March 15, 2005

Update: DON’T Get Your Free Credit Report Online (SSL Can Be Compromised)

Filed under: Privacy/ID Theft — TBlumer @ 10:59 pm

In a previous post on how to obtain the free annual reports (one per bureau) you are or will be entitled to get by law once every 12 months, I suggested that going online to annualcreditreport.com would be safe as long as you took very careful measures to ensure that you are at the right place.

In light of a Wall Street Journal article today, “Cracks in Computer Security Code Raise Red Flag” (not linked since it requires a paid subscription), I hereby retract that suggestion:

With worries about online security already at a high pitch, the discovery of a crack in a widely used Internet encryption technique has raised another red flag among government agencies and computer-code experts.

The technique, called a “hash function,” has been used for years by Web-site operators to scramble online transmissions containing credit-card information, Social Security numbers and other sensitive data. Hash functions are at work, for instance, for most of the millions of transactions that take place on the Internet every day. The system, involving an algorithm, or mathematical formula, was thought to be impenetrable.

But last month, a team of researchers from Shandong University in eastern China began circulating a draft of a paper showing that a key hash function used in state-of-the-art encryption could be less resistant to an attack by hackers than had been thought.

…..Cryptographers say exploiting the flaw for malevolent purposes doesn’t seem practical, even using a lot of computer power. Hash functions are also often used in conjunction with other cryptographic techniques, which haven’t shown any flaws. But if someone were to exploit the newfound flaw, the most immediate threat would be to applications involving “authentication.” A hacker theoretically could set up a dummy Web site that appears to have the security credentials of a trusted, secure site — and then steal data that is shipped to this site by unsuspecting users.

Experts say the research weighs particularly on the technology underlying secure Web sites. An online-banking site, for example, displays a “certificate” of authenticity to a Web browser, which then compares it, using hashes, to a third-party certificate repository to be sure the site actually belongs to the bank.

…..(Researchers were able to) produce two different certificates with the same hash — something that shouldn’t happen. The certificates aren’t for real sites.
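What “two different certificates with the same hash” means for the browser check described above, as an added illustration that is not part of this post or the article it quotes: a toy CA that signs only a digest of the certificate body, the way a real certificate signature covers hash(tbsCertificate). A deliberately tiny 24-bit digest stands in for a hash whose collision resistance has been broken; the CA key, domain names and serial fields are constructed for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for the CA's private signing key (not a real key).
CA_KEY = b"demo-ca-key"
DIGEST_BITS = 24  # deliberately tiny so a collision turns up in seconds


def weak_digest(tbs: bytes) -> bytes:
    """Stand-in for a hash whose collision resistance has failed: a 24-bit truncation."""
    return hashlib.sha256(tbs).digest()[: DIGEST_BITS // 8]


def strong_digest(tbs: bytes) -> bytes:
    """A hash whose collision resistance is intact (full SHA-256)."""
    return hashlib.sha256(tbs).digest()


def ca_sign(tbs: bytes, digest) -> bytes:
    """The CA signs only the digest of the certificate body, as X.509 signatures do."""
    return hmac.new(CA_KEY, digest(tbs), "sha256").digest()


def verify(tbs: bytes, sig: bytes, digest) -> bool:
    """What a browser does: recompute the digest and check the CA's signature over it."""
    return hmac.compare_digest(ca_sign(tbs, digest), sig)


def find_colliding_pair(max_tries: int = 1 << 16):
    """Birthday search: vary a serial-number field in two different certificate
    bodies until an honest one and a dummy-site one share the same weak digest."""
    honest = {}
    for n in range(max_tries):
        body = b"CN=trusted-bank.example;serial=%d" % n
        honest.setdefault(weak_digest(body), body)
    for n in range(max_tries):
        dummy = b"CN=dummy-site.example;serial=%d" % n
        hit = honest.get(weak_digest(dummy))
        if hit is not None:
            return hit, dummy
    raise RuntimeError("no collision within the search budget")


def demo() -> dict:
    honest, dummy = find_colliding_pair()
    sig_weak = ca_sign(honest, weak_digest)      # CA only ever signs the honest body
    sig_strong = ca_sign(honest, strong_digest)  # same CA, collision-resistant hash
    return {
        "distinct": honest != dummy,
        "weak_accepts_dummy": verify(dummy, sig_weak, weak_digest),      # True: forgery
        "strong_accepts_dummy": verify(dummy, sig_strong, strong_digest),  # False
    }
```

The CA never sees the dummy certificate, yet its signature transfers to it once the two bodies hash alike; the same check with a collision-resistant digest rejects it, which is why the fix is to stop accepting signatures made over a broken hash rather than to tweak the verification code.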

YIKES. Maybe it “doesn’t seem practical” to the “experts.” But if you were going to spend the time to exploit this weakness, where would you try it first? Answer: The place where you can find the most personal data. The annualcreditreport.com web site is the motherlode. Even as you read this, online criminals are surely working feverishly to figure out how to compromise the site.

I give up–DON’T GO THERE. Based on this new information, you simply cannot be certain, even after “verifying” the site certificate, that you’re in the right place.

The low-tech ways to get your credit reports are:

    Phone: 877-322-8228
    Mail: Annual Credit Report Request Service
    P.O. Box 105281, Atlanta, GA 30348-5281

This problem has potentially grave implications for online security in general. As I learn more, I’ll certainly pass it on. I have also noted my changed suggestion on the previous post.

Exhibit A–Why Bankruptcy “Reform” Without Lending Reform is a Sellout

Filed under: Bankruptcy & Reform, Corporate Outrage — TBlumer @ 2:16 pm

So, why would the National Consumer Law Center (NCLC), as noted in a previous post, care so much about the lack of adequate Truth-in-Lending disclosures, and even more about the failure to curb lender abuses, in the Bankruptcy “Reform” bill?

Here is an egregious example of why (if this doesn’t make you turn the walls blue with anger, you’re a better person than me–link requires free registration; also, since this is a week old, apologies for lack of recognition to other bloggers who may have already posted on this):

John Rao, staff attorney of the National Consumer Law Center, one of many consumer groups fighting the bankruptcy bill, says the plight consumers face was illustrated last year in a bankruptcy case filed in Northern Virginia.

Manassas resident Josephine McCarthy’s Providian Visa bill increased to $5,357 from $4,888 in two years, even though McCarthy has used the card for only $218.16 in purchases and has made monthly payments totaling $3,058. Those payments, noted U.S. Bankruptcy Judge Stephen S. Mitchell in Alexandria, all went to “pay finance charges (at a whopping 29.99%), late charges, over-limit fees, bad check fees and phone payment fees.” Mitchell allowed the claim “because the debtor admitted owing it.” McCarthy, through her lawyer, declined to be interviewed.

Alan Elias, a Providian Financial Corp. spokesman, said: “When consumers sign up for a credit card, they should understand that it’s a loan, no different than their mortgage payment or their car payment, and it needs to be repaid. And just like a mortgage payment and a car payment, if you are late you are assessed a fee.” The 29.99 percent interest rate, he said, is the default rate charged to consumers “who don’t meet their obligation to pay their bills on time” and is clearly disclosed on account applications.

If I were Providian, I would have been ashamed to try to collect more than a couple thousand in court (I’m sure others would start the bidding a lot lower). The Judge (Mitchell), who obviously felt his hands were tied in this instance, will have even less discretion under the new bill. Under the new law, all of the high-interest charges and penalty fees go into the “debt pool,” and if he could supposedly “afford it,” the guy could be forced to pay the entire $5,357 “owed” (most of which is really “leeched”) over the next 3-5 years. BALONEY (I said I’m turning the walls blue, not this web post).

OF COURSE, you can argue that the guy was dumber than a box of rocks, and yes, we may not know the whole story. But who in the world, if this guy under the new law would be forced to make full repayment in Ch. 13 (again, because if his income is above the median “he can afford it”), thinks that this would be equitable and fair?

And people wonder why we don’t show a little more love for the moneychangers.

++++++++

UPDATE: Politology has been on the “what do we do?” beat consistently. Go there.

Also, thanks to All Spin Zone for the link and nice words.

Blogrolls for the both of you.

Bankruptcy Bill’s Truth-In-Lending “Improvements” Aren’t

Filed under: Bankruptcy & Reform — TBlumer @ 12:56 pm

Per their web site, The National Consumer Law Center (NCLC) “is the nation’s consumer law expert, helping consumers, their advocates, and public policy makers to use powerful and complex consumer laws to assure justice for vulnerable, low income Americans.”

It appears to be wholly engaged in providing free or low-cost legal services for poor people, and when it has a moment, opines on pending legislation.

Note to “conservatives”–Yeah, they’re funded partially by the Ford Foundation and they’re on the left side of the aisle–and your point is….? Geez, they have a whopping $4 million budget, their tax return says they spent no political money, and y’know, I’m glad somebody’s out there trying to protect people who don’t have the money to pay legal fees. K?

Here’s their critical overview of the so-called “improvements” in Truth-in-Lending disclosures that are part of the bankruptcy “reform” bill (headed “Bankruptcy Bill’s ‘Truth-in-Lending’ Provisions Will Obscure the Truth”):

- The bill promotes misleading information about credit card minimum payments. It requires inaccurate descriptions for consumers of the consequences of making minimum payments while failing to mandate easy access to accurate information about the consumer’s loan balance, interest rate, or minimum payment.
- The bill allows credit card introductory “teaser” rate promotions that don’t place the permanent rate in an equally prominent position and that don’t prevent later rate changes. Credit card teaser rates would not be placed side-by-side with the permanent rate. The bill leaves open the possibility that the introductory rate could be shown more prominently than the permanent rate. Moreover, the bill permits creditors to change the teaser or permanent rate with a change of terms or penalty rate.
- The bill gives creditors license to post inaccurate and hard-to-find rate information in Internet credit card solicitations. Internet disclosures only need to be updated “regularly.” The burden would be on a consumer to contact the creditor to get up-to-date and accurate information. The bill also leaves open the possibility that disclosure information could be posted on a separate page from a solicitation, as long as it is in “close proximity.”
- The major new disclosures provided by the bill cannot be enforced by consumers in court. These limited new protections thus ring hollow and undermine 30 years of effective Truth-in-Lending enforcement.

More detailed info is at the linked page.

If their assessment is correct (and it appears to be), I agree with NCLC. I tell attendees at classes I present that I don’t understand why the card companies don’t just save all the expense of disclosure and say “we get to do what we want whenever we want to, and there’s almost nothing you can do about it.” (And while we’re not looking they say “Nyah-nyah, nyah-nyah-nyah.”)

Why is the NCLC so strident about “boring” disclosures and penalty rates? See this post; you won’t believe what happened to one consumer.