02 Sep 15

OPM (Mis)Spends $133M on Credit Monitoring

The Office of Personnel Management (OPM) has awarded a $133 million contract to a private firm in an effort to provide credit monitoring services for three years to nearly 22 million people who had their Social Security numbers and other sensitive data stolen by cybercriminals. But perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.

Not long after news broke that Chinese hackers had stolen SSNs and far more sensitive data on 4.2 million individuals — including background investigations, fingerprint data, addresses, medical and mental-health history, and financial history — OPM announced it had awarded a contract worth more than $20 million to Austin, Texas-based identity protection firm CSID to provide 18 months of protection for those affected.

Soon after the CSID contract was awarded, the OPM acknowledged that the breach actually impacted more than five times as many individuals as originally thought. In response, the OPM has awarded a $133 million contract to Portland, Ore.-based ID Experts.

No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims. While state-sponsored hackers thought to be responsible for this breach were likely interested in the data for more strategic than financial reasons (recruiting, discovering and/or thwarting spies), the OPM should not force breach victims to pay for true protection.

As I’ve noted in story after story, identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.

Many of these third party services also induce people to provide even more information than was leaked in the original breach. For example, CSID offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he or she needs to apply for new credit in the future.

But there’s a catch: Depending on the state in which you reside, the freeze can cost $5 to $15 per credit bureau. Also, in some states consumers can be charged a fee to temporarily lift the freeze.

It is true that most states allow consumers who can show they have been or are likely to be a victim of ID theft to obtain the freezes for free, but this generally requires the consumer to file a police report, obtain and mail a copy of that report along with photocopied identity documents, and submit an affidavit swearing that the victim believes his or her statement about identity theft to be true.

Unsurprisingly, many who seek the comprehensive protection offered by a freeze in the wake of a breach are more interested in securing the freeze than they are untangling a huge knot of red tape, and so they pay the freeze fees and get on with their lives.
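As an added example (not code from the original post, and not any bureau's actual system), here is a small Python model of the access rule a freeze imposes on a credit file: a default-deny gate that still admits creditors the consumer already does business with, denies everyone else, and opens a time-limited window only when the consumer presents the bureau-issued PIN. Bureau names, PINs, dates and the inquiry format are all hypothetical.

```python
"""Toy model of how a security freeze gates access to a credit file.

Illustrative example only: not code from the original post or from any
credit bureau. Consumer and bureau names, PINs and dates are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hmac
from typing import List, Optional, Set, Tuple

# Constructed reference time and step used by the demo scenario below.
T0 = datetime(2015, 9, 2, 12, 0)
ONE_DAY = timedelta(days=1)


@dataclass
class CreditFile:
    consumer: str
    bureau: str
    pin: str                           # issued to the consumer when the freeze is placed
    frozen: bool = False
    thaw_until: Optional[datetime] = None
    # Creditors the consumer already has an account with; a freeze does not block them.
    relationships: Set[str] = field(default_factory=set)
    # Audit log of (when, requester, allowed) for every inquiry against the file.
    inquiries: List[Tuple[datetime, str, bool]] = field(default_factory=list)

    def place_freeze(self) -> None:
        """Freeze the file; any open temporary lift is cancelled."""
        self.frozen = True
        self.thaw_until = None

    def lift_freeze(self, pin: str, now: datetime, days: int) -> bool:
        """Temporarily lift the freeze for `days` days if the PIN is correct.

        The PIN is the only credential the bureau has for this action, so it is
        compared in constant time; a wrong PIN leaves the file frozen.
        """
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        self.thaw_until = now + timedelta(days=days)
        return True

    def can_view(self, requester: str, now: datetime) -> bool:
        """Decide whether `requester` may pull the file at time `now`.

        Order of checks: existing relationship (always allowed), no freeze
        (allowed), freeze with an unexpired lift (allowed), otherwise denied.
        Every decision is appended to the audit log.
        """
        if requester in self.relationships:
            allowed = True
        elif not self.frozen:
            allowed = True
        elif self.thaw_until is not None and now < self.thaw_until:
            allowed = True
        else:
            allowed = False
        self.inquiries.append((now, requester, allowed))
        return allowed


def demo_scenario() -> List[bool]:
    """Walk one file through freeze, denied inquiry, PIN lift and expiry.

    Returns the sequence of access decisions so the behaviour can be checked
    without reading printed output.
    """
    f = CreditFile(consumer="Alice Example", bureau="Bureau A", pin="123456")
    f.relationships.add("Existing Bank")
    decisions = [f.can_view("Unknown Lender", T0)]        # no freeze yet: allowed
    f.place_freeze()
    decisions.append(f.can_view("Unknown Lender", T0))    # frozen: denied
    decisions.append(f.can_view("Existing Bank", T0))     # existing creditor: allowed
    f.lift_freeze("000000", T0, days=3)                   # wrong PIN: no effect
    decisions.append(f.can_view("Unknown Lender", T0))    # still denied
    f.lift_freeze("123456", T0, days=3)                   # correct PIN: 3-day window
    decisions.append(f.can_view("Unknown Lender", T0 + ONE_DAY))      # inside window
    decisions.append(f.can_view("Unknown Lender", T0 + 3 * ONE_DAY))  # window closed
    return decisions


if __name__ == "__main__":
    for when, who, ok in CreditFile("x", "y", "0").inquiries:
        pass
    print(demo_scenario())
```

The point the model makes is that the freeze is an access-control rule on the file itself rather than an alert after the fact: a creditor the thief approaches for a new account never sees the report unless the consumer has opened a window with the PIN, while the consumer's existing card issuers and lenders keep working unchanged.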

The OPM’s advisory on this breach includes the same boilerplate advice sent to countless victims in other breaches, including the admonition to monitor one’s financial statements carefully, to obtain a free copy of one’s credit report from annualcreditreport.com, and to consider placing a free fraud alert with the three major credit bureaus. Nowhere does the agency mention the availability or merits of establishing a security freeze.

If you were affected by the OPM breach, or if you’re interested in learning more about what you can do to protect your identity, please read this story.

Update, 2:30 p.m. ET: Identity Theft Guard Solutions LLC was the original, founding name of ID Experts, the Portland-based company that won the $133 million contract from the OPM. The story above has been changed to include the new name.


71 comments

  1. I wonder if the IRS is going to offer anything to the millions of people who had their information stolen as well from their website. I’m still waiting on my refund and the amount of paperwork, phone calls and time to get this resolved is staggering. I won’t be holding my breath.

    • The IRS issue wasn’t so much a breach where data was scooped up and stolen, as it was unauthorized access due to poor gate security that allowed crooks that had information about you already to gain access and gather even more. The fraudulent tax returns that were filed were also done with information they already had, not really an IRS breach per se.

  2. Yep, at $5/affected person, a freeze for everyone would be cheaper than the two contracts.

    And since OPM can confirm to the bureaus that there was a breach and the affected IDs, it’d be much better if they did that.

    They should also be able to negotiate a discount rate for such a bulk purchase :).

    • The cost depends on the state, and depending upon how often your info needs to be viewed, it could add up… So, having your info included in a breach should be considered an ID theft qualification.

      https://help.equifax.com/app/answers/detail/a_id/75/~/security-freeze-fees-and-requirements

      • Yes, it varies by state, but those fees are state set upper limits. If a state passes a law mandating a fee not greater than $15, then a bureau could choose to charge $14 (to entice people to use the service), or $1, or even $0. The bureaus tend to charge the maximum they can, because they aren’t competing for customers, and they don’t see an incentive to accept lower than the maximum, but the law doesn’t prevent them from charging less.

        OPM should be able to negotiate lower fees, and also should be able to certify to the bureaus that there was a breach which would mean they’d be able to have the reduced (frequently $0) rate in most states.

    • I took Brian’s advice when I learned about credit freezes from reading here, incurred the minimal cost and moved on. When I saw the credit monitoring firm OPM hired asking for even more personal information I didn’t even finish the ‘sign up’ process, figured all I needed was yet another database with all of my information in it.

      • Ditto what TErickson said.

      • I too followed Brian’s advice on freezing our credit. It was very simple and cost me $30 total. I shared his advice with work colleagues and friends and hope they do the same. The only people this won’t work for are those who constantly open new lines of credit or open new credit cards at every store with a ‘Save 10% Today’ offer. (But that’s a different kind of problem.)

        • I’m glad you’re doing this (I did it a while ago), but $30 sounds wrong.

          The increments (which vary by state) are: $0, $5, $10, or $15.

          You should be freezing 4 places, so your costs should be $0, $20, $40, or $60.

          You probably missed Innovis. Please go back and get them too.

    • At $5/person on the open market, the USG discount rate shakes out to something like $25/person.

      Sadly, I’m not joking.

      These people literally can’t run a whorehouse and make a profit.

  3. We are currently “protected” by 3 such “consolation prizes” due to our information being harvested in 3 separate breaches, and Brian is correct, they do nothing to protect you, only notifying you AFTER the fact. Additionally, you need to freeze your credit not only at the big 3 (Trans, Exp, Equi), you also need to check it and then freeze it at Innovis, ChexSystems, DATAX Ltd, Clarity Services, and unknown others, which you won’t discover exist until you get phone calls from the creditor or find out in some obscure manner that your info has been used, like, a dozen or more times on the same day at a dozen or more payday loan locations. And create an account at the Soc. Sec. Admin. so you can manage your SSN. We’ve also sent in the IRS ID Theft Form, have heard nothing back, after having received a CP05 form telling us they were holding our return. We weren’t getting a return, we paid. I’m in agreement, don’t hold your breath.

    • This article reads like a scam; we gave your information to the thieves now we’re going to give every single one of your credit card transactions to credit protection agencies so they can protect you, and you’re going to pay for it. Same gambit with terrorism, this time around I have no idea what the purchasing info is going to be used for but I do know it will not be good.

      • I had the exact same feeling every time I saw ads for Life Lock, because right in the fine print it says that Life Lock is, or was at the time, actually a bank.

  4. And the $133 million are additional tax payers dollars.

  5. Over the several years I’ve been in this fraud/risk/payments industry, I never understood how easy it is to pacify an otherwise irate consumer/account holder by telling them they are being given free credit monitoring services; which are nothing more than one simply monitoring their CC statements on a regular basis and disputing anything that is fraudulent. You are absolutely correct in saying that freezing your credit file is unequivocally a far better option !! This will prevent the unauthorized use of credit credentials to open “new” lines of credit. Thanks for continuing to hit home on this point Brian !!!

  6. I work for a company that has a lot of their employees affected by this. The company went ahead a few weeks ago and gave us 3 years of credit monitoring. I would have preferred the “freeze” option. Also, it may be three years just to sort out all the information before identity thefts began.

    In addition, the security investigations that were compromised contain names, addresses, birth/death dates of close relatives – and none of the relatives affected get this protection.

  7. My son and I have a running contest going (not by choice) on who has the most free credit monitoring services as the result of multiple breaches. He was ahead by one but I’ve caught him. Pretty sad. Must be some use for that kind of metric.

  8. Two questions about freezing credit. 1. How easy or hard is it to work with the three (or four??) credit reporting agencies to start or stop the credit freeze. I am not opposed to paying the money. What I fear is whether the freeze will actually get set up properly and whether there is any way for me to even check to see if it was set up properly??? I fear the credit reporting agencies almost as much as I fear the bad guys. 2. If I freeze my credit will credit card companies I do business with who currently send me free FICO scores (for two of the main credit reporting agencies) still be able to provide those FICO scores or will all that go dark as well???

    • 1. Freezing was relatively easy. Three of the Four were done via their website. One of them I had to call cuz their website freeze wasn’t working for me. Haven’t had to unfreeze yet, but it should be similarly easy.

      2. It has not affected that ability for me….I’ve been frozen for over 2 months.

    • @K-Dee is correct

      1. Freezing is pretty fast and painless.
      2. Freezing doesn’t prevent entities who already do business with you from interacting with you / your file. It only prevents businesses who don’t yet have a relationship from accessing your file.

      http://www.kiplinger.com/article/credit/T017-C001-S001-how-a-credit-freeze-works.html

      «Freezing your credit report prevents lenders and other companies from accessing your credit report without your permission, which can help stop identity thieves from taking out new credit in your name (even if they have your Social Security number and other personal information). Companies you currently do business with are exempt from the freeze, so your bank, credit card company, auto insurer and mortgage lender can continue to check your report. You can use a PIN to thaw your report if you want to grant access to a new lender, insurer or other company. And you should still be able to access your own report without having to lift the freeze.»

    • No problems.

      I still get my free credit score.

      After the freeze, I opened a new credit card. It was with a bank with whom I had a deposit account. After I sent in the paperwork, they called me and said I had a freeze. They told me the agency. I unfroze for a few days, free. The new card was approved.

      Again, no problems, and I sleep better.

      It’s interesting that someone here posted some more names of smaller agencies. I haven’t frozen them yet.
      ChexSystems
      DATAX Ltd
      Clarity Services

  9. Isn’t the fundamental problem here one of just how the whole strange US credit system works? Why is life so tied up to some “credit rating”, and why don’t companies just insert a paper loop into applications for things like credit cards? If you force a crook to chase paper as well, the cost of exploiting a breach goes up quite a bit.

    • Credit is not a solely American concept.

      It exists throughout the civilized world.
      Bureaus to report on people’s reliability grow in any area bigger than a town of 10 people. https://en.wikipedia.org/wiki/Credit_bureau#List_of_credit_reporting_agencies

      If you’re in a town of 10 people, you know which person borrows money but doesn’t pay it back. If you’re in some place with a million people, you can’t know everyone personally, so you need someone who can tell you whether a person you’re meeting for the first time is reliable. This is the impetus for bureaus.

      You could ask “shouldn’t this be nationalized?” instead of being private. But lots of people would object to that. I’m not sure where I stand on such a question.

      I do believe that the cost for a freeze shouldn’t exceed $5.

      I wish that states would force (by passing laws,) bureaus to treat files of their residents as default-frozen, with an instant credit for whatever amount their residents have paid to freeze. Then people would only pay to temporarily thaw.

    • +++This

      The bar is too low. And there needs to be a correction.

      Banks corrected their easy-money tendencies that lead to the housing crash of 2008-2009.

      The same ought to happen with general credit.

      Sadly, the consequences of reforming “EZ-CREDIT!!” make for a less Democratic/less upwardly-mobile economy.

  10. This is yet another fiasco of incompetence in the endless stream of SNAFUs cranked out by the mechanism of the political state, whose principal product is legalized fraud.

    I have tried to insulate myself as much as possible from the state, but no one can escape its clutches entirely. When there is no one to protect us from the purported protectors, privacy and security are relative terms in such a society.

    As long as the myth that the only way to provide government is through such an incompetent mechanism whose only strength lies not in its integrity but rather in its ability to legally coerce the citizenry, it can only get worse.

  11. I understand that monitoring is not very effective, but simply paying for a freeze for all affected people will not solve the problem of ID theft. A freeze will only stop fraudulent accounts that would attach to your credit file; it would do nothing to prevent someone from filing taxes in your name, gaining medical services or giving your info to police. It would also likely not stop them from opening utilities or taking out a payday loan, as they often don’t check credit reports first.

    The other issue to consider is who would pay each time the credit file needs to be thawed and re-frozen? Is this something the government should pay for every time a consumer wants to apply for a new line of credit?

    And finally, most of the people involved in the breach will never be the victims of id theft, so why make them jump through the hoops that are a freeze. Why not set up fraud alerts, which are free and don’t get in your way of obtaining legitimate credit.

    I appreciated the work Brian does and understand his belief in the credit freeze system, but that is built on having been the victim of id theft. Of the 20+ million in the OPM breach, the vast majority will not have an issue that a freeze would prevent. The key to identity theft protection is making sure the company you are with offers full recovery, because id theft cannot be prevented, but it can always be resolved.

    • Agreed, except that fraud alerts need to be renewed manually thanks to Experian, who sued the original supplier of such services. They won based on the letter of the law, which states “you” can place such an alert, and hence a company on your behalf should not be allowed to do that.

      Now you can only auto-renew using Equifax, who for obvious reasons won’t be sued by Experian. Nobody else offers the auto-renew service.

      That said a fraud alert works as I have experienced in first hand. Not only do they alert institutions, but they then have a verified phone number and address they can then cross-reference with any new applications. That already stops someone in Florida from opening an account while you live in New York.

      Plus they can – and in my case do – call you when new accounts are being opened in your name. So you get alerted *before* anything is opened.

      The only caveat is that officially fraud alerts *should* not be used pre-emptively. In my case I was affected by a breach, but other people are looking for preemptive measures. Not much will prevent you from using it anyway, but *officially* you are not supposed to…

      • Not to mention you get another free copy of your credit report from each bureau every time you renew the alerts. So you can get four extras on top of the free annual we all get.

        • You don’t get (free) copies when you place a fraud alert. Or at least, perhaps that was once upon a time, but is no longer today.

  12. Actually several years ago we did that move but it cost us $60 per bureau per person (and twice each time because my spouse had to as well). Maybe policies have changed since then but that’s what it cost.

    • AND the same fees, we were told, would be to unfreeze. So we’ve kept the freeze on. No PINS at the time, but maybe by now that is possible.

    • Mark,

      With all due respect I think you may be misremembering that. $60 per person would make sense if you filed a freeze with all four major credit bureaus including Innovis. But $60 per bureau is not accurate.

  13. As my name suggests, I was hacked and got CSID’s services courtesy of OPM. I emailed asking CSID what sort of security they had on all this new information they wanted for me. After a week, they emailed back saying read the FAQs (no information there), and to call them. I want something in writing from them. It looks like they’re a “security through obscurity” operation.

  14. I still don’t understand why FROZEN isn’t the DEFAULT state of every credit report. The credit bureaus could eliminate 99% of the problem by simply freezing everyone’s credit report by default, and requiring you to contact them with a some form of 2fa to unfreeze it when you want to apply for credit. Then after 10 days, it reverts back to frozen again automatically. Problem solved. A system that works any other way is broken.

    • Doing that would basically prohibit credit bureaus from doing business. And before you object, yes credit bureaus are not popular, but inherently there is nothing wrong with a credit bureau. Almost all industrialized countries have them.

      The issue is that it gets overly used for pretty much everything AND there is no other check outside knowing a SSN and some other info. The US has no central database, allowing crooks to easily get accounts once they get your data. There is no place to cross-check. Credit bureaus have effectively taken the role of such government central databases. And be happy for that – unless you prefer the government having one central federal database with your address etc.

      Preventing credit bureaus from doing business (by making all credit default frozen, or otherwise) would also result in you not being able to get a credit card, mobile connection, TV subscription, etc. without first handing over payslips and other important financial information. Plus a copy of your ID. And it would likely increase interest rates as they cannot accurately estimate your creditworthiness.

      Despite all negative emotions towards credit bureaus, let us not forget they do play a role whether we like it or not. The problem is mostly they are overly used…

  15. There is a lot of misinformation in this article, as well as the comments section.

    Credit freezes not only cost money to put in place but it also costs money to thaw them, even if just temporarily. And you need to freeze it separately with each of the three Major credit bureaus. Not to mention the minor ones. A freeze doesn’t stop things from being added to your credit report. It only prevents companies from viewing your credit reports to decide if they wish to approve your request for credit. There is a long list of reasons companies need to look at your reports, and it is not limited to credit. Renting a car, renting an apartment/home, and setting up utilities like electricity or water in your name all require looking at your credit report. Every time you wish to accomplish any of these tasks you will have to pay to thaw your credit temporarily and then refreeze it again. And if you do not know which bureau(s) the agency you are doing business with wishes to view then you have to thaw and then re-freeze all 3 bureaus. This repeatedly costs you money unless you go through the huge list of steps to prove you are a victim of ID theft. In short, freezing your credit, for most people, is not something people want to deal with or can afford. It is an incredible hassle for anyone “financially active”. A much better solution would be to place a free 90 day fraud alert and continue renewing them every 90 days.

    And the thing nobody is mentioning here, and this is often the case with discussions about ID theft services, is that credit monitoring is often an “add on” or special feature of the ID theft coverage. A bonus feature. The real benefit to these services is the “recovery” of your identity if it ends up being stolen. These services can take limited power of attorney over the victim and then work on your behalf to solve/fix/restore your identity. This saves you from the real headache of identity theft, the paperwork and effort it takes to fix. Identity theft almost never costs victims actual money. It just takes an enormous amount of time and effort to clean up. Especially for the average person who has never dealt with it before.

    Credit monitoring normally has nothing to do with your existing credit or bank accounts. It is only watching your credit bureau reports for updates or additions. It is not looking for fraudulent charges on your existing cards, but rather new lines of credit being issued in your name, often from banks or creditors you’ve never even heard of or done business with. Credit monitoring is an early alert system, nothing more. It does nothing to stop the account from being opened. And it does nothing to close the account. It simply notifies you of the problem. So yes, credit monitoring is only so helpful and does nothing to stop ID theft. But to say that OPM should not provide identity theft services just because the service “includes” credit monitoring is just plain silly. And I’m surprised this article by Krebs would imply such a thing.

  16. Putting aside the cost factor, is there any reason not to register a credit freeze with each of the major agencies as a pure preventative measure? Even in the absence of someone being at risk for identity theft due to some event, why wouldn’t the most sensible option be to freeze credit anyway so that you never place yourself at risk? The inconvenience of having to use a pin to temporarily unfreeze seems minor in light of the peace of mind. Am I missing something here, such as perhaps a freeze interfering with the ability to freely use one’s credit cards?

    • Basically, there’s a small cost and a small nuisance in the rare case that someone with whom you don’t have a relationship needs to review your account in order to offer you credit. These are rare events, whereas fraud is a day-to-day event. You’re right to think that you should optimize for day-to-day over the rare event.

      What are the rare events?
      When you move (buy/rent a house/apartment), or try to make a big purchase or set up a new account (loan, line of credit, credit card), you’ll probably need to thaw your report(s) for each entity that needs to consider offering you credit.
      — Those thaws aren’t free (they generally cost the same amount as the initial freeze).

      That said. Most people don’t open lines of credit particularly often. Most people don’t move particularly often.

      If you’re about to move/set up accounts, I’d encourage you to wait until you’ve done so before freezing (and then do it ASAP). If you don’t plan to move/get new credit, I’d encourage you to freeze *today*.

  17. While Mr. Krebs is one of the best in the world at identifying and announcing data breaches, from this article it appears he is not very well versed in what ID Theft is. According to the 2015 FTC report, only 17% of ID Theft could be stopped by a credit freeze. This still leaves you open to 83% of ID Theft such as Government Document Fraud/Taxes, Employment, Medical, Driver’s License/Criminal and other non-credit types which now make up the majority of ID Theft victim complaints. Brian, please stick to data breaches or brush up on the FTC and other consumer ID Theft studies before spreading misinformation.

    • Wally,

      Spreading misinformation? I hardly think so. The FTC also considers credit card fraud to be identity theft (which you conveniently left out of your list) so I wouldn’t put much stock in that statistic.

      You’re right, Wally. People should just throw up their hands and do nothing. If you can’t fix everything, do nothing, eh?

      You don’t by chance work in the credit bureau or credit protection industry, do you Wally?

      • But a credit freeze wouldn’t prevent credit card fraud either, would it? The freeze only prevents new accounts from being opened, it has no effect on accounts that are already active. So the 17% would actually be lower if credit card fraud was included.

        • Check your math.

          If you DECREASE the size of the “identity theft” pie by not including fraud on pre-existing credit cards, then the fraud prevented by a credit freeze will be a LARGER percentage of the remaining “identity theft” pie. Substantially larger, in fact. Something like 28%, since fraud on pre-existing credit cards appears to be approximately 40% of the total “identity theft” reported by the FTC.

          Which is precisely the point that Brian made earlier in this thread.

          • But standard credit card fraud (fraudulent charges on your legitimate accounts) is not stopped by a freeze at all.

            • The difference between someone establishing a new account in your name and someone using an existing account is that it’s trivial for you to void charges for the latter:
              https://en.wikipedia.org/wiki/Credit_card_fraud#Cardholder_liability
              You don’t have liability, you just call your card issuer, report they’re fraudulent, and they’re gone. The card issuer will often issue you a replacement card, at no charge, and mail it to you wherever you are, at no charge.

              If someone opens a line of credit in your name, but attached to a different address/contact information, then you’ll have trouble canceling the items. 1. you won’t even know that they exist until much later. 2. you won’t have a proper relationship with the account (you didn’t open it, you don’t know the passwords for it, …). 3. you’ll probably only notice it when you check your credit report and see a ding, or when a collection agent comes after you.

              • Actually, when you see a new account established on your credit, it is very easy to get that ding removed. The credit reporting agencies will use the information in the New Account and correlate it to out of bounds credit services. By this they will analyze the data from past purchases and uses of credit and make a determination based on that. If you continue to shop in say the tristate area of DC, VA, MD, and NJ then all of a sudden a credit card purchase appears in Alaska, then there is a high likelihood that your details were stolen and that new line of credit is canceled immediately. I have had this done to me before, and that is how it got stopped. They can also see data patterns in your purchases as well, and they will go by that to make a determination.

  18. Credit monitoring prevents nothing more than a credit freeze would. Credit monitoring also has no effect on accounts that are already active. Credit monitoring does not monitor credit transactions, only new account creation via credit bureaus.

    Enhanced monitoring may cover more than just credit bureau activity, but that is what requires more information such as driver’s license, bank accounts, etc. I don’t trust these services to protect the information any better.

    I am affected by the “second” OPM data breach found during the investigation of the “first”. I think they were one and the same, only the true scope was realized after the investigation was under way.

    I chose the freeze option from the big three and Innovis for myself and my spouse since her information was included in my background investigation application. Other relatives are included but nothing more than is publicly available.

    I do not want to first become an identity theft victim to qualify for the fee waivers.

    The other forms of identity theft have other protections of varying effectiveness. Some only have reactive protections unfortunately.

  19. One of the OPM breaches involved the Standard Form (SF) 86 (Questionnaire for National Security Positions) data. Page 127 of the SF-86 states “Note: If you have a security freeze on your consumer or credit report file, then we may not be able to complete your investigation, which can adversely affect your eligibility for a national security position. To avoid such delays, you should request that the consumer reporting agencies lift the freeze in these instances.”

    Periodic reinvestigations occur at 5, 10 or 15 year intervals depending on the clearance level. It appears that those holding security clearances will need to unfreeze their credit at all agencies for several months while their initial investigation or periodic reinvestigation is completed.

  20. I find that creditkarma.com is a very good free alternative to credit monitoring. Not as effective as a credit freeze but a great tool for monitoring the appearance of new credit accounts.

  21. I find it funny that my previous post, which was completely relevant, harmless, and appropriate was not approved to be shown here. What is that about?

    • Hey John,

      Thanks for your comment above (http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/comment-page-1/#comment-392269). It has been approved.

      FYI, nobody censors comments around here, at least not initially. Sometimes, comments just get held because Akismet (anti-spam filter for comments) detects something odd. This is fairly typical for lengthy comments.

      In your case, I went back to try to see what was the issue, and noticed that someone with your same IP address has been commenting here for more than a year under many different names, almost always on ID theft stories. The very first comment you left here is I believe the only one where you used your real name and email address, which comes from the domain IDexpertscorp.com — the very company that won this $133M contract from the OPM.

      I wish people who comment here with such stridency would lay their cards on the table and come clean about their interest in the matter. Will you come clean? Thanks.

      • Yes, I am a low-level employee at a large identity theft company. This was my first comment, but I imagine many of my coworkers post their random opinions on sites like yours while using their work computers, since we work in the cyber security field.

        I don’t think the comment I left necessarily reflects the opinions of my employer. Nor is my comment radical or controversial in any way and should not be dismissed simply because I work in the field. Likely everyone commenting here and reading your site does.

        • So if it’s not a big deal that you work at a firm that benefits from our collective identity malaise, why can’t you preface your comment with a simple disclaimer like this?

          • And why should he? And why should he have to? Are you one of those people that believe that people have no right to be anonymous on the internet or something? Why does he have to give an explanation to either of you? Just because he doesn’t agree with you (and I keep seeing that on these comment sections here — what the hell is wrong with people parroting and worshipping people instead of thinking for themselves? THINK, people!)?

            Do you believe that free speech only exists if (a) people use their real names when they write something (if so you may want to check out the history of the United States — quite a few statesmen and interesting folks would write letters to the editor under pseudonyms — and that’s sort of the equivalent of a comment section, isn’t it?) and (b) people agree with you?

            Quit the IP address shaming. BTW, I use Tor, so I bet my IP is all over your site too with different people writing comments. VPNs work like this too. I bet you’ll be happy when/if IPv6 ever REALLY becomes a standard just so people can have their opinions tracked easier.

            I guess I’m saying grow up.

  22. RunningFromTheDogs

    Does anyone know if getting a freeze will interfere with applying for a job? What about a federal job?

    • It can, and @Ed posted earlier: http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/comment-page-1/#comment-392287 about a case where it would for federal jobs requiring clearance.

      For reference, here’s a (current) link for the SF-86 form: http://www.gsa.gov/portal/getFormFormatPortalData.action;jsessionid=84136039D82531E18574509D4E15C109.$%7Bjvm.route%7D?mediaId=73373

      Anyone who will need access to your file should tell you in advance that they do, and they should tell you which bureau they check and their identity so that you can establish a thaw for them. They should also be able to tell you the checking window (windows can be tied to a time window and a client id).

      • I’ve had a security clearance for over 30 years and I know they pull the credit report every time I go through a periodic review, but I’ve never seen the request pop up on my credit report. I am currently going through a PR and had to sign the form allowing them to pull my financials. That leads me to wonder if the bureaus hide such requests or if there is an alternate method.

        Also, just a caution to folks. A freeze doesn’t fully protect you from being defrauded. The unfortunate reality is that a miscreant only needs your name, SSN and a valid home address (any home address) to sign up (on-line) for utilities and move on from there. Back around 2009, I received a call from a debt collector calling on behalf of Verizon for land-line service in Providence, RI. Never been there. But as I dug further, I found out I had an apartment, a wife and two kids, and unpaid electric, natural gas (huge bill), wireless, wireline, and directv. It took a lot of effort to clear that mess up only to find that the person just moved to Woonsocket and started all over again. To this day, even though Directv pushed the debt over to fraud, they will not let me sign up for service.

        First step, find an empty apartment. Then establish a land-line phone. Now you have a permanent address with a wired phone, name, and social. That’s all you need to get basic services. But, after a credit card application showed up on one of my reports, I froze them. It stopped credit card requests. I also put a security freeze on all of my bank accounts where I needed to provide a password for any withdrawal or transfer. That was less painful than I thought it would be.

        And last night I get an email from Comcast for new service install (at $310 a month) in Connecticut. You guessed it – I don’t live there either. This comes a month after my Amex chipped card was compromised.

        Brian, if you read this comment, did you hear of any ADP breach about 3 months back? Our company uses ADP for FSA accounts and all cards were replaced, all transactions halted for 3 weeks, and a new website set up. Makes me just a bit suspicious.

  23. A government agency which is part of a political system that is the best that a credit-based economy can buy cannot be seen discouraging (or otherwise encouraging the impedance of obtaining) more credit or the whole thing will fall apart and everyone will see the smoke and mirrors inside!

    And that’s why paying for credit freezes is a wholly inappropriate response. It simply sends the wrong message.

  24. The problem I have with credit bureaus is that they collect our information and act like they own it. They do not pay us for our information; in fact they charge us if we want to control who sees our data. They apparently sell our information to anyone.

  25. ProbablyHackedITSecPerson

    On another note (my comment, above, should be amusing to any reader here, and sadly very true story):

    I am not entirely persuaded China was behind this hack, btw. I noted that when reading the article. I understand the evidence the US claims to have is enough for them to have confidence to go to the public on and declare, effectively, “China did this, but we know this by secret surveillance and so continuing that conversation with China or the public would reveal that secret surveillance. Therefore, we will not”.

    However, a. you have to realize that is a counterintelligence issue, ultimately, and so it is routine for public messages to either be entirely not given, or to have some manner of quantity of “disinformation” in them. b. secondly, you know that the US government has a track record of expressing, publicly, intelligence “knowledge” which, in fact, is not vetted and not conclusive. And, c. There was a report the other day from “anonymous government sources” that activity indicating possession of the OPM data was seen in *both* China and Russia. Now, if China stole such a prized mountain of data, would they really be sharing that with Russia? Even if they were… so soon? Before they could even begin to process the quality of it? I really do not find that plausible.

    So, either those “anonymous officials” were ‘not in the know and provided incorrect information’, or that was a fishing expedition by the US government under the guise of “anonymous officials” seeking clarification on ‘who was the culprit, China or Russia’. By making such a statement they might induce activity that could indirectly provide such confirmation or further clues.

    ie, they don’t really know.

    I would not be surprised if it was not actually North Korea, frankly.

  26. “Breach Protection” as new revenue market opportunity…gotta love capitalism.

    Surveying the security & identity news threads of the last 24 months, I’m left with the inescapable feeling that living in a cabin in Montana off the grid is an entirely reasonable aspiration.

    I should have realized this after the Target breach and the insistent/urgent postal messages I received after that (with zero followup after that).

    This is Target. We’re so sorry about the breach. We’ll guard your identity now…..

    and then, +90 days later, more junk mail, more spammy phone calls, more spam in my inbox.

    I’d suggest that this is all a classic market failure and it’s time for collective action on the part of the public, but…well…OPM.

    Depressing

  27. I always enjoy reading this blog and also the many comments on the variety of topics covered by Mr. Krebs. Identity theft, however, is a passionate topic for me and I would like to weigh in.

    First, I want to ‘lay my cards on the table’ and advise that I’m an independent associate for LegalShield, which offers an amazing IDShield plan for a low monthly rate. They have partnered with Kroll Inc. to provide identity protection to consumers with a $5M service guarantee. The service includes complete identity restoration, direct access to licensed private investigators specializing in identity restoration, privacy monitoring, security monitoring—the list is extensive. Having been the victim of identity theft myself, it’s an awful feeling of violation and exposure. The majority of services available on the market–credit freeze/thaw, ID theft protection, and credit monitoring–do nothing to restore your credit to its previous state nor monitor the added risk of having your identity sold and used. Used by someone who could use your SSN, medical insurance, or driver’s license to commit crimes in your name or use your medical insurance, possibly putting you at risk with their use of your medical record. I didn’t have time to spend the endless hours necessary to restore my identity and it’s wonderful to know there is a great company out there willing to do all this for me, so I can “worry less and live more”.

    I didn’t mean to give a long sales pitch but I’m passionate about our legal rights, and so many people aren’t aware of what’s available to them.

  28. Wouldn’t it be easier to adopt some sort of security BEFORE someone uses an SSN? Or is spending millions and suffering fraud (and making others do the same) US know-how and a way of life, as we see it in the payment card industry :)

  29. Credit Bureaus were invented, and make money by charging businesses to access your ability to pay (remember the FICO score?). Later, the FCRA said consumers had the right to amend their record if there was a problem. The Bureaus later added the freeze option as service, with a fee. I monitor weekly, for free via Credit Karma. Everyone should. The ads on Karma are worth putting up with.

  30. As long as people (including you!) keep calling it “identity theft”, rather than what it is: “failure of banks to properly authenticate people”, the problem is only going to get worse.

    My identity is not stolen: I am still sure who I am, the problem is that the banks never bother to check. Signing up to tumblr or facebook requires a stronger proof than what the banks demand.

    Maybe you remember SET (maybe you don’t). The credit card companies (there are only really two of them) had a plan to bring us secure, pseudonymous transactions in the late 1990s. They got cold feet.