May 9, 2018

I spent a few days last week speaking at and attending a conference on responding to identity theft. The forum was held in Florida, one of the major epicenters for identity fraud complaints in United States. One gripe I heard from several presenters was that identity thieves increasingly are finding ways to open new mobile phone accounts in the names of people who have already frozen their credit files with the big-three credit bureaus. Here’s a look at what may be going on, and how you can protect yourself.

Carrie Kerskie is director of the Identity Fraud Institute at Hodges University in Naples. A big part of her job is helping local residents respond to identity theft and fraud complaints. Kerskie said she’s had multiple victims in her area recently complain of having cell phone accounts opened in their names even though they had already frozen their credit files at the big three credit bureausEquifax, Experian and Trans Union (as well as distant fourth bureau Innovis).

The freeze process is designed so that a creditor should not be able to see your credit file unless you unfreeze the account. A credit freeze blocks potential creditors from being able to view or “pull” your credit file, making it far more difficult for identity thieves to apply for new lines of credit in your name.

But Kerskie’s investigation revealed that the mobile phone merchants weren’t asking any of the four credit bureaus mentioned above. Rather, the mobile providers were making credit queries with the National Consumer Telecommunications and Utilities Exchange (NCTUE), or nctue.com.

Source: nctue.com

“We’re finding that a lot of phone carriers — even some of the larger ones — are relying on NCTUE for credit checks,” Kerskie said. “It’s mainly phone carriers, but utilities, power, water, cable, any of those, they’re all starting to use this more.”

The NCTUE is a consumer reporting agency founded by AT&T in 1997 that maintains data such as payment and account history, reported by telecommunication, pay TV and utility service providers that are members of NCTUE.

Who are the NCTUE’s members? If you call the 800-number that NCTUE makes available to get a free copy of your NCTUE credit report, the option for “more information” about the organization says there are four “exchanges” that feed into the NCTUE’s system: the NCTUE itself; something called “Centralized Credit Check Systems“; the New York Data Exchange; and the California Utility Exchange.

According to a partner solutions page at Verizon, the New York Data Exchange is a not-for-profit entity created in 1996 that provides participating exchange carriers with access to local telecommunications service arrears (accounts that are unpaid) and final account information on residential end user accounts.

The NYDE is operated by Equifax Credit Information Services Inc. (yes, that Equifax). Verizon is one of many telecom providers that use the NYDE (and recall that AT&T was the founder of NCTUE).

The California Utility Exchange collects customer payment data from dozens of local utilities in the state, and also is operated by Equifax (Equifax Information Services LLC).

Google has virtually no useful information available about an entity called Centralized Credit Check Systems. It’s possible it no longer exists. If anyone finds differently, please leave a note in the comments section.

When I did some more digging on the NCTUE, I discovered…wait for it…Equifax also is the sole contractor that manages the NCTUE database. The entity’s site is also hosted out of Equifax’s servers. Equifax’s current contract to provide this service expires in 2020, according to a press release posted in 2015 by Equifax.

RED LIGHT. GREEN LIGHT. RED LIGHT.

Fortunately, the NCTUE makes it fairly easy to obtain any records they may have on Americans.  Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address.

Assuming the automated system can verify you with that information, the system then orders an NCTUE credit report to be sent to the address on file. You can also request to be sent a free “risk score” assigned by the NCTUE for each credit file it maintains.

The NCTUE also offers an online process for freezing one’s report. Perhaps unsurprisingly, however, the process for ordering a freeze through the NCTUE appears to be completely borked at the moment, thanks no doubt to Equifax’s well documented abysmal security practices.

Alternatively, it could all be part of a willful or negligent strategy to continue discouraging Americans from freezing their credit files (experts say the bureaus make about $1 for each time they sell your file to a potential creditor).

On April 29, I had an occasion to visit Equifax’s credit freeze application page, and found that the site was being served with an expired SSL certificate from Symantec (i.e., the site would not let me browse using https://). This happened because I went to the site using Google Chrome, and Google announced a decision in September 2017 to no longer trust SSL certs issued by Symantec prior to June 1, 2016.

Google said it would do this starting with Google Chrome version 66. It did not keep this plan a secret. On April 18, Google pushed out Chrome 66.  Despite all of the advance warnings, the security people at Equifax apparently missed the memo and in so doing probably scared most people away from its freeze page for several weeks (Equifax fixed the problem on its site sometime after I tweeted about the expired certificate on April 29).

That’s because when one uses Chrome to visit a site whose encryption certificate is validated by one of these unsupported Symantec certs, Chrome puts up a dire security warning that would almost certainly discourage most casual users from continuing.

The insecurity around Equifax’s own freeze site likely discouraged people from requesting a freeze on their credit files.

On May 7, when I visited the NCTUE’s page for freezing my credit file with them I was presented with the very same connection SSL security alert from Chrome, warning of an invalid Symantec certificate and that any data I shared with the NCTUE’s freeze page would not be encrypted in transit.

The security alert generated by Chrome when visiting the freeze page for the NCTUE, whose database (and apparently web site) also is run by Equifax.

When I clicked through past the warnings and proceeded to the insecure NCTUE freeze form (which is worded and stylized almost exactly like Equifax’s credit freeze page), I filled out the required information to freeze my NCTUE file. See if you can guess what happened next.

Yep, I was unceremoniously declined the opportunity to do that. “We are currently unable to service your request,” read the resulting Web page, without suggesting alternative means of obtaining its report. “Please try again later.”

The message I received after trying to freeze my file with the NCTUE.

This scenario will no doubt be familiar to many readers who tried (and failed in a similar fashion) to file freezes on their credit files with Equifax after the company divulged that hackers had relieved it of Social Security numbers, addresses, dates of birth and other sensitive data on nearly 150 million Americans last September. I attempted to file a freeze via the NCTUE’s site with no fewer than three different browsers, and each time the form reset itself upon submission or took me to a failure page.

So let’s review. Many people who have succeeded in freezing their credit files with Equifax have nonetheless had their identities stolen and new accounts opened in their names thanks to a lesser-known credit bureau that seems to rely entirely on credit checking entities operated by Equifax.

“This just reinforces the fact that we are no longer in control of our information,” said Kerskie, who is also a founding member of Griffon Force, a Florida-based identity theft restoration firm.

I find it difficult to disagree with Kerskie’s statement. What chaps me about this discovery is that countless Americans are in many cases plunking down $3-$10 per bureau to freeze their credit files, and yet a huge player in this market is able to continue to profit off of identity theft on those same Americans.

EQUIFAX RESPONDS

I asked Equifax why the very same credit bureau operating the NCTUE’s data exchange (and those of at least two other contributing members) couldn’t detect when consumers had placed credit freezes with Equifax. Put simply, Equifax’s wall of legal verbiage below says mainly that NCTUE is a separate entity from Equifax, and that NCTUE doesn’t include Equifax credit information.

Here is Equifax’s full statement on the matter:

·        The National Consumer Telecom and Utilities Exchange, Inc. (NCTUE) is a nationwide, member-owned and operated, FCRA-compliant consumer reporting agency that houses both positive and negative consumer payment data reported by its members, such as new connect requests, payment history, and historical account status and/or fraudulent accounts.  NCTUE members are providers of telecommunications and pay/satellite television services to consumers, as well as utilities providing gas, electrical and water services to consumers. 

·        This information is available to NCTUE members and, on a limited basis, to certain other customers of NCTUE’s contracted exchange operator, Equifax Information Services, LLC (Equifax) – typically financial institutions and insurance providers.  NCTUE does not include Equifax credit information, and Equifax is not a member of NCTUE, nor does Equifax own any aspect of NCTUE.  NCTUE does not provide telecommunications pay/ satellite television or utility services to consumers, and consumers do not apply for those services with NCTUE.

·        As a consumer reporting agency, NCTUE places and lifts security freezes on consumer files in accordance with the state law applicable to the consumer.  NCTUE also maintains a voluntary security freeze program for consumers who live in states which currently do not have a security freeze law. 

·        NCTUE is a separate consumer reporting agency from Equifax and therefore a consumer would need to independently place and lift a freeze with NCTUE.

·        While state laws vary in the manner in which consumers can place or lift a security freeze (temporarily or permanently), if a consumer has a security freeze on his or her NCTUE file and has not temporarily lifted the freeze, a creditor or other service provider, such as a mobile phone provider, generally cannot access that consumer’s NCTUE report in connection with a new account opening.  However, the creditor or provider may be able to access that consumer’s credit report from another consumer reporting agency in order to open a new account, or decide to open the account without accessing a credit report from any consumer reporting agency, such as NCTUE or Equifax. 

PLACING THE FREEZE

I was able to successfully place a freeze on my NCTUE report by calling their 800-number — 1-866-349-5355. The message said the NCTUE might charge a fee for placing or lifting the freeze, in accordance with state freeze laws.

Depending on your state of residence, the cost of placing a freeze on your credit file at Equifax, Experian or Trans Union can run between $3 and $10 per credit bureau, and in many states the bureaus also can charge fees for temporarily “thawing” and removing a freeze (according to a list published by Consumers Union, residents of four states — Indiana, Maine, North Carolina, South Carolina — do not need to pay to place, thaw or lift a freeze).

While my home state of Virginia allows the bureaus to charge $10 to place a freeze, for whatever reason the NCTUE did not assess that fee when I placed my freeze request with them. When and if your freeze request does get approved using the NCTUE’s automated phone system, make sure you have pen and paper or a keyboard handy to jot down the freeze PIN, which you will need in the event you ever wish to lift the freeze. When the system read my freeze PIN, it was read so quickly that I had to hit “*” on the dial pad several times to repeat the message.

It’s frankly absurd that consumers should ever have to pay to freeze their credit files at all, and yet a recent study indicates that almost 20 percent of Americans chose to do so at one or more of the three major credit bureaus since Equifax announced its breach last fall. The total estimated cost to consumers in freeze fees? $1.4 billion.

A bill in the U.S. Senate that looks likely to pass this year would require credit-reporting firms to let consumers place a freeze without paying. The free freeze component of the bill is just a tiny provision in a much larger banking reform bill — S. 2155 — that consumer groups say will roll back some of the consumer and market protections put in place after the Great Recession of the last decade.

“It’s part of a big banking bill that has provisions we hate,” said Chi Chi Wu, a staff attorney with the National Consumer Law Center. “It has some provisions not having to do with credit reporting, such as rolling back homeowners disclosure act provisions, changing protections in [current law] having to do with systemic risk.”

Sen. Jack Reed (D-RI) has offered a bill (S. 2362) that would invert the current credit reporting system by making all consumer credit files frozen by default, forcing consumers to unfreeze their files whenever they wish to obtain new credit. Meanwhile, several other bills would impose slightly less dramatic changes to the consumer credit reporting industry.

Wu said that while S. 2155 appears steaming toward passage, she doubts any of the other freeze-related bills will go anywhere.

“None of these bills that do something really strong are moving very far,” she said.

I should note that NCTUE does offer freeze alternatives. Just like with the big four, NCTUE lets consumers place a somewhat less restrictive “fraud alert” on their file indicating that verbal permission should be obtained over the phone from a consumer before a new account can be opened in their name.

Here is a primer on freezing your credit file with the big three bureaus, including Innovis. This tutorial also includes advice on placing a security alert at ChexSystems, which is used by thousands of banks to verify customers that are requesting new checking and savings accounts. In addition, consumers can opt out of pre-approved credit offers by calling 1-888-5-OPT-OUT (1-888-567-8688), or visit optoutprescreen.com.

Oh, and if you don’t want Equifax sharing your salary history over the life of your entire career, you might want to opt out of that program as well.

Equifax and its ilk may one day finally be exposed for the digital dinosaurs that they are. But until that day, if you care about your identity you now may have another freeze to worry about. And if you decide to take the step of freezing your file at the NCTUE, please sound off about your experience in the comments below.


163 thoughts on “Think You’ve Got Your Credit Freezes Covered? Think Again.

  1. Mike

    Not a technical comment here…

    A few odd (or bizarre) thoughts struck me while reading this and the Equifax opt-out article linked at the end.

    First, this sounds like trying to get teenage girls to quit gossiping about you, and being extorted by them for it. Next, there seem to be a lot of legal loophole to allow the gossipers to continue via another gossiper. Lastly, the love of money is the root of all kinds of evil.

  2. Robert L.

    Thank you again Brian! This important article also has explained to me why 2 of my Credit Card banks, when I needed to verify unexpected purchases, their “Security” pages came up with Chrome’s “Look out, all ye who enter here” message..

  3. Leo

    I assume that this NCTUE operates in the USA only.
    Brian, can you confirm this?

    If a telecommunications company (a utility) can get away with this, you can only image the number of other companies that would be interested in doing the same thing. Is this a slippery slope?

    1. crony

      Utility companies can get away with just about anything. Highly regulated means cronyism

  4. CJ

    ​The problem with FREE Credit Freezes is that Pranksters, friends of my teenage kids, etcetera might lock My Credit.
    I think a small fee will discourage most troublemakers.
    (Probably, not as bad as “swatting”, but I’d rather not find out).

    1. Dennis

      This is an utterly ridiculous statement. How about first verifying your identity before doing the free freeze? Do you really think that your vindictive gf would not be willing to pay $20 to mess up your account?

    2. Frank

      Do pranksters and friends of your teenage kids know your SSN etc? If so, you have bigger problems than the possibility of them freezing your credit. Also, I’m pretty sure the chance of them thinking of / choosing that as their prank is zero. It would be the lamest prank of all time. “Yo guys, I have the perfect prank: let’s make her credit more secure! She won’t find out for a few years and then she’ll have to make some phone calls HAHAHA it’ll be so great!”

  5. Dennis

    Oh, good. Let me freeze this one too. What number is it? 4th? 5th? So in the future if they come up with a new EFTARD credit reporting agency I will pony up another $3 to $10 to freeze, then thaw and unfreeze my account there as well. No problem!

    1. Candy

      “In the future” …it will cost over $50 to freeze or unfreeze…count on it!

  6. chester roberts

    Thank you for doing all the leg work on a freeze for which I knew nothing!! Also, you are correct you better write fast for that pin number.

  7. Bruce

    I didn’t try to freeze my NCTUE credit report, but I see they are now using Let’s Encrypt for their certificate authority. I suppose we’ll find out on July 4th whether they set it up correctly.

  8. Mac

    When you call 866-349-5355, it lets you choose between putting a freeze with NCTUE…and three other entities.

    Brian, did you go through the process of freezing all four?

    Thanks.

    1. BrianKrebs Post author

      I chose the NTCUE, since it seemed to reason that all of the other contributing members were members of the NCTUE.

  9. Shawn

    How does this play into the LifeLock and other Credit Monitoring services? Do they even have the ability to check and monitor this type of activity? If so, good on them! The whole pay for freeze is silly, it’s an industry, they are going to make money off of you or the people requesting your credit, someone has to replace that revenue.
    I like the freeze it and if I need to I will thaw it. That works for older established folks, but the instant gratification of todays youth and even younger adults, I’m not sure how they will take that.
    Great Article, yet another cat and mouse game that only the few really get. Where is the national coverage of this and why hasn’t Legislation been quicker.

  10. Gordon Ross

    Brian, *thank you* for catching this. Yes, it’s frustrating as all get out and makes me very angry, but it is what we are stuck with at the moment.

    I called the NCTUE phone number and froze my credit easily. My problem was that it asked for which freeze I wanted and listed four. The first was NCTUE, Inc; I do not remember the other three. Do you know which option I should have selected?

    As others have noted, others can freeze your credit if they know your ssn.

    Again, thank you for all the work you do Brian. I appreciate it very much.

  11. Nick

    Does anyone know if Optoutprescreen.com sends you a confirmation letter for permanent opt out?

  12. JasonR

    While I appreciate the phone numbers and into in the article and trust Krebs, and while the NCTUE main website was linked, a more specific link has all the relevant info on it and I’d rather get it right from the horses mouth as I’m entering in my SSN and potentially CC payment info:

    http://www.nctue.com/Consumers

    1. Michelle

      Thank you for the link. Of course, the site is not responding after I clicked the link about freezes. I’ll mail them a request after I get my report from them.

  13. Muffin

    I just called the 866 number and placed a freeze with NCTUE using their automated system. They said they would mail me a confirmation. Thanks so much, Brian.
    One question: At the beginning of the call, they asked if I was placing a freeze with several organizations and named each one. I think there were about three and there was an additional one in California. I only did NCTUE. Should I do the other two also?

    1. brodie7838

      Personally I’d vote yes on the basis that if someone were to steal your identity and try to open an account with the other organizations, the freeze would apply – you might not live in CA or NYC, but the ID thief might. The chances someone would use your identity to run up an electric bill in a specific location like that are probably slimmer than other possibilities, but better safe than sorry.

  14. Richard

    I keep getting a reCAPTCHA error upon form submission. And they haven’t updated their submission site to Let’s Encrypt, just their main site.

    1. Ralph Haygood

      Me too. I tried six times, four times using the visual CAPTCHA and twice using the audio CAPTCHA. I’m quite confident my responses to at least the audio CAPTCHA were correct. Evidently, they’ve failed to deploy reCAPTCHA correctly, which is consistent with the other evidence of technical incompetence on display here.

    2. Frank

      Me too, tried two different browsers. In Firefox I can solve it and I get the green checkmark, but when I click Submit it says “reCaptcha error”. In Brave, with “shields” down, all default settings and no extensions, I can’t even click the reCaptcha.

  15. brodie7838

    Comcast also uses the NCTUE – I got a letter from them after my rate apparently went up (no notification on that from Comcast of course) and eventually the account’s outstanding balance grew to the point that it was reported (also no notification from Comcast on that either).

    On an aside, Comcast is the only recurring monthly utility that I am *never* able to keep track of. It changes all the time even when I send them a check for the exact amount every month, the account is either past due or has an excess positive balance. Tried setting them up on eBill with my bank and that bit me when they suddenly charged me $300 for no apparent reason.

    1. brodie7838

      I forgot to mention that I was able to set up a credit freeze online awhile back with the NCTUE without many of the issues that Brian outlined here. There’s no excuse for the state of their portal the way that it is today. I also ended up contesting the Comcast thing I mentioned in my other comment and it went pretty much as expected; the negative mark is still on my report but marked as paid in full. They didn’t seem to really care that the error was on Comcast’s side and there wasn’t any opportunity to appeal after that.

  16. Chris

    I would think that the best way to address this situation is to have a lawsuit filed. The only way these companies react is when you hit their pocket books.

  17. Robert

    Brian’s comment: “(i.e., the site would not let me browse using https://). This happened because I went to the site using Google Chrome,”

    This is why I’ve downloaded lots of old browsers as well as portable browsers. Yes some may have security issues, so user beware (disabling java script may make them safer but unusable at some sites).

    I keep a variety of browsers on a flash drive I keep with me and even when I’m at the public library and their system baulks and refuses to allow me access to a web site, for whatever reason, I pop in the flash, fire up my browser and surf.

    Plan on freezing yet another account, thanks Brian. So far no one has used my identity for anything, that I’m aware of anyway.

    1. Frank

      Or, in any modern browser, you can just click “Advanced” and allow a temporary exception.

      1. Bruce Hobbs

        Yes, Frank, you should do that every time you get the warning. You will never be scammed, trust me.

        1. Frank

          I don’t, but in the rare cases when I ignore the warning, I do it the way I explained rather than use an older, less secure version my browser (and have to plug in a flash drive just to do so like that person said). Not seeing the warning at all because you’re on an old browser doesn’t make the problem disappear (but go ahead and make jabs at me instead of the person using a 2012 browser to avoid security warnings).

  18. Harry Johnston

    I’m missing something here – what stops identity thieves from pretending to be you and unfreezing your report? Why can’t the same procedure be applied to prevent them from pretending to be you to take out credit?

    1. Moike

      The only thing that prevents a thief from unfreezing your credit and taking out a loan is the freeze code. Protect this much more than any normal computer password: don’t store it on an electronic device unless it is well protected.

      > Why can’t the same procedure be applied to prevent them from pretending to be you to take out credit?

      That would be the case after credit is frozen.

      1. Reader

        Oh please.
        A signed letter by mail is all they request to unfreeze, if the PIN is lost. They make it easy because they profit off every interaction with you.

        They don’t require a blood sample or even a sworn statement. A letter will do.

    2. Frank

      The pin number that gets created when you freeze your account, which is then required for unfreezing it.

  19. david C

    I live in the UK and am a paying member of Experian. They do not even offer “credit freezes”,

  20. Adam Leader

    Thank you so much for this info. I found it very useful and successfully completed the NCTUE freeze.

  21. Stratocaster

    Though the logo on Equifax’s own homepage does not look like the one included in this post, the latter bears a disturbing resemblance to the corporate logo for Enron. And we know how well that ended.

  22. Kevin

    Just tried placing my freeze for my wife and I. The online option of course didn’t work at all so I went through the 800 number as you suggested. The freeze went through for myself but for some reason they wouldn’t allow my wife’s freeze to take place… now we have to mail-in a request to their PO BOX. It’s not super clear exactly what we’re supposed to say in this request besides just writing down our name, address, SSN, and DOB in some letter… nice and sketchy.

    And yes, they say your PIN and CONF number wayyyy too fast.

  23. Scott

    This is getting ridiculous. We need tough Federal and State legislation to truly protect people’s identity. There must be serious financial penalties, along with prison sentences, for the executives at credit bureaus and other companies who play loosey-goosey with our information.

  24. Michelle

    Thank you for the information. I had two identity theft attempts prior to the announcement of the Equifax breach. These happened less than a month apart. Luckily, Credit Karma warned me immediately I had fraud alerts at the three bureaus too.
    That’s when I froze my credit (free of charge since I was a victim of fraud). Then, after the breach announcement, I froze Innovis and ChexSystem.

    Is EVERYTHING owned by Equifax? Also, “TrustedID” monitoring from Equifax is a huge joke. I can only get information from November 2017.

    I just called the number you gave for this and ordered my report. I will freeze this also. My employer is not on the salary sharing site and neither is my previous employer. That covers the last 20 years or so.

  25. Robert Holmes

    I googled an email address for Nctue and found admin@nctue.com.

    Surprisingly I got a reply from the Executive Director, Alan Moore.

    He said that the online form will work with Internet Explorer. Unfortunately I don’t have any devices with Internet Explorer and when I last checked neither did 97.3 percent of the world, lol. I haven’t used it in years.

    He did say that Chrome and Foxfire would work if you “unlocked” them. I toggled off “Protect you and your device from dangerous sites under advanced setting thinking that is what he meant by unlock. Alas it was to no avail.

    I don’t think – actually I know, it is not asking too much that their form work with the most popular browsers.

    Perhaps everyone should let him know how they feel about this mess via the email above?

    1. BrianKrebs Post author

      Right. The site was likely designed a decade ago and never touched since. I tried this freeze page with the latest versions of Microsoft Edge (the replacement for IE), Mozilla Firefox and Chrome, and it failed on all three.

  26. DelilahtheSober

    Thank you, Brian. After reading this post I called and requested a copy of my profile using the NCTUE automated system.

  27. Topnotcher

    We have to stop the bleed, Equifax is too big. Anti-trust.

  28. Dumbfounded

    Maybe I missed it, but I gather we should also put a credit freeze with Innovis (mentioned in second paragraph)?

  29. Website Knowhow

    I plan on reading your article but your site is not mobile friendly. Talking about updating old tech, please have your web developer make sure your theme on this blog is responsive. It’s super hard to read on mobile. Thanks for all the info. I look forward to reading it when I can get to an actual desktop.

Comments are closed.