Back at the end of 2017, I wrote a quick post about the horrific Equifax breach. If you want to take a few simple steps to mitigate your risk from it, check it out. It’s been a while since then, and it occurred to me that many people have already forgotten all about it. Our politicians already have. I know there are so many things to worry about these days, but it’s important for people to truly understand the consequences of the Equifax hack, and to take whatever actions they can to protect themselves. This is no joke: it is quite likely a significant number of people’s entire livelihoods will be destroyed as a result of this breach.
To put it bluntly: every single American is at risk at the moment, with the potential problems ranging from identity theft to hacking your online accounts to tax fraud to . . . well, pretty much anything is possible now. How can a simple hack be such a big deal? Aren’t there hacks all the time? Everyone always says those are a big deal and then my life doesn’t change so… how is this different?
It’s very different. The reality is that your credit information includes so much sensitive data in one location (your social security, your addresses, your credit cards, all your bank relationships, etc.), and all of that is exposed now thanks to the breach. A malicious attacker has absolute and unprecedented power to do as they please with this information. Yes, you can monitor your credit for a while, but the attackers are intelligent, and will likely not do anything with your data until at least a year from now. They will wait for everyone to forget. Then, just when everyone feels safe with the blanket of ignorance, they’ll make their move. It will likely be very costly to many people. This is why I’m posting this now.
You may be tempted to close this tab and ignore the potential threat. That would definitely be easier, and I don’t blame you for wanting to. Dealing with security in our digital era is not simple, but the good news is you can take some steps to mitigate the damage (there is no real way to undo the damage; the best we can do is try to limit its impact on us).
So how did we even get here? Of course, the breach was the trigger, but once you dive into the infrastructure of our credit system, it seems almost inevitable that this happened. The hack could have easily been prevented, but the level of incompetence in the entities which are tasked with securing one of the most sensitive data sets in America is just shocking. To understand the real impacts of how we find ourselves so vulnerable, let’s first get a better understanding of the system of credit in America.
Let’s think about how people establish credit today. Put simply: people will not trust you with things of value (money, cars, houses, etc.) unless other people have already trusted you with things of value. In other words, the entire system is based on relationships — in order to make new ones, you have to have existing ones. Want a credit card with no credit? Well, you can get a crappy one, or you can get a co-signer. If you want a car, show your credit history. If you want a house, show your lease payment history. And so on.
This makes it particularly difficult for people who are just starting out in this country. You simply cannot avoid the credit system to participate in the economy. This reminds us how critical the system is to the functioning of our population (and how horrifying it is that it is among the least secure systems out there).
In my case, I came to the U.S. from Canada, and I had outstanding credit there which I expected to carry over. I was sorely mistaken. I was in my twenties, but to the American credit system, I was born in 2006 (the year I got my social security number). I found this strange, but at the time, only mildly infuriating — I didn’t have any major purchases needing credit, so it didn’t really bother me then. Also, I was lucky enough to have opened a credit card and the history of “successfully paying” my zero balances built up until I came back a year later. Still, when I moved to the U.S. in 2007, I had difficulty getting an apartment with such little credit. I was lucky and managed to get one anyway, but it was a clear lesson that I had a lot of work ahead of me — whatever this “credit” thing was, I needed to work on it and build it, or else I’d have trouble thriving in this country.
For most people, being able to establish credit is a painstaking process that can take literally their entire lives. If you think that sounds silly, and have good credit without thinking about it much, you should take a minute and thank your privilege. You likely had some help — if it wasn’t your family getting you a credit card early, it was the safety of their financial security which allowed you to so boldly go and open one up yourself. There are no real consequences to jumping if you know there’s a net waiting for you.
The rest of the country, however, has to struggle with the already overwhelming challenge of simply paying their bills — and credit is a convenient answer to their problems. Unfortunately, even though most people have a credit card, they generally don’t bother managing their credit score. It’s hard to blame them — the complexity of managing one’s credit can be so high that there are many entities out there that will happily take your money simply to help you deal with the credit agencies. Most people can’t afford luxuries like that, or simply don’t think about their credit that much. As a result, financial institutions are able to apply leverage, often with a healthy dose of superior attitude, and intimidate people into paying higher rates or fees because their credit isn’t great.
The tragedy is that most people don’t even know why their credit score is low, or what to do about it. One could write a book about ways to improve your credit (perhaps I could write another post about it, comment if you would be interested!), but for now let’s look at who the heck these credit “agencies” are, and how they managed to get to make all decisions for the country about who is a “good” and “bad” financial citizen.
The “big three” credit agencies that are used as sources for individual credit scores are Equifax, Experian and TransUnion. While they each have different founding stories (Experian actually dates back 200 years), they each started as a way for creditors to have access to a list of “good consumers” that they could trust. This was to defend against bad actor consumers, and allow creditors to be more generous with amounts they lent without exposing themselves to too much risk.
So, the first thing to understand is that credit agencies were built, first and foremost, for creditors (i.e. banks, lenders, etc.). They were, of course, *not* designed and continue to not be designed for consumers.
The second thing to note is that despite the credit system being foundational to our economy and society, the government did not appoint them, nor does it oversee them. The words “agency” and “bureau” give them undue legitimacy — they are simply for-profit corporations that are seeking to provide a product (your data) to their customers (creditors and businesses).
Each agency simply gained prominence as a business, and eventually the three of them became the standard sometime around the 1970s, when credit cards really took off. At the time, creditors were getting screwed left and right, and there was a strong need for some sort of system to protect from bad actors. The demand for the “good and bad lists” grew, and eventually businesses across the country started leveraging these scores to help make their financial decisions on behalf of customers.
So, the “need for credit” is hopefully clear now (in reality, that need was dictated by Keynesian monetary policy which has caused far worse problems, but that’s a whole post in itself)… the problem is that these agencies are doing a terrible job at providing credit. Specifically, they offer very little transparency, make decisions that are often arbitrary, and heavily penalize those who they choose to deny access to credit to. Worst of all, they give consumers little or no control over their own credit data. If you’ve heard the news lately about China’s social credit system which would deny citizens rights to being able to travel, and think that’s crazy — well, our credit system already does penalize people in similar ways. It’s just not run by our government (usually that’s a good thing, but these guys have managed to outdo even the government in incompetency), and the consequences are different but arguably even more fundamental to life (e.g. you cannot buy a car or a house, or even rent an apartment).
While Experian and TransUnion have their own massive flaws, let me focus on the star of the proverbial Dipshit Display today: Equifax. Where do I even begin? I can’t even pull a narrative around all these, so I’m just going to share a few that come to mind. It’s worth noting that every time I was about to publish this post, another one would come up… but I had to stop at some point. Here goes…
Equifax knew about the breach for MONTHS, and was warned multiple times, but chose to do absolutely nothing. This is worse than incompetence — it’s outright criminal negligence.
When the breach became public, they put up a website designed to tell you whether or not you were at risk of the breach. This website was utterly pointless, since pretty much all their data was exposed. Still, they managed to make a useless website *harmful.* To this day I’m still honestly shocked at how horrifyingly bad this website was… here’s why:
To find out if you were “at risk”, you had to submit your SSN just to get the info, and that would sign you up for their credit monitoring service. This wasn’t optional — you either get to find out and sign up, or you don’t get either. Yes, they gave the service away for free for one year as a gesture, but the truth is you’ll need monitoring for life now. And who the hell wants to trust EQUIFAX to monitor your credit?
By agreeing to it you would unknowingly agree to forced arbitration. This was part of a hidden clause in the agreement to sign up for monitoring. Forced arbitration means you cannot ever take a case against them to court, and cannot participate in class action lawsuits. Yes, they really did that (although later once there was enough public uproar, they backed down and changed the policy). Think about how evil you need to be to do this on a website designed to inform users of how badly you just screwed them over in a massive breach? Honestly, this is cartoon villain stuff.
If you read my earlier post on the breach, one of the things you’d be doing is setting up a credit freeze on the three agencies. Of course, with Equifax, this comes with fun additional breaches of security! Specifically, when you create the freeze on their dilapidated site, you get a “secure” PIN. This unique one-time PIN can then be used to unfreeze your credit at a later time. Unfortunately, the way they generated them is to simply take the timestamp of when you requested the freeze. This is incredibly insecure, and means that an attacker who had your data through the breach could EASILY generate your PIN by just trying a small set of timestamps since the breach and unfreeze your credit without you even knowing it! There’s literally too much incompetence here for me to keep up with. Good LORD.
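To make the weakness concrete, here is an added example (not code from Equifax or from the original post) that contrasts a timestamp-derived PIN with one drawn from a CSPRNG and includes an audit check for flagging stored PINs that need to be reissued. The 10-digit `MMDDYYHHMM` layout, the 30-day window, the sample dates and all function names are assumptions made for illustration.

```python
import math
import secrets
from datetime import datetime, timedelta

FMT = "%m%d%y%H%M"   # assumed PIN layout: minute-resolution timestamp, 10 digits
PIN_DIGITS = 10


def timestamp_pin(requested_at: datetime) -> str:
    """Weak scheme from the text: the PIN is just the time of the freeze request."""
    return requested_at.strftime(FMT)


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Hardened scheme: every digit comes from the OS CSPRNG, unrelated to time."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def is_timestamp_derived(pin: str, earliest: datetime, latest: datetime) -> bool:
    """Audit check: does this stored PIN decode to a moment inside the window?"""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        moment = datetime.strptime(pin, FMT)
    except ValueError:          # e.g. month 13 or hour 25: not a timestamp
        return False
    return moment.strftime(FMT) == pin and earliest <= moment <= latest


def guess_space(window_days: int = 30) -> dict:
    """Compare how many PINs are possible under each scheme, as a count and in bits."""
    weak = int(timedelta(days=window_days).total_seconds() // 60)  # one per minute
    strong = 10 ** PIN_DIGITS
    return {
        "weak_candidates": weak,
        "weak_bits": round(math.log2(weak), 1),
        "strong_candidates": strong,
        "strong_bits": round(math.log2(strong), 1),
    }


if __name__ == "__main__":
    start, end = datetime(2017, 9, 1), datetime(2017, 10, 1)   # constructed window
    pin = timestamp_pin(datetime(2017, 9, 8, 14, 35))          # constructed request
    print(pin, is_timestamp_derived(pin, start, end))
    print(random_pin(), guess_space(30))
```

A random 10-digit PIN still needs attempt limiting on the verification side; the point here is only that the timestamp scheme gives up roughly 18 bits of the space before any guessing begins.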
When sharing this amazing website with affected consumers, they actually sent out a link to a fake phishing website instead. MULTIPLE TIMES.
Once the CIO knew about the breach, they decided to sell stock (almost $2 million worth) before it crashed from the breach news. I can’t even make this stuff up.
In February of this year, Equifax revealed the breach was even worse than they thought. Super duper surprising!
Honestly, every time I’m about to publish this post, they f*&! up again and I have to add another entry. I’m just going to stop now, but you should assume there is much, much more to this list…
OK, hopefully you get the point by now. Our entire American economic lives are mostly dependent on credit, which is managed by a group of private agencies, one of whom is Equifax, which probably deserves its own movie just to discuss all the various ways it is awful and evil and a colossal failure in every way.
So, how do we get out of this mess? Well… do you want the bad news, or the bad news?
The agencies were never elected, and so they can’t be voted out. You can’t simply “stop using” an agency: banks and businesses choose to use them and you have virtually no control over their decisions. If you want a loan from a bank, they will rely on these agencies, regardless of your opinion of them.
Can the government help? That would be great! Sadly, the FCC has limited jurisdiction over these agencies; at worst we may see them getting fines, but that doesn’t really help us. Some admirable politicians are really trying, but they can only do so much with limited power. There was a probe to investigate the massive breach and its consequences, but as you could predict, it has yielded nothing and recently it was announced that they were pulling back on the probe. Great…
There is a story about a guy who successfully sued Equifax himself, and won $8,000. It is heartening to see, but the majority of consumers will not have the time or the patience to take such actions. That said, it could be worth it and it’s great to see that at least we can get some justice on a small scale.
Ideally, customers would have their financial relationships on a repository that they control, with full access, preventing them from having to rely entirely on some centralized entity. Some people (even the U.S. government) have hinted about how “blockchain technology” could be useful here, and there is even a company (Credito) working on this, building a global credit system on the blockchain. I’m not bullish on such solutions. I have done a lot of studying into Bitcoin lately, and am pretty convinced about its potential, but am entirely unconvinced of the basis for all these “blockchain apps” that launch their own tokens. It’s probably a good topic for another post, though I did a tweetstorm on it. Still, I am in favor of any kind of research to get us away from the existing credit system in America.
Alternatively, Bitcoin could save us from this plight, by simply enabling people to be less reliant on credit in general (even if the credit system doesn’t change, people can liberate themselves from using credit as much, or at all). Bitcoin does not have any central bank to create money, artificial or otherwise, and so all money in Bitcoin is 100% backed funds. If you want to learn more about this, check out this great post on Bitcoin on monetary policy.
Hopefully this post is a strong reminder to you to be aware of the current risks with credit in America, and encourages you to take appropriate precautions. Not just right now, but on a regular basis. Spread the word, and stay safe!