ID Theft In US Continues Apace Despite Data Breach Laws

4roddas points out an article at Techworld about the continued scourge of identify theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends."

Put the onus on financial institutions

[gbulmash]

Plain and simple, the only thing that's going to really make a dent in identity theft is to make identities harder to steal, and that means requiring all the banks and credit card companies to jump through more identity verification hoops before they give someone your money or a line of credit in your name.

Sure, requiring you to go to a licensed notary and have a credit card application notarized might not make it so easy to get credit, but it would also make it harder to get credit in your name.

The banks and credit card companies could do this, but it's more profitable to let people steal your identity and then just jack up fees and interest rates to cover the losses.

- Greg

Re:Put the onus on financial institutions

[sydbarrett74]

Wonderful points. I would also add that if laws/regs forced the onus of losses on the financial institutions themselves (rather than allowing them to write losses off as a cost of business), said firms would rapidly implement better security mechanisms. As it stands, banks have little incentive to prevent these crimes, because the victims have the burden of proof and responsibility for cleaning up the resulting mess.

Re:Put the onus on financial institutions

[QuantumRiff]

Even more than that, I would love to see some laws that simply state the the credit companies have to prove it was you that took out the credit. (you know, innocent to proven guilty, one of the cornerstones of our democracy). Right now, you have to find out what is going on, and then prove to them that you didn't request/use the money. If they would just put the principle of innocent till proven guilty, the banks and credit companies would have to drastically change the way they give credit. (since they have to prove its you!).

I also think much would change if everyone had a right to get their own information that is collected from them. I can get credit reports 1 time a freaking year. thats it. Not to mention all the other companies that collect information about me. Some use that information for things like employment screening. How the hell am I supposed to know that I didn't get a job, because some company I have never heard of claims I had a record. (maybe they mistyped my social security or name...). Employers are scared of lawsuits, and they never tell you why you weren't selected..

Re:

[SeaFox]

You can get one credit report from each reporting firm per year, and they generally mirror each other. Since there are three firms what you do is get a report from a different firm every four months.

Re:

[foniksonik]

I can get credit reports 1 time a freaking year. thats it.

Huh??? for $48 you can get all 3 reports any time of year you want... as many times as you care to pay $48. I do it 4 times a year if I'm financially active, opening closing accounts, buying a house, a car, etc. If not I do it 2 times a year just to check up on things.

Sure a lower price would be nice (It was only $30 2 years ago). But hey... it's certainly not that expensive when you consider the alternative... ie: ignorance.

Re:

[QuantumRiff]

You don't see a problem with paying money to see that your information that a company has compiled on you is accurate?

Re:

[foniksonik]

No not really... in the same way I don't mind paying money to have my taxes prepared for me. It's a convenience. If I or you cared enough... we could keep all the records ourselves.

Do you have all the records of every payment you ever made on all of your accounts? Do you keep a running spreadsheet of your balance to available credit on revolving credit lines with a time axis multiplier?

Neither do the companies you want to do business with. They don't know you, why should they trust you to pay? Reputation an

Re:Put the onus on financial institutions

[menace3society]

I've been saying this for years. Identity theft, like intellectual property theft, doesn't actually occur. What happens is financial-services fraud, to take advantage of my name and fiscal responsibility to get cash. At no point does anything that properly belongs to me ever get taken, or even leveraged. What gets leveraged are things like Social Security Number (property of the US government) and Credit Rating/Credit Score (property of the various agencies that compile them). I don't get tricked into anything, the bank gets tricked.

The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges. If you call it 'identity theft,' then it seems more reasonable to blame the person whose name was forged, but (and this is important so it's gonna be in all caps) THE PERSON WHOSE ID IS STOLEN IS NOT THE VICTIM. The bank is, and the whole process from start to finish ought to be the bank's problem.

If we had more strict laws on consumer data protection, this shit wouldn't happen.

Re:

[hedwards]

That's hardly accurate at all. The only thing I can agree with is that with proper data protection laws, this wouldn't happen so frequently.

The reason why it's referred to as identity theft is that fraudsters will use a real identity to open multiple accounts with multiple institutions and leave the bill for the victim to pay. And yes, that's how banks want it to work, they usually draw things out for many months, refuse to admit that it was their fault for having a shoddy system to verify these things.

The

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Put the onus on financial institutions

[kesuki]

"The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges."

there is more sophisticated type of 'identity theft' that is much more complex, basically, all you need is a mark, a few social security numbers, a couple weeks and a home. every couple of weeks, you use the money you've stolen to acquire more properties, and for each 'fabricated' identity, you take out a new mortgage on a property, legally you can't take out 10 mortgages on one property, but if you work the system, you can get dozens though on the same property, seemingly from different individuals all who appear to be the only owner of that property. this crime scales all the way up to multi-million dollar skyscrapers, at least if you do it right. if you can manage to beat the system long enough you can run away with millions leaving a massive massive debt several millions of dollars greater all belonging to your 'mark;' who, according to all the paper work, did all the signing, even though there was massive massive fraud committed. and for once, banks actually call it fraud. the marks always wind up in prison, they thought they were doing a 'work at home business' helping their lover... they guy i heard about who managed to do all this, did it three times to three different women, but he was too greedy, and never pulled out with the millions he could have... the first thing that happens is they freeze all the assets, if they even suspect someone is doing this, so it's all a matter of pulling out before they know what you've done. it's crazy how easily this kind of identity theft can be done, once you know the whole mortgage system, and how to get a mark to sign all the paperwork, without them knowing what you're up to.

it was on dateline, the guy who kept coming back to the same scam, he even wrote a 'fictional' book, all about how he did all his crimes, sadly the book itself was the most incriminating evidence against him in the crime, all the paper trails led to his 'women.' finding a woman who doesn't know much about running a business, and learning all the skills needed to pull off the crime are way too easy, banks really really want to believe what people are telling them. especially when the paperwork all goes through fine.

Re:Put the onus on financial institutions

[sjames]

What will really fix things is to recognize that what we call 'identity theft' is nothing more than two frauds jammed together.

The first is some scumbag defrauding the bank into giving them money in someone else's name. The second is when the bank tries to pass the buck by making a third party pay the debt back.

The bank's crime is even worse. They commit extortion by threatening to libel (report an adverse credit event resulting in declined loans and higher interest rates) the 'victim of identity theft' unless they pay for the bad debt they didn't have anything to do with.

I fail to see how the bank's behavior is any better than if I were mugged in the park and decided to "make it right" by mugging the next person I see.

Re:

[RAMMS+EIN]

``THE PERSON WHOSE ID IS STOLEN IS NOT THE VICTIM. The bank is, and the whole process from start to finish ought to be the bank's problem.''

So you are saying that the banks have a problem, and they have somehow found a way to make the people whose credentials were used pay for it? How does this work? How can we stop it?

Because, the way I see it, it's like this: Alice has some account with the Bank. Then Eve comes along and uses Alice's credentials to perform transactions. These transactions benefit Eve, but

Re:

[menace3society]

Yes, it's more like this:
Alice has accounts at a Bank. One of the accounts involves credit, so the Bank reports to the Credit Agency. Eve steals Alice's SSN and opens a credit account with Discover. Eve doesn't pay off the account, Discover reports it to the Creditagency, and tries to collect from Alice. Alice tries to get a loan from the Bank for a new car, the Bank gets a report from the Creditagency and refuses the loan. Discover finds out it was the victim of fraud, but instead of pursuing the frau

Re:

[jimicus]

I would also add that if laws/regs forced the onus of losses on the financial institutions themselves (rather than allowing them to write losses off as a cost of business), said firms would rapidly implement better security mechanisms.

Such losses tend to be borne ultimately by the customers rather than the institution. The only way to negate that is to enforce fines so large that passing them onto the customer would actually wind up more expensive in terms of lost custom than simply obeying the law.

Re:

[kaufmanmoore]

What about wire transfers and fake checks? Should we get every check we write notarized as well? It shouldn't be the bank's fault if somebody decides to click that e-mail link or wires money to help someone in Africa.

Re:

[Fulcrum of Evil]

Fake checks? Put the burden on the banks and they'll come up with a system that does positive confirmation within a day or two; right now, checks can fail months after they've settled.

You still write checks?

[Joce640k]

Are you living in the dark ages?

Re:

[cayenne8]

"Are you living in the dark ages?"

Not sure what you mean? Most people I know use checks....how else do you mail in bill payments?

I usually only write checks for rent, I've started paying most everything else online, but, not everyone has a computer hooked to the internet, not to mention so many people are scared to do transactions online dues to ID theft risks.

Re:

[homer_s]

If someone "steals my identity" and gets credit, am I responsible for paying the loan or does the financial institution just eat it?

My friend's husband had his SSN stolen and they were convinced that they'd have to repay. They showed me the IL attorney general's website which supported their conclusion.

If that is true, then this problem will not go away. Make the financial institution eat the loss caused by their stupid reliance on a 9-digit number that is not even supposed to be secret.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[homer_s]

Thanks - that is basically what I've heard.
It is not just the banks though - people are using SSNs to collect other people's unemployment. Good luck trying to get your benefits when you need them most.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[homer_s]

In India we are pretty backward when it comes to this. Unless you have a signed, notarized document, there is not contract or agreement.

It is far from perfect though - forged signatures, corrupt notaries & bad titles increase the cost of doing business. But I'll take that any day over relying on a number that about a thousand people know by now.

Re:

[mh1997]

Put the onus on financial institutions

It already is - kind of - because you are not required to pay for the fraudulant actions, however, we all pay like you said in higher fees and interest rates.

There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors.

I just can't believe a criminal would break the law! If we could just have stricter jay-walking laws then everyone would be in jail befor

Re:Put the onus on financial institutions

[mrmeval]

Legal notaries can and will commit fraud for a suitable fee but I can get a notary stamp and do it myself cheaper. ;)

http://www.notarypublicstamps.com/products.asp?StateID=15 [notarypublicstamps.com]

Put the onus on the financial institution monetarily and make it treble damages in addition to jury awarded punitive damages and legal fees. Make it so that it must go before a jury and not ever arbitration. I'd want punitive damages so high their investors suffer and I'd want those damages set aside in a fund to help identity theft victims have damages that don't warrant or won't benefit fro a lawsuit or have emergency needs.

Notary probably not even robust enough

[morgan_greywolf]

Sure, requiring you to go to a licensed notary and have a credit card application notarized might not make it so easy to get credit, but it would also make it harder to get credit in your name.

Even a notary might not be robust enough. Almost anybody with a relatively clean criminal record can be a notary in most states -- you pay like $50, tell the judge you want to be a notary, they pull a background check and if you have no felonies or major larcenies on your record -- well, there you go -- the judge will sign theo order making you a notary. You'll have to get your own seal, of course, and these usually are like around $100.

Re:

[a_claudiu]

What about an ID card? I know, I'm from Europe (not UK).

One-Time Passwords for Transactions

[Doc Ruby]

I hate giving my PIN to vendors. I hate typing my PIN on random ATMs - and rarely do it. I hate typing my PIN into authorization keypads at stores, but what can I do?

Every transaction should have its own unique PIN attached to the transaction's amount and recipient. Credit cards with chips could do this right now, RSA-password style, generated against the one-time password from the vendor's machine for the transaction, in a data package with the vendor's invoice signed by the vendor's transaction password t

Re:

[JasterBobaMereel]

Before Chip and PIN, if someone used your card the bank would try and blame you and usually fail (because you were assumed to be careful) now you use your PIN everywhere and it assumed it was your fault ... a win for the banks then ...

Re:

[hkmarks]

In other news: Information still wants to be free.

Yes, yours too.

Re:

[Gazzonyx]

While I agree with your post, I think it could be summed up in another way; the only way identity theft is going to go away is when it is no longer a lucrative venture.

Re:

[erroneus]

I have to completely agree. This problem is THEIR fault and THEIR problem. They lobbied and created this "credit system." The illegal institutionalized [ab]use of the social security number system is just a part of the whole corrupt system. These systems were created as a means to control the risk that financial institutions take when lending money or issuing credit (which is essentially the same thing). This system has been wildly successful and has proven to boost their ability to calculate risk more

Re:

[Zarf]

Are you running for president (of the US)?

Re:

[Malc]

You're right: being proactive and working against this upfront is better than reactively punishing people. I think one point you miss though is more robust and stringent privacy laws, rather than letting businesses/etc self-regulate.

Credit card companies ignore breeches

[Savior_on_a_Stick]

I ran into a company online (acnodes.com) that was revealing full customer credit info, card numbers,k billing address - the whole package. It was just very shoddy web design performed by the lowest bidder.

All that was required was to put in an order number and up popped everyone's info.

I had to cancel the card I used, and then I spent 4 hours trying to get someone interested.

Getting in touch with the site owner in SoCal took a couple of hours, including me explaining the issue repeatedly, and threatening d

Get Personal Data off your computer

[imus]

Search [vt.edu] your files for social security and credit card numbers before hackers do.

Re:Get Personal Data off your computer

[deadmongrel]

I have had my identity stolen twice and both time it was a data breach with a merchant I was dealing with. I find it appalling that it is so easy to get a credit or signup for a loan. How about more responsibility on the bank merchant part? The there credit bureaus should be held responsible for this mess. They are making profit using our data and we end up paying to clean it up or monitor it.

Re:Get Personal Data off your computer

[Ihmhi]

How do we even know it's you posting right now?

All jokes aside, banks make tons of profit off of easy credit. When credit is easy for damn near anyone to get, people are (generally) going to run up large bills.

A very good friend of mine had a credit card (I think a Visa) for almost 2 years and they never increased his limit about the initial $500. Why? Delinquent on payments? Nope, it was actually the exact opposite - he paid his bill at the end of every month and on time. He was actually told that he would have to start maintaining a balance (and therefore generate interest) if he wanted his limit to go up.

So he cancelled the Visa card and got an American Express. They took note of his excellent credit record and handed him a card with a much higher limit. He never goes anywhere near it and still pays his bills on time.

Fiscal responsibility is not profitable in the credit and banking industries. If everyone balanced their checkbooks and paid their bills on time, a load of banks and CC companies would go flat broke. That's why things like the minimum payment (which is calculated to make sure you have a balance on the card for 30 years) exist.

Re:

[mazarin5]

I've taken the best precaution available: My credit is horrible. (Try to get a loan with my name, Mr. Thief!)

Re:

[kesuki]

well, excuse me for not using your tool. i wear a tinfoil hat, and while you do provide source, I'd have to painstakingly check every line of code, to make sure it didn't dump the data somewhere, on some remote web server or something, and i don't need to do that much to make sure my data is cleared. if the built-in data clearing tools of firefox aren't effective, there is a nice little tool called darik's boot and nuke. a mil spec hard drive eraser. i don't quite run it monthly, but it takes me about half

Re:

[sydbarrett74]

Agreed. Theft is theft.

Re:

[sydbarrett74]

Unless that movie/album/application is: a) in the public domain or b) appropriately licensed through CopyLeft, ShareAlike, &c., then downloading such without properly compensating the copyright owners is theft. Like it or not, intellectual property is still someone's property, whether it belongs to the public-at-large or a finite number of private entities. So converting the original implication into its logical inverse doesn't make the latter true.

Re:

[Foobar of Borg]

So much concern here on slashdot on id theft, when most of the readers are busy stealing from others (music, movies, etc.)

Actually, neither of these is theft. The former is fraud and the latter is copyright infringement.

Breach notification laws

[computerman413]

Data breach notification are useless when institutions don't know they've been breached. I'm sure there are lots of those cases.

Re:

[deadmongrel]

And also what is preventing them from not reporting a breach? How easy is it to actually coverup a breach. They can always come back and say "Oops! we did not know someone had breached security measures.

Re:

[morgan_greywolf]

Yep. And just because companies must notify consumers of a breach doesn't mean any sign that they'll actually do it. Sex offenders are required to notify the sex offender registry when they move. Not all sex offenders do that, either.

Re:

[Fulcrum of Evil]

If you were a sex offender, would you notify your neighbors? I wouldn't - in a group of 100 people, at least one would think I was a serial pedophile after his kids and come for me at night. Also, in some places, there isn't any legal place for a SO to live - last I checked, it was illegal to ban someone from a city.

Re:

[morgan_greywolf]

LOL! Im in ur account, stealin' ur identity!!!!

Re:

[infonography]

sarcasm, it's a lost art on slashdot.

Re:

[morgan_greywolf]

Agreed

Have the responsibility be on those responsible...

[Fallen Kell]

There is a very simple fix and it will be to have the costs and time that is needed to fix everything that occurs when someone's identity is stole be put on those responsible for the loss of the information which enabled the identity to be stolen in the first place. This means, if a company has a database which is breached from a known security vulnerability or from complete disregard of standard security practices, that company should be liable to fix the issue, not the customer who's data was lost. Any t

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mpe]

Then they need to make it so it's easy to switch social security numbers if someone is working under yours and not paying taxes (assuming you can prove this of course).

Or even simpler not using SSN's for anything other than their intended purpose in the first place.

The solution is technology

[Jimmy_B]

Your credit card number is not a password, because you have to give it away every time you buy something. If someone wants to steal a credit card number, they can get it from any unscrupulous employee of any business that sells things, which means they'll always succeed. The solution is to replace credit cards with smart cards that use public-key cryptography. That means that your credit card contains a number which you can use to sign transactions and prove that you are authorized to make payments, but you don't have to give every employee of every merchant you buy from the power to impersonate you.

Social security numbers have the same problem, only worse, because you can't just cancel your SSN like you can with a credit card. Banks pretend that your SSN is a password, but there are thousands of people who have access to your social security number and at least one of them will sell it on the black market.

Fixing this mess will cost the banks a lot of money, but they made this mess and it's their responsibility to clean it up. We need the federal government to mandate real security measures, because fraud is quickly becoming the norm.

Re:The solution is technology

[cdrguru]

Banks don't care because it costs them almost nothing to live with the current state of things. Credit card fraud costs the consumer, mostly because merchants get ripped off and have to eat the cost of sales to fraudulent card numbers.

Credit card companies have very strict rules for merchants that prevent them from validating who a customer is beyond the signature on the card. For instance, they are not allowed to ask for a photo ID. If the card says "check ID" instead of being signed they are not supposed to accept it as it is not signed. The signature indicates that you have accepted the terms of the credit agreement, not any sort of identity verification. Violation of the merchant agreement can result in the merchant account being terminated. These days, a retail store not being able to accept credit cards might as well just fold up shop.

Fraudulent loans and financing are a very small percentage. The FBI mandated that credit card fraud be lumped into "identity theft" a while back and that is where all the numbers are coming from. Unfortunately, there isn't any motivation to fix the problem because the wrong people - the merchants - are paying for the fraud.

Re:

[Is0m0rph]

My stupid state Arizona for years and years actually used your SSN as your driver's license number and put it right there on the card.

security?

[CaptainNerdCave]

or is this the same situation as the airlines and many online transactions: the illusion of security?

because joe and jane public know almost nothing about how the banking system works (and most don't seem to care), they don't understand the lack of security. another way to look at it might be to find some way to convince the average american that the government isn't looking our for everyone's interests, that's a tertiary objective. i've had many conversations with people about how various chemicals tha

Re:

[jimicus]

The solution is to replace credit cards with smart cards that use public-key cryptography. That means that your credit card contains a number which you can use to sign transactions and prove that you are authorized to make payments, but you don't have to give every employee of every merchant you buy from the power to impersonate you. .......
Fixing this mess will cost the banks a lot of money, but they made this mess and it's their responsibility to clean it up.

Stop right there. You're taking the classic /. argument which says "It is technically possible to solve this problem, therefore the solution must be implemented".

Thing is, it's been technically possible to solve this problem for years. Go back in time 50 years or so (when people actually had to go into their bank to do anything) and they could have solved it simply by taking fingerprints and keeping someone onsite who was an expert in fingerprint analysis.

The reason that these technical solutions are se

Identity Clearinghouse

[Dachannien]

A long time ago, I wrote up a description of an identity clearinghouse, a government-run agency that allowed lenders to verify a potential borrower's identity without giving the lender any unnecessary information about the borrower's true identity. From the private citizen's side, it's all optional - register with the clearinghouse if you want, and go it alone if you want. From the lenders' side, it's mandatory to check with the clearinghouse before opening a line of credit for someone.

To register with the clearinghouse, you go to a local government agency where identity is "managed" - e.g., your local DMV. You register there by providing your current contact information, and they ensure that you are the person you claim to be through their normal identification procedures (such as picture ID/driver's license pictures on file). If you later need to change your contact info, you do the same procedure (going to the DMV in person) to prove your identity.

When you apply for credit somewhere, the lender first uses the identifying information you have provided to them (such as name, address, SS#, etc.) to verify your identity with the clearinghouse. If you haven't registered, the clearinghouse just responds that there's no such registrant in their records, and the lender is free to grant credit to the applicant. But if you have registered, the clearinghouse first checks to make sure the information they have on file matches the information the lender provides, and second, they use the information they have on file to contact you directly and ensure that you actually applied for credit with the lender in question. If both of those checks succeed, they respond to the lender with "yes", and if either fails, they tell the lender "no".

This would greatly reduce the instances of people opening lines of credit in other people's names. However, one problem it doesn't address is fraudulent charges to legitimate lines of credit you already have (e.g., stolen/copied credit cards). Credit card issuers and merchants are both often on the hook for most of those sorts of charges, though, so they already take at least some steps to reduce that kind of fraud.

Re:

[cdrguru]

Problem today is with "identity management" agencies. In Illinois the Governor mandated that the state DMV department (Secretary of State's office) would give driver's licenses to people producing a card from the local Mexican Matricula Consular [americanpatrol.com] office. What they do is give you (or anyone else) an ID that says you can then get a valid Illinois driver's license. Verification? None. It seems that birth records aren't well maintained in Mexico so it would be difficult for them to establish if someone was

Re:

[foniksonik]

Uhhh... how does this help someone steal an existing identity? Said immigrant gets a NEW driver's license number and a NEW SSN... you're just railing against how easy it is for immigrants to get ID... which doesn't help them perform ID theft in any way.

OTOH if they were letting you pick out a DL and SSN from a list of existing people... well that would just be dumb, but then they'd be actively promoting ID theft...

Re:

[rossz]

Sounds fine, except why does it need to be a government agency? I trust the government less than I would a business that has a vested interest in doing a good job providing a service. It's extremely rare for a government bureaucrat to get fired for incompetence. In business, if someone screws up enough they get shown the door.

Re:

[Dachannien]

Making it a government agency would streamline the process of prosecuting companies that violate lending laws by not consulting the clearinghouse. It would (should) also improve transparency to the public, in terms of government audits and things of that nature, to ensure that the job is being done correctly.

Yeah, I know, the gubment isn't always the most trustworthy organization, but look at the FTC - people seem to like them pretty well, and the identity clearinghouse is right up their alley.

Re:

[rossz]

Making it a government agency would streamline the process ...

ROFLMAO. We're talking about the government here. Do you really believe that? The only government agency that is anywhere close to efficient is the post office (an opinion I did not have until I spent some time in Europe and dealt with their shitty postal service).

Re:

[Dachannien]

I think you misunderstand me. I'm not saying that a government agency would be particularly nimble. I merely mean that it would be even slower and more problematic for a private organization to manage the clearinghouse, when it comes to expecting federal prosecution to go off without a hitch when someone violates the law.

too many notices

[Benjamin_Wright]

It is irresponsible for law and legal practice to bury consumers with an excessive number of data breach notices [blogspot.com]. The notices happen so frequently that their meaning is diluted. --Ben hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html [blogspot.com]

So once again...

[tekiegreg]

...we've proven that a piece of paper alone can't stop crime, pollution, educate our kids, etc. it is only the enforcement thereof, or in the case of ID theft, steps to prevent such crime that will ultimately solve our problems.

Long story short, let's move along and work to end the problem, not just write paper against it.

Some peope here are dead wrong

[LM741N]

The majority of identity theft occurs due to illegal aliens using other people's SS numbers to gain employment. The criminals are in the minority. The solution to this is effective immigration policies, not draconian laws.

Also, its rare for the illegal aliens to take out credit or anything on the SS number. They are just using it for employment purposes and thats it.

Re:

[gujo-odori]

Well, illegal aliens *are* criminals (that word illegal means something) and using someone else's social security number as your own - for *any* reason - is a felony. So again, they're criminals. Perhaps a better way to put it might be "the majority of the criminals are illegal aliens" rather than stating that the criminals are in the minority.

About immigration, I don't think it's mostly our policies that are ineffective, it's the enforcement. We need a southern border that a greased cockroach would find it

Re:

[gujo-odori]

I just want to thank the moderator who correctly modded this as flamebait rather than troll.

Well, for some value of correctly. He *is* a stupid piece of shit, so I could actually go with +1 Insightful.

Thanks, folks, I'll be here all week.

Re:

[gujo-odori]

Being in the IT security industry, I can tell you that the ID theft problem is not being blown out of proportion. In fact, the media are probably under-reporting its actual severity. It doesn't surprise me that data breach laws haven't done anything about the problem, though. Having to tell me after a breach occurs does nothing to prevent the breach.

Additionally, a big part of the problem comes from financial institutionswith poor email hygiene practices. I routinely see email from banks that I could believ

Re:

[DeadChobi]

Stealing my identity, even for tax purposes, despite what you may believe, is still problematic for me. It results in the most interesting situation whereby I end up liable for taxes on wages and earnings which I never in fact earned. In the event this ever happens to me because an illegal immigrant stole my SSN and used it to work, I would be extremely pissed off.

It sounds to me like you're making the assumption that what is happening is completely victimless. Not only does it change one's tax bracket for

FBI Out to Lunch

[Doc Ruby]

The FBI is in charge of protecting Americans from fraud and theft on that scale and across that national and global jurisdiction. But Bush's "Justice" Department isn't interested.

Feel safer?

Re:

[gujo-odori]

I suspect you're not involved in the security industry. I am, so I'm going to comment on this. The FBI is interested, and the DoJ is interested, and they certainly successfully prosecute cases and work very hard at it. I've met some of the people working on the security problem from the LE end of things, and they are very dedicated and talented individuals who are passionate about catching and prosecuting the criminals.

However, they face a lot of problems, none of which can be laid at the feet of Bush, or o

Re:

[Doc Ruby]

Well, I have worked in the "security industry" here in NYC, quite a lot making secure banking/brokerage/insurance infosystems during the late 1990s, and helping the NYC legislature's tech policymaking committee oversee secure NYC's IT (both government and its neighbors in the Financial District). I know quite a lot about both secure technology and government security operations.

The FBI isn't nearly interested enough in these frauds. Despite how hard it is to find and bring these criminals to justice, that's

Re:

[gujo-odori]

You probably support that fool Obama, so you're in no position to criticize anyone else. His answer to our economic problems is to raise taxes. Good luck with that, Barak. Let me know how it works out. Not that Hillary Clinton is any better; her answer to economic problems is also to raise taxes.

By "don't much care for him," I mean that Bush is a tool. He's a false conservative, but he's no liberal, either. The best I can say about him is that he sucks less than Obama or either of the Clintons, and that's d

Re:

[Doc Ruby]

Let's see, you voted for Bush twice, and his rubber stamp Republican Congress any number of times, though you don't like him now. Suddenly, when the results of their Conservative government are undeniable, they're not really "Conservative". I could have told you that any time, that they were lying to you about conserving anything, but you Conservatives can't stand the truth.

Your Bush cut taxes while creating catastrophic, expensive problems. But you think that we shouldn't pay more taxes. I agree. I believe

Re:

[ahmcguffin]

The FBI is more than just out to lunch in Kansas City. When I found out who (Kansas City big name attorney) was using my ID I called the police, they refused to make a report. I filed a complaint and received threats over the phone by officers calling from the police station(caller ID) and threats from officers in uniform knocking on my front door yelling they were going to kick the door in and teach me a lesson. No one would touch it. ACLU claimed they didn't have the resources, Attorneys claimed if they t

Re:

[Doc Ruby]

That is an outrageous story. Did you call the Kansas City Star to tell them about it?

Re:

[Doc Ruby]

Why don't you write a diary about it on the Daily Kos [dailykos.com] blog? If well written (focused on your ID theft, mentioning your other problems only in actual connection with your crisis), it could get some proper attention. Perhaps at first only by other ID activists or people who might know tips for your recovery. Maybe by some journalists who could pressure your DA to act. Or perhaps only as more popular pressure that could force change in 2009, when the Democrats take over and replace your US Attorney (Federal pr

ID theft is trivially easy, today.

[NoobixCube]

ID theft will continue, now that criminals have about 4.5 million people's personal data from those backup tapes the Bank of New York lost. Not to mention all of the other data losses we've heard about on Slashdot. No amount of securing your personal data will help now, unless you plan on changing your date of birth and address. Seriously, that's all it takes. All it took to prove to Medicare (Australian health cover, just a shade short of socialised health) over the phone that I was me, when I needed to change some details, was my date of birth and current address. You put those on almost every form you fill out offline, and if you shop online, you put your address on those too. Date of birth and current address can be used as a lever to "update" someone's Medicare details, and have a new card sent to an ID thief. Medicare counts as a form of ID, so that makes the lever a little bit longer. An ID thief can use the new Medicare card as ID for other changes and updates. Even get a copy of a person's birth certificate sent to them.

Re:

[JasterBobaMereel]

The problem is that credit companies have to accept poor proof of ID because most people have nothing better

All your most basic "personal" details are probably widely known along with you credit card numbers, SSN etc...

Biometrics will not help - how do you prove you are you to get the Biometric info in the first place?

It all comes down to - how can you prove you are you to a stranger - the answer is, you can't!

In other news ...

[Zero__Kelvin]

People still use drugs, murder, carjack, and rape despite laws passed against the behavior. Who'd-a-thunk-it?

Re:

[Zero__Kelvin]

I would never sell my^H^H^H drugs!

Uh?

[Goaway]

Since when are data breach notification laws meant to reduce data breaches?

Sounds familiar

[ErikZ]

ID Theft In US Continues Apace Despite Data Breach Laws

And in other news, people have been shot in in "Gun free zones".

Let's make it illegal to store and share the info.

[Prisoner's Dilemma]

One step that would go a long way to securing information is limiting how many different places store sensitive info. Most of the information businesses collect is for their benefit, not to verify your identity. It's collected and sold, or used for harassing (marketing) to you. It also should not ba able to be shared between each company they call a 'partner'. This should go for any type of information, not just financial.

Additionally, it would help if not so much was public record. If you purchase a house,

Re:

[account_deleted]

Comment removed based on user account deletion

ahmcguffin

[ahmcguffin]

My adopted father has been using my ss number for years. He has done so much damage I may never be able to own a car, have a bank account or anything else. Between the State of Missouri and apparently most other states being able to sell ss numbers and info bulk and credit reporting companies being exempt from recording information that may be wrong it will never be even vaguely manageable. The last 4 years has been an attorney that I won against, he does have friends in high places, the higher the place th

Two items forgotten here

[MobyDisk]

#1:
laws, but has all of this legislation actually cut down on identity theft? Legislation does not stop crime. Prosecution stops crime. Besides, these laws are weak. They are unenforcable since they state "if you did something wrong, you must tell us" and obviously if they don't tell they don't get caught. And even if they do tell, there is nothing you can do to stop it and it doesn't make the companies any more likely to take security measures. So these bills are probably a good idea that doesn't go far enough.

#2:
I called Comcast today to register for service (yeah yeah, make fun of me, but they are the only game in town) and they asked me for my SSN. When I told them I couldn't do that, they hung-up on me. So this just shows me that not only is this business as usual, but it is getting worse. 10 years ago nobody would have dared ask for a social security number for something like this. How come things are getting worse while at the same time we are supposedly doing all this stuff to prevent identity theft?

Bottom line: nobody cares, nobody does anything about it. The only ones who do are academics and a vocal minority like Slashdot.

Re:

[stry_cat]

Actually Comcast has been demanding SSN for at least 10 years. I've been trying that long to get my grandmothers SSN removed from their system.

At this point, Comcast is the only company I do business with that demands SSN (and I only do business with them to pay my grandmother's cable bill which she refuses to cancel). I've had the opposite experience than you as the number of places demanding SSN has dropped significantly in the last decade or so.

At the very least you did the right thing by not givin

since when?

[the brown guy]

ID Theft in US Continues Apace Despite Data Breach Laws

Since when do laws really stop anything. There are laws against murder, yet people are murdered all the time. They got to get to the root of the problem, and there are ton of comments trying to identify the root, which is probably profit.

Re:

[rs232]

"yet people are murdered all the time"

No, its guns that kill people, or more specifically bullets that kill people, go ask the NRA .. :)

What we need is an RFDI chip in each gun that won't fire unless it's fully licensed .. :)

Of couse they're not doing anything

[Guppy06]

"Over the past five years, 43 US states have adopted data breach notification laws"

"If you get hacked, you have to tell us, so that we can prosecute you for having lax security and your customers can abandon you." Or, you know, they can keep their mouthes shut, since the reason for these mandatory disclosure laws to begin with is that, unless these companies say anything, nobody but the thief knows they were compromised.

I'm sure that even the use tax laws are more successful.

reasons why laws don't reduce identity theft ..

[rs232]

'There doesn't seem to be any evidence that the laws actually reduce identity theft,'

Because it's a technological problem that requires a technological fix. A totally new kind of online trading system, one that don't require the use of Credit Cards. I mean does any of this fix the software, err .. NO. Then what use is it, oh .. it makes the lawyers richer .. :)

Like those

[slapout]

People who keep bringing guns in although the sign says "Gun free zone"