08
Jun 15

How I Learned to Stop Worrying and Embrace the Security Freeze

If you’ve been paying attention in recent years, you might have noticed that just about everyone is losing your personal data. Even if you haven’t noticed (or maybe you just haven’t actually received a breach notice), I’m here to tell you that if you’re an American, your basic personal data is already for sale. What follows is a primer on what you can do to avoid becoming a victim of identity theft as a result of all this data (s)pillage.

Click here for a primer on identity theft protection services.

Click here for a primer on identity theft protection services.

A seemingly never-ending stream of breaches at banks, healthcare providers, insurance companies and data brokers has created a robust market for thieves who sell identity data. Even without the help of mega breaches like the 80 million identities leaked in the Anthem compromise or last week’s news about 4 million records from the U.S. Office of Personnel Management gone missing, crooks already have access to the information needed to open new lines of credit or file phony tax refund requests in your name.

If your response to this breachapalooza is to do what each of the breached organizations suggest — to take them up on one or two years’ worth of free credit monitoring services — you might sleep better at night but you will probably not be any more protected against crooks stealing your identity. As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

In short, if you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth paying for these credit monitoring and repair services (although more than likely, you are already eligible for free coverage thanks to a recent breach at any one of dozens of companies that have lost your information over the past year). Otherwise, I’d strongly advise you to consider freezing your credit file at the major credit bureaus. 

There is shockingly little public knowledge or education about the benefits of a security freeze, also known as a “credit freeze.” I routinely do public speaking engagements in front of bankers and other experts in the financial industry, and I’m amazed at how often I hear from people in this community who are puzzled to learn that there is even such a thing as a security freeze (to be fair, most of these people are in the business of opening new lines of credit, not blocking such activity).

Also, there is a great deal of misinformation and/or bad information about security freezes available online. As such, I thought it best to approach this subject in the form of a Q&A, which is the most direct method I know how to impart knowledge about a subject in way that is easy for readers to digest.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it. 

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Equifax has a decent breakdown of the state laws and freeze fees/requirements.

Q: What’s involved in unfreezing my file?

A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes on the phone with the company from which you hope to gain the line of credit (or perhaps research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours.

Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?

A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.

Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.

An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.

Q: Why would I pay for a security freeze when a fraud alert is free?

A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.

Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?

A: Yes (unless you’ve previously qualified for a free freeze). However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services.

Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?

A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them.

Q: I’ve heard that tax refund fraud is a big deal now. Would having a fraud alert or security freeze prevent thieves from filing phony tax refund requests in my name with the states and with the Internal Revenue Service?

A: Neither would stop thieves from fraudulently requesting a refund in your name. However, a freeze on your credit file would have prevented thieves from using the IRS’s own Web site to request a copy of your previous year’s tax transcript — a problem the IRS said led to tax fraud on 100,000 Americans this year and that prompted the agency to suspend online access to the information. For more information on what you can do to minimize your exposure to tax refund fraud, see this primer.

Q: Okay, I’ve got a security freeze on my file, what else should I do?

A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link

Q: If I freeze my file, won’t I have trouble getting new credit going forward? 

A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.

Q: Anything else?

A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.

To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request. 

PERSONAL EXPERIENCE

A couple of years back, I was signed up for a credit monitoring service and had several unauthorized applications for credit filed in my name in rapid succession. Over a period of weeks, I fielded numerous calls from the credit monitoring firm, and spent many grueling hours on the phone with the firm’s technicians and with the banks that had been tricked into granting the credit — all in a bid to convince the latter that I had not in fact asked them for a new credit line.

The banks in question insisted that I verify my identity by giving them all of my personal information that they didn’t already have, and I was indignant that they should have been that careful before opening the new fraudulent accounts. Needless to say, the experience was extremely frustrating and massively time-consuming.

We eventually got that straightened out, but it took weeks. Not long after that episode, I decided to freeze my credit and that of my wife’s at all of the major bureaus. Turns out, I did that none too soon: A few weeks later, I broke a story about a credit card breach at nationwide beauty chain Sally Beauty, detailing how the cards stolen from Sally Beauty customers had wound up for sale on Rescator[dot]cc, the same fraud shop that had been principally responsible for selling cards stolen in the wake of the massive data breaches at Home Depot and Target.

Rescator's message to his customers urging them to steal my identity.

Rescator’s message to his customers urging them to steal my identity.

In response to my reporting about him and his site, Rescator changed his site’s home page to a photoshopped picture of my driver’s license, and linked his customers (mostly identity thieves and credit card hustlers) to a full copy of my credit report along with links to dozens of sites where one can apply for instant credit. Rescator also encouraged his friends and customers to apply for new credit in my name.

Over the next few weeks, I received multiple rejection letters from various financial firms, stating that although they had hoped to be able to grant my application for new credit, they were unable to do so because they could not view my credit file. The freeze had done its job.

In summary, credit monitoring services are helpful in digging you out of an identity theft ditch. But if you want true piece of mind, freeze your credit file.

Tags: , , , , , , , , , , , , ,

119 comments

  1. Hi Brian. Are security freezes a USA-only thing? I can’t find any reference to them on Equifax’s UK website.

  2. I thank you for your excellent article and have referenced it on one of my blog post on http://www.homecybersifu.com. For me, trying to convince my readership to put a security freeze on their account for better home cyber security would come down to convincing them that 1) the cost is worth it, 2) the hassle is worth it, and 3) convincing them that it is not overkill. I think you do a good job addressing items 1 and 2. As you know, most folks don’t implement proper security due to the inconvenience or hassle associated with it (i.e. locking their phones). The key is to convince them to take the good with the bad and it’s not overkill due to the importance of your personal identify.

  3. The only one of the four that worked on-line was Equifax. The Transunion took all my information, including credit card then simply said it could not process the request. But there are TWO pending charges on my card now. No phone help found after hours. Innovis took all my user info over the phone then simply said they got it and dumped me unceremoniously. The web form simply failed without explanation. The Experian is down both web and phone.

    You would think they don’t want this to be convenient or easy. I know I just spend between 10 and 30 dollars, and might be between 25% and 75% done. But I really can’t tell for sure.

    Might just go back to cash if people still take that.

  4. I was able to almost all of this easily except for Experian. You may want to try this on a web (not mobile site). I also signed up for an SSA account to ensure someone didn’t beat me top it (SSA.org). Really greatful for all the information here. Cheers!

  5. I froze my credit a few years back. The one time I unfroze it I was going for a home equity loan and all I did go online and unfreeze the accounts for 24 hours. The nicest part was only the bank I specified was allowed to access my credit for that time period. It was still frozen for everyone else. It was very smooth and the freeze went back on automatically after 24 hours.

    If you do nothing else you should at least do this. it is well worth the effort

  6. I froze my records on all three big agencies in about 10 minutes online. On a Sunday morning. Maybe that’s why it was fast and easy.

    But this makes me wonder why having a PIN (or some other mechanism) that you can give to someone who legitimately needs your credit records (and then change) is not routine? The credit agencies could take up this practice voluntarily (or be forced to take it up by law) and solve a major headache. A bit like the pin that the IRS offers now through H&R Block.

    This article was the first I ever heard of security freeze, and that is because I happened to hear of Brian Krebs and subscribed to the blog! I know of nobody else who has ever heard of it.

  7. Another great article. Thank you.

    Do credit bureau’s operate phone numbers they will answer — how can we locate one for each of the four bureaus?

    What is the cost-effective method for performing a SSN-only credit search, especially useful for protecting credit and ID theft for a minor?

  8. Without researching every state law, I see Florida’s freeze law was implemented in 2006 (9 years ago and I’ve known of credit freezes for years, but never implemented one. The state law dates are listed in the Consumers Union/Consumers Report mentioned by another commenter).

  9. Brian, many thanks for your tireless efforts.

    Is it possible to have the valuable information in this article available in a format that can be distributed easily, as in a pdf? I want to disseminate this information to as many people as possible.

    Kind regards,

    Denny Heidenreich

  10. Don’t your credit report get checked and used by a lot of companies that you do business with, and failure of them to do so would do what to ur business with them?

    I’m curious because I would like to do a freeze since I only want 1 credit card, no loans and nothing else, no mortgages.

    Insurance for car and apartment always have comments that we used ur credit report to determine your rates. I would think lack of ability to do that would make the rates higher.

    Not sure if my apartment is checking it occasionally but don’t other companies check your credit report for signs that you are not financially trustworthy, and would have some issue with you for them failing to be able to access it?

    I’m basically curious of the normal non loan,non credit card, non mortgage pitfalls of a credit freeze. Is there anything that will come back to screw me over?

    What about the credit card I currently have. Would this interfere with our business relationship with each other in some way? Would this not interfere with a current credit relationship? Would they be constantly hampered and asking me to lift the freeze?

  11. I find it interesting that on the linked Equifax page for state-by-state information, a “Specific Party Lift” is sometimes available and sometimes not available, depending on the state. This implies that it is technically possible, but they only provide the option where required to by law. That’s the type of behavior that makes many of us angry at the Credit Bureaus who do not share our interest in personal security. :(

  12. Security freeze is a good idea, but there can be a hidden cost. Insurance companies use the credit score to determine your rate and some will check it at every renewal automatically, with no way to coordinate with you. Not being able to access the score can cause you to pay higher premiums. When I called my insurance and asked if there was any way I could be notified when they want to look at the score so I could unfreeze, I was told there is not, I suspect because it is an automated process with nothing in the workflow that would handle such a situation. That was auto. Home insurance said they only check it if I change the policy, and that I can handle since it’s something I would initiate. all of the insurance companies would handle things diffrently, so you would have to call your insurance to know the effects of a freeze.

  13. Thanks Brian… got to your site from Hak5/Threatwire/Patrick Norton. Placed a freeze at the 4 credit reporting agencies you mentioned and at Chex. Though I haven’t heard anything about my accounts being hacked, I figure I’m at-risk given my purchases at Home Depot, Target, a specific gov’t database and insurance through Anthem.

  14. You might want to note in your article that “optoutprescreen”

    https://www.optoutprescreen.com/opt_form.cgi

    uses an insecure site, that is it doesn’t appear to support https. Pretty pathetic but not surprising.