Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.
A credit freeze — also known as a “security freeze” — restricts access to your credit file, making it far more difficult for identity thieves to open new accounts in your name.
Currently, many states allow the big three bureaus — Equifax, Experian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.
KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.
There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries, including real estate brokers, landlords, insurers, debt buyers, employers, banks, casinos and retail stores. A handy PDF produced earlier this year by the Consumer Financial Protection Bureau (CFPB) lists all of the known entities that maintain, sell or share credit data on U.S. citizens.
The CFPB’s document includes links to Web sites for 46 different consumer credit reporting entities, along with information about your legal rights to obtain data in your reports and dispute suspected inaccuracies with the companies as needed. My guess is the vast majority of Americans have never heard of most of these companies.
Via numerous front-end Web sites, each of these mini credit bureaus serves thousands or tens of thousands of people who work in the above-mentioned industries and who have the ability to pull credit and other personal data on Americans. In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks and abused to pull privileged information on consumers.
In other cases, it’s trivial for anyone to sign up for these services. For example, how do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord? Answer: Anyone can be a landlord (or pretend to be one).
SCORE ONE FOR FREEZES
The truly scary part? Access to some of these credit lookup services is supposed to be secured behind a login page, but often isn’t. Consider the service pictured below, which for $44 will let anyone look up the credit score of any American who hasn’t already frozen their credit files with the big three. Worse yet, you don’t even need to have accurate information on a target — such as their Social Security number or current address.
KrebsOnSecurity was made aware of this particular portal by Alex Holden, CEO of Milwaukee, Wisc.-based cybersecurity firm Hold Security LLC [full disclosure: This author is listed as an adviser to Hold Security, however this is and always has been a volunteer role for which I have not been compensated].
Holden’s wife Lisa is a mortgage broker, and as such she has access to a more full-featured version of the above-pictured consumer data lookup service (among others) for the purposes of helping clients determine a range of mortgage rates available. Mrs. Holden said the version of this service that she has access to will return accurate, current and complete credit file information on consumers even if one enters a made-up SSN and old address on an individual who hasn’t yet frozen their credit files with the big three.
“I’ve noticed in the past when I do a hard pull on someone’s credit report and the buyer gave me the wrong SSN or transposed some digits, not only will these services give me their credit report and full account history, it also tells you what their correct SSN is,” Mrs. Holden said.
With Mr. Holden’s permission, I gave the site pictured above an old street address for him plus a made-up SSN, and provided my credit card number to pay for the report. The document generated by that request said TransUnion and Experian were unable to look up his credit score with the information provided. However, Equifax not only provided his current credit score, it helpfully corrected the false data I entered for Holden, providing the last four digits of his real SSN and current address.
“We assume our credit report is keyed off of our SSN or something unique about ourselves,” Mrs. Holden said. “But it’s really keyed off your White Pages information, meaning anyone can get your credit report if they are in the know.”
I was pleased to find that I was unable to pull my own credit score through this exposed online service, although the site still charged me $44. The report produced simply said the consumer in question had requested that access to this information be restricted. But the real reason was simply that I’ve had my credit file frozen for years now.
Many media outlets are publishing stories this week about the one-year anniversary of the breach at Equifax that exposed the personal and financial data on more than 147 million people. But it’s important for everyone to remember that as bad as the Equifax breach was (and it was a total dumpster fire all around), most of the consumer data exposed in the breach has been for sale in the cybercrime underground for many years on a majority of Americans — including access to consumer credit reports. If anything, the Equifax breach may have simply helped ID thieves refresh some of those criminal data stores.
THE FEE-FREE FREEZE
According to the U.S. Federal Trade Commission, when the new law takes effect on September 21, Equifax, Experian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes.
The law also provides additional ID theft protections to minors. Currently, some state laws allow you to freeze a child’s credit file, while others do not. Starting Sept. 21, no matter where you live you’ll be able to get a free credit freeze for kids under 16 years old.
Identity thieves can and often do target minors, but this type of fraud usually isn’t discovered until the affected individual tries to apply for credit for the first time, at which point it can be a long and expensive road to undo the mess. As such, I would highly recommend that readers who have children or dependents take full advantage of this offering once it’s available for free nationwide.
In addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for “fraud alerts,” which currently are free but only last for 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert.
Under the new law, fraud alerts last for one year, but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval if you have a fraud alert on your file, they’re not legally required to do this.
A key unanswered question about these changes is whether the new dedicated credit bureau freeze sites will work any more reliably than the current freeze sites operated by the big three bureaus. The Web and social media are littered with consumer complaints — particularly over the past year — about the various freeze sites freezing up and returning endless error messages, or simply discouraging consumers from filing a freeze thanks to insecure Web site components.
It will be interesting to see whether these new freeze sites will try to steer consumers away from freezes and toward other in-house offerings, such as paid credit reports, credit monitoring, or “credit lock” services. All three big bureaus tout their credit lock services as an easier and faster alternative to freezes.
According to a recent post by CreditKarma.com, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, the bureaus can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).
TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.
Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.
If you’d like to go ahead with freezing your credit files now, this Q&A post from the Equifax breach explains the basics, and includes some other useful tips for staying ahead of identity thieves. Otherwise, check back here later this month for more details on the new free freeze sites.
What people don’t know is the website Quizzle(dot) com is a good source of obtaining a person’s credit report if you know a person’s last four digits of their social security number along with enough personal information.
Years ago, on that website you didn’t even need a person’s last four digits of their social security number; credit information was pretty easy to obtain just with Knowledge-Based Authentication.
The biggest joke from quizzle is their “verification questions”. I think they just recently may have finally changed it, but out of the 3 questions asked, one was always “what state was your ssn issued?”…. Really? A 5 year old could figure that out with a quick Google search and still have time to spare to answer the remaining 2 questions, one being about most recent loan which was always the “none of the above” answer, the remaining question being one easily found on white pages. It’s all the illusion of security, and quite frankly it’s a slap in the face.
I assume pranksters etcetera will delight in freezing other people’s credit info now that the price has gone to zero.
I agree and am disappointed that this crap is available online.
A better system is for the credit bureaus to require a signed letter by mail for freeze/unfreeze and all credit inquiries and requests, postmarked in the state where the consumer resides.
1) this makes any fraudulent request a federal crime, instead of mere mischief
2) the 50 cent cost of mailing a letter, the slower speed of mail, and the postmark requirement would:
A) deter some thieves and pranksters
B) make apprehending criminals easier
And that inconvenience would stop many from freezing at all.
A crook has no benefit from freezing it, they’d rather it be unfrozen so they can make fraud loans or whatever.
I doubt that.
It could be as easy as calling them up, they mail you a form, and you mail it back. Or print off the form online, sign it, mail it in.
It’s the same thing you have to do now if you forget the assigned “thaw” PIN code to unfreeze a file, and no one is claiming that’s a hardship.
No one needs a spur-of-the-moment, instant online ability to freeze or unfreeze a credit file. It just invites problems, pranks, and potential use by illegal aliens and ID theft criminals impersonating legal US residents.
What about “un-freezing” a credit report? Is it free?
We’ll freeze reports once but un-freeze them every time some company legitimately needs access – from a mortgage to changing mobile phone providers. Today I believe all the major bureaus (TU, Equifax, Experian) charge about $10 to un-freeze each time (and they’ll automatically re-freeze after a specified period).
From the story: “But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.”
Oh, you expected us to read the article before asking any questions?? What’s up with that?? 😉
Brian, it’s been free for at least a month now. We did ours last month on all 4. Live in FL.
That’s because your governor just signed a bill that made them free for people in Fla.
Beware using both the freeze and the lock at the same time. I had to call and get one of them undone before the other could be undone, I still don’t know which was which.
I had another problem, one of the big three sets its unlocks to occur at midnight, and the re-lock also occurs at midnight, so it’s not possible to unlock for a 24-hour period. You always end up unlocking for 48 hours minimum.
Finally, the banks and other agencies that you want to allow to see the report, could do so using a one-time code from one agency, but their own mechanisms don’t allow it.
This system is so badly broken, it’s ripe for very onerous legislation.
I had a Lock at Experian since last fall. Online today, I created an Experian freeze account and was asked if I wanted to “change” the lock to a freeze. Changed in minutes.
I was able to freeze mine sans fee on 8/24/18. I had been trying since the day the new law was signed back in May and the fee wasn’t lifted until some time in August. I even went as far as calling the bureaus and a rep from one of them said they were rolling the fee-free feature state-by-state, but by September 21 it would cover the whole United States.
It’s unfortunate that we need to effect a freeze at all bureaus individually. A far more user-friendly way would be to have a central clearing house that was queried prior to releasing credit information. Something like the federal Do Not Call Registry.
Of course that would make things too easy for consumers and would cut into the profits of the bureaus. In addition, the government would probably be involved in its implementation and we all know the disaster that would result in.
Yup, private industry is SOOOOO much better than the government.
Oh wait! It was private industry that gave away all of our data! I guess you think that we should privatize the military as well?
OPM breach. Look it up.
Those idiots in government had a perfectly secure system, until they connected their networks to the Internet.
Same with the VA and every public hospital. Connect and get breached.
You’d think they’d learn from the private sector, but no.
Government is just another place where power meets incompetent idiocy.
I had a freeze on my credit report for about 5 years but recently lifted it completely since Equifax would no longer allow me to lift the freeze online even though I had my 10-digit PIN. They need to make the process of temporarily lifting much easier, I would like to see a mobile app that allowed you to lift all three or at the very least mobile apps for all the major players. I will try again now that it’s free but won’t hold my breath that they make it any easier.
This is good news, but it pisses me off that it is even necessary. At what point do the laws get changed from “opt out” to “opt in” here in the US? When will there be real penalties for flagrant stupidity displayed by all of these huge enterprises that we citizens have no options as far as dealing with them! I know that I never told experian, for example, I approved them holding and selling my information. (Yes, I realize it was buried under some “third parties as required…”.) At what point will all of these entities that collect, store, and sell our personal information be held accountable, and be shuttered as a business when they fail to safeguard our information?
Are there even any efforts with regards to standardizing requirements for safeguarding data?
Todd wrote: “At what point will all of these entities that collect, store, and sell our personal information be held accountable, and be shuttered as a business when they fail to safeguard our information?”
That’s a question you should be asking your senators and congressmen.
I agree, but the answer is they will never be held accountable.
All the companies make far too much money & the politicians are easily bought! Yeah I know, I’m a tin foil hat wackjob!
nope as long as it’s for profit!
Thanks for this Brian. I have not heard from any other sources that freezes and temporary thaws are now free. As a couple we invested $60+ at your advice last year to freeze our credit with the big 5. It was a headache when applying for a few things, having to figure out which credit bureau they were using and placing a temporary thaw for a fee – but it was worth it. Nice to know these temporary thaws will be free going forward.
FINALLY
Is this just for personal credit reports? I have an LLC, I believe I should freeze reporting for it but can I?
Thanks as always, Brian, for great reporting!
I froze all mine last year, then when my car insurance renewed, my rates went way up and I got a letter from the company stating it was because they could not pull a credit report on me. So I had to do temp thaws and submit information in writing to them. Til this day, they have not yet rechecked.
Looks like you need a new insurance company.
Mine doesn’t do that.
Progressive Insurance may do a check every 3 years on renewal date, mainly using Experian.
And to think all it took was 150 million citizens getting their personal data compromised. Thanks Equifax!
“Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents.”
You keep using the word “Americans” in your reporting to mean “people living in America”. There’s about 45 *millions* of non-Americans in America, and AFAICT this law applies to them as well.
Hopefully, but presumably it also applies to Americans living overseas…
There isn’t a single label to describe all impacted individuals.
“People with credit files in the United States” is pretty awkward…
I haven’t needed any new credit in over 15 yrs. Certainly, I can’t be alone.
Frozen and expected to remain so for the next 40 yrs.
Brian,
It’s not just Equifax, Experian and TransUnion. It’s all the CRAs.
See section 301 of the Economic Growth, Regulatory Relief, and Consumer Protection Act at https://www.congress.gov/bill/115th-congress/senate-bill/2155/text?format=txt/
(2) Placement of security freeze.–
(A) In general.–Upon receiving a direct request from a consumer that a consumer reporting agency place a security freeze, and upon receiving proper identification from the consumer, the consumer reporting agency shall, free of charge, place the security freeze…
The new law amends the FCRA, using its definition of a CRA in section 603(p), which does NOT just pick out Equifax, Experian and TransUnion.
https://www.consumer.ftc.gov/articles/pdf-0111-fair-credit-reporting-act.pdf
Why is the FTC suggesting that this law only applies to Equifax, Experian and TransUnion?
I’m sure someone can correct me if I’m wrong, but not all credit reporting agencies allow freezes. What the FCRA guarantees is that consumers have a right to view the info these companies have on them and correct any inaccuracies.
The federal freeze law uses the FCRA definition of CRA but includes its own exceptions on top of that:
(4) EXCEPTIONS.—A security freeze shall not apply to the making of a consumer report for use of the following:
…
(H) Any person using the information in connection with the underwriting of insurance.
(I) Any person using the information for employment, tenant, or background screening purposes.
(J) Any person using the information for assessing, verifying, or authenticating a consumer’s identity for purposes other than the granting of credit, or for investigating or preventing actual or potential fraud.
CRAs that only provide reports for any of the excluded purposes will not have to offer freezes. CRAs that provide reports for both excluded and non-excluded purposes will have to offer freezes, but will not be required to respect them when providing reports for an excluded purpose. Furthermore, the federal law preempts state laws that may provide stronger protection or apply to more CRAs.
Thanks for the info, Anon.
Vote Republican!
Never vote Republican!
Brian – the EGRRCPA takes the FCRA definition of a CRA, and forces those CRAs to allow a freeze for free.
The FCRA definition of a CRA is:
603(p) The term “consumer reporting agency that compiles and maintains files on consumers on a nationwide basis” means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:
(1) Public record information.
(2) Credit account information from persons who furnish that information regularly and in the ordinary course of business.
I can’t see how that doesn’t cover ChexSystems, Innovis, National Consumer Telecom & Utilities Exchange, The Work Number etc.
Okay. As I’ve written, Innovis already offers a free freeze, as do the NCTUE, Work Number and ChexSystems.
https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/
https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifax-revealing-your-salary-history/
https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
Brian: Yes, and I appreciated your articles… but the issue here is not which CRAs offer a freeze, but whether all CRAs are obliged by the new law to offer free freezes/unfreezes and make the process accessible.
One of the secure application design principles is to provide security controls enabled by default, then let users opt out. Is it that hard to apply this idea here?
Their core business model is selling everyone’s personal info. If even a fraction of the public was able to successfully prevent them from getting information they would go bankrupt. They will lie, cheat, or steal to keep on giving out information they shouldn’t have in the first place.
Interesting how my credit is frozen, yet my CC companies can give me my FICO score online through their site. However, upon asking for a credit line increase they state they cannot access my credit file due to being frozen…hmmmm
A freeze has no impact on existing accounts.
This is great! Are we free to share the article on Facebook?
Regarding the Centralized Credit Check System (CCCS) – I called the number to freeze NCTUE report and was prompted to press 2 to freeze CCCS – that resulted in a recording reciting a lot of info about what info is needed to freeze, unfreeze, lift tem, but then sends one to the following website to actually do the job: https:www.exchangeservicescenter.com/freeze. That URL (without or with the final “/freeze”) does not open. I googled “exchange services center” – Firefox says the site is improperly configured and a security risk and won’t open the page, Chrome turns up 0; Safari lets one open to the (purported?) website and navigate to a form for requesting a freeze – I am afraid to fill in the form with the requested identifying info (among other things, my SSN) on this website’s form under the circumstances.
I did type the website properly when I was trying to reach it- with the //, which I inadvertently omitted from my prior comment.
And btw, tried also to deal with the NY Data Exchange, following the prompt for that one– same outcome; sends one to that same website: https://www.exchangeservicescenter.com/freeze
Nadz: It’s https://www.exchangeservicecenter.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
Thanks again for your fine article Mr. Brian! Now on to a really pressing matter: Can you help a poor sucker like me redeem a Coke reward? 🙂 Regards
I’ve followed these for years and I still don’t understand why you never advocate for more than just working within these incredibly inefficient and corrupt business processes rather than pushing to close them down. With 46+ separate dumpster fires and more springing up all the time maybe running around with a tiny fire extinguisher is not the solution.
In fact, I HAVE advocated for making these modern-day dinosaurs a thing of the past. In the interim, the best thing you as a consumer can do is push for change at the legislative level via your representatives, and more importantly enact a freeze across the board so that these companies can’t continue to profit by selling your credit report. Imagine the impact on these companies if a significant portion of America did so.
It seems like a never ending cycle. Every month or so another one of these 46+ or similar ilk manage to lose a few thousand to a few million of our identities and nothing we can do besides play whack a mole. Nobody ever goes to jail.
50 years ago there was no credit system and people could afford the things in their life, now you have car insurance companies gouging people for half their life over student debt accrued decades earlier or medical problems.
Like many issues in America today, how do you convince those representatives to change when a good portion of their income is through the very bad actors who would suffer if brought to justice?
I wonder if this has anything to do with Equifax extending “until further notice” the free TrustedID monitoring they provided after last year’s breach.
The message I just received is visible at: https://pbs.twimg.com/media/Dm769TZXsAEkvZ7.jpg
The cynic in me says all Equifax devs are working on the free credit freeze code deployment and so can’t spend the time needed to write the “bulk close” routines needed for TrustedID 🙂
are we certain a thaw is free as well? or just a temporary thaw?
mr krebbs
Will this work if you have a VPN installed? Surely that will hide the original location and therefore prevent Victor from initialising any actions?
People should know that if you freeze your credit report it may take weeks to process a loan application. The credit bureaus may tell you if and when your lending institution can receive a credit report but expect serious delays. Such inconvenience consumes an inordinate amount of time burden upon everyone involved. Been there done that.
In our state, it’s been free for more than a decade – ours (my wife and I) has been frozen for over a decade. Our FICO score hovers around 830 due to the near zero hits on the credit file.
I have been looking at freezing my children’s accounts and it seems that I can only do this if they are under 16. They cannot freeze their own accounts until 18. What happens between 16-18?