Advertising Disclosure

Featured Savings Rates

Popular Posts

Featured Accounts

After the Equifax Debacle, Does Your Bank Have Your Back?


The headlines about Equifax keep coming. The latest is the CEO is “retiring”. The fact that he was allowed to retire, instead of being fired has stirred yet more ire. It’s one thing to read about the breach and quite another when you’re a victim.

Sandra Davis (not her real name), shares her story. “I checked the Equifax site after the breach was FINALLY announced to the public, I was informed that my information was at risk. At that time (and after they removed the "you can't sue us" clause), I signed up for the Trusted ID monitoring service and checked my credit reports. Nothing seemed out of the ordinary. Two weeks later, I got a letter in the mail from Radius Bank in Boston, welcoming me to an account I did not open. It's been downhill since.”

She says it has been impossible to communicate with Equifax. “I call at various hours on various days and get nothing. The website is useless. TrustedID sent an email suggesting there's an alert that requires a response but I can't get through to them, either. It's been 10 days of nonstop busy signals. I have checked all my reports and again nothing, put fraud alerts on all, contacted my bank to flag my accounts, contacted all creditors as well. I check all my accounts in the morning and evening. I filed an ID theft report with the LAPD and reported all this to at the FTC and followed the recommended plan.”

We fully expect to see an increase in identity theft cases and a higher risk of synthetic identity fraud because the type of PII exposed in the Equifax breach (social security numbers, driver’s license numbers, etc.) are traditionally the foundation of this type of fraud.
Sarah Clark, VP of product and customer success at Mitek

But with all that, she still had troubling news. “I have now been notified by Stubhub, Netflix, and my bank that there has been a flurry of login activity on my accounts that required me to close out and start again. All I've learned is that nothing is safe, the credit bureaus are NIGHTMARES to communicate with (even the websites are absurdly complex), and constant pro-actively reviewing all your financials will be the only way you'll get immediate information.”

She adds, “The FTC site has been helpful, but I'm the type of person who needs to speak with someone to ask questions and feel informed and empowered. Since no living human exists at Equifax or TrustedID, I can't get help or info from the source which is unnerving and infuriating.”

There are likely plenty more stories like hers and some worse. All this makes you wonder what banks and credit unions require to initiate wire transfers or other types of transfers out of accounts? Do they require info that wouldn't be contained in the Equifax data breach? Do they have an additional verification step?

“Every financial institution varies the method of authentication but the one thing I see most often is the requirement for the customer to come into the branch, pass authentication and then be provided with a remote wire PIN that can be used in tandem with other verification methods selected at random by the institution. Money movement would then mean a variety of security layers, plus PIN,” says John Buzzard, Industry Fraud Specialist at CO-OP Financial Services, a financial technology company that serves 3,500 credit unions nationwide and their 60 million members.

Mitek, inventors of Mobile Deposit and a leader in digital identity verification, works with nearly all the leading financial institutions in the U.S. Sarah Clark, VP of product and customer success at Mitek, shares what they’ve been hearing from their bank and credit union customers in the wake of the breach.

“Many of our customers have expressed that this breach is finally convincing them that relying on personally identifiable information (PII) and knowledge-based authentication (KBA) to verify consumers’ identities is no longer a viable option. We fully expect to see an increase in identity theft cases and a higher risk of synthetic identity fraud because the type of PII exposed in the Equifax breach (social security numbers, driver’s license numbers, etc.) are traditionally the foundation of this type of fraud.”

asking consumers to travel to the branch to show their ID is simply not a viable option in this day and age.
Sarah Clark, VP of product and customer success at Mitek

However, she adds, asking consumers to travel to the branch to show their ID is simply not a viable option in this day and age. “Instead, many financial institutions are moving toward digital identity verification techniques and relying on new mobile technologies to help them. With digital identity verification technology, banks can have customers snap a picture of the front and back of their ID using their smartphone camera. Using computer vision and advanced machine-learning algorithms, the technology is able to instantly determine whether the ID is an authentic, government-issued ID and that it has not been tampered with. The bank can also go a step further by having the consumer snap a selfie. Using biometric facial comparison technology, it can verify that the individual in the selfie is in fact the same person pictured on the ID.  This creates strong identity assurance through two factors of authentication: something you have (the ID) and something you are (biometric facial recognition).”

Greg Scott, an IT and security expert with Infrasupport, shared his blog posts with DepositAccounts. He thinks one way to attack the problem is passphrases. “When I provide a social security number, I don’t prove I’m me, I only prove I know the SSN that belongs to Daniel Gregory Scott.  Same for my driver’s license number, date of birth, mother’s maiden name, and anything else I might know that’s public knowledge.  The shorthand way to say this is, my SSN identifies me, but does not authenticate me.”

That’s the issue. “A private passphrase could authenticate me.  Not a password, but a passphrase.  Passphrases are more secure than passwords because they have more characters and they’re easier to remember than passwords filled with random characters.  The passphrase, “Your mom wears army boots” is more secure and easier to remember than a password, say, “@rMyb00ts!” A passphrase also has an advantage, you control it and can change it any time. “So, for starters, let’s encrypt all that data credit reporting agencies hold about me with a passphrase I control.  Anyone who wants to look at my data goes through me first.  Which gives me all the advantages of a credit freeze with fewer hassles. Nobody can borrow money in my name, because nobody can check up on me with a CRA unless they know my passphrase.  CRAs don’t know the plaintext contents of my data – they only know the encrypted contents.  I control the key, which means I control the access.”

While it sounds good, it may be tough to adapt. Says Scott, “That’s radical surgery.  CRAs will scream about how much work it will require to educate consumers and set all this up.  They’ll also scream because this idea takes away much of their power. Many consumers will also scream about taking on the responsibility to remember a passphrase. And what happens if a consumer forgets their passphrase?  The easy answer – Banks or other institutions can offer a passphrase storage service. And creditors will scream about how it complicates the system and makes offering credit more difficult than before. I plead guilty on all charges.  But we have 143 million reasons to change the system, and either we do it in the private sector or the government will force something down everyone’s throat. And, as a consumer, I should have control over data about me.  Millions of us should have demanded it 30 years ago.”

Editor's Note: For more information and discussion of the Equifax data breach, please refer to Sheryl's article, Why You Should Think Twice About Freezing Your Credit, and these DA forum threads:

hrm   |     |   Comment #1
"Sandra Davis" did a lot of unnecessary work that just caused her grief. Mitek and USAA never quite settled who actually invented mobile/remote check deposits. The "passphase" suggestion isn't useful nor the direction the industry is headed. 2 factor authtication is usually based around 1) something you have, and 2) something you know. The #1 is often a small security device (which displays a code that changes every few minutes or must be attached to your computer/device) but it's costly and inconvient to do for millions of customers hence other schemes like sending a code via email or text mag.
Martin   |     |   Comment #2
There is nothing 100% sure if someone knows and is imitating your profile. If passwords can be stolen so can the security phrases, because somewhere must be a permanent record of your phrases too. We can not change the system after the fact. Every person has his/her own ideas of how should be done, but there is nobody going to listen to the people. We are pawns in the government game, they want 24/7 open files on us and what we do, buy or sell, travel or purchase, talk to and so on.
By the way, your closed bank accounts are never closed in the government files, it may says closed on your report, but all accounts and all transactions are stored in a permanent file forever.
We will never get a full proof system of personal protection no matter what we want or demand, we can not influence anything or anybody, there is higher force that does it for us.
steved   |     |   Comment #3
I doubt Equifax has anything to do with Sandra Davis's problems. They don't have information that would allow someone to log into her StubHub and Netflix accounts. It's much more likely that she has malware on her computer that is enabling hackers to steal her usernames and passwords.
Dunmovin   |     |   Comment #4
Why is anyone doing business with a bank/CU that uses Equifax? Why haven't the Feds taken over Equifax?
CuriousDave   |     |   Comment #9
From a practical point of view, even if banks using Equifax wish to terminate their relationship will need to continue dealing with Equifax until an alternative credit reporting service is engaged. That takes time, especially because of transitional issues and the legal implications of severing their contracts. Also, who knows whether the replacing credit reporting service will necessarily be any better than Equifax? Their employees probably have worked at one or more of the other servicing agencies at some time in the past and the practices of these firms - including some of their lax and/or cost-cutting practices - probably are similar as well. The problem may not be only with Equifax but with the entire credit reporting industry. As for bringing in the Feds, on what grounds? What Federal laws have been broken? The Feds are concerned more with bank money, not with the credit records of their customers nor their privacy concerns.
Dunmovin   |     |   Comment #10
If the Feds have the time to go after NCAA sports payments, etc., they clearly have the time to do what wasn't done in the 2008-9 meltdown, i.e. what is right. As to banks not using Equifax...clear material breach of Equifax going to sue that bank for breach? Get serious! I will not (knowing) be using a financial institution that uses Equifax...reflects no interest in my financial security nor theirs!
deplorable 1
deplorable 1   |     |   Comment #5
Please don't tell me that I'm going to have to change my 100 or so user names and passwords to phrases now. The 2 factor authentication is already a pain in the rear and time consuming. It's as if they think that everyone has just one bank account and credit card. The consumer needs to have more control to change false information with the 3 credit bureaus without having to wait forever and go through miles of red tape. You should be able to call them, verify your identity and have them update your credit profile on the spot after providing them with all the necessary information required. You could send them a pdf file for example. This way you wouldn't need to lock your credit profile and shut yourself out as well. There has to be a better way of doing things then locking your credit profile, waiting endlessly, faxing info and never being able to talk to a real person. The credit bureaus are making big bucks off of our information by reselling it to businesses and back to consumers(talk about a rip off). Isn't it about time that we start demanding some decent customer service from them? They can't even seem to protect our information let alone fix things if there is a problem. I wonder if even any class action will be successful.
Martin   |     |   Comment #6
#5, The main problem is this: Transunion is owned by a division of Goldman Sachs, Experian is an internationally based company that trades in London and the Equifax is the only U.S. listed pure-play company that is regulated by FEC and FTC.
Innovis is the fourth national U.S. consumer credit bureau. Innovis began life as Associated Credit Bureaus before going through several name changes and ownership changes.
Pay Rent Build Credit (PRBC) tracks how consumers manage apartment rentals, gas and electric bills, cell phone and cable bills, and more.
Dun and Bradstreet is the acknowledged leader in this space. D&B collects third party trade information, utilizes agents to inspect business locations and the interaction with consumers and data files. is now the second largest business credit bureau. They recently purchased the business information reporting division from Experian, which had been the number two provider until divesting the business unit after the financial meltdown in 2008.
There may be hundreds of regional and affiliate bureaus. Each of these organizations is an independently owned and operated business that collects and stores consumer lending information but disseminates the data through one or more of the three national consumer-reporting agencies: Experian, Equifax, or TransUnion.
The Medical Information Bureau is a non-profit member organization that collects stores and shares underwriting information for use by health and life insurers. The data are used to determine an individual’s risk when applying for life, health, disability income, long-term care, and critical illness insurance policies.
And many others alike collection agencies feed data 24/7 in all of the above. None is regulated or there is a list of what is allowed or not, to be inserted in anyones credit file.
The complexity is mind boggling and can not be solved with complains or other make shift regulations.
deplorable 1
deplorable 1   |     |   Comment #13
I had no idea there were so many of these stealth consumer reporting agencies! Apparently there somewhere around 400 of them. I searched online and found this:
I had never even heard of most of these. And people think a credit freeze and or lifelock is going to protect them. Equifax is just the tip of the iceburg.
Bozo   |     |   Comment #7
Deplorable 1 (re comment #5), I suspect the tension is always going to be "security" versus "convenience". For example, the Patriot Act already erects barriers to jumping on "hot deal" CDs. Should you need to "unfreeze" your credit report(s) as well, to open a hot deal CD, that just further complicates things. Brighter lights than I in the financial services industry may finally come up with a solution. One solution, oft-discussed here at DA, is a rate-lock for CDs. Example, you find a hot deal, and want to apply and transfer funds. Your rate is locked at the time of application, subject to compliance with Patriot Act compliance and accessibility of your credit report. Once that is done, your rate upon application is confirmed, and interest would commence at the date the funds were received.

Now, does that sound so complicated?
Jersy   |     |   Comment #8
Privacy has been dead for some time.
The problem is most people were unaware or indifferent to events unfolding before them. Have friends over for dinner and then see your house and your family posted on their FB pages. I trust almost no one anymore, including many family members. It's a sad new reality created by power hungry technology charlatans.
DCGuy   |     |   Comment #11
This is the same CEO who just in a speech in the summer was looking to double the company's profits and glorified how the company has access to more data than the Library of Congress. He preached how the company could expand on their data mining processes to get even more detailed information on the people that they have on their database. Just who gave these credit bureaus all of this information? Credit card companies and lenders. Who is an expert in cybersecurity? Well, it seems not the credit card companies, lenders, and credit bureaus. The internet was never made to be secure, so when you put your information for pubic access 24/7, you are setting yourself up as a "sitting duck". The internet was created to allow continued communication in the case of a nuclear war. If the communication link gets taken down in the future, all hell will break loose.
DCGuy   |     |   Comment #12
I meant public and not pubic access, but you end up getting ****ed both ways. LOL
Martin   |     |   Comment #15
DCGuy comment#11,
You wrote: "Just who gave these credit bureaus all of this information?", please read comment #6 for more info, furthermore, every time you pay by Debit or Credit card or check or even cash the data is fed at the very moment to all of the credit bureaus.
There is camera at every cash register in any store and the face recognition is applied to everyone while transacting or paying the cashier, yes, even cash transactions are referenced to you, including the ATM machines you withdrew the cash from,

(anyone depositing or withdrawing cash at all ATMs, a picture of your face is sent to all relevant departments, private or government and when you purchase using the cash, your face is referenced to the previous d-bases of your face taken at various places of business, including bank tellers windows and your DL picture on file).

There is no escaping the "big brother", the data collection machine.
???   |     |   Comment #14
moot at this point but Equifax say 2.5 million more added to breach total
Martin   |     |   Comment #16
I think everyone profile is stolen, 2.5 million is just a PR stunt. Why would the thieves spare anyone, all of the records where in the same d-base servers or backup computers or archives at third location (federal law require storage in at least 3 different places for a national d-base to be stored, in case of fire, flood or earthquake and in at least 3 different geographical locations).
Kaight   |     |   Comment #17
Heard the skunk who used to be head of Equifax will answer questions posed by Congress today. I'm betting on a circus.  What you will witness there is a skunk being interrogated by other skunks. Congress could fix this if they had the will and the necessary integrity. But the Republicans who run Congress work for their big corporate donors, NOT for the people. The Democrats in Congress are a lot better, except when you elect any Democrat you are voting for communism and Hispanic/Muslim invasion. Thus, within neither party are the best interests of the American people paramount.

Congress: WABOA
Martin   |     |   Comment #18
#17, you are slightly off on your observation. All of the democrats in the present congress are globalists, stand for open boarders, open invasion, will give amnesty to all illegals, stand against sovereignty of USA, want 100% of the UN agenda 21 implemented, want single payer health plan, want to make most Americans poor by encouraging the manufacturers to move abroad, want unlimited printing of money and total destruction of the US dollar and the list is almost endless, but you get the picture.
Just look at CA sanctuary state for the illegals, now imagine it implemented to all US states should they get a full control of the next congress or the congress after that. There are no more "real" democrats left, you can twist and turn around and protect them any way you want, but the final outcome is destruction of America. There are plenty of GOP traitors in congress right now, therefore, nothing can be done for the benefit of the people. GOP or the DEM in the present congress need be replaced with real Americans, forget the divisive view, I'm democrat or I'm GOP and therefore will vote for the lesser evil, it has proven not to work.

Only as united Americans we can change this nation to serve the people, otherwise, drawing ideological party boundaries, works for the detriment of ourselves and this country. Divide and conquer is the present mantra of the DEMs and GOP sits asides and allows it to happen. Both parties are guilty of treason.
deplorable 1
deplorable 1   |     |   Comment #21
Well said Martin. I can see like myself you are not under the illusion that Republicans are all wonderful either. They can't even get the votes to repeal Obamacare and they are supposedly in control. No matter what side you vote for it is the politicians who are in control of the country unless something changes.
???   |     |   Comment #19
Get a room!
Bill   |     |   Comment #20
Good post Kaight,
Each party has their own negatives .
The republicans won't and can't fix healthcare and the Dems what everyone to come in and get benefits.
Martin   |     |   Comment #22
Bill, there are 83 overlapping federal welfare programs that cost taxpayers $1.03 trillions a year. How long you think this country can last paying that amount or borrowing from China to pay that amount every year?
Dunmovin   |     |   Comment #23
And, the big one...the military!
bill   |     |   Comment #24
Forget about Globalist, new world order, and socialism. There is nothing you can do about it. Socialism is coming no matter what because things have gotten too expensive for the avg. person. Healthcare will be free as well as collage. Universal pay is discussed everywhere now, its all coming. The 2008 fin. crisis and low % rates probably moved the timeline up by 15 to 20 years.
Its fun to talk about conspiracy but it will get you nowhere.
For future retirees, well, its going to get very tough to make it.
DCGuy   |     |   Comment #25
When you are born matters big time. If you were born in the 1920s, you had to deal with WW2 and the draft. If you were born in the 1940s to 1950s, you had to deal with the Vietnam War draft. If you were born during the early 1900s, you had to deal with the Great Depression. I am part of the Baby Boomer generation and will retire soon. I will receive pension, 401(k),, IRA after I retire (besides my savings reserve). I owe zero debt. For those just starting their work careers, some may never retire in the future due to lack of retirement funds. You cannot turn back the clock or go forward in time so that you can be living in a more prosperous period for yourself.
deplorable 1
deplorable 1   |     |   Comment #26
Well Bill I try to at least vote against it whenever possible but you are right we really don't have any control which is why it's so darn frustrating. What is universal pay? Let me guess It's like a welfare check for anyone with a pulse. It's like the participation trophy except with a paycheck. Do you guys really like the way we are going?
Martin   |     |   Comment #30
In socialism everyone will have to contribute. You can not separate yourself from the masses and can not sleep until noon and wait for the check in the mail. There will be boot and work camps waiting for you.
Martin   |     |   Comment #31
The above comment was meant for bill#24.
Att   |     |   Comment #27
I don't think a bank should do a credit check when you open a deposi account. The Patriot act requires that the depositor identification be verified by the financial institution.
Kaight   |     |   Comment #28
You are, of course, correct. The excuse I have heard on this one, from a bank, it that the credit check is routinely performed as result of standardization of incoming customer processing, and in anticipation of customer opening additional, possibly DD (demand deposit), accounts in future.

Years back I discovered a hard pull which took place when I deposited a very large sum of money at a bank where I was a new customer. There was no checking account. I complained bitterly. The bank wrote a letter to the credit agency rescinding the pull, and copied me. This spoke very well of that bank in my view.
Luvcd   |     |   Comment #29
Kaight/Att, I recently had a client that had only a checking acct. with historical over 5 digits in deposits (no overdraft protection, i.e. "bounce any overdraft check!" mindset) and safe dep boxes (and a bennie on a large IRA CD) have her credit report pulled (been a bank customer for several decades and no credit app ever) and saw it on the annual report. Thinking Wells Fargo, she finally got an answer saying it was her bank that pulled the report and it was for "account review." What? She had a freeze with the credit reporting agency and all to no avail.

What's your take...even if only your money in an account does that entitles a bank to order a credit report w/o your consent or knowledge?
Att   |     |   Comment #32
I think the freeze is to prevent opening new credit? I think they can still do a check on your credit even though you have a freeze. In many states your credit score is one of the factors that decides what your car insurance premium.

The financial institution, product, and APY (Annual Percentage Yield) data displayed on this website is gathered from various sources and may not reflect all of the offers available in your region. Although we strive to provide the most accurate data possible, we cannot guarantee its accuracy. The content displayed is for general information purposes only; always verify account details and availability with the financial institution before opening an account. Contact to report inaccurate info or to request offers be included in this website. We are not affiliated with the financial institutions included in this website.