What do to now? Freeze, I’d say. And breathe.
Consumers continue to wrestle with their options in the wake of news that the Equifax credit reporting agency had been hacked, potentially exposing a majority of Americans to identity theft. It’s a natural impulse to “do something” after an incident like this, but my recommendation is to hit the pause button for a few more days while journalists and consumers keep trying to badger Equifax into revealing more about the incident.
Whatever you do, don’t go buy a service you don’t quite understand after this incident. LifeLock says it’s signed up 100,000 new members since the leak, and that’s just silly. Maybe you’ll ultimately decide a product like LifeLock gives you peace of mind, but there’s no need to sign up right now.
SHOULD I STOP EVERYTHING AND FREEZE MY ACCOUNT?
Ultimately, it’s going to be a good idea to place a security freeze on your credit report. But it’s important to know there’s no mad rush. Whoever stole your data has had it since mid-summer, at least — so it doesn’t matter if you freeze today or next week some time. So take a couple of days to let the dust settle. That will also let Equifax figure out what the Hell it’s doing. It’s obvious the firm was abysmally prepared to deal with the consumer response the this incident. The firm is making decisions on the fly (pay us for ID theft protection! Wait, don’t! Pay for a freeze! Wait, it’s free now. And that website? Just forget all the fine print on it). For the most part, all these changes have been good for consumers, so I think holding out will benefit you.
WAIT, WHAT’S A CREDIT FREEZE?
A credit freeze puts a “lock” on your credit report so no one can access it — critically, so no ID thief can open a new credit account using your information. It is the most pro-active way to prevent ID theft. Plenty of folks are recommending freezes as the best response to the hack. Everyone’s situation is different, but freeze are a good idea for many folks — particularly those who have no intention of buying a car, a home, or getting a new credit card any time soon.
Freezes should be distinguished from “fraud alerts,” which can also be placed on your credit files. Fraud alerts are temporary, and less effective. They merely require that creditors take extra care when they issue new credit in your name, and it’s never been terribly clear what that means.
HOW MUCH DOES A CREDIT FREEZE COST?
Well, freezes should be free. They are, in some cases, for victims of ID theft. But fees vary by state (here’s a handy state-by-state chart). And no, having your data stolen by a hacker doesn’t qualify you as an ID theft victim in the eyes of the credit bureaus. You have to supply a police report for that.
After much outcry, Equifax has announced (in perhaps the subtlest way possible) that it will allow all consumers to freeze their files for free for the next 30 days. The firm took the unusual step of announcing this on Twitter, but only in replies, so it’s not easy to find. At the moment, this news does not appear on the firm’s site for news about the hack.
There are multiple fees associated with freezes. There’s an initial set-up, and then there’s a fee for “thawing” reports, which consumers must do if they ever need to get a loan or engage in other credit-related activity. It appears that consumers who take advantage of this 30-day free freeze will still have to pay later when they thaw.
And critically, consumers must still pay the other two credit bureaus — Experian and Trans Union — for freezes.
SHOULD I ONLY FREEZE MY EQUIFAX CREDIT REPORT THEN?
Probably not. It wouldn’t hurt, but it’s not going to help much. To serve as effective ID theft prevention, all three credit reports must be locked.
HOW DO FREEZES WORK? WHAT’S A PIN?
Consumers who freeze their accounts are assigned a secret code that must be supplied to “thaw” the account. The code is called a PIN. At Equifax, it’s a 10-digit number. The PIN requirement does provide solid protection against would-be ID thieves. Most critically, it slows down the process of ID theft. A criminal who wanted to open a credit card in your name at a retailer couldn’t simply fill out a form in a store. She or he would have to call the bureau and thaw the account first.
But that leads to the next question…
ARE PIN’S SAFE? THAT JUST SOUNDS LIKE ANOTHER PASSWORD TO ME
Right you are. So far, PINs have served as a solid layer of security for consumers. But with more consumers employing freezes thanks to this incident, you’d better believe hackers are hard at work trying to add credit freeze hacking to their arsenals. And low and behold, it’s not that hard. Equifax PIN codes — at least until yesterday — were merely an obvious numeric representation of the date and time a consumer instituted the freeze. The firm says it is hard at work figuring out how to issue random freeze PINs instead. Seems like an oversight.
OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you’d get PIN 0908171415.
— Tony Webster (@webster) September 9, 2017
IF ALL THIS DATA HAS BEEN STOLEN FROM EQUIFAX, WHY SHOULD I BELIEVE THIS FREEZE WILL WORK?
You shouldn’t. Not completely. But I know people who have placed credit freezes on their reports for nearly 10 years, and they are satisfied. As with all security technologies, nothing is fool-proof. But freezes really do add a strong layer of protection against fraud. MUCH stronger than those ID theft prevention services that some people pay $30 a month for.
WHY DO CREDIT BUREAUS SEEM TO RESIST FREEZES?
Bureaus never wanted freezes in the first place. Remarkably, it took 50 state legislatures to pass laws requiring freezes. Still, the bureaus don’t seem anxious to make this option available. Why?
Simple: Freezes are an existential threat to their business. The whole point of credit reporting, and credit scoring, is to help businesses market easy credit to consumers. Every time you are offered a credit card by a retailer at checkout, you see why credit freezes are bad for their business. Freezes would be the death of impulse credit-based purchases. The death of easy credit, really. Think about it. If your file is frozen, you must take a sober, multi-day approach to buying a new fridge or a car. That’s sensible for consumers, but bad for retailers and banks.
WHAT OTHER RISKS ARE THERE?
The big risk for consumers is forgetting the PIN. Unlocking — thawing — a credit report when you’ve misplaced the PIN is Hell to pay (and, good. You wouldn’t want a hacker calling and saying, ‘I’ve lost my PIN, could you thaw my report?’). So if you go this route, you’d better have a really good system for keeping that thaw procedure information in a safe place. Remember, you quite possibly won’t need it for years. You might move in the interim. You might have a fire. Or, you might just forget. A freeze is a commitment, so be ready to make that commitment. If you aren’t a person who’s good with organizing paperwork, you should think seriously about weighing that risk against your risk of ID theft.
OK, SO HOW DO I DO FREEZE ALREADY?
The rules are different for different states. Sorry, it’s a terrible system. First, review the rules for your state here:
Then, go directly to each credit bureau’s freeze website. If you Google “security freeze” yourself, you’re going to be upsold on a lot of different services that sound like freezes, but aren’t. So be careful. Here are the sites:
Sadly, freezes aren’t free. The fee schedule is actually pretty complex, and varies by state. Trans Union has a very handy state-by-state fee grid (including different fees for different categories of consumers.)
Follow this story: AlertMe
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.