I Just Dealt with a “Security Freeze,” the Most Effective Tool for Credit Security: It’s Become Super-Easy & Free, after the Equifax Hack Two Years Ago

My recommendation has changed. Here are the websites and links and why and how to do it.

By Wolf Richter for WOLF STREET.

One thing I hafta admit about big American corporations: When they’re exposed to enough hue and cry and get flogged long enough in the media, particularly on WOLF STREET, and get flailed by regulators, Attorneys General, and lawmakers, even as individual and class-action law suits are hailing down on them, they will eventually stop making things worse, and finally do something right.

And it’s a sea change in terms of how easy it is today – thanks to the fallout from Equifax hack in 2017 – to protect your credit and identity from identity theft and other forms of fraud and broader financial and bureaucratic nightmares.

I have always recommended putting a “security freeze” (also called “credit freeze”) on your accounts with the three major credit bureaus in the US — Equifax, Transunion, and Experian – as the most effective way to protect yourself from credit fraud and identity theft. But under the old system, a security freeze was too much hassle and not appropriate for many people. This has changed.

What the heck is a “security freeze?”

A security freeze prevents these credit bureaus from releasing and selling your personal data and credit and financial history that they have gathered over the years.

As part of their business model, credit bureaus sell this data to banks and other firms where you apply for credit, such as a credit card, a mortgage, a personal loan, a cellphone account, or some other form of credit. Your “FICO score” is based on credit bureau data. And they sell some of this data to their “partners” for marketing purposes.

Even the Social Security Administration verifies with Equifax that this is you when you’re trying to set up a my Social Security account online. And yes, definitely do set up that account even if you’re decades away from retirement, before someone else sets one up in your name with data stolen from the Equifax hack.

The Equifax hack was revealed in September 2017. Personal data, including names, Social Security numbers, birth dates, and addresses of 145 million Americans were stolen, along with driver’s license numbers of 11 million Americans.

Armed with this data, a crook could open credit accounts in these people’s names, borrow money, and leave the people struggling with the consequences, including having to fend off lenders, collection agencies, and lawyers that come chasing after them to collect this debt. Victims then also have a hard time applying for new credit. It’s a horror when it happens.

This Equifax hack and the fallout in the media, including on WOLF STREET, shook up the industry.

Placing a security freeze on your account after the hack could prevent the damage from happening. At the time, I provided information on how to do this. But it was a rapidly changing situation, with changed links, overwhelmed servers, shoddily cobbled-together consumer-facing websites that crashed, unanswered phones, and devious hurdles placed by Equifax to distract consumers from actually placing a security freeze on their accounts. Our readers recounted their frustrations and successes and offered helpful tips in hundreds of comments spread over the articles.

But all this has changed.

It has become super-easy to place a security freeze at the three major credit bureaus, and it’s now free. And it’s super-easy to lift the security freeze when you need credit, and it’s also free.

I just went through the procedure of lifting a security freeze that I had put on my account in 2006 (after the University of Texas had informed me that it had been hacked and that all my data from years earlier, including SS number, had been stolen), and that I had never lifted because it would have been a daunting amount of hassles in previous years, not only to lift the security freeze but then to put it back into place.

Top features of the three major credit bureau websites:

  • Functional and easy-to-use.
  • It only takes a few minutes.
  • Placing or lifting a security freeze is free.
  • Placing or lifting a security freeze is effective immediately.
  • You can lift a security freeze either indefinitely or for a specified period, such as one day.
  • You can place or lift a security freeze any day, any time.

So you can place a security freeze today, and when you need to apply for a credit card next March, you can lift the security freeze, apply for a credit card, and then, once you have the card in hand, you can place the security freeze back on your account, or have it placed back on the account automatically.

Here is what I did, including links:

Equifax: I went to the page myEquifax account. Equifax asked for all kinds of information to verify that this is me, which is good. Security matters. Once the account was set up, I unfroze my credit in about 10 seconds, effective immediately. Now I can log in any time to place or lift the security freeze. Next time, I’ll head straight to the login page.

Transunion: I went to the signup page and started setting up my account. Once set up, it took seconds to lift the security freeze. In the future, I’ll head straight to the login page.

Experian: I went to the security freeze page, clicked the appropriate of four buttons (“Remove or lift a security freeze”), which took me to the page where I entered my data. This was easy to do and took a couple of minutes. I was not asked to set up an account, so next time, I will likely go through the same sequence again.

The credit bureaus, particularly Equifax, may attempt to sell you a subscription for additional products. I ignore them. They’re totally useless with a security freeze in place — and nothing comes even close to the security of a security freeze.

My recommendation has changed.

I used to recommend that a security freeze was only appropriate for people who have all the credit cards, bank accounts, and other accounts they need, and who don’t expect to move or buy a home or a car anytime soon; and that a security freeze was too much hassle for people who are moving a lot or establishing credit or planning on buying a house, etc.

Now I recommend that just about everyone with easy access to the internet on their own device put a security freeze on all three credit bureaus, given how easy it is to place it and lift it. Why “on their own device?” Because confidential data exchanged during the process stays on the hard-drive of a computer, and on public computers or work computers others can find this data.

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.



  93 comments for “I Just Dealt with a “Security Freeze,” the Most Effective Tool for Credit Security: It’s Become Super-Easy & Free, after the Equifax Hack Two Years Ago

  1. 2banana says:

    Free and Effective.

    Security freeze from the top 4 credit agencies

    IRS Pin for taxes

    Social Security online account and check regularly for unknown income

    Check credit history for free regularly

    Google your social security number every once in a while

    This saves you at least $25/month from paying for a credit monitoring agency

    • hypocrisy says:

      How about some advice? Real?

      Never use your real name online ever, for anything
      Never use your real ID, never give any ID numbers to anything online

      Always use a ‘cold computer’ for banking, e.g. a computer dedicated to one task

      Never use/watch porn on a computer you use for any kind of business, the reason porn is free, is that 99% the russian mafia puts viruses on your computer to steal banking info from your computer, this is like the number one way they harvest info; By having a cold computer and only using this computer for biz, and then have a junk computer for porn, friends, facebook, wolf, zh, or whatever

      I think most important is not to use real name ever, and use aliases and mix them up frequently, passwords are not much of an issue, except for your cold computer, most systems can guess your password, as trillions of username/password combos are already in databases, so a password is not safety, same for phone messaging, a smart hacker can get an online pin quicker than you, they know your mobile number and they can forward it, before you get the pin

      The problem here is that belonging to a club or services, may make people feel safe, but safe from what? Sure the credit deal is understood for people addicted to debt, they may lock/unlock their addiction, but for people with real assets, you have to be very careful online, in fact for big money, its best to not even have the online enabled. At the very least have maximum’s on your accounts like a few $1k/day transfer max, and make sure that on every transfer every contact avail to you is contacted.

      • Wolf Richter says:

        hypocrisy,

        Yes, living in a cave by yourself ensures that your identity cannot be stolen, and that no one can ever apply for credit in your name because you don’t have a name.

        But for modern people who live in the modern world, buy things the modern way, drive a car that isn’t stolen, and post comments on this site via an internet access provider and an IP address (for example, you’re posting from Ban San Sai, Thailand), living in a cave by yourself and never emerging is not a great option.

        You may not have figured this out yet, but you cannot legally get credit or open other accounts in a made-up alias in the US. And if you use someone else’s name and credentials, you’re committing the exact fraud that a credit freeze protects against.

      • Wendy says:

        Trillions of passwords is so yesterday.

        I have trouble remembering my own passwords, and if I type them in wrong more than twice, my financial account is suspended. So instead of trillions, we are actually talking three, and on some higher security sites, two.

        Your advice on porn sites is useful, but does that include financial porn?

        Lol

      • Scott O says:

        Don’t enter your actual birthday anywhere that it is not required. I’ve entered Jan 1, 1950 (not my birthday) in most places. I get a lot of birthday congratulations on New Years Day.

      • freewary says:

        @hypocrisy

        Anyone trying to follow your advice is wasting their time if they are using and windows, apple or android device to access the internet.

        learn a little about cybersecurity and use linux machines only. No problems since I switched from windows to this in 2004.

    • robt says:

      I naively paid Equifax 15 bucks a month for credit monitoring for quite a while. One day the bank got in touch about suspicious credit card transactions; they were fraudulent. I got in touch with Equifax (who never notified me of anything awry). It took them a half hour to find my account, there supposedly was no suspicious activity.
      Attempted to cancel the ‘service’ immediately, but with some difficulty because they kept trying to sell me more service. This was about a year before the big data breach, which I think was engineered by someone using the name and password admin/admin – if not that, something just as stupid.

    • SocialNetMan says:

      The other issue is not to be ‘celebrity’ a reason that Wolf needs to have a ‘lock’ is because he’s a celebrity you can be sure that 1,000’s of bots, people, machines, worldwide are hacking into his public information, because he is a known-known

      If you unknown, if you don’t use facebook or any social-media, and if you never use your real name, and you keep low profile, and when you do go high profile, you use a faux name, you should be fairly secure.

      IMHO these freezes are about ‘debt’, and people fear another will use your ‘good credit’ to secure debt in your name fraudulently well what can I say? Here’s a good reason to make sure you have a bad score, pay bills late, have collections, don’t make yourself a target.

      Long ago I think these equifax report-scores and what-not were important, especially if you wanted a job at the FBI or any place with background checks, as people debt are easy to manipulate. That said, I really think nobody cares anymore, these days with the kids coming out of college in debt to their eyeballs, it doesn’t mean anything to in the credit score.

      Sure the TSA uses to decide if your a terrorist or not, but then it always boggles the mind, if you were a terrorist wouldn’t you create a profile with a perfect score?

      In summary IMHO I think its all BS.

      Another food for thought, I used to use these reports frequently years ago as a property-manager, so I had the opportunity to run a ‘real’ credit report on myself and family members frequently, and what I found was that over 50% of the input’s were BS, I’m talking just made up stuff, knowing that I always took it with a grain of salt when interviewing prospective tenants, just looking for obvious patterns. In the case of my own family I would frequently find dozens of aliases tied to the social-security number, when I would let them know, I could tell they were well aware, that it was they themselves who were getting car loans using their own social but an alias. So I have to wonder how many people are reporting ‘ID Theft’, when the thief is in the mirror?

      From my experience the ‘report’ they give you for free, and the report that a creditor gets on you are not the same, you get what you pay for.

      But these days the credit-report is about as reliable as a S&P rating, which means that its just some granny in a back room randomly entering numbers. People are rated “AAA”, and “BB” on the whim of normal bored data entry people.

      In summary you can lock all you want, but if your high enough profile, somebody can & will use your ID, and probably block you because they can. They can get your ‘block’ pin quicker than you can. So the most important step is be invisible to the system ( our GOV is a nation of kleptocrats, a GOV of common criminals )

      In west we say ‘squeaky wheel gets the grease’, in asia say they say the “Loudest monkey loses his head”. 100 monkey management, decapitate the loudest monkey, set an example. Here the people screaming the most about ‘ID theft’ are probably the same people that were high profile social-net users to begin with. “With Fame comes much unhappiness”

      • Cynical Engineer says:

        Being “nobody” won’t protect you from fraud/identity theft.

        My introduction to this world was when my phone rang one evening and the gentleman on the other end asked me if I was currently in Las Vegas opening an American Express account at Costco. When I confirmed that I wasn’t doing that, Costco security then detained the guy who was using my name and turned him over to the police. When questioned, he told the detective that he’d bought my identity information from a guy on a street corner in Los Angeles.

        I own and use a paper shredder. I have ALWAYS received my mail at a secured location (usually a USPS Post Office box). But, I have also held a California driver’s license in the past, and as recent media reports document, the CA DMV will sell their database to just about anyone who shows up with money.

        This all happened a decade prior to the Equifax breach. I was also very, very fortunate: Because somebody was arrested in the act of using my identity, I could point the other creditors to the Las Vegas police for official confirmation that a crime had been committed. It would have been a LOT harder to deal with the fraudulent accounts otherwise.

        LOCK YOUR CREDIT INFORMATION unless you WANT to spend hundreds of hours of your time unraveling the resulting mess.

  2. DawnsEarlyLight says:

    I have used it for many years. In some states it has always been free.

    One bureau only took freezing/thawing by mail, but now they all do it online.

    When applying for credit, If you know which bureau(s) they need to check, you only need to thaw the appropriate bureau(s).

    The freeze will not keep someone from fraudulently charging on your card, but it will keep someone from opening a new account pretending to be you.

    • Josh says:

      I did this a few months after the Equifax hack. I did the top 4 credit bureaus (I can’t remember the name of the fourth). It was a complete pain as several of them wanted me to send in proof of who I was including PII. Then they gave me pins that I promptly wrote down somewhere and lost. A few months later I went to buy a new phone and couldn’t do it because I couldn’t unfreeze the credit. Luckily my wife was more on top of this than me and she was able to unfreeze. I’ll have to take another look now.

      • David Rosenberg says:

        Whatever you do, do not lose the pin number they provide to you in order to lift your credit freeze. I misplaced the Experian pin number and it has been a complete nightmare trying to get it released. They ask you for information about cars you might have owned a decade ago or perhaps loans that you’ve had in the last 20 years. There is no way to speak to anyone at the company, I requested a new PIN unfortunately I only go back to the States about every 4 months. So I’m not sure that it will even be valid the next time I return. I agree that it is much easier however is critical to retain this information.

  3. Who Cares says:

    Dumb question probably but if it is so easy to lift the restriction for you wouldn’t it also easy to lift the restriction by the people who have your data from the Equifax hack?

    • nhz says:

      I’m wondering the same – as soon as such credit freeze gets more popular the fraudsters will adapt, too much easy money at stake.

      Difficult for me to judge how well this all works, but based on experience with the Dutch DigiD (digital citizen ID) widespread ID theft and other fraud is a given and government does nothing to protect you from it. On the contrary, they do many things that help the fraudsters with e.g. buying homes or collecting invalid government tax subsidies on your account. Over here you are practically guilty until proven innocent when the crime is committed using ID fraud ;(

    • Heff says:

      I’m just running this thru my head now as my wife and I just did this, but wouldn’t they need the actual username and password of the frozen credit bureau account to lift the restriction? My wife forgot her password and she was on the phone for 30 minutes with Equifax to verify her identity. I suppose anything is possible, but I don’t see that scenario really happening.

    • Just Some Random Guy says:

      Yep. As soon as a security measure is introduced, the criminals figure out a way around it. But it can’t hurt. Think of it like a locking your car door. If someone really wants to steal your car, they’ll unlock the door in no time. But if there are two cars next to each other, one with an unlocked door and one with a locked door, the thief will go for the one with the unlocked door.

    • Wolf Richter says:

      Who Cares,

      It’s certainly not “easy,” though for a good hacker/crook who spends enough time on it, it might not be impossible because online nothing is “impossible.” But it’s hard enough to do.

      Crooks want to set up credit accounts in your name and borrow in your name or buy things in your name. That’s how they make money. They pay some small amount for the data that the hackers stole, hoping that among the thousands or millions of individuals in that data trove there will be some whose data will allow them to set up credit accounts with banks or other lenders. A security freeze prevents that.

      They don’t want to spend time manually trying to figure out how to lift the security freeze with the hacked data they have on an individual. They don’t have the pin. They may not have all the other things that are being asked (just go through the procedure and see).

      They also don’t know if there is even a security freeze on your account because they’re just trying to apply for credit, and if their application is rejected – many are because lenders have their own fraud detection systems – the crooks don’t know why. So now they would have to figure out if the rejection is due to a security freeze or a fraud detection system, and then they’d have to try to use the data they have (and they don’t have the pin) to lift the security freeze at the three bureaus so that they could then try again to set up a credit account in your name…

      And they don’t need to jump through all these hoops in the first place because most Americans (like you, I assume) do NOT have a security freeze on their accounts and are the low hanging fruit – the easy targets. That’s what they’re going after.

      • Wisdom Seeker says:

        This is true for anonymous 3rd party ID thieves, but isn’t it also the case that a large fraction of ID theft is perpetrated by people who are well known to the victim? Sometimes even people who have access to one’s home. The necessary ID-theft defenses against people you’d otherwise trust are quite a bit different. Main thing is to have an unguessable PIN (and more generally, a set of core data and passwords that only you know) and don’t share it … except perhaps with your trusted next-of-kin who will have to deal with all your affairs should you meet an untimely demise.

        • RIPP says:

          From what I recall, the unfreeze PIN is provided by the credit bureau, and it’s something like 10 digits. It’s not something you create or that someone could guess if they know you well enough.

      • Who Cares says:

        Thank you for the extra explanation.
        Going to make a few people less easy targets. And hopefully convince a few others to do so as well.

    • Dennis says:

      99% of people won’t freeze accounts. Hackers will just move on to someone else, if yours is frozen.

    • Max Power says:

      The point is that it’s easy – but only if you have the thawing credentials!

  4. medial axis says:

    The best way to protect your identity from theft is to be anonymous. Pay with cash.

    • Wolf Richter says:

      If you’re in the US, the credit bureaus have your data no matter how you pay. And they sell your data no matter how you pay. They know your address, they know if you rent or own. They know your bank accounts, your income, just about everything.

      • Dumb question if I freeze my credit at all the credit agencies, do I have to unfreeze ALL of them to add new credit. What if I freeze two of the three, am I still safe? I think there actually five? Do I have to freeze all of them, and unfreeze all of them?

        • Just Some Random Guy says:

          Depends on what you need the unfreeze for. For something like getting a new account from Verizon, you need to ask VZ which bureau they use and unfreeze that. But for mortgages or car loans/leases, lenders tend do use more than one. Typically they’ll use all 3 and then take the average or median of the scores, in which case you need to unfreeze all 3.

        • PressGaneyMustDie says:

          Ambrose Pierce:
          To unfreeze you ask whichever lender or business you are dealing with to specify which bureau they use. Most lenders and businesses use one bureau. Then you “thaw” whichever bureau that the merchant uses so you can get that 0/0/0 deal on a Camry from Toyota Motor Credit. After you complete the transaction, you “re-freeze” that bureau’s credit profile of yourself.. There are lenders that use blended credit histories from multiple bureaus but the new trend in high end credit (and now employment) is a hybrid profile of credit bureau/credit card data/grocery store afinity card/large search browser company. I think a good story idea for Wolfstreet would be how easy it is to buy a terrifyingly granular (tech bro term for very specific) profile of a random individual.

        • David G LA says:

          Ambrose-
          I’ve had a freeze in place for about 15 years, and had to lift it about five times. There are websites you can Google that actually list which banks use which agencies and it’s worked for me. I just have to lift the one. You can ask the creditor which agency it uses, but they sometimes don’t even know the answer to this.

      • medial axis says:

        I’m alluding to (true) digital cash, as you likely know. You’d be able to store it in a bank (they’d know your ID etc, of course) and withdraw any amount (say $50) to a digital wallet on your mobile. You’d then be able to spend it (phone to phone or over the internet) without revealing your ID or anything about you (much like physical cash). So, in bar buying beer it’d work like physical cash. Online you’d give a delivery address (which could be a drop off shop/point or whatever). There’s many ways it can be done, some reminiscent of CoD. I’ll not bore you with details.

        The idea is to remove the need for firms to store sensitive info about you – thus reduce vendors’ costs and the worry they won’t look after it as well as you will. We shouldn’t be storing such info with firms that don’t need store it nor showing it to those that don’t need to see it.

        An interesting question is, “Can banks, or any centralised entity, provide true digital cash?”

        • Wolf Richter says:

          Ha, anytime you use your mobile phone for anything, it is tracked to the nth degree. Every app on your phone, plus Google or Apple, plus whoever, track everything you do, everywhere you go, including by tracking the phone’s movements and vibrations via the accelerometer in your phone. And they also know you’re paying in crypto.

        • medial axis says:

          @Wolf

          I’m not talking about being tracked, I’m taking about buying stuff without handing over your bank details and such. It’s not necessary when using true digital cash.

  5. Al Loco says:

    I have Equifax and TU froze for my wife and I. Its been working great but Equifax was a bit of a hastle to verify to unfreeze for a refi.

    This is a total assumption based on hearsay in regards to theives adapting. I have always heard theives get a pool of data. Based on that if they run into a credit freeze they will likely move to the next victims info.

  6. BB says:

    Have been using this strategy for over a year & very happy.

    BTW, when you are going to need to lift the freeze, ask the lender (CC company, whatever) which bureau they will be using. I do, and it usually works. Recently though, a banker told me “it may be any of them”, I told him I did not want the hassle of lifting all three, and if he could not narrow it down, we would not be doing business. He then told me which one- apparently, it was just another hoop to jump through.

    • Wolf Richter says:

      Yes, many banks will say “all three” or “any of the three.” Some, including the SSA, will tell you which one. I doesn’t hurt to ask if you know exactly what you’re going to do. But if you’re shopping for rates, all three need to be unfrozen.

  7. Satya Mardelli says:

    Wolf – I was prompted to freeze my credit bureau accounts when I read your last article. One thing to remember is that, if you are married, you will need to do it twice at each credit bureau. A separate freeze for you and your spouse is required. Most importantly, each freeze will require you to provide a unique PIN to unlock the account at a later date. SAVE THE PIN! I didn’t and it was a complete goat rope one year later when I needed to lift the freeze. As the previous commenter (Josh) noted – save the pin!

    • Lou Mannheim says:

      Yes, save your PIN, Experian wants a physical letter from me to lift the freeze.

  8. Todd says:

    Thanks Wolf!

  9. Iamafan says:

    My wife went through this hell a few years ago. Someone stole her identity and got a credit card on her name using her very old Tennessee address in the eighties. In addition to the freeze, she had to get affidavits with the police, social security, and the bank.

  10. Gershom says:

    Speaking of fraud, efforts by the Fed and bullion banks to smash down gold through naked short selling and dumping of notional (non-existent) paper gold aren’t working. The Fed, morbidly fearful of gold as the only store of wealth that doesn’t represent someone else’s liability, needs to make gold look weak to bolster the dollar now that Powell is on track to rival or surpass Zimbabwe Ben and Yellen the Felon when it comes to the debasement of the dollar.

    When the masses belatedly see what a con game the Fed is playing and start rushing into the safe haven of gold, it’s Game Over for the dollar unless the Fed dramatically hikes interest rates – which would be catastrophic for its asset bubbles and Ponzi markets.

  11. RD Blakeslee says:

    Wolf,

    Do credit card issuers check IDs and credit history of applicants for their card with other credit card issuers?

    The reason I ask: I have an excellent credit rating and have been issued a card from an issuer that I had not previously used, after freezing my credit at all three agencies. How did the new issuers know I was eligible (“pre-qualified”) for their card ?

    • Wolf Richter says:

      RD Blakeslee,

      “Pre-qualified” doesn’t mean much. It’s a marketing thing. You still need to apply for credit and get approved. Same as if you were not pre-qualified.

      But yes, there is a lot of data out there that allows credit card issuers to send you marketing materials, much of this comes from their “partners” — namely companies that you already do business with.

      One thing I do is with each bank, credit card issuer, brokerage account, etc. is to tighten up the “privacy” settings and disallow any and all the sharing of data that I’m able to disallow.

    • Wisdom Seeker says:

      Also worth keeping in mind that there are more than just 3 credit bureaus out there. Possible that your new card issuer used one of the smaller bureaus to identify you as a mark.

  12. Frank says:

    To clean your hard drive use BleachBit its free, set it to overwrite and allow it to clean the free space, I have no pecuniary interest in this software.
    Do not do your banking or finance on public networks, do it at home, preferably not using WiFi, and behind your own routers built in NAT firewall, you will be very difficult, (not impossible), to hack if you follow this simple advice.

    • nhz says:

      I think the biggest risk for the average user (who doesn’t blindly click on any link/email etc.) is massive data leaks/hacks at the big service providers, which is outside ones control. In Europe these are extremely common especially from government agencies that handle very sensitive data like medical records and all kinds of personal/financial/tax info you could use for ID theft and other fraud; US is probably similar.

      • California Bob says:

        re: “I think the biggest risk for the average user (who doesn’t blindly click on any link/email etc.) is massive data leaks/hacks at the big service providers”

        Yep. If you’re a hacker, which would you rather spend your time hacking: an individual’s online account with Amazon, or Amazon’s servers, which contain millions of CC numbers and other vital data (just an example, to my knowledge Amazon has never been hacked–that we know of).

        Whenever possible, I pay with PayPal rather than give my CC to an online business; I figure the fewer businesses that have my info the better and PayPal probably has better security precautions and staff to employ them (maybe not a safe assumption–more of a SWAG). Of course, every time you use a card at a store, gas station or restaurant you’re taking a chance. Someone got ahold of my CC number and ordered a bunch of stuff way out of character for me–vaping products and exotic coffees (I drink Costco’s)–and CitiBank caught if before I even saw the charge; all I was out was the time and effort to change all my online accounts.

        BTW, the fourth agency is Innovis. When I froze my records after the Equifax hack I found Innovis to be the easiest to deal with–at that time, the others were reluctant to give up a cash cow–and they even sent a snailmail confirmation of the freeze.

        • Harrold says:

          Most banks have apps that you can set to notify you anytime your credit card is used. I discovered this out after my credit card number was stolen and used on wild shopping spree at a Walmart in Alabama.

        • David G LA says:

          CA Bob
          The problem with paying with pay pal (as I understand it) is that you lose all of the benefits of paying with a credit card. (Reversing a charge for a merchant dispute or a bad product). I know pay pal has some of these protections, but I prefer my bank’s. I’ve had amazing things reversed after a situation with a seller has gone south.

        • willem says:

          For on-line purchases, Citicard has a great product I’ve been using for years called Virtual Account Numbers. There are both downloadable and web-based versions. It is tied to your CC account, but allows you to generate new numbers for on-line transactions. For each new number you create, you can control how much the credit limit is and when it expires. You can also bump up the limit later or cancel the number at will.

          Any charges you make using the new numbers you create just show up on your regular Citicard CC bill as a normal line item.

          Every time I make an on-line purchase, I create one of these with an amount that is a dollar or two over the purchase price–if anyone else gets the number, it’s useless to them because I’ve already maxed it out with my first purchase.

          This app is terrific for on-line shopping, and really it is the only reason I still have the Citicard.

        • California Bob says:

          David G:

          re: “The problem with paying with pay pal (as I understand it) is that you lose all of the benefits of paying with a credit card.”

          Good point (I haven’t had to dispute a charge for so long it didn’t occur to me).

          CB

    • RagnarD says:

      Seems to me, if ur a big bad guy, how hard is it to either pay someone inside one of these data Warehouses : VISA, banks, Amazon, Equifax, etc. or have one of ur own get hired by them, and then pump out the data to you?

    • Pat McKim says:

      What is “NAT” or NAT Firewall?

  13. unit472 says:

    I had my ID stolen earlier this year. The bank said it was via malware installed on my computer rather than anything they did ( but they would say that wouldn’t they). The problem is once a thief or thieves have your data the bank won’t protect you just themselves. They’ll keep a tight rein on THEIR credit cards but not your actual bank account. I was told I had too much cash in my checking account so I should move it into a new savings account to reduce my vulnerability so I did. Fat lot of good that did as, after my checking account was drained these jokers found my new savings account info and, telefonically, transferred $50,000 out of it back into my checking account.

    It was fascinating in a gruesome sort of way to track the thieves as they attempted, sometimes successfully, to defraud businesses using my data despite all the credit agencies having been notified. If the loan applications fail to go through ( and they apply everywhere) these thieves find other less obvious ways to get money. I just received a bill/cancellation notice from a company called “PayLink”. It, apparently, is some extended warranty auto insurance and I “owed” them $419.40 for a copay or premiums? on my 2008 Nissan Titan. Problem was I no longer owned that Nissan Titan nor had I ever heard of PayLink. My name was spelled wrong and the address lacked my condo number but PayLink had gone ahead and processed the application and, apparently, some transaction for which they were trying to collect. I called them up and told them I didn’t know what they were talking about and good luck trying to collect and that they ought to be more careful as to who their ‘customers’ are.

    Fortunately I’m retired and do not care about my credit rating since I have no need for credit other than a credit card and while SunTrust issued me a new one they wouldn’t unlock it so I just use my Chase card ( which notifies me via email after each transaction). I now don’t use the internet for financial transactions using the mail or landline phone payments via checks. I also ask for paper billing, bank statements and automatic deductions for recurring bills. Going on line to see your bank statements is just too risky. I also don’t do business with SunTrust anymore save for a CD which expires January 24th. Been with them for over 20 years but they have very low quality people in their Atlanta fraud office.

    • nhz says:

      In some cases I suspect the scammers are people who work through or with the banks and CC companies. But these companies will NEVER tell you the details of what happened, too risky in case one of the clients has a good lawyer.

      I remember a case in Netherlands from years ago of a profligate Nigerian scammer who lived the good life for over a year, making countless victims along the way but the police could do nothing they said. In the end he was found to operate from one of the offices of Dutch ABNAMRO (biggest, partly state-owned bank). You could even pay him a visit at the office for cash transactions (the typical “downpayment” for your welldeserved part of a Nigerian fortune) and other sensitive issues; very friendly and well dressed “banker”. It never became quite clear to me now much the bank knew … And there are thousands of guys like this working in my country alone, although most of them keep a lower profile.

      Another story I remember is of people who were robbed from their gold at home, after someone at the bank had provided criminals with a list of all clients who had purchased gold bars. When such info gets out in the open it is almost impossible to put the genie back in the bottle.

      • unit472 says:

        I suspect you are right about bank employees being likely suspects. Some low paid teller or back office employee has, on their computer monitor, access to unlimited wealth. I noticed this right out of college when I worked at Bank of America’s data processing center in San Francisco. Every night the bank printed out the info on every account and a bunch of people we called ‘robots’ would manually sort the data by bank branch and couriers would deliver it to that branch for tellers to reference. So, if you cared to look you could find J.P. Getty’s bank account number and how much he had in his checking account.

        • Max says:

          Unfortunately, I have a brother-in-law who had an accomplice inside a BofA branch in SF, and I found out they were snooping on my and my mother’s accounts. It was this that prompted me to put a credit freeze on the credit agencies – this was in 2016. I was really glad that when the Experian breach occurred, my credit freeze was already in place – and still is. I have no need for credit right now, but if and when I do, it’s simple to unfreeze them. Thank for the good advice, Wolf. My only problem now is I still have the same a ****** brother-in-law.

    • California Bob says:

      One thing to watch for: A tiny debit–usually, a few cents–on a checking account. If someone has stolen your account info, they will often try a small debit before trying to suck the account dry. This happened to my mother a few years ago and, fortunately, she asked me what the small charge was for and we notified the bank immediately and further damage was avoided.

      Check your major accounts daily; most banks and CC companies have ‘an app for that.’

      • Unit472 says:

        You are correct or at least partially, Here is the email I received from SunTrust on June 3rd of this year.

        This e-mail is to notify you that we’ve identified multiple, small electronic payments from VENMO on your account ending in 0093,which could indicate potential unusual activity. Please log in to the SunTrust Mobile App or Online Banking and review your transaction history. If you recognize these transactions, no action is required. If these transactions are unauthorized, contact us immediately at 877.XXX-XXXX

        I did contact SunTrust and told them I had no idea who was behind these transactions or what they were for. Unlike your mother this was just the beginning of my problems. In fact I had already had $500 and $975 transferred from my account to an account at Marcus, Goldman Sach’s retail bank. I have no solution to what to do other than immediately close all your bank accounts and open new ones. SunTrust sure doesn’t have an answer. The problem is for many is if you have auto deposit and payments being run out of your existing bank account. Close it and you then have to notify and redirect all of those and hope you aren’t left in limbo with no auto or health insurance etc. while you scramble to set up alternatives.

        • HowNow says:

          After a contentious mortgage origination, in which the lender asked for every personal piece of info imaginable, for my wife and myself, I went to Wells Fargo and asked if I could change my account numbers while leaving the account intact. The manager said he can do it and assumed that it was related to some risk of identity theft. That must be a condition for them to justify making those changes.
          If I’m ever worried about a credit card being compromised (left at a restaurant or similar), I call in and get a new card. They may want to know that you have lost it.

    • Iamafan says:

      SunTrust. That’s the bank that issued a credit card to the person that stole my wife’s identity. That bank made my wife go through hell even if she never have done business with them before. I agree they were shameful.

  14. Tresho says:

    I tried to freeze my credit with Transunion, Experian and Equifax online in mid-October. The first 2 were very easy to do, and done within 15 minutes for both of them.
    Equifax was a complete MESS, then and up to yesterday. I used the same data online to try to get a credit freeze. Equifax then asked about 4 questions, of which there was the same answer: none of the above. Then Equifax told me they could not process my request online. They promised to send me a letter with further instructions. A week later I got the instructions. I followed them online, and within minutes came to a dead end, once. again. I tried calling their 800 number, registered my complaint. Whoever answered said Equifax would send another letter, which never came.
    I tried again a couple of days ago. I, too, went to the page myEquifax account. After I entered my User ID and PIN, Then I got the page saying “Please give us a call.
    We can’t complete your request at this time.
    Please call the Customer Care team
    888-836-6351”
    So I called that number. After being on hold for 70 minutes without being connected to a customer representative, I gave up. There was another option, to mail them a paper request. This is the info I got & replied to:
    Address: Equifax security freeze,
    P.O. Box 578810
    Atlanta GA 30348
    Include full name
    Current or previous address dating back last 5 years
    Social Security Number
    Date of birth
    Copy of driver’s license
    Brief summary of request.
    ———-
    Equifax is still a very bad actor, IMNSHO.

    • Wisdom Seeker says:

      I had similar issue with Equifax, just trying to check their annual free credit file.

  15. Don Nez says:

    Wolf, I have been using the “temporary freeze” option for many years after having had someone fraudulently use my identity while at a local emergency room. In fact, I just re-newed it yesterday, with TransUnion. I only do it with one of the three agencies as they (TransUnion) said that “they will contact the other two agencies for me, so contacting all 3 is supposedly not necessary. What is your opinion of this; should I contact all three myself, or not? Thank you, Nez

    • Wolf Richter says:

      Equifax on its info page clearly says — and everyone else says — that a credit freeze must be done with each of the three credit bureau individually. I would not rely on anything else. It’s now really easy to do. That’s the whole point.

  16. Dan says:

    Thanks for keeping us up to date on this important issue!

  17. Moelicious says:

    I froze via Chexsystems and was able to open commercial savings and checking accounts at my existing banks. Haven’t tried opening at a new bank/brokerage.

  18. V8 says:

    Just wait till bio metric data gets hacked……

  19. David Hall says:

    I have a LifeLock subscription. They monitor my credit for identity theft and provide insurance.

    • unit472 says:

      Good for you, but here is the deal. Back in the day of paper checks you didn’t have to pay $10/month or whatever LifeLock now charges to secure your bank account. Banks were responsible and that is why they and stores requested ID before you could use a check.

      Its hard to steal a lot of money using a stolen check or a forged signature. A 30 year old male drug addict trying to pose as a 50 year old woman, despite modern PC theory, doesn’t pass the smell test. If all you have to do is insert a credit card into a scanner to pay for things its easy.

    • Wolf Richter says:

      But they don’t fix the issues that you get when your identity is stolen. You have to fix those issues yourself. Ask unit472 here how much fun that is.

      Why would you pay someone to do a lousy job not really protecting you when you can actually protect yourself for free?

      • Pat McKim says:

        Thanks Wolf. The high pressure sales technique and the discussion of the “dark web” that Experian uses and now that they use Norton (which is sooo slooowww) made me realize this is almost as bad a scam as other problems. They aren’t honest.

  20. SomethingStinks says:

    Thanks for the tip Wolf. Any idea if I can do this for a 10 year old. He does not need credit any time soon, but has a SSN. Only places it can leak is either from the school, doctors office, or the IRS where they have him as my dependent.

    • Wolf Richter says:

      Yes you can, at least with Experian, which has a dedicated button for just that on the page that I linked. The others you will have to check.

  21. Boss says:

    You were actually able to freeze your Experian file without a license? Not my experience, although that was several years ago.

    I find it hard to believe Experian allows people to freeze their files with just a social and a date of birth. They tend to be very very very difficult to work with and look for any excuse to keep your file open. They claimed I was not giving them my proper e-mail address, which was absurd since I’ve used multiple e-mail addresses for decades!

    Transunion and Equifax are much easier to deal with.

  22. Ensign_Nemo says:

    I just tried to set up a mySocialSecurity account online.

    The website refused to create an account. I don’t know why.

    I called the help desk and the waiting time is two hours, which exceeds the battery life of my phone.

    God Bless Bureaucracy.

    • California Bob says:

      re: “I just tried to set up a mySocialSecurity account online.

      The website refused to create an account. I don’t know why.”

      I’d stay on top of this; it sounds like someone might have beat you to it.

      I only ‘got online’ with SS a few years ago (I’m 66). My experience was different; totally friction-less. There was some minor issue, and a very nice lady from the SS Admin gave me a call to clear it up; she didn’t seem overly pressured and we chatted amiably for a while (maybe that’s the problem ;).

      On another note, I sold a house a couple years ago for a substantial capital gain. SS has notified me that my benefits for (at least) the next year will be reduced fairly significantly; I thought there was no ‘means test???’

      • Wolf Richter says:

        California Bob,

        If you’re full retirement age, income shouldn’t impact SS. But it sounds like you were not there yet at the time (“I’m 66”). And then it does impact SS. From what I understand, this money they’re not paying you will be added to what they will pay you later, as your payments may increase, so it’s not lost, just deferred. There are good resources on this that explain this whole thing.

        • California Bob says:

          Thanks for the info, Wolf. Frankly, I don’t remember exactly when I signed up, but I started taking my benefit after I hit 65 (and this was a cap gain, not income). Here’s what they said:

          “We will use the new lower MAGI to see if we can make a new decision about your IRMAAs. We cannot make a new decision if your income has changed for a reason other than those listed above, such as receiving one-time income from capital gains.”

          Doesn’t sound like this will be deferred.

    • Wolf Richter says:

      Ensign_Nemo,

      If you have a security freeze in place, you cannot set up an SSA account online. You have to go to the SS office or lift the freeze.

      If you do not have a security freeze in place, and you cannot set up an SSA account on line, it’s time to go to the SS office and find out why. This could be harmless, or it could be big trouble. You need to find out.

      • Ensign_Nemo says:

        I have a security freeze in place. I will probably skip going to the SS office, and just wait until I need to lift the freeze for another reason before I set up the SS account.

      • California Bob says:

        Does this mean you can’t set up the account if you have any security freeze–i.e. on any of the four agencies–or only the one they (presumably) check against?

        Another ‘experience’ I had: my elderly mother wanted to put me on her checking account as a co-signer; BoA insisted on getting my SS number, which I was reluctant to do but relented, then I had to unfreeze one of my credit reports–Equifax IIRC–and, without my asking, they merged a CC acct. I had with them (why couldn’t they just check their own account info?). Though this is actually a convenience, as I can monitor all accounts from my login, they never explained this to me beforehand and it was a bit unnerving.

        The credit agencies have WAY too much power and, as far as I can tell they aren’t regulated or otherwise held accountable (except when they REALLY screw up). We know more about what goes on in the CIA than we do about FICO.

  23. Lurker says:

    Hi Wolf so the freeze will it prevent collection account from being recorded in my credit records if I miss some bill?

  24. twolfe says:

    Have had a security freeze on all 3 credit agencies for years now.

    One unexpected side benefit is that when those pushy store clerks keep nagging you to apply for their store credit card for 10% off your purchase, go ahead and apply. With a credit freeze in place you’ll always get denied the card on the spot but a lot of times they’ll still give you the 10% off as a ‘consolation’.

    • California Bob says:

      There are (at least) five credit agencies:

      I froze the 3 majors, and Innovis. Of all four, Innovis was the easiest and most cooperative (NFI).

      • Wolf Richter says:

        There are over 30 “credit bureaus” in the US. I don’t trust any of them. That’s why I delete all links to them. They may not have ANY of your data, but when you try to do a security freeze there, they say, Yes, please, sure, just fill out this form and put in all your data. And you do this, and NOW they have your data. And NOW you need to worry about them having your data.

  25. Max Power says:

    Great advice, Wolf.

    Everyone should set one of these up!

    I did so about a year ago.

    Everything works fine for me except with Experian. It never lets me unfreeze (using my unfreeze credentials) on their website but it does work when I do it through their automated phone system (again, using the correct credentials). Go figure. I like that you can preset a future expiry date for the thaw.

    I also try to do as much of my banking as possible on the iPad. It seems less vulnerable to malware than the Windows PC. I have a suspicion that most folks who are hacked are probably done so through some kind of malware.

  26. RD Blakeslee says:

    Even after freezing my credit rating accounts, I have been granted credit twice: Once for a new credit card and once to buy an automobile. The auto salesman corroborated my disclosure of my credit score, which I can obtain from several of my online financial accounts upon request.

    So, sophisticated lenders apparently do have “workaround” sources, both to verify who I am (Driver’s license, for example) and my credit score. No problem, so long as their verification is accurate.

  27. Virginia David says:

    The personal risk related to the accuracy of the data from these “credit reporting agencies” now goes beyond personal credit risk. I recently tried to open a statement savings account with a cash deposit at a local branch of Suntrust. They declined to open the account because they could not “verify my identity” with EQUIFAX. Suntrust didn’t know it, but they couldn’t verify my identity because I have a freeze established on my EQUIFAX data. However, Suntrust has no credit risk for a statement savings account only. Their requirement to verify identity is based on government requirements that they take steps to “verify identity” in order to open any account. This expands the use of the “credit agency” data. For instance, what if I apply for a lease and the leasing agent rejects my application because they can not verify my identity with EQUIFAX because they have inaccurate prior address information on me? That makes Wolf’s recommendations to freeze reporting agency personal data and to monitor that data more important for everybody.

    • Wolf Richter says:

      With a credit freeze in place, you cannot open a bank account at a bank where you’re not already a customer. This is universal in the US, not just Suntrust. You used to be able to. But that stopped many years ago. It’s NOT about credit, its about the “Know your customer” rules. Banks want to make sure that you cannot open an account in a fake identity.

  28. MiamiNice says:

    Thanks Wolf for this article

    I followed the process w/o issues with Equifax and Transunion
    But with Experian got an error page stating I have to do it by mail
    Also called the given phone number, but after a lot of time in the phone with the automated system I was told they are closed, to call on working hour (today is Saturday); will call on Monday

  29. Max Igno says:

    As far as I’m concerned, these credit reporting agencies have no business having any of my credit and identity info let alone give it out. Who authorized them to have my info? Did I somehow unwittingly authorize them to have it? If I have not authorized them, then they have stolen it. Equifax, Transunion, and Experian have stolen my info and give it out without me knowing and somehow I am responsible. How can Equifax, Transunion, and Experian give out my stolen info and I am held responsible?

Comments are closed.