Monitoring your Credit – Should you Lock or Freeze?

In my Cybersecurity 101 post I discussed the top 3½ things you should do to improve your security online. One of these was to regularly monitor your credit using Credit Karma so you would know if your credit score was changing and more importantly if someone had queried the credit agencies outside your knowledge. One of the first indications that your identity has been compromised may come from inquiries against your credit.

Earlier this year, the U.S. Congress modified consumer protection laws requiring all three of the major credit reporting agencies to allow all consumers to freeze and thaw their credit for FREE. While this is a good thing, it is important to understand the benefits and limitations that come with freezing your credit. The benefit is easy: Once your credit is frozen at all three agencies, NO ONE (see exceptions at end)—not even you (or Credit Karma)—can access your credit in any form or fashion, and this protection is enforced by federal law, meaning should someone gain access, then the credit agency would have some explaining to do.

On the surface, one might think it’s a no-brainer, I will just freeze my credit until I need it, thinking they don’t plan on applying for a loan or refinancing their mortgage (especially with rates going back up). Just freeze it and forget it, right? Unfortunately, our credit information is being accessed more than we might think. If you apply for insurance, even a new quote on your homeowners or auto, many insurance companies will first query your credit and base your rate on that score. If they cannot access your credit, they may or may not tell you that. They may simply quote you a higher rate. The online instant quotes many times do this (I’ve tested it). You may be shopping in a new store and they have a great offer if you sign up for one of their credit cards. You fill out the form and the associate comes back in a few minutes and whispers to you, “I’m sorry but your credit was denied.” (Been there done that.) They don’t know that your credit is frozen, only that the automated process they use denied it. Employers many times will make a credit check part of their pre-employment as well as ongoing employment checks, and there are many more.

Even if you are very internet savvy and think you can just hop online whenever you need and quickly thaw your report, you should know that you must do this for all three agencies, each time and they do not make this an easy process. I personally used to believe this and locked our credit for three years. During that time, I had to thaw it no less than seven times and each time it was painfully frustrating—and I’m a geek! During this freeze/thaw process, I had the distinct impression they purposefully make it difficult and frustrating on purpose, because if your credit is frozen, they cannot sell it. After three years of irritation, I stopped freezing our credit and just monitored it with Credit Karma.

However, they do make locks very easy to use, they even have smartphone apps that allow you to lock and unlock with a simple “push of a button.” Great you say, “I will just lock my credit and unlock on demand.”  But, what exactly is a credit lock? Well, none of the agencies make this really clear.  What is clear is that when your credit is locked (not frozen), it is not protected by federal law so if someone does access your information and steals your identity, you have no recourse with the credit agency. Another major difference is it appears that when you lock your credit, the agencies can still sell your information to third parties (credit card companies), but all three do state that hard pulls, the type of inquiry performed when applying for credit are not allowed.

So, which, if either, is right for you? This recent article on Nerd Wallet gives some good examples that we would recommend you use as guidelines. [Note, this article states the Experian lock option is only part of a paid plan, but I have found that no longer to be the case. They do have a free option.]

Regardless of which option you choose, I do recommend that you sign up for a free account on all three services and go through at least the lock/unlock process so you will know how to do it quickly, should the need arise. If you are feeling industrious, go through the freeze/thaw process once as well. Make sure you save your PIN (currently only required on Experian) in your password manager as you cannot thaw or remove the freeze online without it. All of the credit agencies currently require additional steps to freeze/thaw that are not required with locks, and the processes are separate, meaning you cannot perform the lock and freeze on the same website/login, which is what can make this process even more frustrating.

Hopefully, Congress will go one step further and make this a one-step process where you can lock or freeze your report with one agency and they are required to report it to the other three, like they do with the fraud report. Until then, I’m hoping some industrious third party (Credit Karma are you listening?) will provide that option in an easy to use app. THAT is something I would pay a small monthly fee to use.

Following is from the Equifax site as of October 2018. My experience has been different from this, so your mileage may vary.

If my Equifax credit report is locked or frozen, who can access it:
Freezing or locking your Equifax credit report will not prevent access to your credit file at any other credit reporting agency. Freezing or locking your Equifax credit report prevents access by potential creditors and lenders, but there are exceptions. These exceptions may include:

• Companies like Equifax Global Consumer Solutions, which provide you with access to your credit report or credit score, or monitor your credit report as part of a subscription or similar service;
• Companies that provide you with a copy of your credit report or credit score, upon your request;
• Federal, state, and local government agencies and courts in certain circumstances;
• Companies using the information in connection with the underwriting of insurance, or for employment, tenant or background screening purposes;
• Companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe;
• Companies that authenticate a consumer's identity for purposes other than granting credit, or for investigating or preventing actual or potential fraud; and
• Companies that wish to make pre-approved offers of credit or insurance to you. To opt out of such pre-approved offers, visit www.optoutprescreen.com.

Mobile Device Security

The vast majority of mobile devices today are either from Apple (iPhone and iPad), which all run Apple’s proprietary iOS, or they are running a version of Android from Google. Most security researchers consider the Apple iOS to be far more secure than Android for the following primary reason*:

Apple strictly controls their operating system, and only Apple-approved apps can be installed on their devices. Every vendor that uses Android can, and typically does, modify it. As a result, there are hundreds of different versions and varieties of Android on millions of devices. Security updates are typically the responsibility of the different vendors, and newer versions from Google may never be available for your device.

*In all cases, we are assuming that you have NOT “jailbroken” your device (opened a backdoor to its built-in security to allow you (and others) to install software from outside the vendor approved methods) and you apply all patches as they become available.

For this reason, I use and recommend only Apple devices as I consider them the most secure mobile devices currently available.

While there have been some bugs and exploits of Apple devices, Apple has been quick to fix them. The number of instances where devices have actually been compromised is believed to be very small and typically a result of user error and/or carelessness. You can decrease the likelihood of exposing your devices to problems by doing the following:

1. Keep the device updated.
2. Be very selective on the apps that you install. If you let your children/grandchildren play games on your iPad, then you may not want to use that device for banking.
3. Don’t connect your mobile device to any computers you do not own and control.
4. Avoid public Wi-Fi or use a VPN if you must.

If you already own an Android device and cannot or will not switch to Apple, then you may want to consider installing security software from one of the major vendors. Webroot, our first choice for your desktop/laptop, also has software for Apple and Android.  If you use an Android device to do anything other than basic email, we recommend you install security software to help protect that device. Before purchasing the security software, make sure it works with the version of Android on your device.

Amazon Kindle

I have owned Kindles since Amazon first released them and love it. The Kindle runs a customized version of Android, but it cannot run a lot of the apps in the Google Play store. While Amazon updates the Kindle software periodically, and I think it is a wonderful device, I do not and would not use it for doing anything sensitive (i.e., banking). I use my Kindles for reading books, streaming video and ordering stuff from Amazon. If your email provider supports multi-factor authentication (Google) then I would consider it likely safe for email purposes. While I have tested Gmail on the Kindle and my wife uses it for that purpose, I still prefer the iPhone/iPad for that purpose as they are more secure.

Travel

Finally, if you are traveling and find it necessary to use public Wi-Fi (and of course always with a VPN), then I would recommend you install Webroot on those devices, even Apple devices. You simply cannot be certain of what is going on “under the covers” when using public Wi-Fi.