09
May 18

Think You’ve Got Your Credit Freezes Covered? Think Again.

I spent a few days last week speaking at and attending a conference on responding to identity theft. The forum was held in Florida, one of the major epicenters for identity fraud complaints in United States. One gripe I heard from several presenters was that identity thieves increasingly are finding ways to open new mobile phone accounts in the names of people who have already frozen their credit files with the big-three credit bureaus. Here’s a look at what may be going on, and how you can protect yourself.

Carrie Kerskie is director of the Identity Fraud Institute at Hodges University in Naples. A big part of her job is helping local residents respond to identity theft and fraud complaints. Kerskie said she’s had multiple victims in her area recently complain of having cell phone accounts opened in their names even though they had already frozen their credit files at the big three credit bureausEquifax, Experian and Trans Union (as well as distant fourth bureau Innovis).

The freeze process is designed so that a creditor should not be able to see your credit file unless you unfreeze the account. A credit freeze blocks potential creditors from being able to view or “pull” your credit file, making it far more difficult for identity thieves to apply for new lines of credit in your name.

But Kerskie’s investigation revealed that the mobile phone merchants weren’t asking any of the four credit bureaus mentioned above. Rather, the mobile providers were making credit queries with the National Consumer Telecommunications and Utilities Exchange (NCTUE), or nctue.com.

Source: nctue.com

“We’re finding that a lot of phone carriers — even some of the larger ones — are relying on NCTUE for credit checks,” Kerskie said. “It’s mainly phone carriers, but utilities, power, water, cable, any of those, they’re all starting to use this more.”

The NCTUE is a consumer reporting agency founded by AT&T in 1997 that maintains data such as payment and account history, reported by telecommunication, pay TV and utility service providers that are members of NCTUE.

Who are the NCTUE’s members? If you call the 800-number that NCTUE makes available to get a free copy of your NCTUE credit report, the option for “more information” about the organization says there are four “exchanges” that feed into the NCTUE’s system: the NCTUE itself; something called “Centralized Credit Check Systems“; the New York Data Exchange; and the California Utility Exchange.

According to a partner solutions page at Verizon, the New York Data Exchange is a not-for-profit entity created in 1996 that provides participating exchange carriers with access to local telecommunications service arrears (accounts that are unpaid) and final account information on residential end user accounts.

The NYDE is operated by Equifax Credit Information Services Inc. (yes, that Equifax). Verizon is one of many telecom providers that use the NYDE (and recall that AT&T was the founder of NCTUE).

The California Utility Exchange collects customer payment data from dozens of local utilities in the state, and also is operated by Equifax (Equifax Information Services LLC).

Google has virtually no useful information available about an entity called Centralized Credit Check Systems. It’s possible it no longer exists. If anyone finds differently, please leave a note in the comments section.

When I did some more digging on the NCTUE, I discovered…wait for it…Equifax also is the sole contractor that manages the NCTUE database. The entity’s site is also hosted out of Equifax’s servers. Equifax’s current contract to provide this service expires in 2020, according to a press release posted in 2015 by Equifax.

RED LIGHT. GREEN LIGHT. RED LIGHT.

Fortunately, the NCTUE makes it fairly easy to obtain any records they may have on Americans.  Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address.

Assuming the automated system can verify you with that information, the system then orders an NCTUE credit report to be sent to the address on file. You can also request to be sent a free “risk score” assigned by the NCTUE for each credit file it maintains.

The NCTUE also offers an online process for freezing one’s report. Perhaps unsurprisingly, however, the process for ordering a freeze through the NCTUE appears to be completely borked at the moment, thanks no doubt to Equifax’s well documented abysmal security practices.

Alternatively, it could all be part of a willful or negligent strategy to continue discouraging Americans from freezing their credit files (experts say the bureaus make about $1 for each time they sell your file to a potential creditor).

On April 29, I had an occasion to visit Equifax’s credit freeze application page, and found that the site was being served with an expired SSL certificate from Symantec (i.e., the site would not let me browse using https://). This happened because I went to the site using Google Chrome, and Google announced a decision in September 2017 to no longer trust SSL certs issued by Symantec prior to June 1, 2016.

Google said it would do this starting with Google Chrome version 66. It did not keep this plan a secret. On April 18, Google pushed out Chrome 66.  Despite all of the advance warnings, the security people at Equifax apparently missed the memo and in so doing probably scared most people away from its freeze page for several weeks (Equifax fixed the problem on its site sometime after I tweeted about the expired certificate on April 29).

That’s because when one uses Chrome to visit a site whose encryption certificate is validated by one of these unsupported Symantec certs, Chrome puts up a dire security warning that would almost certainly discourage most casual users from continuing.

The insecurity around Equifax’s own freeze site likely discouraged people from requesting a freeze on their credit files.

On May 7, when I visited the NCTUE’s page for freezing my credit file with them I was presented with the very same connection SSL security alert from Chrome, warning of an invalid Symantec certificate and that any data I shared with the NCTUE’s freeze page would not be encrypted in transit.

The security alert generated by Chrome when visiting the freeze page for the NCTUE, whose database (and apparently web site) also is run by Equifax.

When I clicked through past the warnings and proceeded to the insecure NCTUE freeze form (which is worded and stylized almost exactly like Equifax’s credit freeze page), I filled out the required information to freeze my NCTUE file. See if you can guess what happened next.

Yep, I was unceremoniously declined the opportunity to do that. “We are currently unable to service your request,” read the resulting Web page, without suggesting alternative means of obtaining its report. “Please try again later.”

The message I received after trying to freeze my file with the NCTUE.

This scenario will no doubt be familiar to many readers who tried (and failed in a similar fashion) to file freezes on their credit files with Equifax after the company divulged that hackers had relieved it of Social Security numbers, addresses, dates of birth and other sensitive data on nearly 150 million Americans last September. I attempted to file a freeze via the NCTUE’s site with no fewer than three different browsers, and each time the form reset itself upon submission or took me to a failure page.

So let’s review. Many people who have succeeded in freezing their credit files with Equifax have nonetheless had their identities stolen and new accounts opened in their names thanks to a lesser-known credit bureau that seems to rely entirely on credit checking entities operated by Equifax.

“This just reinforces the fact that we are no longer in control of our information,” said Kerskie, who is also a founding member of Griffon Force, a Florida-based identity theft restoration firm.

I find it difficult to disagree with Kerskie’s statement. What chaps me about this discovery is that countless Americans are in many cases plunking down $3-$10 per bureau to freeze their credit files, and yet a huge player in this market is able to continue to profit off of identity theft on those same Americans.

EQUIFAX RESPONDS

I asked Equifax why the very same credit bureau operating the NCTUE’s data exchange (and those of at least two other contributing members) couldn’t detect when consumers had placed credit freezes with Equifax. Put simply, Equifax’s wall of legal verbiage below says mainly that NCTUE is a separate entity from Equifax, and that NCTUE doesn’t include Equifax credit information.

Here is Equifax’s full statement on the matter:

·        The National Consumer Telecom and Utilities Exchange, Inc. (NCTUE) is a nationwide, member-owned and operated, FCRA-compliant consumer reporting agency that houses both positive and negative consumer payment data reported by its members, such as new connect requests, payment history, and historical account status and/or fraudulent accounts.  NCTUE members are providers of telecommunications and pay/satellite television services to consumers, as well as utilities providing gas, electrical and water services to consumers. 

·        This information is available to NCTUE members and, on a limited basis, to certain other customers of NCTUE’s contracted exchange operator, Equifax Information Services, LLC (Equifax) – typically financial institutions and insurance providers.  NCTUE does not include Equifax credit information, and Equifax is not a member of NCTUE, nor does Equifax own any aspect of NCTUE.  NCTUE does not provide telecommunications pay/ satellite television or utility services to consumers, and consumers do not apply for those services with NCTUE.

·        As a consumer reporting agency, NCTUE places and lifts security freezes on consumer files in accordance with the state law applicable to the consumer.  NCTUE also maintains a voluntary security freeze program for consumers who live in states which currently do not have a security freeze law. 

·        NCTUE is a separate consumer reporting agency from Equifax and therefore a consumer would need to independently place and lift a freeze with NCTUE.

·        While state laws vary in the manner in which consumers can place or lift a security freeze (temporarily or permanently), if a consumer has a security freeze on his or her NCTUE file and has not temporarily lifted the freeze, a creditor or other service provider, such as a mobile phone provider, generally cannot access that consumer’s NCTUE report in connection with a new account opening.  However, the creditor or provider may be able to access that consumer’s credit report from another consumer reporting agency in order to open a new account, or decide to open the account without accessing a credit report from any consumer reporting agency, such as NCTUE or Equifax. 

PLACING THE FREEZE

I was able to successfully place a freeze on my NCTUE report by calling their 800-number — 1-866-349-5355. The message said the NCTUE might charge a fee for placing or lifting the freeze, in accordance with state freeze laws.

Depending on your state of residence, the cost of placing a freeze on your credit file at Equifax, Experian or Trans Union can run between $3 and $10 per credit bureau, and in many states the bureaus also can charge fees for temporarily “thawing” and removing a freeze (according to a list published by Consumers Union, residents of four states — Indiana, Maine, North Carolina, South Carolina — do not need to pay to place, thaw or lift a freeze).

While my home state of Virginia allows the bureaus to charge $10 to place a freeze, for whatever reason the NCTUE did not assess that fee when I placed my freeze request with them. When and if your freeze request does get approved using the NCTUE’s automated phone system, make sure you have pen and paper or a keyboard handy to jot down the freeze PIN, which you will need in the event you ever wish to lift the freeze. When the system read my freeze PIN, it was read so quickly that I had to hit “*” on the dial pad several times to repeat the message.

It’s frankly absurd that consumers should ever have to pay to freeze their credit files at all, and yet a recent study indicates that almost 20 percent of Americans chose to do so at one or more of the three major credit bureaus since Equifax announced its breach last fall. The total estimated cost to consumers in freeze fees? $1.4 billion.

A bill in the U.S. Senate that looks likely to pass this year would require credit-reporting firms to let consumers place a freeze without paying. The free freeze component of the bill is just a tiny provision in a much larger banking reform bill — S. 2155 — that consumer groups say will roll back some of the consumer and market protections put in place after the Great Recession of the last decade.

“It’s part of a big banking bill that has provisions we hate,” said Chi Chi Wu, a staff attorney with the National Consumer Law Center. “It has some provisions not having to do with credit reporting, such as rolling back homeowners disclosure act provisions, changing protections in [current law] having to do with systemic risk.”

Sen. Jack Reed (D-RI) has offered a bill (S. 2362) that would invert the current credit reporting system by making all consumer credit files frozen by default, forcing consumers to unfreeze their files whenever they wish to obtain new credit. Meanwhile, several other bills would impose slightly less dramatic changes to the consumer credit reporting industry.

Wu said that while S. 2155 appears steaming toward passage, she doubts any of the other freeze-related bills will go anywhere.

“None of these bills that do something really strong are moving very far,” she said.

I should note that NCTUE does offer freeze alternatives. Just like with the big four, NCTUE lets consumers place a somewhat less restrictive “fraud alert” on their file indicating that verbal permission should be obtained over the phone from a consumer before a new account can be opened in their name.

Here is a primer on freezing your credit file with the big three bureaus, including Innovis. This tutorial also includes advice on placing a security alert at ChexSystems, which is used by thousands of banks to verify customers that are requesting new checking and savings accounts. In addition, consumers can opt out of pre-approved credit offers by calling 1-888-5-OPT-OUT (1-888-567-8688), or visit optoutprescreen.com.

Oh, and if you don’t want Equifax sharing your salary history over the life of your entire career, you might want to opt out of that program as well.

Equifax and its ilk may one day finally be exposed for the digital dinosaurs that they are. But until that day, if you care about your identity you now may have another freeze to worry about. And if you decide to take the step of freezing your file at the NCTUE, please sound off about your experience in the comments below.

Tags: , , , , , , , , , , , , , , , , , , , , ,

160 comments

  1. Oh, I see you tweeted that news five hours ago . . .

  2. Be warned everyone. I just finished a call with the above NCTUE automated system for placing a freeze. All seemed to be going well with my providing the requested information until the end of the call when I was asked to press 1 to place the freeze. There was no pause, and then the system recording told me I would need the PIN I’d been given along with other identifying info to lift or thaw the freeze. I was never given a PIN and the system ended the call when I asked for it. The recording specifically said “there’s been too much confusing input” before disconnecting. I don’t know how to fix this. Also be warned that you will be asked to which of a list of maybe five data collecting organizations you want the freeze applied. The NCTUE is the first on the list, but each is listed by full name, not initials, and it’s confusing.

  3. No record for me but there is one for my husband. The utilities are in his name. Could be the reason I have no record and he does.

  4. Have any expat readers managed to freeze with NCTUE?

    It didn’t like my address numbers. I don’t have a current address, bring an expat… This hasn’t been a problem with the big 4+chex…

  5. John D Stackpole

    Successfully placed a freeze, and requested a report and “score”, at about 1400 hours EDT today, Sunday May 13, via their on-line website.
    I have no idea if it “took”, of course, but I did get an immediate e-mail reply with the un-freeze PIN and other information.

  6. I also placed “security freeze” at http://www.nctue.com/and I was not asked for an email, but a pdf was generated and opened with my pin and freeze info, no charges either.

  7. I was able to freeze NCTUE on their website.

    I also noticed a drop down menu at the top of the form where you can choose NCTUE, Centralized Credit Check System, California Utility Exchange, or New York Data Exchange.

    However when I tried the other 3 and filled out the freeze form, I got an error. I hope that is because they don’t have a record of me. In the case of CA or NY it would make sense because I don’t live in either state.

  8. Think your self lucky.
    In Australia we cannot freeze access to credit reports for more than a few weeks…then its unfrozen again regardless of what you want.
    Writing to the politicians gets responses stating the current rules.
    Seems to complex for them to understand or maybe that just don’t care about it.

  9. Russell Imrie

    Surprise! Attempted to place a freeze NCTUE – twice – “unable to process”

  10. Russell Imrie

    Hmmm – went order my report (1-866-349-5185) – again, “we are unable to process” Time, well, spent.

  11. just put in a freeze using the website… 8am monday morning p.s.t. no issues but the confirmation page provides an easy-to-miss ‘click here’ link that leads to a .pdf that has the pin number buried in the second paragraph… just an fyi.

  12. Peter Pearson

    I think we’re trying to use the credit-reporting system for something it wasn’t designed to do:

    It’s reasonable for lenders to want to share with other lenders what they know about my being a deadbeat. And it’s OK for me to want to use that system to prevent crooks from opening accounts in my name, by putting a freeze on my report. But it’s unnaturally oblique to achieve this by saying, “Don’t tell anybody about my history as a deadbeat,” which is what the freeze is doing.

    What I really want, and what you probably really want, too, is a way to say, the real Me is the person who knows this PIN, or that cryptographic key, or some other method of proving identity, and if you open an account for somebody who can’t pass that test, don’t come crying to me when they cheat you. Since all the fraud we’re trying to address through the credit-reporting system is based on name and social-security number, couldn’t we fix the whole problem with a single official website that specifies a (user-selected) authentication mechanism for each name/SSN pair?

  13. Another very unusual issue with the Equifax Breach site is this: After clicking on the link to determine if one has been impacted by the breach and one provides one’s last name and the last six of their SSN and completes the Captcha, when one clicks on the go-to-next-page page button anti-virus alerts pop up warning that the site is a phishing site and blocks access. Remember, this Equifax page is linked directly to the FTC’s identitytheft.gov website. This is just plain nuts, and needs to be fixed by Equifax ASAP. Anyone home at the FTC?

    • Nope –
      FTC regulators have been systematically de-fanged by the new administration’s appointees in the interests of “economic and consumer liberty.”
      Which is oligarch-speak for, “We want to be able to profit in any way we see fit; poison the water, land and air; and rip people off (caveat emptor), without the government interfering with us.”

    • loren George mckechnie

      Technically there could be a good/BAD reason for the “Antivirus Popup” the previous user was seeing. These are lesser known Scams, in a category called “Fake Tech Support”.

      Equifax has also not followed Domain Security Best practices, and stood up a new domain site, for handing the breach. They should have handled this on their main website, maybe at a page like http://www.equifax.com/2017breach

      Instead they opened the door for scammers/phishers wide open:
      One is phishing/scam site, the other is the “Official Site”

      securityequifax2017.com equifaxsecurity2017.com (Which one is fake?) The former one.

      To add fuel to the fire, the Equifax Social Media team even got confused themselves and actually posted links to the fake scam website, in the haste of the breach. Sending trusting consumers, from the official social media sites, to the scam website.

      More info:
      http://www.businessinsider.com/report-equifax-directed-concerned-consumers-to-a-spoof-site-2017-9

      The key take aways here are:
      #1. Don’t ever follow a link.
      Just like when you get a cold call, from your supposed credit card company. You hang up, and call the number on the back of your card, then ask about the status of your account. In kind, you go to a search engine, and find the official website, for the site you are attempting to visit. Then check the URL bar for a valid SSL certificate. Then login.

      #2. Learn about domains, subdomains, and SSL certificates. While trained professionals can confuse the common user, the common attacks have something which may not seem quite right, to tip of the educated user that a scam is brewing.

  14. Brian, you want to update this very helpful article to note that Massachusetts is also a state that does not permit a fee to be charged to freeze, thaw, or remove a credit freeze, if consumer has filed a police report and has submitted that police report to the credit bureaus. Mass. G.L. c. 93, sec. 62A.

  15. “Fortunately, the NCTUE makes it fairly easy to obtain any records they may have on Americans. Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address…”

    Wait… What??

    In what sense is this “fortunate”, Brian?

    Sounds like a big ass security hole to me!

    • The report gets sent to the mailing address on file. Which means unless someone else lives at your address, you’re going to get the report, not someone else.

  16. Help! Which phone number do we call?
    You’ve listed 2 different NTCUE phone numbers to call in the article.

    1-866-349-5185

    1-866-349-5355

    I tried both numbers and the NTCUE recording voice is the same but something sounded slightly different on the second number….which is kind of unnerving.
    I want to jump on this immediately, but I’m nervous about giving my info out
    I can’t be certain I’m calling the right number.

    Please clarify which number we should call?

    Thanks!

    PS – Love, love, love your column, Brian.
    You have been my go-to source for all things security-related for MANY years!

    Thanks for all you do.

  17. There’s one sure fire way to arrange things so that you’ll never have to worry about ANY of this crap ever again, and you won’t have to pay a dime and won’t have to call any dumbass automated phone systems or go to any web sites and fill out forms or anything.

    You just have to think outside the box.

    In the 1997 movie “Critical Care” directed by Sidney Lumet, Dr. Butz (played by Albert Brooks) makes the point that if you don’t want to suffer the horrible indignity of spending the final days or weeks or months of your life being kept alive, pointlessly, by machines, then the best and most certain way to avoid that fate is to always remain uninsured.

    Similarly, the best and most sure fire way to insure that you’ll never have to worry about having your identity stolen is to go out immediately and do everything you possibly can to utterly ruin your own credit rating, and to thenceforth live strictly in the cash economy.

    Believe me, if there’s nobody who is going to loan -you- money, then you won’t have to lie awake nights worrying about whether or not someone is going to loan money to someone who is just pretending to be you. They can peruse all of the credit reports on you they want, and if the scammers have any brains at all, they will take one look and give you a pass, as they move on to someone with a solid gold credit rating.

  18. Brian:

    Excellent blog post about the NCTUE and its problems. There are more. What fresh hell is this? My first impressions:

    Equifax Operates A Secondary Credit Reporting Agency, And Its Website Appears Haphazard
    http://ivebeenmugged.typepad.com/my_weblog/2018/05/equifax-nctue.html

    George

  19. Denis Hitchcock

    Brian,
    Many thanks for the helpful information. On 5/11/18 I was able to request Disclosure Reports and Freezes by phone for my wife and me. My report arrived by mail on 5/16/18, and we received our Freeze Confirmations and PINs the following day. (We are still waiting for my wife’s report.)
    In my report the date of birth was incorrect (the year was right, 1932, but the day and month were not). I called 1-866-343-2821 to rectify and, after giving the last four digits of my social security number and my address, was told to Fax 1-888-826-0688 a cover letter giving my phone number, photocopies of my driving license and social security card and a request to correct the date of birth.
    Frankly, the less information NCTUE has about me the more comfortable I feel, and so I’m wondering if there would be any down side to leaving the report as is, because if I ever wished to temporarily lift the freeze I would do so with one of the big three?
    I would be most grateful for any advice you can offer.
    Denis

    • I myself have been reticent to request a freeze, or have much interaction at all with any credit agencies. That’s due to primarily to the fact that I have to GIVE them personal information first…information they may not have. And why would I want them to have my information if it’s not necessary? (Equifax is an obvious example of why NOT to give them accurate information, or any.)

      Usually I first try to find out what information any agency has on me, and then decide whether or not to fiddle with it.

      Of course, I don’t have credit cards and use cash almost exclusively. So I suppose that my need for any credit agency is minimal to non-existent.

      Actually, I’d rather let the agencies have wrong information about me, especially if it contributes to my personal and financial privacy.

  20. Great post Brian.

    As alwasy MANY thanks.

    So, let’s just review agencies where both I and my wife have now 1) Executed Freezes and, 2) Submit recurring fraud alerts every 90-days:

    Experian
    Equifax
    Transunion
    Innovus
    Chex Systems
    -and now-
    NCTUE

    Unbelievable!

    JLW

  21. I tried and was unsuccessful. Got this reply:

    We are currently unable to service your request.
    Please try again later.

  22. It’s funny, actually.

    Back on February 9, 2015, I placed a “credit freeze” with both Experian and TransUnion, but NOT Equifax.

    The reason?

    SSL Labs (https://www.ssllabs.com) graded Equifax certificate setup an “F.”

    How very telling…lol.

  23. Thanks BK!

    Just used https://www.nctue.com/consumers and the freeze process was successful. This post appeared while I was on vacation and I didn’t want to use the available computer, so I waited until back at home and used the Ubuntu half of my partitioned machine.

  24. I mailed my request for a freeze on May 10. Two weeks on, there’s been no response at all.

  25. A quick update:

    5/19: Requested freezes for both me and my wife via NCTUE’s “touch-tone” telephony system.

    5/25: Received two confirmation letters — postmarked from Atlanta (i.e. Equifax) — via US Mail, providing 10-digit PINs to allow future “un-freezing”

    Moral of this post: Keep sharp lookout for the “PIN letter.”

Leave a comment