Slashdot Mirror
Why Lenders Overlook Warning Signs of ID Theft
Hugh Pickens writes "Despite all the new fraud alert tools and increased awareness of the perils of identity theft, incidence of the crime remains at 2003 levels, with about 10 million Americans falling victim every year. Now the NY Times reports that there may be a simple reason for the persistence of ID theft: lenders are too willing to extend credit to just about anybody, even when there are big red flags that indicate fraud. Chris Jay Hoofnagle at UC Berkeley worked with a small sample of six ID theft victims and delved into how they were defrauded. Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud — yet in all 16 cases, credit or services were granted anyway. 'Identity theft remains so prevalent because it is less costly to tolerate fraud,' writes Hoofnagle. 'Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.' Hoofnagle says business decisions leave individuals and merchants with some of the externalities of identity theft as victims spend their own money, and more often, valuable personal time dealing with the problem. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems."
Can't wait to see how people blame the victim on this one.
Never underestimate the power of stupid people in large groups.
Bank fraud is why i shutdown my business after losing about 15k. Banks make a LOT of money milking the merchants with fees & services to create a "Safe shopping facade" but to screw you over in the end. What sucks even worse is that the consumer always wins in the end regardless or not if the consumer is legit or fraud and the banks LIKE it that way.
Banks make a lot of money in playing the high risk game and its screws everyone over in the end.. someone is paying for it.
Settling the fraudulent debt is one thing, being compensated for the runaround is another. If banks are going to save money by enabling ID theft as a matter of policy, they must compensate for when that policy causes damages to their clients in the form of time and money spent correcting the problems. Then we'll see if it's actually better to save on ID theft prevention.
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
I've got an idea. How about the credit agencies be required to inform me when they give out reports about me? They already know everything about me, right? If someone is illegitimately getting credit under my name, I'll find out about it. If they have incorrect information, I'll find out about it. The cost of an inquiry would go up by $1(US), the cost of printing and mailing a duplicate report.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
The solution is this: you loan money to Joe and Joe signs his name as David? Wow, too bad for you, lender. You just gave away your money to Joe. David can't be held liable for this since he had no hand in it?
Doesn't it sound like the logical solution. If someone goes to the bank claiming to be me and the bank gives them a loan in my name, then the impetus is on the bank to track down the schmuck who tricked them. The bank ought to be liable for allowing themselves to be duped like this; they shouldn't be allowed to come after me. After all, I didn't do anything!
What's wrong with this solution?
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
If lendors had to pay for the damage they cause, the problem would disappear overnight. They should be responsible, not the poor victims, for cleaning up the mess. Sadly, they do not care, as it costs them nothing.
"To those who are overly cautious, everything is impossible. "
You have to keep in mind that a lot of systems that check people's IDs, Credit Cards, and Applications are built on top of legacy systems that were designed to work using modems and other terminals. I mean, yes, they have lovely UIs and web-sites but you rip all that stuff away and the entire process runs on the same communications channel as it did in 1990.
Credit Cards address information is often only checked in a very vague way. Since there is no encoding standards and since the address often winds up as one string you have to be very easy going about what passes and what doesn't. For example this might be the string you get in (all examples are valid/legal):
"123 Fake Street TownName State Country POCODE"
"123 FakeStreetTownNameStateCountryPOCODE"
"POCODE"
"123 Fake Street"
And this is the information you have to validate - Address Line 1, Line 2, Line 3, Line 4, Line 5 (Country), POCode (Post Code/Zip code). See the problem?
Considering how lending institutions generally operate, it makes more sense that they are making a bigger profit off of "ID Protection" insurance, than they take in actual losses from ID theft.
The only solution I see is to introduce regulation that forces the lenders to pay the cost of ID theft instead of the victims.
Lenders are being completely rational from their perspective. They get paid for creating a market for loans. If they don't issue loans, they don't get paid.
They are using Other People's Money by packaging the resulting debt into CDO's and selling them off, so they don't have an incentive to look too closely at how credit-worthy the individual is. It's a bad combination of negative externalities and information asymmetry. It's a market failure that requires government regulation to fix.
What annoys me is that by coming up with the spin incantation "ID Theft", banks have been able to make what is actually their problem your problem
Its not "ID Theft" its FRAUD
Before "ID Theft" existed, con artists would regularly pretend to be someone they weren't in order to steal things. If I pretend to be an engineer from the local telephone company in order to con my way into an old ladies house and steal her purse, no one would even think for a minute that the telephone company should foot the bill, but when someone pretends to be me and convinces a bank to give them some money on that basis, apparently it is ok for the bank to turn round and try to get me to pay for the result of their gullibility.
This [ ] left intentionally [ ]
It seems evident that most who deal with them just hand this stuff over, and then wonder why they end up being owned.
In the end it turned out good for me since I looked elsewhere and got a much better service on phone numbers - but at the time it looked to me as if I was paying a cost (today) for trying to keep secure (future). They do not need my credit limit for their purposes, I am concerned about what is happening with such information that others have given them; I will report them to the UK ICO.
The only workable solution is to have some way of absolutely and uniquely guaranteeing that the person who claims to be "X" can only be "X" and cannot be anyone else. Even DNA checks are not good enough for this (as cases involving identical twins have shown), so the actual solution is very, very hard.
Of course the simpler solution is for the banks to not lend anything to anyone.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
ID theft is not the crime. It is just another form of fraud where the organizations that grant credit are not the ones who suffer when the fraud is committed against them. ID theft did not really exist until one could get credit based on simply a Social Security Number and little else. It was not that long ago where I worked that old stacks of large green bar print out paper covered on one side with peoples names, Social Security Numbers, and addresses were just taken home by virtually everyone for use by their children as scrap paper on which to draw with crayons. I would bet that anyone who was in IT back in the 1980's will remember this as normal. Back then a "stolen" identity had no value. Things that have no value are not usually stolen. It was only when the credit card companies MADE an identity have value that "Identity Theft" became something that was worth stealing. If some enterprising attorney would find a way to put together a nice class action law suit against the companies that control the issuance of credit and set a precedent that THEY were liable if credit was granted fraudulently in someones name who did not request it then ID theft would cease to exist since it would no longer be an externality
Lenders will not do anything until it costs them more money to get it wrong than to get it right. I have recently been the target of a fraud. The bank has called me 4 times in the past year about this account. They have my name and my home telephone number. They have the wrong home address, nothing right except the state. They have the wrong SSN. They have the wrong birth month, day, and year. The birth year is off more than 30 years. The card has my name and some other guy (I'm not even going there). How much do you need to get wrong before you refuse this guy? How did they get my phone number? My suspicion is that the original phone number was incorrect so they just looked up anyone with my name in my state and updated it.
Twice I hung up on the bank because I thought they were a telephone phishing attack trying to get me to hand over PII (They were asking my SSN, my home address, my birthdate). The last two times I've talked to their fraud department saying that whomever this is is not me and has no PII even close to me.
I had someone open a credit card in my name. They knew my name, address, date of birth and social security number. What they didn't know, however, was my mother's maiden name. However, the credit card company (*cough* Capital One *cough*) ignored this and let them get a credit card in my name via an online form. Then they immediately changed the address to another address in another state halfway across the country. Then they called up and asked for a $5,000 cash advance before the card was even activated. None of these set off red flags apparently.
The only reason it was caught was that the thieves tried to get the card quickly and so paid for "rush delivery." The card was sent out before the address change went through and it wound up at my door. When I called up, the credit card company first gave me the runaround insinuating that perhaps my wife did it. (Neither of us would ever open a credit card without consulting the other. Much less open an account in the other person's name and then try to get a $5,000 advance.) Then they claimed that they couldn't give me any information because (and this is a nearly direct quote) they'd be "liable if I went out and shot the person." Yes, they were now insinuating that I'd commit murder and then *they* would be sued.
Fine, I had the police call them. But they gave the police the runaround also. They insisted the police call a special "police" number, but apparently only an answering machine staffs that number and nobody returns calls from it.
Basically, the credit card company doesn't care *who* they give a card to because they can write off the fraud and will wind up making a profit either way. Fraudulent charges that consumers pay mean credit card company profits. Fraudulent charges that consumers don't pay are charged back to the merchants for no real loss (to the credit card company, the merchant's out the merchandise). In the end, they don't give a rat's posterior about messed up consumer credit or store losses due to fraud/ID theft. They're making a tidy profit and that's all that matters.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The credit card companies and banks are wanting to shift the residual risk to the customers. That's why they want you to pay for "SafeProtect" etc. for which you have to pay in advance so they monitor any ID thefts. My question is shouldn't they already be doing that? If yes, then why do they want you to pay for it? Cost reduction in my humble opinion.
This is why they can get away with it; Lenders sign up as many new lending accounts as possible. They have certain % that will default or are fraudulent. They buy insurance for this risk. The insurance company sells insurance policies which it says have a certain risk (low compared to the # they sell) of actually being claimed on. An insurance policy is something that keeps making money (with a certain % risk of being claimed on). These policies are sold as investment instruments (insurance bonds) to investors. Investors like you and me. They are put into people's pension funds, 401Ks, RRSPs, wrapped into various types of funds. And bingo.... it is now you and I who are carrying the risk. Magic.
Did you know you cannot even compel a credit agency to produce the documentation proving that you owe the claimed debt? Verification involves them contacting the party reporting the debt, saying "This guy owes money, right?" When they reply in the affirmative, that's called "verified."
Financial regulations in the United States are practically non-existent. The reason for uncertainty in our markets has nothing to do with government regulations - it has to do with the total lack of accountability and transparency required. Every five years the scheisters are exposed, and the markets collapse, because everyone - Wall Street, the credit rating agencies, and of course the companies themselves - are in on the take.
If I fall for a phishing scam because I'm convinced the site I'm looking at is owned by my bank, isn't that the bank having it's ID stolen? So if the phishers get me to give them money, the bank pays it back right? Obviosuly not, that would be crazy. Just because it was done in the bank's name doesn't mean it's the bank's responsibility. Surely then, it's just as crazy that private individuals have to pay back banks who get scammed, just becuase it's done in their name.
In the past few months I've had some checks stolen. All the checks were used at the same grocery store and they used the electronic scan thing where they pretty much run the check kind of like they do a debit card. I went to the grocery store ( Harvey's Supermarket....I'm outing them because of how shady this is.) the same day I noticed the check was ran and asked the manager if they still had the check because I wanted to see how it was signed. He told me they do not keep copies of the checks and explained the electronic system they use. I asked him 'So you guys don't ask to see identification when someone is writing a check?' ( I personally believe anytime a check or debit/credit transaction is made presenting an ID should be required. ) his reply was.....'Well, we use to, but then I ended up spending so much time in court because of all the people we were catching writing fraudulent checks that we quit checking IDs'. So I'm like 'So, you quit checking IDs because you were catching so many people?'....his reply...'Well, I know it sounds bad but yeah.'. So I'm like, 'Well that is just great.'. It's pretty obvious if you check someones ID and the name on the ID is not the same as the name on the check that something is up. I mean, come on....your catching people and have to go to court over it so you just stop checking? What kind of shit is that? It really sucked, they don't have a copy of the check, do not keep the original check and since they do the electronic scan I can't see a copy of the check with my online banking ( like every other check I write ) so there was no way to do anything about it. I was pretty much assed out of quite a bit of money and ended up with a couple of bounced checks which ended up costing me more money because of the fees that bounced checks incur. I ended up having to cancel quite a few of my checks just to make sure I wouldn't have more of them written fraudulently which cost me more money. It was a total let down because my bank would not reimburse me and Harvey's Supermarket were surely not going to reimburse me. I was just shocked at the logic. I'm sure there is a good car analogy for this situation but I'm not to good with car analogies....maybe something like the police saying.....'Well, we kept catching people with stolen cars when we set up a roadblock in this neighborhood, it was causing us so much paperwork and court time so we decided to just stop setting up roadblocks in that area.' What a bunch of hosers!
Something similar happened to me years ago. A person with my wife's name and who had lived on the same street some years prior had taken out a loan and defaulted on it (among many, many other defaults and legal issues). The lender had sent it to collections. The collections agency called us (presumably looking up name and street), and we told them they had the wrong people. They read off the information we had, and the only thing that matched was the first and last name and the street name. We told them the middle name was wrong (it was X, my wife's is Y) and that the address was wrong (it was 1234, ours was 4321) and so forth. A week later, we had a collections letter at our address with the "corrected" information. We called up the collections company president, and noted the legal trouble he was about to be in if he didn't correct this forthwith (thankfully, we were smart enough not to correct the SSN!), and things got corrected. We no longer give out any PII, and no longer do business over the phone unless we initiate the call. Sad that we had to learn the hard way, but at least it wasn't harder.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
This is exactly why PCI compliance won't do much to stem identity theft. The institutions that get the benefit of credit cards, i.e. the issuers like Visa/Mastercard, have nothing to gain from preventing it and everything to gain from allowing it. If Visa card is fraudulently obtained and used, Visa loses absolutely nothing. The person whose identity was stolen loses time and effort to get things reversed, the merchant loses because the charges will be charged back, and the merchant loses again because she pays fees for the original transaction and fees for the chargeback. The issuers actually make MORE money when this happens. Visa/Mastercard don't even have to game the system, they are the system. PCI stands for payment card industry. Foisting all security onto the merchants is one small step removed from blaming the consumer.
Then there's the other factor... to even make the FBI's case load, you need to commit a felony. A felony is more than $5000 USD theft.
What happens is most ID thefts are under this amount so they don't make the FBI's radar. Even when they do, the FBI has bigger fish to fry. They are in line behind frauds that are much bigger so never make the FBI's case load. This enables id thieves to pretty much operate with impunity. No one files a complaint with local law enforcement so neither locals, nor the FBI goes after them.
I had the same guy, in Chicago, use my ID 3 separate occasions with Household bank in 2004 (yes, they kept on issuing loans to the same guy that just ripped them off). Each theft was $4500-4900.
Their collections people kept calling me and my wife, and told my wife I have a mistress in Chicago. She thought this was funny since I was home every night with her and NEVER traveled to Chicago (Indeed I wasn't traveling at all after 2001).
So not only to they enable thieves to ruin your credit, their asshole collections douchebags try to break up your family too. I was able to straighten this out by calling the credit bureau directly, raising a dispute (once for each fraud), at which point Household could not produce my signature, and I'd never lived in Chicago (according to credit bureau records) which enabled me to tell Household they can go fuck themselves and the bureaus simply deleted the non-payment entries in their database.
Very nice... but this could have been a real problem had the fraud been local. I'm not sure I'd have been able to clear it.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
I've dealt with things like this before with my bank. The worst I had to do was sign an affidavit that stated I didn't make the fraudulent transaction, and the problem "went away".
Here's something interesting: about 5 years ago, I was called up by someone claiming to be an insurance company, trying to collect a debt that I supposedly owed for a hit and run accident with my "red truck". I do have a red truck. But I had never, as they claimed, been involved in a hit and run accident with it, two years prior to the call.
To make a long story short, the insurance company paid out for someone's totalled car in an accident. The accident report listed the other vehicle as a red Dodge pickup, license plate unknown. The insurance company then sold its "debt" to a collection agency, which then acquired the registrations (via the state DMV, no less) for every red truck registered in Illinois. In spite of the fact that mine was a Chevy, and the accident report was for a Dodge, they called me, trying to get me to pay up. Basically, they were cold-calling truck owners in the hope that someone would admit to the crime.
They called back a few times. Imagine, for a moment, if I had died and my wife had answered the phone. She could have been defrauded into paying a debt which she didn't owe, simply because she didn't know any better. These collection agencies are borderline fraudulent operations. Yet they enjoy legal status.
It's interesting that banks try to pass the cost onto the consumer. But ultimately, it would take very little to show in a court of law that:
Most IT professionals can get between $50 and $100 per hour for there services. Should a bank require me to settle a case of fraud with anything more than a signed affidavit, you can bet I'll be sending them an invoice. After all - they'll charge you an hourly fee for balance reconciliation when you're at fault; therefore, they should expect likewise treatment.
The society for a thought-free internet welcomes you.
Here is a trick I did for the above case. I do not give out SSN to anyone I did not call. They (the other end) were not allowed to give out the SSN, they said that they required me to give it to them. To which I responded that I have no way to confirm who they are. Classic Mexican standoff. So I did a simple hash. Lets say your SSN ends in ABCD (these are variables). I had them add AB to CD and tell me the number. If it does not match mine, and it didn't, I know the SSN does not match. If it does, I have a reasonable assurance that they have the correct SSN already. Yeah its not as good as MD5, but its something that I can walk someone over the phone with.
And if they refuse, I score them negatively on my "is this legit or fraud" rating.
I can only speak for Citibank, but it wouldn't be too hard for me to believe that all banks are this retarded. They called me a year ago to tell (...ask?) me I had drained my bank account (via my debit card) with two charges from the Philippines (Thousands of dollars). I told them of course not and that they needed to get my money back. I also asked them to not allow charges from overseas in the future and if I needed something from the Philippines I'd call and let them know. They said there was no way to do that, and that any charges from anywhere in the world would continue to be put through. I got my money back within days. I don't see how this makes them any money.