December 2, 2015

Many readers wrote in this past week to say they’d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information were jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM’s response — the offering of free credit monitoring services for up to three years — won’t work if readers have taken my advice and enacted a “security freeze” on their credit files with the major credit bureaus. This post is an attempt to explain what’s going on here.

OPM offices in Washington, DC. Image: Flickr.

Earlier this week I got the following message from a reader:

“I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”

The reader continued:

“This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”

I reached out to my followers on Twitter to gauge their reactions to this. I wrote: “Finish this sentence: Lifting a freeze to enable credit monitoring is like….” Here were some of the notable responses:

@sdweberg 10:22pm …shooting your rottweilers and paying the neighbors a monthly fee to “keep an eye on” your house.

@shane_walton 10:15pm …installing flash to watch a flash video about the evils of flash.

@danblondell 10:13pm …leaving the storm doors open to keep an eye on the tornado

@flakpaket 12:48am …leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors.

@ShermanTheDad 8:25am …taking your gun off safety to check and see if it’s loaded.

Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file *after* you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.

As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, ID Experts — the company that OPM has paid $133 million to offer credit monitoring for the 21.5 million Americans affected by its breach — offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

If you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth signing up for these credit monitoring and repair services. Otherwise, I’d strongly advise my US readers to consider freezing their credit files at the major credit bureaus. 

Depending on which state you reside in, there may be a small fee to place and/or thaw a freeze on your credit file, and freezing it at all four major bureaus (Equifax, Experian, Innovis and TransUnion) could cost as much as $60. But this is a small price to pay for peace of mind.

In a report released last month, the consumer group US-PIRG urged all consumers to place a security freeze on their credit files. US-PIRG suggests that if you already have freezes on your reports, you will need to lift your freezes before signing up for the credit monitoring and then reinstate the freezes. If you don’t have freezes on your credit reports yet, sign up for the free credit monitoring first, then place your freezes.

In a perfect world, breached organizations would offer to pay the costs involved in freezing your credit files, but sadly the standard playbook in corporate breach response is to pay for credit monitoring.

PROTECTING DEPENDENTS FROM ID THEFT

One area where credit monitoring makes more sense is with dependents and children under the age of 18. That’s because it’s impossible to freeze a credit file that doesn’t exist, and most minors aren’t going to have one (hopefully).

According to Experian, if your children already have credit reports in their names, one of three things has happened: You have applied for credit in their names and the applications were approved; you have added them as authorized users or joint account holders on one or more of your accounts; someone has fraudulently used their information to apply for credit and they are already identity theft victims.

One way to find out is to visit annualcreditreport.com to apply for a copy of their credit report. The most important precaution parents can take is to keep a close eye on dependent credit files when kids reach their mid-teens. That way, if a credit file materializes for your child because of identity theft, there is still time to sort it out before the kid actually needs a line of credit or loan. However, if your child becomes the victim of ID theft at a very young age, it probably makes more sense to freeze the kid’s credit file.

Most credit monitoring services will allow you to enroll your children as well, but that coverage generally expires after they reach 18. KrebsOnSecurity reader Michael found this out when he tried to sign up his five kids after receiving a notice from the OMB.

“For some reason, coverage for adult children was not provided when I signed up and is discontinued once they reach 18, so at the outset, only 2 of my 5 kids were included even though their data was also compromised,” Michael wrote.

If you’re considering freezing your credit file, have a look at this primer which walks through the various steps needed to place a freeze. It also includes pointers to additional steps that consumers can take to avoid becoming victims of identity theft.

Were you or your family impacted by the OPM breach? How have you responded? Sound off in the comments below.


90 thoughts on “OPM Breach: Credit Monitoring vs. Freeze”

  1. Bob P

    If I place a Credit Freeze at all agencies, what possible issues would I face when I go to sign up for Social Security and/or Medicare??? What if I choose to create my own account with the IRS which you suggested folks do in another recent article entitled “Sign Up at irs.gov Before Crooks Do It For You”?? Will a company that is already doing credit monitoring for me still be able to do so once a Credit Freeze is in place??? Will I still be able to view FICO scores that I currently get each month from two different Credit Card companies???

    I’m trying to learn about what unintended consequences I might create if I initiate credit freezes??? Any help would be much appreciated.

    1. Bob P

      I posted a similar request (see above Bob P question) earlier but it appeared to have failed. So I posted again. Now I see both. Sorry for the duplication.

  2. P

    My husband and I got notices last week. We are house hunting so this throws a monkey wrench in our plans. Should we wait on the credit freeze until we buy?

  3. J C

    @Bob P – I have had my credit freeze going since 2006. You will still be able to view your FICO scores with no action.

    For other stuff requiring credit verification, like getting a new credit card, loans, etc., you find out which credit bureau the company that needs to access your credit is going to use. Then you call that credit bureau, supply your PIN (that was sent to you for the initial freeze), pay your $10 or so, and then they allow access to your credit report for a week.

    I have not done the IRS thing yet but plan to do it this year, so I do not know about that.

    If you would need to do this every week, yes, it would be a pain, but, if you only do it every few years, it is, in my view, well worth it.

  4. Steve Reger

    I recently retired after 26 years with TransUnion and was part of the group that developed our file freeze process, ran their fraud department and was the resident fraud and credit expert. A file freeze would not prevent you from signing up for credit monitoring. All file freezes allow for credit file pulls under “exempt” permissible purposes. For example, a collection agency can run your credit report even if it is frozen if they certify they are attempting to collect on a debt. Moreover, your bank can run your report if frozen if they certify it is in connection with the review of an existing account with them. Another exempt reason is when a consumer requests their own credit file via the credit bureau or a third party site such as ID Experts. To reiterate, a file freeze should not prevent someone from enrolling in credit monitoring.

    1. OPM

      That’s not what the OPM says:

      I have a freeze on my credit report. How will this affect my ability to sign up for services?
      If you have a freeze on your credit report, you will not be able to complete the account creation process until the freeze is lifted. A credit freeze, also known as a security freeze, lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit. For more information on credit freeze, please visit the Federal Trade Commission website.

      1. Steve Reger

        @OPM…all transactions, that is, the pulling of a credit report, flagging a file for credit monitoring, etc., require that the user (or subscriber in credit bureau terms) pass their account number (subscriber code) to the credit bureau when initiating the transaction. There are passwords and other security features too. Behind the scenes that subscriber code is flagged with a multitude of settings. One of those settings is the permissible purpose type. So long as the subscriber code, in this case the one issued to ID Experts’ vendor, is set up as a consumer initiated transaction for their own credit report, then the report will be released. The file itself is never frozen. It is simply flagged as frozen and when a transaction is done, depending on the settings with the subscriber code used, it will either be released or not. There is a whole 3rd level of security called a file suppression or vault which is the only true way to prevent anyone from seeing your file. However, that is reserved for internal use only.

        @BK…if you ever want to learn more about the credit bureau processes send me an email and we can chat.

        1. Stuart

          @ Steve Reger: However ID Experts has set this up, they are indeed blocking OPM breach victims that have a credit/security freeze in place. The system throws an error message and advises calling customer support.

          1. OPM

            Stuart is correct: OPM denies service to people who have a security freeze, just as Brian’s reader wrote in the original post.

    2. Jay Libove

      Steve’s right, in principle. My understanding of the regulation/law, as well as common sense, agrees.
      There are permitted purposes NOT affected by freezes, and credit monitoring is one of those purposes.
      However, my very real experience over all these years vehemently disagrees; some few credit monitoring services can set up with a freeze already in-place, but many cannot (most obnoxiously, even the credit monitoring services offered by some of the credit bureaus themselves).

  5. CINDY FAITH

    Just know that freezing and unfreezing your credit account is easier with some credit bureaus than others. From recent personal experience, make sure you unlock your credit files a few days before needed for 3rd party verification. And don’t misplace your 10-digit PIN Equifax account. The escalation process over a weekend (think multiple calls to a long distance call center) is not a joyful activity. That said, my credit account is indisputably safe since I could barely access it. 😉

    @ Steve Reger – Your TransUnion lock/unlock process was a breeze!

  6. Joe

    I finally got the freeze done.
    Interestingly, only one of the credit bureau websites masks the SSN when entering it.

  7. John

    I would put a freeze on my account, but the reason OPM has my data is because they are supposed to be processing a clearance for me. It’s been 9 months, for a simple top secret clearance without a single action on their part. I can’t have a freeze on my account as OPM needs to be able to pull a credit report to process the clearance, yet the reason I need to put a freeze on my credit is because they lost all my data! The irony is just so ridiculous.

  8. c f

    I just signed up for opm.myidcare.com with my credit already being frozen. I had to call in because they get an error due to the credit freeze in place. They said I will still get 3 years of id insurance and it sounds like some type of legal support to clean up any id theft mess.

    I doubt they will be that helpful if I end up needing this. Does anybody have experience in actually getting help cleaning up your credit? Do they actually help?

    So now that I have credit freeze and have to get an irs.gov account. Is there anything else I need to do for protection?

  9. Karl Stout

    I wish someone would open credit in my name. Then I could file a police report, get free (my state allows a $10 charge per freeze/lift per agency) freezes for life and be done with this credit bureau induced nonsense once and for all.

  10. Bruce H

    In Australia we have credit reporting agencies

    • Veda Advantage
    • Dun & Bradstreet
    • Tasmanian Collection Services
    • Experian

    Looking at their web sites in Australia the only one that offers a freeze (they call it a Ban) is Experian – and that freeze lasts only 21 days – and it seems the onus is on the person requesting the freeze to provide some sort of proof that it’s needed. quote: extend the ban period where we believe that you have been, or are likely to be, the victim of fraud.

    Guess the last thing they want to do is limit their own business income by allowing me to stop the Credit Bureau from handing out my credit information to anyone who asks. Sigh.

  11. muffin

    Thank you very much for this article, Brian. I am a federal employee. I signed up for the first credit monitoring offered by OPM because of possible theft of my personnel records. I then put a freeze on my credit reports. I recently was notified by OPM that I also was caught up in the theft of background investigation reports. When I tried to sign up for this credit monitoring, I could not and learned it was because of the freeze. They could not get to my credit reports to access security questions to prove my identity. I eventually learned that I would need to lift the freeze at all three credit reporting agencies–that all three are used, not just one. I have decided not to do that.

    I would like to comment about a freeze vs a 90-day fraud alert. With the alert, there is no requirement that merchants notify you of a credit application. They are simply asked to notify you.

    I tried to sign up for on-line access to Social Security but could not because at the time I had a 90-day fraud alert in effect.

  12. kathryn

    it seems to me that I need to (1) sign up for OPM coverage…give that a few weeks to get working and then (2) freeze my accounts. will that not provide the coverage necessary? thanks

    1. KAR

      I’m wondering that myself. I already set up with the OPM provided service so I’m thinking of going with a freeze. I never could do this before due to having an active clearance. Now I can as part of my “retirement” package. Gee thanks OPM…

  13. C. M. Katman

    What about my fingerprints being stolen? What is anyone going to do with my stolen fingerprints in the future?

  14. James

    OT – but has webmd been hacked? I just got a boatload of spam with a webmd domain.

  15. Jon

    Brian
    As with others here, I was blocked from the credit monitoring because I have a freeze in place (from several years back). I have zero confidence in such services so no loss there. A much bigger and immediate concern I have is with fraudulent tax returns. Considering that more than enough information was compromised to make it easy for someone to file or get the info necessary to file, it boggles me that the government isn’t giving us something to remedy this problem. I checked and the Identity Protection PIN is unavailable until sometime in Jan 2016. Even then, only to some states residents (not my state). Have you heard about what’s going on with this program and whether it will be available more generally?

  16. D

    I did a credit freeze with all 4 agencies. Experian sent me a letter that said if I wanted to remove my credit preapproval I needed to fill it out and send it back.

    Is this something I should be doing to make sure the freeze is complete?

    Thanks

  17. Manny

    To reinforce Brian’s primer, controls are detective or preventive.

    In the case of a credit freeze, consider this a preventive control whereas a monitoring service is a detective control.

    Which is more effective at preventing a pregnancy, prophylactic or pregnancy test?

    BTW, Brian – Love your articles

    1. Chattering class

      Great metaphor – and a corollary … I call the “Jeez”: do you freeze a married couple’s credit reports, divorce, then one spouse wants to buy a house, all 6 years down the road and the ex has vanished or is in vengeance mode?
      So does the prospective house buyer somehow contact the overloaded agent who is buried under applications dating back years, working on an ancient HP running XP, whose password is “signin”, and is learning English have a sane recourse – think credit freeze sounds good.

  18. JJ

    OPM is breached for massive amounts of personal data including “fingerprints, background checks, Social Security numbers, and other sensitive information” and their response is to get you to sign up with a company who wants to store even more of your personal information?

    No thanks, I don’t trust ID Experts any more than I do all of the other entities who have been breached- so not giving them even more info to lose when they are breached.

  19. Allen

    Why in the world do you have to get a police report before you can get security freezes for free? Shouldn’t a copy of a letter from OPM, T-Mobile, Home Depot, etc… be enough to show you are a victim? It feels like a barrier whose sole purpose is to discourage people from doing it.

  20. DoD Guy

    In order to apply for SSBI TS / Top Secret Clearance, one must divulge the SSN of their spouse and children. However, the service which OPM is paying for does *NOT* include monitoring the spouse’s information whatsoever. This is utterly disappointing and useless.

  21. Dan

    Thanks for this article, Brian. As a result of reading it, my wife and I (who both got OPM letters) first signed up for the credit monitoring and then applied the security freeze at all four bureaus.

    We did not take advantage of the option to add additional personal info (phone numbers, emails, etc) to the credit monitoring, as we figured the less data that’s out there, the better, in case of another breach.

    FWIW, A friend who works for a three-letter agency suggested to me that the OPM hackers were not interested in ID theft and more interested in acquiring blackmail info on employees in sensitive positions. He shunned the idea of using the offered free credit monitoring, but likes the idea of freezing credit for purposes outside of a response to this particular hack.

    He may be right, but the monitoring might have proved useful for us already. It indicated my wife’s email had been compromised, for which we had no reason to suspect otherwise. Just to be safe, she changed her password.

    As for the security freeze, it was simple enough to implement, and looks like it will be simple enough to temporarily lift when we wish to apply for credit in the future. I plan to point several people to your articles on the process as I recommend the freeze to them.

    Strangely, even though our state of Maryland allows bureaus to charge $5 apiece for the freeze, only two of the four bureaus did. I wonder if this will be true whenever we lift as well.
