Practical privacy and simple cybersecurity.
TheNewOil.org

An Important Update About Credit Freezes in the United States

This will be a short but important post. This past week, I was forced to use my credit for fiber internet. I’ll be moving to a new place shortly, and while we had two choices of internet provider (both terrible), only one offered fiber for this location and I’ve become rather spoiled by my current fiber speeds (my current ISP is not available at the new location). After a couple failed attempts at social engineering, I agreed to go ahead and submit to a credit check. My threat model is relatively low, and I take other measures to protect myself – such as freezing my credit and using a reputable VPN on my entire router – so while I didn’t want to hand over my information I was willing to in this case knowing that my resulting exposure – even in a data breach – would be relatively low and my other options weren’t great. I was surprised to learn that there have been some changes to the credit freeze management process since the last time I did it, and I wanted to make my other privacy-minded people aware of it.

How it Used to Work

If you're unfamiliar with what a credit freeze does or how it works, in short it makes it impossible to open a new account or even check your credit report without being unlocked first. As many of my readers may know – especially if you’ve read my site – it used to be that all three major agencies (Equifax, Experian, and TransUnion) worked the same: you apply for a credit freeze, they send you the PIN, you guard that PIN with your life ’cause I can speak from experience that replacing it is a long and painful process, and if you ever want/need to unfreeze your credit for any reason – like to open a new account or buy a house – you use that PIN to unfreeze it. I also strongly encourage my readers to institute a fraud alert every year as a second layer of protection as some clever social engineers have found ways around the PIN requirement.

What’s New

Currently, Experian still works on the PIN-based method. You can go to their website and create or lift a freeze without ever creating an account or signing in. Equifax and TransUnion, however, now require you to make an account to manage your freezes with them. It’s an annoying but straightforward change.

What I Recommend

No doubt some will be asking if I think this is a change worth worrying about. Should we stop freezing our credit because we have to make an account? Should we resist making an account? First off, you should still absolutely freeze your credit. The 2017 Equifax data breach proved that these companies have garbage security, do not take your privacy or security seriously, will face absolutely no consequences when they screw up, and you will not receive any kind of compensation or have any recourse (I’m still waiting on my <$10 settlement payment that was agreed to in July of 2019). These companies don’t care about you, won’t protect you, and have no incentive to do so. Take the responsibility into your own hands.

Having said that, my advice is to make your accounts right now for two reasons. First is the fact that these companies already know everything about you and are tracking you. Whether you sign up for an account or not doesn’t change that. Just to clarify: there are ways to severely limit how effectively these companies can stalk you. I outline several on my website, and there are countless other great resources I recommend that expand on these principles and have even more advice. What I’m not saying is “they’re gonna track you and there’s nothing you can do about it,” what I am saying is that whether or not you create an account has no impact on the quantity or quality of their efforts to track you. You have nothing to lose by signing up for an account, but rather you have something to gain: control of that account. Even if you plan to never use your credit ever again, it’s best to plant your flag now. Security expert Brian Krebs describes “planting your flag” as basically making an account so that nobody else can pretend to be you later. This is a perfect example. If you feel that you never plan to use credit again and therefore you don’t need an account to manage a freeze, a criminal who finds your information on the dark web could still theoretically make that account on your behalf and now they can manage your freeze and disable it to open new accounts in your name – classic identity theft. It’s better for you to create that account with an email address you control and a strong password than to risk letting a criminal find enough information to pose as you and take control of that account. Thanks to the 2017 Equifax data breach and public record people search sites, it’s very conceivable that a criminal could find all the information they need to easily create that account and control your credit. Plant your flag even if you never plan to use credit again.

If you do plan to use your credit someday in the future but not right now, I still encourage you to go ahead and make those accounts now that you’ve read this. As I can promise you from my experience this past week, it sucks to want access to your credit right now and be unable to do so. Apparently I had already created an Equifax account and lost the login information, and both their automated systems and human were unable to verify me so I had to mail in documentation. At the time of writing I’m still waiting for that to resolve. All for some stupid fiber internet. Thank god this isn’t an emergency like needing to replace a car or find housing. Now that you’re aware of this, please make sure to take care of this now before you need it, or plant your flag before cybercriminals do. Also, I don’t normally ask this, but please share this blog around with your American friends and family. This is a change that completely flew below my radar and while I don’t claim to be Mr Know-It-All, if I missed it I’m certain almost everyone else has, too. I’m sure that Equifax and TransUnion made zero effort to broadcast this change. Let’s let everyone know so they don’t get blindsided or caught unaware.

Click here to create a MyEquifax account and click here to create a TransUnion account, or alternately just search for them yourself on your preferred privacy-respecting search engine.
