ID Theft In US Continues Apace Despite Data Breach Laws

4roddas points out an article at Techworld about the continued scourge of identity theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends."

  • by imus ( 1229508 ) on Sunday June 08, 2008 @04:40PM (#23702319)
    Search [vt.edu] your files for social security and credit card numbers before hackers do.
  • Legal notaries can and will commit fraud for a suitable fee but I can get a notary stamp and do it myself cheaper. ;)

    http://www.notarypublicstamps.com/products.asp?StateID=15 [notarypublicstamps.com]

    Put the onus on the financial institution monetarily and make it treble damages in addition to jury awarded punitive damages and legal fees. Make it so that it must go before a jury and not ever arbitration. I'd want punitive damages so high their investors suffer and I'd want those damages set aside in a fund to help identity theft victims who have damages that don't warrant or won't benefit from a lawsuit or have emergency needs.

  • by Dachannien ( 617929 ) on Sunday June 08, 2008 @05:02PM (#23702477)
    A long time ago, I wrote up a description of an identity clearinghouse, a government-run agency that allowed lenders to verify a potential borrower's identity without giving the lender any unnecessary information about the borrower's true identity. From the private citizen's side, it's all optional - register with the clearinghouse if you want, and go it alone if you want. From the lenders' side, it's mandatory to check with the clearinghouse before opening a line of credit for someone.

    To register with the clearinghouse, you go to a local government agency where identity is "managed" - e.g., your local DMV. You register there by providing your current contact information, and they ensure that you are the person you claim to be through their normal identification procedures (such as picture ID/driver's license pictures on file). If you later need to change your contact info, you do the same procedure (going to the DMV in person) to prove your identity.

    When you apply for credit somewhere, the lender first uses the identifying information you have provided to them (such as name, address, SS#, etc.) to verify your identity with the clearinghouse. If you haven't registered, the clearinghouse just responds that there's no such registrant in their records, and the lender is free to grant credit to the applicant. But if you have registered, the clearinghouse first checks to make sure the information they have on file matches the information the lender provides, and second, they use the information they have on file to contact you directly and ensure that you actually applied for credit with the lender in question. If both of those checks succeed, they respond to the lender with "yes", and if either fails, they tell the lender "no".

    This would greatly reduce the instances of people opening lines of credit in other people's names. However, one problem it doesn't address is fraudulent charges to legitimate lines of credit you already have (e.g., stolen/copied credit cards). Credit card issuers and merchants are both often on the hook for most of those sorts of charges, though, so they already take at least some steps to reduce that kind of fraud.

  • FBI Out to Lunch (Score:4, Interesting)

    by Doc Ruby ( 173196 ) on Sunday June 08, 2008 @05:22PM (#23702583) Homepage Journal
    The FBI is in charge of protecting Americans from fraud and theft on that scale and across that national and global jurisdiction. But Bush's "Justice" Department isn't interested.

    Feel safer?
  • by Doc Ruby ( 173196 ) on Sunday June 08, 2008 @05:27PM (#23702611) Homepage Journal
    I hate giving my PIN to vendors. I hate typing my PIN on random ATMs - and rarely do it. I hate typing my PIN into authorization keypads at stores, but what can I do?

    Every transaction should have its own unique PIN attached to the transaction's amount and recipient. Credit cards with chips could do this right now, RSA-password style, generated against the one-time password from the vendor's machine for the transaction, in a data package with the vendor's invoice signed by the vendor's transaction password that my card keeps. In fact it should be transacted over my phone and archived in my personal DB.

    This tech is here, and pretty cheap. Banks should pay for it. Their insurance corps should make them pay for it. Until they do, consumers like us will pay most of the costs, especially in a lifetime recovering from a "one-time" ID theft.
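
An added sketch of the per-transaction code described in the comment above; it is not code from the thread or from any card scheme. It assumes a symmetric key shared by card and issuer and HMAC-SHA256 with HOTP-style truncation, and the names `transaction_code`, `Issuer` and `merchant-0001` are hypothetical.

```python
import hashlib
import hmac
import secrets


def transaction_code(card_key: bytes, challenge: bytes, amount_cents: int,
                     recipient: str, digits: int = 6) -> str:
    """One-time code bound to this challenge, amount and recipient."""
    fields = [challenge, str(amount_cents).encode(), recipient.encode("utf-8")]
    # Length-prefix each field so adjacent fields cannot be shifted into each other.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) down to a short decimal code.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Issuer:
    """Bank side: shares the card key and accepts each challenge only once."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._seen = set()

    def verify(self, challenge, amount_cents, recipient, code) -> bool:
        if challenge in self._seen:
            return False  # replayed challenge
        self._seen.add(challenge)  # burn it even if the code turns out wrong
        expected = transaction_code(self._key, challenge, amount_cents, recipient)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = secrets.token_bytes(32)    # constructed card key (assumption)
    bank = Issuer(key)
    nonce = secrets.token_bytes(16)  # one-time value from the vendor's terminal
    code = transaction_code(key, nonce, 4999, "merchant-0001")
    results = {"genuine": bank.verify(nonce, 4999, "merchant-0001", code)}
    results["replayed"] = bank.verify(nonce, 4999, "merchant-0001", code)
    # A captured code does not authorize a different amount or recipient.
    n2 = secrets.token_bytes(16)
    c2 = transaction_code(key, n2, 4999, "merchant-0001")
    results["amount_changed"] = bank.verify(n2, 999900, "merchant-0001", c2)
    n3 = secrets.token_bytes(16)
    c3 = transaction_code(key, n3, 4999, "merchant-0001")
    results["recipient_changed"] = bank.verify(n3, 4999, "merchant-9999", c3)
    return results
```

Unlike a static PIN, a code captured at one terminal fails verification for any other amount, recipient or challenge, which is the property the comment asks for.
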
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Sunday June 08, 2008 @05:27PM (#23702617)
    Comment removed based on user account deletion
  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Sunday June 08, 2008 @05:33PM (#23702641)
    Comment removed based on user account deletion
  • by NoobixCube ( 1133473 ) on Sunday June 08, 2008 @05:41PM (#23702693) Journal
    ID theft will continue, now that criminals have about 4.5 million people's personal data from those backup tapes the Bank of New York lost. Not to mention all of the other data losses we've heard about on Slashdot. No amount of securing your personal data will help now, unless you plan on changing your date of birth and address. Seriously, that's all it takes. All it took to prove to Medicare (Australian health cover, just a shade short of socialised health) over the phone that I was me, when I needed to change some details, was my date of birth and current address. You put those on almost every form you fill out offline, and if you shop online, you put your address on those too. Date of birth and current address can be used as a lever to "update" someone's Medicare details, and have a new card sent to an ID thief. Medicare counts as a form of ID, so that makes the lever a little bit longer. An ID thief can use the new Medicare card as ID for other changes and updates. Even get a copy of a person's birth certificate sent to them.
  • by cdrguru ( 88047 ) on Sunday June 08, 2008 @05:48PM (#23702739) Homepage
    Banks don't care because it costs them almost nothing to live with the current state of things. Credit card fraud costs the consumer, mostly because merchants get ripped off and have to eat the cost of sales to fraudulent card numbers.

    Credit card companies have very strict rules for merchants that prevent them from validating who a customer is beyond the signature on the card. For instance, they are not allowed to ask for a photo ID. If the card says "check ID" instead of being signed they are not supposed to accept it as it is not signed. The signature indicates that you have accepted the terms of the credit agreement, not any sort of identity verification. Violation of the merchant agreement can result in the merchant account being terminated. These days, a retail store not being able to accept credit cards might as well just fold up shop.

    Fraudulent loans and financing are a very small percentage. The FBI mandated that credit card fraud be lumped into "identity theft" a while back and that is where all the numbers are coming from. Unfortunately, there isn't any motivation to fix the problem because the wrong people - the merchants - are paying for the fraud.
  • by hedwards ( 940851 ) on Sunday June 08, 2008 @06:01PM (#23702813)
    That's hardly accurate at all. The only thing I can agree with is that with proper data protection laws, this wouldn't happen so frequently.

    The reason why it's referred to as identity theft is that fraudsters will use a real identity to open multiple accounts with multiple institutions and leave the bill for the victim to pay. And yes, that's how banks want it to work, they usually draw things out for many months, refuse to admit that it was their fault for having a shoddy system to verify these things.

    The cost of this can easily reach into the thousands of dollars for the victim. To suggest that banks just roll over and admit that it was fraud is really missing the point. In most cases they don't, as far as they're concerned they should be paid, and the person who got ripped off is them.

    I was very fortunate to just lose my email, name and address to spammers when TD Ameritrade had that large breach. I have no way of knowing if they got more, and decided not to use it, or if they will at some point in the future. In the state I live in, I'm not guaranteed a free credit freeze unless Ameritrade were to file a police report admitting it. AFAIK there's no law that says they have to do so and it's very much possible that the week they stop paying for the monitoring, that the information will be used.
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Sunday June 08, 2008 @06:17PM (#23702979)
    Comment removed based on user account deletion
  • by kesuki ( 321456 ) on Sunday June 08, 2008 @06:27PM (#23703023) Journal
    "The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges."

    there is a more sophisticated type of 'identity theft' that is much more complex, basically, all you need is a mark, a few social security numbers, a couple weeks and a home. every couple of weeks, you use the money you've stolen to acquire more properties, and for each 'fabricated' identity, you take out a new mortgage on a property, legally you can't take out 10 mortgages on one property, but if you work the system, you can get dozens though on the same property, seemingly from different individuals all who appear to be the only owner of that property. this crime scales all the way up to multi-million dollar skyscrapers, at least if you do it right. if you can manage to beat the system long enough you can run away with millions leaving a massive massive debt several millions of dollars greater all belonging to your 'mark;' who, according to all the paper work, did all the signing, even though there was massive massive fraud committed. and for once, banks actually call it fraud. the marks always wind up in prison, they thought they were doing a 'work at home business' helping their lover... the guy i heard about who managed to do all this, did it three times to three different women, but he was too greedy, and never pulled out with the millions he could have... the first thing that happens is they freeze all the assets, if they even suspect someone is doing this, so it's all a matter of pulling out before they know what you've done. it's crazy how easily this kind of identity theft can be done, once you know the whole mortgage system, and how to get a mark to sign all the paperwork, without them knowing what you're up to.

    it was on dateline, the guy who kept coming back to the same scam, he even wrote a 'fictional' book, all about how he did all his crimes, sadly the book itself was the most incriminating evidence against him in the crime, all the paper trails led to his 'women.' finding a woman who doesn't know much about running a business, and learning all the skills needed to pull off the crime are way too easy, banks really really want to believe what people are telling them. especially when the paperwork all goes through fine.
  • Re:FBI Out to Lunch (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Sunday June 08, 2008 @06:41PM (#23703113) Homepage Journal
    Well, I have worked in the "security industry" here in NYC, quite a lot making secure banking/brokerage/insurance infosystems during the late 1990s, and helping the NYC legislature's tech policymaking committee oversee secure NYC's IT (both government and its neighbors in the Financial District). I know quite a lot about both secure technology and government security operations.

    The FBI isn't nearly interested enough in these frauds. Despite how hard it is to find and bring these criminals to justice, that's the FBI's job, and it's good at it when it makes it a priority. Instead, under Bush, the priority has been "terrorism", which has been a cover for all kinds of wasted effort that hasn't secured us, but did help Bush keep going for 8 years. Even Bush's "CyberTerrorism Czars" have all quit in disgust, and Bush hasn't put a credible sheriff in charge of controlling this massive criminal activity.

    There's a lot more ID theft and fraud in the past 8 years than when Clinton was president in the late 20th Century. It's like the presidents of the 1920s didn't make the FBI all use or at least understand automobiles, when they became a common tool for crimes, especially in escaping local jurisdictions.

    So you can take your vague Bush apologies and dump them on that pile of crap you call "not much caring for the guy, either". The fact is that you voted for him twice, you and your Republican buddies are responsible for our lawless crises, and you have no credibility to bleat about how "this is hard work" like you do when Bush clears brush while the country gets looted. Your Bushy trolls are worse than worthless. You Republicans just aren't up to the job of securing anything, as much as you're constantly whining about how scary the bad guys are.

    And stop whining to the mods, who apparently aren't stuck in the kind of Bushy denial you're stuck in.
  • by MobyDisk ( 75490 ) on Sunday June 08, 2008 @09:35PM (#23703859) Homepage
    #1:
    "laws, but has all of this legislation actually cut down on identity theft?"
    Legislation does not stop crime. Prosecution stops crime. Besides, these laws are weak. They are unenforceable since they state "if you did something wrong, you must tell us" and obviously if they don't tell they don't get caught. And even if they do tell, there is nothing you can do to stop it and it doesn't make the companies any more likely to take security measures. So these bills are probably a good idea that doesn't go far enough.

    #2:
    I called Comcast today to register for service (yeah yeah, make fun of me, but they are the only game in town) and they asked me for my SSN. When I told them I couldn't do that, they hung up on me. So this just shows me that not only is this business as usual, but it is getting worse. 10 years ago nobody would have dared ask for a social security number for something like this. How come things are getting worse while at the same time we are supposedly doing all this stuff to prevent identity theft?

    Bottom line: nobody cares, nobody does anything about it. The only ones who do are academics and a vocal minority like Slashdot.
