to make numerous proactive calls to the network's fraud team), but in order to prevent it from happening again they suggested I mark myself as high risk with the credit agencies (CIFAS protective registration), which involves paying a £10/year fee to set a boolean on my file.

I'm tempted not to renew it, and if it happens again send a strongly worded letter telling them to cease all communications as there has been an error on their part (maybe GDPR gives more powers in this case?). I'm not a heavy credit user, so the impact on my credit score isn't a concern.

For anyone concerned, the best way I found to monitor this is through free credit score monitoring services such as ClearScore. Through their website I can see any searches on my credit score (unfortunately they don't notify you). If a search appears for a company you don't recognise, it is most likely an indication of something similar going on.


> unfortunately they don't notify you

That sucks. In Sweden it's the law that credit reporting agencies have to send you a copy containing the same information every time someone does a pull on your credit. Seems like a common-sense regulation.


You have to pay 10 quid a year to put a boolean (presumably 1 if high risk/freeze, 0 if not) on your account?

That seems... exploitative.


I use ClearScore too (which covers Equifax), as well as the MoneySavingExpert Credit Club which covers Experian, and is also free: https://moneysavingexpert.com/creditclub


I don't believe that these 'free' credit score services are free, you just don't pay them a monthly fee. Instead, they make money from having your financial details, presumably to sell you other services. Same as farcebook et al, not really free at all.


I use Noddle (operated by CallCredit) and I don't recall ever having been upsold anything.

Edit: After logging back in to have a look, it turns out that the website has a bunch of cross-selling adverts mixed in and around the 'free' credit-reporting service:

https://imgur.com/bBl8y2T

Going through the process of drawing red circles around the adverts made me realise 80% of the page is in fact advertising but for some reason I just never noticed them. I like to think I have a built in uBlock in my brain although I'm probably subconsciously absorbing their marketing message without realising it.


Because the cost at the margin for pulling credit reports is so low and because banks will periodically pull for customers anyhow, some banks are starting to offer it as a perk to customers. Capital One and American Express both have reasonably good experiences here. (No CC required at Capital One; you can get it with their deposit accounts only, which have no minimums.) This very literally results in your FICO score being on your dashboard with an option to click through and see what changed.

People should not generally pay for credit monitoring, for the same reason that one would not pay monthly to subscribe to tests to a disease one is not at risk for. Various errors will cause you stress for no reason.

(You can get a full credit report 3X yearly by going to annualcreditreport.com ; this is probably overkill for most people who are not actively attempting to improve credit in advance of e.g. a mortgage application or because of catastrophic errors.)


> (You can get a full credit report 3X yearly by going to annualcreditreport.com ; this is probably overkill for most people who are not actively attempting to improve credit in advance of e.g. a mortgage application or because of catastrophic errors.)

You should pull your full credit report (from all 3 bureaus, that would be one "full report") at least once a year. It's very difficult to tell if someone has stolen your identity and opened loans in your name otherwise, and while in theory you're protected, you might be looking at a protracted legal battle.

Just like you get a physical at least once a year, you should do a credit checkup too.


I don't know how it is elsewhere but my bank does monitor my transactions. If something suspicious happens they block the card. Also by default you can only use it in Europe.

I trust my bank more than Visacard. But the reason why credit cards still exist at all is because they are the only payment system that is universally accepted. It's old technology, but it works precisely because it's so simple. Hell, there are airliners that only accept credit cards! Visacard knows that they have a monopoly.


Things like this seem to indicate an almost complete lack of competence with regard to security and breach response. Can Marriott not afford to hire one full-time, experienced, competent person to oversee security policy? Of course they can. But it seems that they haven't, because someone whose job it is to oversee security policy should certainly be right in the middle of Marriott's response process, and should have caught something like this.

I'm not saying there are no competent people doing security at Marriott. If you work at Marriott doing security work, I'm not trying to attack you; this kind of thing is not one person's fault (unless it really, really, really is, and not even then, because the other people in the organization shouldn't have allowed such a single-point-of-failure). But really.. it's just abysmal.


The top two items in the MBA handbook are, firstly, to keep personnel count as low as possible (because the few left are more "productive" somehow) and, secondly, to shrink any IT department to the bare minimum (it's a cost center; no good comes from a cost center).


To me, the annoying thing about the e-mail from Marriott that I received was that it simply says my details 'may' have been breached and that 'some' of the breached e-mails had various types of data stolen.

I understand this as an initial response. What I don't appreciate is the lack of a line in the e-mail saying 'as soon as we have more details about the extent of the breach for your particular account, we will let you know.'

I still have no real idea what was stolen and I don't know if I'll ever be told.


Unions should post bug bounties on their employers for a more modern take on relevance and contract negotiations

Because that two month strike was an exercise in futility

Would harden the employer system too


Personally, I would like to see legislation similar to the Privacy Act of 1974 be passed that governs how corporations use PII:

https://en.wikipedia.org/wiki/Privacy_Act_of_1974


Perhaps marriott.com would be at risk of being sent to junkmail if they sent out mass security update emails. Maybe that’s a risk they weren’t willing to take. They clearly only care about their business and not their customers so why would they junk their domain?


Anyone know if there are any grounds for a class action?


The letter I received from Marriott went straight to my spam folder (Gmail).


I signed up for the monitoring service they provided, and much to my delight I discovered the service retails for $130 annually.

I genuinely hope Marriott has to pay that price, even though I've given it no information to monitor except my email address.

I suggest as many people as possible sign up for this service.


So it probably is a paid worse version of Have I Been Pwned...


This type of service is typically part of cyber insurance, which is dirt cheap today. Perhaps their premiums will rise.



