Hacker News new | past | comments | ask | show | jobs | submit login
Tell HN: Equifax free credit report dark patterns
223 points by PopAlongKid on Feb 23, 2024 | hide | past | favorite | 105 comments
For years, I have been obtaining free annual credit reports (annualcreditreport.com) which must be provided by law. Recently, for the first time, when I tried to obtain my Equifax report, I was prompted for an email address and a mobile phone number, a new requirement that apparently cannot be bypassed. The other two bureaus, and Equifax previously, confirmed identity by asking knowledge based questions. They do not need my phone or email for anything.

Next, trying to obtain the report by phone instead of web site per instructions, I got to the point where I entered my ZIP code on the phone keypad, the voice menu system correctly repeated the number back to me, but every time I press 1 to indicate it is correct, the system acts like it got an invalid response and only gives me the option to enter further information by voice, not by the phone keypad. Just as with my phone number and email, they do not need to record my voice to provide my report.

I wrote a complaint to the annualcreditreport firm earlier this week, no response yet.




The problem is, as you articulated, they are required by law to provide credit reporting information about you to you. They have no incentive to do this because they make their money by collecting and selling data about us.

They have every reason to use this reporting requirement to collect more information about you.

They have every reason to conflate credit freeze with credit hold, and confuse consumers in order to extract regular payments from them.

They have zero reason to keep sensitive data about you secure. In fact, they have every reason to promote fear and uncertainty in the public that their sensitive personal information is in the hands of criminals as a growth opportunity for their industry to sell credit monitoring services.

They have successfully convinced the public that identity theft is a separate and distinct crime done exclusively by one person to another rather than simply fraud that they are aiding and abetting.

Consumers and credit reporting bureaus have a fundamentally adversarial relationship that no legislation can harmonize. They exist because they do serve a purpose for finance, which is to give an indication of how much money they can make lending money to someone. Regardless, this reporting does not have to be done by for-profit corporations. This can just as easily be done by non-profits or government agencies. Although these are not perfect, they are free of the perverse incentives driven by for profit corporate structures.


Here's an idea: lets burn down FICO and the credit reporting bureaus.

After all things seemed to work fine before credit scores. Perhaps we put too much "stock" in them in the first place. There has to be better ways to manage this.

One way I could forsee is a government agency that acted as a reporting depot. Then you could forbid the sale of information, and create legislative firewalls for it to keep it out of the hands of other agencies[1].

Though I will continue to argue that credit scores are deeply flawed[0].

[0]: FWIW, I have excellent credit too, so I hardly run into any real issues with it, but I have see the other side of this table. They are often used in such a way I would classify it as prejudiced discrimination with extra steps. For bigger / riskier loans. You could instead opt for point in time financial audits, for example.

[1]: Two things of note. One, last I looked into this, the government very much pulls credit reports on pull without any oversight as it sits today. Two, there is a history of legislative firewalls that do work, they need clear and strong oversight provisions, and today we have almost zero oversight of the credit bureaus. I'd roll the dice on creating something akin to the GAO or Federal Reserve type agencies (that is to say, very independent from lawmakers and presidents but still have competent oversight), but for something that functions for the intentions behind what these scores are suppose to be for.


>lets burn down FICO and the credit reporting bureaus.

This seems to be the harder problem. I read potentially better solutions all the time, but I never read about how to get to that point first.


Its lack of motivation really. I think people have become ingrained / numb to them that they don't really think about it until they have a problem, or some sector of society gets repeatedly screwed by the bureaus etc.

There's been no systematic callout of the bureaus in wider society, that I can tell.


We are not the customers, we are the product. The customers are the banks and other entities that want to check our credit.

Probably the only answer is legislation


What are these better solutions? The bureaus exist because companies can only quote you loan products if they have a good [enough] understanding of how responsible you are with debt and paying existing creditors. You could make arguments about some pitfalls with the score, but any other creditworthiness system will need a lot of data if lenders want to be able to trust it to provide insight to your monthly debts and payment history.


Many European countries do not have a credit score system. Companies and banks are a lot less inclined to give you credit, but I don't see how that is a bad thing for society?


Germany enters the scene.

There was a recent article about Schufa - https://news.ycombinator.com/item?id=39395329.


> After all things seemed to work fine before credit scores. Perhaps we put too much "stock" in them in the first place. There has to be better ways to manage this.

The old way to do it, pre-credit score, is that they would take a look at your zip code, take a look at the color of your skin, and decide if you were a "trustworthy individual"


That's just ridiculous. Modern countries like France do not use credit scores. They just look at your last few bank statements.


From what I can find online, is it true that “Fichiers Banque de France”, owned by the French Government, has a de facto credit system to log credit defaults (so that lenders can deny you if you’ve missed payments for too long in the past)?


A actual state-run system has at least some legal accountability.

When a politician gets a loan denied due to bogus data, I'm sure heads would fly. It's probably also subject to whatever their equivalent to FOIA and whistleblowing laws are over there.

The private sector gives us the worst of everything: it's an obnoxious panopticon, PLUS being incentivized to be untransparent and seek out eternal growth.


Or you'd have tot take out a literal letter of credit from your bank - who would use all of that, plus some other stuff to assess your worthiness.


Now now, don’t be nasty.

They’d also look at the quality of your suit, or lack thereof, your accent, and try to guess your religion.


And they still do that.


>They have successfully convinced the public that identity theft is a separate and distinct crime done exclusively by one person to another rather than simply fraud that they are aiding and abetting.

I interpret that as: Companies like Equifax allow (or disregard good security practices to enable) data breaches to land your data into identity theft rings. They (Equifax) then try to sell you "protection services" while they continue to dangle your data to tantalized thieves. What a fucking racket.


100% agree on the incentives

Similar to why cookie accept/deny interfaces are atrocious. They're intended to be!

I think a solution will require more creativity than "have the government do it", but the current system is clearly broken.


Every financial institution has its own credit file on you. They don’t need the third party services at all. Credit profiles can be created easily from any number of public data sources. These companies exist because we wrote laws requiring them to exist, and for no other reason.


If you don't like the terms with your current bank, how would you apply for a loan with a different one [that doesn't know you]? People need the ability to shop around.


Plaid


Nobody will volunteer their unpaid debts so terms for those a good credit history will suffer.


Give me your checking account login and tax return and I will know who you owe money to


a) I take out a credit card at a new bank, spend the balance, and never make a payment.

b) I bounced a check, don't remedy, and owe money to a furniture store.

c) I move a random amount of money each month to a separate account and make loan payments from there.

d) How far back does someone need to account for their spending in order to get a loan? People complain about mortgage applications, but this is a whole new level.

Access to credit gets more expensive without a 3rd party aggregator.


I feel like at some point we just have to accept that the only system of credit that is actually fair is the one that is explicitly run in the interests of society by said society (i.e. in practice, its government). It's not that private banks shouldn't exist; but there should be a bank that anyone can go to and get a loan on conditions that actually reflect their credit risk, and take into account their life situation etc.

Yes, it does mean that there will be a certain amount of defaults that we will all be paying for. I'd rather pay for that than for another yacht of some rich finance bro.


The reach of a per financial institution credit file is different. I’m also not sure how much that is true or practical without a Pre-existing relationship with that particular institution but when your credit is polled for things that aren’t about even obtaining credit (renting/employment) what matters is the FICO Scorsese from the big 3. They have an outsized importance in functioning in society and deserve extra scrutiny.

I don’t have an inherent problem with having a broadly accepted and comprehensive credit-risk profile, but the way we do it and the institutions who profit off of it are disgusting.


I don’t think government should do it at all. That would be same broken thing. I just don’t want a selected (not by me) set of companies collect information about me without my consent. I would rather have an opt-in system where I can select a vendor to make a report on me to provide to lender. Only when I want it.


> I don’t think government should do it at all.

I'd want a non-profit to handle it. I'd want full public disclosure of internal processes, data sources and data buyers. I'd want strong, unhindered oversight provided by a fully independent public board along with separate oversight provided by the FTC - with oversight entities able to exhort meaningful influence over methods, sources and customers.


> They have successfully convinced the public that identity theft is a separate and distinct crime done exclusively by one person to another rather than simply fraud that they are aiding and abetting.

This demonstrates a fundamental misunderstanding of how credit reporting works.

When "identity theft" occurs, it's important to realize that the credit reporting firms are not involved. That is solely due to failures, at the institutions that actually grant credit, to verify the identity of the person they are interacting with.

The flow goes: a fraudster uses harvested data to impersonate someone to a credit grantor, such as a credit card company. The credit grantor, accepting this identity at face value, asks the credit reporting agency (CRA) about the credit rating of the impersonated entity. The CRA says "Joe Victim has a relatively low risk of fraud". So the identity theft has already occurred before the CRA is even consulted.

Later on, when the fraudster fails to pay as agreed, the credit grantor incorrectly reports to the CRA that the fraud was caused by Joe Victim. Again, the CRA is just relying on the data provided to them by their clients.


You might want to rethink that. Credit reporting firms actively aid identity fraudsters because it is profitable

https://privacyrights.org/data-breaches/court-ventures


I understood the comment about aiding and abetting to be a reference to the fact that Equifax leaked about half of all Social Security Numbers back in 2017. For 145 million Americans the "harvested data" you refer to was data that the credit bureaus hoovered up and then failed to protect.


> Equifax leaked about half of all Social Security Numbers back in 2017.

They weren't leaked, they were stolen. Does a bank "leak money" when it's robbed?


If the bank failed to apply industry-standard security techniques then yeah, I'd say the bank leaked money. The criminals are obviously the most culpable, but when you're storing more than 100 million SSNs it's not unreasonable to expect your IT department to:

* Update their dependencies within two months of a critical security vulnerability being patched (Mar 7 to May 12).

* In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).

* Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.


> Update their dependencies within two months of a critical security vulnerability being patched (Mar 10 to May 12).

They thought they did, but failed.

> In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).

Impossible to guarantee. A sophisticated enough attack might never be detected, regardless of the competence of the security department.

> Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.

It is impossible to so completely segment a network. If I can get the data via an authorized program, that means there's a path between networks and a hacker can potentially exploit that path.


> They thought they did, but failed.

Oh, never mind then. Clearly since they thought they updated the dependency it's all good.

> Impossible to guarantee. A sophisticated enough attack ... It is impossible to so completely segment a network ...

While I will acknowledge that this seems to have been Equifax's approach to security (it's impossible to do completely so why bother doing it at all?), this is not widely accepted as a philosophy of security in any industry.

That a bank could still be robbed by a military incursion from a neighboring nation state is not sufficient reason to leave the vault door open overnight. The record abundantly shows [0] that Equifax had security protocols that were weak enough that no sophisticated actor was needed to bypass their protections.

As far as their failure to detect the breach, this is what the House investigation concluded:

> Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.

[0] https://oversight.house.gov/report/committee-releases-report...


And they should have been held accountable, were they?

If such an entity demonstrates gross negligence yet there are no repercussions, perhaps it is worse than negligence, it is outright larceny - Equifax could be characterizes as a govt supported cartel.

It is not unreasonable then we should actually physically destroy their premises and all related collected information as an active threat to the nation, as well as re-issuing all sensitive information to all affected individuals.

As for what to do instead, credit reporting need not be the important solution, rather one part of an accepted solution, such as multiple scores issued to multiple numbers that are not tied together by a single bureau. Then when credit checks are pulled it is not sufficient to use a single service and the incentive to illegally utilize said information decreases, as the relevance is reduced for any one credit check.


> And they should have been held accountable, were they?

Huge stock hit (since recovered, of course), top executives lost their jobs, fines, had to give away a paid product, extra oversight, cost of fixing security, several rounds of layoffs for the employees, etc.

> It is not unreasonable then we should actually physically destroy their premises and all related collected information as an active threat to the nation

This is why we can't get real, meaningful change. No wonder our "leaders" think so little of us.


IMO, Leaked is probably the better word here. Equifax did not steal the data in the first place either, they recorded/copied it from other sources which leaked or sold it to them.


> other sources which leaked or sold it to them.

Every data source (such as a bank or credit card) provides that data to CRAs because consumers granted permission to do so when entering into a business relationship. Either that, or it's publicly available data purchased from aggregators.


> because consumers granted permission to do so when entering into a business relationship

Do we have an actual choice?


You could not get a loan or credit, I guess.

There are costs to that approach, of course.


Wildly unfeasible. The consumer does not have a choice, they do not have an ability to live within their means without incurring credit checks.

Take housing - perhaps it is possible to purchase outright a home with cash, however you will not find generally anyone willing to take payment in cash.

If you cannot afford that and are not taking a loan, then you must rent. However you cannot rent without a credit score.

So no the consumer did not consent to anything. This is a ridiculous and dishonest viewpoint.


How did you get that from what I wrote?

And notably, it’s entirely possible to rent without a credit check. Just not big corp places.

My current place didn’t check my credit, and they weren’t the only ones. I was disappointed they didn’t. But a lot of the cookie cutter places will.


I don't think OP is reporting because they need to be educated on the motivations of these institutions.[0] I think instead OP is reporting to bring to light an abuse to the system. I'm happy OP is doing this and making noise because we can only address issues we're aware of and that get enough traction.

But I find comments like these often become popular and highly upvoted because of their formulation but end up serving very little utility and ultimately dismissive. I think they're upvoted because they are in factual and accurate, and we like the confirmation because it shows how intelligent we are. But I think they end up being dismissive because it is missing the point. It is dismissive because there are no actual points being addressed or solutions being offered. There is an implicit solution of the government generating said report, but I think this would need to be (more) explicit. It also seems that anytime these comments raise to the top that the conversations become very unorganized and off topic, because frankly there is little to go off of. If writing a purely educational response I think it is quite hard to do (and even this comment might have the same repercussions but I'm trying to add more and my intent here is to align the thread. No one need reply to my comment).

Personally I think a good solution would be for the law regarding these free reports should be updated to specify that they should not be a data collecting process. That they are only allowed to ask for information that they already have and that this is solely used to verify the authenticity of the user. Using this process to generate novel data is an abuse of the system. I also personally feel that the public should be able to have more recourse for mistakes that are made by these companies (within reason). I still feel like there has not been enough recourse for the Equifax breach and that not enough has been done to protect citizens. I don't think this is an unpopular opinion, but ensuring our politicians are aligned with public beliefs is a whole other conversation.

[0] Personally I feel it is pretty obvious and apparent that credit agencies operate to collect and process data about people. It is then also apparent, to me, that of course the incentives align to them getting even more data about you as possible. It seems to me that anyone that is doing yearly report generating is highly likely to be aware of the business model. But not everyone is me so maybe that's not the intent. And what's obvious to one person isn't always obvious to others.


Banks and data companies are moving to biometrics for proof of identity and you may have hit this.

At least 3 credit card companies I use are signed up/using a biometrics/information provider. (they wouldn’t tell me who, despite federal disclosure requirements — I only knew they were using someone because my current accurate info was replaced by info from 7 years ago)

There are companies trying very hard to find out everything from your hair color, facial features, and skin type to your email address and connect them all for everything from identity management to advertising. They are working on getting your payroll data directly from your employer as well, so you will not be able to self declare income in the future. You will know when you run across the companies that use these providers because their data is often wrong or out of date and they usually ask you for a video of yourself holding your id to update it and may even give you a problem then.

The amount of information these companies are collecting and piecing together is scary — one company is tracking major website comment activity and tying it back to their core data sets which has your IRL info.

This means that in the future, you could be denied employment, a mortgage, or an auto loan because of something you said last year in Twitter.


You’re forgetting about the KYC/AML laws that lets these companies do that.

They can deny bank loans, auto loans, etc based on comment history and then hide behind KYC/AML laws. Under those laws, they don’t have to provide any reason whatsoever for the rejection and can operate without impunity. They are the judge, jury, executioner and the government gave them that power.


For those of us not up to speed on finance TLA's: KYC (Know Your Customer) AML (Anti-Money Laundering)


I mean if you're not willing to sue somebody then they're always the judge/jury/executioner.

It's a bit akin to all those people who complain it's impossible to know why Google closed your account despite evidence [1] to the contrary.

[1]: https://www.huffpost.com/entry/why-google-bothered-to-ap_b_2...


You do realize most of these payment processors or even financial institutions have arbitration clauses right? And as a business, they have the legal right to refuse for any reason not disability related. Hell, they could deny a disabled person a loan based on the unlikelihood they would pay it back and then hide behind KYC/AML laws. Oh we're not denying you based on disability, it's just some flags have popped up in our system and we can't tell you why. Google doesn't have KYC/AML laws to hide behind.

The funniest part is that HSBC already revealed to criminal organizations on how to evade KYC/AML tripwires. When you outlaw freedom, only the outlaws have freedom.


Thank god NYS made it illegal for employers to query your existing payroll data from the databrokers awhile back.

But unfortunately every single major payroll provider (like ADP) in the US now shares your payroll data with Equifax and more. And those services openly advertise for employers to use them to be able to beat down new employees on salaries among other things.


Their data is pretty much always wrong for me. I share my father's name, so whenever I do a credit check they ask me about the homes I owned before I was even born... Unfortunately, my family has moved a lot and I can't remember all the addresses.


It's literally out of control. We cannot have a healthy democracy in a systematically surveilled society. When people understand they're being actively and constantly surveilled they tend to self-censor their expression. When we do not have a healthy and honest exchange of expression (something that has arguably been being eroded for a long while now) it will fundamentally erode one of the pillars of our society. Kudos to CA and IL for attempting to do something about this legislatively.

As a citizen with some modicum of hope for the future I will vote for strong privacy protections. As an engineer I will not work on products that progress our state of surveillance capitalism (yep, realize the constraints here). I hope others agree and act accordingly.


I’m not sure that these requirements are actually due to Surveillance Capitalism; Government KYC requirements may be the culprits, as they’re steadily on the rise (especially with all the recent sanctions).


These are not contradictory things. Capitalism is something that is maintained by the government in the first place - it exists so long as government continues to operate a property right framework that is in favor of large corporate entities. And, of course, said entities bribe the politicians who run the government to continue this state of affairs.

In short, surveillance state capitalism that strangles actual free markets and reduces choice is the natural form of capitalism.


I've always found this process and surveillance capitalism completely insane. It is a huge national security issue. I know governments like to have data on people to let them more effectively exert control (for good or bad) but the truth of the matter is that any data that is collected can similarly be used by your adversaries. It is always and will always be a double edged sword. I don't think the problems will be adequately resolved until this becomes deeply ingrained in both the public mind as well as the minds of politicians. Data is certainly extremely useful, but we need to take a moment to weigh the utility against how vulnerable it makes us.


I made a comment in another post a few weeks about strategies to poison your apparent profile. Any strategies?


Are they tracking anonymous comments or how does it work?

This should be illegal in all countries.


>Are they tracking anonymous comments or how does it work?

Many people happily put their real names in their social media.

Many people put information and/or pictures which easily identifies them when combined with other data, which credit agencies have an enormous amount of (workplace, purchase of a new vehicle, house photos, school, etc.).

Those two things alone probably cover a large percent of the population.

Add in things like: using a username on social media that is the same/similar enough to the email address you signed up to credit monitoring, purchasing browser fingerprint data from whatever websites and comparing it to logged-in site visitors, etc. and the outlook is bleak.


Basically: a bunch of laws intersected to screw you over, even if it wasn't the intent of any one of them individually. But nobody cares, because anyone like you who looks out for their privacy is a weirdo.

:(


Please raise a complaint with the FTC and CFPB. Regulators are the only path to success.

https://reportfraud.ftc.gov/

https://www.consumerfinance.gov/complaint/


It is mind-blowing to me how incompetent the credit agencies are. I just tried to check my credit was frozen everywhere and I couldn't log into Experian. Tried "forgot my password"... oops, "can't find your username". Tried entering my email, "please verify with your phone number"... oops, "doesn't match our records". Tried "verify another way" and it asked for my phone number and last 4 of my SSN. Hey, that worked! That should not be an option...

And guess what, my account lists my username, email, and phone number exactly as I entered them. But I still can't change my password since that requires verifying my current password, which they've apparently forgotten. What an absolute joke.


I think it's the opposite of Hanlon's razor: Never attribute to stupidity/incompetence that which is adequately explained by malice/evil-intent.


The original Hanlon's law is an excellent argument for why Reverse Hanlon's law is more often true.

For another example, see every customer service phone tree in existence. Or more broadly, any customer service, although Google gets extra side-eye.


I'm completely blocked out of equifax ever since their hack. I've even sent them a certified letter and no response. Impossible to call them too. Just says sorry contact us... ok

Been annoying when trying to have a credit check run and the place uses equifax and they deny based on frozen credit. Like ya, I know. Could be worse I suppose, could be open and unable to freeze.


Try opening a new account with a different email. Worked for me when I tried after going through the process.


Just wait until you have to deal with someone else's credit information showing up in your report because of vaguely-similar names. It's very difficult to deal with without paying for a proxy to deal with it for you.


You are not their customer.


I still love the whole "we know our data is wrong, but we sell it as fact, and know that that information is used to impact cost to you, but you're required to constantly check with us, or pay us to tell you when we're lying". Yet somehow this isn't extortion, and somehow it's not illegal defamation.

The moment credit agencies started running their own monitoring services, it seemed like they were openly admitting that they were defaming people. I still do not understand why this is legal.


> The moment credit agencies started running their own monitoring services, it seemed like they were openly admitting that they were defaming people. I still do not understand why this is legal.

If you're signed up for credit monitoring, you get notified when your credit info gets changed, so you have a chance to react if it's an error (or fraud). How is that defamation? Why would it be illegal?


No.

It's defamation because they know their information is frequently incorrect, that it is trivial for people to get outright fraudulent transactions attached to people's "credit report". Knowing that, they then present that information as fact to others, despite knowing that the information they provided is used specifically for purposes where false information will add significant costs to the people they're reporting on.

Now you're right, I can get credit monitoring, in which I pay money so that I can spend my time verifying they're not publishing fraudulent information. So now it goes from defamation to extortion: we'll defame you unless you pay us and do the work of ensuring we don't defame you.


They do not publish fraudulent data. They publish data provided by the credit grantors. If the credit grantors don't do their due diligence, that's on them, not the CRA. And if credit grantors fail to due that due diligence often enough, they get kicked out.


g051051? The guy who keeps trying to post porn all over this site? I can't believe you've got the guts to go posting here. I've told everyone about your disgusting behavior.

What's that? You never did that? Well, for just $5/month you can sign up for my monitoring service and we can investigate your claims. In the mean time, I'm going to keep warning everyone about your behavior.

I feel like most people would consider the above behavior unacceptable, but it's okay because I'm a big company dedicated to stopping perverts like you.

(hopefully it is clear that I'm not actually serious. Unlike the credit agencies)


You told a reporter that story. The reporter, _without verifying it_, then tells his newspaper that the story you told is true and he's verified it (which is a lie). Now the newspaper publishes it. Who's responsible?


All three, because the newspaper knows that the reporter lies all the times, but continues to employ him because his stories sell.


The answer is that they literally bought their own law exempting themselves from defamation laws. It's called the "Fair" Credit Reporting Act.

Legislative sanity would see a repeal of the FCRA and the addition of a US equivalent of the GDPR, giving us a right to privacy that's applicable to every single company. I don't consent to being a data subject of any part of the surveillance industry, including this oldest part calling themselves "credit bureaus".


Remember, this is the company that could not keep the data they already have safe [1]. And now they want more info from you, so that they can store even more info about you (carelessly) and sell it? This is what happens when you have less regulation.

[1] https://www.csoonline.com/article/567833/equifax-data-breach...


Credit reports are a racket. I've barely had any luck obtaining one of my reports from the site in the past few years. I'm at the point where I think I will freeze my credit.


Everyone should freeze their credit by default, it's very easy to unfreeze when you actually need to apply for something.


Ideally, that would be the default state, and you'd request un unlock when you need to borrow money.


I did that years ago and I've passed multiple hard credit checks. It doesn't do anything.


We’ve been living with credit freezes for over 10 years now, ever since a bunch of fraud incidents (thanks leaky IRS). Only ever have to deal with it when we need credit (rarely), putting in for a temporary lift. Bonus is we get zero refinance or CC offers in the mail.


I recently had someone submit a fraudulent loan application using my information. I went through the process of freezing immediately after, and I would highly recommend you do it. It was the easiest thing possible. I just went to the links on here https://www.nerdwallet.com/article/finance/how-to-freeze-cre... and was done in like 10 minutes for all 3.


I applied for a credit card recently and got denied, which was weird since I have a good credit score. Applied for a different one, they eventually emailed and asked if I still wanted the card. When I said I did, they told me they needed me to unfreeze one of my credit reports. I had forgotten I did it years ago. Oops. I eventually got a snail mail from the first credit card company telling me that was why it was denied and to unfreeze it if I still wanted the card.


I'm in my mid 30s at this point. Starting on my 18th birthday I've never been allowed to see my credit record from at least one bureau. Any attempt to do so is met with a requirement to prove my identity, and any attempt to prove my identity is responded to with a request for further documentation.


It's possible to opt out of the TheWorkNumber [0] by postal mail. You might consider it. [1]

[0] https://employees.theworknumber.com/employee-data-freeze

[1] https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifa...


Highly recommend doing this - also if you think your employer is reporting data to The Work Number (highly probably if they use ADP), ask them for information on your employee profile. Equifax has lied to me about the existence of my profile even though they did, in fact, have data on me. Only when my employer told me the identifiers for my profile did I find out that they had previous data on me and I was able to opt-out.


You tried methods #1 and #2. Stamps are expensive but the effectiveness of method #3 might surprise you. The mail-in form is not going to ask for a voice sample.

From consumerfinance.gov:

"You can request and review your free report through one of the following ways:

1. Online: Visit AnnualCreditReport.com

2. Phone: Call (877) 322-8228

3. Mail: Download and complete the Annual Credit Report Request form. Mail the completed form to:

   Annual Credit Report Request Service
   P.O. Box 105281
   Atlanta, GA 30348-5281
You can request all three reports at once or you can order one report at a time. By requesting the reports separately (for example, one every four months) you can monitor your credit report throughout the year."


In my experience, requesting the reports in the mail is the only guaranteed way that I can get my full credit reports. The website sometimes works, but I often get an error for my Experian report that says that "A condition exists that prevents Experian from being able to accept your request at this time." It turns out that Experian never lets me get my annual free credit report using Firefox, but if I try it with Chrome, I can get it. This is the only workaround I've found when the website won't give you your report. The only other option is to just mail in the form and wait a few weeks (which is what I often end up doing anyway).


I continue to request my reports via certified mail to the annualcreditreport address, and this time for the first year Equifax just ... didn't reply. Completely ignored my request.


Submit a complaint via the CFPB. They most certainly will then respond.

I had a frustrating experience trying to obtain my consumer report from Early Warning Services, a less-known alternative to Chex Systems. Their process for requesting a report was unnecessarily complex and seemed designed to discourage users.

Initially, I had to navigate to a hidden webpage, which then directed me to a PDF form. This step alone was convoluted. After filling out the form, I discovered a line within the PDF that provided a link to a consumer portal, which looked like it hadn't been updated since the early 2000s.

The next step required me to create an account on this outdated portal, upload the completed PDF, and wait for a response.

However, my troubles didn't end there. For reasons unknown to me, my account was suddenly deleted. When I reached out to their IT support for help, they were clueless about the reason behind this issue.

Fed up with the lack of support and transparency, I decided to file a complaint with the Consumer Financial Protection Bureau (CFPB). To my surprise, this action prompted a swift response from Early Warning Services. Within just two days of filing the complaint, they sent me my consumer report.


Do you have your credit frozen with just Equifax, or something? Just trying to think of vanilla (i.e. incompetence rather than malice) reasons to explain this. Of course, it goes without saying that they all suck...


> confirmed identity by asking knowledge based questions

I'm not sure I feel good about this either. Isn't your mother's maiden name, the street you grew up on, your first concert, or your pet's name all information that is pretty much well known by now. Primarily by you (royal) for taking those stupid social media quizzes.


I actually prefer this over the other currently available options (Install our app on your phone so you can click "Accept" ... and give us access to scrape everything off of your smartphone!). I just select random questions from their list, and use the same answer for each of the questions. If they don't accept the same answer for each question, then I conclude I don't need whatever it is they're offering as badly as they think I need it, and move on to another entity or form of communication (if you won't make this convenient for me, then fine -- you can send me snail mail correspondence).


> ... and give us access to scrape everything off of your smartphone!

Deny them the access? Phones are way more restricted than home computers here. App stores also reject apps that insist on permissions that are out of their scope.


  App stores also reject apps that insist on permissions that are out of their scope.
Only for smaller apps.

There are major apps that have unique integrations with app stores and consumer devices. Phone security/privacy is largely PR in this regard.


I used my password manager to fill in those questions with passwords, but that proved difficult when I had to provide the answer to the question over the phone to some rep.


The funniest part about these is that if someone has stolen your identity and successfully gotten things added to your credit report then you may actually FAIL to answer correctly questions about yourself.


I just stick with Credit Karma for keeping up with my credit report. Yeah, they want to sell me loans and shit, but it's easy to ignore/block those ads and just get the data I'm looking for.


Their continued existence is pernicious and a policy failure. We should be able to replace them with a competitive privacy preserving scheme that wipes those businesses out.


Giving them the benefit of a doubt, it could be a first (or half) step in adding a level of security around credit information. It wasn't long ago that they were breached (not though user identity checking! by a software vuln!) and they're probably still smarting from it. Maybe this is part of a half-baked auth scheme or notification system.


This is most likely why

https://unifiedid.com/


I haven’t had issues with the annual credit report process personally. The system is shitty though.

Equifax will give you a copy off your real credit report once per month if you sign up with them which is better than the other two will do. The rub though is they try as hard as possible to make you think you have to pay for it and every time you sign in you have to decline to pay.

It’s so fucked up. If we’re going to have our lives controlled by credit agencies, then individuals should be able to access their real score at any time for no cost and no bullshit. What a fucking racket.


Equifax is the only company ridiculed in political satire shows with full length episodes due to their inept information security practices.


I found a security issue in the credit reports Equifax India sends out. Been trying to report it for almost a year now I think.

Equifax doesn’t care.


They already have your mobile phone number because banks and credit lines you take will report that information to them.

They ask you for your phone number to verify you, not because they want your phone number when they already have it.

If you want to avoid them knowing your "real" phone number and leaking that to marketing agencies, the best thing you can do is get 2 mobile phone numbers, one you actually use with your friends and family, and one you provide to businesses and stick that SIM in a beater phone and keep it silent.

I HATE this system and wish we had some GDPR-like law for preventing sharing of such information outside the corporation you provide it to, but such is the current state of the system in the US.


Quit complaining. If your personal data is leaked, and your credit and financial life is ruined, at least you get a year of free credit monitoring. Sheesh. /s




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: