Posts Tagged: credit freeze

Mar 18

Checked Your Credit Since the Equifax Hack?

A recent consumer survey suggests that half of all Americans still haven’t checked their credit report since the Equifax breach last year exposed the Social Security numbers, dates of birth, addresses and other personal information on nearly 150 million people. If you’re in that fifty percent, please make an effort to remedy that soon.

Credit reports from the three major bureaus — Equifax, Experian and TransUnion — can be obtained online for free at — the only Web site mandated by Congress to serve each American a free credit report every year. is run by a Florida-based company, but its data is supplied by the major credit bureaus, which struggled mightily to meet consumer demand for free credit reports in the immediate aftermath of the Equifax breach. Personally, I was unable to order a credit report for either me or my wife even two weeks after the Equifax breach went public: The site just kept returning errors and telling us to request the reports in writing via the U.S. Mail.

Based on thousands of comments left here in the days following the Equifax breach disclosure, I suspect many readers experienced the same but forgot to come back and try again. If this describes you, please take a moment this week to order your report(s) (and perhaps your spouse’s) and see if anything looks amiss. If you spot an error or something suspicious, contact the bureau that produced the report to correct the record immediately.

Of course, keeping on top of your credit report requires discipline, and if you’re not taking advantage of all three free reports each year you need to get a plan. My strategy is to put a reminder on our calendar to order a new report every four months or so, each time from a different credit bureau. Continue reading →

Dec 17

The Market for Stolen Account Credentials

Past stories here have explored the myriad criminal uses of a hacked computer, the various ways that your inbox can be spliced and diced to help cybercrooks ply their trade, and the value of a hacked company. Today’s post looks at the price of stolen credentials for just about any e-commerce, bank site or popular online service, and provides a glimpse into the fortunes that an enterprising credential thief can earn selling these accounts on consignment.

Not long ago in Internet time, your typical cybercriminal looking for access to a specific password-protected Web site would most likely visit an underground forum and ping one of several miscreants who routinely leased access to their “bot logs.”

These bot log sellers were essentially criminals who ran large botnets (collections of hacked PCs) powered by malware that can snarf any passwords stored in the victim’s Web browser or credentials submitted into a Web-based login form. For a few dollars in virtual currency, a ne’er-do-well could buy access to these logs, or else he and the botmaster would agree in advance upon a price for any specific account credentials sought by the buyer.

Back then, most of the stolen credentials that a botmaster might have in his possession typically went unused or unsold (aside from the occasional bank login that led to a juicy high-value account). Indeed, these plentiful commodities held by the botmaster for the most part were simply not a super profitable line of business and so went largely wasted, like bits of digital detritus left on the cutting room floor.

But oh, how times have changed! With dozens of sites in the underground now competing to purchase and resell credentials for a variety of online locations, it has never been easier for a botmaster to earn a handsome living based solely on the sale of stolen usernames and passwords alone.

If the old adage about a picture being worth a thousand words is true, the one directly below is priceless because it illustrates just how profitable the credential resale business has become.

This screen shot shows the earnings panel of a crook who sells stolen credentials for hundreds of Web sites to a dark web service that resells them. This botmaster only gets paid when someone buys one of his credentials. So far this year, customers of this service have purchased more than 35,000 credentials he’s sold to this service, earning him more than $288,000 in just a few months.

The image shown above is the wholesaler division of “Carder’s Paradise,” a bustling dark web service that sells credentials for hundreds of popular Web destinations. The screen shot above is an earnings panel akin to what you would see if you were a seller of stolen credentials to this service — hence the designation “Seller’s Paradise” in the upper left hand corner of the screen shot.

This screen shot was taken from the logged-in account belonging to one of the more successful vendors at Carder’s Paradise. We can see that in just the first seven months of 2017, this botmaster sold approximately 35,000 credential pairs via the Carder’s Paradise market, earning him more than $288,000. That’s an average of $8.19 for each credential sold through the service.

Bear in mind that this botmaster only makes money based on consignment: Regardless of how much he uploads to Seller’s Paradise, he doesn’t get paid for any of it unless a Carder’s Paradise customer chooses to buy what he’s selling.

Fortunately for this guy, almost 9,000 different customers of Carder’s Paradise chose to purchase one or more of his username and password pairs. It was not possible to tell from this seller’s account how many credential pairs total that he has contributed to this service which went unsold, but it’s a safe bet that it was far more than 35,000.

[A side note is in order here because there is some delicious irony in the backstory behind the screenshot above: The only reason a source of mine was able to share it with me was because this particular seller re-used the same email address and password across multiple unrelated cybercrime services]. Continue reading →

Oct 17

Fear Not: You, Too, Are a Cybercrime Victim!

Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.

Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users. Meanwhile, big three credit bureau Equifax added 2.5 million more victims to its roster of 143 million Americans who had their Social Security numbers and other personal data stolen in a breach earlier this year. At the same time, Equifax’s erstwhile CEO informed Congress that the breach was the result of even more bone-headed security than was first disclosed.

To those still feeling left out by either company after this spate of bad news, I have only one thing to say (although I feel a bit like a broken record in repeating this): Assume you’re compromised, and take steps accordingly.

If readers are detecting a bit of sarcasm and cynicism in my tone here, it may be that I’m still wishing I’d done almost anything else today besides watching three hours worth of testimony from former Equifax CEO Richard Smith before lawmakers on a panel of the House Energy & Commerce Committee.

While he is no longer the boss of Equifax, Smith gamely agreed to submit to several day’s worth of grilling from legislators in both houses of Congress this week. It was clear from the questions that lawmakers didn’t ask in Round One, however, that Smith was far more prepared for the first batch of questioning than they were, and that the entire ordeal would amount to only a gentle braising.

Nevertheless, Smith managed to paint an even more dismal picture than was already known about the company’s failures to secure the very data that makes up the core of its business. Helpfully, Smith clarified early on in the hearing that the company’s customers are in fact banks and other businesses — not consumers.

Smith told lawmakers that the breach stemmed from a combination of technological error and a human error, casting it as the kind of failure that could have happened to anyone. In reality, the company waited 4.5 months (after it discovered the breach in late July 2017) to fix a dangerous security flaw that it should have known was being exploited on Day One (~March 6 or 7, 2017).

“The human error involved the failure to apply a software patch to a dispute portal in March 2017,” Smith said. He declined to explain (and lawmakers inexplicably failed to ask) how 145.5 million Americans — nearly 60 percent of the adult population of the United States — could have had their information tied up in a dispute portal at Equifax. “The technological error involved a scanner which failed to detect a vulnerability on that particular portal.”

As noted in this story, Smith admitted that the data compromised in the breach was not encrypted:

When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers. “We use many techniques to protect data—encryption, tokenization, masking, encryption in motion, encrypting at rest,” Smith said. “To be very specific, this data was not encrypted at rest.”

It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax’s attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all,” Smith replied. “There are varying levels of security techniques that the team deploys in different environments around the business.”

Smith also sought to justify the company’s historically poor breach response after it publicly disclosed the break-in on Sept. 7 — roughly 40 days after Equifax’s security team first became aware of the incident (on July 29). As many readers here are well familiar, KrebsOnSecurity likened that breach response to a dumpster fire — noting that it was perhaps the most haphazard and ill-conceived of any major data breach disclosure in history.

Smith artfully dodged questions of why the company waited so long to notify the public, and about the perception that Equifax sought to profit off of its own data breach. One lawmaker noted that Smith gave two public speeches in the second and third weeks of August in which he was quoted as saying that fraud was a “a huge opportunity for Equifax,” and that it was a “massive, growing business” for the company.

Smith interjected that he had “no indication” that consumer data was compromised at the time of the Aug. 11 speech. As for the Aug. 17 address, he said “we did not know how much data was compromised, what data was compromised.”

Follow-up questions from lawmakers on the panel revealed that Smith didn’t ask for a briefing about what was then allegedly only classified internally as “suspicious activity” until August 15, almost two weeks after the company hired outside cybersecurity experts to examine the issue.

Smith also maneuvered around questions about why Equifax chose to disclose the breach on the very day that Hurricane Irma was dominating front-page news with an imminent landfall on the eastern seaboard of the United States.

However, Smith did blame Irma in explaining why the company’s phone systems were simply unable to handle the call volume from U.S. consumers concerned about the Category Five data breach, saying that Irma took down two of Equifax’s largest call centers days after the breach disclosure. He said the company handled over 420 million consumer visits to the portal designed to help people figure out whether they were victimized in the breach, underscoring how so many American adults were forced to revisit the site again and again because it failed to give people consistent answers about whether they were affected. Continue reading →

Sep 17

Here’s What to Ask the Former Equifax CEO

Richard Smith — who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers — is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I’d ask when Mr. Smith goes to Washington.


Before we delve into the questions, a bit of background is probably in order. The new interim CEO of Equifax — Paulino do Rego Barros Jr. — took to The Wall Street Journal and other media outlets this week to publish a mea culpa on all the ways Equifax failed in responding to this breach (the title of the op-ed in The Journal was literally “I’m sorry”).

“We were hacked,” Barros wrote. “That’s the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received. Answers to key consumer questions were too often delayed, incomplete or both.”

Barros stated that Equifax was working to roll out a new system by Jan. 31, 2018 that would let consumers “easily lock and unlock access to their Equifax credit files.”

“You will be able to do this at will,” he continued. “It will be reliable, safe, and simple. Most significantly, the service will be offered free, for life.”

I have argued for years that all of the data points needed for identity thieves to open new lines of credit in your name and otherwise ruin your credit score are available for sale in the cybercrime underground. To be certain, the Equifax breach holds the prospect that ID thieves could update all that stolen data with newer records. I’ve argued that the only sane response to this sorry state of affairs is for consumers to freeze their files at the bureaus, which blocks potential creditors — and ID thieves — from trashing your credit file and credit score.

Equifax is not the only bureau promoting one of these lock services. Since Equifax announced its breach on Sept. 7, big-three credit bureaus Trans Union and Experian have worked feverishly to steer consumers seeking freezes toward these locks instead, arguing that they are easier to use and allow consumers to lock and unlock their credit files with little more than the press of a button on a mobile phone app. Oh, and the locks are free, whereas the bureaus can (and do) charge consumers for placing and/or thawing a freeze (the laws freeze fee laws differ from state to state).


My first group of questions would center around security freezes or credit freezes, and the difference between those and these credit lock services being pushed hard by the bureaus.

Currently, even consumer watchdog groups say they are uncertain about the difference between a freeze and a lock. See this press release from Thursday by U.S. PIRG, the federation of state Public Interest Research Groups, for one such example.

Also, I’m curious to know what percentage of Americans had a freeze prior to the breach, and how many froze their credit files (or attempted to do so) after Equifax announced the breach. The answers to these questions may help explain why the bureaus are now massively pushing their new credit lock offerings (i.e., perhaps they’re worried about the revenue hit they’ll take should a significant percentage of Americans decide to freeze their credit files).

I suspect the pre-breach number is less than one percent. I base this guess loosely on some data I received from the head of security at Dropbox, who told KrebsOnSecurity last year that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. This extra security step can block thieves from accessing your account even if they steal your password, but many consumers simply don’t take advantage of such offerings because either they don’t know about them or they find them inconvenient.

Bear in mind that while most two-factor offerings are free, most freezes involve fees, so I’d expect the number of pre-breach freezers to be a fraction of one percent. However, if only one half of one percent of Americans chose to freeze their credit files before Equifax announced its breach — and if the total number of Americans requesting a freeze post-breach rose to, say, one percent — that would still be a huge jump (and potentially a painful financial hit to Equifax and the other bureaus).


So without further ado, here are some questions I’d ask on the topic of credit locks and freezes:

-Approximately how many credit files on Americans does Equifax currently maintain?

-Prior to the Equifax breach, approximately how many Americans had chosen to freeze their credit files at Equifax?

-Approximately how many total Americans today have requested a freeze from Equifax? This should include the company’s best estimate on the number of people who have requested a freeze but — because of the many failings of Equifax’s public response cited by Barros — were unable to do so via phone or the Internet.

-Approximately how much does Equifax charge each time the company sells a credit check (i.e., a bank or other potential creditor performs a “pull” on a consumer credit file)?

-On average, how many times per year does Equifax sell access to consumer’s credit file to a potential creditor?

-Mr. Barros said Equifax will extend its offer of free credit freezes until the end of January 2018. Why not make them free indefinitely, just as the company says it plans to do with its credit lock service?

-In what way does a consumer placing a freeze on their credit file limit Equifax’s ability to do business?

-In what way does a consumer placing a lock on their credit file limit Equifax’s ability to do business?

-If a lock accomplishes the same as a freeze, why create more terminology that only confuses consumers?

-By agreeing to use Equifax’s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners? Continue reading →

Sep 17

Experian Site Can Give Anyone Your Credit Freeze PIN

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian's page for retrieving someone's credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze.  Continue reading →

Sep 17

The Equifax Breach: What You Should Know

It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you — the consumer — are ultimately responsible for protecting your financial future, this is it. Here’s what you need to know and what you should do in response to this unprecedented breach.

Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.

Q: What information was jeopardized in the breach?

A: Equifax was keen to point out that its investigation is ongoing. But for now, the data at risk includes Social Security numbers, birth dates, addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

Q: Was the breach limited to Americans?

A: No. Equifax said it believes the intruders got access to “limited personal information for certain UK and Canadian residents.” It has not disclosed what information for those residents was at risk or how many from Canada and the UK may be impacted.

Q: What is Equifax doing about this breach?

A: Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — — that tried to let people determine whether they were affected.

Q: That site tells me I was not affected by the breach. Am I safe?

A: As noted in this story from Friday, the site seems hopelessly broken, often returning differing results for the same data submitted at different times. In the absence of more reliable information from Equifax, it is safer to assume you ARE compromised.

Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?

A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.

Q: So should I take advantage of the credit monitoring offer?

A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.

Q: Wait, what? I thought that was the whole point of a credit monitoring service?

A: The credit bureaus sure want you to believe that, but it’s not true in practice. These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

Q: Well then what the heck are these services good for?

A: Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.

Q: What’s the best way to do that?

A: File a security freeze — also known as a credit freeze — with the four major credit bureaus.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including EquifaxExperianInnovis and Trans Union.  It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Consumers Union has a useful breakdown of state-by-state fees. Continue reading →

Aug 16

A Life or Death Case of Identity Theft?

Identity thieves have perfected a scam in which they impersonate existing customers at retail mobile phone stores, pay a small cash deposit on pricey new phones, and then charge the rest to the victim’s account. In most cases, switching on the new phones causes the victim account owner’s phone(s) to go dead. This is the story of a Pennsylvania man who allegedly died of a heart attack because his wife’s phone was switched off by ID thieves and she was temporarily unable to call for help.

On Feb. 20, 2016, James William Schwartz, 84, was going about his daily routine, which mainly consisted of caring for his wife, MaryLou. Mrs. Schwartz was suffering from the end stages of endometrial cancer and wasn’t physically mobile without assistance. When Mr. Schwartz began having a heart attack that day, MaryLou went to use her phone to call for help and discovered it was completely shut off.

Little did MaryLou know, but identity thieves had the day before entered a “premium authorized Verizon dealer” store in Florida and impersonated the Schwartzes. The thieves paid a $150 cash deposit to “upgrade” the elderly couple’s simple mobiles to new iPhone 6s devices, with the balance to be placed on the Schwartz’s account.

“Despite her severely disabled and elderly condition, MaryLou Schwartz was finally able to retrieve her husband’s cellular telephone using a mechanical arm,” reads a lawsuit (PDF) filed in Beaver County, Penn. on behalf of the Schwartz’s two daughters, alleging negligence by the Florida mobile phone store. “This monumental, determined and desperate endeavor to reach her husband’s working telephone took Mrs. Schwartz approximately forty minutes to achieve due to her condition. This vital delay in reaching emergency help proved to be fatal.”

By the time paramedics arrived, Mr. Schwartz was pronounced dead. MaryLou Schwartz died seventeen days later, on March 8, 2016. Incredibly, identity thieves would continue robbing the Schwartzes even after they were both deceased: According to the lawsuit, on April 14, 2016 the account of MaryLou Schwartz was again compromised and a tablet device was also fraudulently acquired in MaryLou’s name.

The Schwartz’s daughters say they didn’t learn about the fraud until after both parents passed away. According to them, they heard about it from the guy at a local Verizon reseller that noticed his longtime customers’ phones had been deactivated. That’s when they discovered that while their mother’s phone was inactive at the time of her father’s death, their father’s mobile had inexplicably been able to make but not receive phone calls. Continue reading →

Aug 16

SSA: Ixnay on txt msg reqmnt 4 e-acct, sry

The U.S. Social Security Administration says it is reversing a newly enacted policy that required a cell phone number from all Americans who wished to manage their retirement benefits at The move comes after a policy rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at for themselves.

In an announcement last month, the SSA said all new and existing ‘my Social Security’ account holders would need to provide a cell phone number. The SSA said the numbers would be used to send recipients an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

But sometime in the past few days, apparently, the SSA decided to rescind the cell phone rule.

“We removed the requirement to use a cell phone to access your account,” the agency noted in a message posted to its mySocial Security portal. “While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security. We continue to pursue more options beyond cell phone texting.”

Hopefully, those options will include using the U.S. Mail to send Americans a one-time code that needs to be entered at the SSA’s Web site to complete the sign-up process. I should note that the SSA is already mailing out paper letters via snail mail to Americans who’ve signed up for an SSA account online; they’re just not using that mailing to securely complete the signup and authentication process.

Here’s a redacted letter that a friend of mine received and shared the other day after signing up for an account online. It merely explains what the agency already explained about the texting policy via its Web site.

A letter that the Social Security Administration sends out via the U.S. Mail for every American who signs up to manage their benefits at

A letter that the Social Security Administration sends out via the U.S. Mail for every American who signs up to manage their benefits at

The SSA does still offer the text message feature as part of what it calls “extra security” options. These extra options by the way do include the sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, crooks won’t go through the more rigorous signup process — they’ll choose the option that requires less information. That means it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online. Continue reading →

Dec 15

OPM Breach: Credit Monitoring vs. Freeze

Many readers wrote in this past week to say they’d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information was jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM’s response — the offering of free credit monitoring services for up to three years — won’t work if readers have taken my advice and enacted a “security freeze” on one’s credit file with the major credit bureaus. This post is an attempt to explain what’s going on here.

OPM offices in Washington, DC. Image: Flickr.

OPM offices in Washington, DC. Image: Flickr.

Earlier this week I got the following message from a reader:

“I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”

The reader continued:

“This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”

I reached out to my followers on Twitter to gauge their reactions to this. I wrote: “Finish this sentence: Lifting a freeze to enable credit monitoring is like….” Here were some of the notable responses:

@sdweberg 10:22pm …shooting your rottweilers and paying the neighbors a monthly fee to “keep an eye on” your house.

@shane_walton 10:15pm …installing flash to watch a flash video about the evils of flash.

@danblondell 10:13pm …leaving the storm doors open to keep an eye on the tornado

@flakpaket 12:48am …leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors.

@ShermanTheDad 8:25am …taking your gun off safety to check and see if it’s loaded.

Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file *after* you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.

As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score. Continue reading →

Nov 15

Report: Everyone Should Get a Security Freeze

This author has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.


Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.

But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.

Thankfully, US-PIRG — the federation of state public interest research groups — also is now recommending that consumers file proactive security freezes on their credit files.

“These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”

The report continues: “Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”

Check out the USPIRG’s full report, Why You Should Get Security Freezes Before Your Information is Stolen (PDF) for more good advice. In case anything in that report is unclear, in June I posted a Q&A on security freezes, explaining how they work, how to place them and the benefits and potential drawbacks of placing a freeze.

Have you frozen your credit file? If so, sound off about the experience in the comments. If not, why not?