June 8, 2015

If you’ve been paying attention in recent years, you might have noticed that just about everyone is losing your personal data. Even if you haven’t noticed (or maybe you just haven’t actually received a breach notice), I’m here to tell you that if you’re an American, your basic personal data is already for sale. What follows is a primer on what you can do to avoid becoming a victim of identity theft as a result of all this data (s)pillage.

Click here for a primer on identity theft protection services.

Click here for a primer on identity theft protection services.

A seemingly never-ending stream of breaches at banks, healthcare providers, insurance companies and data brokers has created a robust market for thieves who sell identity data. Even without the help of mega breaches like the 80 million identities leaked in the Anthem compromise or last week’s news about 4 million records from the U.S. Office of Personnel Management gone missing, crooks already have access to the information needed to open new lines of credit or file phony tax refund requests in your name.

If your response to this breachapalooza is to do what each of the breached organizations suggest — to take them up on one or two years’ worth of free credit monitoring services — you might sleep better at night but you will probably not be any more protected against crooks stealing your identity. As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

In short, if you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth paying for these credit monitoring and repair services (although more than likely, you are already eligible for free coverage thanks to a recent breach at any one of dozens of companies that have lost your information over the past year). Otherwise, I’d strongly advise you to consider freezing your credit file at the major credit bureaus. 

There is shockingly little public knowledge or education about the benefits of a security freeze, also known as a “credit freeze.” I routinely do public speaking engagements in front of bankers and other experts in the financial industry, and I’m amazed at how often I hear from people in this community who are puzzled to learn that there is even such a thing as a security freeze (to be fair, most of these people are in the business of opening new lines of credit, not blocking such activity).

Also, there is a great deal of misinformation and/or bad information about security freezes available online. As such, I thought it best to approach this subject in the form of a Q&A, which is the most direct method I know how to impart knowledge about a subject in way that is easy for readers to digest.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it. 

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Equifax has a decent breakdown of the state laws and freeze fees/requirements.

Q: What’s involved in unfreezing my file?

A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes on the phone with the company from which you hope to gain the line of credit (or perhaps research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours.

Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?

A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.

Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.

An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.

Q: Why would I pay for a security freeze when a fraud alert is free?

A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.

Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?

A: It depends on your state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on a freeze. However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services. The Consumers Union has a handy state-by-state guide listing the freeze and unfreeze fees.

Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?

A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them.

Q: I’ve heard that tax refund fraud is a big deal now. Would having a fraud alert or security freeze prevent thieves from filing phony tax refund requests in my name with the states and with the Internal Revenue Service?

A: Neither would stop thieves from fraudulently requesting a refund in your name. However, a freeze on your credit file would have prevented thieves from using the IRS’s own Web site to request a copy of your previous year’s tax transcript — a problem the IRS said led to tax fraud on 100,000 Americans this year and that prompted the agency to suspend online access to the information. For more information on what you can do to minimize your exposure to tax refund fraud, see this primer.

Q: Okay, I’ve got a security freeze on my file, what else should I do?

A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link

Q: If I freeze my file, won’t I have trouble getting new credit going forward? 

A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.

Q: Anything else?

A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.

To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request. 

PERSONAL EXPERIENCE

A couple of years back, I was signed up for a credit monitoring service and had several unauthorized applications for credit filed in my name in rapid succession. Over a period of weeks, I fielded numerous calls from the credit monitoring firm, and spent many grueling hours on the phone with the firm’s technicians and with the banks that had been tricked into granting the credit — all in a bid to convince the latter that I had not in fact asked them for a new credit line.

The banks in question insisted that I verify my identity by giving them all of my personal information that they didn’t already have, and I was indignant that they should have been that careful before opening the new fraudulent accounts. Needless to say, the experience was extremely frustrating and massively time-consuming.

We eventually got that straightened out, but it took weeks. Not long after that episode, I decided to freeze my credit and that of my wife’s at all of the major bureaus. Turns out, I did that none too soon: A few weeks later, I broke a story about a credit card breach at nationwide beauty chain Sally Beauty, detailing how the cards stolen from Sally Beauty customers had wound up for sale on Rescator[dot]cc, the same fraud shop that had been principally responsible for selling cards stolen in the wake of the massive data breaches at Home Depot and Target.

Rescator's message to his customers urging them to steal my identity.

Rescator’s message to his customers urging them to steal my identity.

In response to my reporting about him and his site, Rescator changed his site’s home page to a photoshopped picture of my driver’s license, and linked his customers (mostly identity thieves and credit card hustlers) to a full copy of my credit report along with links to dozens of sites where one can apply for instant credit. Rescator also encouraged his friends and customers to apply for new credit in my name.

Over the next few weeks, I received multiple rejection letters from various financial firms, stating that although they had hoped to be able to grant my application for new credit, they were unable to do so because they could not view my credit file. The freeze had done its job.

In summary, credit monitoring services are helpful in digging you out of an identity theft ditch. But if you want true piece of mind, freeze your credit file.


119 thoughts on “How I Learned to Stop Worrying and Embrace the Security Freeze

  1. TS

    Seems to me the whole credit reporting system is broken. Here we are paying credit reporting agencies to fix their broken system? Why not come up with a better solution and ditch this silly thing altogether? Surely there’s a better way.

    1. BrianKrebs Post author

      Can’t argue with you there, TS, but it doesn’t change the fact that in the meantime the freeze is the best option.

      1. meh

        I disagree, the best option is refusing to play crooked ball. The credit bureaus are the weak link and by design they will always be the weak link. I can never in good conscience pay them a dime and when vast portions of their unethically acquired reports are full of errors or fraud they deserve to go bust, not get handed even more money.

        1. Bruce

          However, you’re already playing. It just doesn’t feel that way because you did not consciously join the game. they make far more money selling your info than they recoup from the fee. That’s why they fought for so long to not even offer the service, they were forced into it by state legislation.

          1. meh

            If everyone had that attitude nothing would ever be regulated or reformed.

            1. JCitizen

              Join the consumers policy and action group from Consumer Reports at Consumer’s Union. We have been instrumental in getting congress to pass some of the few laws that actually help protect the public, and especially in forming the new Consumer Financial Protection Bureau (CFPB). We are the people’s lobby group, and probably have even more weight than many of the other industry lobbyists.

              Just go to consumersunion(dot)org and join your favorite cause.

  2. Dennis

    Thanks for the compilation of wisdom, Brian. It’s very helpful. I bookmarked it and will share it with friends.

    After having read it, I have one follow up question. I froze my credit with 3 major bureaus. But I didn’t know that Innovis is the 4th one. Is it important to place a freeze with them as well?

  3. Ron

    The credit system is not broken at all. They have managed to create an elaborate “phone book” of faulty information about you without your permission that you need to worry about and everyone pays to access. Works fine for them which was the point anyway.

    1. meh

      Don’t forget the associated crooks like the insurance companies who double your rates if you don’t have great credit. Get a surprise medical procedure you couldn’t afford? Great, now your car insurance is going to double as well as anything else tied to their phony databases.

  4. Bart

    Whoa and WTF! There are now four (4) credit bureaus?? It has always been 3 for as long as I can remember.

    We froze our 3 files several years ago, and never regretted doing that.

    Who died and allowed the establishment of #4 and how can we find out when new ones are granted?

    1. meh

      Who granted the first 3? Something to remember is 2 generations ago there weren’t any at all, and life went on just fine.

    2. Sorry Miss Jackson

      Yeah, agreed. Where did #4 come from. I’ve never even heard of Innovis.

    3. timeless

      There are many more than 4 credit bureaus. There are 4 *major* credit bureaus.

      And for most of us, the 4 major have been along longer than we have.

      Wikipedia:
      «Innovis began as ACB Services – founded by Associated Credit Bureaus (ACB), in 1970. In 1989 ACB Services was purchased and renamed Consumers Credit Associates (CCA). First Data Corporation purchased CCA and renamed it Innovis, Inc. in 1997. Most recently, CBC Companies purchased Innovis, Inc. in 1999.

      As of 2008, CBC Companies claims it has provided consumer credit information through its credit bureau organization for over 55 years.»

      Here’s one list of US reporting agencies:
      http://files.consumerfinance.gov/f/201501_cfpb_list-consumer-reporting-agencies.pdf

      The problem w/ Innovis is that some vendors use it. This is a game of whack-a-mole, but thankfully at 4 (or even 5 — PRBC), it’s a heck of a lot cheaper than whack-a-bank (there are thousands, and they’re mostly incompetent).

  5. YourCreditor

    A caveat: Your current creditors can attempt to pull a random annual report on you. If your file is not accessible, you risk having your card(s) suspended. And for those trying to build your credit score, your good standing with your creditors during the freeze will not be reflected as an improved score. Worth taking into consideration before freezing your file.

    1. YourCreditor

      Talking about the inability of a lender or credit card to perform a “soft”, or review inquiry. They may reserve the right to suspend your credit. Varies.

    2. pasca

      Not true. All current creditors have access to frozen reports. Only new credit is barred. That is stated up front during the freezing process.

  6. Clark

    Brian, what about other family members. Should I freeze the credit on my four wives? My 23 Children? (kidding).

  7. Matt

    We froze our credit at the 3 credit bureaus roughly 10 years ago. It has never caused any problems. NOw there are 4 credit bureaus, so I’ll be freezing our credit at Innovis later today.

    Are there any other credit bureaus out there we need to worry about?

  8. Jake

    What is the recommendation to protect a minor? I’ve received notices from a few companies that my children’s data was stolen, but I don’t see any good way to protect them.

    Ideas?

  9. Charles D.

    Thanks. I’ll be doing this for me and my wife asap. Also emailed your article to my two sons and recommended they do they same.

    From what I was reading on the various sites, looks like an existing creditor can still request your credit report.

    As someone else noted, the link to Trans Union does not get you to where to need to be. The correct place is easy to find from their main home page.

  10. James Cameron

    > Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file.

    And if you’re married or have a partner . . . this has to be done for each of you, correct?

    1. Soy Tenley

      Yes.
      Remember, in community property states, one spouse’s debt is also the other spouse’s debt, and you both have to protect yourselves to protect the other.

      1. JCitizen

        That depends – in some states a spouse can get a “financial divorce” to shield themselves from an errant spouse’s bad habits. In that case you’d never have to worry about what the “significant other” was up to.

  11. Mark

    I took a look at the ChexSystems site, and it appears that they also have a way to request a security freeze separate from a fraud alert. Any thoughts on doing that?

  12. Robin Holt

    Brian, in some previous posts, you have mentioned creating your accounts on irs.gov and ssa.gov. Would you consider amending this post to add those very useful links to either your previous posts or, more conveniently, both the previous post and the government sites.

  13. Boris

    You Americans are so awfully indebted that I wonder do you go to the bathroom on credit too?

    1. American

      Huh…I’m American in my early 30’s and have zero debt…you discredit yourself when you blurt out blanket stereotypes without any knowledge of what you are saying.

    2. Soy Tenley

      Most transactions in the modern world are debt-driven.
      For example, every utility bill is a short-term debt.

      Transactions in which you pay in advance shift the debt burden from you to the party that is providing what you have paid for, thus, they are the ones that are in debt.

  14. ATMThief

    There is a username in that screenshot.

  15. Kip Saunders

    Brian, does freezing my credit affect a background investigator running a credit check on me even if I gave the BI the go ahead by signing the credit report authorization and release form?

  16. Michael

    I’ve read articles that people are using the SSN of children because they are clean. Is freezing their credit an option? My children are only 5, but I would hate for their first experience with credit to be having to fix it because we were unaware of a theft that happened years prior. Is it even possible to do these things on behalf of a minor, or do I have to have them make the calls?

    1. Daniel

      I am in the same boat as Michael. I want to place a security freeze on my kids SSN but when I have tried, Equifax gave me a pop up window stating I need to be at least 18 years old to place a security freeze.

      I’ve also read that some parents are requesting brand new SSN for their kids when they turn 18 so they have a clean slate, though I have no idea how easily this is accomplished or even if one can still do this.

      1. Alan W.

        Daniel & Michael,
        As far as I know, to freeze your child’s credit information you have to supply a police report showing they are a victim of ID Theft (e.g., their SSN was breached).

        Here is another good resource for ID Theft info:
        http://www.idtheftcenter.org/

        1. Daniel

          That’s the problem Alan W. I want to freeze their SSN before the breach…not afterwards. In this day and age, it’s not a IF it’s a WHEN.

    1. mike foo

      just curious what submittting IRS and state fraud affidavid’s would do or not do, I don’t want to create the inability to pay my taxes online for example , i have not had any fraud that i’ve noticed.

      but i’m sure in all my years I have lost a wallet, or sent an insecure credit card number somewhere online , etc

      re:
      have experienced an event involving my personal information
      that may at some future time affect my federal tax records.
      You should check this box if you are the victim of non-federal
      tax related identity theft, such as the misuse of your personal
      identity information to obtain credit. You should also check this
      box if no identity theft violation has occurred, but you have
      experienced an event that could result in identity theft, such as
      a lost/stolen purse or wallet, home robbery, etc.

      1. Mike

        In theory IRS will give you a PIN number to use when you file your taxes online, or at least give your returns extra scrutiny. It should not prevent your filing online.

  17. Tarek

    Transunion’s link leads to the corporate side, not the customer side. The correct link to request a security freeze for a consumer is http://www.transunion.com/securityfreeze

    The problem here is that Transunion is not using TLS 1.2. It’s using the much weaker AES-256 with SHA1.

    1. Peter

      TLS is the protocol, AES the encryption.
      In fact it is using TLS 1.2 with AES 256bit ecnryption
      None of that matters though in terms of how safe they are.

  18. Tomi Olivia

    Placed a freeze a few months ago (post Anthem). And just added Innovis. Must say that I have a LOT less worry since doing so (thanks for the info, BK!).

    Also tried to get a PIN from the IRS a few months ago. They sent me a notice that said to continue doing as I’m doing and file my returns, etc. There was NO mention of a PIN in their reply.

    Question for those who have gotten a PIN: Is this their ‘normal’ behavior? Will they send a PIN closer to the end of the tax year? WTF?

  19. John

    It’s my understanding that US federal law doesn’t allow credit for persons under age 18. This came up at work due to a data breach that involved folks from just born to 90, the credit monitoring vendor advised that they could handle the 18+ folks, but since the younger ones aren’t supposed to have credit, they couldn’t monitor what doesn’t exist. They simply didn’t have a product addressing that cohort.

    1. Soy Tenley

      Which is phenomenally stupid, because once criminals have successfully used the child’s name and SSN and a phony birth date, a credit history will eventually make its way to the credit bureau for that SSN.

      Time to harangue the legislators to make another law forcing the credit bureaus to do what is needed because they won’t do it themselves.

    2. thoromyr

      I don’t know what the rules are supposed to be, but you can certainly use a child’s SSN for credit purposes. The cases I know of are the parents using the child’s SSN because theirs are burned.

      My sister discovered when she got her first credit report that she had had a line of credit from before she was born (thanks to first name/last name match). Someone else’s debt reported as hers.

      All of this is business as usual as far as I can tell.

  20. Jay

    Perhaps those organizations suffering breaches should also be offering free credit freezes to those whose personal data has been compromised.

  21. Chunky Monkey

    Do these good ideas also work in the UK?

  22. pasca

    I’ve rechecked our agreements with the three reporting agencies (I will be freezing on the fourth) and unfreezing does not cost money. I imagine if you do it often, they would charge. So far a current creditors–as was incorrectly stated–they still have access even after freezing your reports. Freezing does not affect current creditors.

    1. timeless

      (They’re not the same Innovis, just a random group that doesn’t know how to configure a web server…)

  23. mike

    the big 3 , transunion seems to force you to create an account, one asks where you live, the other does neither.

    looks like there are 5 to freeze?
    Innovis
    Innovis is a provider of consumer data solutions and is considered a CRA in the United States, the other three being Equifax, Experian and TransUnion. Most sources of information about consumer credit repair seldom mention either Innovis or PRBC, a fifth agency, as of 2013.

  24. Tim

    Brian, does this mean that it should be OK to cancel credit monitoring (and the monthly fee), or is that still useful in some way?

  25. Rich

    Third-party anecdote: Security freeze was placed on credit file after identity theft. Subsequently, home insurance premium, from a big national insurer, increased 30% because their automated credit check failed. Issue was resolved, but took 3 weeks and about 8 hours’ effort.

    Although a security freeze has no negative impact on your credit score and your relationship with existing creditors, who continue to be able to pull your report, you MAY have other, non-credit-related financial relationships that could be adversely affected by a freeze.

    1. Soy Tenley

      Automobile insurances companies *might* do the same thing, especially after a claim.

  26. Mr Freeze

    Brian,

    It’s not necessarily true that you have to pay again to re-freeze your credit reports after a “lift.” There are options to lift the freeze for a specific period of time (which you specify), as well as for a specific named party (which you name). I generally use the former option and lift for a week or 10 days when applying for new credit and it has worked well. Yes, you do have to pay for the lift, but once the lift expires your credit is automatically re-frozen for no additional charge.

Comments are closed.