March 19, 2014

In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.

Experian 'protection' offered for Target victims.

Experian ‘protection’ offered for Target victims.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one).  But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done.  It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster.  And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”

FRAUD ALERT BREAKDOWN

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

I’m not sure what happened last year, but I believe some fraudsters managed to apply for credit in my name right after my 90-day fraud alert had expired. In any case, I received a call from AllClearID (formerly Debix), a credit monitoring service that I’ve used for nearly two years now. AllClearID called to tell me someone had made several applications for credit with Capital One.

AllClearID quickly conferenced in a representative from Capital One’s fraud team, but Capital One wouldn’t tell us anything about the application unless I gave them every piece of information about me they didn’t already have. We went round and round with Capital One for hours about this, but got nowhere; I refused to hand over more personal information just to prove to them I wasn’t the one who made the application, and each new representative we spoke with made us retell the story from the beginning.

In all, I had several fraudulent applications for credit in my name, and while none of them were granted, each resulted in a “hard pull” against my credit file. Anytime a creditor pulls your credit file for the purposes of checking an application for new credit, it dings your credit score down a few notches. And as Evan Hendricks writes in his primer on the credit industry (Credit Scores & Credit Reports: How the System Really Works, and What You Can Do), “the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums.”

Unfortunately, another thing that often happens with fraudulent applications is that thieves use only part of your real information — mixing your name and Social Security number with an alternate address, for example. This is what happened on two of the fraudulent applications for credit in my name, with the result that this incorrect data was added to my credit file.

AllClearID has been tremendously professional, and quickly alerted me each time Capital One pulled my credit file. But the company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name. The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file, and in scrubbing the fraudulent data from my credit file (actually, that part is ongoing: Trans Union has steadfastly ignored requests to remove bogus addresses on my file, necessitating AllClear’s filing of an official complaint with the Consumer Financial Protection Bureau).

I asked several experts that I trust for their views on credit monitoring services in general, and to explain their benefits and weaknesses. I also wanted to know why none of the credit monitoring services will offer to renew 90-day fraud alerts on behalf of customers.

Julie Ferguson, a board member of the Identity Theft Resource Center, said a lawsuit by Experian against Lifelock effectively killed that service for virtually all credit monitoring services, with the exception of Equifax.

“After Experian sued Lifelock, none of the banks wanted to distribute and sell it as a service,” Ferguson said. “Equifax will still. Nobody else does anymore, not even Experian.”

Ferguson also stressed that there are varying levels of protection services offered by the credit bureaus and private companies, and that although many of them are priced similarly ($10-$15 per month), they vary widely in the services they provide.

Take, for example, the ProtectMyID package that Experian contracted with Target to offer customers following last year’s massive data breach. The service will monitor your credit report daily and alert you of any changes, and includes up to $1 million in identity theft protection insurance. The service also offers users a fraud resolution agent if identity theft does surface, and it provides a free copy of the user’s credit report (Experian is required by law to provide a free copy of your credit report each year anyway, via annualcreditreport.com). Those who sign up for the free service still have to pay extra to see a copy of their credit scores.

“The ‘protection’ provided by these services is really all over the map once you delve into the services they provide,” Ferguson said. “Some will give you credit monitoring only on one credit bureau, while others will monitor your file at all three.”

Avivah Litan, a fraud analyst with Gartner Inc., rattled off a long list of reasons why credit monitoring services aren’t much use to most consumers.

-Most won’t tell you if a new wireless or cable service has been taken out in your name.

-They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.

-They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document.  Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.

-They do nothing to stop tax fraud (typically tax refund fraud) against you.  Same is true for other government benefit programs, i.e. medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.

“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”

DO THESE SERVICES HELP AT ALL?

“They help if it’s too hard for you to look through your free credit report and make sense of all the activity in it,” Litan said. “Also they can alert you faster than the free credit report does, depending on timing of the infraction and when you look at your free credit report.”

Litan added that some services — such as Lifelock — have a few extra bells and whistles. For example, Lifelock sometimes gets information (such as from the Early Warning System) when profile information on your bank account has changed (e.g. change of address).

“They also have access to most mobile carrier account application data,” Litan said. “Equifax has some extra utility company data.  So, some of these firms have access to some extra data than can help in other scenarios.”

While most plans offer identity theft insurance — usually advertised as up to $1 million — most of that is coverage consumers already have under existing laws and Visa/MC zero liability rules, Litan says.

“On top of that they reimburse ID theft victims for some legal fees and some minor expenses like postage stamps,” Litan said. “But if someone takes out a mortgage in your name and now you owe the bank $100k or more – nobody covers that, and that’s what they need to cover.”

Ferguson said credit monitoring services are most useful for people who have already been victimized or for those who are likely to be victimized (by an jilted spouse/lover, or stalker, for example). For those individuals, it makes sense to purchase a plan that offers triple credit bureau monitoring for maximum protection. The main downside of this approach is that a fraudulent application for credit can result in a deluge of alerts, emails and phone calls from all three bureaus simultaneously.

ALTERNATIVES TO CREDIT MONITORING

As mentioned above, placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.

You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.

If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.

A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers  Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”

Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.

Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.


146 thoughts on “Are Credit Monitoring Services Worth It?

  1. Jonathan

    I used to have an account with AllClearId (formerly Debix) when the price was a reasonable $10 per year or so, but I dropped it because the price increased to a very unreasonable $8/month and because I realized after I had refinanced a mortgage that the company had done absolulely nothing during the process to warn me that new credit was being established in my name. About a month later my cell phone rang asking me if I had opened a mortgage, and at that point the damage would have already been done.

    Consumer Reports recommended this year against using any credit monitoring service for this exact reason. You can accomplish the same thing for free by spreading out your free credit reports to once every four months and removing your name from the pre-screen opt out list.

    1. JCitizen

      Although I totally agree with you, and that is how I used to do it – I decided to go with a service from my password management company, because they have built a solid reputation for closely monitoring the security of their servers, and I wasn’t as nervous at having my information there. Also they encrypt everything just in case there was a breach. I get absolutely instantaneous alerts from them right at my computer desktop! I once applied for a loan at the bank and 15 minutes after I got home the alert popped up detailing what, when, and where the requesting agency made the credit inquiry. So far I’ve never been let down by LastPass, going on two years now. I was also able to look at any addresses I’d supposedly lived at, and vetted those as well.

      You can take advantage of the free product as well, which may be the smartest way to go ever. They will alert you to changes, then they even recommend you can contact the reporting services for free, just as you have detailed, but in this scheme you would get timely information, and not waste any free reports until needed. That is the way I see it – maybe someone could read the agreement further and suggest corrections to my understanding here:

      https://lastpass.com/creditmonitoring.php?cmd=showterms

  2. Donna Mendes

    Equifax, no problem, experian would not allow me to place a freeze on our names for me or my husband and there is no way to talk to a person, live on the phone. Does anyone know how to either get a hold of esperian or why they would not allow us to place a security freeze on our lives?

    1. JCitizen

      Others have written good advice on freeze information here, but I have read it can be hard to get anything done, especially with Experian. I bet if you sent a letter they’d have to respond.

      Experian
      P.O. Box 9556
      Allen, TX 75013

      Send all mail CERTIFIED. Certified mail cannot easily be ignored. And send copies, never originals, of all documents.

      Usually if the online process doesn’t work it will redirect you to a page that you can print out, with the forms you need. I’ve never done this for a credit freeze though, but I would think there would also be a choice in this process online.

    2. cienna

      In his article above he states” Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.”
      If this is true it would seem you would not have to contact Experian directly to get it with them as well. At least that is how I interpret it.

      1. BrianKrebs Post author

        Freeze != fraud alert. You can’t enact a freeze with all three bureaus by just alerting one. You need to file a freeze request with all, and any unfreeze requests on individual basis.

  3. Doug Pollack

    This article from Mr. Krebs brings up a number of interesting questions in addition to the one that the title poses (are credit monitoring services worth it?). One that I think most salient, right on the back of the huge Target breach, is whether the current approach taken by companies in responding to a data breach effective for the affected individuals?

    Now let’s consider that there are multiple factors at play in crafting a data breach response strategy. There are regulatory mandates based on state data breach notification laws, and in some cases federal regulations, that require notification of the affected population and have something to say about what content must be included in the notification. Then there is, in many cases, an offer of a free identity protection product (most typically credit monitoring) for some period of time (typically no less than one year) which is done voluntarily by the breached organization.

    As Avivah Litan from Gartner, Inc. notes, the offer of credit monitoring has become a “defacto public response” to a data breach and that this can be done as much or more for “PR” purposes in intent, rather than a result of thoughtfully consideration as to whether this is the most efficacious offering for addressing the potential harms to the affected individuals. Which gets back to the title question as to “are credit monitoring services worth it?”

    I generally agree with Mr. Krebs that “it probably can’t hurt”. It’s like taking your vitamins when you feel like you may be coming down with a cold. They might help. They aren’t the only way for you to get those nutrients, you could always eat healthier and drink a lot of orange juice for extra vitamin C, but it might make you feel just a little better knowing that you’re doing something to address this new risk.

    So given this, two things where I’d like to suggest some food for thought. First, should legislators do more to ensure consumer protection in cases of malicious data breaches? If offering credit monitoring has become “defacto”, and if it isn’t very efficacious, should more or something different be required? Some in the industry have suggested that a more effective solution would be to provide identity restoration services. Rather than using credit monitoring to provide a late, early-warning indicator, maybe consumers would be better off with services to help them out if/when they become a victim of identity theft? (full disclosure: my company, ID Experts, provides fully managed identity restoration services)

    And second, there is the nagging question in the back of my mind as to whether I’m comfortable giving Experian more information about me. By signing up for their credit monitoring, they how have a valid email address and phone number for me. And they also have my permission to send me emails encouraging me to “buy extra stuff”. I’m certain to get offers to upgrade my service and to sign up to pay for service once the free offering period expires. Maybe of even greater concern to me, though, is that Experian is in the business of selling information about me to other companies that want to market “their stuff” to me, among other things.

    So this question of what an organization should do for individuals when they’ve exposed personal information about them in a data breach has many tentacles. Unfortunately no simple answers.

  4. Allan Hilsinger

    Excellent article. Exposes much of the reality surrounding monitoring products and why the average consumer is so utterly confused and misinformed. For the reasons stated in this article, and many more, our firm’s core belief is complete identity theft resolution for all types of identity theft/fraud. When the circumstance of identity theft strikes (and it will strike all of us) we take charge, stop the thieves cold and fully resolve all issues whether it takes two hours or two years. We do this not only for our Members, but also for any relative residing in the Member’s household. It’s an incredible Program, 24/7/365 World-Wide. Why would you pay for something that does not fix the problems? We already know monitoring products are expensive and mostly ineffective. It would be like buying car insurance that tells you that you just had an accident but is only going to fix a portion of your car…you have to fix the rest yourself. Is that something you should pay for? Check us out @ http://www.guardwellid.com We are growing exponentially because we do what we say we are going to do and we do it very well. We protect families, not just individuals.

    1. JCitizen

      No WOT rating – a little too new? Maybe someday.

  5. Bob

    I’m curious about everyone’s thoughts on monitoring/protecting children? Is this something that should be started at birth? I’d be interested to hear any stories out there.

  6. Blanche Dubois

    The market for Credit Monitoring Services (CMS) should determine whether subscribing to any CMS that covers one Credit Reporting Agency (CRA) given that there are 3 others, is useful as to comprehensibility, posting and reporting, timeliness, and cost. But “market” means fully informed buyers and sellers, negotiating on a standardized product. Most CMS buyers are ill-informed if not ignorant of the crucial details of the entire loan underwriting process, and the CMS sellers hype bells and whistles for a very marginal service.
    Even using such a marginal service (“gee, it’s free from Target/Neiman’s, it can’t hurt”) helps delude the post-breach victim that he’ll get real defense with the core threat, the theft of his Critical Personal Identifying Info’s 4 elements (SSN, DOB, drivers license #, name), and his CPII’s mis-use.

    I am not interested in being notified long after the fact of CPII compromise and New Account fraud, by a CMS cheerleader, and then trying to swab up the financial blood on the floor.
    I am interested in PREVENTING the download of my CR to any NEW lender by a CPII thief, even if my CPII was previously compromised by my dentist’s admin assistant needing some ready cash, armed only with a flash drive; or an SQL insertion into my bank or his processor; or me handing my CPII to a “street entrepreneur” holding a gun; or me losing a wallet; or my (previously unknown) now gambling-addicted cousin rifling my financial cabinets during our annual family Thanksgiving dinner.

    That kind of CR download prevention protection is available only from a Security Freeze.
    It is definitely NOT available from a 90 day FA or a 7 year EFA, equally as marginal as CMS.

    What you will spend ANNUALLY for CMS services, you can spend ONE TIME, for a lifetime Security Freeze at each of the four CRAs.
    For your own NEW Credit applications, the Freeze can be lifted 15 minutes after your phone call with your PIN, to a dedicated CRA telephone line for a time specific period. You can get a Security Freeze for your baby, or your adult, but disabled child, or Alzheimered grandma; all stellar CPII theft candidates, along with you. This is 2014.

    FYI: Loan Underwriting Process
    When adverse data is posted on a CPII victim’s CRA Credit Report, it is long after the fact of:
    a) when the ID thief submitted a loan application with the victim’s stolen CPII;
    b) when the lender vetted the application (“CR pull”); and
    c) granted the loan funds to the thief under stolen CPII (“same day loan service?”). Alas, the new loan’s existence will not be reported to the lender’s CRA until the usual date he sends off his “monthly loan performance tapes” to the CRA (1-30 days after loan funds granted);
    d) when that loan went into “arrears”, and after its “late period” (after another 30-45 days);
    e) when the lender reported that arrears to the CRA (see monthly loan performance tapes);
    f) when the CRA got around to posting the adverse data to its CR database (5-10 days), and only then does the victim’s Credit Score really tank;
    g) when the CMS service got around to sending a “Credit Score tank” email advisory to its client (only if the CMS is using that lender’s CRA’s database; delayed further if the CMS is using one of the other three);
    h) when the victim properly interprets steps b) through g) and its meaning for him, whilst keeping his facebook account current and other charming aspects of 2014 tech life.
    Did you follow all that and the players, time, and sequence involved?

    However, there were two lender reported clues (one is murky) to the CRA early in the process that, had they been interpreted properly by the victim alone or his surrogate, would have informed both that his CPII had been compromised. But even if both clues were understood, it would not have ameliorated either the damage or the victim’s lengthy and costly repair effort. Those early points are b) and c) above, separated by 15-30 days.
    Point b) would have been recorded as a “CR pull” at one of the four CRAs that the lender uses. Whether a New lender’s pull would have set off any alarm is problematic, as the victim’s existing lenders routinely do a CR pull (“inquiry”) as a legitimate part of existing loan risk management. New and existing lenders’ “pulls” are reported in the same section of the CR. To add further confusion/murky to that section, some legitimate lenders’ marketers may pull a “credit header” (top of the CR) which that CRA may or may not post as an “inquiry”. By itself, one inquiry has no effect on the Credit Score. A series of them within 45 days should, but not with the sheer tanking effect of an “arrears” post.
    Point c) When the New loan was posted to the victim’s CR at the CRA, assuming the CMS noted it, did the victim understand what this meant? Even if he did, the thief has had his stolen funds for at least 3-10 weeks and a head start. A knowledgeable consumer helps, but what does he do with these CMS alerts when he’s on vacation or out of the country, or if/when the ID thief also compromised his CMS notification email account? Hmmmm.
    (The Target breach involved 70 million email accounts, which is gravy sold separately from the stolen PII and 40 million credit cards, by the thieves. Hmmmm.)
    When a CMS says he’ll “stop ID thieves cold”, put your hand on your wallet.
    The CRA sloppiness described above and CMS “services” should be low hanging fruit to the CFPB, but they’ve got their hands full fighting pseudo “over reach claims” from the Hill, pushed by bank and credit union lobbyists. But I digress.

    What won’t a Security Freeze stop?
    An illegal alien buying my compromised CPII and using it to get a job in Utah, and registering to vote in many states and DC, for openers.
    But at least I’ll learn about the job compromise when the IRS charges that I deliberately under-reported my income from a chicken chopper job in Utah and they have the W-2 to prove it. Right.
    If your CPII is compromised, you will become intimately acquainted with affidavits and notaries. Did I say this is 2014?
    CPII compromise and data security today is a race without a finish line. Prevent what you can prevent, with a Security Freeze. (Disclosure: I don’t sell them.)

Comments are closed.