ID Theft In US Continues Apace Despite Data Breach Laws
4roddas points out an article at Techworld about the continued scourge of identity theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends."
Get Personal Data off your computer (Score:5, Interesting)
Re:Put the onus on financial institutions (Score:4, Interesting)
http://www.notarypublicstamps.com/products.asp?StateID=15 [notarypublicstamps.com]
Put the onus on the financial institution monetarily and make it treble damages in addition to jury awarded punitive damages and legal fees. Make it so that it must go before a jury and not ever arbitration. I'd want punitive damages so high their investors suffer and I'd want those damages set aside in a fund to help identity theft victims have damages that don't warrant or won't benefit from a lawsuit or have emergency needs.
Identity Clearinghouse (Score:5, Interesting)
To register with the clearinghouse, you go to a local government agency where identity is "managed" - e.g., your local DMV. You register there by providing your current contact information, and they ensure that you are the person you claim to be through their normal identification procedures (such as picture ID/driver's license pictures on file). If you later need to change your contact info, you do the same procedure (going to the DMV in person) to prove your identity.
When you apply for credit somewhere, the lender first uses the identifying information you have provided to them (such as name, address, SS#, etc.) to verify your identity with the clearinghouse. If you haven't registered, the clearinghouse just responds that there's no such registrant in their records, and the lender is free to grant credit to the applicant. But if you have registered, the clearinghouse first checks to make sure the information they have on file matches the information the lender provides, and second, they use the information they have on file to contact you directly and ensure that you actually applied for credit with the lender in question. If both of those checks succeed, they respond to the lender with "yes", and if either fails, they tell the lender "no".
This would greatly reduce the instances of people opening lines of credit in other people's names. However, one problem it doesn't address is fraudulent charges to legitimate lines of credit you already have (e.g., stolen/copied credit cards). Credit card issuers and merchants are both often on the hook for most of those sorts of charges, though, so they already take at least some steps to reduce that kind of fraud.
FBI Out to Lunch (Score:4, Interesting)
Feel safer?
One-Time Passwords for Transactions (Score:3, Interesting)
Every transaction should have its own unique PIN attached to the transaction's amount and recipient. Credit cards with chips could do this right now, RSA-password style, generated against the one-time password from the vendor's machine for the transaction, in a data package with the vendor's invoice signed by the vendor's transaction password that my card keeps. In fact it should be transacted over my phone and archived in my personal DB.
This tech is here, and pretty cheap. Banks should pay for it. Their insurance corps should make them pay for it. Until they do, consumers like us will pay most of the costs, especially in a lifetime recovering from a "one-time" ID theft.
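The per-transaction code described in the comment above, as an added example (not part of the original post or of any card scheme's actual protocol). It substitutes a shared-key HMAC for the RSA-style signing the comment mentions; the key, vendor nonce, payee names and the `Issuer` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

def transaction_code(key: bytes, counter: int, challenge: bytes,
                     recipient: str, amount_cents: int, digits: int = 8) -> str:
    """Derive a one-time code bound to this exact transaction."""
    rcpt = recipient.encode("utf-8")
    # Length-prefix variable fields so distinct transactions never serialize alike.
    msg = (struct.pack(">Q", counter)
           + struct.pack(">H", len(challenge)) + challenge
           + struct.pack(">H", len(rcpt)) + rcpt
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226), applied to a SHA-256 MAC.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Issuer:
    """Bank-side verifier: one shared key and last-used counter per card."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._last_counter = 0

    def authorize(self, counter, challenge, recipient, amount_cents, code) -> bool:
        if counter <= self._last_counter:          # replayed or stale code
            return False
        expected = transaction_code(self._key, counter, challenge,
                                    recipient, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False                           # wrong key, or details altered
        self._last_counter = counter               # burn the counter on success
        return True


def demo() -> dict:
    key = bytes(range(32))                         # constructed demo key
    nonce = b"vendor-nonce-01"                     # constructed vendor challenge
    bank = Issuer(key)
    code = transaction_code(key, 1, nonce, "Example Books", 2599)
    return {
        "altered_amount": bank.authorize(1, nonce, "Example Books", 259900, code),
        "altered_payee": bank.authorize(1, nonce, "Other Shop", 2599, code),
        "genuine": bank.authorize(1, nonce, "Example Books", 2599, code),
        "replayed": bank.authorize(1, nonce, "Example Books", 2599, code),
    }
```

A code skimmed at the point of sale is useless for any other amount or payee, and the counter check rejects a second use of the same code.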
Comment removed (Score:5, Interesting)
Comment removed (Score:3, Interesting)
ID theft is trivially easy, today. (Score:4, Interesting)
Re:The solution is technology (Score:5, Interesting)
Credit card companies have very strict rules for merchants that prevent them from validating who a customer is beyond the signature on the card. For instance, they are not allowed to ask for a photo ID. If the card says "check ID" instead of being signed they are not supposed to accept it as it is not signed. The signature indicates that you have accepted the terms of the credit agreement, not any sort of identity verification. Violation of the merchant agreement can result in the merchant account being terminated. These days, a retail store not being able to accept credit cards might as well just fold up shop.
Fraudulent loans and financing are a very small percentage. The FBI mandated that credit card fraud be lumped into "identity theft" a while back and that is where all the numbers are coming from. Unfortunately, there isn't any motivation to fix the problem because the wrong people - the merchants - are paying for the fraud.
Re:Put the onus on financial institutions (Score:3, Interesting)
The reason why it's referred to as identity theft is that fraudsters will use a real identity to open multiple accounts with multiple institutions and leave the bill for the victim to pay. And yes, that's how banks want it to work, they usually draw things out for many months, refuse to admit that it was their fault for having a shoddy system to verify these things.
The cost of this can easily reach into the thousands of dollars for the victim. To suggest that banks just roll over and admit that it was fraud is really missing the point. In most cases they don't, as far as they're concerned they should be paid, and the person who got ripped off is them.
I was very fortunate to just lose my email, name and address to spammers when TD Ameritrade had that large breach. I have no way of knowing if they got more, and decided not to use it, or if they will at some point in the future. In the state I live in, I'm not guaranteed a free credit freeze unless Ameritrade were to file a police report admitting it. AFAIK there's no law that says they have to do so and it's very much possible that the week they stop paying for the monitoring, that the information will be used.
Comment removed (Score:4, Interesting)
Re:Put the onus on financial institutions (Score:5, Interesting)
there is a more sophisticated type of 'identity theft' that is much more complex, basically, all you need is a mark, a few social security numbers, a couple weeks and a home. every couple of weeks, you use the money you've stolen to acquire more properties, and for each 'fabricated' identity, you take out a new mortgage on a property, legally you can't take out 10 mortgages on one property, but if you work the system, you can get dozens though on the same property, seemingly from different individuals all who appear to be the only owner of that property. this crime scales all the way up to multi-million dollar skyscrapers, at least if you do it right. if you can manage to beat the system long enough you can run away with millions leaving a massive massive debt several millions of dollars greater all belonging to your 'mark,' who, according to all the paper work, did all the signing, even though there was massive massive fraud committed. and for once, banks actually call it fraud. the marks always wind up in prison, they thought they were doing a 'work at home business' helping their lover... the guy i heard about who managed to do all this, did it three times to three different women, but he was too greedy, and never pulled out with the millions he could have... the first thing that happens is they freeze all the assets, if they even suspect someone is doing this, so it's all a matter of pulling out before they know what you've done. it's crazy how easily this kind of identity theft can be done, once you know the whole mortgage system, and how to get a mark to sign all the paperwork, without them knowing what you're up to.
it was on dateline, the guy who kept coming back to the same scam, he even wrote a 'fictional' book, all about how he did all his crimes, sadly the book itself was the most incriminating evidence against him in the crime, all the paper trails led to his 'women.' finding a woman who doesn't know much about running a business, and learning all the skills needed to pull off the crime are way too easy, banks really really want to believe what people are telling them. especially when the paperwork all goes through fine.
Re:FBI Out to Lunch (Score:3, Interesting)
The FBI isn't nearly interested enough in these frauds. Despite how hard it is to find and bring these criminals to justice, that's the FBI's job, and it's good at it when it makes it a priority. Instead, under Bush, the priority has been "terrorism", which has been a cover for all kinds of wasted effort that hasn't secured us, but did help Bush keep going for 8 years. Even Bush's "CyberTerrorism Czars" have all quit in disgust, and Bush hasn't put a credible sheriff in charge of controlling this massive criminal activity.
There's a lot more ID theft and fraud in the past 8 years than when Clinton was president in the late 20th Century. It's like the presidents of the 1920s didn't make the FBI all use or at least understand automobiles, when they became a common tool for crimes, especially in escaping local jurisdictions.
So you can take your vague Bush apologies and dump them on that pile of crap you call "not much caring for the guy, either". The fact is that you voted for him twice, you and your Republican buddies are responsible for our lawless crises, and you have no credibility to bleat about how "this is hard work" like you do when Bush clears brush while the country gets looted. Your Bushy trolls are worse than worthless. You Republicans just aren't up to the job of securing anything, as much as you're constantly whining about how scary the bad guys are.
And stop whining to the mods, who apparently aren't stuck in the kind of Bushy denial you're stuck in.
Two items forgotten here (Score:3, Interesting)
laws, but has all of this legislation actually cut down on identity theft? Legislation does not stop crime. Prosecution stops crime. Besides, these laws are weak. They are unenforceable since they state "if you did something wrong, you must tell us" and obviously if they don't tell they don't get caught. And even if they do tell, there is nothing you can do to stop it and it doesn't make the companies any more likely to take security measures. So these bills are probably a good idea that doesn't go far enough.
#2:
I called Comcast today to register for service (yeah yeah, make fun of me, but they are the only game in town) and they asked me for my SSN. When I told them I couldn't do that, they hung up on me. So this just shows me that not only is this business as usual, but it is getting worse. 10 years ago nobody would have dared ask for a social security number for something like this. How come things are getting worse while at the same time we are supposedly doing all this stuff to prevent identity theft?
Bottom line: nobody cares, nobody does anything about it. The only ones who do are academics and a vocal minority like Slashdot.