
Reported difficulties getting help on Equifax's phone lines - PaulHoule
https://www.washingtonpost.com/news/the-switch/wp/2017/09/13/i-called-equifax-with-a-simple-question-this-is-what-happened/?utm_term=.8efe961a4475
======
voiper1
TL;DR: Equifax phone lines unhelpful for anything.

Suggestion, from
[https://www.reddit.com/r/personalfinance/comments/6yv4gb/off...](https://www.reddit.com/r/personalfinance/comments/6yv4gb/official_mega_thread_recent_equifax_security/dmqdld2/)

If you do nothing else, place an initial 90 day fraud alert on your file. This
is free and will require lenders to contact you if someone (including
yourself) tries to apply for credit. Government info. _You only have to do
this with one bureau in order for the alert to be placed on all three_, and
it should take less than 5 minutes:

Equifax
[https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAle...](https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp)

Experian
[https://www.experian.com/fraud/center.html](https://www.experian.com/fraud/center.html)

Transunion
[https://www.transunion.com/fraud-victim-resource/place-fraud...](https://www.transunion.com/fraud-victim-resource/place-fraud-alert)

~~~
pkulak
Just 90 days? I'd rather freeze my credit. I already bought a house and a car.
I'm done with needing credit for the foreseeable future. Freezing all 4
accounts (including Innovis, which actually seems like the most competent of
the bunch) is the ticket for me.

[https://www.experian.com/ncaconline/freeze](https://www.experian.com/ncaconline/freeze)

[https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo...](https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp)

[https://freeze.transunion.com/sf/securityFreeze/landingPage....](https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp)

[https://www.innovis.com/securityFreeze/index](https://www.innovis.com/securityFreeze/index)

~~~
sean2
This is great advice and appears to be a good thing to do, but I just feel
weird giving Equifax money to protect me from fallout of their data breach. It
feels like I'm rewarding them for losing my data.

I bet millions of Americans, who are suddenly aware of their vulnerability to
credit fraud and learning about these options, are paying for requests and
freezes.

~~~
mildavw
Yeah, it bugs me too. What about letting "natural consequences" befall Equifax
(or rather its customers)?

I take no action now. Scammer gets a $10k loan from BigBank using my info. I
get the bill and report it as fraud. Write a few letters to clear it up
([http://www.kalzumeus.com/2017/09/09/identity-theft-credit-re...](http://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/)).
BigBank will be out $10k and is now motivated to figure out a better way to
make loans.

~~~
PaulHoule
Maybe that big bank should decide not to get credit reports from Equifax and
not to send them data. It would be a way to show that self-regulation works
before the government forces their hand.

------
ahelwer
I have spent a very large amount of time over the past few years attempting to
correct Equifax's record of my information (all to the now-apparent end of
reducing noise in the hacker's data). They somehow had my SSN associated with
someone else, leading to a few rejected credit applications.

Equifax customer service reps are very poorly trained. The singular goal of
all Equifax employees with whom I interacted was to make me Someone Else's
Problem. To that end, they deployed several tactics:

* Telling me I'm calling the wrong Equifax customer service phone number

* Telling me I'm calling the wrong _new_ Equifax customer service phone number

* Telling me to mail in _just one more_ piece of identification

* Telling me they never received snail-mailed documents

* Telling me received snail-mailed documents "were not yet in the system" (over a week after receipt)

* Telling me to fax documents, not mail them

* Telling me the fax number I have is old, wrong, and no longer used

* Telling me the _new_ fax number I have is old, wrong, and no longer used

* Telling me to call the bank providing my credit card, and get them to send my info to Equifax

* Mysteriously hanging up

* Again telling me the identification documents provided were insufficient

Finally I just sat on the phone for several hours with a customer service
agent who had not yet discovered the complete lack of consequences for hanging
up, asking what additional information would be provided by whatever
additional piece of ID they were requesting. It escalated up the supervisor
chain a few times, went on hold for half an hour, then I was just suddenly
told the problem was taken care of and disconnected.

The problem wasn't taken care of, and the perpetual complimentary credit
monitoring service subscription I have from some past data breach or
another continued to fail its Equifax enrollment. Finally, a year later, the
problem fixed itself.

This company is trash.

~~~
emodendroket
That's what most large call centers are like. When I worked in one the factors
in your evaluation were: 1) "handle time" (i.e., time on the phone per
customer) 2) callbacks within a set time period 3) customer surveys 4) spot
checks of recordings for adherence to company policy. So naturally, if you
have a difficult case the most logical thing to do is find some within-the-
rules way to transfer the customer to someone else (you couldn't just do this
capriciously; the circumstances under which it was allowed were enumerated),
where they won't be able to answer a survey for you and they're someone else's
problem, or else to put them through a process where they aren't supposed to
get an answer for weeks. One popular technique at the place I worked was
deliberately needling customers so they'd get upset and ask to cancel or speak
to a "supervisor" -- both valid reasons to transfer a call to another
department and wash your hands of it. Since your failure to do well on the
metrics was tied to a big chunk of your pay you were highly incentivized to
game the metrics in this and similar ways.

~~~
PaulHoule
This is just not always true.

I sometimes have a bad time with a call center but often I call a call center
and get prompt and efficient service. If you tar them all with one brush, you
are giving the bad ones a pass.

~~~
emodendroket
For a very large call center I'd say you're getting prompt and efficient
service if your problem is a supported scenario. Something novel and your odds
aren't that good.

------
micaksica
Because I hate these clickbait titles: the author plays phone-go-round, calls
four numbers, waits on hold a bunch, gets disconnected, and eventually gets
transferred to an "agent" that ends up being a busy tone.

All that was accomplished was that he placed an automated fraud alert, even
though his original question was whether or not he was affected by the Equifax
breach.

~~~
pm24601
Not click bait at all. The article gives all the phone numbers including the
"magical" phone number at the end to get the 90 fraud alert ( 1-800-525-6285 )
including the advice to not make any noise on this call.

~~~
rebuilder
The article is fine, the headline is clickbait: "Click to see what the hell
this article is about!"

------
nafizh
I am tempted to say I am appalled by the utter disregard these credit
reporting agencies have for consumers, but I am not really surprised. Coming
from a country with a tradition of public institutions, it is amazing to see
private credit reporting agencies in the US, because this should be a public
service from the Government.

~~~
imglorp
The reason they have such contempt for you is that you're NOT THEIR CUSTOMER.
Their customers are lenders looking for dirt on you.

The only reason they talk to you, with overt disdain and reluctance, is the
government says they have to.

~~~
rhizome
We aren't their customer, but we are their golden goose.

------
josefresco
This lines up with my experience with TransUnion.

Called the day after the news broke, and successfully set up a fraud alert on
my account using an automated phone system in 3 minutes and 44 seconds.

So thrilled with this easy process, I called my Mom/Dad and instructed them to
do the same.

About a day later I call again to do the same process for my wife. Got almost
to the end (after giving them her SS#), but then something changed ...
TransUnion started listing extensive documentation I had to snail mail to them
- it took several minutes for this message to play out, after which I received
no confirmation that the fraud alert was successfully activated. It seemed as
though I was "kicked over" to the identity theft reporting line, because the
documents they asked for seemed like something you would send to them, if your
identity had already been stolen.

Called Experian immediately after, hoping their system might be working
better. Their automated system failed to even start the process - I gave up.

Now my wife is convinced I gave her SS# to some random stranger. FML

TL;DR: TransUnion telephone fraud alert worked on Monday, but now is fucked.

~~~
cr0sh
As soon as I heard about this hack (last Friday?), the first thing I did was
sign up for LifeLock and set up my accounts. LifeLock was being hammered at
the time, but I got thru.

When I got home, I then put freezes thru "the big three", then after reading a
couple of articles, on Sunday I put freezes in with Innovis and ChexSystems. I
also ran my credit report using TransUnion (leaving me with two more runs from
the other two during the year).

That's basically all you can do. You can also do this, I suppose:

[https://www.zanderins.com/idtheft2](https://www.zanderins.com/idtheft2)

I've read anecdotes saying that it's legit and good insurance (but LifeLock
already offers a similar thing on the level I signed up for).

I guess part of what I am saying is that the story broke, and there was a
small rush, but I got in - then when Monday rolled around and the story grew
legs - well, we're now seeing DDOS-like failures...

~~~
zaroth
With responses like this, it's almost like the breach is generating enough
business to have been _worth_ it!

------
paulgb
> I could set up a 90-day fraud alert that would force creditors to call me —
> at a number of my choosing — before agreeing to open any new accounts in my
> name.

This should be the default, for everyone, for free. If banks don't want to do
the bare minimum to verify your identity, the liability for identity theft
should be on them and not you.

~~~
jdmichal
I'm professionally involved with this, so at this point I'm obligated to say
that the following is my personal opinion and in no way representative of my
employer.

Banks use a lot of information to correlate and verify customer identity. The
process is called KYC, Know Your Customer [0]. The problem is that this
process _relies_ on exactly the information present in a database like
Equifax's. If they did perform verification calls, they would be using the
same information to verify your identity over the phone, meaning that anyone
with that same information could still impersonate you.

The problem, as often pointed out, is that much of this information is much
more akin to a username than a password, but is often used as the latter. I
mean, someone with my _drivers license_ has my name, address and date of
birth, which is often enough to verify with most systems that don't keep SSNs.

From a technical perspective, modern cryptography would seem to give us some
opportunity here. The downside here is that its usage becomes absolute -- you
either have the key or you don't, regardless of the reality of your identity.
The reality is that identity is a _very hard_ problem, with many confounding
issues.

[0]
[https://en.wikipedia.org/wiki/Know_your_customer](https://en.wikipedia.org/wiki/Know_your_customer)

~~~
cr0sh
I personally think a 3-factor system could work, but you'd never get the
changeover to happen.

1. The government would have to invalidate all SSN numbers and re-issue them.

2. To re-issue, you have to go down to a govt office to pick up a smart-card
like device (let's call it a "multi-pass" for s&g's) that would have built
into it a keypad and a fingerprint scanner.

3. This person would validate you as you (perhaps you present your driver's
license/id/passport/birth certificate), and issue you one of these cards and a
reader device (for home).

4. The card device itself would have a unique value embedded in it, but
otherwise be "blank". Perhaps the government might also have a copy of this
value matched to your other info, for tax purposes (so, it would act like your
SSN for tax purposes and such).

5. This value would come from a one-time programming, where in front of the
official, you would scan your fingerprint, and enter your pin. The card would
hash everything together, and burn the hashed value into the card's read-only
memory.

6. So now - to verify your identity, you would need: The card (something you
have), the pin (something you know), and your fingerprint (something you are).
If one of these isn't present, you can't identify yourself.

7. To do a transaction, you'd need to slot the card in to your reader (if at
home doing something online), or into a vendor's or bank's reader - then put
in your pin and scan your fingerprint. It'll hash the values again, and
compare with what is on the card, and output (the only output, mind you) "yes"
or "no" for the question of "identification".

The downside to all of this is that if you lose your card, or your fingerprint
changes, or you forget your pin (or some combo), getting a new card will be
tough. But really all it should take would be another in-person visit to the
same govt office - more or less.

I also admit that there are very likely other glaring flaws with this idea
(beyond the fact that it won't ever be implemented because of the costs to
switch over, and other issues). But I think it comes close to a potential
solution.

As long as you have to be physically present and always use a reader of some
sort, if you don't have any one of the pieces of info, you can't verify your
identity:

1) You need the card, if you don't have that - no dice of course.

2) You need the fingerprint that was originally used - that's only going to
belong to the person who originally picked and configured the card at the govt
office.

3) You need the pin number - presumably only known by the proper owner of the
card.

So if the card is stolen, that doesn't matter. If they chop off your hand or
finger, that won't help. They'd basically have to beat the pin code out of
you, chop off your finger, and steal the card. I'm not saying there aren't
criminals who would do that, but they'd have to be in the minority. Plus, such
criminals are not likely id thieves anyhow.
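
The enroll-once, answer-only-yes-or-no card described in the comment above, sketched as an added example that is not part of the thread. `MultiPassCard`, its methods and the sample PIN and fingerprint bytes are hypothetical, and the sketch assumes the sensor returns an identical template on every scan, which real fingerprint readers do not.

```python
import hashlib
import hmac
import os


class MultiPassCard:
    """Toy model of the proposed card (hypothetical names, not a real API)."""

    def __init__(self):
        # Step 4: a unique value embedded in the card; otherwise it is blank.
        self._card_id = os.urandom(16)
        self._burned = None  # write-once slot standing in for read-only memory

    def _digest(self, pin: str, fingerprint: bytes) -> bytes:
        # Length-prefix each field so ("12", b"3") and ("123", b"") cannot
        # produce the same input to the hash.
        material = b"".join(
            len(part).to_bytes(2, "big") + part
            for part in (pin.encode(), fingerprint)
        )
        # A slow, salted KDF: the card's unique value is the salt, so the
        # same PIN and finger give a different digest on every card.
        return hashlib.pbkdf2_hmac("sha256", material, self._card_id, 100_000)

    def enroll(self, pin: str, fingerprint: bytes) -> None:
        # Step 5: one-time programming in front of the official.
        if self._burned is not None:
            raise RuntimeError("card already programmed")
        self._burned = self._digest(pin, fingerprint)

    def verify(self, pin: str, fingerprint: bytes) -> bool:
        # Step 7: re-hash and compare on the card; the only output is
        # yes or no, and the stored digest never leaves the card.
        if self._burned is None:
            return False
        return hmac.compare_digest(self._burned, self._digest(pin, fingerprint))


def demo() -> dict:
    # Constructed sample values, not real credentials or biometric data.
    pin, finger = "4921", b"constructed-template-A"
    card = MultiPassCard()
    card.enroll(pin, finger)
    try:
        card.enroll("0000", b"constructed-template-B")
        reprogram_blocked = False
    except RuntimeError:
        reprogram_blocked = True
    return {
        "owner": card.verify(pin, finger),
        "wrong_pin": card.verify("0000", finger),
        "wrong_finger": card.verify(pin, b"constructed-template-B"),
        "blank_card": MultiPassCard().verify(pin, finger),
        "reprogram_blocked": reprogram_blocked,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```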

~~~
jdmichal
I don't think it's as far a stretch as you believe. The DOD already issues
CAC cards which include:

* A private cryptography key. (Something you have)

* Which is PIN protected. (Something you know)

* With a photo on the front. (Something you are)

Of course, photo identification can't be easily replicated remotely. So remote
use maybe only gives you two of the three.

Upside is that there are already existent card readers, along with all the
infrastructure required to manage the cards and keys.

------
zenzen
@patio11 has a great writeup on dealing with Credit Reporting Agencies:
[http://www.kalzumeus.com/2017/09/09/identity-theft-credit-re...](http://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/)

------
nlawalker
What is the best way for the American public to start to "escalate" this to
the government? It's clearly not even worth getting frustrated trying to deal
with Equifax directly, they obviously aren't required to have any
accountability to anyone.

~~~
maxerickson
One of my senators wrote a respectful note to the FTC asking for an
investigation, so I'd assume we are all set
([https://www.peters.senate.gov/newsroom/press-releases/peters...](https://www.peters.senate.gov/newsroom/press-releases/peters-urges-the-federal-trade-commission-to-investigate-equifaxs-breach-by-hackers)).

Less sarcastically, we need a political reformation focused on effective, pro
citizen government, instead of politics focused on holding or reversing the
status quo on divisive issues. So good luck.

------
socrates1998
I really really really wish we would do away with the SSN as the default ID
for people. It's just such a really bad system.

It was never designed to be an ID Number and now that's how it is used. We
should really go to a different system. I am not a security expert, but I
think voting, paying taxes and credit scores would all be much easier than
they are now.

------
iamleppert
Honestly, not sure why people are surprised by this. The company is
incompetent and not consumer or customer focused by any means.

Their entire operation is optimized to sell products and services to
creditors, with no regard for actual consumers. They are a B2B company. They
treat their employees poorly, and their call center operations are outsourced to
third party firms on a cost-basis who are poorly trained and purely exist to
field consumer contacts as required by law, but not actually resolve any
issues.

I truly believe credit reporting agencies need to be heavily regulated and
operated as a non-profit consumer institution, similar to the BBB.

~~~
tjohns
I'm not sure the BBB is the best example. You'll find a lot of folks online
who don't hold them in very high regard.

While they might be a non-profit, that doesn't mean they aren't still looking
for money.

In particular, it's well known that businesses who pay money to the BBB tend
to receive a better overall rating score. And conversely, businesses who
refuse to pay the BBB tend to have their scores go down.

See:
[https://en.wikipedia.org/wiki/Better_Business_Bureau#Critici...](https://en.wikipedia.org/wiki/Better_Business_Bureau#Criticism)

------
niftylettuce
Experian's freeze doesn't even work at the moment due to their JavaScript
compiled asset getting cut off (unexpected end of input error):
[https://i.imgur.com/bOGE2Sh.png](https://i.imgur.com/bOGE2Sh.png)

~~~
nawtacawp
I was just looking at that -- then I headed over to Equifax, entered all my
info and then:
[https://i.imgur.com/NmrRg1V.png](https://i.imgur.com/NmrRg1V.png)

------
XR0CSWV3h3kZWg
Please change the title to something along the lines of "Equifax customer
service is ineffective"

~~~
sctb
Sure thing, we've updated the title to a representative phrase from the
article.

~~~
jimktrains2
I thought there was a pretty hard rule of using the name of the article only,
even when it makes no sense in context. What are the exceptions to that rule?

~~~
grzm
You're right that there's a strong preference to use the original article
title. That said, the guidelines go into more detail under "In Submissions":

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

In this case I suspect the mods agreed with 'XR0CSWV3h3kZWg that the given
title wasn't very good (and not obscure in the intriguing sense, maybe
whimsical sense). Personally I find the "I did x. This is what happened"-type
quite click-baity. As an aside, I wonder how far one could go using only
"this" as a filter for click-bait titles.

------
link_108
With Experian, I have done the following:

- Call membership number -> makes some noise and then hangs up

- Use their website that they promote in their automated messages -> when
trying to set up an alert, it takes you to a loading page that does nothing
(looking at the requests being made in the network tab, it fails to load
bootstrap and then just sits there, I am able to download the script it fails
to download)

- Call automated fraud number -> nothing happens after being transferred to
their automated alert system, so I hung up -> called again and waited for a
few minutes after being transferred to their automated alert system, finally a
voice starts talking asking for info (a dark pattern if I've ever seen one).
After going through the process, apparently my info wasn't correct, so they
asked me to 'leave a voicemail' with my SSN and DOB, after providing that
info, it said they couldn't save my info and to try again, then promptly hung
up.

so haven't been able to set up a fraud alert yet

------
post_break
I called Transunion to freeze my account and they hung up on me. 4 times. I
gave up.

------
ars
If we "as the product" actually want to do something about Equifax we should
call our banks and demand that they cancel any contracts they have with
Equifax.

If enough people do that to make it a national issue, Equifax will at a
minimum notice, and possibly go out of business (because no bank will work
with them) sending a very strong message to everyone who deals with private
data.

Anyone know how to start Viral Activism?

~~~
maxerickson
Are you actually prepared to leave your bank if they don't give in to your
demands?

That's what it would take for that to have any impact.

~~~
ars
That's when you get some shareholder activists. Even a single stock can give
you the right to make some noise.

------
quuquuquu
Let me save you a click:

Different agents on different hotlines bounced him around.

After 30+ minutes, an automated system took his SSN and signed him for a
trial. Sort of.

Because they kept getting disconnected from the system, they aren't sure if it
actually worked.

Seems Equifax is using the "plug fingers in ears and scream la la la la la"
method.

~~~
650REDHAIR
Thank you!

Not sure why you're getting downvoted here.

~~~
quuquuquu
Hey, thank you too!!

I have no idea either. Luckily it wasn't much, but maybe my tone was off.

It couldn't possibly be my assessment of the story- everyone else commented
the same thing!

Maybe the site wants those sweet sweet clicks and time on page metrics :)

------
AngeloAnolin
From the article:

"We finally got to a point where the system asked for our information in order
to set up a 90-day alert. I provided my Social Security number, two phone
numbers where I can be reached for verification, and a “please hold while we
process your request” message."

What if someone who got a hold of another person's SSN calls the number, and
gives them a bogus number to contact? Any lender then tries to call the bogus
number and they get a "YES, I ALLOW THAT TRANSACTION TO HAPPEN", which brings more
problems then.

Equifax could have made a system that performs this option and then it would
be the person whose SSN has been exposed to provide the authentic number which
they can be reached at to alert them of any transaction happening with their
SSN number being used.

------
noddy1
I think if there was any justice in the USA, a court would declare that the
Equifax breach was significant enough that the damage caused is greater than
the value of the Equifax company, and the company itself would be taken from
existing stockholders and shares distributed among the American public
affected by the breach. The company could then continue trading with all
proceeds going to the people harmed in the breach, and the employees could
then go on to work for the people that they harmed.

~~~
KGIII
I'm not sure there's a legal mechanism to do that.

------
distantsounds
Honestly, I would have expected it to take hours. 42 minutes is actually not
too bad, I've been on hold with my ISP for longer than that.

To be fair, he didn't get the answer he was looking for, so this could have
dragged on much longer if he persisted in the phone-only route. I actually
would have preferred that instead.

~~~
lucb1e
> I've been on hold with my ISP for longer than that

Sounds like it's time for a new ISP. I get impatient with XS4ALL after more
than a minute or two, but then they've been spoiling me with sub-minute
answering times for years. They scored extremely well in ratings, I figured
they went "well we can do a little less well and save some money". Still great
service -- but to come back to your situation, 42 minutes is ridiculous. Snail
mail is faster at that point.

~~~
distantsounds
This was years ago with Time Warner. I've since moved and found much better
service, thankfully.

------
ducttape12
The Washington Post wrote a click title. You won't believe what happened next!

... I didn't click the link on principle.

------
swasheck
Haha, Equifax!

Our system is currently unavailable We are currently unable to add initial 90
day fraud alert or active duty alert to credit file online. Please try again
later or click here to print a request form. If you need to install Adobe
Acrobat click here

------
michaelspivey
If Equifax takes your Social Security Number and a Phone Number to require you
to set up any new credit, couldn't the hackers call Equifax and give a stolen
Social Security Number of a high profile person and hold their credit ransom?

------
rrggrr
[https://democracy.io](https://democracy.io)

Email your congressperson and complain. This works. It takes time and it takes
a critical mass of complaints. Tweet your Congresspeople too.

------
tibbon
Why is this hard? Using Twilio, I can make a better voice prompt system in
like 20 minutes than a multibillion dollar company has. I don't understand the
point of having so many phone numbers.

------
Kluny
Propose changing the headline from the current clickbait to "Results of
calling four different Equifax customer service numbers" or similar.

