TransUnion is Failing Cybersecurity
As a victim of the #CapitalOne breach, I received free credit monitoring through @TransUnion "mytrueidentity" service. I signed up and my account was immediately locked. So, I had to call customer service (three times!) and ended up speaking with a supervisor. Here is how it went. It got really interesting when he asked me to confirm publicly available information about my account!
After asking for my social security number, I told him I would not give such information. He could ask for other information to confirm my identity. After going through the motions of him objecting, he finally understood the error of his ways. We moved on to other information.
Do I have a mortgage? Yes, and I told him the bank. Then he asks the monthly amount. Hell, I don't know. I don't pay the bills in my house. Ask for something else. After all, my mortgage is held by a popular bank so I could have guessed.
Do I have a car payment? Yes, and I told him the institution. Again, what is the monthly amount? I don't know and explain to him that look, the institution I gave you is not a well-known institution so there is very little chance I guessed it. What else can you ask?
He moves on to prior residential addresses. I give him my current address which I have lived at for almost 20 years. Nope, not good enough he says. Anyone can look that up he says. OK, so I rattle off the 4 previous addresses going back 40 years. Still, not good enough. I provided the street numbers, street name, city, and state. Nope, that is incomplete information he says. Hunh? Why?
You didn't give me the full address. There was no zip code.
Wait. What??? I give you the street number, street name, city, and state and yet that is not complete information? After 10 minutes of going back and forth over how stupid this is (and this was a Supervisor I had been escalated to after being hung up on twice!), I say, "OK, you want me to confirm my identity using publicly available information anyone can get on the Internet? The zip code of these towns?" His response was "you didn't provide the complete address."
So, to really test the waters, I said to him, "Great. I'm putting you on speaker so I can use my phone's Internet connection, look up the zip code of AnySmallTown, NY, and give it to you. Hold on." He responds "I will." I verbally walk through the process in real time with him not once, but twice for two different addresses that I already provided. "Let's see, Google.com, anysmalltown ny zip code. Here ya go. The 'complete' address is 123 Main St, AnySmallTown, NY 12345"
His response, "Your account is now unlocked."
How is this even remotely secure? It is a complete disservice to @TransUnion customers and @CapitalOne victims. To be clear here, I provided all of this information before the publicly available zip code:
- Full Legal Name (spelled phonetically numerous times)
- Date of Birth
- Last four of Social Security Number
- TransUnion Account User Name (no one could have this as I just made it up last night)
- CapitalOne Authorization Code (physically mailed to my home address yesterday)
- Both primary, personal Email addresses
- Mortgage Institution (sans monthly payment amount)
- Car Payment Institution (sans monthly payment amount)
- Begrudgingly, my full Social Security Number
- Four previous residential addresses for 40 years of living
And yet, with ALL that personal information, it took the publicly available zip code to unlock my credit report account with TransUnion.
This is a case of policy interrupting customer service and cybersecurity. The addition of the zip code offers no additional layer of security to the conversation especially considering the depth of the information provided already. If someone nefarious is trying to access my credit report on TransUnion, there is already a high probability they have accessed the other credit bureau's information to gain the knowledge I presented. Asking for the zip code does not add any protection to this process.
My TransUnion My"True"Identity account is now unlocked. In it was nothing I hadn't already provided except for the monthly payments. I didn't realize my mortgage was so cheap. LOL
Stay safe and remember your cyber hygiene.
Chris
Disruptive, Executive Human Resources Thaumaturge
5y
I’m convinced that my greatest security protection is how unimportant I am.
Cloud and Security Channel Leader | Accelerating Partner Profitability for Managed Security Service Providers World Wide
5y
Great write up Chris. That guy will be replaced by a bot in short order as he's clearly bound by policy as you stated. So are bots. Maybe once that role is replaced, we may be able to hit 0 to get to a thinking person. I never thought I would actually want to have a bot replace a person (ever) but if that's what customer service looks like then so be it. I feel your frustration. What's so dubious is that this is within the realm of cybersecurity. We are in trouble for sure. VIVA the CS rep with critical thinking skills!