Credit Security Freeze Is Often More Trouble Than It’s Worth
It seems as though every few weeks there’s another retailer announcing the theft of some of its customers’ credit or debit card information. Such mega-breaches, like the ones affecting Target and Home Depot customers in 2013 and last year, have haunted tens of millions of consumers. There are an unknown number of unreported cases involving banks that quietly notify their customers they’re getting a new credit or debit card because of a reported breach at some undisclosed merchant.
One of your first reactions when any of this happens might be to consider freezing your credit file or adding a fraud alert to warn credit issuers that your information may have been compromised. But a security freeze is often an unnecessary and potentially costly step that could complicate your life. A fraud alert, while less troublesome, probably won’t achieve anything more than peace of mind.
However, there are other important measures you should take to protect yourself when your card data is stolen. Here’s what you need to know.
Understanding security freezes
When you initiate a security or credit freeze at all three major credit bureaus, you’ll be denying most companies access to your credit file. That typically prevents anyone from opening credit in your name. Obviously, you don’t want a thief applying for a loan or a credit card with your name on it. But to do that, a scammer would have to have your Social Security number, date of birth and other sensitive personal information.
Because most merchant data breaches involve only the theft of credit and debit card numbers, thieves don’t obtain the details they need to apply for credit. Even the theft of your debit card personal identification number would not be enough. So a security freeze most likely won’t help you. And it could make your life difficult.
One reason is that a freeze blocks not only thieves from opening credit in your name, but everyone else as well. So you’ll be unable to obtain a credit card or loan unless you lift the freeze at any credit bureau the lender checks when granting credit. This is not only burdensome, but can be costly. Depending on your state, you may be charged fees to freeze and unfreeze your file, unless you’re already a victim of identity theft, or in some jurisdictions, a minor or elderly.
Under Texas law, for instance, credit bureaus can charge non-identity theft victims $10 to freeze their files and another $10 to unfreeze them. To remove the freeze for just one creditor, non-victims can be charged $12.
In New Jersey, initiating a freeze is free for everyone, but the state allows the bureaus to charge $5 to lift it.
It can get even more expensive if you lose the personal identification number the credit bureau gave you when you initiated the freeze. For a replacement PIN, you can be charged $5 to $10, depending on the state and whether you’re an identity theft victim.
One big exception is South Carolina, where bureaus aren’t allowed to charge anyone to initiate or remove a freeze or replace a PIN.
You can find summaries of state security freeze laws on the website of the credit bureau Equifax.
The fraud alert alternative
A less burdensome and free alternative to initiating a security freeze is to place a fraud alert on your credit file. But as with a freeze, an alert is designed to prevent someone from obtaining credit in your name, which, again, is unlikely following a merchant breach that involves only card data.
Unlike a security freeze, an alert won’t prevent anyone from looking at your credit file. But before granting credit, companies must take reasonable steps to verify that it’s you who are making the request. You need only place an alert at one credit bureau, which will notify the others. An alert lasts only 90 days. There’s also an extended fraud alert, which lasts for seven years. But to get one, you must submit an identity theft report from a law enforcement agency.
What you should do.
If a merchant tells you thieves may have stolen your Social Security number or other sensitive data, consider a fraud alert or even a security freeze.
If the breach involves only your card data, here are the steps you should take.
Change your account numbers. The first step is to change the numbers of the affected accounts. That likely will happen automatically if a merchant or bank discovers your information may have compromised.
But you should request an account number change on your own if you lost your cards, think someone may have stolen the numbers or seen unauthorized charges or withdrawals on your bank statements.
Just be sure to provide the new account numbers to any merchants whose bills you have set for automatic payment from a credit or debit card. If you don’t, you could end up with a missed payment fee.
Consider a fraud alert. A fraud alert might be worth considering as an extra precaution or if you’re concerned the breach may have involved more than card data. You can do that at any of the major credit bureaus, Equifax, Experian or TransUnion.
Immediately review your accounts. Go online to find out whether anyone has made unauthorized withdrawals from your checking account or charges to the compromised credit card. Then carefully check your monthly statements for any unauthorized activity and report any problems immediately. Under federal law and most car issuer policies, you won’t be liable for unauthorized activity you report right away.
Examine your credit reports. Check your credit reports at each of three credit reporting agencies. You can do that at AnnualCreditReport.com, where you’re entitled to one free report from each of the major credit bureaus every 12 months.
It’s unlikely that you’ll find any credit opened in your name, but it’s a good idea to play it safe. Also, you may be able to detect unauthorized activity in your existing accounts.
Accept credit monitoring. If there’s a breach, the merchant typically will offer you a year or so of free credit monitoring, which will notify you whenever anyone accesses your credit file. It can’t hurt, and credit monitoring typically gives you extra benefits, such as additional free access to your credit reports. When the free period expires, don’t let the credit bureau talk you into paying to continue the service. It’s generally not worth it.
Be on guard. Watch out for scammers who may try contacting you, pretending to be your bank or a merchant. With your former account numbers in hand and knowledge of the data breach, the scammer might claim to be from an institution’s fraud department in an effort to trick you into handing over sensitive data, such as your new account numbers, or even worse, information needed to apply for credit in your name.
That’s a particular danger if a merchant notifies you that email addresses were stolen along with card data, as was the case in the Home Depot breach.
Never provide account numbers or any other info to someone who contacts you, no matter how legitimate they seem. If you think the call may be valid, hang up and call back. But don’t use the number the caller gave you. It could be a fake, too. Obtain the contact information separately.