In an absolutely delightful example of screwing the pooch both before and after lunch, the big credit agencies, spurred on by so-called experts, are offering everyone the option to freeze their credit following the Equifax breach.
Indeed. The way they set this up qualifies as the most irresponsible response I have seen to a massive breach since... hmm... honestly? I'm not sure I have a good example.
Well, here is how it works: you freeze your credit, and you get a PIN to allow you and only you to unfreeze it in the future. Makes sense? Of course it does, if you discount a little thing called actual human behavior.
Only problem is, there are two massive issues with this "solution".
The first, and smaller, is that all three agencies will have to have some way to remove a freeze without the PIN, because guess what, people forget or lose stuff like that all the time, and you can't just shut them out of life for life because of the breach. And how will they prove they are them? No matter the process, an identity thief focused on stealing your identity can successfully pretend to be you with all the information they have on hand following the breach.
Still, that's the smaller issue. It's mainly a royal pain in the ass, but at least it's you fighting for yourself.
The really big, really scary problem with this approach is that identity thieves can now hold your friggin' identity hostage!
Because guess what? When you go to freeze your identity, you do it via an online portal that requires you to identify yourself... using information about yourself... that was lost in the breach.
A smart identity thief, then, only has to start freezing people's credit reports at random using the information they have about them, setting and collecting PINs for every one, and then using or selling that information (PIN included) to anyone wishing to make use of it.
Which means that you, the actual victim, are doubly screwed. You don't have the PIN that you supposedly set to freeze your account - because you never actually set it. Somebody else did. Good luck going through that process, which is guaranteed to be a much bigger hassle than the already draining act of trying to remove fake accounts from your report.
In the meantime, the thief unfreezes your report at their convenience, opens a bunch of accounts, then refreezes it - and you are left without even the ability to access your report to see what's going on, and having to prove you are you. Without the PIN. That only the thief has.
Welcome to a much, much bigger mess and one that will have a serious impact on the victims, who will need to, as we say in Hebrew, "prove they don't have a sister" when their identity gets not only stolen, but taken hostage.
I hate to say it, but there really is no recovering from this. The entire credit reporting apparatus in the USA has to be completely refactored, from scratch. It will be inconvenient, and expensive (personally, I think Equifax should pay for it, even if it means liquidating the company to raise the cash), but it has to be done. Step one? Scrap social security numbers entirely and immediately as a form of authorization for credit. One way to do it is to issue every citizen a national ID with a biometric profile - and yes, privacy be damned. Utilize the biometric profile to approve transactions of any kind. It has to be done, and it has to be done now. I shudder to think of the poor souls who will be trapped in a hell much worse than a stolen identity - those whose identity was taken hostage.
Come to think of it, I suppose it is true: go, no, run to your favorite browser to freeze your report - not because it's going to solve the identity theft problem, but because you'd better do it before some identity thief does it for you.