Educause Security Discussion mailing list archives

Re: Credit Reporting Companies


From: "Fugett, Julie C" <jcf () KU EDU>
Date: Mon, 14 Jan 2008 11:44:40 -0600

When I do presentations, I always stress these points:
 

* annualcreditreport.com is the only site you should be using (the
  sound and look-alikes are all subscription based scam artists)
* the credit reporting agencies can and will try to sell you
  things (FICO scores, monitoring, insurance, etc)
* you do not need to give anyone your credit card number to obtain
  your free credit report

I would be very curious to find out which site this individual used.  I
just saw a reply referencing ftc.gov/freereports--I have only used (and
only advocate) annualcreditreport.com.  Sounds pedantic, but I haven't
gotten into trouble with it yet, nor have any of my workshop attendees
reported trouble.
 
____________________________________________
Julie C. Fugett, CISSP, CCE                    
Information Security Analyst
IT Security Office, A division of Information Services
The University of Kansas       
1001 Sunnyside Avenue      
Lawrence Kansas 66045      
http://www.security.ku.edu <http://www.security.ku.edu/> 
http://www.beseKUre.ku.edu <http://www.besekure.ku.edu/> 
____________________________________________
Direct Extension: 785-864-0484
IT Security Office: 785-864-9003
Mobile: 785-691-6154
Email: jcf () ku edu 



________________________________

From: Pace, Guy [mailto:gpace () CIS CTC EDU] 
Sent: Monday, January 14, 2008 11:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Credit Reporting Companies



If the individual is seeing charges against their credit card that were
not authorized, or knowingly authorized, they should take this up with
Experian or with the Federal Trade Commission. All three of the
companies have been tagged in the past with using confusing language and
processes on the sites to suck folks into paying for reports they should
get for free. Unless the companies are taken to task for it, and filed
against with the FTC, they will continue to do this.

 

Checking the sites, though, you can understand that it would be trivial
(almost) for someone to agree to a monthly fee for services. The trick
is that they should never give their credit card numbers in the process.
They are not needed. That should be a key point of the training, make
sure they are aware of the kinds of information required for the free
reports, versus the on-going service.

Guy L. Pace, CISSP 
Security Administrator 
Center for Information Services (CIS) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 

gpace () cis ctc edu 

From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU] 
Sent: Monday, January 14, 2008 9:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Credit Reporting Companies

 

 

Hi Everyone:

 

As a standard part of our Identity Theft Awareness presentations and as
a standard part of our breach notification letters we tell people how to
go about receiving their free credit report(s) from Equifax, Experian,
and Trans-Union.  We walk them through the process outlined by the
Federal Trade Commission materials and have them pull a report from one
company first, then wait 4 months and pull one from the other, etc.    

 

Here's the Issue and Question:

 

I have recently received two complaints from members of my community
that when you contact Experian they are pushing their Credit Insurance
program so hard that they are "fraudulently charging credit cards" (not
my words - see the email I received below) for the service without
making the consumer fully aware of what they are doing.  

 

Any suggestions as to who I should lodge a complaint with or as to an
easy way to instruct folks on how to avoid this trap?  When we notify
them that their data may have been breached they are already a bit upset
- to then have the Credit reporting agency (who is supposed to help
them) take advantage of them further is causing a bit of pain on our
side as my department is much more accessible on the phone than someone
from Experian.

 

-Kevin

 

Recent Email Received:

 

Dear Infosec department,

 

Last year I attended a security awareness seminar offered by your
department in ERC 427 - I believe it concentrated on identity theft.
The speaker said that federal law allows everyone one free credit check
per company per year and instructions were given stating how to do this,
in particular a web address was given.  I did this and saw my report.
Then a few months later my wife and I noticed a disguised charge on our
credit card statement.

Instead of Experian we saw something like CC-01-12 or something like
that.

Upon investigating we discovered, to our horror, that Experian was
charging us for something that we did not want and did not knowingly ask
for.  So it appears your presentation has inadvertently led to
supporting fraud or at least unethical behavior by at least one and
possibly other companies. I believe we will be reimbursed by the credit
card company as a fraudulent claim but the fact that this is so routine
staggers my mind (check the web for incredible numbers of similar
complaints).  I suggest you do not tell people that credit check
companies give a free credit rating because that appears to be entirely
misleading - it is more like the first month is free - but they do not
tell you that in any plainly visible location.  I
realize there is a way to carefully step through the process to avoid
the problem but I think most people will lose their balance and fall
into the pit so it seems better not to mention it at all or provide an
up-to-date website showing, step-by-step, exactly what buttons to press
for each of the credit reporting agencies.

 

Sincerely,

 

 

 

Kevin L. McLaughlin

CISM, CISSP, GIAC,PMP, ITIL Master Certified  

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

513-558-ISEC (department)

 

 

  

 

