Time Running Out for ID Protection Freebie From Equifax

    Consumer Reports offers advice on protecting and monitoring your credit

    Equifax HQ GettyImages-851025522

    In response to last year’s massive data breach at Equifax, the credit bureau, which is based in Atlanta, offered free TrustedID Premier identity protection services to victims and anyone else in the U.S. who wanted it.

    If you haven’t signed up yet, the deadline for getting that freebie for a year runs out Wednesday (Jan. 31). Equifax declined to say how many consumers have enrolled. Here’s where you can sign up.

    After Wednesday, TrustedID Premier will no longer be available to new customers, and it will be discontinued altogether a year later, on Jan. 31, 2019, because it was specifically designed to respond to the breach. So don’t expect it to automatically renew when your free year ends.

    Also on Wednesday, Equifax will launch a new “Lock & Alert” product that will let consumers quickly lock and unlock their Equifax credit report online or via a mobile app. The new product will be free for life and available to all adult U.S. consumers with an Equifax credit report.

    Equifax has also extended the deadline to freeze your credit report for free. While the company had originally given consumers until the end of January, it is now extending that deadline until June 30.

    All this means consumers now have three free options from Equifax to shut identity thieves out of their Equifax credit reports.

    But you may still wonder if you should sign up for the dying TrustedID service for its final year? Grab the new one? What other safeguards are worth pursuing?

    Here’s what you need to know to best protect yourself against identity theft:


    Consumer Reports experts say signing up for the last year of TrustedID by Jan. 31 will offer some benefits, but they caution that no identity protection service negates the need for consumers to take their own steps to guard against identity fraud.

    “If it’s free, I don’t see any harm, can’t hurt,” says Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, a San Diego consumer education and advocacy organization. Stephens says TrustedID Premier’s three-bureau credit monitoring and its dark-web monitoring for your Social Security number are useful.

    But as identity protection services go, there are better choices if you want to pay someone else to help you prevent, detect, and resolve identity fraud. In December, TrustedID Premier was judged to be a “laggard” by Javelin Strategy & Research, a California firm, which assessed 18 leading identity protection services. Equifax declined to comment.

    Six others were rated as “leaders”: EZShield Platinum, IdentityForce Ultrasecure, ID Watchdog, LegalShield IDShield, LifeLock Ultimate Plus, and TransUnion TrueIdentity.

    Do-It-Yourself Alternatives

    Paid protection can cost $50 to $480 per year for each covered individual. That’s one reason many experts recommend security freezes and fraud alerts as an effective, low cost do-it-yourself alternative.

    A security freeze placed on your credit file will block most lenders from seeing your credit history. And if a prospective lender can’t pull your credit report, it’s unlikely that the lender would issue a new loan. That usually stops identity thieves from setting up fraudulent accounts in your name.

    Most states allow credit bureaus to charge a fee typically ranging from $5 to $10 to place and remove, or “lift,” freezes. Typically, there’s no fee for identity-theft victims who have filed a police report about an incident. Currently, four states prohibit fees for freezes or lifts, according to the United States Public Interest Research Group, a consumer advocacy organization. Four others allow fees for lifts but not freezes.

    There’s no fee to place a fraud alert on your credit report.

    “In general, we would like freezes to be free,” says Justin Brookman, director of consumer privacy and technology at Consumers Union, the policy and mobilization division of Consumer Reports.

    Last November, Consumers Union presented Equifax with a petition signed by 180,000 people demanding that the credit bureau offer free credit freezes to consumers beyond Jan. 31, among other concerns.

    On Tuesday, Equifax announced that it would do that, extending its waiver of fees for placing and lifting security freezes until June 30, 2018. Consumers can either freeze or lock their credit report, not both.

    TrustedID Premier also has a feature that lets consumers lock and unlock their Equifax credit report.

    We don’t have sufficient information at this time to evaluate Equifax’s free Lock & Alert product being released Jan. 31. When we do, we’ll provide an update.

    Whether or not you sign up for free Trusted ID Premier or buy a more robust paid service, you’ll still have to maintain your own vigilance against identity fraud.

    Here are four more ways to lock down your personal finances:

    Activate Two-Factor Authentication

    In today’s world of digital crime and Internet fraud, two-factor authentication is an important extra layer of safety. It requires not just a password but also a second element, such as a code texted to your smartphone, which you have but a crook can’t easily get. Set up and activate two-factor authentication on all your existing mobile banking, savings, credit card, home equity line of credit, and other financial accounts that offer it.

    Most banks that offer mobile banking also authenticate the device you use to access your account. Banks with the most cutting-edge security use yet another factor, biometric authentication, which verifies your identity by using your fingerprint or voice print, or through facial recognition—which criminals can’t easily fake.

    Maximize Your Mutual Fund Security

    Although the Securities and Exchange Commission requires mutual fund companies to have policies reasonably designed to identify, detect, and respond to red flags of identity theft, unlike FDIC-insured banks, these investment companies aren’t required to restore assets stolen by hackers.

    You should call your 401(k) plan provider and other investment managers to learn their fraud protection policies because they can vary from company to company. If your investment company doesn’t explicitly reimburse stolen funds, consider moving your money elsewhere.

    Two of the biggest investment companies, Fidelity and Vanguard, have voluntary online fraud policies that promise to reimburse assets stolen in unauthorized online transactions.

    To get protection, Fidelity and Vanguard require that you follow certain safeguards, which you should be doing anyway, including regularly reviewing your account statements and immediately reporting any errors or suspected fraud; keeping up-to-date security on any computer or other device you use to access your account (firewall, antispyware, and antivirus software); not responding to, clicking a link in, or opening an attachment in an e-mail that you suspect might be fraudulent and that requests personal financial information; and using two-factor authentication.

    Place a Fraud Alert on Credit Reports

    A fraud alert is different from a credit freeze. The fraud alert is a notice on your credit report that warns both current and prospective lenders that they must take reasonable steps to verify your identity before granting credit, such as a new credit card or loan, or extending credit on an existing account.

    You need to request a fraud alert at only one of the big three credit bureaus, which will then pass it on to the other two. You may also want to separately place another alert with Innovis. An alert lasts 90 days. If you’re an ID-theft victim, you can get a fraud alert that stays in place for seven years. But you may be better off with the 90-day alert because that allows you to get a free credit report from each of the four credit bureaus each time you renew the alert.

    Secure Your Smartphone and Email

    How you manage your smartphone and email accounts can be critical to your online security. Your phone is where all your second-factor text message codes are sent and where your mobile banking and other money apps live. Email is where your financial institutions send alerts and password reset links.

    Hackers can hijack your phone and access important information, but “it’s difficult, and if you take only one extra step, a hacker will pass you up and try elsewhere,” says Roger Entner, founder of Recon Analytics, a telecom research firm. Here’s how you can make your phone and email harder targets:

    • Activate two-factor authentication on your email account. When you log in to your email on an unfamiliar computer or phone, you’ll get a text with the necessary code to complete login. A hacker would need that code, too, but can’t get it without your phone. Better yet, download an authenticator app such as Google Authenticator or Microsoft Authenticator, which generates these codes without the need for texts, which can be intercepted.
    • Use a password management app such as LastPass on your computer’s browser and on your phone, advises Russell Vines, Consumer Reports’ director of information security. LastPass creates and plugs different passwords into each of your accounts when you log in, so you don’t have to invent and keep track of dozens of passwords. This eliminates the temptation of using the same password for multiple accounts, which can provide a master key for hackers.
    • Never click unsolicited, unexpected, or suspicious-looking links sent to you by email or text. They could download malware capable of spying on your phone or personal computer activity.
    • Follow other security tips for your phone’s specific operating system using the FCC Smartphone Security Checker, a customizable interactive tool.

    Editor's Note: This article was updated on January 30, 2018 to reflect Equifax's recent decision to allow consumers to freeze their credit reports for free until June 30, 2018.