Equifax's dox of America: Sign up for "free" monitoring, get billed forever

Originally published at: https://boingboing.net/2017/09/09/to-unsubscribe-just-die.html

I just signed up. No cc needed.

they have your credit card numbers. this happened to me - they make it impossible to cancel, so i thought no problem, when my CC company issues me a new card, the billing will just stop. imagine my surprise when they were able to keep billing me against the new credit card number.


Don’t worry, they will keep your new cc number safe, they got this fancy box and to keep people from wondering whats in the fancy box they will put it in a cardboard box…problem solved, all of your monies per month please.


I never authorised a charge. Never entered a cc number. Just my last name and last six digits of my ssn.

I have several cards. Which one would they charge? They’ll just pick one and drop a charge on it next year? This feels far-fetched.

1 Like

If they have all the CC numbers, why not create fake accounts and start billing the world?


I got a “free” credit report via Experian (who is cut from the same cloth as Equifax) a couple of years ago and somehow wound up on their $20/month monitoring plan. I did voluntarily pay them $5.00 for some reason but I can’t recall how they convinced me that was normal for a free credit report. Apparently that $5.00 was the first month’s price for the premium plan.

Luckily I used a temporary credit card number with a low limit so the following month I started getting alerts from my bank that charge attempts were failing and Experian eventually started emailing me to let me know my “card” was expired. I told them to kindly fuck off and to their credit (ha ha) they did.

So yeah, I have no doubt Equifax sees this as a huge marketing opportunity to get lots of new subscribers once the year-long free trial is up.


Normally I’d agree with you, but then I look back at the scores of Western Union articles


I have some sympathy for companies that get hacked and then come clean about it through a full public debrief and sincere support to their customers.

Equifax has already blown through my sympathies and it is quickly turning to rage.

This scale of breach has never happened before. I hope this encourages banks and other financial institutions to stop using SSNs as quasi-passwords.


It’s almost like they don’t really want us to use consumer credit.


Could it be the canary of the next bubble burst?


Yes, a lot of people don’t know, but the law was changed so that merchants are able to bill new credit card numbers on the same account as long as they show your bank or credit union that you agreed to the charges, i.e. you entered your cc information on a page showing the intended charges and clicked agree. It’s absolutely imperative to make certain you read everything on the page, even the stuff that looks like a footnote. I wound up “buying” a year of Office 365 I had no use for from Microsoft because I didn’t read that it was being tacked onto a OneDrive account I needed for work. A hundred bucks…poof.

If the merchant fails to offer any means of canceling the recurring charges they tricked you into, you have to try to contact them. Email is best, as you can save the emails you send even if you never get a reply. If they provide no contact information, document your discovery of the fact in detail, describing all the places you tried to find contact info (merchant’s site, google search, ect…). If you do get a response but the merchant won’t cancel the recurring charges, keep those emails. If you get a response saying the recurring charges have been canceled, keep that email (and if you talk to them on the phone, ask for an email confirmation, but email is always better because you can easily document your asking them).

If you can’t get them to cancel or can’t get them to respond, it’s time to call your bank using the number on the back of the credit card and let them know you want to open a dispute on the recurring charges because you’re unable to cancel. The level of help you’ll get here depends on your bank’s customer service. Most major banks will help you open the dispute, but you’ll spend a good deal of time on the phone. Credit unions and other member-owned banks are more efficient, and better to bank with all around.

The bank will provide an email to which to send your documentation of your attempts to cancel the recurring charges. They’ll also place an internal flag on the account so that if that merchant does attempt to charge it again, it won’t automatically go through and a human will have to review it. As long as they’re diligent, they quickly review the documentation you provided and should block the charge.

If the merchant does agree to cancel the recurring charges, but then charges your card anyway, you’ll call the bank using the same number, but this time you’ll open a fraud claim instead of disputing the recurring charges. Depending on the bank, most will credit back the charge to you and eat the loss (since they have no way to get it back from the merchant) while they investigate. Since it’s a merchant you previously allowed to charge your cc at some point in the past, they’ll want to you to send them documentation showing they agreed to cancel the recurring charges, and this is why you want an email confirmation. The bank may also send you a form to physically sign and mail back affirming the charges are fraudulent. If so, make sure to do so or the charge will be re-applied to your card if it was refunded.

It’s all a ridiculous hassle and there’s no easy way to find this information. A far better solution is to do what @Cunk did and use a temporary pre-paid credit card, as this isn’t tied to any account after you use it up and close it.

Either way, never ever give checking or savings account information to a merchant if you can possibly avoid it.

In the unlikely event that a merchant charges a cc they somehow got a hold of but which you never provided them, that’s fraud.

The credit bureaus are a pure undiluted evil menace, but they don’t have the full information needed to charge any credit card which the holder hasn’t provided them. Banks report any activity with them under your identity on an account-by-account basis to one or more of the three bureaus at the banks’ discretion. Banks aren’t required to report your activity, but most do report things like credit line changes, overdrafts, opening and closing accounts, and so forth.

The credit bureaus don’t ask for and the banks don’t give them the full numbers of the account which would be needed to charge them. However, someone with your personal information and SSN can open a fraudulent account under your identity, as Western Union did to millions of its own customers and identity thieves do all the time. That’s why this data breach by Equifax is so bad.

The irony is that the only way to find out if someone has opened fake accounts under your identity is to check for the impact on your credit score with the three bureaus. One could argue that Equifax had an incentive not to keep people’s identifying information secure, since this breech makes millions of new customers for them and they’ll make tens to hundreds of millions off of it by exploiting the very people they’ve put at risk. As I said, pure fucking evil.


You really are a trusting soul, aren’t you. Please. Let me help you with your money!


@anon89609066 is not wrong if he never gave them his credit card. I don’t know if signing up for their bullshit monitoring through equifaxsecurity2017 requires providing a cc number for the first free year, but it’s possible people met with different requirements using it versus the original link on the Equifax site or one of the other numerous ways they’ve tried to sign people up for this over the years, or it’s also possible they removed the requirement after getting bad press for it. Finding out would require I get to that stage by going through the first part of the process, which I’m unwilling to do.

1 Like

Lol, if they asked for cc or had some clause, “we start charging after a year,” then I’d have walked away. But all I did was enter last name, last six of ssn and then they said I’d be enrolled in about a week because they are doing rolling enrollment for some reason, probably load balancing. If they ask for cc at any point, I will not give it. Just don’t give out my info, damn it!

Right. You didn’t enroll or sign up for anything. You’re just now in the queue to be able to sign up for the service.


Well, fuck them, then. They can take their service and shove it up their data breaches.



As noted in yesterday’s breaking story on this breach, the Web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach — equifaxsecurity2017.com
is completely broken at best, and little more than a stalling tactic or sham at worst.
In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.

My advice: Sign up for credit monitoring if you can (and you’re not holding out for a puny class action windfall) and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.