My Identity Was Stolen, Then TransUnion Let The Fraudster Unfreeze My Accounts

Image courtesy of (frankieleon)

One of the smart things to do when your identity has been stolen is to contact the three major credit reporting agencies — TransUnion, Equifax, and Experian — to discuss placing a temporary fraud alert and credit freeze on your accounts. But as one Consumerist reader found out, all it takes to remove those restrictions is the same information that any good ID thief already knows about you.

“My mother has been the victim of an ongoing identity theft problem,” writes Consumerist reader Chuck, noting that his mom followed the advice on the Federal Trade Commission’s IdentityTheft.gov website and placed a fraud alert and credit freeze with all three of the credit bureaus.

Fraud alerts are free, and make it more difficult for someone to open new accounts in your name. When an alert is placed on a report, a business must verify the person’s identity before it issues new credit in their name.

A credit freeze — generally free for identity theft victims — prevents lenders and others from accessing a consumer’s credit report in response to a new credit application. With a freeze in place, even the bona fide account holders will need to take special steps if they want to apply for any type of credit or unfreeze the account.

Things were fine for a while, Chuck says, until his family discovered that TransUnion had allowed the fraudster who stole his mother’s identity to lift the credit freeze on her account over the phone, even though she’d taken the precaution of setting up a unique PIN to protect the account.

“What is the point of issuing a PIN if you’re not going to require it for a lift of credit freeze? Especially on an account with an existing fraud alert,” Chuck asked Consumerist.

Companies like TransUnion — and many others that deal with customers’ personal information — provide a PIN that a consumer must provide in order to access or make changes to their accounts.

Unfortunately, humans are fallible and sometimes they forget their PINs. To make sure these folks aren’t forever frozen out of their own accounts, many companies offer a work-around. In the case of TransUnion, a locked-out customer can get around the PIN requirement by answering a slew of personal questions, a rep for the company confirms to Consumerist.

The problem is, the sort of questions asked for these sort of ID-verification tests — “Which of these streets have you lived on?” “Which of the following phone numbers have you previously had?” — are often the kinds of thing that a good ID thief either already has access to or knows how to obtain. As the case of FamilyTreeNow shows, a surprising amount of this sort of information is already publicly available.

While the authentication process is “constantly evolving and the questions are created in a way that would make it difficult for a fraudster to answer,” the TransUnion rep admits that, in cases like Chuck’s mom’s, “it’s possible that someone else could fraudulently complete this process if they already had significant personal financial information about a consumer.” The rep contends, however, that such incidents are rare.

Unfortunately, for Chuck’s mother, she was one of those rare cases, as the fraudster did have a wealth of information about her and was able to lift the freeze, thereby gaining access to her accounts again.

“It’s a pretty helpless feeling when the companies who control our credit can’t even manage to keep it safe,” Chuck tells Consumerist.

The TransUnion rep notes that the company does have another layer of security built-in when customers can’t remember their PIN: After unfreezing an account and providing a new PIN, TransUnion sends a written confirmation to the user by mail.

Because of this written confirmation, the company would expect to hear back from a consumer if a PIN change was not initiated by him or her.

However, not everyone is obsessed with checking their email, and many people have multiple accounts that they check at varying intervals, so it could be hours or even days before an affected account-holder is aware someone unfroze their account.

The TransUnion rep tells Consumerist in a statement that it apologizes for any inconvenience Chuck’s mother may have experienced.

“At TransUnion, we take security very seriously and do our best to provide a maximum amount of consumer protection, while ensuring consumers can have access to their own information,” the rep says.

When asked what could be done to prevent this sort of problem from occuring TransUnion recommended that Chuck and his mother visit the very same IdentityTheft.gov that led them to put the freeze in place to begin with.

We tried asking the FTC for more specific advice for people caught in this ID theft loop, but a rep for the agency could only urge consumers who have issues with identity theft protection to contact the FTC either via its online Consumer Complaint Assistant or over the phone at 877-382-4357.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.