Freezing Your Credit

Following up on my post from two weeks ago, I went and did it: I obtained a copy of my credit report and placed a security freeze on my reports with the three major agencies. Here are my impressions of how it went.

Free Credit Report

I’ve never actually requested my own credit report before, in spite of being bombarded by expert advice to do so. Until now.

To get your credit report, copy and paste the following text into your browser’s address bar. Do not trust anyone who gives you a link to click on: those can be faked to send you to a dodgy website that will certainly prompt you for your Social Security Number …

https://annualcreditreport.com

My actual credit report is unremarkable. It’s just a summary of all the credit accounts I’ve had for about the past 15-20 years: credit cards, mortgages, car loans, and the like, including that short-lived Brooks Brothers credit card I signed up for because the salesman told me I could save 15% and then I cancelled the next month and forgot about. And my payment history for each account. Every month. How far back they go varies by agency.

Your credit score is not included in the free credit reports from each agency. You can pay to see it, if you want.

Credit Freeze

A credit freeze is stronger than a fraud alert: it prevents the credit agencies from releasing your credit report to anyone. This stops most forms of identity “theft” (more accurately called “identity fraud”). It won’t prevent some specific kinds of fraud like medical fraud (someone accruing medical bills in your name) or payday loans.

Freezing my report with the three agencies was easy, with one interesting exception. Here’s how it broke down:

  • Equifax (https://www.equifax.com): A credit freeze with Equifax is free at the time of this writing, and rightly so.
  • TransUnion (https://www.transunion.com/): TransUnion wants you to create an account with them in order to freeze your credit, which is questionable. It’s one more password to forget — or for a stranger to “recover” for you! I recommend you use a password manager. If you do, making and keeping a strong password for TransUnion is routine. Then you get the dubious benefit of being able to freeze and unfreeze your credit any time! TransUnion charged me $5 for the freeze. How much they will charge you is determined by state law.
  • Experian (http://www.experian.com/): Here’s where it gets interesting, if you find blatant predatory marketing to be interesting. Experian will freeze your credit for you for $5 if you figure out where to look. To get there, you will have to grope your way past several giant screens trumpeting their identity protection services for “only” $24.99 a month. If I weren’t so disgusted by the price-gouging, I would scoff at their chutzpah. You get better protection by placing a freeze for a one-time fee of $5. For me, I was able to freeze my credit by going through the following menus: “Credit Report Assistance” -> “Security Freeze.”

And that’s about all there is to it. According to the experts I’ve read, credit monitoring services are not worth paying for. You get as much by requesting your free annual credit report, which takes about 20 minutes the first time. You get meaningful protection by placing a freeze on your accounts for a nominal fee. The only catch is you will have to contact each agency again to remove or temporarily suspend the freeze every time you want to switch cell phone plans, rent a new apartment, buy a car, or apply for a loan or credit card. My current feeling is that unfreezing your credit whenever you really need to use it is a lot less hassle than dealing with identity fraud when it happens. By now, nearly every American’s Social Security Number has been released by one of the major data breaches. That credit agencies and government regulators still pretend Social Security Numbers are secret is disingenuous, in my opinion.

Cat photo: Two cats in an office chair

This is why it's hard to get work done.


Protecting Your Credit in the Wake of Equifax Breach

The credit rating service Equifax announced on Sept. 7, 2017 a massive data breach that compromised the private financial information of more than 140 million consumers. The compromised data includes Social Security numbers, birth dates, home addresses, and (in some cases) driver’s license numbers. It’s one-stop shopping for criminals wanting to commit identity fraud — that is, to open credit card or loan accounts in a victim’s name, take the money, and run.

What can a regular person do to protect themselves? This article from IEEE (Institute of Electrical and Electronics Engineers) has good advice. According to the article, credit monitoring services don’t do a lot for you and it’s not clear they are worth the money, but there are a few simple steps you can take that will help. I’m going to try them out over the next few days and will report on how it goes.

How to get updates for Windows 7, long after Windows 10 came out

Like many Windows users, I had Windows 7 on my machine and was perfectly satisfied with it before Microsoft “encouraged” me to upgrade to Windows 10. This “encouragement” included some tactics I consider aggressive, such as making the normal Windows Update utility — necessary to get security patches — install Windows 10 by default.

If you are a Windows 7 user who chose not to upgrade to Windows 10, I have good news! You can still get routine system updates, including security patches, without migrating to Windows 10. Here’s how:

1. Open Internet Explorer
2. Go to http://update.microsoft.com
3. You may get a response saying your browser is out of date. If you do, follow Microsoft’s advice and install Internet Explorer 10, then come back to http://update.microsoft.com

From there, you will see the familiar Windows Update interface.

I tried this today to set up a test machine at work, and it worked great.

I learned the method today from WikiHow (it’s Method 2).

Shewstone Publishing

I’m aware that it’s been more than 2 years since I’ve posted to this blog. This long, quiet period coincided with the launch of 5th Edition D&D at Gen Con 2014. 🙂 2014 was my first Gen Con. Since then my engagement with roleplaying games has been reinvigorated and I’ve been putting my time into world-building, adventure planning, and roleplaying with my friends (plus more than a little Fallout 4).

Another new pastime is my new (tiny) company to publish roleplaying games. Our first product is still a long way off but I have a very clear idea what it will be, and it will be great.

Henceforward, I’ll be posting most of my roleplaying-related articles on my company blog, Shewstone Publishing. Please check out that site for teasers and (eventually) news about my upcoming game.

Why Programming Sucks

I came across an amusing blog post about why programming sucks. I actually like my job, but I have to say, this author really nailed what’s annoying about it.

Understanding Heartbleed

Train wreck at Montparnasse 1895

From a software engineer’s point of view, Heartbleed is a complete train wreck.

This week, a major security bug called Heartbleed was discovered. Technology sites for programmers, system administrators, and security experts have been abuzz about it all week, but I haven’t seen much coverage of it in the mainstream press. I was able to find this article at CNN.com.

In a nutshell, Heartbleed affects a large fraction of the Web sites on the Internet. It enables an attacker to observe any supposedly-encrypted information that goes into or out of an affected Web site. You’ll notice that is pretty much the opposite of what encryption is supposed to do. Any data you send to an affected Web site — including your password, your financial information, Social Security number, anything — could have been seen and recorded by the Russian mob or those Nigerian scammers: anyone. There is no way to know who has been eavesdropping for how long, or what they’ve overheard. The bug existed, undetected, for over two years before it was discovered this week.

This is a big deal. It is potentially much more serious than the Target security breach that made front-page headlines last winter. In the case of Target, we know what data was disclosed (credit card information) and we even know the affected account holders, so we can start to repair the damage and move on. With Heartbleed, we don’t know what data was disclosed, so we don’t even know what the damage was, yet. I expect the aftershocks of this crisis will be felt for a long time to come. I suspect the reason mainstream media aren’t running with the story yet is they lack the imagination to immediately see its importance.

Security expert Bruce Schneier said of Heartbleed, “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

What You Need to Do

On affected Web sites, your secure Internet connection wasn’t secure: any data moving between your computer and that Web site could have been seen by an attacker. Since the Heartbleed bug is now known to approximately every black hat in the world, there’s a good chance someone eavesdropped on any site that had the bug, but didn’t fix it fast enough.

Account passwords are a high-value target and it is likely that many username/password pairs have been intercepted. The only way to rule out yours being among them is if you know how the Web server was configured. Most users don’t know that and most companies don’t tell.

This means you need to change all your passwords — but there is no point in doing that till after companies have fixed the Heartbleed bug. A fix is already available so it is just a matter of time until all the companies’ servers are upgraded with the fix. According to this article from CNN/Money (posted yesterday, April 11), Yahoo, Amazon, Google, and OKCupid have finished rolling out their fixes and are now secure. You can change your passwords there immediately. For other sites, it’s hard to say: banks and financial companies are probably fixed by now, and the rest will have time to catch up over the weekend. So you should stay off secure Web sites until about Monday, and then change your passwords.

Since you have to change your passwords anyway, now is a good opportunity to improve your password practices.


Weather.gov

Today we’re having another winter storm here in New England. I was getting tired of all the advertising (and third-party tracking cookies) at the Weather Channel web site, weather.com. It finally occurred to me that all the weather alerts weather.com was sending to my cell phone come from the U.S. National Weather Service, and the National Weather Service has its own web site: weather.gov.

You can get all the same up-to-date weather information there, without the glitz and flummery of the Weather.com Web site, and without the advertising and tracking. Somehow it took me years to realize this, so I thought I would share.

The Day We Fight Back Against Dragnet Surveillance

The Day We Fight Back banner from the Electronic Frontier Foundation

Feb. 11, 2014 is the day we fight back against illegal, unconstitutional government surveillance.


Today is the day we use the democratic process and our right of free speech to fight back against unconstitutional government surveillance. Please join me, the Electronic Frontier Foundation, the American Civil Liberties Union, and other technology and civil-rights groups in contacting your elected officials and demanding they restore the right to privacy.

If you come across this post and Feb. 11 is already over, it’s not really too late. Call or email your elected representative anyway. 🙂

If you live outside the United States, demand your government stand up for your rights and refuse to cooperate with US intelligence programs, data-sharing agreements, and telecommunications treaties.

Lawsuit Accuses Gmail of Wiretapping

Right after my post yesterday about an anonymous search engine, I found a headline that a class-action lawsuit accusing Gmail of violating anti-wiretapping and privacy laws is set to go forward.

It’s better if you read the article for details, but the gist of the case is that Google uses software to scan, profile, and track email sent and received by Gmail users for purposes of advertising. Non-Gmail users who send to a Gmail address never agreed to have their messages scanned by Google, the plaintiffs allege. Google’s lawyers moved to have the case dismissed, and the judge refused the motion. So, evidently, there will be a trial.