Credit Freezes Are Now Free: Here's Why to Get One

American consumers, rejoice! Identity thieves, bummer! Credit freezes, which Equifax, Experian and TransUnion once charged money for, are free as of today (Sept. 21) thanks to a new federal law.

Credit: Steve Heap/Shutterstock

(Image credit: Steve Heap/Shutterstock)

This means that you can now ask each of the Big Three credit-reporting agencies to "freeze" your credit indefinitely, and then temporarily "thaw" it when you need to provide someone access to your credit history, without incurring any fees. Those fees ranged by state but could be as much as $10 per action.

Freezing your credit isn't for everyone. If you're planning to buy a house or car, take out a loan or ask for another kind of extensive credit within the next year or so, you might want to hold off.

But if you've got your lodging, transportation, utilities and credit cards sorted out, there's no real downside to freezing your credit so that no one can get a look at your file without your approval. It won't hurt your credit score. To request it, here are the linked pages at Equifax, Experian and TransUnion.

MORE: What to Do After a Data Breach

This new law, which came about as a result of the Equifax data breach a year ago, and it's not clear how much of an impact it will have on identity theft. But as Brian Krebs, an independent security blogger who has long advocated freezing your credit (and does so himself), says, leaving your credit "unfrozen" makes it very easy for anyone to access your credit report, including your Social Security information.

"There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries," Krebs wrote in a posting last week discussing the new law.

"In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks," Krebs added. "In other cases, it’s trivial for anyone to sign up for these services."

Don't count on anyone else to protect you

In other words, don't count on the credit-reporting agencies to protect your data under normal circumstances. The Equifax data breach proved that there's not much punishment for them if they don't.

The company failed to fully patch its own systems against known vulnerabilities, and let the credit data on more than 150 million people get stolen. Yet only a couple of executives have been prosecuted — not for negligence, but for alleged insider trading of company stock before the breach was publicly revealed.

Freezing your credit wouldn't have stopped your data from being stolen in the Equifax breach. But it would have made it much harder for anyone to use that stolen data to open up a new account in your name.

Credit alerts may no longer be enough

Until now, Tom's Guide has advocated instituting a credit alert, also known as a fraud alert, on your credit file instead of a credit freeze. That's because alerts were easier to implement and cost nothing, and as noted above, a freeze makes it harder for anyone who needs credit to get it. However, while "thawing" a freeze used to take up to five business days, the new law mandates that the thaw happen within an hour of your online or telephone request.

A credit alert means that anyone seeking to extend you credit should take extra steps to verify your identity before doing so, and the credit-reporting agencies should notify you if anyone has inquired with them about extending credit to someone using your name. (Without an alert or a freeze, there's no notification at all.)

Instituting a credit alert is easy — you just go to a specific page (such as this or this) on one of the Big Three's websites to request it. The credit-reporting agency you contact will contact the other two.

Credit alerts used to expire after 90 days, but thanks to this new law, they now last a year. There's no charge to re-up after the initial credit alert expires, and some people just keep implementing new ones.

But the key word governing credit alerts is "should." There's no law that requires a lender from taking extra care to verify your identity. It's entirely voluntarily, which means that it's not really much protection at all.

Even credit freezes aren't perfect

A credit freeze, on the other hand, bans the credit-reporting agencies from coughing up your information to anyone unless you specifically authorize it.

There are exceptions, and some of them are worrisome. It's sensible that law-enforcement agencies, companies with which you already do business and the credit-reporting agencies can still see your data, but according to Equifax, so can debt collectors and background-screening companies that provide services to potential landlords and employers.

"How do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord?" wondered Krebs in last week's blog posting. "Answer: Anyone can be a landlord (or pretend to be one)."

Make credit freezes part of a bigger process

Nonetheless, it's worth instituting a credit freeze for someone who doesn't need a large amount of credit in the near future.

Even if you do take that step, though, you should still continue to request a free credit report from one of the Big Three every four months by going to You should still look over your credit-card statements (and bank statements, if you have a debit card) every month. You should avoid telling strangers your birth date — it's a vital piece of your identity, so don't put it on Facebook.

And you should continue to protect your Social Security number by not disclosing it to anyone who doesn't need it.  Your doctor, for example, should be able to make do with just your insurance-card number.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.