Equifax: What now? My credit freeze primer. Also, don’t over react

Credit freeze fees are confusing. There’s a handy chart at Trans Union’s site.

What do to now? Freeze, I’d say.  And breathe.

Consumers continue to wrestle with their options in the wake of news that the Equifax credit reporting agency had been hacked, potentially exposing a majority of Americans to identity theft.  It’s a natural impulse to “do something” after an incident like this, but my recommendation is to hit the pause button for a few more days while journalists and consumers keep trying to badger Equifax into revealing more about the incident.

Whatever you do, don’t go buy a service you don’t quite understand after this incident.  LifeLock says it’s signed up 100,000 new members since the leak, and that’s just silly. Maybe you’ll ultimately decide a product like LifeLock gives you peace of mind, but there’s no need to sign up right now.

SHOULD I STOP EVERYTHING AND FREEZE MY ACCOUNT?

Ultimately, it’s going to be a good idea to place a security freeze on your credit report.  But it’s important to know there’s no mad rush. Whoever stole your data has had it since mid-summer, at least — so it doesn’t matter if you freeze today or next week some time.  So take a couple of days to let the dust settle. That will also let Equifax figure out what the Hell it’s doing. It’s obvious the firm was abysmally prepared to deal with the consumer response the this incident. The firm is making decisions on the fly (pay us for ID theft protection! Wait, don’t! Pay for a freeze! Wait, it’s free now. And that website?  Just forget all the fine print on it).  For the most part, all these changes have been good for consumers, so I think holding out will benefit you.

WAIT, WHAT’S A CREDIT FREEZE?

A credit freeze puts a “lock” on your credit report so no one can access it — critically, so no ID thief can open a new credit account using your information.  It is the most pro-active way to prevent ID theft.  Plenty of folks are recommending freezes as the best response to the hack. Everyone’s situation is different, but freeze are a good idea for many folks — particularly those who have no intention of buying a car, a home, or getting a new credit card any time soon.

Freezes should be distinguished from “fraud alerts,” which can also be placed on your credit files. Fraud alerts are temporary, and less effective. They merely require that creditors take extra care when they issue new credit in your name, and it’s never been terribly clear what that means.

HOW MUCH DOES A CREDIT FREEZE COST?

Well, freezes should be free. They are, in some cases, for victims of ID theft.  But fees vary by state (here’s a handy state-by-state chart).  And no, having your data stolen by a hacker doesn’t qualify you as an ID theft victim in the eyes of the credit bureaus.  You have to supply a police report for that.

After much outcry, Equifax has announced (in perhaps the subtlest way possible) that it will allow all consumers to freeze their files for free for the next 30 days. The firm took the unusual step of announcing this on Twitter, but only in replies, so it’s not easy to find. At the moment, this news does not appear on the firm’s site for news about the hack.

There are multiple fees associated with freezes.  There’s an initial set-up, and then there’s a fee for “thawing” reports, which consumers must do if they ever need to get a loan or engage in other credit-related activity. It appears that consumers who take advantage of this 30-day free freeze will still have to pay later when they thaw.

And critically, consumers must still pay the other two credit bureaus — Experian and Trans Union — for freezes.

SHOULD I ONLY FREEZE MY EQUIFAX CREDIT REPORT THEN?

Probably not.  It wouldn’t hurt, but it’s not going to help much. To serve as effective ID theft prevention, all three credit reports must be locked.

HOW DO FREEZES WORK? WHAT’S A PIN?

Consumers who freeze their accounts are assigned a secret code that must be supplied to “thaw” the account.  The code is called a PIN. At Equifax, it’s a 10-digit number.  The PIN requirement does provide solid protection against would-be ID thieves.  Most critically, it slows down the process of ID theft.  A criminal who wanted to open a credit card in your name at a retailer couldn’t simply fill out a form in a store. She or he would have to call the bureau and thaw the account first.

But that leads to the next question…

ARE PIN’S SAFE? THAT JUST SOUNDS LIKE ANOTHER PASSWORD TO ME

Right you are. So far, PINs have served as a solid layer of security for consumers. But with more consumers employing freezes thanks to this incident, you’d better believe hackers are hard at work trying to add credit freeze hacking to their arsenals. And low and behold, it’s not that hard.  Equifax PIN codes — at least until yesterday — were merely an obvious numeric representation of the date and time a consumer instituted the freeze. The firm says it is hard at work figuring out how to issue random freeze PINs instead.  Seems like an oversight.

IF ALL THIS DATA HAS BEEN STOLEN FROM EQUIFAX, WHY SHOULD I BELIEVE THIS FREEZE WILL WORK?

You shouldn’t.  Not completely.  But I know people who have placed credit freezes on their reports for nearly 10 years, and they are satisfied. As with all security technologies, nothing is fool-proof. But freezes really do add a strong layer of protection against fraud. MUCH stronger than those ID theft prevention services that some people pay $30 a month for.

WHY DO CREDIT BUREAUS SEEM TO RESIST FREEZES?

Bureaus never wanted freezes in the first place. Remarkably, it took 50 state legislatures to pass laws requiring freezes.  Still, the bureaus don’t seem anxious to make this option available.  Why?

Simple: Freezes are an existential threat to their business.  The whole point of credit reporting, and credit scoring, is to help businesses market easy credit to consumers.  Every time you are offered a credit card by a retailer at checkout, you see why credit freezes are bad for their business.  Freezes would be the death of impulse credit-based purchases.  The death of easy credit, really.  Think about it. If your file is frozen, you must take a sober, multi-day approach to buying a new fridge or a car.  That’s sensible for consumers, but bad for retailers and banks.

WHAT OTHER RISKS ARE THERE?

The big risk for consumers is forgetting the PIN.  Unlocking — thawing — a credit report when you’ve misplaced the PIN is Hell to pay (and, good. You wouldn’t want a hacker calling and saying, ‘I’ve lost my PIN, could you thaw my report?’). So if you go this route, you’d better have a really good system for keeping that thaw procedure information in a safe place.  Remember, you quite possibly won’t need it for years. You might move in the interim. You might have a fire. Or, you might just forget.  A freeze is a commitment, so be ready to make that commitment. If you aren’t a person who’s good with organizing paperwork, you should think seriously about weighing that risk against your risk of ID theft.

OK, SO HOW DO I DO FREEZE ALREADY?

The rules are different for different states. Sorry, it’s a terrible system.  First, review the rules for your state here:

http://www.ncsl.org/research/financial-services-and-commerce/consumer-report-security-freeze-state-statutes.aspx

Then, go directly to each credit bureau’s freeze website.  If you Google “security freeze” yourself, you’re going to be upsold on a lot of different services that sound like freezes, but aren’t.  So be careful. Here are the sites:

Sadly, freezes aren’t free. The fee schedule is actually pretty complex, and varies by state. Trans Union has a very handy state-by-state fee grid (including different fees for different categories of consumers.)

Follow this story: AlertMe

If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.


About Bob Sullivan 1137 Articles

BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

11 Comments

  1. So if my name pops up on Equifax as being involved does that mean that I fall into the “victim of ID theft” category? Or will I still have to pay to have it locked?

    • Just key in: http://www.freeze.equifax.c the rest will fill in and then hit enter. It will take you to the Equifax site for applying for the freeze. However, I have filled out all the info required over 10 times and the site will finally tell you it is too busy to process your request. Patience, might take you a few days to get the Equifax freeze handled. One note: when keying in the site only put the C on the end, if you put the full COM in it will take you to a different Equifax site. What a mess they are.

  2. So, yes or no – should we sign up for the year-long consumer ID theft watch system that Equifax is offering?

    Will it really be of use if something bad does happen? Or should we opt for something like Lifelock at $10./month?

    I have put a fraud alert on my credit card and my bank accounts. I don’t want to “freeze” so is there anything else I should do?

  3. My husband and I are old enough in California for a free freeze. If we decide to freeze out reports, do we really need to freeze all 3 agencies for each of us, separately? Six different freezes and six different pins?

    We monitor our credit and bank accounts online, and apply for the free credit report each year, staggering them so we are monitoring our credit 3 times a year. Do you think the freeze would offer enough security to offset the nuisance?

  4. I had already placed a credit freeze at all 3 bureaus 2 years ago, after some other breach occurred.

    Of course, now presumably, with the Equifax breach, someone has not only all my data, but my Equifax PIN for my credit freeze, allowing them to use that info to *lift* the credit freeze and then open all the accounts they want, using Equifax.

    I’m hoping that’s enough of a barrier that a lazy thief will move on to someone else, but when things calm down a bit, I may try to contact Equifax to have them generate me a new PIN.

  5. I have tried to put a Freeze on MY account with Equifax MANY times yesterday 9-15-17
    Most times it says Different things, Can’t do now, try later, Found your Info, etc.
    NOW it says to check ONE of (3) Boxes to UN Freeze it. I Never got to the place to Freeze it, and Never got a PIN.
    How do I find out if it is FROZEN ?

  6. Having failed to get any of the three to place a security freeze on mine and my wife’s accounts online on 9/16/17, we decided to go the certified mail route. There is a list of things to include, so I put all that in. I also threatened legal action and consumer complaint if they failed to act with the mailed requests. Totally sucks to waste hours of time, and nearly $80 to get this done. As my mother would have said: “What a racket!”

  7. If one goes to the Equifax site, they have a facility to check to see if your info has been part of the stolen data. The response I received was that I “may” be impacted. I was then given the opportunity to sign up for free for their ID security facility. I wonder, however, if Equifax is making lemonade with the lemon vulnerability that they permitted on their system. Are they just gathering more information on all of us that can be stolen down the road or used to enhance Equifax’s profitability?

3 Trackbacks / Pingbacks

  1. The Equifax FAQ: You've got questions, I try to give you answers — bobsullivan.net
  2. Breach Vouchers & Equifax – Adam Shostack & friends
  3. VIDEO: Latest on the hack -- TU freezes still don't work, Equifax hired a music major, and we know how but not why — bobsullivan.net

Leave a Reply

Your email address will not be published.


*