Hopefully you weren’t one of those kids who heard a noise in the middle of the night and pulled the covers up over your head to protect you from the monster under the bed. Or in the closet. Or in the hallway. Or staring in the bedroom window. And, hopefully you’re not a grownup who does it either.
The point is: are credit monitoring services the equivalent of pulling a blanket over your head to provide you with the appearance of security? Or do they offer real blanket protection?
Security expert, Brian Krebs, of Krebs on Security, who’s often been the target of identity theft because of his efforts uncovering cybercrime, has thoroughly investigated whether credit monitoring services are really worth having. Following is what he’s discovered. Note: it’s been edited to fit our format.
Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.
Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).
“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one). But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done. It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster. And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”
FRAUD ALERT BREAKDOWN
Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.
Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them….
Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).
I’m not sure what happened last year, but I believe some fraudsters managed to apply for credit in my name right after my 90-day fraud alert had expired. In any case, I received a call from AllClearID (formerly Debix), a credit monitoring service that I’ve used for nearly two years now. AllClearID called to tell me someone had made several applications for credit with Capital One.
AllClearID quickly conferenced in a representative from Capital One’s fraud team, but Capital One wouldn’t tell us anything about the application unless I gave them every piece of information about me they didn’t already have. We went round and round with Capital One for hours about this, but got nowhere; I refused to hand over more personal information just to prove to them I wasn’t the one who made the application, and each new representative we spoke with made us retell the story from the beginning.
In all, I had several fraudulent applications for credit in my name, and while none of them were granted, each resulted in a “hard pull” against my credit file. Anytime a creditor pulls your credit file for the purposes of checking an application for new credit, it dings your credit score down a few notches. And as Evan Hendricks writes in his primer on the credit industry (Credit Scores & Credit Reports: How the System Really Works, and What You Can Do), “the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums.”
Unfortunately, another thing that often happens with fraudulent applications is that thieves use only part of your real information — mixing your name and Social Security number with an alternate address, for example. This is what happened on two of the fraudulent applications for credit in my name, with the result that this incorrect data was added to my credit file.
AllClearID has been tremendously professional, and quickly alerted me each time Capital One pulled my credit file. But the company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name. The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file, and in scrubbing the fraudulent data from my credit file (actually, that part is ongoing: Trans Union has steadfastly ignored requests to remove bogus addresses on my file, necessitating AllClear’s filing of an official complaint with the Consumer Financial Protection Bureau).
I asked several experts that I trust for their views on credit monitoring services in general, and to explain their benefits and weaknesses. I also wanted to know why none of the credit monitoring services will offer to renew 90-day fraud alerts on behalf of customers.
Julie Ferguson, a board member of the Identity Theft Resource Center, said a lawsuit by Experian against Lifelock effectively killed that service for virtually all credit monitoring services, with the exception of Equifax. “After Experian sued Lifelock, none of the banks wanted to distribute and sell it as a service,” Ferguson said. “Equifax will still. Nobody else does anymore, not even Experian.”
Ferguson also stressed that there are varying levels of protection services offered by the credit bureaus and private companies, and that although many of them are priced similarly ($10-$15 per month), they vary widely in the services they provide. Take, for example, the ProtectMyID package that Experian contracted with Target to offer customers following last year’s massive data breach. The service will monitor your credit report daily and alert you of any changes, and includes up to $1 million in identity theft protection insurance. The service also offers users a fraud resolution agent if identity theft does surface, and it provides a free copy of the user’s credit report (Experian is required by law to provide a free copy of your credit report each year anyway, via annualcreditreport.com). Those who sign up for the free service still have to pay extra to see a copy of their credit scores
“The ‘protection’ provided by these services is really all over the map once you delve into the services they provide,” Ferguson said. “Some will give you credit monitoring only on one credit bureau, while others will monitor your file at all three.”
Avivah Litan…rattled off a long list of reasons why credit monitoring services aren’t much use to most consumers.
-Most won’t tell you if a new wireless or cable service has been taken out in your name.
-They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.
-They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document. Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.
-They do nothing to stop tax fraud (typically tax refund fraud) against you. Same is true for other government benefit programs, i.e. Medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.
“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”
DO THESE SERVICES HELP AT ALL?
“They help if it’s too hard for you to look through your free credit report and make sense of all the activity in it,” Litan said. “Also they can alert you faster than the free credit report does, depending on timing of the infraction and when you look at your free credit report.”
Litan added that some services — such as Lifelock — have a few extra bells and whistles. For example, Lifelock sometimes gets information (such as from the Early Warning System) when profile information on your bank account has changed (e.g. change of address).
“They also have access to most mobile carrier account application data,” Litan said. “Equifax has some extra utility company data. So, some of these firms have access to some extra data than can help in other scenarios.”
While most plans offer identity theft insurance — usually advertised as up to $1 million — most of that is coverage consumers already have under existing laws and Visa/MC zero liability rules, Litan says.
“On top of that they reimburse ID theft victims for some legal fees and some minor expenses like postage stamps,” Litan said. “But if someone takes out a mortgage in your name and now you owe the bank $100k or more – nobody covers that, and that’s what they need to cover.”
Ferguson said credit monitoring services are most useful for people who have already been victimized or for those who are likely to be victimized (by a jilted spouse/lover, or stalker, for example). For those individuals, it makes sense to purchase a plan that offers triple credit bureau monitoring for maximum protection. The main downside of this approach is that a fraudulent application for credit can result in a deluge of alerts, emails and phone calls from all three bureaus simultaneously.
ALTERNATIVES TO CREDIT MONITORING
As mentioned above, placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.
You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.
If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.
A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file.
When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”
Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.
Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.
Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.