ID Theft In US Continues Apace Despite Data Breach Laws

4roddas points out an article at Techworld about the continued scourge of identify theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends."

Put the onus on financial institutions

[gbulmash]

Plain and simple, the only thing that's going to really make a dent in identity theft is to make identities harder to steal, and that means requiring all the banks and credit card companies to jump through more identity verification hoops before they give someone your money or a line of credit in your name.

Sure, requiring you to go to a licensed notary and have a credit card application notarized might not make it so easy to get credit, but it would also make it harder to get credit in your name.

The banks and credit card companies could do this, but it's more profitable to let people steal your identity and then just jack up fees and interest rates to cover the losses.

- Greg

Re:Put the onus on financial institutions

[sydbarrett74]

Wonderful points. I would also add that if laws/regs forced the onus of losses on the financial institutions themselves (rather than allowing them to write losses off as a cost of business), said firms would rapidly implement better security mechanisms. As it stands, banks have little incentive to prevent these crimes, because the victims have the burden of proof and responsibility for cleaning up the resulting mess.

Re:Put the onus on financial institutions

[homer_s]

If someone "steals my identity" and gets credit, am I responsible for paying the loan or does the financial institution just eat it?

My friend's husband had his SSN stolen and they were convinced that they'd have to repay. They showed me the IL attorney general's website which supported their conclusion.

If that is true, then this problem will not go away. Make the financial institution eat the loss caused by their stupid reliance on a 9-digit number that is not even supposed to be secret.

Re:Put the onus on financial institutions

[QuantumRiff]

Even more than that, I would love to see some laws that simply state the the credit companies have to prove it was you that took out the credit. (you know, innocent to proven guilty, one of the cornerstones of our democracy). Right now, you have to find out what is going on, and then prove to them that you didn't request/use the money. If they would just put the principle of innocent till proven guilty, the banks and credit companies would have to drastically change the way they give credit. (since they have to prove its you!).

I also think much would change if everyone had a right to get their own information that is collected from them. I can get credit reports 1 time a freaking year. thats it. Not to mention all the other companies that collect information about me. Some use that information for things like employment screening. How the hell am I supposed to know that I didn't get a job, because some company I have never heard of claims I had a record. (maybe they mistyped my social security or name...). Employers are scared of lawsuits, and they never tell you why you weren't selected..

Re:Put the onus on financial institutions

[menace3society]

I've been saying this for years. Identity theft, like intellectual property theft, doesn't actually occur. What happens is financial-services fraud, to take advantage of my name and fiscal responsibility to get cash. At no point does anything that properly belongs to me ever get taken, or even leveraged. What gets leveraged are things like Social Security Number (property of the US government) and Credit Rating/Credit Score (property of the various agencies that compile them). I don't get tricked into anything, the bank gets tricked.

The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges. If you call it 'identity theft,' then it seems more reasonable to blame the person whose name was forged, but (and this is important so it's gonna be in all caps) THE PERSON WHOSE ID IS STOLEN IS NOT THE VICTIM. The bank is, and the whole process from start to finish ought to be the bank's problem.

If we had more strict laws on consumer data protection, this shit wouldn't happen.

Re:Put the onus on financial institutions

[sjames]

What will really fix things is to recognize that what we call 'identity theft' is nothing more than two frauds jammed together.

The first is some scumbag defrauding the bank into giving them money in someone else's name. The second is when the bank tries to pass the buck by making a third party pay the debt back.

The bank's crime is even worse. They commit extortion by threatening to libel (report an adverse credit event resulting in declined loans and higher interest rates) the 'victim of identity theft' unless they pay for the bad debt they didn't have anything to do with.

I fail to see how the bank's behavior is any better than if I were mugged in the park and decided to "make it right" by mugging the next person I see.

Breach notification laws

[computerman413]

Data breach notification are useless when institutions don't know they've been breached. I'm sure there are lots of those cases.

Re:Breach notification laws

[morgan_greywolf]

Yep. And just because companies must notify consumers of a breach doesn't mean any sign that they'll actually do it. Sex offenders are required to notify the sex offender registry when they move. Not all sex offenders do that, either.

The solution is technology

[Jimmy_B]

Your credit card number is not a password, because you have to give it away every time you buy something. If someone wants to steal a credit card number, they can get it from any unscrupulous employee of any business that sells things, which means they'll always succeed. The solution is to replace credit cards with smart cards that use public-key cryptography. That means that your credit card contains a number which you can use to sign transactions and prove that you are authorized to make payments, but you don't have to give every employee of every merchant you buy from the power to impersonate you.

Social security numbers have the same problem, only worse, because you can't just cancel your SSN like you can with a credit card. Banks pretend that your SSN is a password, but there are thousands of people who have access to your social security number and at least one of them will sell it on the black market.

Fixing this mess will cost the banks a lot of money, but they made this mess and it's their responsibility to clean it up. We need the federal government to mandate real security measures, because fraud is quickly becoming the norm.

Re:Get Personal Data off your computer

[deadmongrel]

I have had my identity stolen twice and both time it was a data breach with a merchant I was dealing with. I find it appalling that it is so easy to get a credit or signup for a loan. How about more responsibility on the bank merchant part? The there credit bureaus should be held responsible for this mess. They are making profit using our data and we end up paying to clean it up or monitor it.

So once again...

[tekiegreg]

...we've proven that a piece of paper alone can't stop crime, pollution, educate our kids, etc. it is only the enforcement thereof, or in the case of ID theft, steps to prevent such crime that will ultimately solve our problems.

Long story short, let's move along and work to end the problem, not just write paper against it.

Re:Identity Clearinghouse

[cdrguru]

Problem today is with "identity management" agencies. In Illinois the Governor mandated that the state DMV department (Secretary of State's office) would give driver's licenses to people producing a card from the local Mexican Matricula Consular office. What they do is give you (or anyone else) an ID that says you can then get a valid Illinois driver's license. Verification? None. It seems that birth records aren't well maintained in Mexico so it would be difficult for them to establish if someone was really even from Mexico under the immigration policies in effect in Illinos. Therefore, no ID is required to get this form of identification.

With this as a starting point, you can basically get anything you want in Illinois. If you would like a SSN on your driver's license you can have that as well. Again, no verification or validation is needed. It is required that you be able to write your name.

This same practice occurs in a number of other cities and states as well.

I believe they would feel obligated to provide a translator if someone showed up speaking nothing but Klingon.

Just remember, they aren't stealing your identity, just borrowing it.

Re:Get Personal Data off your computer

[Ihmhi]

How do we even know it's you posting right now?

All jokes aside, banks make tons of profit off of easy credit. When credit is easy for damn near anyone to get, people are (generally) going to run up large bills.

A very good friend of mine had a credit card (I think a Visa) for almost 2 years and they never increased his limit about the initial $500. Why? Delinquent on payments? Nope, it was actually the exact opposite - he paid his bill at the end of every month and on time. He was actually told that he would have to start maintaining a balance (and therefore generate interest) if he wanted his limit to go up.

So he cancelled the Visa card and got an American Express. They took note of his excellent credit record and handed him a card with a much higher limit. He never goes anywhere near it and still pays his bills on time.

Fiscal responsibility is not profitable in the credit and banking industries. If everyone balanced their checkbooks and paid their bills on time, a load of banks and CC companies would go flat broke. That's why things like the minimum payment (which is calculated to make sure you have a balance on the card for 30 years) exist.

since when?

[the+brown+guy]

ID Theft in US Continues Apace Despite Data Breach Laws Since when do laws really stop anything. There are laws against murder, yet people are murdered all the time. They got to get to the root of the problem, and there are ton of comments trying to identify the root, which is probably profit.

Of couse they're not doing anything

[Guppy06]

"Over the past five years, 43 US states have adopted data breach notification laws"

"If you get hacked, you have to tell us, so that we can prosecute you for having lax security and your customers can abandon you." Or, you know, they can keep their mouthes shut, since the reason for these mandatory disclosure laws to begin with is that, unless these companies say anything, nobody but the thief knows they were compromised.

I'm sure that even the use tax laws are more successful.