Slashdot Mirror
New Legislation to Combat Identity Theft
coondoggie writes to tell us the Washington Post is reporting that new legislation in a numbers of states and the District of Columbia allows consumers to place a "security freeze" on their credit files. "For the millions of consumers who receive notice each year that their personal or financial data was lost or stolen, a preemptive security freeze can offer peace of mind. It blocks businesses and potential fraudsters from gaining access to a consumer's credit report and score and from granting new lines of credit in the consumer's name. In many states, consumers who want to remove the freeze can use a special identification number to unlock access to their credit file."
about time
Enjoy Every Sandwich
... this seems to do absolutely nothing unless you know your credit security has been breached.
Yeah, that's a good idea... So how many ID-Ten-T consumers are going to carry this number around -- in their wallets/purses or leave them unsecured in a filing cabinet? When will legislators get a clue that most people are complete ignorant about the security of almost anything?
My blog
>> Under current federal law, individuals can place a 90-day "fraud alert" on their credit files ... merely notifies the consumer if an inquiry has been made
>> Under the proposed "Identity Theft Prevention Act," consumers would need to spend $30 to place a credit freeze on their files that covers all three major credit reporting bureaus.
>> Committee Chairman Daniel Inouye (D-Hawaii) and ranking Republican Ted Stevens (Alaska)
This is good, and also stunning ... the stunning part being the fact that a Democrat and a Republican are actually working together.
That number wouldn't happen to be...
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Maybe if this sig is witty or clever enough, someone will love me...
They should tell the reporting agencies they have 30 days, and then they have to stop using SSN.
How they fix it it their business.
OTOH, with ID theft becoming more common, reporting agency will eventually be worthless since no one can depend on their reports anymore.
The Kruger Dunning explains most post on
Just give us one time keys.
If I can use a piece of important information only once before it changes then nobody can replay it.
Incidentally, how do you prove you are you to actually put the freeze/unfreeze in place?
liqbase
I wonder how many people will give up their secret security freeze number to phishers?
Two wrongs don't make a right, but three lefts do.
Whoever lets someone use a stolen identity to get a loan or credit card or whatever should be responsible for all damages. That means forgiving the loan and restoring the credit of the victim as well as paying damanges if the victim's credit history took a hit.
Seriously, it's not my job to make sure you verify the identity of your clients and I shouldnt have any consequences if you dont do it right.
Also, anybody who loses data used to steal an identity should be responsible for the consequences. If you run over a pedestrian on a sidewalk you pay te medical bills right?
There's a private company (Lifelock is the one I hear on the radio all the time) that also has the ability to lock down your credit. No new legislation required, it would seem. Of course, that costs money so maybe this legislation just enables individuals to lock their credit at the taxpayer's expense.
This is also supposed to stop those pre-approvals that constantly clog up your mailbox... (well, mine at least.)
More Twoson than Cupertino
Really, how many people who haven't been the victims of fraud are going to spend money AND TIME putting these "freezes" on their records?
Instead, why not "freeze" them by default?
Then if the customer WANTS to open a new credit account, the fee to "unfreeze" can be rolled into the new account.
If the customer wants someone to do a credit check on him, the fee can be rolled into the new account OR paid by the organization doing the check.
Why pass a law that doesn't, by default, protect EVERYONE?
Yes, I've gone back to cold, hard cash. Sure, I keep a credit card for emergency purposes (road break-downs and such), but I don't really use it much. I don't buy things over the Internet, and yep, I check my listed credit history with the credit bureaus.
What is it, something like 20,000 separate laws "controlling" the ownership and use of guns, yet we still get VaTech?
And, of course, whenever those don't work, why, we'll just PASS MORE LAWS!
How great to be a politician, where you're never graded on what you actually do, just what you SAY.
Any technology distinguishable from magic is insufficiently advanced.
Still can't catch me coppahs!
We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.
I could make a very long winded post about this, but what I believe is really very simple: all personal info should be private by default.
Any time anyone wants any of of my personal info, be it SS#, Credit Report, phone number, address, email address, et al. they should be required to get my authorization before it can be released or even used. Kinda like medical/health info except done a lot more robustly. I'd go so far as to advocate serious jail time for individuals who abuse my personal info, for instance all the laptops that various government agencies manage to lose. I'd hope the threat of years in a federal penitentiary would do the trick.
I'm not holding my breath, but it pisses me off to no end that I have to maintain so much of a defense of my information.
Politicians are like diapers - they should be changed frequently and for the same reasons.
What keeps the perp from stealing your identity, freezing your record, and then using the ID number they give him to loot your accounts while you're locked out?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
http://yro.slashdot.org/article.pl?sid=07/05/08/12 22239
And what lobbyists were in on this "legislation"? Hmmmm, do you think the credit bureaus and the banks? Hmmmm????
Sorry, whenever there's "Legislation" I automatically think that the industry lobbyists wrote it.
I prefer Flambe as apposed flamebait.
The Post also ran a much longer, more in-depth piece looking at the process of passing freeze legislation in Delaware, easily the most banking- and business-friendly state in the union. That piece is here
One highlight, which looks at the role of the Consumer Data Industry Association (CDIA), the lobbyist group that works for the data broker industry and the credit bureaus:
"Goldberg, who has worked with advocates in more than a dozen states to enact freeze legislation, said that in 2005 the CDIA and the credit-reporting agencies shifted their strategy. They no longer were outright opposed to credit-freeze laws; instead, they worked to convince states to allow the bureaus to charge as much as possible when consumers place, lift or remove credit freezes. "The credit reporting agencies clearly want consumers to pay more for the security freeze than we certainly think they should," Goldberg said. "But given that those same agencies collect all of this sensitive financial data about consumers and then turn around and sell it, we think they should also have the obligation to protect the consumer, and that's where the security freeze comes in.
...because you never know who you're dealing with.
I'm still amiss as to how people can still get their personal data stolen and their lives ruined by thieves in this way. To me, the biggest problem is the credit reporting agencies themselves who are very anti-consumer. By that, I mean they will very easily and quickly put on a bad credit remark, but are slow to remove it if it's a mistake. Even then, the whole idea of verifying identity in financial transactions is very loose to these guys who only require a name and SSN.
This is one of the problems that requires long-overdue federal legislation to remedy. It needs to consist of the following:
* Complete elimination of the use of SSNs by non-governmental agencies to track individuals, including employers and insurers
* Disallowing tracking numbers for enumeration of individuals to remain the same across any two or more private organizations
* Requirement of independently-verifiable photo and/or hashed/digitally-signed/analog biometric verification of the purchaser for large purchases on credit (not all of the above necessarily - even an original copy of a fingerprint plus a photograph of the person with the contract would be sufficient)
* Increased onus on creditors to prove that the alleged debtor was, in fact, the person responsible for the purchase or transgression in question via the identification as above
* Severe criminal penalties (up to life imprisonment) and civil penalties ($250,000 or triple the value of the offense, whichever is greater, per offense) for those who purposely attempt to steal identities, subvert the security measures for the purpose of identity theft, or facilitate the reporting of false information on debtors for which adequate steps have not been taken to verify identity
* Mandatory FIPS-based security for the storage of personal information
* Withholding of derogatory credit information that is in dispute during the time that affected individuals are making a proper challenge to said derogatory information
Do all of that, and what you'll find is that this problem will vaporize overnight. It won't prevent other problems such as outright credit card theft (for which there are separate solutions anyway), but it will cut this problem off where it needs to be cut off.
Call me paranoid, naysayer, whatever - but I agree with other posters who say that everyone's report should be frozen by default, and no information should ever be allowed to be accessed (or, arguably, even exist) without your express written consent.
Deja Moo: The distinct feeling that you've heard this bull before.
I've had a 7-year credit freeze for more than 5 years. This isn't something new - it's always been available to someone whose identity has been stolen.
Why does it take $10 to flag a row in a database table as being "frozen"?
How about creating systems whereby peoples' identities aren't stolen in the first place. How about not using a single unique identifier (SS#) to conduct all business, et all. This only addresses things after the fact.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
This is a stupid idea. The government already has loads and loads of information at their fingertips that they could use to track down and stop a huge number of identity thieves. I don't know about exact numbers but you can bet that there are at least tens of thousands of easy-to-find criminals in the IRS data bases. Most illegal immigrants use someone else's SSN to work. You would think that 10 different names under the same SSN would be a flag to track this problem down and capture the perpetrator but they never do anything. The government doesn't care about identity thieves. They pass ridiculous laws now and then to make it look like they do but there are lots of easy things that they could do with little effort if they just cared to try. It's only if bank records of US senators are compromised that sets off even the faintest alarm. Even then, there's a lot of media attention on the subject but in the end nothing ever happens.
So why not pass a law that says that banks are responsible for all the debt racked up in such accounts. That might focus the banks minds a little on making sure that the customer really is who (s)he says (s)he is.
Then just to make it really clear that the government would like everyone to stop relying on SSN as a valid form or idendification, ssn.gov should post every single SSN ever issued together with name and birthdate.
credit pay the cost. If someone's credit data is used to make a fraud purchase let the merchant lose out and not be allowed to issue a negative credit comment. If they falsely issue the negative credit let them be liable for damages. Pretty soon people will do the background checking that they should have done all along. The problem goes away.
Sure this is great if your identity is stolen to use your credit to rip some business off. But it does NOTHING to prevent people from using your identity when pulled over for a traffic ticket. It happened to me. Here in California all you need to do is tell a cop you don't have your ID, then give them someone else's information so they can run through the computer, when it checks out, they write that person a ticket with the other person's name. That person drives off scot free and a few monthes later you get a warrant out for your arrest for Failure to Appear in court. Let me tell you the pit in your stomach when you are wrongly accused of a crime, your insurance refuses to renew you, your local DMV refuses to renew your license, you get to drive to work with no license and insurance and you can't even go into a bar because your drivers license cannot be renewed. Of course you only find out about this just before your license is about to expire, when you need a license the most because you have no way of looking up your driving records for free. Then you get to go to court, in my case in Northern California when I live in San Diego to prove using ATM slips, credit card reciepts, and your signature and a picture of your car that you not only don't match the description of this person but that you have tons of paper trail to prove you never left your home town and tons of witnesses to say you were at work that day. Its a huge hassle. Why not make cops take a finger print of anyone they pull over if they can't provide ID, or take their picture. Can a police officer on here please explain to me why they just trust a criminals word when they are giving a name and address that it is as good as a CA Drivers License, that is pathetic.
Wait for it...
3...
2...
1...
0...
"Hello, US Credit Agency? Someone locked my account and set up a password for it without my permission. What do I do?"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Send multiple Arnold Schwarzenegger clones back in time to help recover your stolen identity.
If girls liked guys that were interested in them for their brains, they'd date zombies.
This sounds so much like how Microsoft handles security. Make something so intrusive and such a pain to use, that no one uses it. Then you can blame the user/consumer for failing to use the available security.
Someone else suggested making the credit companies responsible for the losses. Personally, I think we should make the credit _reporting_ companies responsible. I guarantee you they will implement a reasonable security solution rather quickly if that happened. When they could end up paying for a $10,000 credit card charge because they gave your credit info to a "business" in Moscow, they might start thinking a little smarter instead of taking the (?) $10 fee from every Tom, Dick, or Ivan.
-- Will program for bandwidth
The real solution is to completely overhaul the information broker industry and move to a system where the subject of the credit information has total control over who gets to access the data. That's how it should've been from the get go.
That's going to happen about at the same time hell freezes over though, because it would mean no profits for the information thieves.
In Soviet Russia, I ruled you
Special identification number? I think mine was posted a few thousand times on Digg the other day.
if the government is really serious about allowing its citizens to keep their private data private maybe they could start with halting the MASS amount of sensitive information the government itself "loses" every year. last year the FBI alone had thousands of laptops lost or stolen. that is just ridiculous.
because the banking industry is run by jews.
...that check your credit history before deciding to hire you? Would a freeze on your accuont unfairly deny you a job because your shit got stolen?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Sounds like in many cases you have to pay for the privilege of having your credit protected. Why should we have to pay a for-profit company money to secure our credit?
We need federal legislation signed making credit card companies or any organization extending credit civilly and criminally liable for identity theft. In other words if someone under the guise of you opened a Citibank VISA account in your name and rung it up, Citibank could then be sued by you and/or prosecuted for extending credit to someone whose identity was not properly verified.
THEN you'd see some changes taking place. Instead of "oops, sorry" they'd be faced with saying "oops, here's six million for our mistake."
I mean, these guys own the system. They make money off us from their ownership of it. They should be responsible for securing it.
Who the f*** decided that sentences on the Internet shall no longer be formatted with two spaces after a period?!
Two-spaces-after-a-period is an old mechanical typerwriter thing that has long been obsoleted by modern word processors and modern print fonts and is entirely irrelevant in electronically represented text.
...when you're stealing someone's identity now from a database, be sure to also steal the unlock key.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There seems to be a lot of confusion about Credit Freeze. Many states do offer it for free. http://www.creditlock.com/ has organized credit freeze relevant information, fees, procedures, etc... in a very convenient system, initiated through an interactive map. It is complimentary to members, and membership is negligeable. Hopefully, if a federal law is ultimately passed, all such requirements will be streamlined....
I've had mine locked for about 18 months now. When I went to buy my new house, I had to call up and let them know to allow it in. Two of them had methods to perform these actions online, the other had a phone number that was about as easy as the national do-not-call list.
Doesn't the FCRA already allow for this?