What do to now? Freeze, I’d say. And breathe.
Consumers continue to wrestle with their options in the wake of news that the Equifax credit reporting agency had been hacked, potentially exposing a majority of Americans to identity theft. It’s a natural impulse to “do something” after an incident like this, but my recommendation is to hit the pause button for a few more days while journalists and consumers keep trying to badger Equifax into revealing more about the incident.
Whatever you do, don’t go buy a service you don’t quite understand after this incident. LifeLock says it’s signed up 100,000 new members since the leak, and that’s just silly. Maybe you’ll ultimately decide a product like LifeLock gives you peace of mind, but there’s no need to sign up right now.
Should I stop everything and freeze my account?
Ultimately, it’s going to be a good idea to place a security freeze on your credit report. But it’s important to know there’s no mad rush. Whoever stole your data has had it since midsummer, at least — so it doesn’t matter if you freeze today or next week some time. So take a couple of days to let the dust settle. That will also let Equifax figure out what the heck it’s doing. It’s obvious the firm was abysmally prepared to deal with the consumer response to this incident. The firm is making decisions on the fly. (Pay us for ID theft protection! Wait, don’t! Pay for a freeze! Wait, it’s free now. And that website? Just forget all the fine print on it.) For the most part, all these changes have been good for consumers, so I think holding out will benefit you.
Wait, what’s a credit freeze?
A credit freeze puts a “lock” on your credit report so no one can access it — critically, so no ID thief can open a new credit account using your information. It is the most proactive way to prevent ID theft. Plenty of folks are recommending freezes as the best response to the hack. Everyone’s situation is different, but a freeze is a good idea for many people — particularly those who have no intention of buying a car or home, or of getting a new credit card any time soon.
Freezes should be distinguished from “fraud alerts,” which can also be placed on your credit files. Fraud alerts are temporary, and less effective. They merely require that creditors take extra care when they issue new credit in your name, and it’s never been terribly clear what that means.
How much does a credit freeze cost?
Well, freezes should be free. They are, in some cases, for victims of identity theft. But fees vary by state (here’s a handy state-by-state chart). And, no, having your data stolen by a hacker doesn’t qualify you as an ID theft victim in the eyes of the credit bureaus. You have to supply a police report for that.
After much outcry, Equifax has announced (in perhaps the subtlest way possible) that it will allow all consumers to freeze their files for free for the next 30 days. The firm took the unusual step of announcing this on Twitter, but only in replies, so it’s not easy to find. At the moment, this news does not appear on the firm’s site for news about the hack.
There are multiple fees associated with freezes. There’s an initial set-up, and then there’s a fee for “thawing” reports, which consumers must do if they ever need to get a loan or engage in other credit-related activity. It appears that consumers who take advantage of this 30-day free freeze will still have to pay later when they thaw.
And, critically, consumers must still pay the two other credit bureaus — Experian and TransUnion — for freezes.
Should I freeze only my Equifax report then?
Probably not. It wouldn’t hurt, but it’s not going to help much. To serve as effective ID theft prevention, all three credit reports must be locked.
How do freezes work, and what’s a PIN?
Consumers who freeze their accounts are assigned a secret code that must be supplied to “thaw” the account. The code is called a PIN. At Equifax, it’s a 10-digit number. The PIN requirement does provide solid protection against would-be ID thieves. Most critically, it slows down the process of identity theft. Criminals who wanted to open a credit card in your name at a retailer couldn’t simply fill out a form in a store. They would have to call the bureau and thaw the account first.
But that leads to the next question …
Are PINs safe? That just sounds like another password to me
Right you are. So far, PINs have served as a solid layer of security for consumers. But with more consumers employing freezes thanks to this incident, you’d better believe hackers are hard at work trying to add credit freeze hacking to their arsenals. And, lo and behold, it’s not that hard. Equifax PIN codes — at least until yesterday — were merely an obvious numeric representation of the date and time a consumer instituted the freeze.
As someone pointed out on Twitter: “OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you’d get PIN 0908171415.”
The firm says it is hard at work figuring out how to issue random freeze PINs instead. Seems like an oversight.
If all this data has been stolen from Equifax, why should I believe this freeze will work?
You shouldn’t. Not completely. But I know people who have placed credit freezes on their reports for nearly 10 years, and they are satisfied. As with all security technologies, nothing is foolproof. But freezes really do add a strong layer of protection against fraud — much stronger than those ID theft prevention services that some people pay $30 a month for.
Why do credit bureaus seem to resist freezes?
Bureaus never wanted freezes in the first place. Remarkably, it took 50 state legislatures passing laws to require that freezes be made available. Still, the bureaus don’t seem anxious to make it available. Why?
Simple: Freezes are an existential threat to their business. The whole point of credit reporting, and credit scoring, is to help businesses market easy credit to consumers. Every time you are offered a credit card by a retailer at checkout, you see why credit freezes would be bad for their business. Freezes would be the death of impulse credit-based purchases. The death of easy credit, really. Think about it. If your file is frozen, you must take a sober, multiday approach to buying a new fridge or a car. That’s sensible for consumers, but bad for retailers and banks.
What other risks are there?
The big risk for consumers is forgetting the PIN. Unlocking — thawing — a credit report when you’ve misplaced the PIN is a nightmare. (It’s also good, since you wouldn’t want a hacker calling the bureau and saying, “I’ve lost my PIN, could you thaw my report?”). So if you go this route, you’d better have a really good system for keeping that thaw procedure information in a safe place. Remember, you quite possibly won’t need to use that information for years. You might move in the interim. You might have a fire. Or, you might just forget. A freeze is a commitment, so be ready to make that commitment. If you aren’t good with organizing paperwork, you should think seriously about weighing that risk against your risk of identity theft.
Ok, so how do I do a freeze already?
The laws governing who can request a consumer report freeze vary from state to state. (Sorry, it’s a terrible system.) First, review the rules for your state here:
Then, go directly to each credit bureau’s freeze website. If you do a web search on “security freeze” yourself, you’re going to be upsold on a lot of different services that sound like freezes, but aren’t. So be careful. Here is where you can find freeze information for each credit bureau:
Sadly, in many cases, freezes aren’t free. The fee schedule — what can be charged to add or remove a credit freeze for different categories of consumers — is pretty complex, and again, varies by state. TransUnion offers this state-by-state fee grid, so you can find out the cost you will likely face if you decide to put your credit on ice.
More from Bob Sullivan:
- “Equifax FAQ: You’ve Got Questions. I Try to Give You Answers”
- “Report Claims Hackers Have Penetrated Deep Into Energy Sector Network”
- “Sick of Overdraft Fees? There’s an App for That”
What’s your plan (if any) for guarding your personal information following the Equifax data breach? Share with us in comments below or on our Facebook page.