Monday, September 11, 2017

The Equifax Breach and Freezing Your Credit Reports

In the wake of the Equifax breach, I have received a number of questions about what happened and what we should do to protect ourselves from identity theft. Identity theft is a significant financial risk to retirement. Fraud risk is number 13 on "the list" (Retirement is Risky Business – Here's a List.)

The Problem

Identity theft can hurt us financially in several ways but the two aspects I'll discuss here are theft from an existing financial account (PayPal, credit cards, Amazon, a broker, etc.) and thieves creating new financial accounts in your name.

Here are two examples of theft from an existing financial account.

Three or four times a year I am contacted by one of my credit card companies to inform me that they have detected fraud in my account, often before I even see it. Their solution is to issue a new card with a new account number. That fixes one problem but causes others because three or four times a year I have to change my card number at places that store it like Netflix and Amazon. Another time, Amazon informed me that someone had ordered a $4,000 TV from my account but that they had stopped the order because it was clearly fraudulent.

Most of these incidents work out OK, except for the inconvenience, because my credit cards are insured against fraud by the issuer.

A lot of elder theft and fraud, however, is committed by family members. If a family member steals your credit card, Social Security check or ATM card, you probably won't be reimbursed unless you are willing to file legal charges against that family member. Sadly, you need to take extra precautions to protect your PINs, passwords and other vital information from family members. Remember that many of them will have physical access to your computer.

The second risk involves someone stealing your identity and opening a new account in your name. Unless you are vigilant, they can use these accounts undiscovered for some time and you will have the nightmare of proving you aren't responsible for the charges. The accounts they open could be anywhere from PayPal to a home equity loan.

Who Steals Your Identity?

Often, the hacker who steals your identity is not the person who steals your money. Hackers steal personal information and sell it to fraudsters over the Internet. (The magic of specialization.) Thanks to the Internet, the hackers and fraudsters can be anywhere in the world. Russia, North Korea, and Eastern European countries are common homes for this activity, but it happens everywhere.

What does this mean to you? It means that you can take extensive precautions to ensure that you protect your valuable identity information only to see the thieves just steal it from someone you do business with who also has your information. 

The latter is largely beyond your control. You can't control your personal information that Experian or Target keeps and has promised to protect.

Where Do Thieves Find Your Information?

They can look over your shoulder for your password while you log onto the Internet or enter your PIN at an ATM. They could steal your wallet. They can steal your credentials while you use a public Wi-Fi connection at a coffee shop (I use a VPN to protect against this.) They could hack into your computer. But, the least-cost approach is to steal millions of ID's at a time from places like Equifax, Target, and Yahoo.[1]

If bank-robber Willie Sutton were an identity thief, he'd explain his attacks on large companies by saying, "Because that's where your data is."

Why rob your home, steal your wallet or hack into your PC to steal one ID when a thief can hack Yahoo and steal millions?

If the Home Depot breach was a bank robbery, the recent hack of the credit-reporting agency Experian was like robbing the Federal Reserve.

Should you freeze your credit reports? Yup.
[Tweet this]

The Credit Reporting Agencies

There are three major credit reporting agencies, Experian, TransUnion, and Equifax. Most people have a file at all three, which should (but doesn't always) contain the same information about you. (You should check all three regularly at to correct any discrepancies.)

In addition to the three major agencies, there are about 40 others[2], most of which specialize. You should focus on the top three (and perhaps Innovis.)

When you apply for a new credit card, an apartment lease, or a reverse mortgage, for example, the company accepting your application will first check your credit record. Unless you have frozen your credit report at the credit-reporting agency they choose to check, this will be done easily and will not be reported to you.

This simplifies your life but, unfortunately, it also simplifies the life of the thief opening an account in your name.

Freezing Your Credit Reports

You also have the option of "freezing" your credit reports at these reporting agencies. If you order the agencies (plural, it only makes sense to freeze all three) to freeze your reports, they will provide you with a PIN number to unfreeze the account when you need to.

The bad guys can't open an account in your name without your PINs. This is less convenient for you because you have to unfreeze your reports when you want to open a new account. (This is typically less inconvenient for retirees because we tend to open fewer new accounts.)

My reports have been frozen for years, so when I recently opened a new account the lender called me to tell me that he couldn't run a credit check because my credit report was frozen. I try to remember this and unfreeze the account when I submit an application, but I often forget.

I asked the lender which agency his company uses and was told Experian. I knew then that I only needed to unfreeze the Experian reports so I logged onto, entered my PIN, and unfroze the account.

I could choose to unfreeze it for everyone or for one specific lender so I chose the latter. I could also unfreeze it until I chose to freeze it again or for a specific time period, so I chose to unlock my credit reports for this single lender at one agency (Experian) for five days, after which the account would once again be frozen to everyone.

Inconvenient? Yes, it cost me a few more days in the application process because I had forgotten about the freeze, but not nearly as inconvenient as identity theft.

Credit Monitoring Services

Many companies, including the reporting agencies, offer a service to monitor your credit report. Note that this is not the same as monitoring your credit accounts. After a breach, the hacked companies inevitably offer a year of free credit report monitoring service to help repair their image. "Free" is a fair price for this service and I generally take them up on it.

The problem with these services is that they won't notice a problem until your creditor reports it to the credit-reporting agency. (Again, they monitor your credit report at the agencies, not your actual Visa or PayPal accounts.) This is somewhat akin to checking the obituaries each morning to see if you're in them.

You may have seen a TV commercial that shows a bank being robbed while a security guard just watches. "Aren't you going to do something?" a customer asks while lying face down on the floor.

"Oh, I'm not a security guard," he responds. "I'm a security monitor. My job is to tell you when your bank is being robbed. By the way, your bank is being robbed."

The credit report monitoring services are even less useful. They tell you that your bank was robbed, not that it is being robbed.

Protecting Against Fraudulent Accounts

Though credit freezes won't stop the first problem I described, someone accessing your existing financial accounts, they can prevent someone from opening a financial account in your name.

I protect my existing accounts with two-factor authorization everywhere it is available.[3] I also set up email notifications on every financial account that offers them to immediately notify me of unusual transactions, like those for large amounts or charges outside the U.S. Lastly, I set up email notifications for accounts that don't offer this service at[4]

For the second risk, someone opening an account in your name, I highly recommend that everyone — especially retirees, since they open fewer new accounts and may be more financially vulnerable — freeze their credit reports at all major credit reporting agencies. It may cost a few bucks, depending on your state laws[5] and it will be a little inconvenient, but it is worth the effort.

Here are some directions if you choose to freeze your credit reports.
  • Assume that your ID has already been stolen. That's the safest assumption and it's probably true. Many IDs have been stolen and the thieves are waiting for someone to buy them. Maybe they just haven't gotten around to yours — yet. Once you accept this fact, you will focus more on how to protect yourself after your information has been stolen.
  • Log on to all three credit reporting agencies (links below under "References") and freeze your credit reports.[6-8] Follow their directions. You will need to provide a good deal of personal financial information to do this online so they can be sure that you are you, but you always have the option of calling the phone number they provide.
  • Don't do this, of course, over a public Wi-Fi network.
  • Request a freeze at the smaller agency, Innovis, because as the Washington Post asks, "Why not?"[9]
  • Some concerns have been raised regarding weak PINs provided the agencies and whether PINs were stolen in the Equifax breach.[10] Equifax says they were not, but not everyone is willing to trust Equifax' word right now. To play it safe, you might want to change your PIN if you already had one. Equifax says they will add that ability immediately and begin providing more random PIN numbers, as well. 
I'll be changing my PIN because, well. . ., "why not?"


[1] 2017 Data Breaches - The Worst Breaches, So Far | IdentityForce®.

[2] Credit Reporting Agencies: Big 3 & Alternative Bureaus | WalletHub®.

[3] Two-factor authentication: What you need to know (FAQ) - CNET.

[4] Mint: Money Manager, Bill Pay, Credit Score, Budgeting & Investing.

[5] Details of credit freeze laws in all 50 states.

[6] TransUnion Fraud Alert

[7] Equifax Alerts

[8] Fraud Alert Center at Experian

[9] Innovis Security Freeze.

[10] After Equifax Breach, Here's Your Next Worry: Weak PINs, New York Times.

Friday, September 8, 2017

Social Security Claiming and Pig Races

The retirement planning question I am asked most frequently is when to claim Social Security benefits. I received a letter from a reader and a question from a friend at the local cafe on this topic just in the past three days.

Another friend sitting three rows behind me at a baseball game once stood up in the middle of an inning and shouted, "Hey, Dirk, what is the break-even age for claiming Social Security benefits?"

Since most Americans have not saved nearly enough for retirement, when to claim is often moot. Most people need their benefits right away and can't afford to delay them. But, if you can afford to wait, let me try again to explain why you probably should.

Here's the comment from a reader.
"My wife and I will retire in 4 or five years at about 66. We will each have small pensions and access to a little investment income. Social Security will be the 4th revenue stream. A financial adviser really wants us to wait until 70 to claim Social Security, but I'm concerned that we will have to erode our investments during that 4 or 5 year wait. Trying to forecast what that will cost us in lost investment income vs the higher Social Security benefit when claimed later is like betting on the pig races at the fair. An educated guess, a WAG, a stab in the dark. It doesn't help with the confidence and security we seek in retirement."  – Chris
(Isn't it interesting how often pigs come up in my retirement blog? I need to give that some thought. Think Like a Bayesian Pig.)

Chris, I believe the reason you are not getting a satisfying answer is that you're not asking the right question.

I deduce from your comment that you understand that if you live a long time, you will be better off financially by delaying claiming your Social Security benefits but, if you don't live a long time, you will be better off claiming them right away.

You are having difficulty deciding whether to bet that you will live a long time or a short time after you retire. You might as well bet on that pig race because just as you have no idea which pig is fastest, you have no idea how long you will live.

Social Security retirement benefits are a form of insurance. In fact, Social Security is the commonly used term for the federal Old-Age, Survivors, and Disability Insurance (OASDI) program. Before we delve into old-age insurance, let's consider a more familiar form of insurance, auto insurance.

By car insurance industry estimates, you will file a claim for a collision about once every 17.9 years.[1] That isn't terribly interesting information because you might not be average. You might go 30 years without an accident or have one tomorrow.  Planning your retirement or buying insurance based on averages is a very serious fallacy. Insurance should protect you from catastrophes, not from average losses.

You might ask – though, you probably don't — why you should pay thousands of dollars each year for car insurance when there is a 50% chance that you won't have an accident for nearly 18 years.

The answer is simple. A car accident could be financially catastrophic. Without insurance, it might cost you $40,000 to replace a car, not to mention hospital bills and a million-dollar liability judgment. So, we pay insurance premiums hoping that we never need to file a claim in order to avoid a potentially catastrophic outcome.

That's the definition of insurance. We accept a small, guaranteed loss (the cost of insurance premiums or delayed Social Security benefits) in exchange for protecting us from an unlikely but potentially catastrophic loss.

A reader asks: Is claiming Social Security benefits harder than betting on pig racing?
[Tweet this]

How does that relate to delaying Social Security benefits, a.k.a., Old-Age, Survivors, and Disability Insurance?

Delaying Social Security benefits is like purchasing additional longevity insurance. The equivalent premium payment is forgoing some Social Security benefits that we would otherwise receive if we claimed at age 62.

The equivalent catastrophic loss in retirement is becoming impoverished when we are very old. Delaying claiming Social Security benefits is a way to buy more longevity insurance. Said differently, it's a way to transfer some guaranteed income early in retirement to provide more income later in retirement should we live to be very old.

This is the catch, of course. We don't know if we will live a very long time and, if we don't, we will have given up those early benefits for no reason, like buying auto insurance and never needing to file a claim.

When we buy auto or life insurance, we don't know if we will have a huge accident or die while dependents still need our job income, either. We may be paying those premiums with no return and, in fact, we hope we are. We don't make a bet on when those things might happen, we buy insurance to protect ourselves if they happen because an uninsured loss could be really bad. The alternative is to hope we're lucky.

Short retirements are cheaper than long retirements. Let's assume that you will need $50,000 a year to cover your living expenses after you retire. A retiree who leaves the workforce at age 62 and dies at age 67 will need $250,000 to fund retirement. A worker who retires at age 62 and lives to age 92 will need $1.5M to fund retirement.

(Both numbers are actually smaller than this when we consider the time value of money, but let's keep it simple for now.)

In other words, if you don't live long, your retirement will be relatively cheap and if you become quite old it will be relatively expensive.

When you delay claiming Social Security benefits and only live a short time, you will reduce your income but it won't hurt much because you will also have a cheap retirement. If you live a long time, you will increase your income by delaying claiming and you will need the additional income because you will have a long, expensive retirement.

Now, let's look at the alternative bet of claiming your benefits early.

If you live only a short time after retiring, you will have maximized your Social Security income for a scenario in which your retirement wasn't that long or expensive. If you live a long time, you will have minimized your Social Security income for a scenario in which your retirement is relatively expensive.

The goal of delaying claiming your Social Security benefits is to make sure you have more money in the worst case scenario, living a very long, very expensive retirement. It's like taking some small, certain losses by buying car insurance to avoid an improbable catastrophic loss if you have the big accident.

Now, Chris, I suspect that you're trying to place a bet on whether or not you will live a long time. If you're healthy, you can't know how long you will live. If you're going to place that bet, you're correct, you might as well bet on the pigs.

A better way to frame this decision is as a purchase of additional longevity insurance to protect your household against a very long, expensive retirement instead of framing it as a bet on how long you might live.

Your comment says, "It doesn't help with the confidence and security we seek in retirement."

If it's confidence and security you seek, buy insurance. You get that by delaying claiming Social Security benefits as long as you can afford to do so, thereby taking the catastrophic scenario, inadequate income in old age, off the table.

You also say, "Trying to forecast what that will cost us in lost investment income vs the higher Social Security benefit when claimed later is like betting on the pig races at the fair."

You're trying to compare two very different things. Your investment portfolio is a liquid asset with no longevity guarantee — you can outlive your portfolio. Annuities and Social Security benefits are illiquid but they will provide income if you live to 120. You probably need both.

Like not knowing how long you will live, you can't know how much investment income this decision will cost you. You can only guess. If your investments go south, you will have been much better off with more Social Security income, and vice versa.

Since you don't know how long you will live or how your investments will turn out over the long term, the trick is to make sure you have an adequate floor of Social Security benefits, fixed annuities and the like to protect against a very long life and poor investment results. Invest what's left for upside potential and liquidity.[2] That will tell you whether delaying benefits is a good strategy for your personal situation.

It's a somewhat complicated optimization, but presumably, that's why you asked your advisor for help in the first place.

Delaying claiming Social Security retirement benefits is the most cost-effective longevity insurance you can buy. If you think of it as insurance and not a bet on how long you will live, you may find it makes more sense than pig races.


". . . no one knows the best asset allocation in advance", Does The 4% Rule Work Around The World?, Wade Pfau.

NOTE: My blog seems to be having problems accepting comments, as it does from time to time. Sorry, I hope to have that corrected soon. Meanwhile, you may need to click the "comments:" link in the very last line of the post that begins " 1 comment:" to display the comment entry box. If that doesn't work, you can email me at


[1] How Many Times Will You Crash Your Car? Forbes magazine.

[2] The Retirement Café: Build a Floor, Place a Bet.