By now it has become an expected reaction to a data breach. A company announces it has been breached and, in the press release, it assures victims they will get a couple of years of credit monitoring to help them ward off identity theft.
Just one problem: credit monitoring does next to nothing to prevent identity theft.
That’s right: it is close to useless.
And yet the offer still gets loudly made because breaches keep happening. When wireless carrier T-Mobile revealed in late September that the records of 15 million credit applicants had been breached at a server operated by credit agency Experian, John Legere, CEO of Deutsche Telekom-owned T-Mo, wrote in a blog post, “Anyone concerned that they may have been impacted by Experian’s data breach can sign up for two years of FREE credit monitoring and identity resolution services.”
If you are a victim – of the T-Mo breach or similar – know that credit monitoring is about as useful to you as a Band-Aid is to a person who just had a finger hacked off in an industrial accident.
That metaphor is bloody but it is also accurate.
Understand: breaches come in different varieties. In many, all that’s lost is a credit card, and maybe credit monitoring serves a small purpose in those instances.
In the T-Mo breach, what was stolen was far more potent. According to an Experian statement, “The data acquired included names, dates of birth, addresses, and Social Security numbers and/or an alternative form of ID like a drivers’ license number, as well as additional information used in T-Mobile’s own credit assessment.”
Similar info has been stolen in various breaches of large health insurers and possibly also government agencies.
That kind of information is exactly what a criminal needs to open new credit accounts in a victim’s name, to file bogus tax refund claims using the victim’s Social Security number, to attempt a takeover of an existing checking or savings account in the victim’s name, and so on down a line of crimes that suddenly become doable because criminals grabbed all the information that makes them possible.
Gartner fraud analyst Avivah Litan has offered her review of credit monitoring services: “My advice for consumers has been – sure get [credit monitoring] for free from one of the companies where your data has been compromised (and surely these days there is at least one). But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done.”
Security blogger Brian Krebs shared the skepticism: “Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity.”
That’s just it: all a credit monitoring service usually can do is tell a victim when the damage has been done.
Worse: the typical two-year time frame for the credit monitoring provided after a breach makes the service even less useful. Things like Social Security numbers – or similar government-issued IDs in other countries – and dates of birth don’t change and don’t expire. A wary crook could sit on the stolen data for, say, 30 months – then get busy cashing in. Those victims would not know what damage has been done for many months, possibly years.
What can block identity theft before it happens? The advice of multiple experts is that victims of breaches in the T-Mobile vein should instruct any/all credit bureaus that they want a freeze on new credit in their name. (Small fees may be involved.)
Alternatively, place a 90-day fraud alert on your file. It’s free and, supposedly, you will be contacted before a creditor issues new credit in your name.
The key, however, is this: block identity theft before it happens. That’s not easy, but it’s a lot easier than cleaning up the mess after identity theft occurs.