Slashdot Mirror


ID Theft In US Continues Apace Despite Data Breach Laws

4roddas points out an article at Techworld about the continued scourge of identity theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends."

29 of 117 comments

  1. Put the onus on financial institutions by gbulmash · · Score: 5, Insightful

    Plain and simple, the only thing that's going to really make a dent in identity theft is to make identities harder to steal, and that means requiring all the banks and credit card companies to jump through more identity verification hoops before they give someone your money or a line of credit in your name.

    Sure, requiring you to go to a licensed notary and have a credit card application notarized might not make it so easy to get credit, but it would also make it harder to get credit in your name.

    The banks and credit card companies could do this, but it's more profitable to let people steal your identity and then just jack up fees and interest rates to cover the losses.

    - Greg

    1. Re:Put the onus on financial institutions by sydbarrett74 · · Score: 5, Insightful

      Wonderful points. I would also add that if laws/regs forced the onus of losses on the financial institutions themselves (rather than allowing them to write losses off as a cost of business), said firms would rapidly implement better security mechanisms. As it stands, banks have little incentive to prevent these crimes, because the victims have the burden of proof and responsibility for cleaning up the resulting mess.

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
    2. Re:Put the onus on financial institutions by mrmeval · · Score: 3, Interesting

      Legal notaries can and will commit fraud for a suitable fee but I can get a notary stamp and do it myself cheaper. ;)

      http://www.notarypublicstamps.com/products.asp?StateID=15

      Put the onus on the financial institution monetarily and make it treble damages in addition to jury awarded punitive damages and legal fees. Make it so that it must go before a jury and not ever arbitration. I'd want punitive damages so high their investors suffer and I'd want those damages set aside in a fund to help identity theft victims who have damages that don't warrant or won't benefit from a lawsuit or have emergency needs.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    3. Re:Put the onus on financial institutions by QuantumRiff · · Score: 4, Insightful

      Even more than that, I would love to see some laws that simply state that the credit companies have to prove it was you that took out the credit. (you know, innocent till proven guilty, one of the cornerstones of our democracy). Right now, you have to find out what is going on, and then prove to them that you didn't request/use the money. If they would just put the principle of innocent till proven guilty, the banks and credit companies would have to drastically change the way they give credit. (since they have to prove it's you!).

      I also think much would change if everyone had a right to get their own information that is collected from them. I can get credit reports 1 time a freaking year. That's it. Not to mention all the other companies that collect information about me. Some use that information for things like employment screening. How the hell am I supposed to know that I didn't get a job, because some company I have never heard of claims I had a record. (maybe they mistyped my social security or name...). Employers are scared of lawsuits, and they never tell you why you weren't selected.

      --
      What are we going to do tonight Brain?
    4. Re:Put the onus on financial institutions by homer_s · · Score: 2, Informative

      Thanks - that is basically what I've heard.
      It is not just the banks though - people are using SSNs to collect other people's unemployment. Good luck trying to get your benefits when you need them most.

    5. Re:Put the onus on financial institutions by menace3society · · Score: 5, Insightful

      I've been saying this for years. Identity theft, like intellectual property theft, doesn't actually occur. What happens is financial-services fraud, to take advantage of my name and fiscal responsibility to get cash. At no point does anything that properly belongs to me ever get taken, or even leveraged. What gets leveraged are things like Social Security Number (property of the US government) and Credit Rating/Credit Score (property of the various agencies that compile them). I don't get tricked into anything, the bank gets tricked.

      The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges. If you call it 'identity theft,' then it seems more reasonable to blame the person whose name was forged, but (and this is important so it's gonna be in all caps) THE PERSON WHOSE ID IS STOLEN IS NOT THE VICTIM. The bank is, and the whole process from start to finish ought to be the bank's problem.

      If we had more strict laws on consumer data protection, this shit wouldn't happen.

    6. Re:Put the onus on financial institutions by hedwards · · Score: 2, Interesting

      That's hardly accurate at all. The only thing I can agree with is that with proper data protection laws, this wouldn't happen so frequently.

      The reason why it's referred to as identity theft is that fraudsters will use a real identity to open multiple accounts with multiple institutions and leave the bill for the victim to pay. And yes, that's how banks want it to work, they usually draw things out for many months, refuse to admit that it was their fault for having a shoddy system to verify these things.

      The cost of this can easily reach into the thousands of dollars for the victim. To suggest that banks just roll over and admit that it was fraud is really missing the point. In most cases they don't, as far as they're concerned they should be paid, and the person who got ripped off is them.

      I was very fortunate to just lose my email, name and address to spammers when TD Ameritrade had that large breach. I have no way of knowing if they got more, and decided not to use it, or if they will at some point in the future. In the state I live in, I'm not guaranteed a free credit freeze unless Ameritrade were to file a police report admitting it. AFAIK there's no law that says they have to do so and it's very much possible that the week they stop paying for the monitoring, that the information will be used.

    7. Re:Put the onus on financial institutions by kesuki · · Score: 4, Interesting

      "The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges."

      there is a more sophisticated type of 'identity theft' that is much more complex, basically, all you need is a mark, a few social security numbers, a couple weeks and a home. every couple of weeks, you use the money you've stolen to acquire more properties, and for each 'fabricated' identity, you take out a new mortgage on a property, legally you can't take out 10 mortgages on one property, but if you work the system, you can get dozens though on the same property, seemingly from different individuals all who appear to be the only owner of that property. this crime scales all the way up to multi-million dollar skyscrapers, at least if you do it right. if you can manage to beat the system long enough you can run away with millions leaving a massive massive debt several millions of dollars greater all belonging to your 'mark;' who, according to all the paper work, did all the signing, even though there was massive massive fraud committed. and for once, banks actually call it fraud. the marks always wind up in prison, they thought they were doing a 'work at home business' helping their lover... the guy i heard about who managed to do all this, did it three times to three different women, but he was too greedy, and never pulled out with the millions he could have... the first thing that happens is they freeze all the assets, if they even suspect someone is doing this, so it's all a matter of pulling out before they know what you've done. it's crazy how easily this kind of identity theft can be done, once you know the whole mortgage system, and how to get a mark to sign all the paperwork, without them knowing what you're up to.

      it was on dateline, the guy who kept coming back to the same scam, he even wrote a 'fictional' book, all about how he did all his crimes, sadly the book itself was the most incriminating evidence against him in the crime, all the paper trails led to his 'women.' finding a woman who doesn't know much about running a business, and learning all the skills needed to pull off the crime are way too easy, banks really really want to believe what people are telling them. especially when the paperwork all goes through fine.

    8. Re:Put the onus on financial institutions by sjames · · Score: 5, Insightful

      What will really fix things is to recognize that what we call 'identity theft' is nothing more than two frauds jammed together.

      The first is some scumbag defrauding the bank into giving them money in someone else's name. The second is when the bank tries to pass the buck by making a third party pay the debt back.

      The bank's crime is even worse. They commit extortion by threatening to libel (report an adverse credit event resulting in declined loans and higher interest rates) the 'victim of identity theft' unless they pay for the bad debt they didn't have anything to do with.

      I fail to see how the bank's behavior is any better than if I were mugged in the park and decided to "make it right" by mugging the next person I see.

  2. Get Personal Data off your computer by imus · · Score: 5, Interesting

    Search your files for social security and credit card numbers before hackers do.

    1. Re:Get Personal Data off your computer by deadmongrel · · Score: 4, Insightful

      I have had my identity stolen twice and both times it was a data breach with a merchant I was dealing with. I find it appalling that it is so easy to get credit or sign up for a loan. How about more responsibility on the bank merchant part? The three credit bureaus should be held responsible for this mess. They are making profit using our data and we end up paying to clean it up or monitor it.

    2. Re:Get Personal Data off your computer by Ihmhi · · Score: 3, Insightful

      How do we even know it's you posting right now?

      All jokes aside, banks make tons of profit off of easy credit. When credit is easy for damn near anyone to get, people are (generally) going to run up large bills.

      A very good friend of mine had a credit card (I think a Visa) for almost 2 years and they never increased his limit above the initial $500. Why? Delinquent on payments? Nope, it was actually the exact opposite - he paid his bill at the end of every month and on time. He was actually told that he would have to start maintaining a balance (and therefore generate interest) if he wanted his limit to go up.

      So he cancelled the Visa card and got an American Express. They took note of his excellent credit record and handed him a card with a much higher limit. He never goes anywhere near it and still pays his bills on time.

      Fiscal responsibility is not profitable in the credit and banking industries. If everyone balanced their checkbooks and paid their bills on time, a load of banks and CC companies would go flat broke. That's why things like the minimum payment (which is calculated to make sure you have a balance on the card for 30 years) exist.

  3. Breach notification laws by computerman413 · · Score: 5, Insightful

    Data breach notifications are useless when institutions don't know they've been breached. I'm sure there are lots of those cases.

    1. Re:Breach notification laws by morgan_greywolf · · Score: 2, Insightful

      Yep. And just because companies must notify consumers of a breach doesn't mean they'll actually do it. Sex offenders are required to notify the sex offender registry when they move. Not all sex offenders do that, either.

  4. The solution is technology by Jimmy_B · · Score: 4, Insightful

    Your credit card number is not a password, because you have to give it away every time you buy something. If someone wants to steal a credit card number, they can get it from any unscrupulous employee of any business that sells things, which means they'll always succeed. The solution is to replace credit cards with smart cards that use public-key cryptography. That means that your credit card contains a number which you can use to sign transactions and prove that you are authorized to make payments, but you don't have to give every employee of every merchant you buy from the power to impersonate you.

    Social security numbers have the same problem, only worse, because you can't just cancel your SSN like you can with a credit card. Banks pretend that your SSN is a password, but there are thousands of people who have access to your social security number and at least one of them will sell it on the black market.

    Fixing this mess will cost the banks a lot of money, but they made this mess and it's their responsibility to clean it up. We need the federal government to mandate real security measures, because fraud is quickly becoming the norm.

    1. Re:The solution is technology by cdrguru · · Score: 4, Interesting

      Banks don't care because it costs them almost nothing to live with the current state of things. Credit card fraud costs the consumer, mostly because merchants get ripped off and have to eat the cost of sales to fraudulent card numbers.

      Credit card companies have very strict rules for merchants that prevent them from validating who a customer is beyond the signature on the card. For instance, they are not allowed to ask for a photo ID. If the card says "check ID" instead of being signed they are not supposed to accept it as it is not signed. The signature indicates that you have accepted the terms of the credit agreement, not any sort of identity verification. Violation of the merchant agreement can result in the merchant account being terminated. These days, a retail store not being able to accept credit cards might as well just fold up shop.

      Fraudulent loans and financing are a very small percentage. The FBI mandated that credit card fraud be lumped into "identity theft" a while back and that is where all the numbers are coming from. Unfortunately, there isn't any motivation to fix the problem because the wrong people - the merchants - are paying for the fraud.

  5. Identity Clearinghouse by Dachannien · · Score: 4, Interesting

    A long time ago, I wrote up a description of an identity clearinghouse, a government-run agency that allowed lenders to verify a potential borrower's identity without giving the lender any unnecessary information about the borrower's true identity. From the private citizen's side, it's all optional - register with the clearinghouse if you want, and go it alone if you want. From the lenders' side, it's mandatory to check with the clearinghouse before opening a line of credit for someone.

    To register with the clearinghouse, you go to a local government agency where identity is "managed" - e.g., your local DMV. You register there by providing your current contact information, and they ensure that you are the person you claim to be through their normal identification procedures (such as picture ID/driver's license pictures on file). If you later need to change your contact info, you do the same procedure (going to the DMV in person) to prove your identity.

    When you apply for credit somewhere, the lender first uses the identifying information you have provided to them (such as name, address, SS#, etc.) to verify your identity with the clearinghouse. If you haven't registered, the clearinghouse just responds that there's no such registrant in their records, and the lender is free to grant credit to the applicant. But if you have registered, the clearinghouse first checks to make sure the information they have on file matches the information the lender provides, and second, they use the information they have on file to contact you directly and ensure that you actually applied for credit with the lender in question. If both of those checks succeed, they respond to the lender with "yes", and if either fails, they tell the lender "no".

    This would greatly reduce the instances of people opening lines of credit in other people's names. However, one problem it doesn't address is fraudulent charges to legitimate lines of credit you already have (e.g., stolen/copied credit cards). Credit card issuers and merchants are both often on the hook for most of those sorts of charges, though, so they already take at least some steps to reduce that kind of fraud.

    1. Re:Identity Clearinghouse by cdrguru · · Score: 2, Insightful

      Problem today is with "identity management" agencies. In Illinois the Governor mandated that the state DMV department (Secretary of State's office) would give driver's licenses to people producing a card from the local Mexican Matricula Consular office. What they do is give you (or anyone else) an ID that says you can then get a valid Illinois driver's license. Verification? None. It seems that birth records aren't well maintained in Mexico so it would be difficult for them to establish if someone was really even from Mexico under the immigration policies in effect in Illinois. Therefore, no ID is required to get this form of identification.

      With this as a starting point, you can basically get anything you want in Illinois. If you would like a SSN on your driver's license you can have that as well. Again, no verification or validation is needed. It is required that you be able to write your name.

      This same practice occurs in a number of other cities and states as well.

      I believe they would feel obligated to provide a translator if someone showed up speaking nothing but Klingon.

      Just remember, they aren't stealing your identity, just borrowing it.

  6. So once again... by tekiegreg · · Score: 2, Insightful

    ...we've proven that a piece of paper alone can't stop crime, pollution, educate our kids, etc. It is only the enforcement thereof, or in the case of ID theft, steps to prevent such crime that will ultimately solve our problems.

    Long story short, let's move along and work to end the problem, not just write paper against it.

    --
    ...in bed
  7. FBI Out to Lunch by Doc+Ruby · · Score: 3, Interesting

    The FBI is in charge of protecting Americans from fraud and theft on that scale and across that national and global jurisdiction. But Bush's "Justice" Department isn't interested.

    Feel safer?

    --
    make install -not war

    1. Re:FBI Out to Lunch by Doc+Ruby · · Score: 2, Interesting

      Well, I have worked in the "security industry" here in NYC, quite a lot making secure banking/brokerage/insurance infosystems during the late 1990s, and helping the NYC legislature's tech policymaking committee oversee secure NYC's IT (both government and its neighbors in the Financial District). I know quite a lot about both secure technology and government security operations.

      The FBI isn't nearly interested enough in these frauds. Despite how hard it is to find and bring these criminals to justice, that's the FBI's job, and it's good at it when it makes it a priority. Instead, under Bush, the priority has been "terrorism", which has been a cover for all kinds of wasted effort that hasn't secured us, but did help Bush keep going for 8 years. Even Bush's "CyberTerrorism Czars" have all quit in disgust, and Bush hasn't put a credible sheriff in charge of controlling this massive criminal activity.

      There's a lot more ID theft and fraud in the past 8 years than when Clinton was president in the late 20th Century. It's like the presidents of the 1920s didn't make the FBI all use or at least understand automobiles, when they became a common tool for crimes, especially in escaping local jurisdictions.

      So you can take your vague Bush apologies and dump them on that pile of crap you call "not much caring for the guy, either". The fact is that you voted for him twice, you and your Republican buddies are responsible for our lawless crises, and you have no credibility to bleat about how "this is hard work" like you do when Bush clears brush while the country gets looted. Your Bushy trolls are worse than worthless. You Republicans just aren't up to the job of securing anything, as much as you're constantly whining about how scary the bad guys are.

      And stop whining to the mods, who apparently aren't stuck in the kind of Bushy denial you're stuck in.

      --
      make install -not war

  8. One-Time Passwords for Transactions by Doc+Ruby · · Score: 2, Interesting

    I hate giving my PIN to vendors. I hate typing my PIN on random ATMs - and rarely do it. I hate typing my PIN into authorization keypads at stores, but what can I do?

    Every transaction should have its own unique PIN attached to the transaction's amount and recipient. Credit cards with chips could do this right now, RSA-password style, generated against the one-time password from the vendor's machine for the transaction, in a data package with the vendor's invoice signed by the vendor's transaction password that my card keeps. In fact it should be transacted over my phone and archived in my personal DB.

    This tech is here, and pretty cheap. Banks should pay for it. Their insurance corps should make them pay for it. Until they do, consumers like us will pay most of the costs, especially in a lifetime recovering from a "one-time" ID theft.

    --
    make install -not war
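
An added sketch (not part of the comment above, and not any card scheme's actual protocol) of a per-transaction code bound to the amount and recipient, as that comment proposes. It assumes the card chip and the issuing bank share a secret key and uses HMAC-SHA256 with HOTP-style truncation; the `Card` and `Issuer` classes, field layout and sample values are hypothetical.

```python
import hashlib
import hmac
import struct


def _encode(counter: int, nonce: bytes, recipient: str, amount_cents: int) -> bytes:
    """Length-prefixed encoding so no two distinct transactions serialize alike."""
    rcpt = recipient.encode("utf-8")
    return (struct.pack(">QH", counter, len(nonce)) + nonce
            + struct.pack(">H", len(rcpt)) + rcpt
            + struct.pack(">Q", amount_cents))


def transaction_code(key: bytes, counter: int, nonce: bytes,
                     recipient: str, amount_cents: int, digits: int = 8) -> str:
    """One-time code over (counter, terminal nonce, recipient, amount)."""
    mac = hmac.new(key, _encode(counter, nonce, recipient, amount_cents),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Card:
    """Holds the key and a counter; the key never leaves the chip."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def authorize(self, nonce: bytes, recipient: str, amount_cents: int):
        self._counter += 1
        code = transaction_code(self._key, self._counter, nonce,
                                recipient, amount_cents)
        return self._counter, code


class Issuer:
    """Bank side: recomputes the code and rejects replays and altered fields."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def verify(self, counter: int, code: str, nonce: bytes,
               recipient: str, amount_cents: int) -> bool:
        if counter <= self._last_counter:
            return False  # counter already used: replayed authorization
        expected = transaction_code(self._key, counter, nonce,
                                    recipient, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # amount, recipient or nonce was changed
        self._last_counter = counter
        return True


if __name__ == "__main__":
    key = bytes(range(32))        # constructed demo key
    card, bank = Card(key), Issuer(key)
    nonce = b"terminal-nonce-01"  # constructed challenge from the terminal
    ctr, code = card.authorize(nonce, "ACME-STORE-17", 4999)
    print("altered amount accepted:",
          bank.verify(ctr, code, nonce, "ACME-STORE-17", 499900))
    print("genuine accepted:", bank.verify(ctr, code, nonce, "ACME-STORE-17", 4999))
    print("replay accepted:", bank.verify(ctr, code, nonce, "ACME-STORE-17", 4999))
```

Because the merchant only ever sees the code and not the key, a captured code is useless for any other amount, recipient or later transaction.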

  9. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  10. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  11. ID theft is trivially easy, today. by NoobixCube · · Score: 3, Interesting

    ID theft will continue, now that criminals have about 4.5 million people's personal data from those backup tapes the Bank of New York lost. Not to mention all of the other data losses we've heard about on Slashdot. No amount of securing your personal data will help now, unless you plan on changing your date of birth and address. Seriously, that's all it takes. All it took to prove to Medicare (Australian health cover, just a shade short of socialised health) over the phone that I was me, when I needed to change some details, was my date of birth and current address. You put those on almost every form you fill out offline, and if you shop online, you put your address on those too. Date of birth and current address can be used as a lever to "update" someone's Medicare details, and have a new card sent to an ID thief. Medicare counts as a form of ID, so that makes the lever a little bit longer. An ID thief can use the new Medicare card as ID for other changes and updates. Even get a copy of a person's birth certificate sent to them.

    --
    Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
  12. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  13. Two items forgotten here by MobyDisk · · Score: 3, Interesting

    #1:
    "laws, but has all of this legislation actually cut down on identity theft?"

    Legislation does not stop crime. Prosecution stops crime. Besides, these laws are weak. They are unenforceable since they state "if you did something wrong, you must tell us" and obviously if they don't tell they don't get caught. And even if they do tell, there is nothing you can do to stop it and it doesn't make the companies any more likely to take security measures. So these bills are probably a good idea that doesn't go far enough.

    #2:
    I called Comcast today to register for service (yeah yeah, make fun of me, but they are the only game in town) and they asked me for my SSN. When I told them I couldn't do that, they hung up on me. So this just shows me that not only is this business as usual, but it is getting worse. 10 years ago nobody would have dared ask for a social security number for something like this. How come things are getting worse while at the same time we are supposedly doing all this stuff to prevent identity theft?

    Bottom line: nobody cares, nobody does anything about it. The only ones who do are academics and a vocal minority like Slashdot.

  14. since when? by the+brown+guy · · Score: 2, Insightful

    "ID Theft in US Continues Apace Despite Data Breach Laws"

    Since when do laws really stop anything? There are laws against murder, yet people are murdered all the time. They got to get to the root of the problem, and there are a ton of comments trying to identify the root, which is probably profit.
    --
    Orbis terrarum est non altus satis
  15. Of course they're not doing anything by Guppy06 · · Score: 2, Insightful

    "Over the past five years, 43 US states have adopted data breach notification laws"

    "If you get hacked, you have to tell us, so that we can prosecute you for having lax security and your customers can abandon you." Or, you know, they can keep their mouths shut, since the reason for these mandatory disclosure laws to begin with is that, unless these companies say anything, nobody but the thief knows they were compromised.

    I'm sure that even the use tax laws are more successful.