1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

OPM Breach: Credit Monitoring vs. Freeze

Discussion in 'KrebsonSecurity' started by RSS, Dec 2, 2015.

  1. RSS

    RSS New Member Member

    Many readers wrote in this past week to say they’d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information was jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM’s response — the offering of free credit monitoring services for up to three years — won’t work if readers have taken my advice and enacted a “security freeze” on one’s credit file with the major credit bureaus. This post is an attempt to explain what’s going on here.

    [​IMG]
    OPM offices in Washington, DC. Image: Flickr.


    Earlier this week I got the following message from a reader:


    “I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”

    The reader continued:


    “This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”

    I reached out to my followers on Twitter to gauge their reactions to this. I wrote: “Finish this sentence: Lifting a freeze to enable credit monitoring is like….” Here were some of the notable responses:

    @sdweberg 10:22pm …shooting your rottweilers and paying the neighbors a monthly fee to “keep an eye on” your house.

    @shane_walton 10:15pm …installing flash to watch a flash video about the evils of flash.

    @danblondell 10:13pm …leaving the storm doors open to keep an eye on the tornado

    @flakpaket 12:48am …leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors.

    @ShermanTheDad 8:25am …taking your gun off safety to check and see if it’s loaded.

    Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file *after* you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.

    As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

    Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, ID Experts — the company that OPM has paid $133 million to offer credit monitoring for the 21.5 million Americans affected by its breach — offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

    If you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth signing up for these credit monitoring and repair services. Otherwise, I’d strongly advise my US readers to consider freezing their credit files at the major credit bureaus.

    Depending on in which state you reside, there may be a small fee to place and/or thaw a freeze on your credit file, and freezing them at all four major bureaus (Equifax, Experian, Innovis and Trans Union) could cost as much as $60. But this is a small price to pay for peace of mind.

    In a perfect world, breached organizations would offer to pay the costs involved in freezing your credit files, but sadly the standard playbook in corporate breach response is to pay for credit monitoring.

    PROTECTING DEPENDENTS FROM ID THEFT

    One area where credit monitoring makes more sense is with dependents and children under the age of 18. That’s because it’s impossible to freeze a credit file that doesn’t exist, and most minors aren’t going to have one (hopefully).

    According to Experian, if your children already have credit reports in their names, one of three things has happened: You have applied for credit in their names and the applications were approved; you have added them as authorized users or joint account holders on one or more of your accounts; someone has fraudulently used their information to apply for credit and they are already identity theft victims.

    One way to find out is to visit annualcreditreport.com to apply for a copy of their credit report. The most important precaution parents can take is to keep a close eye on dependent credit files when kids reach their mid-teens. That way, if a credit file materializes for your child because of identity theft, there is still time to sort it out before the kid actually needs a line of credit or loan. However, if your child becomes the victim of ID theft at a very young age, it probably makes more sense to freeze the kid’s credit file.

    Most credit monitoring services will allow you to enroll your children as well, but that coverage generally expires after they reach 18. KrebsOnSecurity reader Michael found this out when he tried to sign up his five kids after receiving a notice from the OMB.

    “For some reason, coverage for adult children was not provided when I signed up and is discontinued once they reach 18, so at the outset, only 2 of my 5 kids were included even though their data was also compromised,” Michael wrote.

    If you’re considering freezing your credit file, have a look at this primer which walks through the various steps needed to place a freeze. It also includes pointers to additional steps that consumers can take to avoid becoming victims of identity theft.

    Were you or your family impacted by the OPM breach? How have you responded? Sound off in the comments below.

    Continue reading...
     

Share This Page