Educause Security Discussion mailing list archives

Re: Credit Reporting Companies


From: "Custer, William L. Mr." <custerwl () MUOHIO EDU>
Date: Mon, 14 Jan 2008 12:38:56 -0500

Kevin,

I recently ordered up a credit report from Experian.  What I remember is a box that one checks to sign up for their 
services.   The box may or may not have defaulted to having a check in it.

I entered their web site from the following link.  I would have someone in the organization verify that the checkbox is 
there and whether it defaults to checked.

I made sure the box was blank.  I haven't received any e-mail indicating that I signed up or any billing to my credit 
card.

http://www.ftc.gov/freereports

From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, January 14, 2008 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Credit Reporting Companies


Hi Everyone:

As a standard part of our Identity Theft Awareness presentations and as a standard part of our breach notification 
letters we tell people how to go about receiving their free credit report(s) from Equifax, Experian, and Trans-Union.  
We walk them through the process outlined by the Federal Trade Commission materials and have them pull a report from 
one company first, then wait 4 months and pull one from the other, etc.

Here's the Issue and Question:

I have recently received two complaints from members of my community that when you contact Experian they are pushing 
their Credit Insurance program so hard that they are "fraudulently charging credit cards" (not my words - see the email 
I received below) for the service without making the consumer fully aware of what they are doing.

Any suggestions as to who I should lodge a complaint with or as to an easy way to instruct folks on how to avoid this 
trap?  When we notify them that their data may have been breached they are already a bit upset - to then have the 
Credit reporting agency (who is supposed to help them) take advantage of them further is causing a bit of pain on our 
side as my department is much more accessible on the phone than someone from Experian.

-Kevin

Recent Email Received:


Dear Infosec department,



Last year I attended a security awareness seminar offered by your department in ERC 427 - I believe it concentrated on 
identity theft.  The speaker said that federal law allows everyone one free credit check per company per year and 
instructions were given stating how to do this, in particular a web address was given.  I did this and saw my report.  
Then a few months later my wife and I noticed a disguised charge on our credit card statement.

Instead of Experian we saw something like CC-01-12 or something like that.

Upon investigating we discovered, to our horror, that Experian was charging us for something that we did not want and 
did not knowingly ask for.  So it appears your presentation has inadvertently led to supporting fraud or at least 
unethical behavior by at least one and possibly other companies. I believe we will be reimbursed by the credit card 
company as a fraudulent claim but the fact that this is so routine staggers my mind (check the web for incredible 
numbers of similar complaints).  I suggest you do not tell people that credit check companies give a free credit rating 
because that appears to be entirely misleading - it is more like the first month is free - but they do not tell you 
that in any plainly visible location.  I realize there is a way to carefully step through 
the process to avoid the problem but I think most people will lose their balance and fall into the pit so it seems 
better not to mention it at all or provide an up-to-date website showing, step-by-step, exactly what buttons to press 
for each of the credit reporting agencies.



Sincerely,



Kevin L. McLaughlin
CISM, CISSP, GIAC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)

