Since the Equifax
dumpster fire breach, I’m still on the fence about freezing my credit.
Perhaps this is surprising. After all, now that my information, along with 143 million others, has likely been taken by who-knows-who for who-knows-what purpose, it might seem like an obvious move to try to restrict what can be done with it.
But hasty decisions are not helpful here. The proverbial horse has left the barn here. Your information is already stolen. Yes, it’s possible that someone is gearing up to take out a giant loan in your name right now, but with 143 million accounts to choose from, there’s just as much chance that you’re just somewhere in the queue.
Also, as I don’t trust the credit agencies, I don’t want to pay them for something that shouldn’t need to be paid for.
Luckily, there’s a small chance that we might not have to soon.
The credit freeze
So let’s review. A credit freeze puts a hold on the release of your credit report, helping to ensure that only you can access it.
Wait, that’s not true by default?
Not really. To be able to do things with your credit, someone must have your personal information, such as your address and social security number. And no one’s getting that unless one of the three major credit agencies were hacked…oh.
Basically, anyone has your information if they want it.
But fear not! You can pay for a credit freeze, which in practice means that you are given a secret code which prevents anyone else from using your information to get a new credit card or loan, unless they have that code.
How many problems can you spot in that situation?
Problem 1: Where is this code stored?
The code, so far as I can deduce, is usually a numeric PIN.
This code is stored on the credit agencies’ computers. So right away, the security of this thing goes right out the window.
But then again, passwords are rarely stored on computers as plain text. Your password on your own computer is encrypted in a way that makes it difficult to decode the password from the encrypted one.
But not impossible. And cracking a numeric password is orders of magnitude easier than one with letters and special characters.
So whoever got our information presumably has our credit freeze PINs too.
Problem 2: Can the PIN be retrieved?
Even if they don’t have the PIN, it’s maddeningly easy to get access it.
Check it. On this Experian “forgot your PIN” page, you can go through that process to recover your PIN. You will be asked a number of questions that “only you” will know. Questions like previous addresses, mortgage owners, credit card applications etc.
But this is the very information that is available in the breached reports!
And even if not, a little internet sleuthing will probably net anyone this information. In fact, it’s not unheard of for people to use their own internet searches to find their own information. (Do you remember exactly when your mortgage or student loans, or even credit card applications were originated?)
So your PIN is easily retrieved.
Problem 3: What does that PIN consist of?
One would like to think that the PIN we get is random and not determinable.
You can probably guess by now that this isn’t always the case.
Equifax, the star of this show, was up until recently, doing something incredibly boneheaded. It was creating the PIN based on the date and time stamp of the credit freeze.
This is incredibly stupid. Like putting 1-2-3-4-5 on your luggage.
Yes, they’ve changed this process right now. But again, who feels like they are losing confidence in this whole thing?
Problem 4: Why are we paying for this privilege?
This is the part that gets me. This process, insecure and probably pointless as it is, isn’t free.
You have to pay for the credit freeze, and then pay to thaw or unfreeze again.
Each time. At each agency.
But at least one lawmaker is looking at ending this insanity. Elizabeth Warren, senator from Massachusetts, and who don’t forget helped establish the Consumer Financial Protection Bureau, has now introduced the Freedom from Equifax Exploitation Act. This would ensure that all freezes and thaws would remain free.
Which is a good thing, considering we’re basically paying the company for their own negligence. Raise your hand if you’re not into that.
You can freeze if you want to
Yes, you can freeze your credit if you want. It’s a good idea, and if you’ve been a victim of actual identity theft, it’s imperative.
This site has links to how to sign up with all the agencies, with websites, addresses, and phone numbers.
But I’m going to hold off for now. I predict there’s going to be some movement in this space, and I want to wait until the changes trickle down to us. Since all of our information is already stolen, I’m not convinced that a few days or weeks will make much of a difference.
But make sure to get your credit reports in the meantime.
Latest posts by Mike Pumphrey (see all)
- The investment hat trick: The health savings account (HSA) - October 16, 2017
- This is why I don’t pick stocks - October 12, 2017
- If you don’t understand it, don’t invest in it - October 9, 2017