08
Jun 15

How I Learned to Stop Worrying and Embrace the Security Freeze

If you’ve been paying attention in recent years, you might have noticed that just about everyone is losing your personal data. Even if you haven’t noticed (or maybe you just haven’t actually received a breach notice), I’m here to tell you that if you’re an American, your basic personal data is already for sale. What follows is a primer on what you can do to avoid becoming a victim of identity theft as a result of all this data (s)pillage.

Click here for a primer on identity theft protection services.


A seemingly never-ending stream of breaches at banks, healthcare providers, insurance companies and data brokers has created a robust market for thieves who sell identity data. Even without the help of mega breaches like the 80 million identities leaked in the Anthem compromise or last week’s news about 4 million records from the U.S. Office of Personnel Management gone missing, crooks already have access to the information needed to open new lines of credit or file phony tax refund requests in your name.

If your response to this breachapalooza is to do what each of the breached organizations suggests — to take them up on one or two years’ worth of free credit monitoring services — you might sleep better at night but you will probably not be any more protected against crooks stealing your identity. As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

In short, if you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth paying for these credit monitoring and repair services (although more than likely, you are already eligible for free coverage thanks to a recent breach at any one of dozens of companies that have lost your information over the past year). Otherwise, I’d strongly advise you to consider freezing your credit file at the major credit bureaus. 

There is shockingly little public knowledge or education about the benefits of a security freeze, also known as a “credit freeze.” I routinely do public speaking engagements in front of bankers and other experts in the financial industry, and I’m amazed at how often I hear from people in this community who are puzzled to learn that there is even such a thing as a security freeze (to be fair, most of these people are in the business of opening new lines of credit, not blocking such activity).

Also, there is a great deal of misinformation and/or bad information about security freezes available online. As such, I thought it best to approach this subject in the form of a Q&A, which is the most direct method I know of to impart knowledge about a subject in a way that is easy for readers to digest.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it. 

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union.

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Equifax has a decent breakdown of the state laws and freeze fees/requirements.

Q: What’s involved in unfreezing my file?

A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes on the phone with the company from which you hope to gain the line of credit (or perhaps research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours.

Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?

A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.

Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.

An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.

Q: Why would I pay for a security freeze when a fraud alert is free?

A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.

Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?

A: It depends on your state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on a freeze. However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services. The Consumers Union has a handy state-by-state guide listing the freeze and unfreeze fees.

Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?

A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them.

Q: I’ve heard that tax refund fraud is a big deal now. Would having a fraud alert or security freeze prevent thieves from filing phony tax refund requests in my name with the states and with the Internal Revenue Service?

A: Neither would stop thieves from fraudulently requesting a refund in your name. However, a freeze on your credit file would have prevented thieves from using the IRS’s own Web site to request a copy of your previous year’s tax transcript — a problem the IRS said led to tax fraud on 100,000 Americans this year and that prompted the agency to suspend online access to the information. For more information on what you can do to minimize your exposure to tax refund fraud, see this primer.

Q: Okay, I’ve got a security freeze on my file, what else should I do?

A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.

Q: If I freeze my file, won’t I have trouble getting new credit going forward? 

A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.

Q: Anything else?

A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.

To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request. 

PERSONAL EXPERIENCE

A couple of years back, I was signed up for a credit monitoring service and had several unauthorized applications for credit filed in my name in rapid succession. Over a period of weeks, I fielded numerous calls from the credit monitoring firm, and spent many grueling hours on the phone with the firm’s technicians and with the banks that had been tricked into granting the credit — all in a bid to convince the latter that I had not in fact asked them for a new credit line.

The banks in question insisted that I verify my identity by giving them all of my personal information that they didn’t already have, and I was indignant, since they should have been that careful before opening the new fraudulent accounts. Needless to say, the experience was extremely frustrating and massively time-consuming.

We eventually got that straightened out, but it took weeks. Not long after that episode, I decided to freeze my credit and that of my wife at all of the major bureaus. Turns out, I did that none too soon: A few weeks later, I broke a story about a credit card breach at nationwide beauty chain Sally Beauty, detailing how the cards stolen from Sally Beauty customers had wound up for sale on Rescator[dot]cc, the same fraud shop that had been principally responsible for selling cards stolen in the wake of the massive data breaches at Home Depot and Target.

Rescator's message to his customers urging them to steal my identity.


In response to my reporting about him and his site, Rescator changed his site’s home page to a photoshopped picture of my driver’s license, and linked his customers (mostly identity thieves and credit card hustlers) to a full copy of my credit report along with links to dozens of sites where one can apply for instant credit. Rescator also encouraged his friends and customers to apply for new credit in my name.

Over the next few weeks, I received multiple rejection letters from various financial firms, stating that although they had hoped to be able to grant my application for new credit, they were unable to do so because they could not view my credit file. The freeze had done its job.

In summary, credit monitoring services are helpful in digging you out of an identity theft ditch. But if you want true peace of mind, freeze your credit file.


119 comments

  1. Dr. Strangelove

    Really appreciate the allusion to my work, thanks Mr Krebs!!

  2. Section 215 Patriot Act

    Good article

  3. Brian,
    This was a very helpful article in helping people manage identity theft. Keep up the great work.

  4. Great post Brian. Some follow ups:

    1. Does putting a security freeze on your accounts have any impact on the credit scoring algorithm used by the bureaus? Obviously it is a net positive on the back side, but do the bureaus ding you at all for wanting to put the freeze in place?

    2. What about kids? Should parents contact the bureaus to put a freeze on their kids’ credit as well? Is it the same process?

    3. Is there any legislation around this at all which given the volume of data breached at this point everyone is in a bad guys database. Legislation which mandates a free credit freeze as part of data breach response?

    It seems that if a credit freeze on your accounts actually gave a bump in credit score, more people would be incentivized to do it, which then perhaps reduces overall fraud and costs associated.

    • 1. No, no direct effect. Note that a credit score is a ballpark number how creditworthy you are. Whether you freeze something, place a fraud alert, etc should – and has – no effect on it as it doesn’t make you more or less creditworthy.
      2. Kids are not allowed to have credit reports and hence cannot be frozen. I know ridiculous as the reverse should be true (always frozen), but that is the reality.
      3. Yes, you can often have the $15 waived if you were a victim.

      Note that credit report companies obviously don’t like you to freeze your report. They live by the reports being accessible and your data sold. So they won’t ever incentivize it.

      Last it *will* hamper (as typically in ‘completely block’) your ability to change phone companies, get a quote on car insurance, etc. Basically all kinds of activities that are not directly ‘new credit’ related, but do require a company to check your credit. Just make sure you are aware of that!

  5. I can’t wait until the NSA and the IRS realize that they can also monetize their data collection activities by requiring us to pay to protect the data we never asked them to collect in the first place. Crazy? Can’t happen? This is exactly what all 4 credit bureaus do.

    • This led me to think: The Rescator “Credit Bureau”, is a 5th never-asked for “credit bureau”. Payments are being made there too, just not for direct freeze “protection” that I’ve seen yet.

      Entrepreneurs already created 100’s more spam “credit bureaus” (“illegal-legal” business) putting more “personal information” into non-personal systems. These additional “credit bureaus” are existing online, just not with paid credit freeze “protection”, instead they only offer the “credit bureau” service of selling what’s in their “credit bureau” database.

  6. Glad you’re getting the word out to your large audience. I’ve been trying to educate people on this for about 2 years. I do have two comments though:

    1) Before you get a credit freeze, sign up for the Social Security Administration’s “My Social Security” Account. The reason? You will have to unfreeze your Equifax (I think) report before you can sign up if you do it after. And you’ll probably want to have access to this site to review your Social Security balances, etc. So why not head over there now and sign up before someone else signs you up? They also have 2 factor authentication using a cell phone, I’d sign up for that too.

    2) The Consumer’s Union (i.e., Consumer Reports) has a nice guide for all states, listing the process, costs and applicable laws. You can find it by Googling “Consumers Union’s guide to security freeze protection”

    3). It’s clear to me that there is a concerted effort to scare people away from Credit Freezes and push them towards the monthly/annual “we’ll keep an eye on your credit for you” plans. Don’t fall for it. Getting a security freeze is like requiring a PIN on your ATM card. If someone tells you that you don’t want to do that because it will make life ‘complicated’, they’re either an idiot or they’re lying to you.

    2)

    • Sorry..that ended up being (3) comments and a typo. :-)

    • Yes, Mike, I just tried over at Equifax, and to lock your report, they steer you towards “Credit report monitoring” for $19.95/month. It appears you cannot create an account without doing that. This must be a way around this, or I’m just missing it (could be).

    • Hi Mike,

      Tried signing up for My Social Security (http://socialsecurity.gov/createaccount/) but was redirected to an error page. Then again, no HTTPS, so might not be a bad thing for it not to work :)

  7. I find it interesting that credit bureaus hold your information and charge you to not release it. Sounds like blackmail.

  8. Thanks for this. For some reason I had not gone through the process of freezing my credit although I knew I should.

    Three out of four bureaus took a total of 10 minutes (not each.. totally!). With a little help from Roboform it was a piece of cake until I got to Transunion. PIA. Would not work online (the only one I had to create an account to get through the process) and would not work in the automation on the phone. I’m now on hold with a person who is verifying what the other three verified in about 30 seconds. Thinking my Transunion listing had some problems so maybe it was worth the exercise just to have that done.

    I’ll sleep better knowing this is done. Again, thanks.

  9. It seems to me that *frozen* should be the *default* state of your credit report.

    Any time an inquiry comes in for my credit information, it should be the credit bureau’s responsibility to contact me for authorization to release my personal information to a specific party, for a specific purpose. I shouldn’t have to take any action to prevent them from doing so, and I certainly shouldn’t have to *pay* for it. It should be that way by default. It is completely insane for the process to work any other way.

    Write to your congressmen. I have, but they need to hear this from more than just me.

  10. Dean Colpitts

    Nice article Brian… Do you have any advice or pointers for us Canadians though since our laws and credit agencies are most likely different than the US?

    Thanks

  11. I froze my account and my wife’s account immediately after concluding NOTHING would stop these creeps from getting our identity. We do not need credit at this point in our lives….. even if we did we would freeze our accounts.

    Our son needs credit bureau activity more than us for work or mortgage purposes so we slammed a credit alert on his name renewable every 60 days for 90 days coverage.

    Just reapply like a newcomer to reactivate…. the renewal process makes you think you need a police report for a 7 year alert. Nonsense. Just reapply like you did 60-90 days ago. Mark your calendar to re-up for another 90 days for the credit alert.

    By far the most peace of mind for us was the CREDIT FREEZE. You can always lift it on-line though it will cost you 10-15 dollars usually.

  12. Excellent advice. Here’s a video review of how security freezes actually work:

    https://www.youtube.com/watch?v=yqTm3koC0oU

  13. Thanks for your work Krebs!

    I feel misled believing I have to pay to be protected when a company gets hacked. I think these credit protectors “lifelock” and others do next to nothing to collect your money. Has anyone known someone where they are notified that their credit has been breached?
    My C/C company does this for free.

  14. Great information, thank you so much for providing it all. I have had my debit/credit card number stolen 4 times in 8 months, thank goodness my bank put a fraud notice on my account so when someone from another state/country tries to use it, they decline it.

  15. Getting back to the three major agencies and the 4th and 5th ones that many are not aware of, can a fraudster pick Innovis to set up stolen accounts without going to the major three that one may have frozen?

    I sent this question to Consumer Reports and they said to ask the big three. It is not easy to contact those people.

    It seems a new one could pop up without most families finding out.

  16. Rich Altmaier

    Excellent advice! It is the case that dealing with a new credit application, requiring a temporary unfreeze, can be a kind of clown circus with the bank. My bank doesn’t understand freeze, requires all 3 credit agencies to be unfrozen, makes repeated requests for the same access, then adds my spouse to the request, and finally loses all the information retrieved so far.

    Assuming you don’t often do a new credit application, is still a very wise step, to freeze your credit reporting!

  17. I thought there were 3 credit bureaus…you referred to 4 bureaus.

    Could you list the 4. I froze info at 3 but I guess I’m still vulnerable.

    Thanks,

    • Robert.Walter

      The answer to your question is in the earliest comments.

      • Ok I have Trans Union, Equifax, and Experian. I went back through
        the comments…don’t see the name of the 4th. Please just a name and
        I’ll follow through.

        Thank you

        • I found it in the article not the comments section.

        • Frank, that information is in the main body of the story. The fourth bureau is Innovis.

          https://www.innovis.com/personal/securityFreeze

          • ThoughtThereWereOnlyThree

            who is innovis? who uses them? are they big? do they really matter? when did they become a credit bureau?

            sorry for the dumb questions, but years ago in 2008, have had my credit record frozen with the big three (equifax, transunion, experian). the general info back then said to do freezes at the big three. now there is a fourth? ugh.

            so that’s an unfrozen hole that crooks can get through applying for credit at companies that use innovis to check people’s unfrozen credit reports.

  18. Caroline Worsham

    I didn’t wade through all the comments so the following may have been mentioned by someone. If you have a credit freeze on your file and are applying for credit, you can request a temporary lift and pay a one time fee.

  19. I read the Equifax link you referenced and my state (Missouri) has free freezes if I supply a police report of identity theft. But in the description, they talk about “…the unlawful use of your personal information by another person”. I have had my data compromised in one of the health care breaches but the data has not yet been used fraudulently. Will that still qualify for free or would I have to have actually had someone open an account with my identity first?

  20. yorkiemom2002

    Brian, Thanks so much for the information. I was unaware of Innovis, but had put a freeze on the other 3 several months ago. I immediately put a freeze with Innovis. Thanks again. I and many others appreciate the hard work you put in for our benefit.

  21. Three things Brian neglected to mention:

    1) Lots of government agencies use Experian or another credit agency to validate requests. The IRS and SSN refuse attempts to open accounts if a credit freeze is in place.

    2) Credit freezes can be temporarily lifted for a set period of time, often three or seven days, for a price, usually $10.

    3) One must ask a business which credit agency it uses to ensure that the proper freeze is lifted.

    • But my question above is where the crook goes only to Innovis where one did not freeze due to not having heard about them and bypasses the big three which do have freezes? Could ID theft be done that way?

    • Er…I think all three of those things were addressed in my story, if you read the whole thing.

      • 1) You stated that “a freeze on your credit file would have prevented thieves from using the IRS’s own Web site to request a copy of your previous year’s tax transcript,” but you did not mention that ordinary Americans are also prevented from creating accounts with the IRS and SSA to prevent thieves from doing so. But since they are also blocked, it’s not all bad. The SSA notes on its website that “You cannot create a my Social Security account online if you have a security freeze, fraud alert, or both on your Experian credit report.”

        2) You mentioned that *placing* a credit freeze will incur a charge, but not temporarily removing it. I found the exact opposite to be true, with initiations being free and temporary removals costing $10. State law may have something to do with it.

        3) This you did mention.

  22. Thank you for posting this. My husband and I were notified last week that we were of the 100,000 who had their tax returns stolen. While the IRS confirmed five years of our returns were downloaded, they only offer the credit monitoring. As we go through the long process of getting new everything, we were thinking of the seven year fraud alert but will definitely now go with the security freeze. It will be worth any fees we pay to do so.

  23. There is no link to the primer on identity theft protection services where it says ‘Click here’.

  24. Without denigrating in the least the good recommendations about credit freezes, people should be aware that freezing credit does not prevent the unauthorized use of stolen credit card information to charge purchases to that stolen account– that’s not an attempt to secure new credit. A freeze does prevent the use of the information to create a new credit card or other line of credit. But if the bad guys have your credit card info, say Chase Visa, they can go ahead and use that Visa account until you or Chase figure out the use was unauthorized and cancel the account, notwithstanding that you have set up credit freezes with all 4 agencies. You still have to check your bank’s website to monitor your credit card transactions fastidiously.

  25. I froze my credit a couple of years ago and have never regretted it ….if you are, I believe, 70 or older it is free (not in all states but most) and only one of them cost you $10 to unfreeze for any period of time that you need. I have unfrozen them a couple of times and re-froze with no hassle …all done on line…I especially encourage parents freeze their child’s social security number also at SS website

  26. what about protecting the future credit files of children? Any thoughts Brian? correct me if I’m wrong, that did not stop fraudsters from using SSN of children in their attempts to steal their IDs.

  27. It is possible with some of the bureaus to lift a freeze temporarily (1 day, 1 week, or 1 month) for purposes of seeking new credit but not having to worry about re-setting the freeze.

    With some it is also possible to get one-time-use PINs to give to a creditor. When they run in to the freeze, they enter that PIN (or your regular PIN, if you share it with them) directly and they can then pull your report instantly from a back-end system. No need to wait a day.

  28. So, I’ve been able to put a freeze on credit at 3 of the 4 agencies..after multiple attempts the past few days, Experian “can’t verify my identity” and wants me to mail documents in…I don’t think so.

    Anyone else have this problem?

    • I had the exact same issue with Experian. You can upload the documents on their secure site too.

    • Is the 7 year ChexSystems security alert only if you’ve had fraud on your account? The process to get the 7 year alert includes filling out an Affidavit, so it seems that way, but I don’t see it stated anywhere

  29. that market is in darkode information of millions of people, because the authors are silent noles the security, because they know who mess, here I only see Rescator, Rescator,

  30. What are your thoughts on PRBC? Good to put a security freeze on there too?

    • That company is a new one formed to help consumers build non debt related payment history. Since it isn’t debt related, I’m not sure how it would help to freeze something like that. I’m not even sure they could detect someone renting an apartment in your name.