In the last year, Eastern European cybercriminals have stolen Brian Krebs’s identity a half dozen times, brought down his website, included his name and some unpleasant epithets in their malware code, sent fecal matter and heroin to his doorstep, and called a SWAT team to his home just as his mother was arriving for dinner.
“I can’t imagine what my neighbors think of me,” he said dryly.
Mr. Krebs, 41, tries to write pieces that cannot be found elsewhere. His widely read cybersecurity blog, Krebs on Security, covers a particularly dark corner of the Internet: profit-seeking cybercriminals, many based in Eastern Europe, who make billions off pharmaceutical sales, malware, spam, frauds and heists like the recent ones that Mr. Krebs was first to uncover at Adobe, Target and Neiman Marcus.
He covers this niche with much the same tenacity of his subjects, earning him their respect and occasional ire.
Mr. Krebs — a former reporter at The Washington Post who taught himself to read Russian while jogging on his treadmill and who blogs with a 12-gauge shotgun by his side — is so entrenched in the digital underground that he is on a first-name basis with some of Russia’s major cybercriminals. Many call him regularly, leak him documents about their rivals, and try to bribe and threaten him to keep their names and dealings off his blog.
The pattern with credit- and debit-card breaches tends to go something like this: A company like Target or Neiman Marcus announces that thieves may have stolen your card numbers or other information, then the company offers a year of credit-monitoring. But the chastened keeper of your personal data rarely if ever offers to pay for the most potent protection of all: A security freeze on the files that the three big credit bureaus keep on you.
Credit-monitoring is often backward-looking, informing you of new accounts that thieves may have already opened in your name. But a freeze prohibits the bureaus from releasing your credit reports to any company or other entity that doesn’t already have a relationship with you.
This prohibition is crucial, since credit-card issuers, mobile phone providers, loan officers and others in similar roles almost never open a new account for people without seeing a credit report first. If they can’t get access to the credit file, they probably won’t open that new account. Given that this sort of new account fraud can be especially damaging, security freezes are one of the best tools consumers have to protect themselves from identity theft.
To sign up for one, you need to approach each of the three credit bureaus separately, pay a small fee of no more than $10 or so (it depends on your state, and it may be free for identity-theft victims and in other limited situations) and follow their instructions. You can start the process at the following web pages: Equifax: bit.ly/LQEr1D. Experian: ex.pn/1gimBjg. TransUnion: bit.ly/1eKMRV5.
A credit freeze lasts indefinitely, and the only downside is that you’ll need to thaw your files temporarily when you want to give a company or entity access to your credit report. Experian warns that this affects applications for new loans, insurance, government services or payments, rental housing, employment, investments, professional licenses, cellular telephone, utilities, digital signatures and instant-credit applications that come with one-day discounts at stores.
Only about 600,000 people have frozen their files at Experian; Equifax and TransUnion did not provide figures, but their numbers are probably similar, given that most people who do freeze their files do so at all three bureaus.
In practice most people, especially older ones who already have all the credit cards and mortgage loans they need, don’t have cause to give new creditors access to their files more than once or twice a year, if that. For people who seek credit more frequently, but still want the security of a freeze, the thawing process generally takes no more than 15 minutes each time at all three credit bureaus.
To lift the freeze, you’ll need to provide a PIN and other information and may also need to pay a small fee. The bureaus warn on their websites that it could take a few days for the freeze to take effect and for companies to access your credit reports, though if you lift your freeze by phone, the human representatives are generally able to lift it instantly.