In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.
Experian ‘protection’ offered for Target victims.
Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.
Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).
“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one). But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done. It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster. And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”
FRAUD ALERT BREAKDOWN
Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.
Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.
Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).
I’m not sure what happened last year, but I believe some fraudsters managed to apply for credit in my name right after my 90-day fraud alert had expired. In any case, I received a call from AllClearID (formerly Debix), a credit monitoring service that I’ve used for nearly two years now. AllClearID called to tell me someone had made several applications for credit with Capital One.
AllClearID quickly conferenced in a representative from Capital One’s fraud team, but Capital One wouldn’t tell us anything about the application unless I gave them every piece of information about me they didn’t already have. We went round and round with Capital One for hours about this, but got nowhere; I refused to hand over more personal information just to prove to them I wasn’t the one who made the application, and each new representative we spoke with made us retell the story from the beginning.
In all, I had several fraudulent applications for credit in my name, and while none of them were granted, each resulted in a “hard pull” against my credit file. Anytime a creditor pulls your credit file for the purposes of checking an application for new credit, it dings your credit score down a few notches. And as Evan Hendricks writes in his primer on the credit industry (Credit Scores & Credit Reports: How the System Really Works, and What You Can Do), “the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums.”
Unfortunately, another thing that often happens with fraudulent applications is that thieves use only part of your real information — mixing your name and Social Security number with an alternate address, for example. This is what happened on two of the fraudulent applications for credit in my name, with the result that this incorrect data was added to my credit file.
AllClearID has been tremendously professional, and quickly alerted me each time Capital One pulled my credit file. But the company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name. The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file, and in scrubbing the fraudulent data from my credit file (actually, that part is ongoing: Trans Union has steadfastly ignored requests to remove bogus addresses on my file, necessitating AllClear’s filing of an official complaint with the Consumer Financial Protection Bureau).
I asked several experts that I trust for their views on credit monitoring services in general, and to explain their benefits and weaknesses. I also wanted to know why none of the credit monitoring services will offer to renew 90-day fraud alerts on behalf of customers.
Julie Ferguson, a board member of the Identity Theft Resource Center, said a lawsuit by Experian against Lifelock effectively killed that service for virtually all credit monitoring services, with the exception of Equifax.
“After Experian sued Lifelock, none of the banks wanted to distribute and sell it as a service,” Ferguson said. “Equifax will still. Nobody else does anymore, not even Experian.”
Ferguson also stressed that there are varying levels of protection services offered by the credit bureaus and private companies, and that although many of them are priced similarly ($10-$15 per month), they vary widely in the services they provide.
Take, for example, the ProtectMyID package that Experian contracted with Target to offer customers following last year’s massive data breach. The service will monitor your credit report daily and alert you of any changes, and includes up to $1 million in identity theft protection insurance. The service also offers users a fraud resolution agent if identity theft does surface, and it provides a free copy of the user’s credit report (Experian is required by law to provide a free copy of your credit report each year anyway, via annualcreditreport.com). Those who sign up for the free service still have to pay extra to see a copy of their credit scores.
“The ‘protection’ provided by these services is really all over the map once you delve into the services they provide,” Ferguson said. “Some will give you credit monitoring only on one credit bureau, while others will monitor your file at all three.”
Avivah Litan, a fraud analyst with Gartner Inc., rattled off a long list of reasons why credit monitoring services aren’t much use to most consumers.
-Most won’t tell you if a new wireless or cable service has been taken out in your name.
-They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.
-They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document. Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.
-They do nothing to stop tax fraud (typically tax refund fraud) against you. Same is true for other government benefit programs, i.e. medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.
“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”
DO THESE SERVICES HELP AT ALL?
“They help if it’s too hard for you to look through your free credit report and make sense of all the activity in it,” Litan said. “Also they can alert you faster than the free credit report does, depending on timing of the infraction and when you look at your free credit report.”
Litan added that some services — such as Lifelock — have a few extra bells and whistles. For example, Lifelock sometimes gets information (such as from the Early Warning System) when profile information on your bank account has changed (e.g. change of address).
“They also have access to most mobile carrier account application data,” Litan said. “Equifax has some extra utility company data. So, some of these firms have access to some extra data than can help in other scenarios.”
While most plans offer identity theft insurance — usually advertised as up to $1 million — most of that is coverage consumers already have under existing laws and Visa/MC zero liability rules, Litan says.
“On top of that they reimburse ID theft victims for some legal fees and some minor expenses like postage stamps,” Litan said. “But if someone takes out a mortgage in your name and now you owe the bank $100k or more – nobody covers that, and that’s what they need to cover.”
Ferguson said credit monitoring services are most useful for people who have already been victimized or for those who are likely to be victimized (by an jilted spouse/lover, or stalker, for example). For those individuals, it makes sense to purchase a plan that offers triple credit bureau monitoring for maximum protection. The main downside of this approach is that a fraudulent application for credit can result in a deluge of alerts, emails and phone calls from all three bureaus simultaneously.
ALTERNATIVES TO CREDIT MONITORING
As mentioned above, placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.
You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.
If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.
A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”
Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.
Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.
Brian, you should really highlight on the MANY services that are claiming to be ‘protection services’ but are actually ‘data mining services’. I will retrieve the links from an experience my wife had, where she was lured into a credit report by a company that is beyond “shady”, and whom I am still fighting to get her information DELETED from their systems. I have had to cancel a credit card because of their failure to remove her and stop billing her. Here’s the worst part. They were listed on one of the “big three’s” websites, and their own site has links back to that same ‘big-three’ member. This whole credit monitoring issue is MUCH worse and MUCH MORE dangerous than the thieves who steal information, because these shady companies lure you in, and obtain your permission with misleading statements.
People need to research these companies before they even start typing the first character into a form on the site because you just never know what you’re getting yourselves into.
Call me a socialist or impractical, but I think the credit reporting business needs to be more highly regulated, to the point where their sole business must be credit reporting ONLY and they may not be in the business of buying or selling information or database products except as part of the credit reporting function.
In the lender-credit bureau-consumer love triangle, the consumer is the product, not the customer. Lenders are the customer and this means the credit bureaus have an obvious moral hazard with regard to the data they report — the worse they portray potential borrowers to creditors, the more money creditors make through higher interest rates and fees. This means that the credit bureaus have zero incentive to fix problems or make any effort at ensuring that reported data is accurate. The less accurate it is and the lower your score, the more valuable the information is.
You can’t regulate it – the entire premise of their business model is untenable when it comes to security. There is not a way you can strip information that most often the subject of – aka you and me – don’t want to give away, bundle it and sell it to millions of companies, governments, and security contractors without leaking it all over the place. Basically if they did create a super secret and highly audited framework to lock down the flow of info, the cost would be so enormous it wouldn’t be worth doing. There is also a financial conflict of interest at play – if the consumer has ability to remove things that are questionable then most stuff would get removed because few if any unresolved debts are 100% the fault of the borrower and they know that.
“preventative”? No, Brian, say it ain’t so! The word is “preventive”. Just like “orientated” vs. “oriented”, etc.
“Preventative” is a perfectly acceptable form of the word. You just don’t know it. “Orientated” is also acceptable..
Help stamp out gratuitous polysyllabicity!
Mr. Krebs:
Good looking out for others’ welfare.
Indeed. This is a very timely article!
I had to put a security freeze on my credit a few years ago and it will lapse sometime next year.
There had been a clerical error apparently. Someone had almost the same Soc. Sec. # I had (which was off by one digit!)
A representative from Lifelock recommended that I place a security freeze on my credit for good measure.
Recently I found out that I could not create an online account at SSA due to the freeze!
(Formerly I had an account at SSA)
Anyway, I thoroughly read your article and I’m so glad I did. I found out some information re: my State’s policy on securing / removing a credit freeze about which I was unaware.
I encourage all those who appreciate you and your website to donate to http://www.krebsonsecurity.com.
I did (with no regrets) and you too will find that it’s ALL worth it!
Brian,
I agree, this “credit monitoring” stuff is PR garbage.
You really ought to consider a credit FREEZE. I have one and I love it; I don’t have to worry about any of this stuff. It makes it impossible for anybody to even pull my credit report without me either (a) specifically unlocking it for that creditor or (b) unlocking it for 72 hours.
Unfortunately I’ve found that (a) doesn’t work that well (oftentimes the name of the company doing the credit check mismatches), but then again I don’t apply for credit very often anymore.
This is only available in certain states (California for one). I really wish the Federal government would require the option be offered to all citizens.
In your experience, how long does it take the credit bureaus to lift the freeze after you contact them? I’m wondering how far in advice you need to do it when you plan to apply for credit. Thanks.
I have a security freeze – best thing ever. I don’t recall exactly how much time it takes to lift, but I seem to recall I gave it a couple days last time I tried.
Not a good option for somebody who decides to sign up for a store credit card on the spur of the moment, but great for people who plan ahead and manage their finances.
Thanks for the feedback.
I’ve done it before for the next day. Never tried same day. In general you specify the date range you want the freeze lifted for.
“FREEZING” is thoroughly covered in the article…
hey Brian,
How can you not mention the good folks at creditkarma.com. They provide best service as far as I know. Free monitoring and free credit score, updates every week.
Do they sell your information? There’s gotta be a catch.
What do they get out of this–information they can sell to other companies? There’s gotta be a catch; they can’t be offering this service for free without one.
(Sorry ’bout the double post; I experienced some comment publishing lag time.)
As I posted below, the service has its limitations, but it makes its money by marketing information about “special offers” to its customers, not by selling their personal information. Mea culpa.
creditkarma.com. Free. Very good. I’m not affiliated with them at all.
For anyone who’s interested in this service, be sure to read my post about it elsewhere in this comment section.
Since each credit bureau is required to give you a credit report once a year free if requested, I request one on Febuary 1, from a different bureau on June 1 and from the third bureau on October 1. Not perfect but it is better than getting all three and once and waiting a year to see how much incorrect information has accumulated.
I think I’ll look into the fraud alerts and permanent freezes as those are things I hadn’t considered doing before reading about them here.
Me either! Very interesting useful information! :-bd
Yeah, this is what has been recommended to me. (And what I’d recommend to other residents.)
I didn’t go this way, but only because I planned to Freeze my credit. I requested all three reports at once. I found some minor issues – but I haven’t had the time to yell at the agencies.
Then my information was stolen, I now have free tracking from one of the named services, and I think the requisite Police report for filing for my freezes. I plan to actually deal with the paperwork for freezing my credit in a few weeks.
Note that while Brian talks about the big three agencies (and the plus one), there are also agencies for other countries: http://en.wikipedia.org/wiki/Credit_bureau#List_of_credit_reporting_agencies
Personally, as an expat, I’m recommending my fellow expats go with Freezes for all the countries in which they are no longer actively seeking credit (which should be all of them).
Interesting wiki link! I notice the big three are still involved with the majority of those countries. I would think, surely the data bases would be shared world wide within any one of the big three companies – maybe not. International law could complicate things I suppose.
I hadn’t heard about Compuscan in ages.
From personal experience, credit reporting is not shared worldwide.
If you move from one country to another, you start with essentially zero credit. The only workaround to this is American Express — they offer “Global Transfer” which lets you use your previous AmEx credit to get a new AmEx card in your new region (US, Canada, Europe).
And, yeah, the fact that there is significant overlap between countries is quite amusing / distressing, etc.
I don’t think its international law (which is mostly a myth). It’s probably mostly a mix of each country’s laws (e.g. privacy), as well as how hard it is to correlate people without some globally unique ID. Each country has an identifier, but names aren’t generally globally unique…
I would think creditkarma.com is at least selling your information, the only really truly “free” stuff is exactly what Brian put in the article. And we’ve all heard how this information gets into the wrong hands – reference reporting agencies getting into trouble shown here on KOS!
You would think at least one of these credit watchers would allow freeze re-initiation, so the customer would not have to remember to do it themselves every 90 days. I’ve never trusted Life Lock, I’m not surprised they are already involved in litigation trouble – but I’ve also wondered if the reporting agencies see them as robbing them of the same business – I don’t know what the rules on this are, or if that would be a conflict of interest as seen by the SEC or the CFPB.
As was said by others here, this is a great and very useful article, and KUDOs to KOS for publishing it! 🙂 I definitely signed up for the opt-out pre-screen!!! I hate getting all those offers in the mail, and I can’t just throw them away, I have to shred everyone of them – WHAT A PAIN!! Hopefully I will get fewer of them now. If not, maybe it IS time for a complaint to the CFPB! I hear Richard Cordray is a like a junk yard dog over there! 🙂
Actually, they make their money by marketing offers to their customers, like Mint does.
They can build their database on that model, and then switch to a new model that exploits and leverages their ‘investment’ in the future.
I think a more important question is how will they make their money in the future, say 5 years from now, or 50 years .. or 100.
Building a brand, and then monetizing it is pretty standard practice, so it’s more likely than not in their case as well.
regards,
Lee
This hadn’t occurred to me, so I’m glad you posted it.
Not many people are familiar with the CFPB. They are relatively new compared to the FTC.
I just wanted to add a link:
http://www.consumerfinance.gov/
+1 :-bd
1) I wonder, shouldn’t the credit agencies all be required to buy each other’s data so they can do their due diligence on things like credit freezes and such?
So, say for example someone has notified a credit agency that they don’t want credit, don’t want a mortgage, don’t want credit of any kind, and any such request for credit of any kind whatsoever, in any form, is fraudulent.
First question: Would the other agencies be negligent if they didn’t check with each other? I mean, they do SAY they do due diligence.. but it appears they do not even do the most simple tasks, such as pay the other credit agencies to check their data. They all pretend they operate in a vacuum.
Second question: if someone had them put a note on file that requested a credit freeze but objected to paying them protection money and they continued to operate as though there was no credit freeze, where would the liability be?
In other words, once they are notified, whether they demand $10 or a $1,000,000 becomes moot. They have been notified of the request. My advice to the credit agencies is that they would be wise to effect the freeze without the ransom demand. 🙂
2) I think folks see the ransom demand of $10 for what it is, a way to put a barrier to folks opting out of their credit data business model. I recognize not everyone can take the ‘no credit at all’ approach, particularly if they want or need to play the credit game.
3) It’s also interesting these problems are happening after decades of ‘credit expansion’. In some ways it’s another delayed price to be paid for that unsustainable economic model. It’s also interesting many folks have an anchoring bias towards that period where the party was full swing and the price to be paid was in the future. We are in what PIMCO termed ‘the new normal’. So long as the pie was growing at a good clip these sorts of ‘glitches’ would be buried in good looking numbers (e.g. GDP growth that was still 4+%). As we get to smaller arbitrage economics (to distributive economics) these unpleasant inefficiencies become more apparent.
It’s clear we need a revamp of the credit regulations, but hey, looking to Congress is a waste of time also.
Great article, brian. I think it’s one of your best yet.
The credit bureaus compete against each other, so they wouldn’t want to coordinate like that, I would imagine. They’re in the business of providing information to companies looking for new customers, or keeping tabs on their current ones. Making sure the information is correct isn’t their primary concern.
I guess I should have made it clear they don’t want to buy each other’s data. (of course they don’t, they want the muppets to have to buy the data, but nooooOOOooo.. perish the thought that they be required to pay list price for their own product!) 🙂
By definition, not checking the other reports, particularly when they have been alerted that ‘there is something there’ is negligent in my book, and I suspect many juries would find likewise.
Their information grabbing tentacles keep getting deeper, sooner or later someone will come up with a way to inject false/extra info by the millions to them all to the point their data is worthless. Sooner or later the government will have no choice but to shut them down as their constant breaches and intrusions start to hit home.
Unfortunately the ability to inject information into a record is already out there on the web.
This link is ONLY to a screenshot of the form page on my account with no identifying information as to where this site is. I don’t believe in promoting that type of site:
http://images.quickblogcast.com/4/2/6/6/5/166425-156624/createapublicrecord.png
This form can be used to create whole people as well as add/alter data on existing people by keeping some fields the same as a person. It then propagates throughout other data brokers.
This has been anticipated by NIST – but then again, I can’t say whether they will come up with a proper model to mitigate it. We all know how well anything remotely involved with the gubbamint turns out!
Brian, you interviewed me during our effort to get a Credit Freeze (CF) law passed in DE (the credit card state) in 2006, against the fierce opposition of the CRAs and banking industry.
Your last 3 paragraphs are the action take away for your sidebar. Credit monitoring is NOT preventive.
Am surprised you didn’t get a police report from the attack on you and your significant other, and then use it to apply for a free Credit Freeze to be put in place on each of your accounts with the 4 CRAs (8 Freezes).
Have operated the CF for my new loan apps, opening/closing it, since 2006, and it is a breeze.
The day will come when you will be too old to remember to do your 90 day/7 year Fraud Alert sequence, but you are never too old, nor too young, to have your good credit stolen in the USA of 2014. FA is NOT preventive. Why are you using the FA Kleenex, when there’s a CF vaccine available?
On Dec 6, I left the US for Antarctica, returning Jan 23. Target breach? Not a concern. I could have handed my Critical PII to the thieves before I left. Thank you Credit Freeze. I guard my PII, but the CF adds a thick layer of protection from the thin data protections of the 2014 US private sector.
I used a police report that was 3 years old, and the CRAs bought it. Good luck.
How long does it take the credit bureaus to temporarily lift a credit freeze? Just curious.
That day or the next day. When you temporarily lift a freeze, you specify the date range. Eg. “I want the freeze lifted for March 25-March30.” You have to do this for all 3 bureaus if you don’t know which one will be checked. It can be a pain. I’ve found lifting freezes by phone to be easier than the websites.
Good to know, Chris (about calling being easier). Thanks.
I wonder, if you were to call a business ahead of time, if it’d tell you which bureau it uses.
Let’s give a big round of applause for Credit Karma!!
Please note that you can request to be taken off of the list of people who receive unsolicited credit offers for five years online, but if you want to be taken off of it permanently, you need to print out a form, fill it out, and put it in the mail.
Also, even if you sign up, you’ll likely get occasional credit offers from companies with which you already do business, Legit companies tend to respect your wishes if you call them and say that you don’t wish to receive more offers, though–at least for a while.
I’ve let my credit card companies know I don’t wish to receive those blank checks that can be used to make purchases, either, and they’ve complied. Those things can be dangerous if they fall into the wrong hands.
Your suggestion works if there is just a few people using that mechanism, not if a million people are doing it.
With volume, those requests could simply be dumped – your snail mail will get lost, dropped, and mishandled, in an isolated incident of course. 🙂 One could say ‘no way’, but history is filled with similar examples (e.g. IRS dumped tax forms in the past).
So then we could try registered mail, which finding whom to send it to becomes an issue. And how do we know it’s been processed? And when they send form letter saying it’s processed, how do you know it’s processed? etc. and so on. Once their proverbial authentication certificate is revoked there is no authentication possible.
It’s one heck of a fine system they created. And we get to pay the price (we can’t even opt out in any meaningful way).
I was just offering people some details about how things work now. My husband and I have opted out permanently using the form from the Opoutprescreen website, and we’re very pleased with the results.
I looked up the details about Credit Karma. They make their money by sending customers offers for services from their partner companies. They only offer you detailed information from TransUnion. And they give you a credit score that’s supposed to reflect information from all three major credit bureaus, but that’s not likely to be the score possible lenders will see (and base your interest rate on). It’s not your FICO score, in other words.
I’m not saying Credit Karma isn’t worthwhile, but it’s good to be aware of its limitations.
Source: http://20somethingfinance.com/credit-karma-review/
The thing is – if a big retailer like Target can’t be trusted with our personal information, I got a feeling that a place like creditkarma will probably be even less concerned with protecting this information in their servers. I personally think it is good to limit as much as possible any vendor, online store, or web-site from having any accurate information about me personally. The lower the number, the less imposing my threat profile is, the way I look at it. At least when you deal directly with the reporting agencies yourself, there is no more risk than usual, because they already have all your information as it is.
You’re preaching to the choir, J. I was just putting the information out there for anyone who was intrigued by the posts saying, “Use Credit Karma.”
I’m surprised how much you missed in your blog, Brian.
1. You were wasting your time with CapOne and should have gone directly to the credit bureaus. They are required by Federal Law (FCRA, Sec 605B) to block any info caused by identity theft within 4 business days as long as you’re willing to provide your ID, an ID theft report and a statement saying the info is not yours.
2. The security freeze (aka Credit Freeze) is considerably more effective than credit monitoring and/or perpetually adding new fraud alerts every 90 days. The cost is either zero or, if you have been the victim of fraud, capped by state law. Where I live, GA, it’s $3 per credit bureau…so $9 total. Because of your CapOne fraud a security freeze would have been free for you.
3. Regarding the criticism of credit monitoring services…they’re called CREDIT monitoring services for a reason. They’re not designed to monitor bank accounts or credit card fraud or the sale of your data via black market websites or tax fraud or utility fraud. They’re designed to monitor changes on your CREDIT report and most of what the Gartner analyst was listing isn’t even on a credit report.
4. The credit monitoring service provided in the wake of the Target breach is single bureau monitoring, which means it monitors one of your three credit report. That’s like locking one of the three doors in your house. Ineffective unless you’re lucky enough that a fraudster applies for credit in your name and the lender just happens to use the one credit report that’s being monitored.
You should really read things more thoroughly before calling someone out… And, once again, he did talk about CF, so you really haven’t made as much of a contribution to the subject at hand as you think.
It’s always nice to feel smart though, isn’t it?
But they have access to your account, both checking, and savings. And after a credit check inquiry , I saw the numbers to the wifes IRA listed in the transaction areas. So why are they not covered, unknown? Somehow these folks datamine to the extreme. It used to be called churning in the financial industries, and that was declared illegal. So what is it called in the datamining industry, when every bit is up for grabs? and for a profit.
I thought I’d read somewhere that identity thieves were starting to pull those free reports for you, in order to get all your information, as well as to make it harder for you to monitor what they are doing.
Any idea if this is really a problem, or just a marketing attempt to get you to pull your reports all at the beginning of the year, and then pay to get them later?
Yes, that’s a problem.
The flawed credit system just adds layers upon the problem.
To use OOP as a metaphor, if the base classes are poorly designed, then the derived objects will inherit those flaws.
The base class of the credit system is that authentication is focused on legal defense of the CRAs, not you. As such,at best , it is only half the problem of authentication.
Regardless of authentication, if it’s only one way, then the authentication system can be spoofed, and the authentication data mined for further exploits. This is as true for two, three, or a million factor authentication as it is for single factor.
And that’s the problem; whatever you provide to authenticate yourself, a black hat can also (“what one fool can do, so can another”).
By not providing authentication of the system, user authentication is exploitable. Sure, one can make it an arms race, but that’s all it is, an arms race. That’s why we see more exploits now than in the past; the black hats have better capabilities, including funding to buy the data they need.
There are some really good 2nd and 3rd factor authentication systems out there, one of them seems the simplest and cheapest to implement, and that is PassWindow. Although it could also be merged with SMS technology and is scalable as hell – it uses ingenious methods that would limit the ability to do a man in the middle authentication. I think it would eliminate it all together, because a big piece of the information is what you have, and it isn’t electronic(although scaling it up could possibly involve that), so the man in the middle would get nothing except possible session riding into the target site. Rapport could mitigate that already, so I have a feeling the web is going to have no choice but to go with what is “just keep it simple stupid” and go with something like PassWindow.
http://passwindow.com/
Another aspect of the police report requirement for getting out of the protection payment demand by the credit agencies is that the information on the police report is valuable information in itself. It would have, I presume, the correct address, SSN, etc. A police report, rearranged is nice current accurate information (at least the identification part anyway).
I suppose the credit agencies would like to get their information corrected either by you paying, or, well, you still pay. Most folks working hourly would pay quite a price to file a police report, so it’s a loss for them no matter how you slice it. I would imagine that in the future one would pay simply to contact the credit agencies in anyway, similar to the charge from a bank to use a teller.
Question 1:
Can the police report be entirely redacted? Let’s understand that Experian has said we ‘agreed’ to give them our information.. so therefore they must accept when we do not agree as well, yes?
Question 2:
if someone doesn’t agree, how can they register that they don’t agree without having the credit agencies use the identification information to update their databases? In other words, how does one authenticate when denying the other party access?
Freezing credit:
As stated in another post, of course they don’t want to buy the data from other CRAs, they sell data, not buy it. Yet, by definition, if they are aware that data exists that is significant, it is negligent to represent otherwise. They should be required to buy each other’s data, at list prices of course. And particularly once they have been alerted. So, tell CRA 1 to put on a freeze. Tell other CRA’s that there is significant data change at CRA1. Result is that they HAVE been notified. If the CRA’s choose to give out credit pretending ignorance, that’s negligent, and malicious negligence at that.
What are you getting out of sounding so lofty?
My credit was hurt when I was divorced since my husband ran up bills without my knowledge. Luckily a lot of those were in his name only so I wasn’t liable for them. They did show up on my credit record but it was pretty easy to get them, and his addresses, taken off my records. Then I closed and paid off the joint account. Within a year I had pretty good credit even though it took somewhat longer to get rid of the bills.
I did have to go through the same process at all the credit bureaus individually but it was free and didn’t take long.
Someone posted that, to the credit industry, the consumer is actually the product. Wall St. knows that the most valuable commodity is not cash, gold, real estate or ?? – it’s DEBT. They spend millions convincing the sheeple how important CREDIT (debt) is the American way of life thereby enslaving us. Don’t believe it. Just look at the mortgage debacle and how it all revolved around packaging and reselling DEBT as mortgage backed securities.
Still don’t believe it? Why then are CC ads all touting how much money they’ll give you back if you go into debt? WHAT? Why are we rewarded with lower interest rates when we have good credit scores? They say because we are less of a risk if we have good scores. So, again, banks/insurance punish us financially when we’ve rejected their enslavement (DEBT). Pretty sick!
Having been through all that and filing Chap13 bankruptcy to protect my house, no one wants to hijack my credit. We have learned to live without credit nicely (thank you) and, moving forward, I will NEVER have another credit card.
+1
No wonder I don’t have more stellar credit scores than I feel I deserve! I keep my cards paid off! 😀
Just a little more about https://www.optoutprescreen.com. They state: ” Through this website, you may request to:
Opt-Out from receiving Firm Offers for Five Years – (electronically through this website).
Opt-Out from receiving Firm Offers permanently – (mail Permanent Opt-Out Election form available through this website).
Opt-In and be eligible to receive Firm Offers. This option is for consumers who have previously completed an Opt-Out request – (electronically through this website).”
If you have elderly relatives with dementia issues, the permanent opt-out for them would be a good idea as well as monitoring their mail for charity scams. As for me, I completed the opt-out process in January and now life is a little better.
I was part of a Utah state data breach of 800,000 people from hospitals & Dr’s who were ‘pinging’ the Medicaid system to see if they might make some money ( hit those with medicaid or no medicaid). My retired parents, my son were also part of the data breach. We were offered the Protect my ID Experian product & are on our second year with this service. My problem with this service is it sends an alert that something is wrong with your credit report, but gives no specific reason, person or company. It only offers you a link to pay $14.95 to find out what company is involved. So basically I’m alerted but given no information regarding the alert. I agree with the author of this article that it’s useless.
Brian, Thank you so much for this great information! This will be one of my weekend projects. I’ve never set up a fraud alert or freeze before, but I will now. I can easily go for the freeze, my credit has been static since refinancing a mortgage a few years ago, and I’m not planning to change anything any time soon. Thanks again!
I have an issue with the sentiment the “some fraudster took out a mortgage in my name and now I owe $100,000”.
Nothing could be further from the truth.
If a fraudulently obtained loan is taken out in your name, it’s on the loan provider. Just file an affidavit and police report and put a not in your credit record. You owe no such amount. The burden is on the creditor to do due diligence in offering the credit and proving that it was you who obtained it.
You are under no obligation to pay the “debt” if you did not apply for and agree to it.
Be careful of what you sign when notifying the creditor that the debt is fraudulent.
Would starting a credit freeze prevent car rental companies from renting a car to me with a credit card?
No. The car rental company does not pull your credit history so the freeze will not come into play.
However, freezes can come into play when you try to establish a new cellphone contract as the service providers often look at credit reports.
Lets say I have in the past accidentally lost a CC that I thought was compromised and had another mailed to me.
With cards being good for 3+ years – some way longer – the potential risk of a card getting pwned is pretty good now a days.
Though the banks are getting more proactive on CC abuse/activity because it is happening more, and cutting into their profit margin they consider safe, the fact remains that they will deem when its time to replace your card.
I tend to want to help them decide when to replace the card. Its my money and time wasted in the bank filling out fraud paperwork, saying I told them so…
May be a bit over-proactive, but if it adds to the piece of mind….
Big fan of your blog and I work for one of the big 3 CRAs so I wanted to clarify a couple of things. I don’t work with the credit monitoring product or in the credit reporting/credit risk area at all but I am familiar with the issues involved.
1. On the “hard pull” affecting your credit score … you are right to point this out, but any effect is very temporary.
First, there’s a floor. A single inquiry doesn’t do anything, and it’s common for people to shop for a rate on a mortgage or car loan, so neither does 2 or 3 pulls. On the other hand, fraudsters like identity thieves commonly hit the mall trying to open up store cards left and right (or do the equivalent thing online), trying to grab as much loot as possible before they’re discovered, basically trashing the identity. So … of course application velocity is a big fraud indicator in our models, and our fraud/identity products are going to take it into account in the scores we return. The idea is to stop fraudsters from opening accounts in good people’s names.
Second, this effect is temporary (as in, your credit score might lose 10 or 20 points, but bounce back in a week). I can’t speak for FICO, but our mortgage risk products are a lot more sophisticated than just a single score, and tuning the analytics is a constant effort. The customers of the credit risk products (like mortgage) are the lenders, and the last thing these customers want to do is turn down a perfectly good paying customer application because of bad intelligence.
2. On the “scrubbing of fraudulent data” from your credit file after the Cap One frauds … obviously I have no idea of the details of your credit file and I can’t speak for TU, but I know the credit file is going to have addresses associated with every *account*, and it’s also going to have an incoming inquiry address for each of these credit *applications*. I’m assuming the addresses you’re talking about are from the bogus *applications*.
Well … application velocity, previous history of fraud … these are indicators of fraud. So … our identity and fraud products, they’re designed to protect Bank of America/Verizon/Comcast and *you* from fraud, so that when someone uses your name to try to buy an iPhone or get a credit card, we return appropriate risk scores. For instance, the fact you put a fraud alert on, we return a big red X for that. So you can see why these bogus applications on your file might be useful in measuring identity/fraud risk.
These risks are nothing to do with credit risk, i.e. your “ability to pay” or likelihood to pay your car loan or credit card bill back. Whether those measure are affected I honestly can’t say, but similar to inquiry velocity I’d guess any effects are small and temporary.
3. Last, just wanted to say one thing about the credit monitoring products. i.e., the difference between our credit monitoring product (as a CRA) versus AllClearID. Now, I don’t have anything good or bad to say about AllClearID, and it sounds like they advocated hard on your behalf, good for them.
But they aren’t a CRA, they don’t have write access to the credit file (or the legal obligation under the FCRA to correct errors). I know that the monitoring service from my company, you are definitely fast-tracked to freeze and remediate your credit file if there are any incidents, since we have already fully verified your identity and authenticated you. It is a leg up over a third-party service.
You are right that credit monitoring is no panacea. Definitely can’t see account details like credit card charges (your bank keeps that). But can protect against utility/telco theft if you find a better monitoring service.
4. OK, last for real, that experience with Cap One sucks. I have friends who have been ID theft victims and it blows. I’m sorry.
I could point the finger at Cap One, because they’re the ones who reported these inquiries and they’re supposed to withdraw them, but that would be a copout. The whole ecosystem needs to work together to clean this problem up.
The reality is that the banks have a certain threshold/tolerance for fraud, because fraud detection isn’t perfect and a false positive equals turning away a customer, and that is lost revenue. So their accountants do the math, tune their risk models to accept some false negatives, and accept having to write off some fraud losses.
In the bright shiny future there will be strong authentication and privacy-preserving federated identity, but it’s a ways off.
Thanks for taking the time to post. I don’t share your optimism about what will happen in the future, but I hope you’ll turn out to be right.
I don’t, the credit system is a sham and needs to die. Back when most jobs paid a living wage the majority of people didn’t need debt, now you have 30-50 year mortgages and student debt that follows you until you die, for a degree that is basically worthless if you can’t find a decent job with it within 3 years of graduating.
Been hoping for an article like this. Great job.
Hi all,
I faxed a form containing my SSN, name, address and signature with account number. Transmission report was ok, but the financial institute did not receive it. I may have it entered an extra digit unnecessarily to get on outside line from work and caused the error. I already called them to see if they would change account number.
Since the time I realized the error and not knowing the whereabouts of the fax, now I am worried and wondering what and how much to do. I did call the phone number that the fax would have gone to unintentionally and it was disconnected/not in service. There may be other possible numbers it could have gone to.
Any suggestions ? Should I write to the three credit bureaus now? Credit freeze? I was going to change phone plans in few months.
In way, credit monitoring services make things worse. Not a single one of them offers decent online access security (a simple password gets you in). If someone hacks into your account, all of your sensitive financial information will be delivered to the hacker on a silver platter. It would be similar to a criminal breaking into your house and using your own weapon to hold you hostage…
The one you all know and see all the time on TV will give you a free shredder! That’s how stupid they think we are by giving us a non-crosscut model. Yipee, I’m really safe now.