I spent a few days last week speaking at and attending a conference on responding to identity theft. The forum was held in Florida, one of the major epicenters for identity fraud complaints in United States. One gripe I heard from several presenters was that identity thieves increasingly are finding ways to open new mobile phone accounts in the names of people who have already frozen their credit files with the big-three credit bureaus. Here’s a look at what may be going on, and how you can protect yourself.
Carrie Kerskie is director of the Identity Fraud Institute at Hodges University in Naples. A big part of her job is helping local residents respond to identity theft and fraud complaints. Kerskie said she’s had multiple victims in her area recently complain of having cell phone accounts opened in their names even though they had already frozen their credit files at the big three credit bureaus — Equifax, Experian and Trans Union (as well as distant fourth bureau Innovis).
The freeze process is designed so that a creditor should not be able to see your credit file unless you unfreeze the account. A credit freeze blocks potential creditors from being able to view or “pull” your credit file, making it far more difficult for identity thieves to apply for new lines of credit in your name.
But Kerskie’s investigation revealed that the mobile phone merchants weren’t asking any of the four credit bureaus mentioned above. Rather, the mobile providers were making credit queries with the National Consumer Telecommunications and Utilities Exchange (NCTUE), or nctue.com.
“We’re finding that a lot of phone carriers — even some of the larger ones — are relying on NCTUE for credit checks,” Kerskie said. “It’s mainly phone carriers, but utilities, power, water, cable, any of those, they’re all starting to use this more.”
The NCTUE is a consumer reporting agency founded by AT&T in 1997 that maintains data such as payment and account history, reported by telecommunication, pay TV and utility service providers that are members of NCTUE.
Who are the NCTUE’s members? If you call the 800-number that NCTUE makes available to get a free copy of your NCTUE credit report, the option for “more information” about the organization says there are four “exchanges” that feed into the NCTUE’s system: the NCTUE itself; something called “Centralized Credit Check Systems“; the New York Data Exchange; and the California Utility Exchange.
According to a partner solutions page at Verizon, the New York Data Exchange is a not-for-profit entity created in 1996 that provides participating exchange carriers with access to local telecommunications service arrears (accounts that are unpaid) and final account information on residential end user accounts.
The NYDE is operated by Equifax Credit Information Services Inc. (yes, that Equifax). Verizon is one of many telecom providers that use the NYDE (and recall that AT&T was the founder of NCTUE).
The California Utility Exchange collects customer payment data from dozens of local utilities in the state, and also is operated by Equifax (Equifax Information Services LLC).
Google has virtually no useful information available about an entity called Centralized Credit Check Systems. It’s possible it no longer exists. If anyone finds differently, please leave a note in the comments section.
When I did some more digging on the NCTUE, I discovered…wait for it…Equifax also is the sole contractor that manages the NCTUE database. The entity’s site is also hosted out of Equifax’s servers. Equifax’s current contract to provide this service expires in 2020, according to a press release posted in 2015 by Equifax.
RED LIGHT. GREEN LIGHT. RED LIGHT.
Fortunately, the NCTUE makes it fairly easy to obtain any records they may have on Americans. Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address.
Assuming the automated system can verify you with that information, the system then orders an NCTUE credit report to be sent to the address on file. You can also request to be sent a free “risk score” assigned by the NCTUE for each credit file it maintains.
The NCTUE also offers an online process for freezing one’s report. Perhaps unsurprisingly, however, the process for ordering a freeze through the NCTUE appears to be completely borked at the moment, thanks no doubt to Equifax’s well documented abysmal security practices.
Alternatively, it could all be part of a willful or negligent strategy to continue discouraging Americans from freezing their credit files (experts say the bureaus make about $1 for each time they sell your file to a potential creditor).
On April 29, I had an occasion to visit Equifax’s credit freeze application page, and found that the site was being served with an expired SSL certificate from Symantec (i.e., the site would not let me browse using https://). This happened because I went to the site using Google Chrome, and Google announced a decision in September 2017 to no longer trust SSL certs issued by Symantec prior to June 1, 2016.
Google said it would do this starting with Google Chrome version 66. It did not keep this plan a secret. On April 18, Google pushed out Chrome 66. Despite all of the advance warnings, the security people at Equifax apparently missed the memo and in so doing probably scared most people away from its freeze page for several weeks (Equifax fixed the problem on its site sometime after I tweeted about the expired certificate on April 29).
That’s because when one uses Chrome to visit a site whose encryption certificate is validated by one of these unsupported Symantec certs, Chrome puts up a dire security warning that would almost certainly discourage most casual users from continuing.
On May 7, when I visited the NCTUE’s page for freezing my credit file with them I was presented with the very same connection SSL security alert from Chrome, warning of an invalid Symantec certificate and that any data I shared with the NCTUE’s freeze page would not be encrypted in transit.
When I clicked through past the warnings and proceeded to the insecure NCTUE freeze form (which is worded and stylized almost exactly like Equifax’s credit freeze page), I filled out the required information to freeze my NCTUE file. See if you can guess what happened next.
Yep, I was unceremoniously declined the opportunity to do that. “We are currently unable to service your request,” read the resulting Web page, without suggesting alternative means of obtaining its report. “Please try again later.”
This scenario will no doubt be familiar to many readers who tried (and failed in a similar fashion) to file freezes on their credit files with Equifax after the company divulged that hackers had relieved it of Social Security numbers, addresses, dates of birth and other sensitive data on nearly 150 million Americans last September. I attempted to file a freeze via the NCTUE’s site with no fewer than three different browsers, and each time the form reset itself upon submission or took me to a failure page.
So let’s review. Many people who have succeeded in freezing their credit files with Equifax have nonetheless had their identities stolen and new accounts opened in their names thanks to a lesser-known credit bureau that seems to rely entirely on credit checking entities operated by Equifax.
“This just reinforces the fact that we are no longer in control of our information,” said Kerskie, who is also a founding member of Griffon Force, a Florida-based identity theft restoration firm.
I find it difficult to disagree with Kerskie’s statement. What chaps me about this discovery is that countless Americans are in many cases plunking down $3-$10 per bureau to freeze their credit files, and yet a huge player in this market is able to continue to profit off of identity theft on those same Americans.
EQUIFAX RESPONDS
I asked Equifax why the very same credit bureau operating the NCTUE’s data exchange (and those of at least two other contributing members) couldn’t detect when consumers had placed credit freezes with Equifax. Put simply, Equifax’s wall of legal verbiage below says mainly that NCTUE is a separate entity from Equifax, and that NCTUE doesn’t include Equifax credit information.
Here is Equifax’s full statement on the matter:
· The National Consumer Telecom and Utilities Exchange, Inc. (NCTUE) is a nationwide, member-owned and operated, FCRA-compliant consumer reporting agency that houses both positive and negative consumer payment data reported by its members, such as new connect requests, payment history, and historical account status and/or fraudulent accounts. NCTUE members are providers of telecommunications and pay/satellite television services to consumers, as well as utilities providing gas, electrical and water services to consumers.
· This information is available to NCTUE members and, on a limited basis, to certain other customers of NCTUE’s contracted exchange operator, Equifax Information Services, LLC (Equifax) – typically financial institutions and insurance providers. NCTUE does not include Equifax credit information, and Equifax is not a member of NCTUE, nor does Equifax own any aspect of NCTUE. NCTUE does not provide telecommunications pay/ satellite television or utility services to consumers, and consumers do not apply for those services with NCTUE.
· As a consumer reporting agency, NCTUE places and lifts security freezes on consumer files in accordance with the state law applicable to the consumer. NCTUE also maintains a voluntary security freeze program for consumers who live in states which currently do not have a security freeze law.
· NCTUE is a separate consumer reporting agency from Equifax and therefore a consumer would need to independently place and lift a freeze with NCTUE.
· While state laws vary in the manner in which consumers can place or lift a security freeze (temporarily or permanently), if a consumer has a security freeze on his or her NCTUE file and has not temporarily lifted the freeze, a creditor or other service provider, such as a mobile phone provider, generally cannot access that consumer’s NCTUE report in connection with a new account opening. However, the creditor or provider may be able to access that consumer’s credit report from another consumer reporting agency in order to open a new account, or decide to open the account without accessing a credit report from any consumer reporting agency, such as NCTUE or Equifax.
PLACING THE FREEZE
I was able to successfully place a freeze on my NCTUE report by calling their 800-number — 1-866-349-5355. The message said the NCTUE might charge a fee for placing or lifting the freeze, in accordance with state freeze laws.
Depending on your state of residence, the cost of placing a freeze on your credit file at Equifax, Experian or Trans Union can run between $3 and $10 per credit bureau, and in many states the bureaus also can charge fees for temporarily “thawing” and removing a freeze (according to a list published by Consumers Union, residents of four states — Indiana, Maine, North Carolina, South Carolina — do not need to pay to place, thaw or lift a freeze).
While my home state of Virginia allows the bureaus to charge $10 to place a freeze, for whatever reason the NCTUE did not assess that fee when I placed my freeze request with them. When and if your freeze request does get approved using the NCTUE’s automated phone system, make sure you have pen and paper or a keyboard handy to jot down the freeze PIN, which you will need in the event you ever wish to lift the freeze. When the system read my freeze PIN, it was read so quickly that I had to hit “*” on the dial pad several times to repeat the message.
It’s frankly absurd that consumers should ever have to pay to freeze their credit files at all, and yet a recent study indicates that almost 20 percent of Americans chose to do so at one or more of the three major credit bureaus since Equifax announced its breach last fall. The total estimated cost to consumers in freeze fees? $1.4 billion.
A bill in the U.S. Senate that looks likely to pass this year would require credit-reporting firms to let consumers place a freeze without paying. The free freeze component of the bill is just a tiny provision in a much larger banking reform bill — S. 2155 — that consumer groups say will roll back some of the consumer and market protections put in place after the Great Recession of the last decade.
“It’s part of a big banking bill that has provisions we hate,” said Chi Chi Wu, a staff attorney with the National Consumer Law Center. “It has some provisions not having to do with credit reporting, such as rolling back homeowners disclosure act provisions, changing protections in [current law] having to do with systemic risk.”
Sen. Jack Reed (D-RI) has offered a bill (S. 2362) that would invert the current credit reporting system by making all consumer credit files frozen by default, forcing consumers to unfreeze their files whenever they wish to obtain new credit. Meanwhile, several other bills would impose slightly less dramatic changes to the consumer credit reporting industry.
Wu said that while S. 2155 appears steaming toward passage, she doubts any of the other freeze-related bills will go anywhere.
“None of these bills that do something really strong are moving very far,” she said.
I should note that NCTUE does offer freeze alternatives. Just like with the big four, NCTUE lets consumers place a somewhat less restrictive “fraud alert” on their file indicating that verbal permission should be obtained over the phone from a consumer before a new account can be opened in their name.
Here is a primer on freezing your credit file with the big three bureaus, including Innovis. This tutorial also includes advice on placing a security alert at ChexSystems, which is used by thousands of banks to verify customers that are requesting new checking and savings accounts. In addition, consumers can opt out of pre-approved credit offers by calling 1-888-5-OPT-OUT (1-888-567-8688), or visit optoutprescreen.com.
Oh, and if you don’t want Equifax sharing your salary history over the life of your entire career, you might want to opt out of that program as well.
Equifax and its ilk may one day finally be exposed for the digital dinosaurs that they are. But until that day, if you care about your identity you now may have another freeze to worry about. And if you decide to take the step of freezing your file at the NCTUE, please sound off about your experience in the comments below.
I want to request these companies to remove my data from their systems.
Question is, do they have any legal trump card to continue to hold my data and sell it at a whim?
Can anyone just open a company to collect peoples data and sell it like they do?
I’m thinking: I’d rather pay the state-fee to a database maintainer listing all the Equifax database-operated entities to spam–turn the spam more their direction since I’ve been on the receiving end of Equifax-led postal spam, credit card offers, etc, etc.
Outside of Europe, yes, more or less, anyone can maintain any information they like about anyone and generally sell it however they like.
In Europe, it’s possible that the “Right to be forgotten” and GPDR may change how things apply.
Sadly there really aren’t any good laws in North America for this stuff. As an analog, HIPAA at least gives you some protection for your medical information (or at least its handling).
What we have is a patchwork of state regulations most of which at best cover data beach notification (e.g., California [1]).
I haven’t found anything covering data retention. And really, data retention laws are probably the only way to address part of this– if an entity can’t show a continuing reason to retain records about someone, it should be forced to destroy or make them generally unavailable after some period of time…
[1] https://oag.ca.gov/privacy/databreach/reporting
I just called the number you posted and froze my credit on NCTUE. It was very easy and they made no mention of a charge (I live in Texas). Thanks very much for all your good advice on credit freezes.
So, I too was unable to access the NCTUE website from anything. Upon calling, as stated there are 4 options to choose from to freeze your credit. They are the NCTUE, the Centralized Credit Check System, the New York Data Exchange, and the California Utility Exchange. I was able to successfully freeze my credit reporting on NCTUE with no problems, though as mentioned, I did have to repeat the PIN and Confirmation numbers 3x. I then repeated the process for each of the other three options.
For each of the options, I was unable to freeze my credit. I presume this is because NCTUE may cover all of them. Or, for the State-based exchanges, perhaps it was because I am not a resident of either of those States. However, they told me I could request via mail, the freezing of my credit reporting.
For those interested (and forgive me if this has been posted already), send your name, address, SSN, and DOB to Exchange Security Center, P.O. Box 105561, Atlanta, GA, 30348.
To remove the freeze, send your PIN and two forms of ID (utility bill, or paystub).
To temporarily lift the freeze, send your PIN and date range for when the lift should be in place. You can also include the organization to whom you would like the credit report to be sent.
This was the same message for all three other options, which is why I assume that NCTUE covers them all.
They also provided a web address that doesn’t seem to work for me at all. https://www.exchangeservicecenter.com/freeze. I hope this helps people, and I hope I’m not just reiterating what someone else has posted.
I was able to freeze my credit on NCTUE with no problems. We called back twice to do the same for my husband, and was told it couldn’t be processed. Any ideas on why that would be?
Was able to freeze my credit by phone, no charge (over 65). Really long winded explanation of the process, but when that was done the rest was easy.
Brian, great report. The web site didn’t work for me either. Used to get the freeze in via phone with no charge.
It amazes me how a company like Equifax can get away with all this.
The consumer should have the right to unfreeze their files for free whenever they wish.
Data protection in the US is very weak.
No surprise really as there are no consequenses for these messes thay make!
Again, we are the product, not the customer.
These companies should not be able to have our data, but they do. Uggg!
Thank you, Brian, for this information.
I was able to put a freeze on both my and my husband’s credit reports and order the report and score all through your comprehensive information. I also placed the 5 year “opt-out” order. I was able to use the telephone options with no charges incurred.
This in addition to “the big 3” credit reporting companies and Innovis and created a Social Security account (now, before we need it).
On a side note, I typed out a 2 page comprehensive set of directions for our friends and family members. To date less than 10% have chosen to freeze their accounts at all.
Thank you for keeping the rest of us “up to speed”!
Oh, we froze Chex Systems, too!
Froze NCTUE just now. No certificate errors. No charges as a TN resident.
Equifax: “..nor does Equifax own any aspect of NCTUE.”
However, operated [as stated by BK, whois, and Privacy Policy] and supported by Equifax. NCTUE pays operational bills; Equifax releases citizen data, again for malicious reasons.
Brian – I was able to successfully place the freeze via the NCTUE website..no charge.. Thanks for the great info and keep the home fires burning!
Already froze the other 4 hackBureaus–
http://www.nctue.com/Consumers directs to—
https://www.exchangeservicecenter.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
Over my 26 years at TransUnion I found some of the worst ID theft to remediate was identified through fraudulent utility bills, namely cell phones. When someone used a victims name and SSN, then applied for a credit card, auto loan or the like it would query one or more of the bureau databases. If the respective file was frozen the application process usually ended. Same if the file was suppressed (a different form of “freezing” the bureaus use). However the utility companies, as Brian is reporting, didn’t run credit reports. Instead they would do “header” checks. The legacy product name at TransUnion was “SSN Trace.”
A typical credit check would take an applicant’s name, address and SSN and then return a matching credit file, if not frozen or suppressed. A SSN Trace took only the applicant’s SSN and then returned only the header information for files that had a matching SSN. The challenge here is that the returned information is reduced by a need to also match on say name and address. So returned to the utility company were all the identities showing up under the input SSN and hence the problem (beyond the back it bypassed the fact a file may have been suppressed or frozen).
Under one SSN could be multiple credit files. Sometimes they had similar names. Often in cases of synthetic ID fraud the names were completely different. Same true where you had undocumented people using someone else’s SSN. If my name is Steve and someone named Sally was using my SSN, the SSN Trace would return both the names Steve and Sally along with know addresses and DOB’s. Also included might be employment and phone information.
The calls TransUnion would frequently get related to “true” people would apply to get a cell phone and be denied saying another name came up under their SSN. However TransUnion had no process to disclose to the caller all the names under the SSN. So Steve calls in and says another name is showing up. TransUnion sends Steve his credit report but nothing relating to Sally as that is a different credit report. So Steve is stuck trying to fix something that is given to the phone company by a credit bureau but hidden from Steve.
Then, even if Steve finds out that Sally is using his SSN, it is extremely difficult to get that cleaned up. Because it isn’t Steve, only his SSN.
Header information is a different beast and file freezes or suppression won’t stop it from going out. Nor will any fraud alerts. I have so suspect that is a good part of the issue referred initially in this article.
Beats the article title, “Think You’ve Got Your Credit Freezes Covered? Think Again”. That’d mean dear BK readers, again are not covered, when a freeze isn’t a freeze with the same entity, NCTUE (backend-back-handed, run by Experian) .
let me get this right, Steve, you are saying that creditors may approve a credit request solely on the header report? and access to that header report is not controlled by a credit freeze?
I was just able to freeze via the NCTUE website. No charge. I live in TX. It did not offer me a PIN however so maybe my credit is now in a state of glacial deep freeze. That would be just fine with me.
Your website is SO useful! We (my husband and I) froze all our credit (from your past article) and now after this last article from you, have done this. I have Microsoft Edge and the website did not work for me so I called on our phone and successfully froze mine, and then called back and successfully froze my husband’s! Thank you so much.
Brian: I wish I had known you had a speaking engagement in Florida. I live in Florida and read your website posts every single day. I would have attended. Have you considered adding a sub-header somewhere for your site for “Upcoming Events”?
Thanks, but I generally do not advertise when I am traveling. If the venue I am speaking at wishes to do so, that is up to them of course.
Wise opsec.
Definitely true Robert! If I were Brian, I’d definitely have a concealed carry permit as well! It is not like he has no enemies!
The credit freeze screen for NCTUE has a dropdown where it seems you will need to file up to 4 freezes. Anyone else see this?
With AT&T, top fraud Telco and Equifax, top data fraudsters, what could possibly go wrong?
Thank you, Brian.
The website repeatedly refused my Captcha entries, and the telephone number repeated reported “We are unable to verify your information at this time.” I ended up writing two physical letters, one for NCTUE and the other for the Centralized Credit Check System.
I’m torn between describing them as clowns or parasites.
A simple solution is for all credit reference agencies to always only send the credit report to the individual/consumer, who can then choose whether to forward to the potential creditor or not. The CRAs can provide a validation code to the creditor to verify the authenticity of the report.
This doesn’t work for the same reason that certified copies of school transcripts must be sent directly from the school to the interested party: the subject of the inquiry has reason to tamper with the data.
s. 2362 [1] mentioned by Brian is the right fix to this, but no one sounds hopeful about it. I’m impressed to see someone in Congress figured out this fix or was willing to listen to the right people even if it is unlikely to be passed.
[1] https://www.reed.senate.gov/news/releases/reed-introduces-bill-to-help-consumers-protect-their-personal-credit-information
It’s about time our legislators act on this and probably some (like many of us) are not aware of thes “shadow” credit reporting agencies. Write your representatives to push for action.
Great report and thanks for the heads up
Tried to place freeze today 5/11 10am eastern. The phone number said it could not be processed and no PIN was given. Then I went online and it appeared the freeze was in place (however again I do not have my PIN) so I could not unfreeze for a specific company (there was no option to freeze) making me think the freeze was placed. Borked….new one on me….
I applaud the efforts of the utility companies to share information to help customers, however I think the best methods are security deposits and refund credits when a history with that company has been established (1 year).
Time to think of solutions outside of these money making credit freezes? I’m getting older and have no debt, I paid cash for my cars, saved for my kids’ education, saved for retirement, etc. Do I need good credit.. for what? Is it time to start paying late on my AT&T and DirectTv bills just to destroy my good credit score, so a malicious actor can’t open credit in my name? Every time I see these, know your credit score TV commercials, I’m wishing I had a ‘never lend to this deadbeat’ score.
HA! Excellent point – it would be easier to simply destroy one’s own good credit than to play whack-a-mole with the myriad of reporting agencies and their despicable practices!
Able to freeze by phone; got pin and conf #. No charge due to state. Already had freeze on big three plus innovis and chex. Never heard of this one before.
The site is working now.
Personally, I’d like to see a law that requires credit reporting agencies to pay a % to the person whose record is being sold, sort of like music royalties. They are selling our personal information, so we should be entitled to a cut of the profit.
I used IE11 and had no problem placing a freeze here: https://www.exchangeservicecenter.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
NCTUE online security freeze for CA was free and easy. No such luck with California Utility Exchange – I repeated the same steps as NCTUE and got the incredibly useless “Please try again later.” referenced in your piece. Thank you for your excellent reporting.
I know the credit freeze works because when I bought my last vehicle, I specifically told the sales manager NOT to run my credit until I gave them the OK because of the freeze. Well, he ran it and I then received 3 letters of decline. I was quite annoyed he didn’t listen, but felt good about the fact that it really worked.
How about Early Warning? I believe they are a competitor to ChexSystems that the banks themselves run. . I searched their site and found that I could get a report, if one exists, However they tell me to f*ck-*ff if I want to opt-out. Right here: https://www.earlywarning.com/consumer-info/about-early-warning.html
There is also Telecheck. I don’t know if they are a threat or not. They are used by merchants to decide if they should take your check. Here too, you can request your report, but I have no idea if I couldn’t find anything to let me opt-out.
Look at Symantec’s plunge:
https://finance.yahoo.com/chart/SYMC
33% in extended trading!
The board is performing an internal investigation, based off complains of an ex-employee, and SYMC has notified the SEC . . .
After several tries, I was unable to freeze my account by phone or online with NCTUE. I ended up emailing Alan Moore, Executive Director of NCTUE, and he messaged me back within 5 minutes to let me know that Equifax is the vendor that NCTUE uses to manage the database and that he’ll have someone reach out to me regarding this issue.
Would’ve been nice when I froze my account with Equifax last year, they’d have an option to freeze NCTUE at the same time.