ID Theft In US Continues Apace Despite Data Breach Laws
4roddas points out an article at Techworld about the continued scourge of identity theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends."
Plain and simple, the only thing that's going to really make a dent in identity theft is to make identities harder to steal, and that means requiring all the banks and credit card companies to jump through more identity verification hoops before they give someone your money or a line of credit in your name.
Sure, requiring you to go to a licensed notary and have a credit card application notarized might not make it so easy to get credit, but it would also make it harder to get credit in your name.
The banks and credit card companies could do this, but it's more profitable to let people steal your identity and then just jack up fees and interest rates to cover the losses.
- Greg
Start a happiness pandemic
Search your files for social security and credit card numbers before hackers do.
So much concern here on slashdot on id theft, when most of the readers are busy stealing from others (music, movies, etc.)
Data breach notifications are useless when institutions don't know they've been breached. I'm sure there are lots of those cases.
BWAHHHAAAAA
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
There is a very simple fix and it will be to have the costs and time that is needed to fix everything that occurs when someone's identity is stolen be put on those responsible for the loss of the information which enabled the identity to be stolen in the first place. This means, if a company has a database which is breached from a known security vulnerability or from complete disregard of standard security practices, that company should be liable to fix the issue, not the customer whose data was lost. Any time that the customer has to spend dealing with banks, financial institutions, and government groups relating directly to having to fix issues from the stolen identity should be time that is directly charged to the company at a set fee, or the company can directly handle the issues themselves in some fashion.
The next step would be to start putting fines on companies that repeatedly let personal data be stolen or otherwise inappropriately accessed.
Two major things would start happening with laws like the above in place.
1) Personal financial data will no longer be stored
2) Customer information will also no longer be brokered between companies
These are both very good things for the consumer. Yes, there will be the extra hassle of needing to input your data each time you make a purchase online, but you could always set up your browser to store that information and have it auto-complete (not that I recommend doing that). There is no need for companies and businesses to keep full credit card information of a customer. The last 4 digits should suffice, and in the event of a return, the customer would need to submit the full card number so the return can be processed.
The only times this will cause any kind of problem is when dealing with pre-orders and returns. For a purchase that is happening and being charged at the moment, nothing will need to change, and it will work as normal.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Your credit card number is not a password, because you have to give it away every time you buy something. If someone wants to steal a credit card number, they can get it from any unscrupulous employee of any business that sells things, which means they'll always succeed. The solution is to replace credit cards with smart cards that use public-key cryptography. That means that your credit card contains a number which you can use to sign transactions and prove that you are authorized to make payments, but you don't have to give every employee of every merchant you buy from the power to impersonate you.
Social security numbers have the same problem, only worse, because you can't just cancel your SSN like you can with a credit card. Banks pretend that your SSN is a password, but there are thousands of people who have access to your social security number and at least one of them will sell it on the black market.
Fixing this mess will cost the banks a lot of money, but they made this mess and it's their responsibility to clean it up. We need the federal government to mandate real security measures, because fraud is quickly becoming the norm.
A long time ago, I wrote up a description of an identity clearinghouse, a government-run agency that allowed lenders to verify a potential borrower's identity without giving the lender any unnecessary information about the borrower's true identity. From the private citizen's side, it's all optional - register with the clearinghouse if you want, and go it alone if you want. From the lenders' side, it's mandatory to check with the clearinghouse before opening a line of credit for someone.
To register with the clearinghouse, you go to a local government agency where identity is "managed" - e.g., your local DMV. You register there by providing your current contact information, and they ensure that you are the person you claim to be through their normal identification procedures (such as picture ID/driver's license pictures on file). If you later need to change your contact info, you do the same procedure (going to the DMV in person) to prove your identity.
When you apply for credit somewhere, the lender first uses the identifying information you have provided to them (such as name, address, SS#, etc.) to verify your identity with the clearinghouse. If you haven't registered, the clearinghouse just responds that there's no such registrant in their records, and the lender is free to grant credit to the applicant. But if you have registered, the clearinghouse first checks to make sure the information they have on file matches the information the lender provides, and second, they use the information they have on file to contact you directly and ensure that you actually applied for credit with the lender in question. If both of those checks succeed, they respond to the lender with "yes", and if either fails, they tell the lender "no".
This would greatly reduce the instances of people opening lines of credit in other people's names. However, one problem it doesn't address is fraudulent charges to legitimate lines of credit you already have (e.g., stolen/copied credit cards). Credit card issuers and merchants are both often on the hook for most of those sorts of charges, though, so they already take at least some steps to reduce that kind of fraud.
It is irresponsible for law and legal practice to bury consumers with an excessive number of data breach notices. The notices happen so frequently that their meaning is diluted. --Ben hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
...we've proven that a piece of paper alone can't stop crime, pollution, educate our kids, etc. it is only the enforcement thereof, or in the case of ID theft, steps to prevent such crime that will ultimately solve our problems.
Long story short, let's move along and work to end the problem, not just write paper against it.
...in bed
The majority of identity theft occurs due to illegal aliens using other people's SS numbers to gain employment. The criminals are in the minority. The solution to this is effective immigration policies, not draconian laws.
Also, it's rare for the illegal aliens to take out credit or anything on the SS number. They are just using it for employment purposes and that's it.
My blog
The FBI is in charge of protecting Americans from fraud and theft on that scale and across that national and global jurisdiction. But Bush's "Justice" Department isn't interested.
Feel safer?
--
make install -not war
I hate giving my PIN to vendors. I hate typing my PIN on random ATMs - and rarely do it. I hate typing my PIN into authorization keypads at stores, but what can I do?
Every transaction should have its own unique PIN attached to the transaction's amount and recipient. Credit cards with chips could do this right now, RSA-password style, generated against the one-time password from the vendor's machine for the transaction, in a data package with the vendor's invoice signed by the vendor's transaction password that my card keeps. In fact it should be transacted over my phone and archived in my personal DB.
This tech is here, and pretty cheap. Banks should pay for it. Their insurance corps should make them pay for it. Until they do, consumers like us will pay most of the costs, especially in a lifetime recovering from a "one-time" ID theft.
--
make install -not war
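The per-transaction code proposed in the comment above, sketched as an added example (not part of the original thread, and not how any real card scheme is specified). It assumes an HMAC key shared between the card chip and the issuer; `Issuer`, `transaction_code`, `card-001` and `shop-42` are hypothetical names, and all values are constructed.

```python
import hashlib
import hmac
import secrets


def transaction_code(card_key: bytes, merchant_id: str,
                     amount_cents: int, nonce: bytes) -> str:
    """Card side: one-time code bound to this merchant, amount and nonce."""
    # Length-prefix every field so ("AB", "C") and ("A", "BC") cannot collide.
    fields = [merchant_id.encode(), str(amount_cents).encode(), nonce]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # Truncated to 64 bits to keep the code short; an assumption of this sketch.
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Bank side: holds each card's key and refuses reused nonces."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._seen: set[tuple[str, bytes]] = set()

    def enroll(self, card_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return key  # provisioned into the chip; merchants never see it

    def authorize(self, card_id: str, merchant_id: str, amount_cents: int,
                  nonce: bytes, code: str) -> bool:
        key = self._keys.get(card_id)
        if key is None or (card_id, nonce) in self._seen:
            return False  # unknown card, or a replay of an accepted nonce
        expected = transaction_code(key, merchant_id, amount_cents, nonce)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False  # code was issued for another merchant or amount
        self._seen.add((card_id, nonce))
        return True


def demo() -> dict[str, bool]:
    issuer = Issuer()
    key = issuer.enroll("card-001")
    nonce = secrets.token_bytes(16)  # one-time value from the vendor terminal
    code = transaction_code(key, "shop-42", 1999, nonce)
    return {
        # A dishonest merchant changes the amount or forwards the code elsewhere.
        "altered_amount": issuer.authorize("card-001", "shop-42", 999900, nonce, code),
        "other_merchant": issuer.authorize("card-001", "shop-99", 1999, nonce, code),
        # The genuine request succeeds once; the identical request is a replay.
        "legit": issuer.authorize("card-001", "shop-42", 1999, nonce, code),
        "replay": issuer.authorize("card-001", "shop-42", 1999, nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```

Unlike a static card number or PIN, the code a merchant sees here is useless for any other amount, recipient or second attempt.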
ID theft will continue, now that criminals have about 4.5 million people's personal data from those backup tapes the Bank of New York lost. Not to mention all of the other data losses we've heard about on Slashdot. No amount of securing your personal data will help now, unless you plan on changing your date of birth and address. Seriously, that's all it takes. All it took to prove to Medicare (Australian health cover, just a shade short of socialised health) over the phone that I was me, when I needed to change some details, was my date of birth and current address. You put those on almost every form you fill out offline, and if you shop online, you put your address on those too. Date of birth and current address can be used as a lever to "update" someone's Medicare details, and have a new card sent to an ID thief. Medicare counts as a form of ID, so that makes the lever a little bit longer. An ID thief can use the new Medicare card as ID for other changes and updates. Even get a copy of a person's birth certificate sent to them.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
People still use drugs, murder, carjack, and rape despite laws passed against the behavior. Who'd-a-thunk-it?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Since when are data breach notification laws meant to reduce data breaches?
ID Theft In US Continues Apace Despite Data Breach Laws
And in other news, people have been shot in "Gun free zones".
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
Do you really believe that notifying people is supposed to somehow deter criminals? Notification is supposed to allow people to deal with a potential threat.
Making lenders responsible for 100% of credit theft costs would deter crime, of course. It would force reasonable authorization procedures to be used.
One step that would go a long way to securing information is limiting how many different places store sensitive info. Most of the information businesses collect is for their benefit, not to verify your identity. It's collected and sold, or used for harassing (marketing) to you. It also should not be able to be shared between each company they call a 'partner'. This should go for any type of information, not just financial.
Additionally, it would help if not so much was public record. If you purchase a house, there's no reason the amount you paid and your mailing address should be made public. There is no reason ever for a company to need your mother's maiden name.
Many people don't know all the other information that is kept and sold about them. For instance, many places that ask for security questions about your dog, car, or lineage sell your responses. Experian also collects information about you that is not disclosed when you order a credit report like average monthly purchases and what percentage and categories your purchases fall. The document of available information about you just from that company was about 1/2 inch thick.
It's also not good that if you have your oil changed at most service places they sell that information about you. When I had my car totaled by fault of the other driver, his insurance company tried to use the "missing" records of oil changes to devalue what my vehicle was worth. It was good that I keep records when I change my oil; otherwise I would have had a lot harder time getting them to cover what it was worth.
All said and done, I'd be happy if companies had to PROVE a NEED, not a use for, any information they store or incur heavy penalties.
Make banks have to verify your identity before they can create ANY new account in your name, and make all such institutions, from banks, to data mining companies, liable for the damage they cause to private citizens through not taking adequate means to protect the data they have on us. The down side to this sort of approach is that it would probably cause a wave of depression-like effects on the banking industry because it would be so difficult to sign people up for credit accounts. However, in the long run, it would be 100% worth the short-term pain.
because joe and jane public know almost nothing about how the banking system works (and most don't seem to care), they don't understand the lack of security. another way to look at it might be to find some way to convince the average american that the government isn't looking out for everyone's interests, that's a tertiary objective. i've had many conversations with people about how various chemicals that are/were widespread (saccharine, aspartame, vioxx) have taken so long to be removed from the market, if ever. the most common response is that they trust the government to tell them what's ok. there are many more points to these discussions, but i've just made the most important one
8 to 10 years ago, I complained to a bank and MC about one of the first phishing sites. They could not care at all. Anything that might put a customer off, did not matter. They just pass the costs through on their card's 21% interest rates. And the customers pay it. So who is to blame? The banks do not care, the credit cards do not care - and the customers could care less, unless it happens to them, then they expect the bank/card to take care of everything. There are even profitable services to watch out for this - that customers pay for.
It is not going to change until the profit is taken out of it for the banks, card companies and everyone else.
My adopted father has been using my ss number for years. He has done so much damage I may never be able to own a car, have a bank account or anything else. Between the State of Missouri and apparently most other states being able to sell ss numbers and info bulk and credit reporting companies being exempt from recording information that may be wrong it will never be even vaguely manageable. The last 4 years has been an attorney that I won against, he does have friends in high places, the higher the place the bigger penalty they should get. Credit reporting companies should have to verify information and inform the person they report on who is asking for the information. I have to move by the end of this month and the two places that did checks still come up with a horrendous record that is so large they couldn't approve me but they knew there was no way it could be my record. Too much going on at the same time in too many places. But I still can't get past it. Trying to clear my ID has been a full time job the last 4 years.
prohibition -> fail
war on drugs -> fail
copyright enforcement -> epic fail
securities / corp finance fraud -> fail all the way to the bank
prostitution -> fail with release
If the crime has a profit motive, laws don't stop it. At most they raise costs and increase the barrier to entry thus ensuring only large players (mafia, cartels, governments, corporations) get to play.
#1:
laws, but has all of this legislation actually cut down on identity theft? Legislation does not stop crime. Prosecution stops crime. Besides, these laws are weak. They are unenforceable since they state "if you did something wrong, you must tell us" and obviously if they don't tell they don't get caught. And even if they do tell, there is nothing you can do to stop it and it doesn't make the companies any more likely to take security measures. So these bills are probably a good idea that doesn't go far enough.
#2:
I called Comcast today to register for service (yeah yeah, make fun of me, but they are the only game in town) and they asked me for my SSN. When I told them I couldn't do that, they hung up on me. So this just shows me that not only is this business as usual, but it is getting worse. 10 years ago nobody would have dared ask for a social security number for something like this. How come things are getting worse while at the same time we are supposedly doing all this stuff to prevent identity theft?
Bottom line: nobody cares, nobody does anything about it. The only ones who do are academics and a vocal minority like Slashdot.
Orbis terrarum est non altus satis
be fired by the stockholders (I know bashing Microsoft in Slashdot - imagine that!) But seriously, they were in the perfect position to become this. They had the money and they had the universal presence to pull it off. But they proved themselves to be such untrustworthy, scheming pricks that no one in their right mind would follow along. Talk about a missed opportunity. Maybe Google will realize they still have a chance to do this. So far they seem to have done a decent job resisting the temptation to completely abuse the data they already have on us. They are probably the best hope for us here.
"Over the past five years, 43 US states have adopted data breach notification laws"
"If you get hacked, you have to tell us, so that we can prosecute you for having lax security and your customers can abandon you." Or, you know, they can keep their mouths shut, since the reason for these mandatory disclosure laws to begin with is that, unless these companies say anything, nobody but the thief knows they were compromised.
I'm sure that even the use tax laws are more successful.
By now banks should realise that Chip and PIN system will not combat fraud because it does not deter identity fraud, ATM fraud, stolen card and PIN fraud, card not present fraud, faked fraud etc. the way KEY and PIN system described on website www.xwave.co.uk will. So until banks exploit proposed KEY and PIN system fraud crimes will continue to grow. KEY and PIN system could be treated like international ID card since it will personalise signature and PIN to the right individual in any country in the world. We hope banks and the government would exploit KEY and PIN system before it is too late to stop a fraud boom.
Then they need to make it so it's easy to switch social security numbers if someone is working under yours and not paying taxes (assuming you can prove this of course).
Or even simpler not using SSN's for anything other than their intended purpose in the first place.
Are you living in the dark ages?
No sig today...
The solution to data theft is fairly simple: Focus on those responsible for the loss. Say: 20 years in SuperMax prison for ALL officers, directors and executives of a company that "allows" data to be stolen.
Within a year, there will be zero data losses.
I ran into a company online (acnodes.com) that was revealing full customer credit info, card numbers, billing address - the whole package. It was just very shoddy web design performed by the lowest bidder.
All that was required was to put in an order number and up popped everyone's info.
I had to cancel the card I used, and then I spent 4 hours trying to get someone interested.
Getting in touch with the site owner in SoCal took a couple of hours, including me explaining the issue repeatedly, and threatening dire legal action before he finally agreed to shut the site down until the hole was fixed.
The local bank that issued the card was closed, so in between attempts to reach the site owner, I tried to interest Visa in the issue.
They couldn't care less.
I finally googled for the Visa fraud line, but since this was a security breach, rather than fraud, they weren't interested.
They suggested contacting the local police, who suggested the FB-freakin-I, who suggested Homeland Security.
In the end, no one gave a shit.
ID theft laws won't improve the situation in which I found myself, since it wasn't ID theft - just simple incompetence, and the banks aren't interested unless laws force them to be.
You would think there would be some sort of hotline where consumers could report a breach, the card company could briefly investigate, and on confirmation suspend transactions to that merchant id.
Nope.
'There doesn't seem to be any evidence that the laws actually reduce identity theft,'
.. NO. Then what use is it, oh .. it makes the lawyers richer .. :)
Because it's a technological problem that requires a technological fix. A totally new kind of online trading system, one that doesn't require the use of Credit Cards. I mean does any of this fix the software, err
davecb5620@gmail.com
People who keep bringing guns in although the sign says "Gun free zone"
Coder's Stone: The programming language quick ref for iPad