May 9, 2018

I spent a few days last week speaking at and attending a conference on responding to identity theft. The forum was held in Florida, one of the major epicenters for identity fraud complaints in the United States. One gripe I heard from several presenters was that identity thieves increasingly are finding ways to open new mobile phone accounts in the names of people who have already frozen their credit files with the big-three credit bureaus. Here’s a look at what may be going on, and how you can protect yourself.

Carrie Kerskie is director of the Identity Fraud Institute at Hodges University in Naples. A big part of her job is helping local residents respond to identity theft and fraud complaints. Kerskie said she’s had multiple victims in her area recently complain of having cell phone accounts opened in their names even though they had already frozen their credit files at the big three credit bureaus: Equifax, Experian and Trans Union (as well as distant fourth bureau Innovis).

The freeze process is designed so that a creditor should not be able to see your credit file unless you unfreeze the account. A credit freeze blocks potential creditors from being able to view or “pull” your credit file, making it far more difficult for identity thieves to apply for new lines of credit in your name.

But Kerskie’s investigation revealed that the mobile phone merchants weren’t asking any of the four credit bureaus mentioned above. Rather, the mobile providers were making credit queries with the National Consumer Telecommunications and Utilities Exchange (NCTUE), or nctue.com.

Source: nctue.com

“We’re finding that a lot of phone carriers — even some of the larger ones — are relying on NCTUE for credit checks,” Kerskie said. “It’s mainly phone carriers, but utilities, power, water, cable, any of those, they’re all starting to use this more.”

The NCTUE is a consumer reporting agency founded by AT&T in 1997 that maintains data such as payment and account history, reported by telecommunication, pay TV and utility service providers that are members of NCTUE.

Who are the NCTUE’s members? If you call the 800-number that NCTUE makes available to get a free copy of your NCTUE credit report, the option for “more information” about the organization says there are four “exchanges” that feed into the NCTUE’s system: the NCTUE itself; something called “Centralized Credit Check Systems”; the New York Data Exchange; and the California Utility Exchange.

According to a partner solutions page at Verizon, the New York Data Exchange is a not-for-profit entity created in 1996 that provides participating exchange carriers with access to local telecommunications service arrears (accounts that are unpaid) and final account information on residential end user accounts.

The NYDE is operated by Equifax Credit Information Services Inc. (yes, that Equifax). Verizon is one of many telecom providers that use the NYDE (and recall that AT&T was the founder of NCTUE).

The California Utility Exchange collects customer payment data from dozens of local utilities in the state, and also is operated by Equifax (Equifax Information Services LLC).

Google has virtually no useful information available about an entity called Centralized Credit Check Systems. It’s possible it no longer exists. If anyone finds differently, please leave a note in the comments section.

When I did some more digging on the NCTUE, I discovered…wait for it…Equifax also is the sole contractor that manages the NCTUE database. The entity’s site is also hosted out of Equifax’s servers. Equifax’s current contract to provide this service expires in 2020, according to a press release posted in 2015 by Equifax.

RED LIGHT. GREEN LIGHT. RED LIGHT.

Fortunately, the NCTUE makes it fairly easy to obtain any records they may have on Americans.  Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address.

Assuming the automated system can verify you with that information, the system then orders an NCTUE credit report to be sent to the address on file. You can also request to be sent a free “risk score” assigned by the NCTUE for each credit file it maintains.

The NCTUE also offers an online process for freezing one’s report. Perhaps unsurprisingly, however, the process for ordering a freeze through the NCTUE appears to be completely borked at the moment, thanks no doubt to Equifax’s well documented abysmal security practices.

Alternatively, it could all be part of a willful or negligent strategy to continue discouraging Americans from freezing their credit files (experts say the bureaus make about $1 for each time they sell your file to a potential creditor).

On April 29, I had an occasion to visit Equifax’s credit freeze application page, and found that the site was being served with an expired SSL certificate from Symantec (i.e., the site would not let me browse using https://). This happened because I went to the site using Google Chrome, and Google announced a decision in September 2017 to no longer trust SSL certs issued by Symantec prior to June 1, 2016.

Google said it would do this starting with Google Chrome version 66. It did not keep this plan a secret. On April 18, Google pushed out Chrome 66.  Despite all of the advance warnings, the security people at Equifax apparently missed the memo and in so doing probably scared most people away from its freeze page for several weeks (Equifax fixed the problem on its site sometime after I tweeted about the expired certificate on April 29).

That’s because when one uses Chrome to visit a site whose encryption certificate is validated by one of these unsupported Symantec certs, Chrome puts up a dire security warning that would almost certainly discourage most casual users from continuing.
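The distrust rule described above is independent of expiry, so a monitor that only watches expiry dates would not have flagged it. The following Python check is an added example, not part of the original post: it classifies certificate metadata (in the shape returned by `ssl.SSLSocket.getpeercert()`) against the June 1, 2016 cutoff. The function names, hostnames and certificate values are constructed, and matching on issuer brand names is a heuristic assumption, since Chrome identified the affected chains by their roots rather than by name.

```python
import ssl
from datetime import datetime, timezone

# Cutoff cited in the article: Chrome 66 stopped trusting Symantec-issued
# certificates dated before June 1, 2016.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Assumption: brand names used as a heuristic for "issued by Symantec's PKI".
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")


def _attr(name, key):
    """Pull one attribute out of the nested tuples getpeercert() uses."""
    return next((v for rdn in name for k, v in rdn if k == key), "")


def _utc(cert_time):
    """Parse a certificate time string such as 'Feb 10 00:00:00 2016 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(cert, now):
    """Return 'expired', 'distrusted-by-chrome-66' or 'ok' for one certificate."""
    issuer = (_attr(cert["issuer"], "organizationName") + " "
              + _attr(cert["issuer"], "commonName")).lower()
    if now > _utc(cert["notAfter"]):
        return "expired"
    # Still inside its validity period, yet rejected because of who issued it and when.
    if any(b in issuer for b in SYMANTEC_BRANDS) and _utc(cert["notBefore"]) < CHROME66_CUTOFF:
        return "distrusted-by-chrome-66"
    return "ok"


def audit(inventory, now):
    """Classify every host in a {hostname: cert_dict} inventory."""
    return {host: classify(cert, now) for host, cert in inventory.items()}


def _cert(org, cn, not_before, not_after):
    """Build a constructed sample in the getpeercert() dictionary layout."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)),
            "notBefore": not_before, "notAfter": not_after}


# Constructed sample inventory; none of these values come from a real site.
SAMPLE_INVENTORY = {
    "freeze.example": _cert("GeoTrust Inc.", "GeoTrust SSL CA - G3",
                            "Feb 10 00:00:00 2016 GMT", "Feb 10 23:59:59 2019 GMT"),
    "portal.example": _cert("Symantec Corporation", "Symantec Class 3 Secure Server CA - G4",
                            "Jul 15 00:00:00 2016 GMT", "Jul 15 23:59:59 2018 GMT"),
    "blog.example": _cert("Let's Encrypt", "Let's Encrypt Authority X3",
                          "Mar  1 00:00:00 2018 GMT", "May 30 00:00:00 2018 GMT"),
    "old.example": _cert("DigiCert Inc", "DigiCert SHA2 Secure Server CA",
                         "Jan  5 12:00:00 2016 GMT", "Jan  5 12:00:00 2018 GMT"),
}

# Evaluate as of April 18, 2018, the Chrome 66 release date given in the article.
SAMPLE_NOW = datetime(2018, 4, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{host}: {status}")
```
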

The insecurity around Equifax’s own freeze site likely discouraged people from requesting a freeze on their credit files.

On May 7, when I visited the NCTUE’s page for freezing my credit file with them, I was presented with the very same SSL connection security alert from Chrome, warning of an invalid Symantec certificate and that any data I shared with the NCTUE’s freeze page would not be encrypted in transit.

The security alert generated by Chrome when visiting the freeze page for the NCTUE, whose database (and apparently web site) also is run by Equifax.

When I clicked through past the warnings and proceeded to the insecure NCTUE freeze form (which is worded and stylized almost exactly like Equifax’s credit freeze page), I filled out the required information to freeze my NCTUE file. See if you can guess what happened next.

Yep, I was unceremoniously declined the opportunity to do that. “We are currently unable to service your request,” read the resulting Web page, without suggesting alternative means of obtaining its report. “Please try again later.”

The message I received after trying to freeze my file with the NCTUE.

This scenario will no doubt be familiar to many readers who tried (and failed in a similar fashion) to file freezes on their credit files with Equifax after the company divulged that hackers had relieved it of Social Security numbers, addresses, dates of birth and other sensitive data on nearly 150 million Americans last September. I attempted to file a freeze via the NCTUE’s site with no fewer than three different browsers, and each time the form reset itself upon submission or took me to a failure page.

So let’s review. Many people who have succeeded in freezing their credit files with Equifax have nonetheless had their identities stolen and new accounts opened in their names thanks to a lesser-known credit bureau that seems to rely entirely on credit checking entities operated by Equifax.

“This just reinforces the fact that we are no longer in control of our information,” said Kerskie, who is also a founding member of Griffon Force, a Florida-based identity theft restoration firm.

I find it difficult to disagree with Kerskie’s statement. What chaps me about this discovery is that countless Americans are in many cases plunking down $3-$10 per bureau to freeze their credit files, and yet a huge player in this market is able to continue to profit off of identity theft on those same Americans.

EQUIFAX RESPONDS

I asked Equifax why the very same credit bureau operating the NCTUE’s data exchange (and those of at least two other contributing members) couldn’t detect when consumers had placed credit freezes with Equifax. Put simply, Equifax’s wall of legal verbiage below says mainly that NCTUE is a separate entity from Equifax, and that NCTUE doesn’t include Equifax credit information.

Here is Equifax’s full statement on the matter:

· The National Consumer Telecom and Utilities Exchange, Inc. (NCTUE) is a nationwide, member-owned and operated, FCRA-compliant consumer reporting agency that houses both positive and negative consumer payment data reported by its members, such as new connect requests, payment history, and historical account status and/or fraudulent accounts. NCTUE members are providers of telecommunications and pay/satellite television services to consumers, as well as utilities providing gas, electrical and water services to consumers.

· This information is available to NCTUE members and, on a limited basis, to certain other customers of NCTUE’s contracted exchange operator, Equifax Information Services, LLC (Equifax) – typically financial institutions and insurance providers. NCTUE does not include Equifax credit information, and Equifax is not a member of NCTUE, nor does Equifax own any aspect of NCTUE. NCTUE does not provide telecommunications pay/satellite television or utility services to consumers, and consumers do not apply for those services with NCTUE.

· As a consumer reporting agency, NCTUE places and lifts security freezes on consumer files in accordance with the state law applicable to the consumer. NCTUE also maintains a voluntary security freeze program for consumers who live in states which currently do not have a security freeze law.

· NCTUE is a separate consumer reporting agency from Equifax and therefore a consumer would need to independently place and lift a freeze with NCTUE.

· While state laws vary in the manner in which consumers can place or lift a security freeze (temporarily or permanently), if a consumer has a security freeze on his or her NCTUE file and has not temporarily lifted the freeze, a creditor or other service provider, such as a mobile phone provider, generally cannot access that consumer’s NCTUE report in connection with a new account opening. However, the creditor or provider may be able to access that consumer’s credit report from another consumer reporting agency in order to open a new account, or decide to open the account without accessing a credit report from any consumer reporting agency, such as NCTUE or Equifax.

PLACING THE FREEZE

I was able to successfully place a freeze on my NCTUE report by calling their 800-number — 1-866-349-5355. The message said the NCTUE might charge a fee for placing or lifting the freeze, in accordance with state freeze laws.

Depending on your state of residence, the cost of placing a freeze on your credit file at Equifax, Experian or Trans Union can run between $3 and $10 per credit bureau, and in many states the bureaus also can charge fees for temporarily “thawing” and removing a freeze (according to a list published by Consumers Union, residents of four states — Indiana, Maine, North Carolina, South Carolina — do not need to pay to place, thaw or lift a freeze).

While my home state of Virginia allows the bureaus to charge $10 to place a freeze, for whatever reason the NCTUE did not assess that fee when I placed my freeze request with them. When and if your freeze request does get approved using the NCTUE’s automated phone system, make sure you have pen and paper or a keyboard handy to jot down the freeze PIN, which you will need in the event you ever wish to lift the freeze. When the system read my freeze PIN, it was read so quickly that I had to hit “*” on the dial pad several times to repeat the message.

It’s frankly absurd that consumers should ever have to pay to freeze their credit files at all, and yet a recent study indicates that almost 20 percent of Americans chose to do so at one or more of the three major credit bureaus since Equifax announced its breach last fall. The total estimated cost to consumers in freeze fees? $1.4 billion.

A bill in the U.S. Senate that looks likely to pass this year would require credit-reporting firms to let consumers place a freeze without paying. The free freeze component of the bill is just a tiny provision in a much larger banking reform bill — S. 2155 — that consumer groups say will roll back some of the consumer and market protections put in place after the Great Recession of the last decade.

“It’s part of a big banking bill that has provisions we hate,” said Chi Chi Wu, a staff attorney with the National Consumer Law Center. “It has some provisions not having to do with credit reporting, such as rolling back homeowners disclosure act provisions, changing protections in [current law] having to do with systemic risk.”

Sen. Jack Reed (D-RI) has offered a bill (S. 2362) that would invert the current credit reporting system by making all consumer credit files frozen by default, forcing consumers to unfreeze their files whenever they wish to obtain new credit. Meanwhile, several other bills would impose slightly less dramatic changes to the consumer credit reporting industry.

Wu said that while S. 2155 appears steaming toward passage, she doubts any of the other freeze-related bills will go anywhere.

“None of these bills that do something really strong are moving very far,” she said.

I should note that NCTUE does offer freeze alternatives. Just like with the big four, NCTUE lets consumers place a somewhat less restrictive “fraud alert” on their file indicating that verbal permission should be obtained over the phone from a consumer before a new account can be opened in their name.

Here is a primer on freezing your credit file with the big three bureaus, including Innovis. This tutorial also includes advice on placing a security alert at ChexSystems, which is used by thousands of banks to verify customers that are requesting new checking and savings accounts. In addition, consumers can opt out of pre-approved credit offers by calling 1-888-5-OPT-OUT (1-888-567-8688), or visit optoutprescreen.com.

Oh, and if you don’t want Equifax sharing your salary history over the life of your entire career, you might want to opt out of that program as well.

Equifax and its ilk may one day finally be exposed for the digital dinosaurs that they are. But until that day, if you care about your identity you now may have another freeze to worry about. And if you decide to take the step of freezing your file at the NCTUE, please sound off about your experience in the comments below.


163 thoughts on “Think You’ve Got Your Credit Freezes Covered? Think Again.”

  1. The Sunshine State

    Great article, more people should be reading articles like this to protect themselves.

  2. Controlshift Capslock

    I like the idea of initially frozen credit files. There has to be a provision where consumers must authorize EACH inquiry with multi-factor authentication. The penalties for fraud also need to be very harsh. Brazil or Turkey have effective penal models. Quite the deterrent.

    Great reporting Brian. Some of these topics might remain hidden unless you reported them.

  3. Old School

    “Simply phone them up at 1-866-349-5185 and provide your Social Security number”. And the operator keeps a copy of the SS number which will be sold to the weirdo lurking in the company parking lot.

  4. blownfuse

    LOL. Tried the number Brian provided to place the freeze and, after entering the required info: “We are unable to process your request using this automated system.” Apparently there is an alternate mail-in request process.

    I’m hoping their inability to process means they don’t have my information, and not rather that the phone system is now mirroring the online system…

  5. Doc

    I suggest everyone take a moment to write their Senators (both of them!) and ask to know why the Senator is not supporting Sen Reed’s bill. Every Senator has an online letter tool at https://www.senate.gov/general/contact_information/senators_cfm.cfm

    Truth is, most of the other 99 Senators probably aren’t even aware of it, and the deep-pocketed credit bureaus want it that way.

    1. Mike

      I could deal with some of the rollbacks going on if we had Glass-Steagall back in place. The Frank-Dodd protection bill was amended to evade re-instating Glass-Steagall. Does Reed’s bill include a Glass-Steagall reinstatement?

  6. Mael

    So the world explodes in uproar because FB sold their customers data – data the users freely (albeit unwittingly/unmindfully/ignorantly) put on FB’s servers in exchange for…whatever ‘free’ service….

    But when an agency whose sole purpose is to mine our financial data and sell it to whomever is willing to pay a buck loses it, and then intentionally misleads the public and investigators, and (as it appears now) built in backdoors to get around credit freeze laws (by creating multiple companies to allow access to the same data) continues to operate with little consequence for its failures and deceit….well….shame on us!

    If every one of you who contacted an elected official over FB would do the same for Equifax maybe we could get somewhere.

  7. Lara Glover

    I called up the IRS – was trying to change my address so to get my refund. Found out the IRS depends on Equifax to provide address changes. All I could think of was the vulnerabilities.
    Lara

  8. S Rubin

    Thank you Mr Krebs, after reading this and having had to deal with these credit report firms, I have come to the inescapable conclusion that there should (has to be) a company, that will charge one fee to contact, go through the convoluted, deliberate, and unnecessarily complicated and different for each firm, process to start a fee for freezing your credit report. If a company like that doesn’t exist, I suggest that it would be a very good service business to be involved in. At some time in the future, I like to see you tackle the problem and this or other suggestions as to ways how to deal with it. Thanks and keep up the good fight…

    1. Andrew Rossetti

      I wouldn’t entrust that kind of power to any single company. The only single entity I would trust with that kind of power is me. Imagine if that single company suffered a breach (and given the concentration of power they would be a HUGE target).

  9. Christopher

    Thank you Brian for posting this. I work in the credit industry and had no idea this “bureau” existed, let alone the tangled web of where its data feeds are coming from, and which shell companies are a part of it.
    I used their IVR to pull a report from them…going to be interested to see what information they have on me vs. the “formal” big 3 bureaus.
    Thanks again!

  10. Moike

    Like the scammers that dodge the system by going ‘out of business’ and re-emerging with the same business model under a new name, this will apparently be the game for the foreseeable future: the credit bureaus will continually roll out new branches under new names for the instant credit checkers to use.

  11. Bozo

    Why can’t the government establish a Do Not Grant list?

  12. Big3CreditBAreEvil

    I still do not understand why it’s a no brainer for someone to put a credit freeze on their accounts. It should be free, oh but wait, I live in FL where we are #1 in fraud…….

  13. JohnnyS

    It’s funny how the economies in the EU are doing quite well, and people there are doing fine by USA standards:

    https://www.quora.com/How-do-American-and-Western-European-living-standards-compare

    Yet the EU has the GDPR, which is a requirement around data retention and protection that would seriously reduce the risk that parasites like Equifax could even exist, let alone leak all citizens’ data indiscriminately with little consequence.

    It’s pretty clear that no matter what you think of the overbearing bureaucracy in Brussels, the imposition of the GDPR is consistent with a society that has political systems that are responsive to the needs of the citizens to be protected from the sort of exploitation Americans experience from FB and Equifax.

    It’s equally clear that in the USA the government is incapable of implementing such protection. It’s a bit silly to parrot “freedom” and “democracy” as strong American virtues when the government “of the people, by the people and for the people” is entirely suborned by those who have no interest in the welfare of those same people beyond taking their money.

    1. James Beatty

      Since you’re a fan of quora.com, you likely know that there are more than 20 credit reporting agencies in Europe, and approximately 33% of them share data.

      GDPR isn’t going to change the risk exposure inherent in that charming bit o’ happiness.

  14. Niteprowl2

    It was easy to freeze my credit report with NCTUE. However it refused to freeze my credit report with the “Centralized Credit Check Systems” or the New York Data Exchange. They said it had to be done by snail mail only.
    Thank You Brian for this great information. You provide an outstanding service. Keep up the good work!!

  15. Kaleb

    Thank you Brian. When I called the number to place the freeze, I was given four different options for where to place the freeze. I chose option #1. Did you re-dial and place multiple freezes using each option?

  16. Eugene Murphy

    Thanks Brian.
    On the NCTUE page for freezing there is a drop-down in the middle of the page titled “Please select the exchange data report you want to use” and gives you the four sub-entities. Do you interpret this to mean that a person has to freeze their data for each sub-entity, one at a time?
    Thanks again for your good work.

  17. Kaleb

    Thank you Brian! When I dialed the number to place the freeze, I was given four different freeze options. I chose option #1. Did you dial multiple times and place multiple freezes using each option?

  18. James McGlynn

    Recently heard an FBI cybercrimes agent mention Innovis as the fourth credit agency as well. Another head for the credit hydra

  19. Chuck A

    Wow! I might be stupid or naïve but I’ve never placed a freeze on my credit simply b/c it’s too late, the horse has left the barn AND there will always be security gaps like this one.
    I’m a total skeptic when it comes to data security, if you operate on the web at all, your data is out there to be mined. That is the risk you take.
    Thanks Brian, appreciate your work.

    1. BrianKrebs Post author

      Thanks, Chuck. But it’s not just about mining your data. Recovering from identity theft can very often take years, many hours of frustrating paperwork and phone calls, and possibly thousands of dollars in legal fees and other outlays. It is true that your SSN, DOB etc. are out there for sale in the Deep and Clear Webs. But that is not the same as having to reverse the effects of identity theft and identity fraud, which is simply a major hassle that I wouldn’t wish on anyone.

  20. James T.

    Hello Mr. Krebs
    Upon searching the interwebs for Centralized Credit Check Systems
    I found this http://www.cwclaw.com/publications/alertDetail.aspx?id=794
    Centralized Credit Check Systems or “CCCS” was created by California Public Utilities Commission in 1985 see the pdf below
    articles(.)latimes(.)com/1989-07-20/local/me-4909_1_public-utilities

    PDF document
    docs(.)cpuc(.)ca(.)gov/PublishedDocs/Published/G000/M207/K256/207256717.PDF

    Of course searching California state government websites
    Both CPUC and Secretary of State (business entity) I find no such company exists

  21. Josh Rouan

    From my brief research the name appears to be “Centralized Credit Check System” (no “s”). Doing a Google search for that exact string yields various filings and documents including at the Exchange Service Center, where one can place a freeze on one’s account with the Centralized Credit Check System. It’s also mentioned in abbreviated form as the CCCS.

  22. MP

    Tried the NCTUE Website via Chrome (so yes, got the cert. error before surfing to https://www.exchangeservicecenter.com/Freeze/Freeze.htm), kept receiving “reCAPTCHA Error – Please resubmit details below.” on the ‘Submit’, even though I clicked “I’m not a robot” each time. Used the tel# to freeze for NCTUE (option 1); will now seek to do so for the others (except CUE)….

    1. MP

      For options 2 (CCCS) and 3 (NYDE), same experience as noted by blownfuse and Niteprowl2: file-freeze request rejected, use USMail instead.

  23. Mick

    Why would anyone trust any social media website such as FB, my space, instagram, wassup, and the likes with their real info? Quit all of them and it will solve part of the problem. The rest ?? Well, in this digital era, our personal information is in many data bases and that will be hard to protect from our end. We are left to trust the entities in charge of those data bases will do all they can to protect what has been entrusted to them.

  24. Dalton1c

    This is a lose lose situation trying to protect your personal info. These agencies are worse than criminals. They are like organized crime in my opinion.

  25. Chris Arlen

    Just called and eventually got freeze placed but it was torture via IVR. Designed for callers to drop off as there is a 6+ minute long stretch of lengthy information that’s not instruction, just data dump as if NCTUE had their narrator read the fine print of their 10k.

    Also, at 4 mins. during the lengthy data dump they actually tell you to call the same number that you’ve just dialed! (Also, deadend at their https, got Chrome’s unsafe alert and proceeded to a page not found).

    At 6 mins. during the data dump, narrator stops and then asks for your SS# – with no indication that you’re now going to begin the process. Jeepers what a mess.

  26. Peter Dordal

    It is high time we stop calling this “identity theft” and start calling it “bank negligence”. Yes, straightening out the aftermath can be a hassle, but if someone else took out a loan in your name, the FCRA does not give the lender immunity for reporting that loan to credit bureaus. If someone raids your existing personal (not business) bank accounts by using information available online, the bank is liable. To call all this “identity theft” is to blame the victim.

    Banks cut corners on authentication to increase business. That’s a reasonable risk. But it’s their risk, not ours.

    1. G.Scott H.

      @Peter Dordal: You are absolutely right, it should not be called identity theft. It is much more broad than bank negligence though.

      Why should an “Identity Theft” “victim” be left cleaning up after the negligence of banks, utilities, lenders, IRS, SSA, landlords, etc. that grant credit or other service/product of value to a fraudster?

      The ID theft victim is only a victim because of passing the buck (or debt) onto them instead of the fraudster and lender. The ID theft victim is only in the fraudulent transaction because of fraudulent use of their name.

      The fraudster cannot be trusted to clean up the mess, they just don’t work that way. The lender should be responsible for cleaning up the mess, it was their mistake.

      What to call the situation besides “Identity Theft”? Something that captures the full issue beyond just “Bank negligence” would be best.

      1. acorn

        Organized crime–including corporate crime, white-collar crime, institutional crime?

  27. Paul T

    The website didn’t work for me either, but I successfully froze with the IVR. Painful, unpleasant process.

    Thanks for the great article!

  28. Nail

    The only question is? What should the average joe do about this issue ??

  29. -stephen

    Don’t hold your breath waiting for this Congress to pass any consumer-friendly legislation. The laws concerning the fees charged for freeze/unfreeze requests vary from state to state, so the state legislatures would be the place to lobby for relief. Call or write your *state* representatives today and demand that they prohibit the extortion. It’s *your* money – 1.4 billion dollars of it.

  30. meh

    Why are we still playing this game by their rules on their terms? Their entire business model is a failure and always will be. There is no way to STEAL data on billions of people while spending enough to protect it and still make a profit.
