Why Lenders Overlook Warning Signs of ID Theft

Hugh Pickens writes "Despite all the new fraud alert tools and increased awareness of the perils of identity theft, incidence of the crime remains at 2003 levels, with about 10 million Americans falling victim every year. Now the NY Times reports that there may be a simple reason for the persistence of ID theft: lenders are too willing to extend credit to just about anybody, even when there are big red flags that indicate fraud. Chris Jay Hoofnagle at UC Berkeley worked with a small sample of six ID theft victims and delved into how they were defrauded. Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud — yet in all 16 cases, credit or services were granted anyway. 'Identity theft remains so prevalent because it is less costly to tolerate fraud,' writes Hoofnagle. 'Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.' Hoofnagle says business decisions leave individuals and merchants with some of the externalities of identity theft as victims spend their own money, and more often, valuable personal time dealing with the problem. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems."

Here we go..

[BVis]

Can't wait to see how people blame the victim on this one.

Re:Here we go..

[WrongSizeGlass]

Can't wait to see how people blame the victim on this one.

I think it's pretty clear that these 'honorable institutions' are actually enablers. Accepting that the cost to compensate individuals is lower than fixing the system sounds awfully familiar ... Ford's Pinto comes to mind as does the recent Toyota situation. They're not killing anyone ... they're just ruining their lives for a while.

Re:Here we go..

[Shakrai]

Ford's Pinto comes to mind as does the recent Toyota situation

The "Toyota situation" has been blown completely out of proportion. Whatever problems may exist with Toyota automobiles have long since been buried under sensationalist "OMG, if you own a Toyota you are going to die!!!" media headlines and politicians looking to build "I'm tough on big business" street cred. It's been alleged that 37 people have died due to problems with Toyota's in the last ten years. That's a drop in the bucket compared to the number of people who have died in old fashioned automobile accidents. Even if you accept that all of those were due to a design flaw (which hasn't been proven yet) it hardly seems worth all of this FUD.

I don't own a Toyota but if I did I wouldn't be afraid to drive it. I'd be more worried about getting killed because of the stupidity of a fellow driver than I would be about being killed by a design flaw in my own automobile.

Re:Here we go..

[Shakrai]

If you steal someone's identity and scam a bank out of $1,000, then there is more than one victim: namely, the person whose identity you stole, and the bank (or broadly, its shareholders)

If the ID theft involved a credit card account then you can add the merchant(s) to your list of victims. When a credit card charge is disrupted it's the merchant who winds up taking the hit.

Re:Here we go..

[RAMMS+EIN]

``Can't wait to see how people blame the victim on this one.''

The victims ... are all of us. The fallout of identity fraud is costly, and, eventually, all of society bears that cost. Higher rates for borrowing money, insurance against identity fraud, the enormous cost of cleaning up after your name has been misused, and society missing out on people who would otherwise have been productive members.

It seems to me that the choices we have are trading the inefficiency of a better identification system against the inefficiency of having more failures, and sharing the burden vs. letting a few shoulders carry it all so the rest of us goes unencumbered.

Personally, I think that there should, first of all, be fewer occasions where you need to authenticate. Usually, it doesn't matter who you are, so why require authentication? Secondly, authentication should not always disclose everything. If the same data that I need to hand over to buy a $50 mobile phone can be used to get a $20000 loan, that's a security hole.

Thirdly, when you're lending money, that's your choice. You can charge interest and/or fees to make it worth your while. What you can't do is get someone who wasn't a party to the agreement to be responsible for getting the money back to you. If you lent it to the wrong person based on false credentials, that's your mistake, not that of the person whose credentials were misused. Somehow, institutions seem to be able to strong-arm that person into paying up anyway. I'd like to see the end of that, too.

Re:Here we go..

[Migraineman]

Actually, that's the root of the problem. When the credit card company pushes the burden of loss onto the merchant, they have no incentive to shoulder the expense of stopping fraud. If they had to absorb the loss themselves, and were prohibited from shoving this onto the merchants, you can bet their attitude toward fraud would change immediately.

Re:Here we go..

[sjames]

This just goes to show exactly how despicable the banks have become. The guy making 40K is the only blameless person in the whole deal. The ID thief, is of course to blame for committing a crime. The bank had the opportunity to verify their ID more carefully and take other measures to catch the actual criminal, but doesn't bother because it's much easier to just extort the losses from the guy making 40K by hiring someone to make harassing phone calls, threaten him with expensive court proceedings, and spread libelous claims that he is a bad credit risk. In extreme cases, the bank might even lie to the courts and the sheriff to get them to take the money from him at gunpoint.

The guy making 40K had nothing whatsoever to do with any of it. The banks have somehow convinced everyone that the combination of person defrauds bank plus bank extorts the losses from a 3rd party to be a new crime committed by the fraudster against the bank's victim.

Tell me about it

[cybrthng]

Bank fraud is why i shutdown my business after losing about 15k. Banks make a LOT of money milking the merchants with fees & services to create a "Safe shopping facade" but to screw you over in the end. What sucks even worse is that the consumer always wins in the end regardless or not if the consumer is legit or fraud and the banks LIKE it that way.

Banks make a lot of money in playing the high risk game and its screws everyone over in the end.. someone is paying for it.

Re:Tell me about it

[GooberToo]

This is exactly why I always say, "identify theft" doesn't exist. This is credit fraud which is encouraged by banks and especially credit reporting agencies. If laws didn't exist specifically to protect banks and credit agencies, we would all be calling them fraudulent organizations and lots of people would be jail. But since lots and lots of politicians financially benefit from fraud, the status quo is actively maintained.

It is impossible to fix credit fraud until lenders and credit agencies are help liable for their willfully fraudulent actions.

Hoofnagle is right

[dontmakemethink]

Settling the fraudulent debt is one thing, being compensated for the runaround is another. If banks are going to save money by enabling ID theft as a matter of policy, they must compensate for when that policy causes damages to their clients in the form of time and money spent correcting the problems. Then we'll see if it's actually better to save on ID theft prevention.

Credit Agencies

[Shotgun]

I've got an idea. How about the credit agencies be required to inform me when they give out reports about me? They already know everything about me, right? If someone is illegitimately getting credit under my name, I'll find out about it. If they have incorrect information, I'll find out about it. The cost of an inquiry would go up by $1(US), the cost of printing and mailing a duplicate report.

Re:Credit Agencies

[mcelrath]

You seem to be under the illusion that credit agencies are legitimate businesses, interested in the welfare of their customers, and you are their customer.

Let me fix that for you: Credit reporting agencies are a blackmail and extortion ring that somehow are allowed to legally exist. They don't give a shit that your information is correct or not, or if someone defrauds you. If you get defrauded, they're happy to just put it in the report. After all, if you get defrauded, you're a risk, aren't you? Still not their problem.

No one has ever been contacted by a credit agency, unsolicited, to verify the accuracy of information in their file.

The only way your idea will come to pass is if it is legislated.

Personally I think a better idea is to just get rid of credit agencies. Make holding information about a person without their knowledge or consent illegal. Require that anyone holding information (of a certain nature) about a person notify that person of the content and existence of that data on a regular basis. Thus holding information about people becomes expensive, and illegitimate extortion operations like credit agencies would be forced (economically) to improve.

Re:Credit Agencies

[ptbarnett]

How about the credit agencies be required to inform me when they give out reports about me? They already know everything about me, right?

You can get this service, for a fee. Unfortunately, you have to pay for it.

Also, you can put a fraud alert on your credit file. That forces the lender to contact you directly to confirm your application. Unfortunately, you have to renew it every 60-90 days, at all 3 credit reporting agencies. Of course, you can pay a fee to have someone do it for you.

I've been paying for this service for a few years. I don't like it, but it's a necessary evil after my birth certificate was stolen during a burglary at the home of another family member.

Re:Credit Agencies

[infinite9]

You seem to be under the illusion that credit agencies are legitimate businesses, interested in the welfare of their customers, and you are their customer.

Let me fix that for you:

You're completely right. The Fair Isaac score is a measure of how likely a creditor is to make money from you. If you're a victim of identity theft, then you may cost the creditor money. So you necessarily get a lower score.

The credit reporting system is an ingenious scam. They've created a number from nothing. Then tied this number to behaviors they want to see from you. Don't go into enough debt? You get a low score. Don't pay reliably? You get a low score. It's a worthless shiny object that you've been conditioned to pursue.

They flood television with commercials spouting propaganda for the current system of credit. Responsible people pay their bills on time, even if it means they have to feed their kids crap food for dinner, or pull them out of private schools, or avoid taking them to the doctor because they can't afford it. Responsible people establish and maintain a good credit history. Responsible parents teach their kids about credit and help them get their first credit card. It's a confidence game. You groom the mark. Then you fleece them. You give up your hard-earned money so that a number in a computer doesn't drop.

Here's how it is folks: take care of yourself and your family first, even if your credit score takes a hit. You can't eat your credit score. It won't keep you warm in the winter. And if you have no desire to finance anything, then your credit score is utterly irrelevant.

The obvious solution to ID Fraud

[rock_climbing_guy]

I have an obvious solution to ID fraud. It must be wrong, or else it would be implemented years ago.

The solution is this: you loan money to Joe and Joe signs his name as David? Wow, too bad for you, lender. You just gave away your money to Joe. David can't be held liable for this since he had no hand in it?

Doesn't it sound like the logical solution. If someone goes to the bank claiming to be me and the bank gives them a loan in my name, then the impetus is on the bank to track down the schmuck who tricked them. The bank ought to be liable for allowing themselves to be duped like this; they shouldn't be allowed to come after me. After all, I didn't do anything!

What's wrong with this solution?

Re:The obvious solution to ID Fraud

[P-Nuts]

Mitchell and Webb covered this

Re:The obvious solution to ID Fraud

[HangingChad]

What's wrong with this solution?

The banks spend millions on lobbyists to fight making the laws more fair to the consumer. Otherwise your solution would already be law.

Banks start whining that making them responsible would raise the cost of extending credit. Good. Credit should be harder to get.

Re:The obvious solution to ID Fraud

[noidentity]

Exactly. I don't get why I should have any part in them giving money to someone who claimed to be me. It wasn't me. Sorry you guys lost money, but it's your problem, not mine. I never agreed to any of it, so fuck off and deal with your loss. Next.

ID theft is due to the pure negligence of lendors

[stox]

If lendors had to pay for the damage they cause, the problem would disappear overnight. They should be responsible, not the poor victims, for cleaning up the mess. Sadly, they do not care, as it costs them nothing.

Less about greed, more about legacy...

[Manip]

You have to keep in mind that a lot of systems that check people's IDs, Credit Cards, and Applications are built on top of legacy systems that were designed to work using modems and other terminals. I mean, yes, they have lovely UIs and web-sites but you rip all that stuff away and the entire process runs on the same communications channel as it did in 1990.

Credit Cards address information is often only checked in a very vague way. Since there is no encoding standards and since the address often winds up as one string you have to be very easy going about what passes and what doesn't. For example this might be the string you get in (all examples are valid/legal):
"123 Fake Street TownName State Country POCODE"
"123 FakeStreetTownNameStateCountryPOCODE"
"POCODE"
"123 Fake Street"

And this is the information you have to validate - Address Line 1, Line 2, Line 3, Line 4, Line 5 (Country), POCode (Post Code/Zip code). See the problem?

Bad incentive alignment

[MetricT]

Lenders are being completely rational from their perspective. They get paid for creating a market for loans. If they don't issue loans, they don't get paid.

They are using Other People's Money by packaging the resulting debt into CDO's and selling them off, so they don't have an incentive to look too closely at how credit-worthy the individual is. It's a bad combination of negative externalities and information asymmetry. It's a market failure that requires government regulation to fix.

Its not "ID Theft" its FRAUD

[AnnoyaMooseCowherd]

What annoys me is that by coming up with the spin incantation "ID Theft", banks have been able to make what is actually their problem your problem

Its not "ID Theft" its FRAUD

Before "ID Theft" existed, con artists would regularly pretend to be someone they weren't in order to steal things. If I pretend to be an engineer from the local telephone company in order to con my way into an old ladies house and steal her purse, no one would even think for a minute that the telephone company should foot the bill, but when someone pretends to be me and convinces a bank to give them some money on that basis, apparently it is ok for the bank to turn round and try to get me to pay for the result of their gullibility.

People give away too much info

[Alain+Williams]

I recently wanted an 0845 phone number (a non geographic number in the UK). The vendor (uk2numbers.co.uk) wanted to verify my address. The only suitable document (that had my PO box address) was a credit card statement. So I scanned it, blurred out my credit limit and part of the credit card number. Long story short: they refused to deal with me because I refused to give them a copy with these numbers in full. I refused to give it to them because of security concerns.

It seems evident that most who deal with them just hand this stuff over, and then wonder why they end up being owned.

In the end it turned out good for me since I looked elsewhere and got a much better service on phone numbers - but at the time it looked to me as if I was paying a cost (today) for trying to keep secure (future). They do not need my credit limit for their purposes, I am concerned about what is happening with such information that others have given them; I will report them to the UK ICO.

Re:People give away too much info

[Lumpy]

That's why I do not blur those numbers but replace them with fake numbers. the idiots making the decision as to the legitimacy of a document never actually try to verify it so they want to see something that LOOKS legitimate. Honestly anyone with an IQ over 90 can generate a legitimate looking document in 30 minutes on a computer. yet banks and phone companies hire people with an IQ under 60 to verify the legitimacy of documents.

I know this from experience

[Jason+Levine]

I had someone open a credit card in my name. They knew my name, address, date of birth and social security number. What they didn't know, however, was my mother's maiden name. However, the credit card company (*cough* Capital One *cough*) ignored this and let them get a credit card in my name via an online form. Then they immediately changed the address to another address in another state halfway across the country. Then they called up and asked for a $5,000 cash advance before the card was even activated. None of these set off red flags apparently.

The only reason it was caught was that the thieves tried to get the card quickly and so paid for "rush delivery." The card was sent out before the address change went through and it wound up at my door. When I called up, the credit card company first gave me the runaround insinuating that perhaps my wife did it. (Neither of us would ever open a credit card without consulting the other. Much less open an account in the other person's name and then try to get a $5,000 advance.) Then they claimed that they couldn't give me any information because (and this is a nearly direct quote) they'd be "liable if I went out and shot the person." Yes, they were now insinuating that I'd commit murder and then *they* would be sued.

Fine, I had the police call them. But they gave the police the runaround also. They insisted the police call a special "police" number, but apparently only an answering machine staffs that number and nobody returns calls from it.

Basically, the credit card company doesn't care *who* they give a card to because they can write off the fraud and will wind up making a profit either way. Fraudulent charges that consumers pay mean credit card company profits. Fraudulent charges that consumers don't pay are charged back to the merchants for no real loss (to the credit card company, the merchant's out the merchandise). In the end, they don't give a rat's posterior about messed up consumer credit or store losses due to fraud/ID theft. They're making a tidy profit and that's all that matters.

Re:One slight problem

[david_thornley]

If it's the bank's decision to lend or not, then the bank should take responsibility for fraud. Suppose Joe borrows money under my name fraudulently, from a bank I don't personally do business with. I have had no opportunity to influence the security of the bank's system, except politically. I have had no market influence, not being a customer. The decision of what level of fraud to accept is the bank's.

Any cost pushed off on me is an externality for the bank, since they don't have to pay, and they aren't even losing a customer. Therefore, market forces will not create incentives for banks to reduce fraud below what is best for their balance sheets. In the situation where I can be forced to repay the loan, there is no incentive for the bank to avoid fraudulent loans, and the amount of fraudulent loans increase until everybody's doing it as a matter of self-defense.

In general, the cost of a loss is best assigned to those with the ability to avoid the loss. That way, the market pushes them to the correct balance of preventing and accepting the loss.

Risk - Insurance - Investments -Investor's Risk

[sherriw]

This is why they can get away with it; Lenders sign up as many new lending accounts as possible. They have certain % that will default or are fraudulent. They buy insurance for this risk. The insurance company sells insurance policies which it says have a certain risk (low compared to the # they sell) of actually being claimed on. An insurance policy is something that keeps making money (with a certain % risk of being claimed on). These policies are sold as investment instruments (insurance bonds) to investors. Investors like you and me. They are put into people's pension funds, 401Ks, RRSPs, wrapped into various types of funds. And bingo.... it is now you and I who are carrying the risk. Magic.

They're totally unaccountable.

[copponex]

Did you know you cannot even compel a credit agency to produce the documentation proving that you owe the claimed debt? Verification involves them contacting the party reporting the debt, saying "This guy owes money, right?" When they reply in the affirmative, that's called "verified."

Financial regulations in the United States are practically non-existent. The reason for uncertainty in our markets has nothing to do with government regulations - it has to do with the total lack of accountability and transparency required. Every five years the scheisters are exposed, and the markets collapse, because everyone - Wall Street, the credit rating agencies, and of course the companies themselves - are in on the take.

MOD PARENT INSIGHTFUL

[ikoleverhate]

If I fall for a phishing scam because I'm convinced the site I'm looking at is owned by my bank, isn't that the bank having it's ID stolen? So if the phishers get me to give them money, the bank pays it back right? Obviosuly not, that would be crazy. Just because it was done in the bank's name doesn't mean it's the bank's responsibility. Surely then, it's just as crazy that private individuals have to pay back banks who get scammed, just becuase it's done in their name.

Re:One slight problem

[bendodge]

Even DNA checks are not good enough for this (as cases involving identical twins have shown), so the actual solution is very, very hard.

Just take a thumbprint with the signature. That's good enough to cover 99% of the cases. (If someone is rich enough that someone else will make a thumbcap to match, then you're getting into real cloak-and-dagger. But most crooks are dumb.) Inkpads are cheap. Even though the bank likely can't verify the thumbprint immediately, it will be invaluable to the police when the fraud is investigated.

PCI Does Nothing To Stop This

[gcatullus]

This is exactly why PCI compliance won't do much to stem identity theft. The institutions that get the benefit of credit cards, i.e. the issuers like Visa/Mastercard, have nothing to gain from preventing it and everything to gain from allowing it. If Visa card is fraudulently obtained and used, Visa loses absolutely nothing. The person whose identity was stolen loses time and effort to get things reversed, the merchant loses because the charges will be charged back, and the merchant loses again because she pays fees for the original transaction and fees for the chargeback. The issuers actually make MORE money when this happens. Visa/Mastercard don't even have to game the system, they are the system. PCI stands for payment card industry. Foisting all security onto the merchants is one small step removed from blaming the consumer.

The banks don't give a shit

[rgviza]

Then there's the other factor... to even make the FBI's case load, you need to commit a felony. A felony is more than $5000 USD theft.

What happens is most ID thefts are under this amount so they don't make the FBI's radar. Even when they do, the FBI has bigger fish to fry. They are in line behind frauds that are much bigger so never make the FBI's case load. This enables id thieves to pretty much operate with impunity. No one files a complaint with local law enforcement so neither locals, nor the FBI goes after them.

I had the same guy, in Chicago, use my ID 3 separate occasions with Household bank in 2004 (yes, they kept on issuing loans to the same guy that just ripped them off). Each theft was $4500-4900.

Their collections people kept calling me and my wife, and told my wife I have a mistress in Chicago. She thought this was funny since I was home every night with her and NEVER traveled to Chicago (Indeed I wasn't traveling at all after 2001).

So not only to they enable thieves to ruin your credit, their asshole collections douchebags try to break up your family too. I was able to straighten this out by calling the credit bureau directly, raising a dispute (once for each fraud), at which point Household could not produce my signature, and I'd never lived in Chicago (according to credit bureau records) which enabled me to tell Household they can go fuck themselves and the bureaus simply deleted the non-payment entries in their database.

Very nice... but this could have been a real problem had the fraud been local. I'm not sure I'd have been able to clear it.

AFAIK, just say no.

[gillbates]

I've dealt with things like this before with my bank. The worst I had to do was sign an affidavit that stated I didn't make the fraudulent transaction, and the problem "went away".

Here's something interesting: about 5 years ago, I was called up by someone claiming to be an insurance company, trying to collect a debt that I supposedly owed for a hit and run accident with my "red truck". I do have a red truck. But I had never, as they claimed, been involved in a hit and run accident with it, two years prior to the call.

To make a long story short, the insurance company paid out for someone's totalled car in an accident. The accident report listed the other vehicle as a red Dodge pickup, license plate unknown. The insurance company then sold its "debt" to a collection agency, which then acquired the registrations (via the state DMV, no less) for every red truck registered in Illinois. In spite of the fact that mine was a Chevy, and the accident report was for a Dodge, they called me, trying to get me to pay up. Basically, they were cold-calling truck owners in the hope that someone would admit to the crime.

They called back a few times. Imagine, for a moment, if I had died and my wife had answered the phone. She could have been defrauded into paying a debt which she didn't owe, simply because she didn't know any better. These collection agencies are borderline fraudulent operations. Yet they enjoy legal status.

It's interesting that banks try to pass the cost onto the consumer. But ultimately, it would take very little to show in a court of law that:

1. The bank had a duty to affirm the identity of the borrower.
2. The bank failed that duty, and
3. As a consequence, you lost time/money correcting the situation, therefore,
4. The bank is responsible for your lost time.

Most IT professionals can get between $50 and $100 per hour for there services. Should a bank require me to settle a case of fraud with anything more than a signed affidavit, you can bet I'll be sending them an invoice. After all - they'll charge you an hourly fee for balance reconciliation when you're at fault; therefore, they should expect likewise treatment.