18
Nov 15

Report: Everyone Should Get a Security Freeze

This author has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.

everyonegetsafreeze

Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.

But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.

Thankfully, US-PIRG — the federation of state public interest research groups — also is now recommending that consumers file proactive security freezes on their credit files.

“These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”

The report continues: “Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”

Check out the USPIRG’s full report, Why You Should Get Security Freezes Before Your Information is Stolen (PDF) for more good advice. In case anything in that report is unclear, in June I posted a Q&A on security freezes, explaining how they work, how to place them and the benefits and potential drawbacks of placing a freeze.

Have you frozen your credit file? If so, sound off about the experience in the comments. If not, why not?

Tags: , , ,

114 comments

  1. I froze my credit reports and my wife’s several weeks ago. It was a quite painless process. If I recall 2 of the places asked typical questions that would help identify me or my wife. The third (Trans Union?) required me to create accounts for me and my wife. The fourth (Innovis) did none of this.

  2. Easy enough, cost a couple bucks (but no more than a month or two of LifeLock) and now protected at the source.
    Consumer is still responsible for doing annual checks, because lenders don’t always check ( example, family pets get issued cards), however, if they do check the’ll reject the application.

    • Last I checked and had mine frozen, then cost is free if you have had a breach of personal information reported to you. I doubt anyone hasn’t had a breach.

    • LifeLock is a joke. After subscribing to their service, I purchased a car, bought a house, and opened up 2 lines of credit and they never notified me once of any of this… the only thing they captured was when I changed my home address to the new house I bought.

  3. I have placed security freezes on my account. The part that bugs me is that I get charged $5 every time to freeze\unfreeze etc. For something that is so important and that can get ruined why is there a charge for this service? To me this is something that should be free for anyone no matter what state they live in.

    • The credit reporting agencies have be getting by with the skin of their teeth to avoid regulation, and I think it is high time to pass law, that if they wan’t to operate in the US, they need a simpler system for customers to protect their credit. Why should we pay over and over again for security that should be baked in?! Besides these agencies are cleaning up on the backs of the consumer as it is. The high cost of credit is partly because the banks pay these grifters too much!

    • I agree. I didn’t make this mess, so I shouldn’t have to pay to protect myself.

      • Almost seems the credit “bureaus” take info. Curious what common disclosure wording is being used in company disclosure agreements to state that credit bureaus will be RETAINING and REUSING all this info on hundreds of millions of people, to further by used to cause harm to the public via falsely created financial accounts under someone elses identity.

    • The fees vary state-by-state and $5 is on the low end; I believe this has to do with how much effort your local State Attorney General wanted to put into the negotiation with the credit industry when the credit freeze requirement was mandated. Probably is also a testament to the power of the credit reporting industry. The latter party knows how much money it would cost them if every Tom, Dick & Harry could easily implement a credit freeze on ‘their’ data without the barrier/pain of a cash fee.

  4. Like Mr. Krebs I’ve always advocated for security freezes, especially for anyone under 18 years old. I you’re not planning any big purchases/loan requests then place a freeze with all three of the credit bureaus (fees vary by state). There are also fees in some cases to lift the freeze – permanently or temporarily. The freeze won’t impact existing relationships you have with banks/employers or when applying for work (if the org runs a credit check). There’s very little reason not to do this. Preventive (freeze) is always better than detective (monitoring).

    • Anon, there are now 4 (four) credit reporting services–as Brian mentioned in his post. While it would be nice to be able to lock one’s credit down for free, I consider $5 a small investment in my safety.

      And Lifelock? What a farce…there’s a waste of money if ever there was one.

  5. Would you also recommend security freezes for your children? Or does having one member of the household cover it? Our kids are still under five…
    Thanks
    Kate

    • These are specific to the person / SSN.
      Though it shouldn’t happen, a 5yr old technically could be granted credit because they have an SSN.

    • The freezes are established using SSN. So children need their own freeze. This is where is gets costly. For example a family of four would require twelve freeze requests in total to cover all three credit bureaus – a cash cow service for them, hence all the chatter about lowering or removing the fees.

      • Actually, there currently are four credit services you need to get account freezes from.

      • However, youngsters are not going to need temporary unfreezing to buy a car or get a mortgage. So, for many years it will be a one-time cost.

        • I tried to apply online for a credit freeze for my 5 year old daughter with Experian. The process is a complete headache. A host of very sensitive documents must be copied and mailed to the credit bureau, along with a check. Ridiculous.

  6. So true! Altho a security freeze can’t stop all types of id theft, it’s the best tool available right now.
    And now is a good time to ask for changes to current state laws so that charges for security freezes are eliminated completely. We asked the Maine legislature this spring to make a security freeze free for everyone in the state (also to include children in the law) and it was approved and enacted – due to the sensitivity about recent huge data breaches. Went into effect here October 15.

    • Yea! See? It CAN be done. The fees are controlled by state laws and the state legislatures. Call and/or write your state legislator(s) today and demand an end to the arbitrary fees for protecting YOUR data. The credit reporting agencies already make money selling your credit profiles to banks and other lenders, there’s NO reason for them to take money out of YOUR pocket, too. But it won’t change until YOU tell your state reps to change the law. Call or write TODAY!

  7. I have been advising my peers of this and get laughed at… the response is always “I have credit monitoring through x, y and z”.

    • Educate them on detective v. preventive controls. I give similar rationale to people when I get on my soap box about only using an ATM/debit card at am established ATM machine – never for purchases. Would you rather deal with having to get money back stolen from you/under your name or borrowed…the answer is pretty clear to me, but not everyone apparently…

  8. I did it a few months ago – largely thanks to Brian’s June post giving me the necessary kick in the pants. I urge all my friends and relatives to do it as well and point them to this blog for more information about the how and the why.

  9. I had credit freezes set, but then discovered I could not access the IRS, Social Security Administration or Medicare websites because they all use Experian to verify identity (appreciate the irony).

    • Why would a credit freeze stop Experian’s identity proofing service from validating who you are? Seems odd.

      • It happened to me and all I had done for my credit report was a Fraud Alert. I was not able to create an account on the Social Security web site.

      • It’s actually a good thing. Basically those verification checks involve accessing your file to generate questions to ask the “applicant” to prove that they’re the referenced person.

        If you freeze your account, the verification checks can’t access your account.

        Anyway, whenever you do need to set up such accounts, they should tell you which credit bureau they use, you then contact the bureau and ask for a temporary thaw. Ideally specifying the entity that will be requesting the information.

        Once your temporary thaw is in effect, you sign up for the account (this is the equivalent of establishing credit), and then in the future, you won’t need to deal with the bureau, you simply log in with your credentials (which unfortunately almost certainly don’t involve 2FA, because the agencies aren’t that competent…).

        If you don’t need an account, just leave the freeze in place, and ignore the agency, if you can’t create an account, no one else should be able to either.

  10. Does the same recommendation apply equally to UK residents? Does anyone have any experience of freezing their records with UK agencies?
    Quote from Wikipedia: In the United Kingdom, the three credit reference agencies are Experian, Equifax and Callcredit.

  11. Don’t forget to include ChexSystems and Clarity Services in the list to be frozen. The payday lenders use them to bypass the big 3, so loans in your name can still occur. I believe the SSA and IRS use Equifax. Go into your local SSA office is you need to create an account and have Equifax frozen. We were able to create our accounts there directly even with the freeze in place.

  12. Get a credit card with a high limit. Then freeze your credit. Use this high limit card only for extremely large purchases. Put a daily cap on the card. If you need a bigger amount, you should have to call the bank to inform them of a big purchase and once its done, reset the card to the cap limit once again.

    If you exceed the amount on the CC, then unfreeze the account long enough to do what you have to do and re-freeze.

  13. I’ve had a freeze with all three bureaus for the past few years. It’s the best “credit” decision I ever made as the piece of mind it gives me is invaluable. I recently purchased a new car too and the freeze was not an inconvenience at all. I simply advised my bank that I had the freeze and asked which bureau they will be checking my credit from. They said TransUnion. So I temporarily lifted the freeze with TransUnion for just 24 hours. It cost $10 and was super easy. I like that you get to choose how long you lift the freeze for too, just in case you need to shop around for different rates etc. Anyone who thinks freezes are an inconvenience or not worth the money is just asking to have their identities stolen. If you put a dollar value on yours/your families identity, I’m guessing it would be way more than the onetime cost for the freezes. Thanks for great reporting as usual Brian. Long time reader, first time commenting.

  14. Freeze your children’s’ credit as well. Someone capturing a young person’s identity can use it for years.

  15. So I wonder why OPM decided to extend the wimpy “credit monitoring” to all those whose identity details were stolen? Why not offer a freeze?

    Any suggestions?

    • It isn’t a product the bureaus want to offer.
      They can only sell that product once. They can sell useless monitoring thousands of times.

  16. It’s wrong for consumers to pay for this lock & unlock. We didn’t create the problem. Guess I should buy stock in the credit bureaus because if everyone locks their reports, the credit bureaus are gonna make a ton of easy money.

    • They already make a ton of money selling your info to various companies, like the ones who send you pre-approved credit cards. Consider the difference between paying for a one-time freeze and being (relative) safe from identity theft, vs. them selling your info over and over so you can get junk mail (and possibly identity theft).

      Yeah, I don’t like giving the credit bureaus money to prevent a problem that’s not of my making, but I do it anyway.

  17. I have freezes in place. Getting them lifted is a major chore, but it’s worth the effort. Tip: don’t lose your PIN.

  18. I’ve had my security freeze for about a year and here is what I don’t like about it:

    1) I live in the WA state and although it was very easy to place a temp lift for the freeze at Experian (which also cost no money), I had to pay $10 to temp lift TransUnion freeze for 30 days. My experience with TransUnion web site was also quite bad.

    2) Placing a temporary lift on your freeze requires some effort and usually takes a little bit of time to kick in. So you have to plan ahead.

    3) And the major pain in the ass about those freezes is that some businesses are not fully equipped to deal with them. Here’s my concrete example. When I was trying to switch car insurance, the guy at Allstate could not pull my “insurance score” because of the freeze. I had to pay $10 at TransUnion to get him a temporary PIN to access my score but his software or something on his end still didn’t let him do it. So he basically didn’t get back to me with the quote because he was unable to access my score. So something tells me that there’re more business like that, that would have no idea how to handle the freeze on an applicant’s account.

  19. I’m sorry if this has already been asked or is a dumb question. If I was to do the freeze could I do it for both my wife and I? Or does she have to call in separately and pay a separate fee to freeze her credit as well?

    Thanks,
    Nate

    • Each person needs to freeze their file with each bureau (there are 4 major that are generally advocated, although one poster noted that payday lenders are apparently using 2 other bureaus, which would make it 6 bureaus times 2 people).

      One thing that would certainly improve matters would be for the states / federal government to maintain a registry of freezes. So you could freeze yourself completely w/ a single stroke, and each bureau would be required to check w/ the state / federal government agency to determine if your file is frozen.

      That would take the annoying fees out of the hands of the agencies and protect against this foolish bureau proliferation problem.

      Such a state law could be easily written (it’s equivalent to a do-not-call registry, or a do-not-offer-me-a-credit-card-unsolicited, well within state/federal purview if someone were to write it).

      If you’re upset with this insanity (you should be), please contact your representative and complain to them (point them to this blog entry — I’m sure @Brian would be happy to talk with them about it).

  20. Sorry, no sale. I’m not going to pay for something that should be free( it’s not ironclad protection anyway as has been noted here and elsewhere ). I get monthly credit scores free through my credit card issuers and three free annual credit reports ( one every four months ), good enough. If someone steals my identity, I file a police report, write a few letters and get free freezes for life. Good luck to those merchants holding the bag, they’ll never see a dime from me. Sorry if that sounds cold, but it’s on them to pressure the credit agencies to change their ways.

    • A lot worse things can happen than just having unauthorized purchases show up on your credit card statement.
      For example, a relative of mine had their identity stolen about 10 years ago. The person who stole my relative’s identity was arrested for an unrelated crime and identified himself as my relative. Because he had never been arrested before, there were no prior fingerprints on file to reveal his real identity. It took my relative years to get that straightened out. Or at least he thought it was straightened out. However not so long ago, it caused problems when he had business at a government agency.

      • And how exactly will a credit freeze will prevent something like what happened to your relative. If someone want’s to steal your identity to cover his criminal tracks( that don’t involve credit related activity ) I don’t see how a credit freeze can stop him.

    • I noticed that Experian was free to freeze. Additionally, it was free for people in certain states to have their account frozen for the first time. Therefore, this could potentially be free for you!

      • Not in my state, it’s $10 x2 ( me & my spouse ) per bureau( there are more than three now) to initiate and another $10 to lift. Not worth it for me.

  21. “Add” a security freeze? Why aren’t credit records “frozen” by default? And why isn’t there legislation in the works to make this the case?

    • ‘If you are not paying for it, you’re not the customer; you’re the product being sold’

      The bureaus are private companies, they created a product (the credit report). They set all the rules for use and sale of this product, until legislators pass laws regulating it.

      Each state has effectively passed a law setting maximum fees for freezing and thawing reports.

      Should a law be passed making reports default to frozen? Absolutely. But, I’m not sure it would survive a constitutional challenge. It’s a strict government intrusion on a corporation. Typically in order for that to work, something has to be given in exchange — see “imminent domain”. One thing that has been offered in the past is monopoly status (copyrights, patents, and more typical monopolies).

    • I think it’s ‘cuz like, if yer not in debt then the terrorists have won.

  22. I put a credit freeze on my accounts years ago. The Illinois Attorney General’s web site has instructions and form letters you can use to create the credit freeze. This is very helpful.
    The only time I’ve needed to use the unfreeze option was during a security check for work. I ask the firm doing the checking which credit agency they are using and that I’ll get back to them with the release code. A quick call to the credit agency (and $10 later), I have the code to unlock my account information. I just call back the security agency, give them the code, staying on the line while they get access and print out the report. That’s it!

  23. I feel this is like turning your key twice on your front door and feeling safe about it. I would discourage Brian from promoting it as a method to “stop worrying” about identity theft.
    Why? Because identity thieves will just have one more thing to steal: the unfreezing password. Considering this password is kept by Experian and other credit bureaus, they will probably sell it at some point in time (joke).
    Also, that doesn’t really keep you from predatory lenders who, to begin with, don’t even check your credit rating and are, unfortunately, the most likely to come break your legs (no joke).

    • Hopefully the bureaus don’t actually retain the PIN, but instead have a salted-PIN which is then hashed and stored with the salt.

      There’s absolutely no reason they should be storing the PIN in plaintext, nor should it be in reversible-encrypted form. If an agency gets this wrong, I’d love to see the lawsuit for failure to use proper procedure for handling data. That should result in (a) bankruptcy of the bureau, and (b) swift call for serious regulation of the market or (c) nationalization of the market.

  24. I’ve been saying this for years. But our experience with the credit companies is that contrary to what they say, they do not actually unlock a freeze for a specific creditor to check. We have paid for this service a couple of times, and even though the credit bureau issued i.d. numbers for the bank to use to unlock our credit, the potential creditors were unable to do so. We just experienced a lot of hassle on the credit bureau end with Lincoln Financial being unable to break the logjam for several days. Also, you will not necessarily be told which of the 4 credit bureaus a potential creditor will check. My advice is when you want to get a car loan or such, pay for a temporary lifting of your freeze for 3 days or so for each of the credit agencies. It’s still not a lot of money–$5 each in Ohio per time. That way your credit will be available when you want it to be and you won’t get a hassle in seeking your financing. Still, we should not have to pay to control access to our credit information that is gathered about us without our consent or knowledge.

  25. Good call. As head of the Identity Theft Council, we’ve been pushing freezes for years. Personally I freeze two of the main bureaus and monitor the third (free with Credit Sesame and Credit Karma) so at least I know if someone is targeting me and how much they know.

    But there are downsides. Crooks are increasingly turning to payday lenders instead, because they typically don’t run credit checks. Freezes, monitoring, and fraud alerts are of no value in such cases.

    Some companies, like Comcast, don’t always run credit checks either, preferring instead to take a deposit. Which leaves some victims with multiple Comcast accounts even with a freeze in place.

    And a freeze only prevents one of the dozen types of identity theft, and usually the least serious. An unauthorized account is one of the easiest cases to resolve.

    Another downside is complacency. In our experience, consumers who freeze think that’s all they need to do to prevent identity theft, and they drop their guard, their vigilance. So it’s smart, but not simple. And good job again Brian. We need more warriors.

  26. I just want to relate my experiences with a credit freeze. I placed freezes with 5 agencies: equifax, experian, transunion, innovis, and chexsystems. I’ve placed all my pin’s in my password manager which is just perfect for storing data like that. A short while ago, I wanted to open a new bank account from an online bank. I first released the freeze with experian because I thought that was the agency being used. When nothing happened with the new account, I called. Then I was informed that there was a freeze on my credit with chexsystems. Ok, I lifted the freeze with that agency. Then I was called by the bank and informed that the freeze was lifted, but there was now a “security hold” (I think they called it that) on the chexsystems account. I then had to call the bank back and answer a bunch of questions from my history posed by checksystems. I did that and and finally got my account. All that took about a week of going back and forth. Without the freeze, it would have taken no time.
    I’ve also read of one story from another person who the interest rate on his mortgage suddenly go up because of the freeze. He claimed that it took him two week of phone calls before he cleared the problem up.
    The bottom line is: a security freeze can be a hassle to deal with, but it’s my experience that the hassles can be overcome and you get a huge amount of peace of mind by having the freeze in place. Doing the security freeze is well worth it.

  27. I had a credit freeze on my accounts which turned into a mini nightmare. First of all, if you want to open a credit card, take out a loan or a mortgage, you need to unfreeze the accounts. There is a charge every time you do this. Furthermore—as in our case—if you forget some of the data [to identify myself I was asked if I opened a credit card in 197– and what I paid for a car back in 2004—seriously??] you will be locked out. We were applying to rent a house and I needed to unlock my credit, I think so they could run a report (it was a few years back) and I couldn’t remember some details. I was five hours away from home and couldn’t “just look in my files.” I forgot how we resolved it but it can be a real pain in the neck. After three times of paying to unfreeze it, we just left it alone.

    Personally, with the increasing number of hacks, I wonder if the government isn’t creating these just to have a reason to chip us. These days I question everything.

  28. I tried to freeze online with Equifax last February after one of your prior recommendations of freezes.

    After entering the data and code verification, at the point where one expects a confirmation and PIN number, the session locked up, with a “We are currently unable to service your request. Please try again later.” Trying again later yielded the same result. Attempts to phone led to an automated attendant that led me around in circles without directing me to an agent. I decided to wait for the PIN by mail.

    Two weeks later, I received a mailed notice that the freeze had been placed on the file and a notification that a new address had been posted within the last 90 days. There was no PIN. It seemed unlikely that my address could have caused the freeze to fail it has been the same for six years.

    For lack of the PIN, either online or by mail, I had no control over the freeze. I responded by letter with photocopied IDs and asked for the freeze to be lifted and it was. At that point I gave up.

    • Just a quick question? Were you at the time running any script blocking software? Because that may have caused the process to fail.

  29. Thanks very much for this post, Brian. I set up credit freezes years ago, when you first recommended them. Neither before that, nor after, have I had any breaches or other issues.

    Thanks so much for all you do, Brian, for all of us!

  30. I just did the security freezes and it was easy. Experian said I didn’t have a record on file, so I had to call, but the others were all done online, and none charge me. Senior citizen discount?

    Thanks for the heads up, Brian.

    • Yes, there are seniors discounts, even for this, but only in <1/3 of the states:

      https://help.equifax.com/app/answers/detail/a_id/75/~/security-freeze-fees-and-requirements

      Seniors Discount (Free):
      Alabama
      Arkansas
      Florida
      Georgia
      Illinois
      Nevada
      New Mexico
      Oklahoma
      Pennsylvania
      Rhode Island
      Washington

      Seniors Discount ($5):
      California
      Delaware

    • What about discounts for married couples? Or are all the costs 2X because you have to file separately for each?

      • Credit report files are per person. Typically the easiest lookup is by SSN. You can have a credit report w/o an SSN (you can’t look it up by ITIN — http://www.experian.com/blogs/ask-experian/2013/09/12/individual-taxpayer-id-number-cannot-be-used-in-place-of-social-security-number/ ).
        Your credit can be tainted/impacted by your spouse, or similar relation, but you each have distinct files.

        Discounts generally only exist because state law requires them. This is a business.

        “What the market will bear” is really the limit. And the way the market bears things is by forcing its legislature to pass laws setting limits.

        If you’re going to try to improve your (state) market, by lobbying your representative(s), please just ask for $0 for freezes instead of family discounts. The effort required to pass a law will be pretty much the same, but the benefits are much greater and will apply to many more people.

    • I also found the credit freeze process to not take too much time, but the $30 I paid and number of different websites I had to go to was ridiculous (5).

      So I decided to create a whitehouse.gov petition: http://wh.gov/iVUzX

      SIGN it and maybe a few common sense actions can be done by executive order (it is possible- Obama executive ordered CHIP and PIN for the government last year)!