When an enterprise falls victim to a security breach that compromises personally identifiable information (PII) from customers or employees, one of the first announcements executives typically make is that the organization will cover the cost of credit monitoring for a year or two.
At first, a credit monitoring service sounds like a good response, but is it really?
Credit monitoring is a service provided by an array of organizations, including credit reporting agencies and independent, third-party monitoring providers.
In an advertisement for one such credit monitoring agency, the CEO tells you his social security number and then offers you a guarantee. Did you ever notice the fine print at the bottom of the ad? It says, "Always protect your social security number. Do not share it unless necessary."
Criminals are wise to the tactics being used by organizations and individuals. The criminals are waiting for your credit monitoring service to lapse before they open accounts in your name, run up bills, and ruin your credit.
The more professional the criminal, the longer they will wait to use your compromised information, even as long as five, eight or 10 years. They have a tremendous backlog that will provide them with a stream of income for years to come.
Security controls typically fall into two categories: proactive and reactive. It is proactive for you to place a credit freeze on your credit reports at all three credit reporting agencies. It is reactive to utilize a credit monitoring service. Many people believe that credit monitoring is a proactive approach to protecting their credit. However, this is not necessarily the case.
The problem with credit monitoring services is that you are notified only after someone has accessed your credit to open an account in your name. You still have to clean up the mess.
However, when you place a freeze on your credit file, you prevent anyone from opening an account in your name. When an attempt is made to access your credit files, several responses are typical: notification to the lender that a credit freeze has been placed on this report because the person has no credit history; or notification that the person has a credit freeze on file that prevents the opening of additional accounts. (Templates are available for Experian, TransUnion and Equifax.)
It is not a question of if your PII will be stolen and misused, but when. Even with efforts such as PCI compliance in the retail sector, enterprises can only do so much. Individuals need to take preemptive action to protect their credit, and be ready for the reality of living in the digital world.
And if you insist on paying a monthly fee for credit monitoring, freeze your credit and send me a check every month. I will send you a nice thank you note.
Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Comments, questions and requests can be sent to him at firstname.lastname@example.org; please include SECURITY in the subject line.