March 19, 2014

In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.

Experian 'protection' offered for Target victims.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one).  But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done.  It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster.  And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”

FRAUD ALERT BREAKDOWN

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

I’m not sure what happened last year, but I believe some fraudsters managed to apply for credit in my name right after my 90-day fraud alert had expired. In any case, I received a call from AllClearID (formerly Debix), a credit monitoring service that I’ve used for nearly two years now. AllClearID called to tell me someone had made several applications for credit with Capital One.

AllClearID quickly conferenced in a representative from Capital One’s fraud team, but Capital One wouldn’t tell us anything about the application unless I gave them every piece of information about me they didn’t already have. We went round and round with Capital One for hours about this, but got nowhere; I refused to hand over more personal information just to prove to them I wasn’t the one who made the application, and each new representative we spoke with made us retell the story from the beginning.

In all, I had several fraudulent applications for credit in my name, and while none of them were granted, each resulted in a “hard pull” against my credit file. Anytime a creditor pulls your credit file for the purposes of checking an application for new credit, it dings your credit score down a few notches. And as Evan Hendricks writes in his primer on the credit industry (Credit Scores & Credit Reports: How the System Really Works, and What You Can Do), “the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums.”

Unfortunately, another thing that often happens with fraudulent applications is that thieves use only part of your real information — mixing your name and Social Security number with an alternate address, for example. This is what happened on two of the fraudulent applications for credit in my name, with the result that this incorrect data was added to my credit file.

AllClearID has been tremendously professional, and quickly alerted me each time Capital One pulled my credit file. But the company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name. The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file, and in scrubbing the fraudulent data from my credit file (actually, that part is ongoing: Trans Union has steadfastly ignored requests to remove bogus addresses on my file, necessitating AllClear’s filing of an official complaint with the Consumer Financial Protection Bureau).

I asked several experts that I trust for their views on credit monitoring services in general, and to explain their benefits and weaknesses. I also wanted to know why none of the credit monitoring services will offer to renew 90-day fraud alerts on behalf of customers.

Julie Ferguson, a board member of the Identity Theft Resource Center, said a lawsuit by Experian against Lifelock effectively killed that service for virtually all credit monitoring services, with the exception of Equifax.

“After Experian sued Lifelock, none of the banks wanted to distribute and sell it as a service,” Ferguson said. “Equifax will still. Nobody else does anymore, not even Experian.”

Ferguson also stressed that there are varying levels of protection services offered by the credit bureaus and private companies, and that although many of them are priced similarly ($10-$15 per month), they vary widely in the services they provide.

Take, for example, the ProtectMyID package that Experian contracted with Target to offer customers following last year’s massive data breach. The service will monitor your credit report daily and alert you of any changes, and includes up to $1 million in identity theft protection insurance. The service also offers users a fraud resolution agent if identity theft does surface, and it provides a free copy of the user’s credit report (Experian is required by law to provide a free copy of your credit report each year anyway, via annualcreditreport.com). Those who sign up for the free service still have to pay extra to see a copy of their credit scores.

“The ‘protection’ provided by these services is really all over the map once you delve into the services they provide,” Ferguson said. “Some will give you credit monitoring only on one credit bureau, while others will monitor your file at all three.”

Avivah Litan, a fraud analyst with Gartner Inc., rattled off a long list of reasons why credit monitoring services aren’t much use to most consumers.

- Most won’t tell you if a new wireless or cable service has been taken out in your name.

- They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.

- They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document. Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.

- They do nothing to stop tax fraud (typically tax refund fraud) against you. Same is true for other government benefit programs, i.e. Medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.

“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”

DO THESE SERVICES HELP AT ALL?

“They help if it’s too hard for you to look through your free credit report and make sense of all the activity in it,” Litan said. “Also they can alert you faster than the free credit report does, depending on timing of the infraction and when you look at your free credit report.”

Litan added that some services — such as Lifelock — have a few extra bells and whistles. For example, Lifelock sometimes gets information (such as from the Early Warning System) when profile information on your bank account has changed (e.g. change of address).

“They also have access to most mobile carrier account application data,” Litan said. “Equifax has some extra utility company data. So, some of these firms have access to some extra data that can help in other scenarios.”

While most plans offer identity theft insurance — usually advertised as up to $1 million — most of that is coverage consumers already have under existing laws and Visa/MC zero liability rules, Litan says.

“On top of that they reimburse ID theft victims for some legal fees and some minor expenses like postage stamps,” Litan said. “But if someone takes out a mortgage in your name and now you owe the bank $100k or more – nobody covers that, and that’s what they need to cover.”

Ferguson said credit monitoring services are most useful for people who have already been victimized or for those who are likely to be victimized (by a jilted spouse/lover, or stalker, for example). For those individuals, it makes sense to purchase a plan that offers triple credit bureau monitoring for maximum protection. The main downside of this approach is that a fraudulent application for credit can result in a deluge of alerts, emails and phone calls from all three bureaus simultaneously.

ALTERNATIVES TO CREDIT MONITORING

As mentioned above, placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.

You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com; you can also request it by phone at 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.

If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.

A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”

Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.

Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.


146 thoughts on “Are Credit Monitoring Services Worth It?”

  1. pookie

    Great writeup on credit monitoring. Needs to be added on the right side of the page like Tools for a Safer PC and the Value of a Hacked PC.

    1. Kevin Patrick

      I second Pookie’s comment. A much-needed and useful summary. Thanks.

  2. DefendOurFree

    I’ve made this suggestion on previous posts of yours. If you fall victim to any type of ID theft; and you don’t already have a passport; I strongly suggest you get one to secure it. Personal identifying information has been used to obtain passports.

  3. Sam

    I think it is more effective to have your credit profile locked by these agencies. When it’s locked, even the thieves cannot use your identity to open new accounts or credit line. Downside, you will have to pay a fee to unlock (perm or temp) if you need a loan, say buy a new car.

  4. Peter

    Do you have any deeper ideas on the identity theft insurance piece? I know that some of them offer the following services

    ◦ all disputes and file paperwork on your behalf related to new account fraud, medical id fraud, social security, insurance benefit and unemployment fraud, etc.
    ◦ Unlimited recovery services for ALL types of ID Theft
    ◦ Removal of fraudulent criminal or civil judgments from your credit report
    ◦ Removal of fraudulent credit accounts from your credit report

    I am wondering if they work as advertised

  5. meh

    What a racket… Half the time these chumps are the ones who gave away the info in the first place.

  6. Jo Faktor

    Really good article. How do I get similar information for the UK?

      1. timeless

        It seems like fraud alerts are easier to manage in the UK:

        https://www.econsumer.equifax.co.uk/consumer/uk/sitepage.ehtml?forward=gb_cs_cpo_howto

        «How do I set up a fraud alert?
        To set up a fraud alert, contact CIFAS, the UK’s Fraud Prevention Service and file a Protective Registration notice on your credit report. This will flag to potential lenders that you have been a victim of identity fraud and greater security measures will be taken to ensure that the application for credit is genuine. This service is £10 and the alert will be included on your credit report for 13 months.

        How can I remove a fraud alert off my file?
        The alert will remain active on your credit report for 13 months. If you wish to have an alert you placed on your report removed prior to that, contact CIFAS, the UK’s Fraud Prevention Service»

  7. DMAN

    It seems we are nearing the breaking point of how people are identified. SSN was never a good idea for identification but anymore it seems like it is useless as a true means of identity.

    1. cjc

      SSN work great as an IDENTIFIER. They do not work well as an AUTHENTICATOR. Your SSN should be treated like your name or address, a public bit of information that helps identify you. The problem is that it is regarded as a secret authenticator.

      Sometimes I wish someone would publish a nice huge list of SSNs (I guess it takes more than already have?) to make them really, really, obviously useless as authenticators.

      1. Wayne

        There’s a web site that lists your ATM PIN, it’s a page that has every number from 0000 to 9999. No reason why you couldn’t do the same for SSNs with a fairly simple Perl script. And it would be just as meaningless.

        It seems like I argue every time with doctors when I go to a new one. I never fill it in on the forms for me or my wife (she’s the policy holder) and tell them I don’t know it off-hand. They have my full insurance information, so they can lump it.

      2. Lee Church

        It can work as an authenticator if it’s random and non-unique.

        So for example, I ask you your SSN and you say “123-45-6789”.

        Is that your real SSN? or was that the response to the “what is your SSN question”?

        By using Identification questions as authenticator questions one could add a level of security as even if someone knew your actual SSN, they would not know what to answer when I ask you your SSN.

        But other than that, yes, SSN, the actual and accurate SSN, is not authentication.. but it could be 🙂

  8. Marcia

    I believe you have to do way more than just monitor your credit these days. Personal information on dark websites, driver’s license, medical card, if I lose my wallet. I don’t have time to monitor all that stuff. Not to mention the story I saw on 60 minutes about being tracked online and bombarded with advertisements. If I have the choice of paying a company like idradar, Identity Guard, or whoever will take care of all that for me, and allow me to be hidden online, then it’s worth the money.

  9. Canuck

    Any idea whether Canadians can exercise some of the options like the free credit report, security freeze or 90-day fraud alert?

    1. Blanche Dubois

      Canadians are specifically and particularly excluded from all US data breach and ID theft protections.
      Not even US citizens are eligible.
      Only bona fide illegal aliens inside the US are eligible…

    2. timeless

      Canada, the smaller cousin to the USA gets two of the three USA bureaus: TransUnion and Equifax.

      Freeze (Fraud Alert)
      TransUnion:
      http://www.transunion.ca/docs/personal/Ca_Fraud_Alert_Request_Form.pdf

      Equifax:
      https://help-en.equifax.ca/app/answers/detail/a_id/306/noIntercept/1/kw/fraud+alert
      «please call Equifax toll-free at 1-800-465-7166 or 514-493-2314. We will add a statement to your file to alert credit grantors that you may be a victim of fraudulent activity. This may mean that the next time you apply for credit you will be questioned more thoroughly as a precautionary measure. The credit grantor wants to make sure that you are, in fact, the person you say you are.»

      You are entitled to free reports from both agencies by mail:
      http://www.cbc.ca/news/canada/how-to-check-your-credit-report-1.1185975

  10. Grace Nagel

    It is my understanding that Innovis is an aggregator of the three credit reporting agencies (Experian, Equifax, and Trans Union) so I am unsure that they are able to place a fraud alert on a consumer credit report.

    Is this a new service that they are offering?

  11. AHD

    I second the Canadian request. Does anyone have any information on Canada’s policies on credit monitoring, locking and freezing?

  12. Andrew

    I would sure like to opt out from credit offers but I’m too paranoid to enter my SSN into their site before I apply for credit freezes 😀

    Thanks for the writeup Brian

    1. Lee Church

      Exactly. They clearly mine your data, so giving up your personal information to them (or confirming that it’s correct and recent) is a huge price to pay for them to agree to not ruin you financially.

      Sounds like a protection racket.. “you either give us the thing we value most (your data) to sell, or we harm you”.

    2. Dave

      Credit Freezes are even worse when you try to temporarily or permanently lift them. Aside from charging a fee (depending on state) they demand government ID, utility bills with current address, copy of your social card, and so forth. And of course the PIN number you received when you placed the freeze. If you lost it they are happy to replace it; for a fee and after providing the same information. They make it sound like you can just call up or go to a web page, enter that PIN number, and you’re all set. I can say from experience that this is just not so. I think it’s just another way to suck up more data.

  13. Old School

    I created the following list of addresses to assist those who wish to learn more about their credit status or place limits on the availability of their credit information. The title of the following report says it all: So How Many Consumer Reporting Companies Are There?
    http://www.whitehouse.gov/blog/2012/07/17/so-how-many-consumer-reporting-companies-are-there . In the report there is a paragraph that reads:
    “So we encourage you to take a look at the list of companies and think about which ones might be reporting on you. It’s important to ask for your report from those companies so you can correct any mistakes or see whether anyone’s been trying to hijack your identity. For example, if you’re going to rent a new apartment or home, ask the landlord what tenant background company they use, if any. You can access the list here.” Be sure to read the list because there are credit reporting agencies that have specialties.

    Under “SUPPLEMENTARY/ALTERNATIVE CREDIT REPORTS”, there are companies that offer free credit reports.
    List of consumer reporting agencies
    http://files.consumerfinance.gov/f/201207_cfpb_list_consumer-reporting-agencies.pdf
    Information about free credit reports is available at
    http://www.consumer.ftc.gov/articles/0155-free-credit-reports
    Some people may wish to put a security freeze on their credit reports. Here is some general information on security freezes: http://en.wikipedia.org/wiki/Credit_freeze . The following are freeze links.
    Innovis
    https://www.innovis.com/InnovisWeb/pers_placeSecurityFreeze.html
    Experian
    http://www.experian.com/consumer/security_freeze.html
    Equifax
    https://help.equifax.com/app/answers/detail/a_id/159
    Transunion
    http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page

    I tested all of the links

    1. Lee Church

      How does one put a freeze on without giving the credit bureaus your personal information? It’s an oxymoron.. you give them highly accurate information to sell about you, in exchange for them not harming you by offering credit to somebody committing fraud.

      We need a single SS number freeze function, without the credit bureaus getting all the other information. Know of such a mechanism?

  14. David Longenecker

    Great post Brian. I did some research into identity theft insurance for a post on my blog yesterday, but hadn’t considered the other side of the coin. Thanks for the information.

    I didn’t realize you could put a fraud alert on your credit history without having a specific fraud event to back it up – that is good to know.

  15. Wayne

    Gotta love groups like Experian. I called AAA to price car insurance, they pull up my accident record through Experian and say that I had three accidents in Phoenix, which I haven’t. Turns out that the brilliant people at Experian have conflated my dad’s accidents in to my record as his middle name is my first name.

    I haven’t gotten it cleared up yet, but it makes me wonder how much other garbage are in my reports. I didn’t even know that they tracked things like car accidents! I could see it if I stiffed or defrauded my car insurance, but this?

    1. Lee Church

      From your post, it’s possible that you have been over charged for car insurance if they looked at that report in coming up with your premium.

      However, since it’s all behind the scenes, they can just deny they looked at it, and who would know? How exactly would you prove that they looked at that information and it changed your rate?

      Welcome to the great benefits of big data.

      And secondly, why should you have to clean up their data? People end up having to clean up their data so they can make more money on it. Do they pay you for having incorrect data? do they compensate you for time, expense of obtaining it, reviewing it, and correcting it? Nope.

    2. timeless

      http://www.questia.com/library/journal/1G1-353644783/accuracy-of-information-maintained-by-us-credit-bureaus

      «A representative sample of 1,000 US consumers reviewed their credit reports from the three major US credit bureaus with help from university research associates. 26% of study participants claimed to find at least one potentially material error and filed formal disputes with the relevant bureau(s). For 78% of the 263 consumers who filed disputes (20% of participants overall) at least one bureau altered the credit report accordingly. 33% of disputants (8.7% of participants) experienced a resulting increase of 10+ points in one or more of their FICO[R] scores; 21% of disputants (5.5% of study participants) had one or more scores cross a threshold that would typically result in more favorable terms of credit. … individual consumers need to be vigilant to protect themselves against potentially costly errors in their files.»

      So, your experience is fairly typical.

      1. JCitizen

        I hate to be another one calling for more regulations, but there was a time about 20 years ago when a simple phone call to just one of the big three would get immediate correction, and it would trickle down to the other two as a matter of course.

        Now it seems they are getting recalcitrant – I suspect this may be because they want to hawk their own alert services and figure this just generates more business. However it was only because of promises to do better over 30 years ago that congress has stayed off their backs. It may be time to put pressure on congress to kick some butt on the big three game players to own up to inaccurate data on customers. I must admit though, that the Consumer Financial Protection Bureau has not been in force long enough to see if that can be a source of relief for consumers. Anyone having this problem should contact the CFPB and log a complaint. Until we use our resources, we won’t know if they work!

  16. Marilyn Abbey

    There’s another data/credit bureau that no one knows about. It’s the Medical Information Bureau (mib.com). It contains everyone’s medical records and it works mostly for health insurers. If you jump nicely through its hoops, it will spit out your data.

  17. Rebecca

    Be aware that even some of the credit monitoring services that say they monitor all three bureaus don’t. I was given credit monitoring from 2 different places, one serviced through Experian (so we know who they monitor) and the other that claims it monitors all three. However when a new inquiry showed up on my Equifax report, they didn’t notify me and, in fact, sent an all clear at the end of the month. When I called and pushed them on it, they admitted they only monitor Experian as well. Buyer beware, and put the fraud alerts on at the first sign of trouble.

  18. Mikey

    Another suggestion: NEVER post your birthday online, nor when registering for many websites. It’s astounding how many people post their actual birthday on Facebook (among others) for the world to see — and to use for identity theft!

    I have what I call my “internet birthday.” It’s nowhere near the actual month, day or year I was born — but every online entity that asks for it gets it. When asked to provide it as an authenticator when, e.g., I call about something, it works perfectly. And when stolen, anyone who tries to use it won’t get very far. Sure, you have to use your true birthday when dealing with government and bank sites, but no one else “needs” it, so if they ask…

    (For those who like to lie about their age, this is made to order! )

    1. Old School

      “Internet birthday”, good idea. For new users, consider using April 1 plus the year of high school graduation.

    2. JATny

      Internet birthday. How funny, I thought that I was the only one who did this. I don’t change the month / day (I probably should just for fun); I just swipe 20 years off the back end, and I always feel a lot kickier afterwards. Sometimes, I use a slight misspelling of my name. It’s amazing how this helps to track who’s giving out your info despite all the “we respect your privacy” reassurances. Of course, all of this is going to show up on my credit report someday.

      1. Mikey

        JATny,

        DON’T use your actual month/day! It’s easy to identify your year of birth from all sorts of sources. e.g., Facebook and LinkedIn usually show when you graduated school. It’s so much easier just picking a totally different month/day/year and using that date consistently. A completely incorrect birth date is a great obstacle to identity thieves; many companies will accept a date if 2 out of 3 fields are correct. (No, it won’t totally stop the thieves, but it may make you less “desirable” to them.)

        1. JATny

          Okay, I got one for you all, http://www.mylife.com, monitors and compiles all the information gathered on you from all the social media. It is supposed to be so that you can “monitor all your connections in one place” and “take control of your identity,” but you KNOW that is not so. They ought to call it This Used to Be My Life.

          1. JCitizen

            Yeah! Like we’d trust THEM with our information! 🙁

  19. saucymugwump

    KOS wrote: “these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity”

    And more importantly, they will do nothing at all to resolve the situation. You will be the one to pay for legal fees, $10 fees for temporarily opening up a credit freeze, obtaining a new SSN if it comes to that, etc.

    KOS wrote: “credit monitoring has become the de facto public response for companies that experience a data breach”

    That’s because it is dirt cheap and Congress allows this to substitute for actual liability (see above).

    KOS wrote: “The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file”

    I’ll bet your name is the main reason they helped.

    If you really want banks and, I assume, credit agencies to dance to your tune, file a complaint with the Office of the Comptroller of the Currency. A bank tried to give me the run-around and they changed their tune within days of my contacting the OCC.

    And AmEx does not play by the same rules. I have credit freezes in place with the big-three, but AmEx still sent me credit applications about a year later. I had to send them a specific letter to get them to stop.

  20. Andy Judd

    I follow this blog with interest and find a large amount of the information useful. However as someone living in the United Kingdom some information, such as your rights mentioned in this blog, is irrelevant. Are there any good IT security blogs based in the UK that might contain the same kind of information?

    I’d still follow Krebsonsecurity but it’s made me aware of how little I know about the UK situation.

    Thanks

  21. TheOreganoRouter.onion.it

    My opinion on this one is the social security administration should offer 24/7 monitoring of your nine digit identifiable number from the time of your birth until you kick the bucket.

    Nowadays, people should not have to pay for your credit score and report along with information that is in your background check (things like court information). Why a person has to pay for credit monitoring when banks should be more responsible enough to offer chip and pin to protect customers is beyond comprehension. It’s all about how companies can make money off your personal information be it your credit report, background check or some type of monitoring of P.I.I.

    Another good site is “creditkarma.com” where you don’t have to give them your credit card information. This site gives you your new credit score every 7 days.

  22. JATny

    Thanks for an extraordinarily helpful post, Brian. We forget sometimes that ID theft and cyber theft are not just about bits and bytes and international intrigue. I have my own stories about credit monitoring and such.

    My old company got hacked for retirement info and offered me credit monitoring. My mortgage bank got ripped off for data and did the same. The city utilities company opened an acct at a second address in a part of town I’ve never lived in and when I tried to unhook this info from my credit report, the credit report agency refused to remove the info. They even suggested that I should be happy because that person apparently paid the bills that attached them to me on time. I’ve always suspected that they confuse me with my ex-spouse, and for them that wasn’t a problem. Duh. Anyway, thanks to you and all for the great info and helpful links as we navigate our sad way through Big Data.

  23. nov

    Breached companies do the “good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data”.

    Perhaps at some point I’ll request a breached company offer me a Free Credit Freeze (and unfreezing and refreezing) as something worthwhile as my personal choice.

  24. Lee Church

    1) To put on a fraud alert, one must give Experian and others personal information such as SS, name, address, etc. All stuff they then sell. I can’t put a freeze on without also allowing them to update my address, etc. (and I don’t agree that they should be provided with my information for free in the first place).

    2) When calling their automated system (can one be sure the automated system is even the credit agency? how can the end user authenticate calling into an automated system?)

    3) With Experian, they routed the call to an Indian call center. So your personal information, and voice channel is then routed out of the states and into a foreign country. There isn’t a good way to make sure the voice path stays in the states, thus it’s insecure as well. I don’t agree to share my personal information with a country that is outside the US, and object to being required to do so. Even if we mail the fraud freeze, the credit agencies will mine the data, sell it, and share it outside the US (Indian call centers), and I don’t consent to that.

    So it’s a great idea to freeze one’s credit, but it requires you to provide the credit agencies with your personal data (which I don’t agree they should have to begin with).

    So we are at an impasse. It’s not possible to protect oneself from the credit agencies unless one makes themselves less secure by giving the credit agencies even more accurate information to harm us. That’s one huge moral hazard.

    The bottom line is the US needs a way for folks to have their SS number frozen/disabled for credit purposes. The mechanism simply doesn’t exist to do that. One could argue WHY one would or would not do that action, but not allowing that action is a security hole the size of the grand canyon.

    Quite an impressive system they built.. huh? (sarcasm).

    1. Peter

      Although I fully agree that there should be a way to ‘opt out’ of using my SSN for credit checks, in practice I wonder whether it matters.

      You need to provide pretty much all info including bra sizes when putting in a freeze. But don’t they already have that? Serious question, not cynically joking here…

      When I applied for a new credit card, I saw my bank pulled my credit at one of the big three. But after I was granted the card, it showed up at all three. So I always assumed these three just share everything?

      So in practice don’t they already have all this?

      1. JCitizen

        That is how I’ve always understood it – that the big three automatically share information every so many months; at least it seems like it takes a month to catch up anyway. However some of the information seems to get stuck like gumby in the files, and either never changes or is not updated properly. Also it seems to go in two stages, where there is an inquiry first, then an establishment file on a new account for example. Some of them get stuck in inquiry mode, then three months later suddenly get the new account information.

        I must admit though, they do seem to be much more accurate than in the past. I used to catch all kinds of errors back in the ’90s. Of course, the PC/internet revolution was still going on back then.

  25. mbi

    Credit fraud is serious and requires new laws to combat it. Businesses and banks are accepting it as a cost of doing business and passing it on to customers in their prices, but do not help those who are burdened by the occurrence. The government needs to lock down credit information and require proof that it is the person who is taking out the credit. Tax refunds and inquiries should require a Federal PIN that can be changed online with the IRS. The Federal government needs to do much more and get around the banks and businesses that feel it is a burden. It’s got to be cheaper than what is happening now in this country.

  26. tpp

    Will I be offered free credit monitoring by Experian due to the data breach at Experian where they were selling data to a private investigator in Singapore?

  27. Pinky

    Rather than use some expensive monitoring service, every 3 months I merely re-apply for a temporary security alert for 90 days. I configure this alert so that they have to call me before a new line of credit can be opened in my name.

    This costs me nothing, other than having to re-apply every 90 days.

    https://www.experian.com/fraud/center.html

  28. Katrina Lowe

    Wow, this is an awesome post!

    I had NO idea about the ability to post fraud alerts on a credit file (excuse my ignorance), but that’s definitely something I plan to do. As a young 20-something fresh out of college building (and protecting) my credit is extremely important to me. I’m not too keen on Experian after reading this blog, to be honest. Too many mishaps in their “protection” of financial information. My only concern is having to rely on an Experian to put a fraud alert on my account…any other companies good at this?

    When’s the best time of the year to request a free credit report? I don’t want to make that pull (even if soft) if there’s some sort of methodology in doing so.

    In reference to the inability of these credit monitoring companies to block fraudulent activity, I can’t say that I’m not surprised. If anything, the alert is something that I’d be interested in having unlimited access to…at the very least, it’s beneficial to be alerted when something wrong is going on…at least I can take the initiative to then contact the correct authorities.

    1. timeless

      As mentioned by others, the general best practice seems to be to stagger your three free reports. That means requesting one every 4 months. Since most items are on most reports, that gives you the chance to spot problems within four months instead of up to 12 months after they happen.

      Note that you need distinct fraud alerts for each agency. There might be third parties who could help, but I’d assume most aren’t worth it.

    2. JCitizen

      Checking your credit for free will not impact your report. I’ve never seen any evidence of it; in fact I can’t remember seeing my inquiry on my report at all. However there are some things that remain hidden in such reports, as they are only required to report what the law allows.

      One of the most important factors in credit worthiness is keeping in contact with your creditors. I had to struggle when I got out of college, and had to adjust my student loan often, but I kept in constant contact with Sallie Mae and so my report reflected well, despite my financial woes. The one thing to remember is not to let credit card debt go over 5000 total, unless you are making good money. You can almost never pay off a revolving account, even if you throw every dollar you make into the payment of such accounts.

      I found out the hard way, you can only stop using them and redact the debt into a car payment or house equity loan to have any hope of getting out of debt. Daily revolving balance is the worst type of loan you can have – personal car loans and/or home equity loans are usually some of the best. Always get the formula from the loan institution on how they calculate the interest and payoff schedule. They will feign ignorance or try to hide this formula, but you have a right to know it, so you can calculate the payoff yourself. I always love that deer stuck in the headlights look, when I ask for the loan formula – it never ceases to amaze me how little loan officers act like they know.
