Why Lenders Overlook Warning Signs of ID Theft

Hugh Pickens writes "Despite all the new fraud alert tools and increased awareness of the perils of identity theft, incidence of the crime remains at 2003 levels, with about 10 million Americans falling victim every year. Now the NY Times reports that there may be a simple reason for the persistence of ID theft: lenders are too willing to extend credit to just about anybody, even when there are big red flags that indicate fraud. Chris Jay Hoofnagle at UC Berkeley worked with a small sample of six ID theft victims and delved into how they were defrauded. Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud — yet in all 16 cases, credit or services were granted anyway. 'Identity theft remains so prevalent because it is less costly to tolerate fraud,' writes Hoofnagle. 'Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.' Hoofnagle says business decisions leave individuals and merchants with some of the externalities of identity theft as victims spend their own money, and more often, valuable personal time dealing with the problem. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems."

Here we go..

[BVis]

Can't wait to see how people blame the victim on this one.

Tell me about it

[cybrthng]

Bank fraud is why i shutdown my business after losing about 15k. Banks make a LOT of money milking the merchants with fees & services to create a "Safe shopping facade" but to screw you over in the end. What sucks even worse is that the consumer always wins in the end regardless or not if the consumer is legit or fraud and the banks LIKE it that way.

Banks make a lot of money in playing the high risk game and its screws everyone over in the end.. someone is paying for it.

ID theft is due to the pure negligence of lendors

[stox]

If lendors had to pay for the damage they cause, the problem would disappear overnight. They should be responsible, not the poor victims, for cleaning up the mess. Sadly, they do not care, as it costs them nothing.

Less about greed, more about legacy...

[Manip]

You have to keep in mind that a lot of systems that check people's IDs, Credit Cards, and Applications are built on top of legacy systems that were designed to work using modems and other terminals. I mean, yes, they have lovely UIs and web-sites but you rip all that stuff away and the entire process runs on the same communications channel as it did in 1990.

Credit Cards address information is often only checked in a very vague way. Since there is no encoding standards and since the address often winds up as one string you have to be very easy going about what passes and what doesn't. For example this might be the string you get in (all examples are valid/legal):
"123 Fake Street TownName State Country POCODE"
"123 FakeStreetTownNameStateCountryPOCODE"
"POCODE"
"123 Fake Street"

And this is the information you have to validate - Address Line 1, Line 2, Line 3, Line 4, Line 5 (Country), POCode (Post Code/Zip code). See the problem?

That's the best solution they could come up with?

[gnarl]

Considering how lending institutions generally operate, it makes more sense that they are making a bigger profit off of "ID Protection" insurance, than they take in actual losses from ID theft.
The only solution I see is to introduce regulation that forces the lenders to pay the cost of ID theft instead of the victims.

Bad incentive alignment

[MetricT]

Lenders are being completely rational from their perspective. They get paid for creating a market for loans. If they don't issue loans, they don't get paid.

They are using Other People's Money by packaging the resulting debt into CDO's and selling them off, so they don't have an incentive to look too closely at how credit-worthy the individual is. It's a bad combination of negative externalities and information asymmetry. It's a market failure that requires government regulation to fix.

Re:Here we go..

[Anonymous Coward]

Well let's be realistic, a Bank an take a $1000 hit and still operate. I am also sure there is some sort of insurance for that, if there isn't they will still carry on. However, if that's a person's last $1000 or a portion of that money needed to go to pay for food or rent, they are royally screwed. I'd say, yes there are 2 victims, but lets look at this from a practical standpoint, the guy making $40K/year has more to lose being defrauded, than the Bank that probably has a couple of hundred million under its belt.

Its not "ID Theft" its FRAUD

[AnnoyaMooseCowherd]

What annoys me is that by coming up with the spin incantation "ID Theft", banks have been able to make what is actually their problem your problem

Its not "ID Theft" its FRAUD

Before "ID Theft" existed, con artists would regularly pretend to be someone they weren't in order to steal things. If I pretend to be an engineer from the local telephone company in order to con my way into an old ladies house and steal her purse, no one would even think for a minute that the telephone company should foot the bill, but when someone pretends to be me and convinces a bank to give them some money on that basis, apparently it is ok for the bank to turn round and try to get me to pay for the result of their gullibility.

Re:Here we go..

[Shakrai]

Ford's Pinto comes to mind as does the recent Toyota situation

The "Toyota situation" has been blown completely out of proportion. Whatever problems may exist with Toyota automobiles have long since been buried under sensationalist "OMG, if you own a Toyota you are going to die!!!" media headlines and politicians looking to build "I'm tough on big business" street cred. It's been alleged that 37 people have died due to problems with Toyota's in the last ten years. That's a drop in the bucket compared to the number of people who have died in old fashioned automobile accidents. Even if you accept that all of those were due to a design flaw (which hasn't been proven yet) it hardly seems worth all of this FUD.

I don't own a Toyota but if I did I wouldn't be afraid to drive it. I'd be more worried about getting killed because of the stupidity of a fellow driver than I would be about being killed by a design flaw in my own automobile.

Re:The obvious solution to ID Fraud

[HangingChad]

What's wrong with this solution?

The banks spend millions on lobbyists to fight making the laws more fair to the consumer. Otherwise your solution would already be law.

Banks start whining that making them responsible would raise the cost of extending credit. Good. Credit should be harder to get.

One slight problem

[petes_PoV]

The bank lends some money to Joe. Joe denies ever having seen it, says it must've been David using Joe's assumed name. When the bank challenges Joe and says "but here's the proof that your identity was used", Joe replies "dam' clever these identity theft people, you really should tighten up your procedures". Same standoff, different people benefit and get blamed. Now I'm not saying the banks are blameless - they obviously rely to heavily on shoddy checks to ensure the applicant is who they say they are. However, once you make them take the hit, all that will happen is they pass on the costs to the customers by increasing their charges. Which is what they'll do in every situation, anyway.

The only workable solution is to have some way of absolutely and uniquely guaranteeing that the person who claims to be "X" can only be "X" and cannot be anyone else. Even DNA checks are not good enough for this (as cases involving identical twins have shown), so the actual solution is very, very hard.

Of course the simpler solution is for the banks to not lend anything to anyone.

ID Theft is not a crime

[Gim Tom]

ID theft is not the crime. It is just another form of fraud where the organizations that grant credit are not the ones who suffer when the fraud is committed against them. ID theft did not really exist until one could get credit based on simply a Social Security Number and little else. It was not that long ago where I worked that old stacks of large green bar print out paper covered on one side with peoples names, Social Security Numbers, and addresses were just taken home by virtually everyone for use by their children as scrap paper on which to draw with crayons. I would bet that anyone who was in IT back in the 1980's will remember this as normal. Back then a "stolen" identity had no value. Things that have no value are not usually stolen. It was only when the credit card companies MADE an identity have value that "Identity Theft" became something that was worth stealing. If some enterprising attorney would find a way to put together a nice class action law suit against the companies that control the issuance of credit and set a precedent that THEY were liable if credit was granted fraudulently in someones name who did not request it then ID theft would cease to exist since it would no longer be an externality

Re:Credit Agencies

[Anonymous Coward]

I like your plan, but it would first require the approval of the credit agencies and $1 million in lobbying (by the credit agencies) before any congressman would sponsor such a bill. Unless of course some influential consumer advocacy group can out-lobby the credit agencies, but none come to mind.

Your plan would only work if you use the strategy that got us health reform. The bill has to be written by the enablers (banks and credit agencies). The bill would mandate that all Americans be required to pay for credit monitoring, with government subsidies for the poor. Then everyone would get a monthly statement of their credit activity. Democrats will debate for a public option, then drop the charade and pass the bill without one.

Re:Here we go..

[Migraineman]

Actually, that's the root of the problem. When the credit card company pushes the burden of loss onto the merchant, they have no incentive to shoulder the expense of stopping fraud. If they had to absorb the loss themselves, and were prohibited from shoving this onto the merchants, you can bet their attitude toward fraud would change immediately.

Shifting the risk

[rajats]

The credit card companies and banks are wanting to shift the residual risk to the customers. That's why they want you to pay for "SafeProtect" etc. for which you have to pay in advance so they monitor any ID thefts. My question is shouldn't they already be doing that? If yes, then why do they want you to pay for it? Cost reduction in my humble opinion.

Re:One slight problem

[david_thornley]

If it's the bank's decision to lend or not, then the bank should take responsibility for fraud. Suppose Joe borrows money under my name fraudulently, from a bank I don't personally do business with. I have had no opportunity to influence the security of the bank's system, except politically. I have had no market influence, not being a customer. The decision of what level of fraud to accept is the bank's.

Any cost pushed off on me is an externality for the bank, since they don't have to pay, and they aren't even losing a customer. Therefore, market forces will not create incentives for banks to reduce fraud below what is best for their balance sheets. In the situation where I can be forced to repay the loan, there is no incentive for the bank to avoid fraudulent loans, and the amount of fraudulent loans increase until everybody's doing it as a matter of self-defense.

In general, the cost of a loss is best assigned to those with the ability to avoid the loss. That way, the market pushes them to the correct balance of preventing and accepting the loss.

Re:Credit Agencies

[mcelrath]

You seem to be under the illusion that credit agencies are legitimate businesses, interested in the welfare of their customers, and you are their customer.

Let me fix that for you: Credit reporting agencies are a blackmail and extortion ring that somehow are allowed to legally exist. They don't give a shit that your information is correct or not, or if someone defrauds you. If you get defrauded, they're happy to just put it in the report. After all, if you get defrauded, you're a risk, aren't you? Still not their problem.

No one has ever been contacted by a credit agency, unsolicited, to verify the accuracy of information in their file.

The only way your idea will come to pass is if it is legislated.

Personally I think a better idea is to just get rid of credit agencies. Make holding information about a person without their knowledge or consent illegal. Require that anyone holding information (of a certain nature) about a person notify that person of the content and existence of that data on a regular basis. Thus holding information about people becomes expensive, and illegitimate extortion operations like credit agencies would be forced (economically) to improve.

MOD PARENT INSIGHTFUL

[ikoleverhate]

If I fall for a phishing scam because I'm convinced the site I'm looking at is owned by my bank, isn't that the bank having it's ID stolen? So if the phishers get me to give them money, the bank pays it back right? Obviosuly not, that would be crazy. Just because it was done in the bank's name doesn't mean it's the bank's responsibility. Surely then, it's just as crazy that private individuals have to pay back banks who get scammed, just becuase it's done in their name.

Re:One slight problem

[bendodge]

Even DNA checks are not good enough for this (as cases involving identical twins have shown), so the actual solution is very, very hard.

Just take a thumbprint with the signature. That's good enough to cover 99% of the cases. (If someone is rich enough that someone else will make a thumbcap to match, then you're getting into real cloak-and-dagger. But most crooks are dumb.) Inkpads are cheap. Even though the bank likely can't verify the thumbprint immediately, it will be invaluable to the police when the fraud is investigated.

PCI Does Nothing To Stop This

[gcatullus]

This is exactly why PCI compliance won't do much to stem identity theft. The institutions that get the benefit of credit cards, i.e. the issuers like Visa/Mastercard, have nothing to gain from preventing it and everything to gain from allowing it. If Visa card is fraudulently obtained and used, Visa loses absolutely nothing. The person whose identity was stolen loses time and effort to get things reversed, the merchant loses because the charges will be charged back, and the merchant loses again because she pays fees for the original transaction and fees for the chargeback. The issuers actually make MORE money when this happens. Visa/Mastercard don't even have to game the system, they are the system. PCI stands for payment card industry. Foisting all security onto the merchants is one small step removed from blaming the consumer.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Here we go..

[sjames]

This just goes to show exactly how despicable the banks have become. The guy making 40K is the only blameless person in the whole deal. The ID thief, is of course to blame for committing a crime. The bank had the opportunity to verify their ID more carefully and take other measures to catch the actual criminal, but doesn't bother because it's much easier to just extort the losses from the guy making 40K by hiring someone to make harassing phone calls, threaten him with expensive court proceedings, and spread libelous claims that he is a bad credit risk. In extreme cases, the bank might even lie to the courts and the sheriff to get them to take the money from him at gunpoint.

The guy making 40K had nothing whatsoever to do with any of it. The banks have somehow convinced everyone that the combination of person defrauds bank plus bank extorts the losses from a 3rd party to be a new crime committed by the fraudster against the bank's victim.

Re:Credit Agencies

[infinite9]

You seem to be under the illusion that credit agencies are legitimate businesses, interested in the welfare of their customers, and you are their customer.

Let me fix that for you:

You're completely right. The Fair Isaac score is a measure of how likely a creditor is to make money from you. If you're a victim of identity theft, then you may cost the creditor money. So you necessarily get a lower score.

The credit reporting system is an ingenious scam. They've created a number from nothing. Then tied this number to behaviors they want to see from you. Don't go into enough debt? You get a low score. Don't pay reliably? You get a low score. It's a worthless shiny object that you've been conditioned to pursue.

They flood television with commercials spouting propaganda for the current system of credit. Responsible people pay their bills on time, even if it means they have to feed their kids crap food for dinner, or pull them out of private schools, or avoid taking them to the doctor because they can't afford it. Responsible people establish and maintain a good credit history. Responsible parents teach their kids about credit and help them get their first credit card. It's a confidence game. You groom the mark. Then you fleece them. You give up your hard-earned money so that a number in a computer doesn't drop.

Here's how it is folks: take care of yourself and your family first, even if your credit score takes a hit. You can't eat your credit score. It won't keep you warm in the winter. And if you have no desire to finance anything, then your credit score is utterly irrelevant.

Re:Here we go..

[Shakrai]

The first NSF fee is because your account *MIGHT* become overdrawn. It's like a warning shot. They still charge you

I find that a little hard to believe. Got a link to the bank policy where they state that they do that?

Something like 75% of a banks income, comes from NSF fees.

And 98% of all statistics are made up on the spot.....

Re:Here we go..

[RAMMS+EIN]

``(As an aside where are all the people who say that stealing Intellectual Property isn't theft on this--if you steal my identity, I still have it)''

I happen to be one of those people, which is why I prefer speaking of "identity fraud" rather than "identity theft".

Re:The obvious solution to ID Fraud

[noidentity]

Exactly. I don't get why I should have any part in them giving money to someone who claimed to be me. It wasn't me. Sorry you guys lost money, but it's your problem, not mine. I never agreed to any of it, so fuck off and deal with your loss. Next.