In the aftermath of the Great Equifax Breach of 2017, many consumers are asking, “Should I freeze my credit?”
Equifax said that hackers stole personal data, including Social Security numbers, birth dates, addresses and even some driver’s license numbers, from an estimated 143 million Americans. About 210,000 credit card accounts were also jeopardized, according to Equifax. The company said it discovered the “unauthorized access” on July 29 but kept mum about it until last week. In terms of cybersecurity breaches, this one was pretty much the motherlode ― not because it surpassed the Yahoo breach of December 2016 with 1 billion users affected but because this one occurred on the watch of a company charged with protecting our personal data.
The Federal Trade Commission announced it is investigating the Equifax incident, and the Consumer Financial Protection Bureau is looking into the company’s response to the breach. Members of the House Judiciary, Financial Services, and Energy and Commerce committees have all called for hearings on the matter. And politicians on both sides of the aisle have demanded an explanation.
Consumers, searching for ways to be proactive, may freeze their credit. Plenty of cybersecurity experts suggest that it’s just one of the things consumers can do to protect themselves. Here are some things to think about before you do:
Freezing your credit, at least at the moment, is a major hassle.
While a credit freeze may stop someone from pretending to be you and applying for a credit card or taking out a car loan, it also will block you from doing the same. Once you put a credit freeze on your files, you have to lift it when you want to use your credit and then reestablish the freeze afterward.
To put a credit freeze in place, you must contact each of the three credit reporting agencies separately (Equifax is one of the three) at the companies’ credit freeze portals. If you don’t contact all three, you basically have no “freeze.”
And good luck on that one.
Just getting through to Equifax via its website or phone system has become a job for Superman. Mere mortals just can’t do it. Between the site crashing and the phone lines being jammed, The New York Times asked in all seriousness: Do Equifax’s website and phone systems actually [even] work at this point?
Times columnist Ron Lieber reported that some people are waiting until the middle of the night to use Equifax’s security freeze website and then still failing to get through. “It’s like trying to get Bruce Springsteen tickets, except nobody wants to see this particular show.”
There’s lots of frustration ― and rage ― being expressed on Twitter as well.
Freezes are not for everyone.
A credit freeze is not like a bathroom faucet that you can easily turn on and off. For one, you will be charged a fee each time you touch it.
But there’s something else to ask yourself: Just how much confidence do you have in the credit bureaus at the moment to know they will respond quickly and accurately if you want to turn off a freeze so that you can buy a house or a car?
Reminder: They haven’t actually been able to answer the phone or keep their websites operational.
Credit security experts advise that if you know you will be applying for a loan soon, hold off on freezing your credit. Maybe they haven’t been able to get through on the phone either?
Credit freezes are not the salve for your Equifax wound.
When you put a freeze on your report at a credit bureau, it means that that bureau won’t release your information when a company requests it. So if someone applies for a line of credit with a bank, the bank will pull your credit report and see that it’s frozen. Theft thwarted.
But a credit freeze doesn’t do a thing to protect any data that has already been compromised. While a freeze prevents new lines of credit from being opened, it doesn’t stop thieves from going on a shopping spree with your already-breached credit card number.
Systems to prevent misuse of credit cards are already in place.
The good news is that most financial institutions already have ways to flag questionable transactions. You probably know this firsthand if you’ve ever traveled out the country and didn’t let the nice folks at MasterCard know you were on the move. What happens is they will try to reach you, and if that doesn’t work, they will freeze your credit card. And you may just learn about it as you attempt to pay the check at a fancy restaurant in Paris.
(Most credit card companies ask that you let them know your travel plans to avoid credit interruption over suspicious purchases.)
Credit card companies pay attention to where and how you shop. A large online purchase of electronics sent to an address you’ve never used is going to raise a red flag, and you will likely be contacted and asked to verify it. Credit cards also protect you against unauthorized purchases if you let them know about them. If the merchant can’t produce evidence that you bought an item, there is an excellent chance you won’t have to pay for it. If an account has been compromised, it will be closed immediately and a new account opened and the cards for it sent to you overnight.
All of which makes credit and bank cards a bit more protected because of industry efforts to police their use. A credit freeze won’t do anything close to that.
And just as a footnote: The FTC Consumer Sentinel Data Book reports that most credit card theft originates from us giving out our account numbers over the phone. So maybe we should be a little more cautious in that regard.
A freeze could actually expose you to more harm.
When you put a freeze on your report, you will be given a secret PIN that allows you to freeze and unfreeze your report at will ― assuming you can get through to the three companies. But having a PIN is problematic for one big reason: What happens if cyber-thieves hack into the vault of a company that maintains your credit freeze? You know, kind of like what just happened to Equifax?
For what it’s worth, Equifax made no new friends when it began handing out PINs after the breach. As reported on Twitter by Tony Webster and confirmed elsewhere, Equifax’s secret PINs were just the date and timestamp of when you initiated the freeze. Webster tweeted, “If you froze your credit today [Sept 8 2017 at] 2:15pm ET for example, you’d get PIN 0908171415.”
Once Equifax learned of the problem, it switched to random number generation. But for those consumers who froze their credit before the random number generator was installed, changing a PIN to something different from the original timestamp requires written correspondence to Equifax, reported David Berlind, editor of ProgrammableWeb.
Nothing like customer service being the first casualty in a disaster.