Future Tense

Cold Comfort

Why you should freeze your credit report before, not after, your information is compromised.

credit card debt.
Better to freeze now than feel the burn of financial fraud later.

Photo illustration by Juliana Jiménez. Photo by Bevan Goldswain/Thinkstock

You hand over your credit card to an unscrupulous cashier at the frozen yogurt place, or purchase crazily underpriced Ray-Bans from a sketchy website, or realize your card fell out of your pocket on the bus—and a couple of days later, your financial institution calls you about a suspicious transaction. Identity theft in the form of stolen credit card or bank account information has become a nuisance most Americans will deal with at some point. Although financial companies in the United States are slowly improving some aspects of security (chip-enabled cards have finally arrived after years of use in other countries), there seems to be little you can do to prevent your personal information from ending up in the hands of people you’d rather not have it.

Most problems from someone using your existing accounts are resolved fairly easily. With a phone call or two and maybe your signature on an affidavit, the card issuer returns your money, you get a new card, and the only thing worth remarking on is the weird stuff the card-stealing delinquent purchased. Someone once bought a bus ticket from Stockholm to Copenhagen with my Citibank card, which, when I checked, is like a seven-hour trip. If I were spending someone else’s money, I’d buy a plane ticket.

But getting your money back and changing your card number don’t mean that your information is safe. According the New York Times, half of all adults in the United States had some type of personal information exposed to hackers in 2014 alone, and the paper’s nifty/depressing quiz shows what information about you might be circulating online.

That personal information is out there not just because you might have used your credit card at a disreputable website or attempted to help a Nigerian prince’s widow move some money out of the country. Thanks to a background check for a government job in 2009 and some corn-on-the-cob holders on sale at Target in 2013 (sometimes the weird purchases are your own), a good chunk of my personal information is available to those who poke around the darker corners of the Internet. This includes my birthdate, my employment history, and my credit card information, but most worryingly it also includes my Social Security number. A determined criminal can do a lot more damage with my Social Security number and a little personal information than he or she can with only my credit card, and I can’t easily change my Social Security number.

While most incidents of identity theft involve using existing account information, personal information like Social Security numbers can be used to fraudulently open credit card accounts, apply for loans, acquire a cellphone, or even rent an apartment. Unlike with the fairly low-level inconvenience of someone misusing an existing account to facilitate Scandinavian bus travel, you may not be aware of someone opening an account in your name until your credit is ruined or debt collectors start circling. A surprisingly interesting 2013 report from the U.S. Department of Justice highlights that people “who had personal information used to open a new account or for other fraudulent purposes were more likely than victims of existing account fraud to experience financial, credit, and relationship problems and severe emotional distress.” And once you do find out your information has been used to open an account, it can be tremendously difficult to unravel: Nearly one-third of victims “spent a month or more resolving problems” (emphasis mine).

You can’t improve security procedures at the feckless companies with which you do business. But there is an effective way to prevent a malefactor from opening a line of credit in your name: the security freeze. Also known as a credit freeze, it prevents third parties from accessing your credit report. Because lenders and creditors want to know your credit score in order to determine how likely it is that you’ll pay back whatever you borrow, they ask one of three major consumer credit bureaus to view your credit file. A security freeze means this cannot happen without your permission to unfreeze, or “thaw” (clever!), your report. Since a lender won’t extend credit without knowing your credit history, the hacker who acquired your Social Security number and address can’t open an account in your name.

The security freeze option has been around for a little over a decade, but my and others’ anecdotal evidence suggests that most people are unfamiliar with it. There are probably a few reasons for this. For one, banks and credit card companies don’t exactly promote the security freeze. Providing astonishingly easy access to credit is a significant source of revenue for them. (Think of how often you’ve been asked to sign up for a company-branded credit card in a department store or while in coach on a flight somewhere.) Putting up hurdles that make it even a little bit more difficult to open a line of credit isn’t in their financial interest.

Second, imposing a security freeze involves fees and takes some effort on your part, unlike the tepid “credit monitoring” often offered by companies that have been hacked. But we’re talking about a half-hour’s worth of work to set up the freeze, and maybe $40 in fees. (The fees depend on where you live, as outlined in this handy chart from Equifax, and if you’ve been the victim of identity theft, it’s usually free.) Compared with the emotionally distressing month or more you could be dealing with the hassle of a fraudulent account, that sounds like a pretty minor inconvenience, and the fees are about the cost of a few months of a credit-monitoring service if you were to pay out of pocket.

Here’s how the process works. You call or visit the website of each of the main consumer credit bureaus: Equifax, Experian, TransUnion, and, if you’re being thorough, Innovis (a smaller, fourth bureau that also collects financial information about you). You follow the steps for implementing a security freeze, and they give you a PIN for when you want to remove or thaw the freeze. Don’t lose that PIN! Otherwise you have to pay to get a new one. Washington, D.C., where I live, allows the bureaus to charge a $10 fee, so I paid $30 total for my freeze. (Innovis didn’t charge anything.) And that’s it, for the most part. If you want to get a new credit card, lease a car, apply for a mortgage, submit to a background check, or any of the many other things that require a credit check, you’ll need to get the freeze lifted temporarily. The easiest way to do this, as per the excellent KrebsOnSecurity blog, is to contact the company that needs the credit report to see which credit bureau it uses, and then unfreeze your report with that bureau. You’ll probably want to do this at least 24 hours in advance.

Certainly, this is a bit of work and requires some planning. But getting a new line of credit, or leasing a car, or whatever, should be a bit of work! We have mostly pretended that the digital world is a safe space to do business in, because it’s convenient, because we’ve become apathetic to the never-ending news about security breaches, and because we don’t have much choice. But since many companies, including traditional brick-and-mortar retailers, have demonstrated their utter inability to hold on to the vast amounts of information they collect about their customers, the burden of protecting yourself has shifted to the consumer in more significant ways than changing your PINs every now and then or checking your credit report once a year. (Although of course you should do those things, too.)

A security freeze isn’t a panacea, and it can’t protect you from other kinds of identity theft. But considering it, and thinking about other ways you can be proactive in making your personal information a little more secure, should be part of the adjustment we make as we find ourselves in an environment in which no information we put out into the world, whether on- or offline, is entirely secure. Financial institutions and companies have a responsibility to protect their customers, to be sure, but taking some control over how your personal information is used and who has access to it can prevent the most damaging kinds of identity theft. We’ve been leaving our houses mostly unlocked in a neighborhood that’s become increasingly unsafe. Rather than a collective shrug of the shoulders when hearing about the latest break-in, it’s time to think about going through the inconvenience of installing some decent locks.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.