American consumers, rejoice! Identity thieves, bummer! Credit freezes, which Equifax, Experian and TransUnion once charged money for, are free as of today (Sept. 21) thanks to a new federal law.
This means that you can now ask each of the Big Three credit-reporting agencies to "freeze" your credit indefinitely, and then temporarily "thaw" it when you need to provide someone access to your credit history, without incurring any fees. Those fees ranged by state but could be as much as $10 per action.
Freezing your credit isn't for everyone. If you're planning to buy a house or car, take out a loan or ask for another kind of extensive credit within the next year or so, you might want to hold off.
But if you've got your lodging, transportation, utilities and credit cards sorted out, there's no real downside to freezing your credit so that no one can get a look at your file without your approval. It won't hurt your credit score. To request it, here are the linked pages at Equifax, Experian (opens in new tab) and TransUnion (opens in new tab).
This new law, which came about as a result of the Equifax data breach a year ago, and it's not clear how much of an impact it will have on identity theft. But as Brian Krebs, an independent security blogger who has long advocated freezing your credit (and does so himself), says, leaving your credit "unfrozen" makes it very easy for anyone to access your credit report, including your Social Security information.
"There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries," Krebs wrote in a posting last week discussing the new law.
"In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks," Krebs added. "In other cases, it’s trivial for anyone to sign up for these services."
Don't count on anyone else to protect you
In other words, don't count on the credit-reporting agencies to protect your data under normal circumstances. The Equifax data breach proved that there's not much punishment for them if they don't.
The company failed to fully patch its own systems against known vulnerabilities, and let the credit data on more than 150 million people get stolen. Yet only a couple of executives have been prosecuted — not for negligence, but for alleged insider trading of company stock before the breach was publicly revealed.
Freezing your credit wouldn't have stopped your data from being stolen in the Equifax breach. But it would have made it much harder for anyone to use that stolen data to open up a new account in your name.
Credit alerts may no longer be enough
Until now, Tom's Guide has advocated instituting a credit alert, also known as a fraud alert, on your credit file instead of a credit freeze. That's because alerts were easier to implement and cost nothing, and as noted above, a freeze makes it harder for anyone who needs credit to get it. However, while "thawing" a freeze used to take up to five business days, the new law mandates that the thaw happen within an hour of your online or telephone request.
A credit alert means that anyone seeking to extend you credit should take extra steps to verify your identity before doing so, and the credit-reporting agencies should notify you if anyone has inquired with them about extending credit to someone using your name. (Without an alert or a freeze, there's no notification at all.)
Instituting a credit alert is easy — you just go to a specific page (such as this (opens in new tab) or this (opens in new tab)) on one of the Big Three's websites to request it. The credit-reporting agency you contact will contact the other two.
Credit alerts used to expire after 90 days, but thanks to this new law, they now last a year. There's no charge to re-up after the initial credit alert expires, and some people just keep implementing new ones.
But the key word governing credit alerts is "should." There's no law that requires a lender from taking extra care to verify your identity. It's entirely voluntarily, which means that it's not really much protection at all.
Even credit freezes aren't perfect
A credit freeze, on the other hand, bans the credit-reporting agencies from coughing up your information to anyone unless you specifically authorize it.
There are exceptions, and some of them are worrisome. It's sensible that law-enforcement agencies, companies with which you already do business and the credit-reporting agencies can still see your data, but according to Equifax, so can debt collectors and background-screening companies that provide services to potential landlords and employers.
"How do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord?" wondered Krebs in last week's blog posting. "Answer: Anyone can be a landlord (or pretend to be one)."
Make credit freezes part of a bigger process
Nonetheless, it's worth instituting a credit freeze for someone who doesn't need a large amount of credit in the near future.
Even if you do take that step, though, you should still continue to request a free credit report from one of the Big Three every four months by going to annualcreditreport.com. You should still look over your credit-card statements (and bank statements, if you have a debit card) every month. You should avoid telling strangers your birth date — it's a vital piece of your identity, so don't put it on Facebook.
And you should continue to protect your Social Security number by not disclosing it to anyone who doesn't need it. Your doctor, for example, should be able to make do with just your insurance-card number.
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.