Bill Introduced to Congress Would Allow ID Theft Restitution
verybadradio writes with an article at News.com about a bill introduced into Congress that would allow citizens who have been victimized by identity theft to seek repayment for the money and time spent repairing their credit history. The bill was introduced by Democrat Patrick Leahy of Vermont and Republican Arlen Specter of Pennsylvania. "Last year, 8.4 million Americans were victims of identity theft, and many were left with a bad credit report, which takes months or years to repair, the lawmakers said ... The bill would also eliminate a requirement that the loss resulting from damage to a victim's computer must exceed $5,000 for prosecution; make it a felony to use spyware or keyloggers to damage 10 or more computers; and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer."
Hmm (Score:5, Interesting)
It all sounds good except this line makes me a bit nervous:
Would threatening to expose a security flaw in a server or website unless it was patched open you up to prosecution under cybercrime laws then? I know that's already fairly shaky ground from a legal standpoint, but would this make it even worse?
New laws really necessary? (Score:3, Interesting)
Usually (Score:4, Interesting)
My usual reaction to identity theft laws is "Aren't existing fraud laws sufficient?"
At least at first glance, however, this bill seems to be doing more, and doing it in a useful manner -- not solely a "well, let's make it more illegal!" type of bill.
The nature of the identity theft crime... (Score:3, Interesting)
Re:why can't we get what the RIAA gets? (Score:3, Interesting)
Oh yes, because those Chinese, Russians, and others located outside the US are so mortally afraid of being sued for a hojillion dollars. The one good thing this law is doing is allowing the victim to recoup some of the loss, and maybe might act as incentive for the credit card companies to actually do something to reduce identity theft. The problem till now is it was always the victims eating the costs of identity theft, not the credit card and credit reporting agencies.
Re:The nature of the identity theft crime... (Score:2, Interesting)
Can we sue the credit reporting agencies? (Score:5, Interesting)
Basically, someone impersonates me. Some bank/merchant/credit card company extends credit without verification. The impersonator defaults. They report me as the deadbeat. That is the scenario. The creditor who mistakenly reported me should be liable for slander. The credit reporting agencies should be considered accessory after the fact. So the real culprits are the people who extend credit without verification and people who report me as a deadbeat without justification. Normally if they have to face full consequences of their action, they will clean up their act and we would not need any special laws for identity theft.
But Congress in its infinite stupidity holds the impersonator responsible for my ruined reputation. The impersonator is liable for lying, cheating, committing forgery and is responsible for all the damage caused to the credulous creditor. And if they call me a deadbeat without proper verification, whoever reported me as the deadbeat is responsible for the damage caused to my good name.
As usual it is a credit reporting agency liability protection act being sold to the public as an anti-ID theft law.
Re:Wow... (Score:5, Interesting)
Re:Funny, I thought we had a mechanism for that... (Score:3, Interesting)
The bank was the fraud victim, you're collateral damage. Er, um, no pun intended...
After the fraud uses your personal information to take money from a third party creditor, said creditor unfairly trashes your reputation, since that's the easiest recourse they have. Actual damages inflicted by the creditor in what looks to me like a defamation case might well be difficult to demonstrate, but not impossible: that nasty little clause in your credit card agreements that makes everything go to 31.99% APR if anything derogatory appears on your credit report means the defamation is costing you actual cash.
Re:Usually (Score:3, Interesting)
It's not just at a national level, and it's not just the current administration. Much as I dislike them, I don't think the current administration is all that much worse than previous ones in this regard, and a lot of the fault rests with Congress, not the Executive branch.
I recently served on a grand jury handling general local level stuff. A typical indictment for ID theft would include fraud, ATM card fraud (a special law! I'm sure making it super-extra-illegal helped), identity theft (yep, specifically illegal, even though it's hard to see what makes it ID theft instead of just, well, fraud), and usually a couple of others.
Re:Oh Not This Again (Score:3, Interesting)
For e-commerce it's even simpler. In our country (Bulgaria) 10 years ago we suffered from too many teen hacker wannabes for whom the greatest fun in the world was stealing credit card info and ordering books for it.
Not only people abroad suffered, but also local citizens. So, for online commerce, the solution is dead simple: when a transaction is carried out, a confirmation link is sent to your email, and you need to click that link to make money move.
Why is this better than the majority of credit cards nowadays? Well.
With MasterCard or Visa, I input all the information that's required to complete the purchase in the form. No secret remains mine. If this info leaks, anyone can order from my card.
With the email confirmation, I still have the password on my card account which I never input anywhere, where the email is specified. I never enter the password to my email anywhere either.
Second benefit is I get real time notification in my email when someone tries to order with my card. With regular credit card, I only see this 10 days later on my bank statement.
So I guess it's true: the credit card providers DO want the fraud to continue, since they don't implement basic confirmation techniques, despite it being neither complicated nor costly (fine, maybe it'll be costly NOW with so many merchants to update their business process, but common sense wasn't invented yesterday, what were they doing ALL THOSE YEARS..?).
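The out-of-band confirmation flow described in the comment above, sketched as an added example that is not part of the original comment or any real issuer's code. The function names, the 15-minute validity window and the in-memory `pending` store are assumptions made for illustration; the point shown is that the emailed token is bound to one exact transaction, works once, and expires.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # issuer-side secret, never sent to the merchant
TOKEN_TTL = 15 * 60                    # assumed validity window, in seconds

pending = {}  # txn_id -> transaction record (stand-in for the issuer's database)


def _mac(txn_id, txn):
    # Bind the token to the exact transaction so it cannot confirm a different one.
    msg = (f"{txn_id}|{txn['card']}|{txn['merchant']}|"
           f"{txn['amount_cents']}|{txn['expires']}")
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def request_payment(card, merchant, amount_cents, now=None):
    """Merchant submits the card details; no money moves yet.
    Returns (txn_id, token); the token goes only into the e-mailed link."""
    now = time.time() if now is None else now
    txn_id = secrets.token_urlsafe(16)
    pending[txn_id] = {"card": card, "merchant": merchant,
                       "amount_cents": amount_cents,
                       "expires": int(now) + TOKEN_TTL, "used": False}
    return txn_id, _mac(txn_id, pending[txn_id])


def confirm_payment(txn_id, token, now=None):
    """Called when the cardholder clicks the link. Returns a status string."""
    now = time.time() if now is None else now
    txn = pending.get(txn_id)
    if txn is None:
        return "unknown"
    # Constant-time comparison avoids leaking how much of a guess matched.
    if not hmac.compare_digest(_mac(txn_id, txn), token):
        return "bad-token"
    if txn["used"]:
        return "replayed"
    if now > txn["expires"]:
        return "expired"
    txn["used"] = True   # single use: the link works exactly once
    return "settled"
```

Leaked card details alone get an attacker only as far as `request_payment`; settlement still depends on control of the cardholder's mailbox, which is where this scheme concentrates its risk.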
Agree 100% (Score:3, Interesting)
People need to be notified whenever an application is made for a driver's license, bank loan, etc. Until the rightful owner of the SSN responds (e.g. via telephone with a PIN), the application cannot proceed.
If people are dumb enough to carry their PIN in their wallet then they should be liable for all losses.
Re: credit cards:
I'd like to see:
a) No storage of credit card numbers by *anybody* other than the card issuer (ie. online merchants like must not store your card numbers anywhere, you need to type it in for each transaction).
b) Any credit card transaction over $100 requires secondary verification (eg. PIN, token ID).
c) More than (say) five credit card transactions in a single day triggers a verification requirement (talk to credit agency on phone, give password, say everything is Ok).
This sort of thing will never happen until the credit card companies become liable for losses. When it is done then the liability can be shifted to the people who didn't look after their PIN, etc.
PS: You can carry PINs securely - I had an account with a bank which gave you a little card with a grid of colored squares on it. The idea was to write the digits of your PIN in positions you'd remember then fill the rest of the grid with random digits. It worked beautifully - I could safely carry my PIN in my wallet and I never forgot where the PIN was. There's no reason why something like this couldn't be printed as standard on the back of all credit cards instead of the stupid signature strip which is too small to sign properly and nobody ever looks at anyway.
FICA contributions (Score:5, Interesting)
That the victim will someday receive larger Social Security checks would be some consolation.
[Yes, this measure would have a negative impact on the illegal immigrant population, because few other groups have any reason to use stolen Social Security numbers when applying for a job.]
Re:Agree 100% (Score:3, Interesting)
How about instead of telling fuzzysandals.com "Here's my credit card number. Tell MasterCard's computer to give you 40 of my dollars.", you connect to MasterCard.com and tell them "Give 40 bucks to fuzzysandals.com on my behalf. Here's their transaction serial number for my order." ?