'Security Risk' Blocks U.S. Military Overseas from Free Credit Report Site
No Free Online Access for Millions of U.S. Citizens
Four years ago, the U.S. Congress mandated the creation of AnnualCreditReport.com, a site that gives consumers access to free copies of their credit reports. But millions of U.S. citizens overseas--including several hundred thousand members of the armed forces--are unable to access the site. How to place a "fraud alert" with the three major agencies:
The Fair and Accurate Credit Transactions Act of 2003--known as FACTA, or the FACT Act--was designed to protect U.S. citizens against fraud and identity theft by providing easy access to credit information. FACTA requires each of the three major consumer credit reporting agencies--Equifax, Experian, and TransUnion--to provide consumers upon request with a free copy of their credit report once every 12 months.
A credit report details a person's financial history, measuring timeliness of credit card payments, loans and other liabilities, based on data from banks, merchants, creditors and courts. Credit reporting agencies sell this information to businesses that use it to evaluate your applications for loans, insurance, credit, employment or renting a home. Credit reports compiled by Equifax, Experian and TransUnion form the basis by which a credit score is calculated.
In a Dec. 4, 2003 statement, the White House lauded President Bush's signing of FACTA into law, noting, "[The act will] help ensure that all Americans, of every income level and background, are able to build good credit and confront the problem of identify theft."
But access to AnnualCreditReport.com is denied to Americans living outside the United States. This includes not only students and private citizens, but government employees and military personnel, including combat troops in Afghanistan and Iraq.
Their attempts to access the site outside the United States are met with the following notice:
"The AnnualCreditReport.com website is only accessible through ISPs (Internet Service Providers) located within the United States and its territories."
Supporting the Troops?
WebWatch confirmed with military personnel that the site cannot be accessed through traditional land-based Internet systems in other countries.
The United Service Organizations (USO) is a key link to the outside world for many U.S. military personnel. The USO provides services--including Internet and email access--to 1.4 million active-duty service members and 1.2 million National Guard and Reserves, as well as their families, at more than 130 centers worldwide.
WebWatch recently asked USO personnel around the world to log on to AnnualCreditReport.com from computers used by the troops. From Europe to Asia, all attempts were met with the same boiler-plate response.
Yet there seems little doubt the law--and even the Web site itself--was created with members of the military in mind. In fact, AnnualCreditReport.com's home page is illustrated with a photo of a soldier in battle dress uniform.
For those users who choose to order the free report online, the "Select Your State" drop-down box includes options for "Armed Frcs Europe" and "Armed Frcs Pacific." In addition, the law that created the Web site includes a clause pertaining to "Active Duty Alerts," specifically addressing the needs of military personnel called to active duty.
This passage provides the authority for members of the Armed Forces--or individuals acting on their behalf--to institute a "fraud alert" for at least 12 months, as a precaution against identity theft, especially while such personnel are overseas and particularly vulnerable to this type of crime.
Experts say military personnel are prime targets. "If you're on patrol in some remote location, you can't check email," says Mark Phillips, a spokesman for USO. "Some of these folks don't even have telephone access."
Lack of Access a Violation of FACTA?
The Federal Trade Commission, which is responsible for enforcing FACTA, said it was unaware of the problem. "It's the first I've heard of it," said FTC spokesman Frank Dorman, when contacted by phone.
Later that day, Dorman sent WebWatch the following e-mail: "The nationwide consumer reporting agencies have stated that AnnualCreditReport.com does not accept foreign IP addresses due to concerns about security of the operation of the system. They own and operate the Web site, and only they can comment on whether changes will be made to the system in the future."
In an attempt to discover whether the lack of overseas access for U.S. troops was a violation of the act, WebWatch contacted the office of Rep. Spencer Bachus (R-Ala.), the lead sponsor of FACTA, who in 2003 was Chairman of the House Subcommittee on Financial Institutions and Consumer Credit and is now the ranking Republican on the House Financial Services Committee.
Tim Johnson, a spokesman for Bachus, declined requests for an interview with the Congressman and referred all questions the House Financial Services Committee.
At press time, calls to the Committee had not been returned.
The Big Three Respond as One
After FACTA's passage, Equifax, Experian, and TransUnion created a joint venture company, Central Source LLC, to oversee the management and operation of AnnualCreditReport.com.
When contacted, the companies referred all inquiries to the Consumer Data Industry Association (CDIA), a Washington, D.C. trade group representing credit reporting agencies and other related industries. "Yes, we're aware of it," says Stuart Pratt, president and CEO of CDIA, when asked about the inability of U.S. citizens to access AnnualCreditReport.com abroad.
Pratt recalled negotiations that took place as the site was constructed: "We were willing to share as many IP (Internet Provider) addresses as the military would like. Today, the offer still stands. In fairness, they probably didn't understand what we were asking...The military was uneven in its response back to us. They had [security] concerns about it."
Pratt says AnnualCreditReport.com must balance the needs of about 5 million citizens overseas and about 200 million within the U.S.--and he maintains the real issue is not just about logging on. "Access is important, but security is equally important," he said. "Our primary risk is denial of service attacks. The majority come from foreign IP addresses and not from U.S. IP addresses. It's a geometric risk."
Although Pratt says they are considering allowing foreign IP addresses, he offered no timeline as to when this might happen. "That's a risk management decision and we are looking at the risks," Pratt said. "It's not static."
When asked why banks and other financial institutions allow American consumers to access accounts from foreign IP addresses, Pratt responded: "Other sites can be taken down if there's a denial of service. We're in a somewhat different position...We must be up and running [at all times]." He states CDIA is exploring new technologies but adds, "There's a stipulated performance standard and that's different than commercial sites that can suddenly shut down."
Snail Mail the Only Option, for Now
So what can members of the military or other Americans living outside the U.S. do? Pratt acknowledges CDIA's "telephonic system" has limitations for foreign callers, i.e. the toll-free number only works for domestic calls. "For most customers, it's probably best to use mail."
Phillips says one way around the problem for military personnel would entail making Annual CreditReport.com accessible to ".mil" addresses. "It wouldn't fix it for the ex-pats but it would fix it for hundreds of thousands of troops around the world."
Lt. Col. Les Melnyk, a spokesman for the Office of the Assistant Secretary of Defense for Public Affairs at the Pentagon, says the military is aware of the problem, and is working with the CDIA "to ensure online access for our service members stationed overseas."
Unfortunately, he explained, allowing all ".mil" addresses blanket access to the site isn't possible, due to a steady barrage of attacks by hackers. Instead, CDIA has agreed to allow access to the site from any foreign IP address under the direct control of the military. "The services choose which IP addresses to provide, and these are green-listed by CDIA," he explained.
But since this process entails the CDIA making exceptions for individual IP addresses on a case-by-case basis, Melnyk concedes, the overwhelming majority of troops still lack access to AnnualCreditReport.com.
"The next step is to get the technical staff from DOD to work with technical staff of CDIA to address any additional issues," Melnyk added. "In cases where accessibility is a problem, there is a simple work-around in that an individual can request the credit report by mail." However, not being able to access the site also means not having an easy way to get that postal address. (We have provided it below).
So for millions of Americans living overseas--including hundreds of thousands of U.S. troops--AnnualCreditReport.com remains off-limits.
Sidebar: Contact Info
How to obtain your free annual credit reports: