Why Lenders Overlook Warning Signs of ID Theft

Hugh Pickens writes "Despite all the new fraud alert tools and increased awareness of the perils of identity theft, incidence of the crime remains at 2003 levels, with about 10 million Americans falling victim every year. Now the NY Times reports that there may be a simple reason for the persistence of ID theft: lenders are too willing to extend credit to just about anybody, even when there are big red flags that indicate fraud. Chris Jay Hoofnagle at UC Berkeley worked with a small sample of six ID theft victims and delved into how they were defrauded. Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud — yet in all 16 cases, credit or services were granted anyway. 'Identity theft remains so prevalent because it is less costly to tolerate fraud,' writes Hoofnagle. 'Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.' Hoofnagle says business decisions leave individuals and merchants with some of the externalities of identity theft as victims spend their own money, and more often, valuable personal time dealing with the problem. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems."

Re:Here we go..

[WrongSizeGlass]

Can't wait to see how people blame the victim on this one.

I think it's pretty clear that these 'honorable institutions' are actually enablers. Accepting that the cost to compensate individuals is lower than fixing the system sounds awfully familiar ... Ford's Pinto comes to mind as does the recent Toyota situation. They're not killing anyone ... they're just ruining their lives for a while.

Hoofnagle is right

[dontmakemethink]

Settling the fraudulent debt is one thing, being compensated for the runaround is another. If banks are going to save money by enabling ID theft as a matter of policy, they must compensate for when that policy causes damages to their clients in the form of time and money spent correcting the problems. Then we'll see if it's actually better to save on ID theft prevention.

Credit Agencies

[Shotgun]

I've got an idea. How about the credit agencies be required to inform me when they give out reports about me? They already know everything about me, right? If someone is illegitimately getting credit under my name, I'll find out about it. If they have incorrect information, I'll find out about it. The cost of an inquiry would go up by $1(US), the cost of printing and mailing a duplicate report.

The obvious solution to ID Fraud

[rock_climbing_guy]

I have an obvious solution to ID fraud. It must be wrong, or else it would be implemented years ago.

The solution is this: you loan money to Joe and Joe signs his name as David? Wow, too bad for you, lender. You just gave away your money to Joe. David can't be held liable for this since he had no hand in it?

Doesn't it sound like the logical solution. If someone goes to the bank claiming to be me and the bank gives them a loan in my name, then the impetus is on the bank to track down the schmuck who tricked them. The bank ought to be liable for allowing themselves to be duped like this; they shouldn't be allowed to come after me. After all, I didn't do anything!

What's wrong with this solution?

Re:Here we go..

[RAMMS+EIN]

``Can't wait to see how people blame the victim on this one.''

The victims ... are all of us. The fallout of identity fraud is costly, and, eventually, all of society bears that cost. Higher rates for borrowing money, insurance against identity fraud, the enormous cost of cleaning up after your name has been misused, and society missing out on people who would otherwise have been productive members.

It seems to me that the choices we have are trading the inefficiency of a better identification system against the inefficiency of having more failures, and sharing the burden vs. letting a few shoulders carry it all so the rest of us goes unencumbered.

Personally, I think that there should, first of all, be fewer occasions where you need to authenticate. Usually, it doesn't matter who you are, so why require authentication? Secondly, authentication should not always disclose everything. If the same data that I need to hand over to buy a $50 mobile phone can be used to get a $20000 loan, that's a security hole.

Thirdly, when you're lending money, that's your choice. You can charge interest and/or fees to make it worth your while. What you can't do is get someone who wasn't a party to the agreement to be responsible for getting the money back to you. If you lent it to the wrong person based on false credentials, that's your mistake, not that of the person whose credentials were misused. Somehow, institutions seem to be able to strong-arm that person into paying up anyway. I'd like to see the end of that, too.

People give away too much info

[Alain Williams]

I recently wanted an 0845 phone number (a non geographic number in the UK). The vendor (uk2numbers.co.uk) wanted to verify my address. The only suitable document (that had my PO box address) was a credit card statement. So I scanned it, blurred out my credit limit and part of the credit card number. Long story short: they refused to deal with me because I refused to give them a copy with these numbers in full. I refused to give it to them because of security concerns.

It seems evident that most who deal with them just hand this stuff over, and then wonder why they end up being owned.

In the end it turned out good for me since I looked elsewhere and got a much better service on phone numbers - but at the time it looked to me as if I was paying a cost (today) for trying to keep secure (future). They do not need my credit limit for their purposes, I am concerned about what is happening with such information that others have given them; I will report them to the UK ICO [ico.gov.uk].

I know this from experience

[Jason Levine]

I had someone open a credit card in my name. They knew my name, address, date of birth and social security number. What they didn't know, however, was my mother's maiden name. However, the credit card company (*cough* Capital One *cough*) ignored this and let them get a credit card in my name via an online form. Then they immediately changed the address to another address in another state halfway across the country. Then they called up and asked for a $5,000 cash advance before the card was even activated. None of these set off red flags apparently.

The only reason it was caught was that the thieves tried to get the card quickly and so paid for "rush delivery." The card was sent out before the address change went through and it wound up at my door. When I called up, the credit card company first gave me the runaround insinuating that perhaps my wife did it. (Neither of us would ever open a credit card without consulting the other. Much less open an account in the other person's name and then try to get a $5,000 advance.) Then they claimed that they couldn't give me any information because (and this is a nearly direct quote) they'd be "liable if I went out and shot the person." Yes, they were now insinuating that I'd commit murder and then *they* would be sued.

Fine, I had the police call them. But they gave the police the runaround also. They insisted the police call a special "police" number, but apparently only an answering machine staffs that number and nobody returns calls from it.

Basically, the credit card company doesn't care *who* they give a card to because they can write off the fraud and will wind up making a profit either way. Fraudulent charges that consumers pay mean credit card company profits. Fraudulent charges that consumers don't pay are charged back to the merchants for no real loss (to the credit card company, the merchant's out the merchandise). In the end, they don't give a rat's posterior about messed up consumer credit or store losses due to fraud/ID theft. They're making a tidy profit and that's all that matters.

Re:People give away too much info

[Lumpy]

That's why I do not blur those numbers but replace them with fake numbers. the idiots making the decision as to the legitimacy of a document never actually try to verify it so they want to see something that LOOKS legitimate. Honestly anyone with an IQ over 90 can generate a legitimate looking document in 30 minutes on a computer. yet banks and phone companies hire people with an IQ under 60 to verify the legitimacy of documents.

They're totally unaccountable.

[copponex]

Did you know you cannot even compel a credit agency to produce the documentation proving that you owe the claimed debt? Verification involves them contacting the party reporting the debt, saying "This guy owes money, right?" When they reply in the affirmative, that's called "verified."

Financial regulations in the United States are practically non-existent. The reason for uncertainty in our markets has nothing to do with government regulations - it has to do with the total lack of accountability and transparency required. Every five years the scheisters are exposed, and the markets collapse, because everyone - Wall Street, the credit rating agencies, and of course the companies themselves - are in on the take.

Re:Lenders will do nothing until it costs them mon

[medcalf]

Something similar happened to me years ago. A person with my wife's name and who had lived on the same street some years prior had taken out a loan and defaulted on it (among many, many other defaults and legal issues). The lender had sent it to collections. The collections agency called us (presumably looking up name and street), and we told them they had the wrong people. They read off the information we had, and the only thing that matched was the first and last name and the street name. We told them the middle name was wrong (it was X, my wife's is Y) and that the address was wrong (it was 1234, ours was 4321) and so forth. A week later, we had a collections letter at our address with the "corrected" information. We called up the collections company president, and noted the legal trouble he was about to be in if he didn't correct this forthwith (thankfully, we were smart enough not to correct the SSN!), and things got corrected. We no longer give out any PII, and no longer do business over the phone unless we initiate the call. Sad that we had to learn the hard way, but at least it wasn't harder.

Re:Here we go..

[JWSmythe]

I just can't figure why one needs to hand over an SSN to buy even a prepaid phone plan.

    Really?

    My prepaid phone has some basic (and out of date) information on me. No DOB, no SSN.

    Someone I knew had a stalker, arrested multiple times for stalking her. He'd somehow get her phone number. He'd find out when she moved and to where. She resorted to living with friends and moving frequently, but had no cell phone. I bought a prepaid phone with cash. They only asked for the money, and I said "thank you."

    To activate it, I did it online with bogus information. False name, address, etc, etc. I told her, to add minutes, pay cash at any number of stores for a refill card, and I washed my hands of it. For personal reasons, we aren't talking, but she still has her gift phone that doesn't trace back to any real people. At least she can talk stalker free. Well, unless someone tells the stalker what the number is. I told her where to say she lives, works, etc, so everyone knows the decoy information, and very few people know the real information.

    It's not that hard to disappear, you just have to pick your methods correctly. :)

The banks don't give a shit

[rgviza]

Then there's the other factor... to even make the FBI's case load, you need to commit a felony. A felony is more than $5000 USD theft.

What happens is most ID thefts are under this amount so they don't make the FBI's radar. Even when they do, the FBI has bigger fish to fry. They are in line behind frauds that are much bigger so never make the FBI's case load. This enables id thieves to pretty much operate with impunity. No one files a complaint with local law enforcement so neither locals, nor the FBI goes after them.

I had the same guy, in Chicago, use my ID 3 separate occasions with Household bank in 2004 (yes, they kept on issuing loans to the same guy that just ripped them off). Each theft was $4500-4900.

Their collections people kept calling me and my wife, and told my wife I have a mistress in Chicago. She thought this was funny since I was home every night with her and NEVER traveled to Chicago (Indeed I wasn't traveling at all after 2001).

So not only to they enable thieves to ruin your credit, their asshole collections douchebags try to break up your family too. I was able to straighten this out by calling the credit bureau directly, raising a dispute (once for each fraud), at which point Household could not produce my signature, and I'd never lived in Chicago (according to credit bureau records) which enabled me to tell Household they can go fuck themselves and the bureaus simply deleted the non-payment entries in their database.

Very nice... but this could have been a real problem had the fraud been local. I'm not sure I'd have been able to clear it.

AFAIK, just say no.

[gillbates]

I've dealt with things like this before with my bank. The worst I had to do was sign an affidavit that stated I didn't make the fraudulent transaction, and the problem "went away".

Here's something interesting: about 5 years ago, I was called up by someone claiming to be an insurance company, trying to collect a debt that I supposedly owed for a hit and run accident with my "red truck". I do have a red truck. But I had never, as they claimed, been involved in a hit and run accident with it, two years prior to the call.

To make a long story short, the insurance company paid out for someone's totalled car in an accident. The accident report listed the other vehicle as a red Dodge pickup, license plate unknown. The insurance company then sold its "debt" to a collection agency, which then acquired the registrations (via the state DMV, no less) for every red truck registered in Illinois. In spite of the fact that mine was a Chevy, and the accident report was for a Dodge, they called me, trying to get me to pay up. Basically, they were cold-calling truck owners in the hope that someone would admit to the crime.

They called back a few times. Imagine, for a moment, if I had died and my wife had answered the phone. She could have been defrauded into paying a debt which she didn't owe, simply because she didn't know any better. These collection agencies are borderline fraudulent operations. Yet they enjoy legal status.

It's interesting that banks try to pass the cost onto the consumer. But ultimately, it would take very little to show in a court of law that:

1. The bank had a duty to affirm the identity of the borrower.
2. The bank failed that duty, and
3. As a consequence, you lost time/money correcting the situation, therefore,
4. The bank is responsible for your lost time.

Most IT professionals can get between $50 and $100 per hour for there services. Should a bank require me to settle a case of fraud with anything more than a signed affidavit, you can bet I'll be sending them an invoice. After all - they'll charge you an hourly fee for balance reconciliation when you're at fault; therefore, they should expect likewise treatment.

Re:Tell me about it

[GooberToo]

This is exactly why I always say, "identify theft" doesn't exist. This is credit fraud which is encouraged by banks and especially credit reporting agencies. If laws didn't exist specifically to protect banks and credit agencies, we would all be calling them fraudulent organizations and lots of people would be jail. But since lots and lots of politicians financially benefit from fraud, the status quo is actively maintained.

It is impossible to fix credit fraud until lenders and credit agencies are help liable for their willfully fraudulent actions.

Re:Lenders will do nothing until it costs them mon

[KDN]

Here is a trick I did for the above case. I do not give out SSN to anyone I did not call. They (the other end) were not allowed to give out the SSN, they said that they required me to give it to them. To which I responded that I have no way to confirm who they are. Classic Mexican standoff. So I did a simple hash. Lets say your SSN ends in ABCD (these are variables). I had them add AB to CD and tell me the number. If it does not match mine, and it didn't, I know the SSN does not match. If it does, I have a reasonable assurance that they have the correct SSN already. Yeah its not as good as MD5, but its something that I can walk someone over the phone with.

And if they refuse, I score them negatively on my "is this legit or fraud" rating.

Citibank

[AvenNYC]

I can only speak for Citibank, but it wouldn't be too hard for me to believe that all banks are this retarded. They called me a year ago to tell (...ask?) me I had drained my bank account (via my debit card) with two charges from the Philippines (Thousands of dollars). I told them of course not and that they needed to get my money back. I also asked them to not allow charges from overseas in the future and if I needed something from the Philippines I'd call and let them know. They said there was no way to do that, and that any charges from anywhere in the world would continue to be put through. I got my money back within days. I don't see how this makes them any money.