After the uproar about the Equifax hack, Congress did do something. And credit freezes are now a lot easier to place and lift.
Starting September 21, 2018, placing or lifting a “credit freeze” – aka “security freeze” – will be free for all Americans in all states. In response to the Equifax-hack uproar and the grassroots movement it triggered, after the personal data of nearly half of all adult Americans had been stolen, Congress passed a bill in May that contained a provision about credit freezes. This provision becomes effective in three days.
It requires that all three major consumer credit bureaus – Equifax, Experian, and TransUnion – make credit freezes and unfreezes available for free in all states. Under most existing state laws, credit bureaus were able to charge a fee for placing and lifting a credit freeze. This could add up: for an effective credit freeze, you need to freeze your accounts at all three major credit bureaus, and pay each of them – and then pay each of them again to unfreeze those accounts if you want to apply for a credit card or loan.
The new law also requires credit bureaus to fulfill consumer requests for a credit freeze within one business day if made online or by phone, and within three business days if made by snail-mail.
Why is this important?
Credit bureaus collect personal and financial data on just about all adult Americans, whether they know it or not. These dossiers are extensive. They include the Social Security number, date of birth, address history, credit-card history, loan history, bank relationships, payments history, etc.
These dossiers are used to build a “credit report.” This is an extensive file (not just a credit score) that shows in detail your entire credit history – such as mortgages, other loans, credit cards, late payments, etc. These reports are sold – you’re the product – to third parties, such as lenders, credit-card promoters, and others.
Credit bureaus hate credit freezes because they cut into their revenues. But years ago, state laws forced them to make credit freezes available, though credit bureaus could make the process of freezing and unfreezing the account cumbersome, time-consuming, and costly. Now, under the new federal law, it’s easier and free.
When you put a credit freeze on your account with the three credit bureaus, they can no longer release this report to third parties, and it becomes impossible to open a credit-card account or bank account in your name – impossible for you as well as identity thieves.
After you place credit freezes on your accounts and then want to open a new loan account or open an account with the Social Security administration (yes!), you need to first lift the credit freezes.
All this has now become a lot easier, faster, and as of September 21, free.
Identity theft is hitting Equifax-hack victims
During the Equifax hack that was first disclosed a year ago, the personal data, including birth dates and Social Security numbers, of over 148 million Americans (according to the latest Equifax estimates) were stolen. These were the crown jewels for identity thieves.
Since then, 21% of the victims have seen “unusual” activity on their accounts, according to a survey by the Identity Theft Resource Center. Of these victims:
- 24% had a new credit-card account opened in their name
- 34% experienced changes to an existing credit card
- 23% had other accounts opened in their name, including loans, debit cards, bank accounts, and cable, internet, or utility accounts.
- 10% had some sort of medical identity issue, including receiving a medical bill or collection notice for services they never received, learning that medical records were compromised, or discovering another person’s information on their medical records.
- 4% had either state or federal taxes filed fraudulently in their name to collect a refund.
- Other issues included email flagged as being on the dark web.
A credit freeze at the three major credit bureaus cannot prevent all forms of identity theft and fraud, but it’s the single biggest and most effective defense mechanism consumers in the US can deploy.
Since I first started reporting on the Equifax hack last September, I included the links to the credit-freeze pages at the credit bureaus. The credit bureaus have changed those links several times, perhaps to make it more confusing. Here are the updated and functional new links to the pages of the three major credit bureaus where you can request or lift a credit freeze (aka security freeze):
- Equifax info and more links or go directly to the form
I initiated a security freeze with the major credit bureaus in 2010 after the University of Texas at Austin, where I’d gotten my MBA years earlier, notified me that all my data, including Social Security number, had been stolen. It was the Wild West of credit freezes. It was cumbersome, took weeks, and had to be done by a combination of fax, mail, and phone that involved a lot of road blocks they put in my way. But it was a great decision.
As a positive side-effect, it stopped most of the “pre-approved” cash-advance and credit-card promos that showed up in the mail – an identity theft risk if they fall into the wrong hands – since credit bureaus could no longer sell my data to promoters.
Making credit freezes & unfreezes available to all Americans for free in a quick and convenient manner is one of the best little things Congress has done for US consumers, and was long overdue.
Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:
Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.
Identity theft victim here. Didn’t happen as a result of the Equifax hack. It was part of a burglary.
That being said, I didn’t have any problems getting my credit frozen at any of the “big three” agencies. But I couldn’t understand why any American couldn’t do the same thing as a matter of course.
Now they can.
So if a hacker (who has stolen your identity) can convince the credit agent they are you then they can freeze or unfreeze your credit for free, right?
In theory it might be possible. But this is very hard to do, given the safeguards in place to prevent this. You will encounter those safeguards when you try to freeze or unfreeze your credit. That’s why it was such a huge hassle to do it.
Two-Factor Authentication? Blockchain for this industry???
I’ve been in an endless loop with Experian trying to get a “one-time PIN” – taken me two months so far – “no” online, “wrong form” returned mail – ARRRRGH!. This is some really great news and I hope everyone does the smart thing! No excuses now!
Thanks for the heads up, Wolf!
Definitely gonna go and get set this up.
About d**n time! I refused to pay fees to freeze but will do so now that it’s finally free. The idea that someone can aggregate data about you and then charge you a fee to prevent them from releasing your data to anyone they like is almost as outrageous as the idea that they can sell your data to anyone they like.
People should defend their natural right to ownership of their own personal data, and not give those rights away willy-nilly.
Thanks for reporting this Wolf!
Thanks to Wolf I put a freeze on a year ago. I have good credit and my data was stolen (You can check to see if your personal data was stolen on the Equifax site). So the bad guys know who to go after.
Wolf, I still get the numerous airline credit card offers, most of the others have stopped. Apparently I agreed to these when I signed up for the mileage plans ?
Any company you have or had a “customer relationship” with is unaffected by the freeze.
That’s not correct. A company that you have or had a relationship with CANNOT get your credit report. I know from personal experience that it works. My own bank that I’d been doing business with for years couldn’t get my credit report, and therefore could NOT issue me a credit card (my cards are with other banks).
However, existing relationships (bank, credit card companies, mortgage lenders) get what little they need, such as a FICO score, to maintain the relationship with you, and so your bank relationship doesn’t get cut when you put a credit freeze on your account. But your credit report is off-limits.
I froze my credit when I read one of your previous articles. Another tidbit of useful information: your credit monitoring services will still work and will be able to access your credit score and update it to reflect balance changes, etc. This is good because it was one of my initial concerns. I do not know if this works if you sign up for credit monitoring after you freeze your credit. My guess would be no.
Credit freezes should be the default. I wonder if they’ll include an unreadable disclaimer that precludes you from suing them for damages resulting from past breaches.
I needed to temporarily ‘unfreeze’ my Experian report a while ago; they seemed to try to make it as difficult and cumbersome as possible (kept me on hold for a half-hour). Equifax–the original culprit–has an app that makes it relatively easy.
There is a at least one other credit monitoring/reporting agency called Innovis. I initiated a freeze with them; of all the agencies they were the most accomodative.
I’d be curious to see what permissions you gave Equifax by downloading thier app.
It’s been a while, but IIRC I just needed the same login info needed for their ‘TrustedID’ website, which appeared to have been slapped together after the breach (it may have been around longer, but I’d never heard of it). It’s a simple app, consisting of a large ‘Locked/Unlocked’ slider. Now I’m wondering if ‘lock’ is the same as ‘freeze,’ or have they figured out a semantic way to avoid a total freeze?
He’s not talking about the sign-in stuff.
He’s saying that by downloading and using their app you’ve quite possibly given them access to every single piece of information that passes through your phone, including your location history (whereabouts) and anything else that could be recorded, monitored or logged by Google, your phone provider, Facebook, etc. Many apps have very very poor data-security protocols and they don’t always tell you what they’re doing with all your information either.
Bottom line: avoid the app unless you have no choice. But avoid the app anyway if the counterpart has interests opposed to yours … such as a business model that profits by collecting and selling your personal data and profiling you…
Update: A few days ago I got a letter from Innovis informing me that an address–my ex-wife and son’s–had been added to my credit report. When I called to ask, basically, WTF?, Innovis customer service rep said that it was because my son closed out a CD in a credit union account I had added him to so he could get basic banking services and a credit card. The agent offered to send me a credit report; I said, essentially, ‘Sure, whatever.’ Today, I got an oversized letter from Innovis with my complete credit report and history, free of charge, along with a ‘California Summary of Rights,’ a ‘Federal ID Theft Summary of Rights’ and a ‘Federal Summary of Rights.’
I recently sold a house in the BA and paid off the mortgages of a couple of investment properties, and I got confirmation of all transactions. I have NFI in this company, but I have to say I’m impressed by the service. Anybody know the story of Innovis?
Now I hope people make use of this. Heck I would if I lived in the US because how unbeliable unsafe stuff online is.
There’s a minor error in the story. All three credit bureaus allow you to put an initial freeze on for free. It’s only subsequent unfreezes and refreezes for which they charge $5 each. [You may be correct in that statutorily they are able to charge for initial freeze; I’m just saying how they’ve been operating.] Don’t know whether you were charged when you put your freeze on in 2010; I was able to do so for free last year.
THE real challenge isn’t so much the freeze, though granted all three have crappy web pages, which are hard to find, and site navigation is difficult, plus you have to keep their non-intuitive verification codes somewhere you can find them, otherwise you get permanently locked out [it’s not like you can reregister under another name].
The prob is that most people, myself included, don’t realize that credit checks are used for much more than loans. For example, you have to remember to unfreeze for job background checks, when you try to rent an apartment, and a whole lot of other things which escape me right now. I’m assuming the use of credit checks has expanded way beyond its original intent, much like usage of social security numbers.
Until Sep 21, credit bureaus have to conform only to state law. In some states, the credit freeze must be free. In most states, credit bureaus can charge a fee. Whether or not they’re currently charging a fee in those states, after the uproar last year, is up to the credit bureaus. But after Sep 21, no credit bureau in any state can charge a fee under federal law.
“The prob is that most people, myself included, don’t realize that credit checks are used for much more than loans. For example, you have to remember to unfreeze for job background checks, when you try to rent an apartment, and a whole lot of other things which escape me right now. I’m assuming the use of credit checks has expanded way beyond its original intent, much like usage of social security numbers.”
Very true. After my father died, my mother wanted to remove my father and put me on their joint checking account (note a death certificate was required). BofA wanted to run a credit check with Experian-see above–and couldn’t/wouldn’t give me a simple reason why (I spent a couple hours getting ‘unfroze’ temporarily). I had a credit card with BoA that I didn’t use anymore, after this transaction my mom’s checking and savings accounts showed-up when I checked into the CC account (to confirm the balance remained zero). While this was a convenience, it was a bit scary.
Wolf, it seems that this will be an ongoing saga; i.e. the credit agencies appear to have deliberately obfuscated the credit freeze issue (either that, or they’re horribly incompetent). Maybe we could ‘park’ this discussion so we can share horror stories or, at least revisit this issue frequently?
I think I should have started a separate discussion board when I first wrote about the Equifax hack a year ago. On all the articles combined, there are many hundreds of comments. They’re still accessible under each article but commenting is now turned off on them (a time function). I should have started a commenting board on this topic as a separate item and keep it open permanently. But now it’s a little late.
However, I will revisit the topic periodically when there is some kind of change or revelation.
I will eventually have to unfreeze my credit freeze for the first time in many years. This will test the paper-system that was used at the time to get this credit freeze done. If this turns out to be an “interesting” experience, I might share it.
Credit bureaus are third parties in all transactions. Perhaps Congress finally acknowledged that forcing payment to freeze credit files was akin to extortion, and set a dangerous precedent. These are companies that no one does business with directly, and they collect and sell information on people without their permission or knowledge. They, along with FICO scores, are a key part of the debt matrix that keeps Americans in hock to the banks. Even though they are now free, you can bet this fact won’t be advertised.
That sounds like a step in the right direction, but I am still astounded by how slack the system must be to allow so much fraud to take place. I cannot imagine it would be hard for the ratings agency, or other ( e.g. passport authority) to e.g. issue a simple code card to each person (similar that banks do) and have obligation to crosscheck it to open any new line of credit, or to withdraw from existing account beyond a chosen level. There you have one physical document that is kept out of the way apart from exceptional circumstance, if it is lost or you think it compromised you freeze accounts etc. till a new one is issued. The database that handles the verification is kept hyper secure, and all other existing verification must be passed also. An option like this should be offered as standard by “the authorities” given they permit entities to create credit in anyone’s name on what is otherwise slack or flawed procedure. Too simple I suppose ?…..
I’ve worked systems security for over thirty years and there is no such thing as a “hyper secure” database despite what someone has possibly implied or said.
There are (4) other Credit Reporting Agencies I didn’t know existed. If there should be a government provided function this is one of them. I would imagine insider identity theft is big-time.
DO NOT give any but the top three credit bureaus your data and social security number — not even to check. Chances are they don’t have this data. And that’s the best security you have. If there is nothing to freeze, you don’t need to freeze it.
But once YOU give them the data, they have it forever, and then you do need a freeze.
Re “government provided function” – LOL. The government is NOT any better at protecting your personal data. Just ask anyone with a security clearance who had their entire life history (and many relatives’) hacked a few years ago.
IF you want personal data security, what you need is a legal environment that gives the holders of your data really, really strong incentives not to get hacked. I’m talking go-out-of-business, go-to-jail-for-a-decade type incentives. The sheer fact that Equifax hasn’t been boycotted into oblivion tells everyone involved that there’s not much concern about data theft. So nothing will change and hacks will get worse.
I was in the military at the time and was one of those people with a TS clearance whose file was stolen (including the electrons of my fingerprints). But even before that, the military had lost my PII (Personally Identifying Information) four times. #1: an employee mass-emailed an unencrypted spreadsheet containing the PII of ~200 servicemembers (including me), their spouses and children. No, the employee did not get fired or even disciplined. #2: an employee faxed the printout of a spreadsheet containing the PII of my entire unit, ~100 servicemembers, to the front desk of a hotel. No, the employee did not get fired or even disciplined. #3: an employee in D.C. loaded the PII of thousands of servicemembers (including me) onto a laptop, took the laptop out of the building (to telework from home), left the laptop in his car, and the car got broken into and the laptop stolen. No idea if he was fired or disciplined. #4: Repeat of #3. And, the government travel credit card lost my PII. And, the military healthcare provider lost my PII. So I’ve had a credit freeze since around 2008. My advice to anyone enlisting is to freeze your credit as soon as possible after the initial enlistment phase.
In 2009 I frose all credit accounts as I figured cheats would try to hack my credit with the economy in free fall. I did not care about the cost of those freezes. Seems to me those credit agengies have too much control. Those credit accounts get too much free info on me and I could care less about the cost to freeze them.
Will a global credit freeze also be free?
There is another credit bureau, Innovis. Why is it never mentioned? Shouldn’t your credit be frozen there too?
I don’t recommend it, or against it. This is a smallish outfit. There is a good chance they do not have your data. If you want to freeze your credit with them, you have to give them your data that they might not have had before. Now they have the data forever, and you do need to freeze your credit with them.
Also, few banks and credit-card companies, if any, use Innovis for credit checks. I know Social Security doesn’t use Innovis (They use Equifax, as we learned). So it’s not useful to freeze your credit with a bureau that banks and credit card companies don’t use to verify credit and open accounts.
thanks for the info and God bless. i took literally only 5 min or less per agency to freeze credit data. it was a snap. thanks immensely for the 3 links.