How to alleviate the problem of identity and credit hacks?

by on September 19, 2017 at 12:49 am in Economics, Law, Web/Tech | Permalink

Here is one proposal:

What if I told you that the credit rating companies already had a system to verify identities before opening new accounts — but, because this would be a minor inconvenience, and a drag on their profits, they only allow this status to last for 90 days for any given account unless a police report can be filed, and furthermore, while they may claim that they’ll do this, it’s not actually a legal requirement? From a Krebs on Security piece from 2015 (as ever, Krebs is two years ahead of the zeitgeist):

“With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert … Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.”

That’s right: a solution to the ongoing insane catastrophe which is the American credit system already exists. The infrastructure and process for it is already in place. But thanks to regulatory capture, an inability to understand the scale of data hacks that modern technology enables, or sheer incompetence, it only exists on a case-by-case, opt-in, short-term solution.

Obviously everybody should have this verification — “two-factor authentication,” if you will — turned on and kept on. This would not be a panacea, of course. Security hipsters will loudly protest that phones and email are terrible second authentication factors that no one should even consider using. Phone and email are not ideal, but the point is, universalizing this existing solution would hugely improve matters for a relatively trivial cost.

That is from Jon Evans.  I still would like to know what is the social cost of identity theft.  Furthermore, what is the cost of identity theft as a ratio of the cost of some people simply not paying borrowed money back?

Everyone is all a-flutter on this issue, and attacking Equifax, but I am looking for more reliable information before voicing an opinion.

1 Dan Lavatan-Jeltz September 19, 2017 at 1:00 am

It is easy for someone to verify identity when granting credit, but the people who grant credit are too stupid and lazy to do this and deserve to lose all their money and their investors money. This is entirely their problem to deal with, and it isn’t like Equifax has useful information on anyone anyway. If you want to profit from it buy put options on their stock. I for one, would never allow someone granting credit to contact me.

2 Joël September 19, 2017 at 9:29 am

+1.

3 v5 September 19, 2017 at 2:51 pm

“isn’t like Equifax has useful information on anyone anyway.” Yeah….as someone who work in credit, this is 100% not true.

4 Dan Lavatan-Jeltz September 19, 2017 at 10:37 pm

None of their information has anything to do with people’s ability to pay. I’ll give you a few examples. At one point, I could not get a cell phone due to credit checks. At the time I had hundreds of thousands in the bank and had never failed to pay a legitimate debt on time. Had they asked, I would have prepaid the maximum amount of airtime usable in the month. But they were too stupid to do this.

Another time AT&T fraudulently reported I failed to pay a bill, even though I had never and would never enter into any contractual relationship with them. They were later indited for slamming.

V5 we all know exactly what type of person you are. Much of their information is substantially inaccurate, and the rest has little to do with creditworthiness. I suspect you will fail at everything important to you.

5 Boris_Badenoff September 19, 2017 at 4:29 pm

The problem is that if lenders make the mistake, the onus is on the consumer to catch & fix it. Once some identity thief has taken out an equity loan on your home, you will play hell getting it straight. In the meantime, your credit is hit when the thief doesn’t make payments, but the notices don’t come to you! People have not found out until they were in foreclosure.

Best short-term solution is to freeze your own credit at all three major agencies. You can free them when you need to make a new loan, then refreeze. In some states there is a fee agencies may charge for this service, others get it free.

6 Boonton September 19, 2017 at 7:34 pm

A home equity loan requires a notary coming to your home to sign off on a lien on your property plus filing the papers with the county. I’m sure it can be pulled off by a fraudster but he is going to need a bit more than just your Social Security # and birthdate.

7 Dan Lavatan-Jeltz September 19, 2017 at 10:39 pm

They were not in foreclosure, the parties to the fraud may have mistakenly believed that, but they would lose at trial. I have had orders granting my pro se civil petitions issued at no cost to me. The problem is people are afraid of the law and give into criminals, including the ones at Equifax.

8 Adrian Ratnapala September 19, 2017 at 2:22 am

I don’t know how much social cost there is, but I predict from the structure of the situation that people’s behaviour does not factor it in fully.

1. We don’ tfind out: If some criminal with my credit card number has stolen a few hundred dollars from me, then I might not even notice if the purchases are spread out. I am even less likely if to find if someone uses my identity to perpetrate a fraud on some third party.

2. Long causal chains: In the unlikely event I *do* find out about crimes commited in my name, it’ll be a big deal because the police are knocking on my door. Clearing my name would probably be a very bad experience. But the possility of this happening his remote from my mind.

3. Moral hazard: Rather like health care we don’t care about costs because we are already bearing the spread-out cost. If I detect someone has purchesed stuff with my card number, the bank reimburses me and then spreads the cost over all their depositors.

9 JonFraz September 19, 2017 at 1:04 pm

Banks have gotten very, very good at detecting potentially fraudulent activity on an existing account, and there are some fairly strong legal protections for people that happens to. The big problems is identity thieves opening new accounts in someone else’s name– who usually does not learn of the problem until they are denied credit due to past due bills, or collection agencies start calling.

10 byomtov September 19, 2017 at 1:20 pm

identity thieves opening new accounts in someone else’s name– who usually does not learn of the problem until they are denied credit due to past due bills,

Anecdotally, this appears to be ridiculously easy. I had a credit card opened in my name at an address with no association whatsoever with me. It was a few years ago and I have forgotten how I learned about it, but I was amazed that the company would send out a card without even checking the address.

11 prior_test3 September 19, 2017 at 3:11 am

Actually Tyrone, right? Making a rare appearance?

12 Arnold Layne September 19, 2017 at 5:10 am

Re waiting >1 week to comment on Equifax because he was “looking for more reliable information before voicing an opinion:”

No more reliable information has emerged. The cited piece is opinion. The information on the hack has been there for a while and about as reliable as information on other issues that get commented on regularly here on MR.

More likley: he was waiting for an opinion to emerge that fit with his priors and didn’t shake up his identity too much.

The silence on Equifax from the Libertarians has been a welcome wakeup call that my tribe isn’t as immune to cognitive biases as I’d thought.

13 Ted Craig September 19, 2017 at 6:45 am

One of the biggest issues with ID theft is the tools we use to verify identity. SSNs were meant for government pensions, diver’s licenses were meant for vehicle operation and mother’s maiden names were meant for family allegiance. They’re all fairly weak, especially in the digital age.

14 Axa September 19, 2017 at 7:19 am

There are alerts on credit situation changes. If someone obtains a credit card with your data, you get notified…… https://www.transunion.com/product/trueidentity-free-identity-protection

However, the notifications system only works for people: a) who is not cognitively overloaded, i.e. the rich , and b) people who is intelligent enough to avoid thinking “it’s only a remote possibility that it happens to me”.

15 The Engineer September 19, 2017 at 8:27 am

“a) who is not cognitively overloaded, i.e. the rich”

Good god, that is one of the dumber social science theories, i.e. the poor have too much on their mind to behave in bourgeois ways.

16 Alan Goldhammer September 19, 2017 at 7:32 am

For anyone who is internet savvy, theft is only a nuisance. Over the years I can count 4-5 occasions when a credit card was compromised. On one occasion it was four days before international travel and I had to argue with Chase that they needed to get me a new card within 24 hours or they would never see my business again (they complied). It’s pretty simple to maintain two VISA cards one for internet purchases and one for non-internet. In this way one always has a back up card.

Regarding personal information, one should assume it is all out there. The only secure and inexpensive way to deal with this is to place credit freezes with the various bureaus (this is the Krebs suggestion). As noted the various fraud programs that companies offer are less robust. The websites these days try to drive everyone to solutions that carry a monthly fee and at least one of them hides their credit freeze page pretty well.

We can expect various states to move ahead with stronger consumer protections with our dysfunctional Congress slowly doing some “fact finding.”

17 Axa September 19, 2017 at 7:43 am

Also, the lynching of Equifax is not related to poor security standards or deficient regulations. It’s because Equifax managers sold company stock after the hack was discovered. This was perceived as “totally not fair” by the public. https://www.bloomberg.com/news/articles/2017-09-18/equifax-stock-sales-said-to-be-focus-of-u-s-criminal-probe

The DoJ will determine if their actions are legal or not. However, they’re already scum for the public opinion.

18 Boris_Badenoff September 19, 2017 at 4:37 pm

At least one of the reported “stock sales by insiders” was the exercise of options, a common part of many executive pay packages. That was likely coincidental: those options become worthless if not exercised by expiration, & selling the resulting stock is routine.

However, if insiders sold stock they held after the initial, smaller hack that wasn’t made public right away, that could be a violation.

19 Mitch Berkson September 19, 2017 at 7:47 am

So is there some web-scraping form-filling app which enables one to renew the freeze every 90 days?

20 Moelicious September 19, 2017 at 9:26 am

A freeze is permanent until the user enters a PIN and unfreezes it. The alert is what is temporary.

21 Gary Leff September 19, 2017 at 7:51 am

There’s been a huge drive, not just on the part of credit ratings agencies but on the part of lenders, to drive down the cost of obtaining credit. To offer immediacy. Some will make numbers available for use right away. Or approved credit available immediately for use on the purchase that a consumer was in the middle of making when they were pitched the credit product.

To get consumer adoption we’ll soon see auto-population of app-based payment systems (Apply Pay, Samsung Pay) with new card numbers. We’ll likely see an option to immediately populate Uber, Netflix, and Amazon with a new card (not just for convenience of course but also because a card company knows you don’t ever want to cancel the default payment card for your food deliveries and other on demand services, switching costs are a pain).

So it shouldn’t be surprising that processes which raise the cost of immediately approving credit and getting it into the hands of consumers is rejected.

Not all lenders will verify identity when there’s a fraud alert on your credit file, some will reject you out of hand. So fraud alerts are a pain for consumers. Of course if the default state was that all credit requests had to be verified by a human then lenders would need to change this practice. There’s a consumer loss here though raising the transaction costs involved in obtaining credit.

By the way my data was hacked and here’s why I’m not worried about it:
http://viewfromthewing.boardingarea.com/2017/09/17/im-not-worried-equifax-security-breach-data-hacked/

22 dearieme September 19, 2017 at 8:01 am

“I am looking for more reliable information before voicing an opinion.” I don’t think you understand this journalism lark.

23 Enrique September 19, 2017 at 8:46 am

I would also like to know, What is the social cost of preventing identity theft!!! (See Coase, 1960.)

24 A Definite Beta Guy September 19, 2017 at 9:20 am

Absolute agreement that there is a lot of easy pickings for ID on credit. Equifax also sucks. They had a known security flaw since March that they refused to patch and will suffer most likely trivial consequences. Despite imposing huge costs on the majority of American households.

25 Urso September 19, 2017 at 11:26 am

woah hold on, let’s wait for some reliable information before we do something insane like criticize a Fortune 500 company.

26 Moelicious September 19, 2017 at 9:38 am

“Everyone is all a-flutter on this issue, and attacking Equifax, but I am looking for more reliable information before voicing an opinion.”

Based on headlines, the IRS paid the following in fraudulent returns (i.e. identity theft):

$5.8 billion (2013)
$3 billion (2014)

According to articles, the IRS has blocked MILLIONS of fraudulent tax returns over the past few years. That’s real money.

In 2016, identity theft cost more than $16 billion and affected 15 million people:

https://www.cnbc.com/2017/02/01/consumers-lost-more-than-16b-to-fraud-and-identity-theft-last-year.html

And how much money do retailers and financial firms spend on security to prevent identity theft? Probably a lot.

If someone charges stuff to your credit card it’s not a big deal to dispute it and get a new card. But good luck if fraudsters take out a $50k student loan using your PII. Or they get your bank or BD’s customer support people to email a new password after they gain access to your email account. Or they go to a wireless carrier’s store with your PII and have them assign your phone number to a device they control in order to bypass two factor authentication.

27 Moelicious September 19, 2017 at 9:41 am
28 Boonton September 19, 2017 at 7:38 pm

Do we have incidents of fraudsters taking out $50K student loans in people’s names? I suspect such a fraud would require much more than just having someone’s SSI number and birthdate.

29 FE September 19, 2017 at 5:05 pm

Here is a 2014 DOJ study that estimated $1,343 per victim, $15.4 billion total. The 2012 total was $24.6 billion. https://www.bjs.gov/content/pub/pdf/vit14.pdf

Here is your Bloomberg colleague describing what it’s like to be hounded by bill collectors, hassled at the airport, and unable to obtain credit for the 3 or so years it takes to recover your identity. Not sure how to account for that as part of the social cost.
https://www.bloomberg.com/news/articles/2017-09-13/my-three-years-in-identity-theft-hell

30 Boonton September 19, 2017 at 7:49 pm

Credit card debt is about $1T in the US.15.4B then is about 1.5% of the total. Given credit card interest rates are easily 20% even in these low interest rate times, writing off $14.5B a year is easily dismissed by them as a cost of doing business. The Bloomberg article is distressing although it sounds like in that case the fraudster was a bit more sophisticated, not only did he open numerous accounts but also had secured a drivers’ license.

31 FE September 19, 2017 at 8:46 pm

The DOJ study I linked to was looking at losses suffered by individuals, not the banks. There isn’t much explanation of what the losses consisted of.

32 Boonton September 19, 2017 at 7:53 pm

I happen to agree. Assuming I watch Credit Karma for any new, unknown accounts, and police my credit card for unauthorized transactions, then my risk seems somewhat low.

Comments on this entry are closed.

Previous post:

Next post: