When Fraudsters Attack

If credit monitoring is a burglar alarm that goes off when someone steals your identity, a fraud alert is a deadbolt that prevents break-ins. At least, that's how it's supposed to work. By law, you can place a temporary fraud alert on your credit report, requiring lenders to verify your identity before issuing credit in your name. And if you tell one credit bureau to set up a fraud flag, it's obliged to notify the other two. But such alerts expire after 90 days. To address the lapses in coverage, companies such as Debix, LifeLock, LoudSiren, and TrustedID will renew alerts every three months for $9 to $13 a month.

These services set their alerts in different ways. LifeLock and TrustedID contact the bureaus and set the alert. Debix (which powers LoudSiren) provides its own contact number for lenders. When a creditor calls the number, Debix's automated voice network calls your phone and lets you approve or deny the transaction by entering a PIN. Debix can call up to three numbers until it finds you.

But in real-world tests, our results varied widely. After signing up for TrustedID, one of our testers applied for instant credit at The Gap. Store employees saw the fraud flag, called the Gap's internal credit division (operated by GE Money Bank), and put our tester on the phone to answer multiple-choice questions about his finances.

Another tester signed up for LifeLock and applied for a card at a different Gap store; he was granted instant credit after showing the store clerk his driver's license. In that case, LifeLock CEO Todd Davis admits, the fraud alert did not get set on the date it was requested. After requesting the alert a second time, our tester applied for another card and was asked to verify his identity more stringently. Davis adds that, either way, our tester would have been protected by LifeLock's service guarantee (see "The 'Million Dollar' Question").

In our in-store Debix test, the creditor verified our tester's identity by putting him on the phone with the store's credit department, bypassing Debix's automated system. According to Julie Fergerson, Debix's vice president of emerging technologies, "80 percent" of creditors call Debix to verify transactions--but they are not under any legal requirement to do so. Creditors can verify your identity in other ways, such as by sending a letter that asks you to mail them copies of W-2 statements, utility bills, or other documents.

In rare instances, creditors may issue credit without bothering to check your report. That seems to be what happened to Davis, who gained notoriety by publishing his Social Security number on LifeLock's home page and daring anyone to steal it. A Fort Worth, Texas, man promptly used Davis's identity to obtain a $500 loan. Davis says that many low-amount lenders don't pull credit reports, which is why the Fort Worth creditor didn't see the fraud flag that LifeLock had placed on its CEO's credit report.

"This person would have been able to get the loan no matter what form of protection was in place," says Mike Prusinski, LifeLock's vice president of communications. "As soon as Todd was aware of the problem, he reported it to LifeLock--and the remediation services investigated, found the source of the identity theft, stopped additional attempts by this same person to buy cell phones and other goods, and prevented any other consequences from the identity theft such as damage to a credit score."

In February, Experian sued LifeLock, claiming that federal law prohibits corporations from setting fraud alerts for consumers, and calling LifeLock's marketing practices fraudulent.

"LifeLock claims it can prevent identity theft, but that's simply not true," says Experian spokesperson Rod Griffin. "By the time a credit report has been pulled, the person's identity has already been stolen. It gives people a false sense of security."

Davis says he can't comment on an active lawsuit but would "welcome the chance to work out a business solution [with Experian] that will continue to protect consumers."

Griffin won't say whether Experian will take legal action against other fraud-alert firms. TrustedID CEO Scott Mitic notes that the law allows consumers or their "personal representatives" to set flags, and says that his company has a good relationship with the bureaus. Debix pays one bureau for the right to set flags, Fergerson says, but she declines to identify which one. As we went to press, Identity Guard announced that it would stop setting alerts for consumers "because Experian asked us to stop," says Intersections' Walston.