Nov 15

Report: Everyone Should Get a Security Freeze

This author has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.


Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.

But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.

Thankfully, US-PIRG — the federation of state public interest research groups — also is now recommending that consumers file proactive security freezes on their credit files.

“These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”

The report continues: “Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”

Check out the USPIRG’s full report, Why You Should Get Security Freezes Before Your Information is Stolen (PDF) for more good advice. In case anything in that report is unclear, in June I posted a Q&A on security freezes, explaining how they work, how to place them and the benefits and potential drawbacks of placing a freeze.

Have you frozen your credit file? If so, sound off about the experience in the comments. If not, why not?

Tags: , , ,


  1. I’ve set up the freeze. I’m happy to have the security, but I’m disappointed that I can’t easily sign up for new credit cards. I like getting a new credit card every six months or so to take advantage of the miles/points that they give you when you sign up. I wish it was easy to un-freeze temporarily to let a credit card application go through and then quickly re-freeze.

    • I’m surprised to hear that people actually do this.

      Nerdwallet [1] says you shouldn’t do it more frequently than every six months, so apparently what you’re doing is ok, assuming your credit is great (or excellent).

      Credit Karma [2] says that you should keep credit cards longer since their age helps your credit score. This is certainly my understanding. Although if you don’t intend to ever get a big loan, it won’t matter much. But it’s worth considering if you’re actually trying to improve your credit score…

      [1] https://www.nerdwallet.com/blog/credit-cards/credit-score/long-wait-credit-card-applications/
      [2] https://blog.creditkarma.com/credit-101/credit-report-card-break-down-average-age-of-open-credit-lines/

      • I have a great credit score, and even if I didn’t I still don’t care about my credit score. I have no mortgage, own the house, have absolutely no need for credit of any kind for the rest of my life.

        For me, it’s a fun game to see the rewards/points I can earn by paying attention to the credit card deals.

        The security from the freeze is worth it even if I’ve lost the ability to play the credit card game, I just miss it because it was fun. We had entire vacations where the hotel and flights were paid for with points from signing up for credit cards. Pretty cool!

        • Your credit score is also a factor in the rates you pay for insurance. You could be paying for your miles and points via higher insurance premiums. Doesn’t seem like it should be legal, but it is. And it would also seem that if the big three aren’t already tying your online life (browser searches, email, streamed media) to the dossier they have on you, they will be.

  2. Clark Howard has been recommending credit freezes for some time as well. See below:

    Credit Freeze and Thaw Guide

    Credit freezes: Your biggest questions

  3. It’s been a couple of years since I froze mine. What I remember is that either Experian or Equifax made it a bonafide PITA to both freeze and unfreeze to the point where I /believe/ the government had to step in and tell them to knock it off.

    Looking up at the comments, my experiences match perfectly with Dave Pooles’.

  4. From the USPIRG.ORG report:

    “Security freezes are available to consumers in all 50 states and the District of Columbia. A security freeze costs between $3-10 for each of the three big national credit bureaus, depending on the state. (There is no fee to place a freeze with the fourth, smaller bureau, Innovis.) There is a $2-12 fee, depending on the state, for unfreezing your credit report with each bureau. All states give you the right to place free security freezes if you can prove that you are an identity theft victim. Some states offer them for free to consumer[s] 65 years+.

    There are seven states where freezes are free to all consumers, whether they are identity theft victims or not:

    – Colorado (first freeze is free)
    – Indiana
    – Maine
    – New Jersey
    – New York (first freeze is free)
    – North Carolina (free online only)
    – South Carolina

    Lifting freezes both temporarily and permanently is free to all consumers in: D.C., Delaware, Indiana, Maine, North Carolina, South Carolina, Tennessee, and Virginia.

    Lifting freezes permanently (but not temporarily) is free to all consumers in Alaska, Idaho, Missouri, Montana, Nebraska, North Dakota, and Pennsylvania.”

    My comment: The fact that the fees vary from state to state and some are $0 means that they are completely arbitrary and are simply as high as the credit bureaus can get away with according to each state’s law. If you live in state where there is any charge for freezing or unfreezing YOUR data, write or call your state legislator and tell them you want the law changed to give YOU control over your data at no charge to YOU. If the states IN, ME, NJ and SC can do it, so can your state. It is unconscionable for these companies to charge consumers for providing the protection which this data should have had in the first place. Call or write your state legislator TODAY! It’s YOUR money and YOUR data!

    This has been a Public Service Announcement from a freeze-fee-free South Carolinian. Yer Welcome!

    • Is a ‘breach of personal information’ (in the hundreds of millions of cases at this point) considered “identity theft” (identity theft in the “third degree” awaiting further misuse or theft)?

      I had my personal information taken three times, but not used yet for further theft.

      • No, being part of a data breach does not make you the victim of id theft. Your information needs to be used fraudulently for it to be id theft, the breach just means your info was compromised, but that doesn’t guarantee it will be used.

  5. As another poster has elucidated, Canadians do not currently have the option to ‘freeze’ their files. And this in spite of the fact that we use two of the same credit reporting agencies as our U.S. neighbors: EquiFax and TransUnion!

  6. Healthcare.gov, Federal Express and UPS all use credit reporting agencies to verify identity when creating an account online. If I’m not mistaken, the US Postal Service does as well. Even if you’re not using all of these services at present, save some money by creating accounts with all of them while your files are un-frozen.

    • Healthcare.gov has been selling the information people entered into its forms to no less than 14 marketing companies. People should still not use it. This was not a hack. This was government complicity. You can see the research in the article HealthCare.gov Sends Personal Data to Dozens of Tracking Websites at the Electronic Frontier Foundation’s website. They now have a “privacy manager” if you don’t want to “enhance” your experience of filling out a government form for health insurance. But before 2015, they were doing this completely in secret, to everyone using their site.

      I’m still scratching my head at how people thought that was good judgement, to allow marketers to secretly observe and log what people filled out into a healthcare form (income, pregnancy status, all of it). They certainly wouldn’t have liked 14 marketers in the room with them, looking over their shoulder as they filled out such forms. Yet they set up their system to do that to everyone by default.

    • People should still not use healthcare.gov. They have been selling the information people have been filling out in the fields, to no less than 14 marketers. You can see the research confirming this at the Electronic Frontier Foundation’s website, in the article HealthCare.gov Sends Personal Data to Dozens of Tracking Websites. Before 2015, they did this silently, in the background, now they have a “privacy manager” because you’re supposed to suspect they’re doing this and then you’re supposed to trust them when they say they’ve now “managed” your privacy. But the truth is, they sold every person’s information who used the website, every field.

      It boggles the mind that someone thought this was showing good judgement. They certainly would never consent to filling out a healthcare form with 14 marketers looking over their shoulder and taking note of every single letter they wrote. Yet this is the default, even now.
      Best to call the number if you must. Although whether they are using the web interface, with all the same exposure, who knows. How much more corrupt can you be as a government than to require that people give you information and then turn around and sell it in secret?

  7. I have never dealt with any credit bureau. Does this mean that my details are not held by credit bureaux and therefore are not in jeopardy of being stolen?

    • Do you have a credit card? Ever financed anything? There are many more things that can lead to your information being in a credit bureau.

      Basically, unless you’ve paid for everything in cash they probably have some information on you.

      • But if I have never registered with a credit bureau, how am I to freeze my information? I seem neither to be able to opt out or to opt in.

        • The parties w/ whom you do business register your information w/ the bureau.

          When you set up a utilities contract (electricity, water, sewer, phone, internet, cable), the utility reports your payment information to a bureau (you paid on time, you were late, what the amount was).

          When you sign a lease to rent a place, the agent renting you the property will report your payment information to a bureau (you paid on time, you were late, what the amount was).

          The same applies for renting a property, or having a credit card, or having a mortgage.

          These agents do this for a couple of reasons:
          1. They benefit from knowing if people like you are delinquent / high risk.
          2. They may be compensated for reporting (possibly directly, or through lower charges for access to similar data).

    • According to the report here: , you are vulnerable if you:
      Shop with credit or debit cards;
       Pay taxes;
       Have health insurance;
       Attend college;
       Patronize any business that keeps customer records; or,
       Work for the government or a company

      • Sorry… the URL was removed. See if US-PIRG pdf given in the article.

      • Not having read the article, I suppose what is meant by “vulnerability” here is any place where details are stored (and lost) that may be used to create a financial account in someone elses name. Thus, I can add more to the list. Any record that contains personal information that may be used to create a finanical account:

        Financial institutions (breached banks, brokerages, etc)
        Payment systems (breached payment systems)
        Personal computers (breached PCs)
        Online accounts (breached email systems and other accounts)
        Law enforcement databases (breached law enforcement systems)
        Internet-based infrastructure (man-in-the-middle breaching systems)
        Job application tracking systems (breached applicatiion tracking systems)
        Et cetra.

    • Basically, if you’ve ever paid for utilities, worked, rented, owned, or interacted with the state, you probably have a record.

      But, here’s what http://www.wvhomeloans.com/credit3.html says:

      «What type of information do credit bureaus collect and sell?

      Credit bureaus collect and sell four basic types of information:

      •Identification and employment information
      Your name, birth date, Social Security number, employer, and spouse’s name are routinely noted. The CRA also may provide information about your employment history, home ownership, income, and previous address, if a creditor requests this type of information.

      •Payment history
      Your accounts with different creditors are listed, showing how much credit has been extended and whether you’ve paid on time. Related events, such as referral of an overdue account to a collection agency, may also be noted.

      CRAs must maintain a record of all creditors who have asked for your credit history within the past year, and a record of those persons or businesses requesting your credit history for employment purposes for the past two years.

      •Public record information
      Events that are a matter of public record, such as bankruptcies, foreclosures, or tax liens, may appear in your report.»

      There are dozens of bureaus. We* only recommend freezing the big four. Different bureaus specialize in different kinds of records (iirc Innovis, the fourth one, was originally more involved in employment or something but diversified…).

      *I’m lumping myself with Brian and other experts. You can see that I’m a frequent/prolific commenter on this topic and I regularly recommend freezing all four.

  8. I froze my credit at all credit bureaus back in 2006, after my state (Rhode Island) passed a law to make it easy to do (with a letter to each credit bureau). I have been one of the victims of the OPM hack of all my personal info this past year. My response: nothing. Why? All they would do for me, as Brian says, is tell me when my ID has been stolen or credit opened in my name. While nothing is perfect, I feel that having my credit frozen was and remains the only rational action that has any merit to prevent ID theft.

    • Actually, they shouldn’t even do that much. — Since it should be virtually impossible for anyone to open credit in your name since you’ve frozen your reports.

      Good for you.

      Hopefully you’re also evangelizing to your friends, family, and neighbors.

  9. If you were a victim of the OPM breach (or any other personal identity breach), you should complete IRS Form 14039, Identity Theft Affidavit. Use a fillable form at IRS.gov, print, then mail or fax according to instructions. The IRS will provide you a PIN that you will need to use to file your tax return. Without the PIN, someone will not be able to file a return for you and request a tax refund in your name. See: https://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft
    Hint: Carefully read the form, provide requested ID, etc. The process is designed to sort out the serious from the lazy and stupid. Be the former.

  10. Maybe I’m misinformed (please correct me if I’m wrong), but the whole thing seems like it’s forced on us, and we have no way to opt-out if we want nothing to do with the credit system.

    Of course, being in a state that doesn’t entitle you to freezing for free, you end up having to pay money to apply a freeze. It makes no sense at all to have to fork over money to some “service” that was forced on you so that they handle your information a little bit more securely.

    I for one don’t have any interest in building credit, and take any steps I can to be secure, and yet if I want to be proactive to prevent the ramifications of identity theft, I’m expected to pay these credit bureaus which I don’t even want to have any part of. They took it upon their-selves to store my personal information, when I didn’t agree to it in the first place. Now I’m expected to pay them? Wow!

    “Oh, but you pay taxes, and have a job, so we need to keep your information on file here at the credit bureaus.” Sorry for being a member of a human society! Guess what, in order to survive a person needs to pay taxes and have a job, so how is anyone expected to not be automatically enrolled in credit bureaus’ services? Be jobless? Don’t pay taxes? Move to some imaginary country that doesn’t have this system? Not be born? How can we have no part in this? By the time I was aware of the concerns of identity theft it was already far too late– they already had a file on me. Want to have them shred it even if you have a neutral credit score? Too bad!

    Even if I so much as want to drive a car, I need to get insurance (as it’s mandatory, and rightfully so), which means the insurance company has to run your credit (WHY?!). Too many third parties get to fiddle with this sensitive information, but of course it’s my fault if something goes awry, so I’m expected to fork over cash to freeze my file that I didn’t opt-into having in the first place. I want nothing to do with it!

    Sure you can opt-out of Firm Offers per https://www.optoutprescreen.com/ (and not even indefinitely, you have to re-up every 5 years), but you can’t opt-out of the credit bureaus themselves. I can understand if you abused credit systems and have a negative score, shredding your file would be an easy loophole to get a clean slate day after day. However, for those like myself with no credit and a neutral (or even positive) score, we should be able to opt-out of this nonsense. As far as I know, I have no choice in the matter, and that’s fundamentally wrong.

    • Put the Onus back on them--they messed it up, they can deal with more mess

      I don’t know, maybe I can/should start applying for a new social security number every week to stay ahead of the whole mess and cause more chaos to my record. Let the bureaus figure it out.

    • This is the problem w/ private industry. They do whatever they can to make a buck, until they’re regulated (and even after…).

      Your state hasn’t established strong enough regulations.

      FWIW, in principle, the Federal Government could pass a law establishing a federal credit bureau and banning private bureaus. Such a bureau could easily be set up w/ default frozen and reasonable nationwide rates.

      It won’t happen in the USA anytime soon because one of the two major parties is anti-government and pro-business. They’d claim such a thing is equivalent to the nationalization of healthcare (single-payer is a huge cost saver up here north of the border).

      The best you can do is lobby your local legislature to improve things. You could also try to build a movement for change at the national level. But …

      Also, you could probably try to help strengthen the CFPB: http://www.consumerfinance.gov/ — they’re a rare win, and they’re trying to help you.

  11. At some point free credit freeze/unfreeze has to become the response of the breached companies/organizations/government, instead of the nearly useless “credit monitoring” that has become norm.

  12. The freeze is good, but far from perfect. It only prevents 15-20% of id theft, and only the types that check your credit file first. It does nothing to prevent people from giving your info to police, the IRS or using to get medical services. It also doesn’t prevent utilities from being opened in your name, as they don’t typically check your credit before opening an account, and the collection will certainly be added down the road. Many payday loan companies don’t even check files first, so it doesn’t stop them from providing the loan, it just prevents you from being able to get a real one if necessary.

    • Tommy78, do you have a source on that 15-20% figure? I haven’t seen a lot of good quantitative research on the effectiveness of security freezes vs. credit monitoring vs. fraud alerts, so if you know of one I’d much appreciate a cite/link.

  13. Credit campaigner

    Lots of misinformation here.
    The Bureaus hate freeze. Cuts their rev stream to sell your profile over and over.

    NEVER give your secret freeze PIN to a lender or entity asking to check your credit. Some guy who posted here did just that. Amazing.

    Some states free, some up to $10. (Those states had more effective lobbyists in corrupt Washington to push through bogus fees) disgusting how the public are manipulated by the bureaus and the financial system.

    I teach credit, finance, manufactured spend, leveraging reward credit cards, advanced techniques etc.

    Amazingly the must ignorant sector are older folks. They are of the generation that willingly complies with everything asked of them. They are known as the ‘Trusting Generation’ and a marketeers / ID thief’s dream.

    Give me a young person, and I will destroy the ability of the Bureaus to exploit them, for life.

    Child ID theft is the fastest growing sector of abuse at this time. The thieves get clean slate and you won’t find out until your kid wants to go to college, then you have an unholy mess. Good luck with that.

    Freeze is the best tool available to consumers at this time. It won’t stop CC fraud or all forms of ID theft.
    Be your own advocate and monitor your financial life.

  14. Bandaids on a broken leg. The credit bureaus will always be the weak link in the chain, they are financially beholden to criminals and shady companies to survive. Relying on consumers to do the work a multi billion dollar fraud factory should have been doing all along is silly.

  15. IMO, the retailers who had my CC info stolen due to lack of security/compliance should be held responsible for providing free credit freezing, or credits with the 3 monitoring agencies to do so. If they actually had to pay some $$ instead of the joke that is credit monitoring it might be helpful. I would rather be proactive to this then reactive like the breaches/credit monitoring services are.

    Also, this is the 21st century, why does it have to be such a manual PITA to freeze one’s credit. There should be a 3rd party service with secure authentication practices that can freeze/unfreeze credit with ease after its setup correctly. I want to log in, use 2FA from a mobile device and boom done in 60 seconds.

    I doubt any of this will happen without the govt stepping in.

  16. If you live in any of those states where you have to pay for a security freeze, that means you have to pay to freeze / unfreeze your credit file at *each* of the three major credit bureaus. Now you wind up having to pay triple the cost that any one credit bureau charges, since you can’t be sure which credit bureau is used by a business where you’re opening an account.

    Of course, the credit bureaus aren’t providing security freezes voluntarily, but only because the law requires it. So it comes as no surprise that they’ve implemented it in ways that are cumbersome to use.
    If the credit bureaus truly wanted to provide a service that could help prevent identity theft, they could streamline the whole security freeze process. Why not a smartphone app that allows consumers to give their consent each time a credit bureau gets a request for one’s credit information? If no response is received by the bureau from a consumer within a specified amount of time, the bureau would be free to release the credit information.

    Instead of having to freeze your credit file, then unfreeze it each time you seek credit, the default should be that the credit bureau is prevented from releasing your information unless you provide specific consent via smartphone app (unless you don’t respond within the specified time).

    But I’m sure the credit bureaus would rather continue to hawk useless credit monitoring services instead.

  17. Keep in mind if you have this freeze and you are shopping for a car, asking for credit anywhere it stops you in your tracks until the freeze is removed.

    • Totally valid point – people should certainly be aware of the ramifications of a credit freeze, but how often do people get new cars, loans, etc? I believe these are generally predictable events, so just thaw the freeze before the credit checks. $10-$30 unfreezing credit is negligible cost on a car purchase/loan.

      However if people are chronic credit card rewards chasers, perhaps the ‘fraud alert’ is the best option.

  18. Yep, thanks to OPM, I”ve had a security freeze since the summer–more reassuring than the useless 18 months of “monitoring” by another company that I’d have to disclose my info to.

  19. I recently placed a fraud alert + freeze and while it wasn’t too much time, as a victim of a data breach there is no reason I should have to pay for it and jump through all these hoops.

    SIGN this wh.gov petition if you agree with me: http://wh.gov/iVUzX

    I call for an executive order (like Obama’s CHIP and PIN executive order last year) for common sense consumer protections for data breaches involving core personal information (SSN, DL, financial, health) include:

    * Automatically placing 90 day credit fraud alerts on behalf of victims immediately after notification and provide the option to enable an indefinite credit fraud alert without waiting for an identity theft incident

    * Provide option for free credit freezes and thaws indefinitely without waiting for an identity theft incident

    * Build on FACTA and redesign annualcreditreport.com to handle adding, removing, and thawing credit freezes and fraud alerts across ALL credit related bureaus

    * A minimum of 5 yrs of free ID/credit monitoring service chosen by the victim from a marketplace. Additional free 2 yrs for each subsequent breach victim experiences

    • Also, interesting notes I learned from placing my freezes:

      * Placing a freeze at Innovis and ChexSystems was free, despite being in CA.
      * If you are a victim of the Experian TMobile breach, placing a freeze is free. I didn’t click on any special link, so perhaps they figured this out by my SSN?
      * Equifax and TransUnion both charged me the standard $10 fee in CA.

      Innovis and Chex offer it for free, and the others don’t – do we need any more evidence that the fees are totally arbitrary?!?

      from https://www.experian.com/data-breach/t-mobilefacts.html as of 11/20/2015:

      Q: How do those impacted by the breach involving T-Mobile data place a security freeze on their Experian credit reports?

      A: Those impacted by the breach involving T-Mobile data may place a security freeze at Experian – at no cost and without providing a police report — by calling 866-243-2385 or adding it online here.

  20. Those whose personal info was stolen through the OPM breach can get ID monitoring and credit monitoring for free. After reading your post I chose to freeze my credit with all 4 institutions. The next day I signed up for the free ID and credit monitoring from the breach (clearly not thinking about their inability to monitor my credit after it was frozen). The freeze prevented them from getting to my credit but they can still monitor my ID for theft. I think that will work out fine. The freeze is working already! Thanks!

    • I’m a federal employee and got caught up both in the OPM breach and the theft of background investigation reports. I signed up for the credit monitoring after I was notified of the OPM breach. I then put a freeze on my credit reports with the 4 credit reporting agencies as well as ChexSysytems, as Brian has recommended. Last week I tried to sign up for the credit monitoring offered because of the background investigation theft, but could not because of the freeze I had placed. The question I have: should I temporarily remove the freeze to sign up for this second credit monitoring or is the freeze sufficient? I have learned that I would have to remove the freeze from the 3 major credit reporting agencies They use all 3 to confirm your identity.

  21. Last February — after the BCBS breach — I froze mine. No problem doing this online (free in this state) except for Experian (said I didn’t answer a question correctly or something). Had to use certified snail mail for Experian.

  22. Four reporting agencies? I thought there were only three; Transunion, Experian, and Equifax? What is the fourth?

  23. I live in the UK and asked Experian’s over here to put a security freeze on my account but they informed me this is not available!

  24. I’m a federal employee and got caught up both in the OPM breach and the theft of background investigation reports. I signed up for the credit monitoring after I was notified of the OPM breach. I then put a freeze on my credit reports with the 4 credit reporting agencies as well as ChexSysytems, as Brian has recommended. Last week I tried to sign up for the credit monitoring offered because of the background investigation theft, but could not because of the freeze I had placed. The question I have: Should I temporarily remove the freeze to sign up for this second credit monitoring, or is the freeze sufficient? I have learned that I would have to remove the freeze from the 3 major credit reporting agencies They use all 3 to confirm your identity.

    • I can’t speak for the OPM breach, but I froze first by accident as well. When I tried to enable identity theft monitoring online, I was met with error messages that it could not be completed. Instead, I called Experian’s ProtectMyID directly and they were able to enroll me over the phone – the rep on the phone said he thought it would still work even with the credit freeze in place, but didn’t sound definitive about it.

      Anyway, the identity theft monitoring is probably only worth it for the insurance guarantee in case you become a victim, not for any actual protection. The best protection is still going to be the freeze.

  25. Thank you!