Re: Credit Reporting Companies

["Custer, William L. Mr." <custerwl () MUOHIO EDU>]

The following site advertises itself as the only 'authorized' site then goes on to defend what it means by 'authorized'.

http://www.ftc.gov/freereports

From: Dan Johnson [mailto:djj4 () UWM EDU]
Sent: Monday, January 14, 2008 12:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Credit Reporting Companies

Hi Kevin,

I'm guessing that your presentation uses creditreport.com or freecreditreport.com as the web site where people can go 
to get their free credit reports online.  I've seen numerous presentations that suggest one or the other.

Both have a 'bait and switch' tactic that they never used in the past and both use a 'free for 30 days, but if you 
don't cancel...HAHA... we're charging you!'  I guess everyone's out to make a buck...

Here is another website that does offer the free credit reports that you may wish to use in your presentations: 
https://www.annualcreditreport.com/cra/index.jsp

(Note: both previous sites, creditreport.com and freecreditreport.com list the above site for the free reports by law.  
I have not tried annualcreditreport.com  personally, and YMMV)

As to who to complain to... I guess I would just send Experian a nastygram and tell them how you WILL NOT be sending 
any business their way.  Although, I have a feeling that this may be an exercise in futility...

Hope that helps.

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
2442 East Kenwood Boulevard
Mellencamp Hall, Room B60G
Milwaukee, WI  53211
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget."
Thomas Szasz, The Second Sin (1973) "Personal Conduct"



From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, January 14, 2008 11:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Credit Reporting Companies


Hi Everyone:

As a standard part of our Identity Theft Awareness presentations and as a standard part of our breach notification 
letters we tell people how to go about receiving their free credit report(s) from Equifax, Experian, and Trans-Union.  
We walk them through the process outlined by the Federal Trade Commission materials and have them pull a report from 
one company first, then wait 4 months and pull one from the other, etc.

Here's the Issue and Question:

I have recently received two complaints from members of my community that when you contact Experian they are pushing 
their Credit Insurance program so hard that they are "fraudulently charging credit cards" (not my words - see the email 
I received below) for the service without making the consumer fully aware of what they are doing.

Any suggestions as to who I should lodge a complaint with or as to an easy way to instruct folks on how to avoid this 
trap?  When we notify them that their data may have been breached they are already a bit upset - to then have the 
Credit reporting agency (who is supposed to help them) take advantage of them further is causing a bit of pain on our 
side as my department is much more accessible on the phone than someone from Experian.

-Kevin

Recent Email Received:


Dear Infosec department,



Last year I attended a security awareness seminar offered by your department in ERC 427 - I believe it concentrated on 
identity theft.  The speaker said that federal law allows everyone one free credit check per company per year and 
instructions were given stating how to do this, in particular a web address was given.  I did this and saw my report.  
Then a few months later my wife and I noticed a disguised charge on our credit card statement.

Instead of Experian we saw something like CC-01-12 or something like that.

Upon investigating we discovered, to our horror, that Experian was charging us for something that we did not want and 
did not knowingly ask for.  So it appears your presentation has inadvertently led to supporting fraud or at least 
unethical behavior by at least one and possibly other companies. I believe we will be reimbursed by the credit card 
company as a fraudulent claim but the fact that this is so routine staggers my mind (check the web for incredible 
numbers of similar complaints).  I suggest you do not tell people that credit check companies give a free credit rating 
because that appears to be entirely misleading - it is more like the first month is free

- but they do not tell you that in any plainly visible location.  I realize there is a way to carefully step through 
the process to avoid the problem but I think most people will lose their balance and fall into the pit so it seems 
better not to mention it at all or provide an up-to-date website showing, step-by-step, exactly what buttons to press 
for each of the credit reporting agencies.



Sincerely,



Kevin L. McLaughlin
CISM, CISSP, GIAC,PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)


 [cid:image001.png@01C856B4.67AB22F0]


CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may 
be legally privileged. Access to this message and its content by any individual or entity other than those identified 
in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this 
e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be 
unlawful.