
I feel like companies like this should have to register a data breach like this in a national register, and then should someone become a victim of identity theft, the companies on that register associated with that person should bear the costs associated with that theft (importantly without the victim having to show that it was a direct result of that breach). E.g. John Smith ss#123-45-6789 (T-Mobile, Experian) has a false refund filed in his name, $10k in legal costs associated with clearing his name, T-Mobile and Experian each owe him $5k…

Until companies are held accountable for the negative externalities they are causing, this won’t end.



You shouldn't become a victim when a bank opens a fraudulent account.

The law shouldn't be that someone else has to pay the costs, the law should be that you tell them to prove it was you that acted to open an account and they go pound sand if they can't do that.


Yes - “identity theft” in common usage has been a phenomenally successful effort by financial companies to shift the cost of their negligence to the consumer.


Yes, even the name itself implies the burden should be borne by the individual. It's a fantastically successful disinformation campaign. We should refuse to call it "identity theft" and call it "identity fraud" instead.


I just go all the way to "bank fraud" to make it obvious who should be doing more due diligence.


This is the correct terminology. If someone opens an account with a bank using false credentials that’s just fraud. And the victim here is the bank, not the individual.


Until the bank libels the individual to the credit reporting agencies. Then the individual is a victim.


If undetected by the bank, the individual becomes the victim when their financial reputation is sullied by false reports of failure to repay debts.


Seems like a clear cut case of bank libel to me:

> Libel is a method of defamation expressed by print, writing ... that is injurious to a person's reputation, ... or injures a person in his/her business or profession.

Might even be able to get punitive damages.

https://www.law.cornell.edu/wex/libel

Note, the person who "had their identity stolen" (that phrasing is an absurdity, twisted language designed to obscure and defraud the truth) was never a party to the deal. The only parties relevant here are the bank and the person that defrauded the bank. The only victim is the bank. Nobody here is arguing that this problem doesn't exist for real people, we're saying that it's insane that it even exists at all.


Unfortunately, there's a law [1] that protects creditors and credit bureaus from that unless they act out of malice.

[1] https://www.law.cornell.edu/uscode/text/15/1681h (e)


That's interesting.

> (e) Limitation of liability

> ... no consumer may bring any action or proceeding in the nature of defamation, ... or negligence with respect to the reporting of information against any ... person who furnishes information to a consumer reporting agency ... except as to false information furnished with malice or willful intent to injure such consumer.


Isn't posting bad information a "willful intent to injure"? I can't imagine the banks are publishing bad info in order to help the consumer.


In order for it to be a willful intent to injure, they have to believe it's not you and report that it is in order to knowingly tarnish your reputation. Generally if they publish bad data about you it's because the data they have is bad. It's not because out of all the accounts at JP Morgan Chase or Wells Fargo or wherever some faceless drone decided your faceless account needs to be specifically and maliciously lied about.


No. It’s a term of art, and no court will interpret it the way you suggest.


I prefer bank libel, because the bank is publishing false negative information about someone.


Opening an account or the existence of one isn't "negative information."


> Opening an account or the existence of one isn't "negative information."

Sure, but I meant if they're reporting you to a credit agency for owing money or whatever. That is them publishing false information about you that will have negative consequences for you.


It's false information though, if the person hasn't opened an account. It might or might not be negative based on what the recipient of that information deduces, but it's definitely false.


The problem would be intent: my understanding is that in the U.S. at least you would have to show that they knew it was false when they published it or refused to correct it. If they simply say “technical error, we fixed it” I think your odds of reaching that bar would be quite daunting.


My identity was stolen after the Equifax breach. The only cost to me was the gas it took to drive to the police station. Verizon and AT&T had automated systems where I input some information and the key part was having a police report number from the local PD. Once I had the police report everything was removed including the credit reporting. I had to call Enterprise Rent-A-Car to get some stuff cleared but they even removed an overdue parking ticket from Santa Clara (never been to California).

Nordstrom was the only proactive party; they called me immediately when they noticed someone filling out a credit card application in another state.


My (limited) understanding is that this is the financial companies' problem in every case except for when your payment information is stolen. In which case it becomes a hot potato of whoever is out the money is the one who is liable.


Any ideas on what may be a better/more appropriate term than identity theft?


I second “bank fraud”: https://news.ycombinator.com/item?id=28193639

If a bank extends credit to someone without doing their due diligence, they’ve definitely been defrauded but that’s between them and the crook, not the person the crook was claiming to be.


The Fair Credit Reporting Act of 1970 was/is promoted as a great milestone in helping people to get protection from secret databases that companies were creating on the whole populace. That part was true and it did prevent this problem that was arising of mass secret corporate dossiers on everyone (but secret government dossiers on everyone, of course still fine). On the other hand, it gave the credit bureaus legal protection in creating these databases and people could only recover actual or statutory damages, attorney's fee, court costs and punitive damages if the violation was willful.[1]

Since all those false reports ("identity thefts") are never willful on the part of banks and other lenders, there are almost no penalties that can be brought. The consumer bringing the most reasonable charge of libel against a credit bureau is specifically prohibited by this law, if the credit bureaus follow all of the rules (allowing people to see their reports, removing false info (good luck with that), etc.). If not a case of regulatory capture at the time, then at least this law needs to be updated given how important credit reports have become, how easily fraudsters can get your report tarnished, and how hard it is to get your reports corrected.

[1] https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act


I agree. Surely there are cases where people have sued the bank or whatever provider for opening an account in their name. It seems like I should just be able to send them a certified letter that says no, I didn't open that account, please close and correct your credit reporting unless you have proof otherwise. If you don't comply I'll see you in my nearest small claims court. Seems like it would be an open and shut case.


> You shouldn't become a victim when a bank opens a fraudulent account

Imagine a world where banks have to pay you for identity theft protection so that you're more "diligent" about not going to phishing websites.


Alternative: Banks are incentivized to better authenticate people, rather than relying on faulty KBA and public IDs like SSNs—information that is often leaked and can be phished.

That being said, none of the compromises described in the comment chain thus far required action on the part of the consumer; they all involved compromises of third-party companies. Like T-Mobile.


Bank has to prove it’s you if there are debts. Just knowing your personal info isn’t enough. End of the day bank is eating the loss. The challenger banks lose millions in fraud per year with fake accounts.


You can open an account without actually going to a bank in person with your ID card? Where the hell can you do that?


Not sure about the US, but in Australia you can register a new bank account in a few mins online. Up, :86400, Hay… etc


Recently a lot of EU/UK banks allow you to open an account simply by shooting one or two videos from your phone. You usually have to say something specific (to prove it wasn't a pre-recorded video) and also show your ID card / passport as identification, but that's it!


That's weird... you can do some stuff here over the phone, but it's a videocall, and you have to record your documents from all angles, but that's for existing customers with a registered phone number and banking app.

new account is in person only


Have they not heard of deepfakes? Or is that still harder to pull off than I thought?


This is one example (another one is allowing people who cannot read or write to create legally-binding video statements) where it would be handy to be able to prove that a particular video came straight from a camera.

This falls under the general heading of "remote attestation" technology (as the person I am replying to probably already knows).


US doesn't have ID cards. Although people are trying to mandate them for voting.


The US has passports. The states do. They're called a driver's license. IDs are also issued to those that don't drive. It's a great idea to have for financial security. It's an even better idea to require them for election security.


So... how do you identify yourself? I mean.. what's stopping me from saying I'm Jeff Bezos and that I'd like to withdraw a million or two?


In the U.S., I've opened all of my checking accounts and credit card accounts online. The only thing I've ever had to do in person was sign for a home mortgage.


Charles Schwab (Bank) is great and entirely online


Online banks let you do it.


...at first blush, I like this line of thinking, but I wonder what the side effects would be. If banks make it much harder to open accounts, that might hurt poorer folks the most, and perpetuate inequality.


This is a very odd argument: in the name of "equality" anyone should be able to open an account in your name?


Not the person you’re replying to, but every well-intentioned regulation has a negative impact on someone. It’s always worth asking who, and whether there’s some way to mitigate the impact on people who are already struggling to make ends meet.

Being poor is incredibly expensive and exhausting.


It seems a bit weird to try to fight inequality by reducing regulations on banks and make it easier for them to blame consumers for the banks' mistakes.

That argument would only make sense in the U.S.


I consider myself a liberal, I'm broadly in favor of more regulation, and I might even be in favor of this regulation given something to assuage my initial concerns (because as I said, I like the idea).

But I believe there are also lots of well-intentioned but bad regulations, and so they need to be considered carefully!


Is making it 'hard' to open an account the only way to prevent fraudulent accounts from being opened?

I don't think I accept that premise.

My argument is that the party that can actually do something about the fraud is the one that should feel the pain of dealing with it.


Well, if you were a bank, and you knew you would be on the hook for a zillion dollars per fraudulent account, wouldn’t you respond by being way more rigorous about who can open accounts? The potential profit no longer outweighs the potential liability, so you’d certainly want more forms of ID—you might even want to start fingerprinting customers or some such.


They are on the hook for the credit they extend to the fraudulent account, not a 'zillion dollars'.

It's likely possible to quantify the effects, regulators could do that and strike a sensible balance between security requirements and so on.


Even well-intentioned regulators are pretty incompetent given the fact they work for the government and all the nonsense that entails. Add in the fact that most regulators are just shills for whatever companies they're supposed to be regulating and "striking a sensible balance" between any two ideals seems pretty unlikely.


Why would adding an identity check or additional process harm poor people the most?

It may harm the rich the most, in my opinion, since retailers wouldn’t as easily be able to trick you into a new credit card as part of the checkout process.


People with stable living situations can more easily keep track of all their official paperwork and spend the time needed to understand the application process. They also have more access to the internet to do things remotely.

Poor people are more often in less stable living situations and it's easier to lose track of documentation. Not to mention unhoused people who don't have a safe place to keep track of things either and often don't have up to date identification in the first place. Also, with less access to the internet to do things remotely it's more common to need to take time off work to go to a physical branch which may be very far away, requiring taking multiple busses just to prove their identity.

Of course adding more security is important, but it has tradeoffs like this that harm the poor that need to be considered.


I believe the arguments are the same as the ones against Voter ID, which you can see here https://www.aclu.org/other/oppose-voter-id-legislation-fact-...


Maybe we should basic accounts as a public utility. Maybe even funded by the banks. These accounts always bounce checks and payments.


You guys are both right.


That's an interesting point, nobody here would actually know if someone has opened a bank account in their name!

Going even further, nobody would actually complain if someone hijacked their identity and improved their credit score with good behavior!

This is probably much more common than people being framed or having issues proving their identity.


That is the law. But your legal rights are worthless if you can't afford a lawyer, and only in very specific circumstances does the law say the losing party has to pay the winner's fees.

Unfortunately, the US government doesn't take identity theft seriously from a criminal prosecution perspective. At least not when it's affecting regular Americans.


On the bright side, identity theft insurance is very inexpensive because costly claims are rare. Most homeowners insurance policies include identity theft coverage.


The cost of identity theft is only partially monetary. A huge component is the ongoing (sometimes lifetime) fight to reclaim your person, reputation and well... identity. My homeowner policy may cover the cost of a fraudulently issued credit card, but no one at my insurance company will spend days, weeks and years trying to straighten out my credit issues and chasing down the many knock-on effects the fraud is going to cause.


Agreed. I was the victim of identity theft when I was 11 or 12. Someone opened up a bunch of accounts in my name and went wild. My mom spent countless hours on the phone with the credit agencies back then (which is more than most people would have done), got in touch with lawyers, etc., but it didn’t actually solve anything because when I was 18, there was still stuff on my credit report, which took another year and another period of resubmitting the same paperwork, affidavits, and other information to say that no, when I was 12 years old, I did not open an account with X credit card company or rent an apartment with X place, which delayed my own ability to get credit as an adult.

More than 20 years later, I still have to pay for credit monitoring services because sometimes I’ll see stuff from the 1990s resurface and I have a backlog of documents that I have to deal with to get stuff straightened out.

When I moved to Seattle a few years ago, suddenly my credit report was empty. As in totally blank. I didn’t have any open credit cards at the time (personal choice; I’ve since had a change of heart and have embraced trying to use credit cards to my advantage, always paying them off each month), but it showed nothing. Which was weird for a person in her 30s. This made renting an apartment difficult, despite having nearly double the required income. It turns out, when removing false claims off the report for the umpteenth time, everything was erased. I eventually got that sorted out but I still have no idea if my credit report is actually accurate, except that my score is in the 800s now thanks to said credit cards.

The only upside is that I’ve become so desensitized to the entire process that every time Equifax or some big database is hacked, I’m almost blasé about it. I’ve gone through this so many times, I know the drill. I know the time sink. I know the process. Whatever.

But insurance doesn’t solve that. It’ll cover the cost of the monitoring services and maybe some legal costs in the event you have to actually take something to court, but it won’t recover the time you have to deal with the insurer or the agencies themselves. In fact, I’d gladly pay a fee if it meant that not only would my shit be monitored, but someone would sit on the phone and submit all the paperwork on my behalf. Because that’s the part that is the most infuriating.


I have to buy insurance in case the financial institution responsible for detecting the fraud fails and blames me?


There are lots of reasons for insurance. One kind of insurance (liability) is to protect you in case you screw up. Other kinds of insurance (e.g., uninsured motorist, fire, etc.) are to protect you in case other people screw up.


A de facto protection racket.


Absolutely—AFLAC for identity insurance. The free attach plans are pretty thin, most retail contracts will include their man hours to waste away with the credit card companies and Fair Isaac / credit bureaus — but it’s obviously more $ than “free with purchase”


Plus money for the wasted time and stress this causes. Often people won’t be responsible for huge financial outlays once these issues are resolved, but it can take countless hours and an unmeasurable amount of stress to get there.


Yes this. Every hour on the phone is an hour less salary for many people.


> should someone become a victim of identity theft

The only reason identity theft is a thing is because federal law[1] doesn't allow consumers to sue creditors or credit bureaus for inaccurate information about the consumer unless they were doing it out of malice.

If the law was changed to allow consumers to sue them for damages, you can bet that they will be far more diligent in verifying the identity of the person they're entering into a contract with.

[1] https://www.law.cornell.edu/uscode/text/15/1681h (e)


Sure, but the problem stems from a malicious actor fraudulently saying they're someone else and having the same info to back that up as the person themselves would, kind of like credential stuffing attacks on websites. Short of doing some sort of facial recognition (like id.me's selfies[0] perhaps), if someone knows your SSN and where you lived as a child, how do credit bureaus verify identity?

0: https://help.id.me/hc/en-us/articles/360061369314-How-do-I-t...


This is the point of national IDs, trust anchors, identity proofing, etc.

Credit reporting agencies and financial service providers should be required to use a government provided identity provider (Login.gov is getting there; it’s currently only offering identity services to federal agencies and select state and local governments) or in person proofing with government IDs to verify identity. If they don’t, they are entirely liable for the transaction(s) and related losses, instead of rolling the dice with security question voodoo and foisting the liability on consumers.

Solve digital identity and you solve identity fraud.


It's hard and there is a lot of weird pushback against national ID cards. E.g. In the UK they had it and then abolished it after public backlash. To me it's utterly backwards to not have one and then point the finger at banks as if they can have a magical investigation and "due diligence" department that can solve fraud and figure out who is who.


Retail stores in the US are required to verify the age of those purchasing tobacco products and alcoholic beverages. They typically limit the types of identification they accept and they could lose their license to sell those products if they sell to those who are under age.

There's absolutely no reason why banks can't do something similar (actually more stringent) when extending a line of credit. The PATRIOT act in the US requires banks to verify the identity of those trying to open an account or secure a mortgage loan, so requiring something similar for lines of credit shouldn't be out of the question.

The root cause of the issue is the law I referenced in the comment[1] that started this subthread. If consumers were able to sue banks and credit bureaus for false information, then banks would have much more incentive to be more diligent. Right now, they can offer "identity theft protection" service where the consumer has to pay them instead. That doesn't give them incentive to be more diligent, and, quite possibly, has the opposite effect.

[1] https://news.ycombinator.com/item?id=28194787


>Right now, they can offer "identify theft protection" service where the consumer has to pay them instead. That doesn't give them incentive to be more diligent, and, quite possibly, has the opposite effect.

That's just good vertical integration.


Just knowing the SSN and their address shouldn't be considered sufficient to verify someone's identity.

Banks could easily require one to show multiple forms of identification in person at one of their branches in order to apply for credit.


And then the identity thieves will just have to fake those. What's next, calling your landlord for a reference and asking them to send a photo of you to check that it matches the photo you submitted? The goal posts are guaranteed to move.


>And then the identity thieves will just have to fake those.

Are you really just handwaving being able to make fake passports or fake government issued identification cards, as if that is basically the same as just knowing someone’s SSN and a couple other pieces of information about them? What a ridiculous argument. ID cards are required to have multiple security features to prevent reproduction without highly specialized equipment, to prevent altering or tampering with existing cards, and to have multiple ways of detecting counterfeiting or altering of cards. There is no “what’s next” because identification cards are already incredibly secure.


No, I am a big advocate of offloading the security/verification to the government. I.e. National ID Cards, which are definitely hard to fake and I agree with you fully.

The person I was responding to mentioned "multiple forms of identification". At the moment (and I could be wrong) some of these valid forms of identification are things that can be bootstrapped, faked or social-engineered into getting relatively easily. E.g. municipal bills, driver's licenses, birth certificates issued from hospitals, etc. (e.g. look at here for UK https://www.hsbc.co.uk/help/banking-made-easy/help-us-identi... ). Once you get one of those, you can with effort start acquiring more and more of those other ones. And they would all be 100% legitimate and not fake, which is the crux of the "identity theft" problem, as you can't prove who you are even with real documents as the other person has real ones too! I guess I used the term "fake" in my original response a bit loosely.

Point is, we're skirting around the real issue. We have no "chain of proof" or "evidence" from the time you were born to the point in time that you have to start using your identity for formal things. It's all based on layers and layers of multiple people, possibly incorrectly, "vouching" for you by saying you are who you say you are.

Even with secure identification cards, there is still a huge potential for fraud which happens a lot even in countries that have national ID cards. E.g. https://www.timeslive.co.za/news/south-africa/2020-08-28-hom...


This doesn’t really feel like a real problem in first world countries. While it is possible to get a driver’s license or birth certificate fraudulently, it is definitely not easy. And each step of the way, you are taking a huge risk of being found out and facing severe punishment, especially since many of these forms of ID require to see you in person, and take/verify your picture or other biometrics (passports, driver’s license, biometric residence permit, national identity card, etc). It is a huge amount of time and effort, where you are exposing a significant amount of your own biometric information, in order to commit some sort of financial crime using that identity. That is orders of magnitude more risky and more difficult than using some pieces of information you stole off the internet to commit a financial crime, also over the internet, without exposing any biometric information about yourself.

Then, when the “real” person asserted the falsehood of your identity, regardless of your real ID cards, it would still be easily provable that you were not the real person. For instance the real person could have their parents verify their identities and certify that the birth certificate you both have a copy of is legitimately tied to the real person and not you. Unlike now, where you can just walk away from some fake accounts and internet information, there is biometric data linking you to multiple serious crimes.

Is it something that could happen, and probably does? Sure. Is it something that would happen even 1% as often as identity theft related financial crimes happen under the current system? Absolutely not. It feels like the current problem is banks being robbed because they are storing their money in a cabinet next to the glass front door, and you are arguing that if banks build vaults and security systems that bank robbers will just bring huge industrial drills with diamond coated bits to break into the vault over multiple hours while bypassing the security system. Sure, they could do that, but bank robberies will still drop to almost nothing compared to before.


With passports and real id standard driver's licenses along with other photo ID, I imagine it would be a lot more difficult for a fraudster to open a line of credit in someone else's name in person as easily as they could do now.


Running with this idea, then as a customer, John Smith shouldn't have to even think about 10k worth of legal costs to clear his name. It should be cleared for him.

Basically multiple layers of regulation in the form of consumer protection laws that put the onus on businesses to be accountable for what they do. You can't blame the victim for having their identity stolen just because they chose T-Mobile over a competitor, or expect them to fight the case in court (which most people won't do because it's too expensive).


The HHS keeps a list for healthcare orgs, actually: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

A lot of incidents get reported to the state attorney general offices that the customers reside in, as well, but that is less convenient to keep an eye on since there are 50 of them.

These don't really make the news because there are just too many of them to keep up with. One of my clients recently had to send breach notifications to all their customers and it did not even make the local papers. This is a town of 20k people where nothing ever happens and apparently that wasn't enough to waste ink on.

The takeaway here is that there is infinite work available for security incident responders, if you are looking for a change of pace.


I think everyone here has seen this but I like to remind myself from time to time: https://youtu.be/CS9ptA3Ya9E


Identity fraud is the bank scapegoating their compliance onto you.


That's the whole problem. There is literally no one holding anyone accountable.

These corporations already expect to have a data breach. They call it "cost of doing business". And USA lets every company do this.


So companies are guilty until proven innocent?

You could get your identity stolen from many different places. Just because your location data was leaked, doesn't mean T-Mobile should be on the hook carte blanche for any identity theft you face in the future.

Can you really not see this leading to massive fraud?


It seems like a great incentive to not have leaks, share information, or hold onto information they don't actually need.

Cell phone companies ask for social security numbers (SSNs) to do a credit check when opening post-paid accounts. Most people don't know any better, so they give out their SSNs. The companies can just delete the SSN after they use it once, but they don't. That should be on them. If I was a company, I would not want to take on any more responsibility than necessary. These companies decided to take on the responsibility, so it is on them.


There already is massive fraud. It is just committed by huge corporations that use their size and money to shield themselves from accountability. Which is the better scenario? The current one where companies, that are already proven to have negligently allowed someone’s data to be leaked, drag out and exhaust legitimate claimants against them, allowing them to profit off their negligent activities and leave countless regular people as victims with little to no compensation. Or one where legitimate claimants are able to quickly get compensation, but also claimants that were victims of a company’s negligence, but their identity theft did not come directly from that negligence.

The “fraud” you imagine would require both that a company is negligent with someone’s data, exposing them to the risk of identity theft, and that the same person is the victim of identity theft in a totally unrelated way or unrelated reason. That isn’t guilty until proven innocent, because it is proven that the company was negligent and did allow data to be leaked. If it makes you feel better, we could just fine them $10,000 for each person’s data that was leaked right off the bat, and then hold that for all future claims where those people end up having their identity stolen.


Then this national register gets breached. What now?


Wouldn't the register be metadata about the breach? Why would it include the actual breached data? This would be essentially "Have I been Pwned" with some legislative teeth and funding - perhaps from the penalties imposed on the offenders!


They add their name right next to t-mobile’s


That database would need to store everyone's info in order to know who's who, right? What happens when that database is breached?


Ah, can't wait for data leaks from that database ;-)



