Schneier on Security
A blog covering security and security technology.
« NIST on Security Logs |
| U.S. Government Sensitive but Unclassified Information »
May 18, 2006
How to Get Through Identity Theft
Really good advice, step by step.
Posted on May 18, 2006 at 1:46 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Put a statement of identify theft on all three of your credit reports. After that, no new credit can be issued in your name unless the creditor calls the number on the credit report (the number you give them).
This sounds like a good idea even if your identity hasn't been stolen.
Is putting a statement of identity theft on your credit report possible without a police report?
I thought they made it hard to put the hold one?
You can do it through their automated phone system. They don't even ask you for proof that you're a victim of identity theft; it's enough if you believe you MAY become one. You can also choose the two-year "Active Duty" alert without having to prove you're in the military.
Maybe we if all put alerts on our accounts, and force them to call us before issuing credit LIKE THEY SHOULD BE DOING IN THE FIRST PLACE, they'll start doing it by default.
@GM: "Maybe we if all put alerts on our accounts, and force them to call us before issuing credit LIKE THEY SHOULD BE DOING IN THE FIRST PLACE, they'll start doing it by default."
You'd like to think they would, but I'd suggest that the cost of doing the job properly would speak louder and the result would be yet another security measure that would be overlooked in the drive for "efficiency".
The only thing companies care about is cost. When the responsibility (and cost) of identity theft is placed on the shoulders of the entities responsible for issuing the identity or the services that rely on identity (credit, etc), not the 'consumers' (we punters), then we might see more robust security measures.
"You'd like to think they would, but I'd suggest that the cost of doing the job properly would speak louder and the result would be yet another security measure that would be overlooked in the drive for "efficiency".
The only thing companies care about is cost. When the responsibility (and cost) of identity theft is placed on the shoulders of the entities responsible for issuing the identity or the services that rely on identity (credit, etc), not the 'consumers' (we punters), then we might see more robust security measures."
On the other hand, if you request that they call before issuing you credit, and then they don't, they're likely losing the money they're lending. That's probably going to cost more than a phone call.
@Anonymous: I doubt that, actually :(
How are you going to prove that they didn't call?
> How are you going to prove that they didn't call?
Well, this would involve a lot of effort on your part, but if they approved credit without actually contacting you (which they are required to do so), then the credit *bureau* is actually accessory to fraud.
That's a line I imagine they would not be very sanguine about crossing. I'm not discounting the possibility, but I would imagine the credit bureau is required to have an audit trail for this sort of thing (of course, I could be wrong there)...
@Richard Braakman: "How are you going to prove that they didn't call?"
If the law requires that the company has your authorisation, then the onus 'should' be on the company to prove you have so authorised. In the absence of such proof, there should be the assumption that the authorisation has not been given.
Some companies here in Oz record verbal agreements during phone calls for this purpose ...
Maybe I'll figure out how to put my number on your record before you get to it. Then the banks can call me and we can get on with the fraud with confidence.
God what an awful, awful system you have in America.
The simplest, most rational and prudent thing for most lower income people to do would be to opt out altogether; don't use credit for anything, except getting a home loan when you can afford it. And let it be known that you will never apply for a line of credit, and anyone apparently doing so for you is a fraud.
Unfortunately, in America that doesn't seem possible. I was shocked to discover when I visited America a few years ago that no hotels would let me pre-book, and some would not let me stay, because I didn't have a credit card, even though I was solvent enough to pay the whole bill in advance plus a large deposit. (In one town I ended up staying at the YHA -- easily the oldest and wealthiest guy there! -- and had an absolute ball.) The hotels claimed that this was in case I became nostalgic and ran up a $10,000 phone bill; but when I pointed out that they could easily cut off the phone in the unlikely event the bill reached the value of my deposit, whereas under standard credit card rules the merchant holds all the risk if I defaulted, they were rather at a loss to explain their stupid (and extremely rude) policy.
I'm so glad the credit card companies have not yet managed to displace cash in my country, and it is still perfectly possible to live without a credit card or credit rating. (And no, we're neither backward, nor socialists.) But they're trying hard.... less than a decade ago, anyone who used a credit card all the time was generally regarded as a deadbeat, someone who couldn't manage their money. They've already turned it around to the point where some cards at least are regarded as somewhat prestigious.
The irony of this is that industry jargon is the exact opposite; the credit card companies' ideal customer is someone who gets himself into a debt trap he can't climb out from, continually just barely making payments from month to month with no hope of ever paying it off. In industry jargon, a "deadbeat" is someone who pays off his debt on time and never falls into the trap. They hate those guys, and use all sorts of tricks to try to ensnare them. One recent lurk was to change the fine print to change the hour of the day on which the debt falls due to just before the mail arrived, so that people who paid the previous day would find their cheques arrived half an hour late, and they had accidentally defaulted. That was ruled illegal, so instead the companies tried to make sure that due dates fall on the last day of a holiday, in the hopes that people would forget about them, or not have the money to cover it; the courts decided that one IS legal. What's really sweet about this scam is that if you get that payment in even half an hour late, it has been found legal to not only hit you with a "penalty fee" (no legal limit, actual values rapidly approaching three digits), but also to massively increase the interest rate (allegedly because you are now a "higher risk") and -- get this -- that allows other creditors to also automatically increase the rate on any other lines of credit you may have. Wham, bang, thank you mam, one more "good customer", i.e. slave, in the bag.
In 1966, the US Federal government came very close to outlawing credit cards. What a pity; now, incredibly, it's regarded as a legitimate business and it's probably too late.
I guess my point, if I have one, is that the credit industry in the US is already so powerful, so irresponsible and so totally out of control that Bruce's schemes for making them liable for their own mess has very little chance of becoming law.
End of rant. Sorry.
Do you still worry that the IDTheft numbers are being overreported?
Apparently David McIntyre (CEO of TriWest -- the DoD healthcare ) just reported some giant numbers at a CSO conference:
53 million identities have been "stolen" to date at a rate of 19,000 per day, with an average cost to companies of 1,600 hours per incident ($40K-$90K)
Per incident, not per identity, but the numbers are still staggering to hear. That's about 7 IDs million a year.
His written testimony to Congress in 2003 now seems to pale in comparison:
"this crime victimized nearly 1 million Americans last year alone"
I guess we have to agree on what "victimized" means, no? Is someone else's unauthorized possession of your ID information alone sufficient to claim that you are a victim? Or is does active use of the identity (impersonation) necessary before you are a victim? Seems to me that possession is far more sensitive/important here than in traditional forms of impersonation/fraud.
Anyway, it's interesting to consider McIntyre's view of the numbers, especially if you review them back to December 2002 when TriWest themselves had two hard drives stolen that contained the identity information of over 500K people in the military. He claims no one has been defrauded as a result of the TriWest breach. However, after spending millions to help "victims" of that breach, his own ID was stolen from a briefcase he left in his car and actually used for fraud.
So, victim of ID theft and then victim of fraud(ulent use of the ID), or just victim of ID theft after impersonation?
Yes, fair points about the card culture.
I just tried to make a future reservation at a restaurant earlier today and they said they required that I leave a CC number to hold the spot even though it would never be charged. They acted as though this was rational behavior.
It's this kind of nonsense that makes me change my CC numbers regularly (easy to just call the issuer and ask for a new one), and to keep a special "auth" card that I never charge anything to but that I give out when I am forced by companies in the US to provide an account number for a reservation.
Actually, the CC Companies don't really care if you pay off or not. Sure, they'd rather you not..
But, they also don't mind the people like me -- I charge everything and pay off at the end of the month..
Why? Because they get a nice small percentage of every purchase as a transaction fee. So, in reality, that is why they are also more willing to lower my rate. (he charges a lot, we make a money, the rate is irrelevant, make him feel better).
I have a friend who put an identity theft flag in his file after the police found his information in a meth lab. Since then, he's been unable to get a loan, renew his mortage, etc. These statements seem to make sense, until you understand that those who grant credit don't follow the instructions, but stop the process instead.
"The simplest, most rational and prudent thing for most lower income people to do would be to opt out altogether; don't use credit for anything, except getting a home loan when you can afford it."
But without a credit history, your rating would be low or non-existant. You would get a higher rate on your mortgage which would potentially cost thousands of dollars. Hardly a prudent thing to do.
I have a friend who works for Visa... he sells Visa's services to banks (outside of the US). I aksed him whether Visa likes people like me (who pay bills in full and on time) or not. He said that 2/3 of their revenue comes from interest payments and the other 1/3 comes from the ~2% fee that is charged to merchants. So yes, Visa does like consistent (deadbeat) payers like myself, but they like their more debt-heavy customers even more.
Regarding deadbeats... I recently took out an airline affinity credit card (because its free for the first year - then I cancel) managed by Citibank and tried to find out about autopayment on the Citi website. Nothing. I had to call customer service, was put on hold, then they had to send me a form. After doing all thatm the acknowledgement letter says it takes 30-60 days to activate. ??? Considering that this is the cheapest way to manage a deadbeat (lowest payment processing cost), I am somewhat surprised by the hurdle.
While I understand most of their revenue comes from those that pay interest... I'd have to wonder where the majority of their expenses go?
I'd really be curious to see how much they spend on collections...
Now remember.. there's a difference between those that pay interest and still pay on time versus those that steal identity and won't ever wind up paying and the credit card company has to eat.
I'm sure the risk analysis is in their favor which is why they do it. But how much of a fine do you think it would take for that to turn into a non-worthwhile risk?
"The simplest, most rational and prudent thing for most lower income people to do would be to opt out altogether; don't use credit for anything, except getting a home loan when you can afford it. And let it be known that you will never apply for a line of credit, and anyone apparently doing so for you is a fraud."
You can't opt out. Ever. Everyone (legal) has a social security number, and that's enough. Children going off to college have discovered that their IDs were stolen years and years ago, and have just as much trouble as anyone else clearing it up.
the material in the link is **not** the way to handle identity theft. its author "trixare4kids" is a classic victim who might as well be wearing a "kick me" sign.
i was simultaneously appalled and contemptuous at what a craven truckler she was. she advised "when the collection agency needs you to fill out their form, call and make sure they got it."
better yet, don't fill out any forms. you don't need to fill out any forms. this is not a matter of grace on the agency's account, forebearing from hassling an innocent party at its discretion. this is a matter of right, forebearing from hassling an innocent party under pain of being sued up the ying yang.
she even advised to "cajole them into faxing you the form." jesus h. f***ing christ on a harley davidson! the financial services industry loves it when you supplicate, when you abase yourself, when you grovel for their mercy. don't do it! these agencies are not your "creditors", a word which was misused in the piece. you don't owe them a nickel. just one certified letter is enough to put them on notice of the hazard in pursuing you. keep everything on the record (the letter), don't waste a second of your time on the phone with obnoxious strangers who want your money.
and when she "found out where they lived", she called the gas company and all the cellphone companies. good thing for the thief it was her identity stolen and not mine. i suspect that she may be an industry plant.
I have a fraud statement on my credit file. The way it's been handled has been inconsistent, but I don't think it's caused me any significant inconvenience. The way it's handled may also depend on the credit of the person with the fraud statement on their report. If someone has ok credit, the additional risk may not be worth it.
Some companies have been satisfied with verifying that I know the number from my fraud statement. Others ask questions about other accounts on my credit report. These policies miss the point that I, or someone who pretends to be me, can get my credit report, so that information is also not secret.
I applied for a Sam's Club credit account in person once. They told me that they needed to check on something, so I got a call from their credit department on my cell phone and got everything opened in maybe 5 minutes more than it would have taken otherwise. They did ask questions about other accounts on my credit report, but they did so after calling the number in the fraud statement.
In light of this post, I thought of trying to check my own credit report
on freecreditreport.com. Needless to say, I will have to find another
method of doing so. First, I find that the so-called 'secure' pages use
DES for a symmetric cipher, and 168-bit RSA most likely. I resufe to
give out my name, current and previous address, and e-mail address to a
credit report agrigator using DES for their symmetric cipher of choice.
And they say they take security seriously...My credit report is probably
mailed out in plaintext, and arrives at my mailserver; and perfectly
sniffable along the way. I call that extremely insecure, based on the
information contained therein. I wonder if the author of the article
attempted to perhaps get a free credit report from somewhere like
freecreditreport.com? One can only speculate.
Igor, that probably isn't the page you want. Freecreditreport is a credit monitoring service where they check your report periodically and email you any changes. The "free" only applies if you sign up for their service, then cancel before the first month is out. If you want the federally mandated free credit reports, you need www.annualcreditreport.com
Been there, done that. Got a call last year from a collection agency asking for payment. The only thing they had on me was name and SIN. Someone had set up a phone in my name somewhere in Eastern Canada that I had never been. Took me well over 100 hours to get things organized and fixed up. The phone company still has not acknowledged that I am not the one they are looking for the but the collection agency has stopped calling.
Now to monitor my credit reports to ake sure nothing strange shows up.
All I can say is, document every conversation, the date and time they happened, get phone numbers, names of people, as much detail on each call as you can.
What a pain!!!
"It's this kind of nonsense that makes me change my CC numbers regularly (easy to just call the issuer and ask for a new one), and to keep a special "auth" card that I never charge anything to but that I give out when I am forced by companies in the US to provide an account number for a reservation."
Having an "auth" card is an outstanding idea. I also get my cc numbers changed every few years. Any other clever tips?
In some states, it is possible to have a credit 'freeze' put on your account which works the same way that an ID theft warning does, call consumer before any credit is issued. However, our esteemed Federal government has decided that this is not a good idea and will override this in coming legislation. Call your congresspeople!
Of course, if I was a crook who GOT a ss#, the first thing I would do would be to put such a warning on the account and have them call me...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.