Earlier this week I received a new Mastercard in the mail. But I hadn't applied for one and the first name wasn't right. Identity theft?
So first, call the issuing bank: they would cancel the card. Then I called Equifax and TransUnion; all was good with my credit reports. Whatever was up with this person using my address and a near-name, they hadn't been connected to my credit file. I had the bureaus put an alert on my file just in case, so that extra identity verification would be done for any credit requests. Equifax insisted on charging me $5.65 to put an alert on my file, TransUnion did not charge me. I also called Canada Post to ensure that there were no mail redirects happening.
Then today I received a call from the same bank again, about another credit card application. The call was triggered by the alert on my credit file. The bank said they would request the applicant go into a branch to verify their identity in the hope of “catching them”. Seems unlikely.
This made me want to actually look at my credit file: we'd renewed our mortgage recently, so we knew all was good at that time, but the assertion of the credit bureau people that “nothing had changed” since that event was no longer enough for me. I wanted to see the files myself. And then I thought, maybe I should sign up for credit monitoring too.
First, Equifax. I go through the signup process, creating a username and password. Then I'm prompted to call Equifax for additional verification. Fair enough, in fact that seems a good thing. I call the number, and have to wade through a number of menus, all of which have minute+ preambles. You would think that you'd be given a direct “additional verification” number, rather than a general number. Moving past that, the preambles (verbosity: maximum) prompting me to go to the website were exceedingly annoying: I'd just been on the website, stop wasting a whole lot of my time by telling me to go there first, repeatedly! Eventually, I get a human: a bored male voice answers. He asks me a number of questions to verify my identity, but it seemed he just couldn't get me off the phone fast enough, to the point of being rude. Clearly there is an significant emphasis on call duration or volume. He said I'd get an email with my password. I'm thinking, why, I already set up my password online? But I check, and I have not one, but four identical emails with the password I'd provided online in plaintext. What the hell? What idiot stores passwords in plaintext these days, and sends them over email that way? These people are responsible for the security of our credit information? I'd randomly generated a password unique to Equifax, but still concerning.
I then attempt to sign up for credit monitoring. But it quickly becomes clear that the provider of the monitoring service is a separate company from Equifax and the integration is poor: it seemed I was going to have to enter all my information over again and create a separate account for that product. Given that I decided to just request a credit report (which had nothing unexpected in it).
Next, TransUnion. Ok, their site seems a little more professional, and their credit monitoring, while it is probably also a separate company, seems better integrated. But I couldn't even get past creating an account there. I was asked to provide an user id, but there was no indication of whether I'd picked a unique one. So I went to the next screen, where it said "the information matched an existing account". What does that mean? Was there a userid conflict, or is there already an account with my personal details? Calling them seemed to indicate the first, but I couldn't get any further. Once you get to that screen, there is no way to go back, you have to start over. In the end I gave up for today.
These companies are all about tracking information that is particularly vital, both to financial institutions and the population at large. Accuracy is key and security is critical. But even ignoring the Equifax password security issue, there is a lot of poor design in both the technology and the processes. While the individual items I encountered may mostly just be annoying, it leads me to wonder whether these issues are reflective of the quality of the rest of the systems for these two companies. My experience with both companies doesn't leave me with warm fuzzy feelings about the safety of my credit information.