It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you — the consumer — are ultimately responsible for protecting your financial future, this is it. Here’s what you need to know and what you should do in response to this unprecedented breach.
Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.
Q: What information was jeopardized in the breach?
A: Equifax was keen to point out that its investigation is ongoing. But for now, the data at risk includes Social Security numbers, birth dates, addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
Q: Was the breach limited to Americans?
A: No. Equifax said it believes the intruders got access to “limited personal information for certain UK and Canadian residents.” It has not disclosed what information for those residents was at risk or how many from Canada and the UK may be impacted.
Q: What is Equifax doing about this breach?
A: Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — www.equifaxsecurity2017.com — that tried to let people determine whether they were affected.
Q: That site tells me I was not affected by the breach. Am I safe?
A: As noted in this story from Friday, the site seems hopelessly broken, often returning differing results for the same data submitted at different times. In the absence of more reliable information from Equifax, it is safer to assume you ARE compromised.
Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?
A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.
Q: So should I take advantage of the credit monitoring offer?
A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.
Q: Wait, what? I thought that was the whole point of a credit monitoring service?
A: The credit bureaus sure want you to believe that, but it’s not true in practice. These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.
Q: Well then what the heck are these services good for?
A: Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.
Q: What’s the best way to do that?
A: File a security freeze — also known as a credit freeze — with the four major credit bureaus.
Q: What is a security freeze?
A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.
Q: What’s involved in freezing my credit file?
A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.
Q: How much is the fee, and how can I know whether I have to pay it?
A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Consumers Union has a useful breakdown of state-by-state fees.
Q: But what if I need to apply for a loan, or I want to take advantage of a new credit card offer?
A: You thaw the freeze temporarily (in most cases the default is for 24 hours).
Q: What’s involved in thawing my credit file? And do I need to thaw it at all three bureaus?
A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes the phone with the company from which you hope to gain the line of credit (or research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours, but hiccups in the thawing process sometimes make things take longer. It’s best not to wait until the last minute to thaw your file.
Q: It seems that credit bureaus make their money by selling data about me as a consumer to marketers. Does a freeze prevent that?
A: A freeze on your file does nothing to prevent the bureaus from collecting information about you as a consumer — including your spending habits and preferences — and packaging, splicing and reselling that information to marketers.
Q: Can I still use my credit or debit cards after I file a freeze?
A: Yes. A freeze does nothing to prevent you from using existing lines of credit you may have.
Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?
A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.
Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.
An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.
Q: Why would I pay for a security freeze when a fraud alert is free?
A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.
Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?
A: It depends on your state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on a freeze; in other states there is no fee for a thaw or lift. However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services. Again, Consumers Union has a handy state-by-state guide listing the freeze and unfreeze laws and fees.
Q: What about my kids? Should I be freezing their files as well? Is that even possible?
A: Depends on your state. Roughly half of the U.S. states have laws on the books allowing freezes for dependents. Check out The Lowdown on Freezing Your Kid’s Credit for more information.
Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?
A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them. Avoid other sites that offer “free” credit reports and then try to trick you into signing up for something else.
Q: I just froze my credit. Can I still get a copy of my credit report from annualcreditreport.com?
A: According to the Federal Trade Commission, having a freeze in place should not affect a consumer’s ability to obtain copies of their credit report from annualcreditreport.com.
Q: If I freeze my file, won’t I have trouble getting new credit going forward?
A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.
Q: Can I have a freeze AND credit monitoring?
A: Yes, you can. However, it may not be possible to sign up for credit monitoring services while a freeze is in place. My advice is to sign up for whatever credit monitoring may be offered for free, and then put the freezes in place.
Q: Beyond this breach, how would I know who is offering free credit monitoring?
A: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.
Q: I see that Trans Union has a free offering. And it looks like they offer another free service called a credit lock. Why shouldn’t I just use that?
A: I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).
Q: I read somewhere that the PIN code Equifax gives to consumers for use in the event they need to thaw a freeze at the bureau is little more than a date and time stamp of the date and time when the freeze was ordered. Is this correct?
A: Yes. However, this does not appear to be the case with the other bureaus.
Q: Does this make the process any less secure?
A: Hard to say. An identity thief would need to know the exact time your report was ordered. Unless of course Equifax somehow allowed attackers to continuously guess and increment that number through its Web site (there is no indication this is the case). However, having a freeze is still more secure than not having one.
Q: Someone told me that having a freeze in place wouldn’t block ID thieves from fraudulently claiming a tax refund in my name with the IRS, or conducting health insurance fraud using my SSN. Is this true?
A: Yes. There are several forms of identity theft that probably will not be blocked by a freeze. But neither will they be blocked by a fraud alert or a credit lock. That’s why it’s so important to regularly review your credit file with the major bureaus for any signs of unauthorized activity.
Q: Okay, I’ve got a security freeze on my file, what else should I do?
A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.
Q: Anything else?
A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.
To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.
To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.
I’m already under a fraud alert – but the 90 days are probably close to being up by now. I think Equifax owes us a FREE credit freeze. Their ought to be a law forcing them to do this at MINIMUM! I need to call my legislators and express my outrage – these credit reporting agencies have barely escaped congressional action earlier by making promises they obviously won’t keep. They need a jack boot up their duff!!
I couldn’t agree more. It was Equifax’s system vulnerability that allowed the hacker(s) access to their database that allowed the exposure of my credit data. Now I have to pay them for a freeze in order to mitigate their breech? Free Credit Monitoring really doesn’t prevent anything as Brian points out. If Credit agencies can’t be relied upon to keep our financial data safe they better just freeze everyone’s data NOW (automatic opt-in) and allow us to unfreeze for free via secure PIN when seeking credit.
I believe Equifax is waiving the fee. I froze mine on Monday and it was free. However, not so for TransUnion and Experian.
You need to contact your state’s attorney general and demand this!
Some states already have this. My state doesn’t.
Equifax provides 1 free credit freeze because of this “incident”, but really they AND OTHER agencies should be providing
– UNLIMITED free credit freezes,
– UNLIMITED free temporary credit thaws,
– UNLIMITED free credit unfreezes.
Some states already require this. If your state does not, please DO write to your representatives!
As of this morning, Equifax allowed me to add a security freeze to my credit history for free (I confirmed before posting this that I do live in a state that allows charging a fee).
The other bureaus are still charging the standard fees though.
Anyone know how a freeze affects Credit Karma? Will I still be able to monitor my credit on this site?
Credit Karma actually alerted me that a fraud alert was placed on my file. Everything else appears to be working as normal.
See the following link at Credit Karma:
“I have a security freeze on my credit reports. Can I still use Credit Karma?”
https://help.creditkarma.com/hc/en-us/articles/202041774-I-have-a-security-freeze-on-my-credit-reports-Can-I-still-use-Credit-Karma-
There’s a good article on what to do if your identity is stolen and someone opens a line of credit in your name at http://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/ . It’s also worth mentioning that the free credit monitoring Equifax is offering will automatically convert to a paid subscription at the end of one year.
I’ve heard that some lenders have taken to not checking the credit of people they loan to, and simply reporting delinquent accounts to the credit reporting agencies. It’s thus important to know that even if you have a freeze in place you’re not necessarily protected from bank fraud.
Equifax clarified it will NOT auto-subscribe after a year.
“Clarification” is their euphemism for “changed our mind”. They were actually requiring CC information and explicitly stated that they were going to convert the accounts to paid, but they got so much backlash, that they had to backpedal.
Same, by the way for the waiver of rights – people weren’t misunderstanding the language. But there was so much backlash, that they had to “clarify”.
Equifax didn’t “clarify,” they back-pedaled. They changed the terms of the offering. On Sep 10 the terms clearly did say they would automatically start billing you for the monitoring after one year.
Great article as usual but I have a question. The ChexSystems site seems to be geared toward individuals who have already had identity theft issues and if you go to sign up for the alert it makes you answer information about the identity theft. Is there some other way that I am not seeing about just signing up as a precaution like you suggest?
Steve, here’s where you need to go on their site: https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/placefreeze/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziDRxdHA1Ngg18_D1CjAwcXV193I2NvA3dLY31w_EqcDXUj6JEf6AJifrdA_zdgAp8_SyCQ32MDAzMKbMfqACsHwdwNADqj8JrBSgE8CoAeRFVARY_EHJFQW5oaGiEQaZnuqIiAPFFG7E!/dz/d5/L2dBISEvZ0FBIS9nQSEh/
Wow, that was long! Basically, click the link in the article > In the box “Identity Theft”, click “Security Freeze Information” > scroll down, on the left click “Place your Security Freeze at Chex Systems, Inc.”
I wouldn’t blame anyone for not wanting to click on a link posted in comments! LOL
The referenced Consumers Union document for my state (Mississippi) says that I have to be a “identity theft victim” by submitting one of several documents that demonstrate “unlawful use of his or her personal information by another person.” I haven’t observed this unlawful use YET. Alternatively I could submit “using the voluntary programs” but the CU document doesn’t describe how to do this.
Where can I get clarity on this?
This whole thing really pisses me off — they (Equifax) collect our info behind our backs and make money on selling it, and we MUST pay them to freeze that process. Seriously?!
I tried freezing my account with those 4 bureaus about 2 yrs ago when your first article came out, Brian, but then I had to remove it. Here’s why:
1. My annual car insurance premiums went up about $150 because the insurance company couldn’t access my credit file. Worse still, they won’t notify you about it, so your bill will be slowly creeping up. I don’t have any other insurance policies, but I would assume they will also go up. And if you try to ask your insurance agent/adjuster about the freeze, the will tell you that they have no control over it, like mine did.
2. It originally cost me over $40 to freeze it with all 4 companies.
3. It cost me that much as well to remove the freeze. So it’s a two sides process.
4. You’d be surprised how far reaching that Equifax connection goes. For instance, I couldn’t create an account at SSN dot gov without temporarily lifting the freeze. Then it took almost 3 months for their web site to update the data and allow me to create an account.
5. Additional pain in the butt — anything from upping your credit limit to any other transaction at a bank will require you to temporarily lift the freeze. And because the bank will not tell you up front which of the four credit reporting agencies they use, you have to either lift all 4 or ask them for more details, which the clerk filing your application may not know or may not be willing to release due to their security practices. So in other words MAJOR pain the rear! Oh, and did I tell you that you need to do this at least 24 hrs before you go to the bank? So yeah…
6. All those temporary lifts cost me around $10, per agency.
So you count, how much money I wasted and how much headache I have undergone by dealing with those freezes. And all for what? Because those bastards like to make money on selling my info!!!!
Who is your auto insurance company? People should know about this lousy practice.
Most of them do it now. Some states are working on stopping the process.
They are under the impression that people with bad credit are a bad risk for other things. It may be true some of the time, but it is not always true.
…” more than 90 percent of insurance companies look at credit to determine rates”…
progressive.com/newsroom/article/2003/june/kc-credit
My question: Equifax TrustedID Premier mentions pre-approved offers and this BK article mentions “prescreened offers”; does a freeze then block non-prescreened insurance shopping (I’ve shopped auto insurance and changed providers twice in two years)?
2. Further, item 2 of equifaxsecurity2017.com/trustedid-premier states, a lock (freeze) does not prevent access by “companies that have a current account or relationship with you”. I’ve posed this question to Progressive insurance for confirmation.
3. On a side note concerning item 2, it says a Equifax lock (freeze) doesn’t lockout “Federal… government agencies” which is in disagreement with what I understand is the result of a credit freeze by a credit agency that a Federal agency uses.
Part of the Progressive insurance credit team response:
1. Some states are part of credit stability (I didn’t ask what code, act, or whatever) in which the customer’s credit rating will always stay the same or go up, not down.
2. Progressive primarily gets its reports from Experian. Equifax reports are very rarely used.
3. Credit reports are reviewed every 3 years and the customer notified at that time. If erroneously impacted by a credit record review, the credit team can be contacted.
great info here, although I’m sorry you had to go through all of this. thank you for sharing.
Everybody’s pissed of, but fails to understand that this is a result of public apathy to US govt failing to rein in corporations and stop them from preying on the public.
This problem requires COLLECTIVE aggressive action by the public. Allowing them to reach this state and then expressing frustration on blogs is meaningless.
Nice presentation of information! I’ll be sharing this with many people. Thanks.
Thanks for all the useful information. Is there any update as to whether the Equifax data breach included loss of the actual PINs to unfreeze security freezes already in place?
Equifax told me on 9/9 (Saturday) that freeze PINs were not compromised. Hopefully, that’s true.
A while back my buddy, a school teacher, had his W2 stolen in a local cyber attack. I wrote him the following, all which applies to the Equifax breech too:
Jim,
As a cyber security professional I am always dismayed that hacked organizations only offer the clients/employees a subscription to a credit monitoring services. In management’s defense, they are just following the advice of the consultants. Often consultants that get a kickback from monitoring services, so they lead with that. However, there are more and better things to be done.
My advice is:
1.a) Victims should call their bank, credit card & investment companies. They should ask what, if anything, those organizations can do to lock down their accounts explaining that personal information was hacked. Avoid being sold a credit monitoring solution, you only need one (if any).
1.b) Not all personal bank (checking/savings/investment) & credit card accounts offer protection from fraudulent transactions. Meaning that if someone drains the account while posing as you, do you take the hit, or does the bank replace that money and try to find the thief? At some places, you have to ask for, and sometimes, pay for this kind of protection. It really depends on the institution.
2) Victims should review & possibly change any security questions on file at financial institutions, email, social media, etc. that could be guessed by what the hackers took. Other non-financial service providers might have security questions the need updating too.
3) Two-factor (aka 2-step, multi-factor, or token) authentication is important. Each organization will call it something different and implement it in their own way, but nearly all have it in some form. It is that login process where, in addition to a password you must enter a pin that is generated by an app on your phone, or sent via text-message. If they don’t you should switch to one that does. This applies to email, social-media, and financial institutions and your cell phone account at Verizon, AT&T, or whomever.
4) Aggressively monitor your own credit on an annual basis looking for new accounts that you did not authorize. This is really all the monitoring services do for you, but they can’t really know your information like you do. They also tend to look only at one, or two, of the three major credit bureaus. https://www.ftc.gov/faq/consumer-protection/get-my-free-credit-report Beware of any source other than the one authorized by the FTC to pull free reports. Others are scams, or sales-fronts.
What should employers do besides disseminating this information? Give employees time off during business hours to make these calls and address these issues. Understand that it’s probably an hour here, or an hour there, not just one day. Providing access to technical support and/or a common repository of advice among employees to share what they learn would go a long way too.
It is also critical that hacked organizations share information about the attack with others. Often the organization wants to keep everything hush-hush. Understandable, but there are ways to anonymously share information with other organizations. The data is critical to our industry to help stay ahead of the hackers.
For the state I live in, it states that a certified letter + $10 is required to freeze one’s credit for one credit agency. However, I have seen some people comment in previous pieces that they just made a phone to call each of the places to freeze their credit.
Is that because they lived in a state that allowed this to be done over the phone or do all states require certified mail?
I live in a state (Wisconsin) where the state statute requires a certified letter. Nevertheless, all four bureaus allowed me to use their online portals to set freezes this morning.
Best way to look at this is that the various state statutes set minimum requirements that the bureaus must comply with. Nothing stops them from being less restrictive.
Two questions:
1) If my credit file was already frozen, would my data be included in this latest (Sept 2017 – in case there are more) leak?
2) Can I legitimately claim to be a victim of identity theft if my personal data was in the OPM breach or this Equifax (Sept 2017 – in case there are more) breach?
Thanks
So you will be driven to find protection from the company that leaked the information in the first place, information that may have been found without your express permission, by interposing a parasitic ‘service’ that basically ransoms your name and identity, and this in the best of times; never mind when they have been ‘compromised’… I smell a rat…
Why isn’t the FBI all over this?
So much of modern business practice seems like organised crime. It’s like the security game – Microsoft, Apple etc. all hire the best of talent (supposedly) by the legion (apparently), and provide them with the best of tools (we are told), and yet there are still security problems, viruses, hacks, etc. How could this be? Are we all being had? Are all the security problems concocted mechanisms created purely to obsolete perfectly good assets, and facilitate identity and intellectual property theft. Seems more and more that this is the case… How can the ‘best in the world’ consistently get it so wrong, so often?
Thanks Brian for taking the time and effort to write this piece.
Excellent information! I have already shared with 10 people and will share with more. I also appreciate the comments by Dennis warning about potential problems with credit freezes and the comments by Rob. I’m an IT managed services provider responsible for my client’s IT security. Rob, I presume you won’t have a problem with me sharing your comments?
I really doubt Equifax will ever be able identify with any degree certainty which records were the ones actually compromised from the rest they hold on the US population.
It seems to me that due their inability to segregate the records compromised, the information contained in each and the sheer amount of the US population Equifax have on file, the magnitude of the security breach is larger and with more profound consequences than anyone have yet thought.
This represents a systematic problem, and not and individual one and it going to have to be addressed by the administration and the private sector as a whole. Otherwise the methods used today to identify a person will be deemed not binding by the courts.
Or even worse, since the breach is already widely known, continuing to employ the current practices to verify the identity of signatory of any contract would most likely be deemed in court to be gross negligence by other counterparts and as such subject not only to compensatory but punitive damages.
So I wouldn’t worry much with identity theft as the burden is going to fall on the other side.
But since that’s an unsustainable situation to do businesses, both the administration and private sector will have to have to take drastic (nonpartisan) measures before the economy begins to cripple.
Exactly!
And I am amazed at how Americans lack the notion of “systemic problems” and expect that the govt will protect them without the public forcing them to do it and are “pissed off” when they suffer the consequences, but still don’t get it.
You sure know that the society you live in is hostile to humans, when this sort of rubbish is even possible.
Pay for this. What evil.
Great article Brian! Thank you for devoting your time and energy to keeping us all safe. We appreciate your tireless efforts more than you know!
I have a question. TransUnion is offering their TrueIdentity service for free. This is not “free for a week” or some other gimmick. They really seem to be offering this service for free and the free version of the service includes the ability to “lock or unlock access to your credit.” This effectively seems like what we would all want–the ability to login to each credit bureau and decide on our own if our credit should be locked or unlocked at any given moment in time. (Aside: Congress should make this a mandatory free requirement that all credit bureaus must provide).
From a security standpoint, the main advantage of this is that you are in control of locking/unlocking your credit, so you are not relying upon a TransUnion employee who might be tricked. Of course, if an ID thief can get around your TransUnion login/pwd via their website or an employee, that may be another weak link, but hopefully the credit bureaus will move towards strong two-factor authentication after this, like U2F security keys (hint, hint, credit bureaus and congress). The fact that you can lock access to your credit report seems to be the same as a credit freeze, except you don’t have to use the PIN to “thaw” your credit when needed.
What are your thoughts? Below is the TransUnion link comparing the TrueIdentity service with a credit freeze. I have also included one link of a hopefully independent review. I would appreciate hearing your thoughts.
TransUnion: Locking Your Credit Report
https://www.transunion.com/credit-freeze/place-credit-freeze2
MyMoneyBlog: True Identity Review
http://www.mymoneyblog.com/transunion-trueidentity-review.html
That’s not a review, that’s a paid advertisement!
S.
I agree, would like to see further analysis of True Identity VS a regulated credit freeze (besides the cost).
While I understand why Matt says “this is an ad”, the blog posting does seem to point out some minor (IMO) issues about “true identity” but the blog also walks you thru the user interface, so you can see ahead of time, if you are OK with adding yet more information about yourself to TUs pile. (Matt, I have no financial/legal connection to any credit monitoring agency 😉 ).
N
S.
Doah, just reread the FAQ above and found a section addressing the Transunion True Identity product.
It concludes
> I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim
So I’m going for a full credit freeze.
One update concerning the Credit Freeze PIN that was posted on the site today:
“1) Adjusted our PIN Generation for Security Freezes
We understand and appreciate that consumers have questions about how a PIN is currently generated for a consumer initiating an Equifax security freeze solution. All consumers placing a security freeze will be provided a randomly generated PIN.”
So I just tried to enroll with Trustid Premier through Equifax because my scheduled date had arrived, and my antivirus software went crazy and said I was being attacked. I use Avast Security. It said “Infection Detected!” “Infection Blocked” and “This site has been marked as a phishing site”. So I did a little research, saw no one else was really saying it was dangerous and tried again. Then it blocked it again and said “This site could have hurt your computer”.
Does anyone know what is going on?
Thanks,
Nels
I got the same thing while trying to register for free service. I guess I’ll have to turn off Avast. Makes me nervous..
I have subscribed to Equifax Complete Family Protection for many years, so my credit report has been locked along with all the other features turned on (fraud protection, etc). Am i still screwed?
Thank you so my for this informative article.
Question regarding Chexsystems. You indicate
” It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name.”
Do you mean we should go ahead and place a freeze there as well? Or what do we do (more exactly) with that one?
P.S. The link in the answer is a bit outdated.
I have had credit freezes in place for years.
What is the easiest way to tell if my equifax credit freeze is still in place, or has been lifted by criminals? (Applying for a new line of credit is not a practical way to test this.)
Can I just contact equifax?
There must be a better way.
Thanks.
Brian,
Does this Equifax breach count as identifty theft if they tell you that your data was included in the theft?
Since you stated that filing a police report for identity theft usually relieves the fees for freezing your accounts I wonder if this will qualify as an event to do the freezes at no charge?
As of this morning (which I found out when I went to set my own freeze), Equifax had waived all state allowed fees for setting security freezes. I was able to set one with them for free, even though I live in a state (Wisconsin) that allows the bureaus to assess a fee for setting a freeze.
However, the other bureaus haven’t taken this step. Given that most states allow the bureaus to require a police report in order to waive the fees, you would have to convince a police department that you are a victim based on the hack alone, without any concrete proof that you were affected individually or that you were harmed. That’s likely a pretty tall order.
I can’t get them to except birth date it’s like it can’t read it ? Everything else works that I wrote it’s for Equifax enrollment.
Thanks so much, Brian. I was about to dump $180/year on credit monitoring for both my wife and me. After reading your suggestions and explanations as well as some reading on Consumer Reports, I decided to go straight for the freezes. Even though it cost $10/each at each credit bureau, it’s cheaper and gives me more peace of mind in the long run.
UPDATE: Q: I read somewhere that the PIN code Equifax gives to consumers for use in the event they need to thaw a freeze at the bureau is little more than a date and time stamp of the date and time when the freeze was ordered. Is this correct?
I just had Equifax create 2 pins for my wife and me. Both are 10 digits in length. I can’t see any reference to the date or time in either PIN. That’s not to say they didn’t use an algorithm that uses the date and time to come up with the PIN however.
Equifax literally changed this policy yesterday. They are now generated random PIN numbers rather than the date/time stamp. They also said they would put in place a way for existing freeze users to change their PIN numbers to a randomly generated number. (Haven’t looked, not sure if that’s in place yet or not.)
Brian, I am confused why the victims of this Equifax breach are being called consumers or customers. I’m probably a victim, but since I’ve never purchased a service from Equifax, nor authorized them to collect my information, why do you and the rest of the media refer to me as a consumer?
Because every month our financial institution(s) send all three credit bureaus a file detailing our credit usage and payments for the previous month. Whether we want to or not we are customers and consumers of their products – there is no opting out.
http://www.optoutprescreen.com looks and feels sketchy…
What is Innovis? I always hear reference to the ‘Big 3’ bureaus (Equifax, Experian and TU). Brian’s is the only site I read regularly that includes Innovis as part of a ‘Big 4’ bureaus.
Just wondering if anyone here had more information about them, and why other sites/news don’t usually lump them in with the other three.
How can I tell if my information was exposed and stolen
I understand about the credit freeze, but if not exposed, is it necessary.
Dave, why would you want to leave your credit and personal information open to absolutely any company willing to pay Equifax? In short, yes, freeze your information. There is no downside to doing so.