Externalities and Identity Theft

Chris Hoofnagle has a new paper: "Internalizing Identity Theft." Basically, he shows that one of the problems is that lenders extend credit even when credit applications are sketchy.

From an article on the work:

Using a 2003 amendment to the Fair Credit Reporting Act that allows victims of ID theft to ask creditors for the fraudulent applications submitted in their names, Mr. Hoofnagle worked with a small sample of six ID theft victims and delved into how they were defrauded.

Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud. Yet in all 16 cases, credit or services were granted anyway.

In the various cases described in the paper, which was published on Wednesday in The U.C.L.A. Journal of Law and Technology, one victim found four of six fraudulent applications submitted in her name contained the wrong address; two contained the wrong phone number and one the wrong date of birth.

Another victim discovered that his imposter was 70 pounds heavier, yet successfully masqueraded as him using what appeared to be his stolen driver's license, and in one case submitted an incorrect Social Security number.

This is a textbook example of an economic externality. Because most of the cost of identity theft is borne by the victim -- even with the lender reimbursing the victim if pushed to -- the lenders make the trade-off that's best for their business, and that means issuing credit even in marginal situations. They make more money that way.

If we want to reduce identity theft, the only solution is to internalize that externality. Either give victims the ability to sue lenders who issue credit in their names to identity thieves, or pass a law with penalties if lenders do this.

Among the ways to move the cost of the crime back to issuers of credit, Mr. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems.

Posted on April 14, 2010 at 6:57 AM • 66 Comments

Comments

Markus FelberApril 14, 2010 7:26 AM

Under German law creditors must not report contested claims to credit report agencies. And they are liable if damage arises from their reporting.

So the creditors have strong obligation to check the identity of their debtor and have records that will hold in court.

AppSecApril 14, 2010 7:56 AM

" Either give victims the ability to sue lenders who issue credit in their names to identity thieves, or pass a law with penalties if lenders do this."

Victims suing corporations -- no one person will have the finances (most likely) to go that route. It would have to be a class action lawsuit (and I thought I had heard about that happening in some cases).

The best way to deal with this is fines of significant value with an increasing amount on violation over some period of time.

TimApril 14, 2010 7:56 AM

Speaking of identity theft, what is the purpose of those fake people facebook bots?

kog999April 14, 2010 8:58 AM

Speaking of identity theft, what is the purpose of those fake people facebook bots?

Spam, Phishing, and spreading malware

MikeApril 14, 2010 9:01 AM

I agree completely with Bruce's assessment of the situation. During my Master's degree, I had a class called Identity Theft. Most of the students were appalled at how easy this was. Our professors reminded us that American businesses are amoral - meaning have no morals (as opposed to bad morals). This means that they will do whatever they can to make money - usually legally. Bruce points out a very good example of this principle. Legislation is going to be the only way to fix this problem. However, I am for the ability of both the victims being able to sue and for the banks being fined.

Crosbie FitchApril 14, 2010 9:05 AM

A good start would be to deprecate the term "Identity theft". One cannot 'steal' identity.

It is of course a very useful notion though, to be used by those who have failed to ascertain identity (of an impostor) to exculpate themselves of blame, e.g. to blame the person impersonated for failing to secure their identity from theft (a nonsense).

BradApril 14, 2010 9:16 AM

Better than allowing the victim to sue: put the burden of proof on the lender to collect.

Eva impersonates Alice, and Bob issues credit to Eva. If Bob tries to collect from Alice, all Alice should have to do is say "that's not me" and that should be the end of the conversation. If Bob believes that Alice is trying to defraud him, he can take her to court and convince a judge or a jury that he is owed money. This will dramatically tighten lending practices, but it will also massively curtail identity theft.

Also, as long as we're discussing Econ 101, Mr. Hoofnagle's solution of having lenders contribute to a fund for identity theft victims fails for a different reason: the tragedy of the commons. If defrauded individuals are paid out of a common fund that all lenders pay equally in to, then no individual lender has any incentive to reduce fraud. Instead, the worst lenders can "free ride" on the fund, knowing that they are paying less money into the system then they are earning by tolerating fraud. To internalize a negative externality like this one, the losses need to be borne privately by each guilty party, not socialized over the entire industry.

AlApril 14, 2010 10:10 AM

I live in the UK. Sometimes my bank phones me up, they then ask me to prove my identity, but I have no way to prove who they are. When I tell them that I cant prove who they are and they could easily be a fraudster, they just dont understand what I'm talking about.

I always hang up, then call the number I know for my bank and then start the conversion again.

I find this behaviour by UK banks rather stupid as it encourages people to trust who they are talking to when someone phones them up.

Why cant they do something like "We need to talk, please call the number on the back of your bank card and quote ref XYZ".

Ironically they send lots of emails telling me to ignore emails from them unless specific information is quoted in the email and to be very careful of phishing scams as the internet is big and scary!

paulApril 14, 2010 10:29 AM

@Brad:

that only works if you impersonate someone with the resources to hire a good lawyer and pursue attorney's fees. Otherwise the company sues, or threatens to sue, and if the cost of settling is less than the cost of hiring a lawyer Alice will settle.

How about automatic triple damages? If you negligently give credit, you pay the victim of the identity fraud costs plus three times the amount for which credit was extended. It might seem that there's a moral hazard here because people can make money from leaving their personal information around to be used for impersonation, but there really isn't, because guarding personal information every moment of the day isn't something people should have to do.

Crosbie FitchApril 14, 2010 10:31 AM

Al, that is a well known man-in-the-middle vulnerability:

1) Fraudster Bert rings bank pretending to be customer.
2) Fraudster Bill (in next room) rings customer pretending to be bank.
3) When the bank asks Bert for secret code, Bert relays the question to Bill.
4) Bill obtains answers to bank's questions by asking customer and relaying answer to Bert.
5) Once Bert has passed 'security' he transfers funds.
6) Bill asks customer if they want to upgrade to a premium banking service, or other question to incite the customer to end the call.

Banks have a blind spot in that they KNOW they're genuine, and no-one could possibly 'steal their identity' aka impersonate them. It's only the great unwashed they think they need to worry about. That's why they don't do as you suggest.

PaeniteoApril 14, 2010 10:32 AM

I don't quite get it...
Isn't there a significant cost involved for the lender, too?
After all, he won't get the money back?!

ShaneApril 14, 2010 10:49 AM

"The inverse relationship between
privacy and public identity -- logically and chronologically -- suggests that
privacy is a cause, if not the principle cause, of identity theft."

Shame on you, Lynn LoPucki.

HJohnApril 14, 2010 10:57 AM

@Paeniteo: Isn't there a significant cost involved for the lender, too?
_______

It's a big complicated how lenders make their money. I believe they get a fee for each transaction from the merchant. I suspect some people complain to the merchant rather than the credit card company and some merchants do reimburse the victim (in which case, the lender keeps the fee).

Some fraudsters, believe it or not, do make some payments on their fraudulent credit cards. Few pay it all, but some do when they want a card and can't get it themselves (this is rare, but some do it to hide their identies, like affair expsense if they are married, they need a card but don't want that resort on their record). Some pay the minimums until it is maxed out then quit, rather than run the risk of collecting too many cards they use just one month.

Victims don't always get their money back either. Lenders and merchants aren't too enthusiastic about giving them money. Like if one sell something on eBay, gets paid, and the customer says they didn't receive it. The seller doesn't think it is his fault, maybe the USPS, maybe a thief, maybe the buyer is lying so they get the goods and their money back. It's the "It's not my fault" defense that makes institutions relluctant to give money to someone.

ShaneApril 14, 2010 11:02 AM

@Paeniteo

"I don't quite get it..." Read the paper :P

Just one example:

"Once an account is opened, credit issuers have found many ways to mitigate financial risks from identity theft. For instance, in some cases, liability for fraudulent charges is imposed upon merchants. A recent report by LexisNexis finds that merchants absorb $100B in losses annually because of identity theft, while financial institutions lose about $11B."

HJohnApril 14, 2010 11:09 AM

@Shane: ""Once an account is opened, credit issuers have found many ways to mitigate financial risks from identity theft. For instance, in some cases, liability for fraudulent charges is imposed upon merchants. A recent report by LexisNexis finds that merchants absorb $100B in losses annually because of identity theft, while financial institutions lose about $11B."
_______________

Precisely.

And to translate: If there are $100B in financial losses absorbed by merchants, I'm pretty sure that is $100B that the fianncial institutions keep, which is a $100B in profit for a $11B loss. They'll take it, I'm sure.

The only reason merchants put up with it is because the costs of not accepting plastic is too high. I still don't fully understand why merchants dont' verify customers better, but I suspect that it is partly due to the risks of turning legitimate customers off by making them feel suspect.

DanielApril 14, 2010 11:17 AM

I never thought I'd ever raise to the defense of corporations, let alone banks but this is a case of becoming obsessed by trees and losing sight of the forest.

(1) Banks are not designed to store value. If they did that, a bed mattress would do. They are designed to promote liquidity in the economic system; to get the money out from underneath the bed mattress.

(2) Whatever the precise losses to identity theft they pale in comparison to liquidity provided to the system.

Identity theft is a great example of a "reverse tragedy of the commons". What is bad for individuals in specific is good for the system in general.

It is most amusing and ironic that Bruce would make this post on the heels of a post about risk. Internalizing the responsibility for identity theft poses a very real and high risk that the entire system would collapse.

AndrewApril 14, 2010 11:19 AM

Paeniteo,

The lender (generally) won't get the lent money back when they lend to fraudsters, but that is not where their big loss occurs.

When lenders tighten the process of ascertaining identity, they run the very real risk of losing customers who don't like the "red tape."

Their experience tells them that the vast majority of "bad" credit applications are from people who are just careless or sloppy--not fradusters.

So, they weigh the cost of good identity checking (a lot of lost customers) versus sloppy identity checking (a few lost loans) and decide that it is better for their business to swallow a few fraudulent loans than to drive away lazy customers (who generally will pay a lot extra is penalties and fees).

DanielApril 14, 2010 11:25 AM

"but I suspect that it is partly due to the risks of turning legitimate customers off by making them feel suspect. "

It's not a risk; it's a certainty. When I go to a pub to drink some brews I don't want to be quizzed. I go to relax and have fun.

I've said it before I'll say it again. The need to verify is failure from the beginning. Security is not about the enlargement of consciousness but about the enlargement of the unconscious.

ShaneApril 14, 2010 11:33 AM

@Daniel

IAMAE, but gimme a break. Who is the cheapest cost avoider in the context of identity theft? The consumer? The merchant? Not by a long shot. How can a consumer avoid fraud when he/she has absolutely zero inside knowledge about the risk preferences of a financial institution with which he/she hasn't even established a relationship? That consumer is at the mercy of the institution's decision on what risk is acceptable, ie whether or not that particular institution is willing to extend credit to an impostor under the consumer's name despite glaring inconsistencies in the personal information provided.

The banks do this now, because they have nearly zero financial incentive *not to. Your doomsday 'collapse' scenario is just the kind of FUD that keeps them raking in the dough to the detriment of (yes) the individuals, but also the merchants.

This isn't just about Joe HadMyIDStolen, this is about the costs borne across the board by acts of fraud, and how the liabilities for such are shouldered absurdly asymmetrically by the entities in the absolute worst position to prevent them in the first place: the consumers.

HJohnApril 14, 2010 11:39 AM

@Daniel: "It's not a risk; it's a certainty. When I go to a pub to drink some brews I don't want to be quizzed. I go to relax and have fun. I've said it before I'll say it again. The need to verify is failure from the beginning. Security is not about the enlargement of consciousness but about the enlargement of the unconscious.
_____________

This is why I long questioned the effectiveness of having to sign the back of a credit card. This places the business in a no-win situation:
1. We have to trust a cashier, perhaps a minimimum wage teenager, to be able to effectively analyze signature comparisons. Bad idea.
2. We'd have to expect that same cashier to have the nerve to tell a customer he wasn't authorizing the transaction because the signatures don't match. Since signatures on plastic look different than signatures on paper, the risk of ticking off a good customer wrongly are very high.

If it were common practice, I don't think most customers would mind being IDed when paying with credit cards. Most don't feel too threatened when buying a drink. The key is common...if the two people in front of me breeze through even with higher dollar purchases, and the same cashier asked for my ID to use a credit card, I may be offended that i wasn't afforded the same level of trust.

HJohnApril 14, 2010 11:48 AM

@Shane: shouldered absurdly asymmetrically by the entities in the absolute worst position to prevent them in the first place: the consumers.
__________

Precisely.

My wife cleaned up an ID theft mess before we met. She bore most the burden even though:
1. She had no control when the fraudster obtained her information through work (she had legitimate access).
2. She wasn't present when the financial istitutions issued fraudulent cards in her name.
3. She wasn't present when the fraudster used the cards. (not to mention, even if they verfieid signatures, the fraudster signed my wife's name in the fraudsters handwriting).
4. She wasn't present when services were issued using her SSN in the fraudsters actual name.
5. She only detected this 10 full months after it started when she ran a credit report.

If you ask me, only the people in a position to prevent or detect something should be liable for it. That's the only system that lines up incentives properly. People and entities are a lot more careful when they are liable for their actions. But when it is someone else's problem...

DanielApril 14, 2010 11:48 AM

Shane. You have to go back to the fundamentals. Why do banks even exist at all? They are social tools designed to promote social purposes. Put another way, why should banks be in the identity theft protection business? If the economic purpose of banks is to promote monetary liquidity why should they be engaged in economic activity that works counter to their purpose? That makes no sense whatsoever.

The question is who is best to bear the burden for the cost of identity theft. And "the merchants" or the "the consumers" is a good answer because they are the ultimate beneficiaries of commerce; the bank is just the middleman.

ShaneApril 14, 2010 11:55 AM

"Put another way, why should banks be in the identity theft protection business?"

Because they are in the best, nay, nearly the *only position to do so. Explain to me how a consumer is supposed to prevent a malicious person from using their personal data, again despite glaring inconsistencies, to obtain a line of credit from a bank with which the consumer has no prior relationship?

"If the economic purpose of banks is to promote monetary liquidity why should they be engaged in economic activity that works counter to their purpose?"

That is precisely the point here. Currently, the activity of lending to fraudsters does *not counter their purpose. The losses they incur are far under the limit of what is acceptable, since the costs are shouldered (currently) by the merchant and the consumer.

MikeAApril 14, 2010 11:57 AM

@Hjohn --
This is why I long questioned the effectiveness of having to sign the back of a credit card. This places the business in a no-win situation
--

The signature is not so the clerk can verify. It's actually the "I agree to all the terms of the credit agreement, including the part where the company can raise the interest rate and start charging it from the millisecond of purchase even if I pay my bill in full at the time I am billed" that allows the credit-card company to maximize their profits from you.

BTW: if you think signatures on paper and plastic differ, you should think about what signatures on a poorly maintained (is there any other kind?) electronic signature capture device look like. :-)

HJohnApril 14, 2010 12:07 PM

@MikeA: "The signature is not so the clerk can verify. It's actually the "I agree to all the terms of the credit agreement, including the part where the company can raise the interest rate and start charging it from the millisecond of purchase even if I pay my bill in full at the time I am billed" that allows the credit-card company to maximize their profits from you."

I dont' disagree. Whatever the intended purpose is, it's useless. How many credit card companies ever see the signature, must less know when it was actually signed.

I had a funny experience with this years ago (before I stopped signing my cards). When I was out to lunch, I won't name the hut where I bought some pizza, they cashier pointed out I hadn't signed the back, so I signed it, then signed the receipt. He actually compared the receipt I just signed in front of him to the card I just signed in front of him. (Darn the luck if they didn't match.)
______________
@MikeA: BTW: if you think signatures on paper and plastic differ, you should think about what signatures on a poorly maintained (is there any other kind?) electronic signature capture device look like. :-)"

I totally agree, but I didn't mention this in my example because cashiers usually don't see your card when you do that. I was thinking it though...but my rant got too long.

:)

DanielApril 14, 2010 12:24 PM

The problem, Shane, is that "because they can" has ever been the excuse of tyrants in every age. It may be true that the banks are in the best position to do something about fraud but if that's true then the better answer is to move fraud prevention out of the banking system and put it somewhere else. I don't think it's a wise solution to say that society should prevent fraudsters from running amok at banks by hamstringing banks.

When banks lend money they don't know they are lending to fraudsters ahead of time. Nor is it socially efficient for them to do national security level clearances on every customer before they lend money.

I do think that banks could do a better job with even minimal security checks. I do think that fraud prevention is a worthwhile goal. Unlike Bruce, however, I just don't think it makes sense to turn banks into identity verification institutions when that does not go to the heart of their economic purpose.

AMApril 14, 2010 12:36 PM

The problem of ID theft is a damaged credit reports. In other words, I wouldn't care too much if someone posed as me to obtain credit were it not for the negative consequences for my own future credit-worthiness. Therefore, we should make it easier for victims to clear their name. If I can just shrug off credit obtained in my name by a thief and let the lender worry about getting his money back, wouldn't this be sufficient? No fines or heavy regulation required.

First TimerApril 14, 2010 12:42 PM

@Daniel

I think the point is that banks are not spending time coming up with efficient and meaningful fraud protection becasue they don't have to. If you change the ballance of the equation, do honestly think the banks would just pack up and go home? No. Very quickly some good money would go into researching a fraud prevention system because the banks would be forced to protect themselves.

They *could* work up a decent fraud prevention system now. But because the do not have to, and havenear-zero risk from fraud, they do not. As someone else said, corporations are amoral. Their only concern is with their bottom line. To effect change, you need to alter the equations that result in their bottom line.

They are in the single best place in the process to detect and prevent fraud. No one else can do so with anything approaching real effectiveness, unless we start coming up with things like a LSA (Lending Security Administration). . Can you imagine if all credit applications had to go through some sort of agency first?

No, put it onto the banks to fix the problems they allow to happen, and they'll get fixed quickly. If the bank makes a mistake, they should pay. Not the merchants, and not the customers.

Mind you...

The cost of fraud protection in this scenario is going to be pushed onto the consumer and the merchants anyway. That's the way markets work. To say that the banking system would implode if we enforced their responsibility in fraud makes no sense to me.

So the costs would still be carried by the customers and merchants. Only it would be distributed evenly (for varying definitions of evenly), whereas now it works like some sort of peverse "reverse lotery."

ShaneApril 14, 2010 12:48 PM

@Daniel

"It may be true that the banks are in the best position to do something about fraud but if that's true then the better answer is to move fraud prevention out of the banking system and put it somewhere else."

*Sigh*

"Put it somewhere else" has been the status quo for decades. That is precisely the problem, that it has always been "put somewhere else", namely, not in the most effective place, rather, in the least effective place.

No one is advocating for turning banks into anything but banks, what they are advocating is forcing banks to bear the costs of their OWN bad decisions, instead of 'putting it somewhere else'.

Banks check your credit scores already, to assess the risk of lending you money. It only follows that they ought to verify that you are who you say you are as well, since the real consumer cannot simply teleport everywhere their name and SSN is being used on a credit application to dispute its legitimacy.

Banks shouldn't really be *forced to do anything, least of all check identities, yet they *should be forced to bear the costs of their own decisions, good or bad.

Currently they do not. So, sadly, your suggestions as to how to mitigate identity fraud (rather, your lack of suggestions), has already been tried, and continues to fail miserably.

ShaneApril 14, 2010 12:53 PM

To clarify my own statement: "Banks shouldn't really be *forced to do anything, least of all check identities [...]"

Banks should do what they feel is economically beneficial for them, and should have the freedom to do so. That is how our markets work.

However, again, they should be held accountable for those decisions, not the consumer, and most especially when the consumer is the victim of new account fraud.

Seth BreidbartApril 14, 2010 1:02 PM

When a bank tells a merchant "You accepted a fraudulent credit card for a $1000 transaction so, even though you called us and we told you the card was good and gave you an approval code, we're taking back the money" the bank doesn't have $1000 profit, the fraudster does. The bank might have a slight profit (fees) depending on how much it (legally) defrauds the merchant for.

Forget "identity theft"; that's a red herring. The issue is a thief committing fraud by claiming to be somebody else. When looked at that way, it's clear that the loss should be borne by whoever extends him credit based on his claim (and compensation from any entity other than the thief should depend on, at least, whether the direct victim took reasonable precautions).

Someone did an interesting test: he took a credit application the bank had mailed him, tore it up, taped it back together, filled it out with a different address (and other errors), and sent it in. It was approved.

David ThornleyApril 14, 2010 2:34 PM

@Daniel: It doesn't actually matter whether the bank checks for fraud or somebody else, as long as the party making the checks takes financial responsibility for them. Once that happens, the strictness of the checks will be governed by market pressure.

However, if banks aren't responsible for the checks, they will either destroy the economy by allowing fraudsters to steal from merchants with near-impunity, or they will eventually be subject to government regulation, and that will be suboptimal for everybody.

The best thing is for banks to be responsible for their own decisions. The next best thing is for banks to contract out identity verification to somebody else who is financially responsible, and governed by market forces.

DanielApril 14, 2010 2:41 PM

"I think the point is that banks are not spending time coming up with efficient and meaningful fraud protection becasue they don't have to."

I don't want banks to spending time coming up with efficient and meaningful fraud protection because I don't believe that a task that banks *should* be doing. Point blank: it's not their job. The fact that other institutions are not doing their job, once again, should not be a bank's problem.

No matter how you twist it the fundamental argument for banks getting involved in identity theft is based upon ability and not desirability. I agree that banks can be given the ability to do what you suggest; I just don't believe that will produce socially desirable outcomes.

AppSecApril 14, 2010 2:47 PM

@Shane:
If I recall correctly (it has been a number of years), those credit score checks do not require exact matches.

Of course, this is all for naught as you still have to have some basis for proving that you are you.. And in the case of you claiming a fraud, you have to have the ability to prove you were not the one who made the request for credit or the purchase.

DanielApril 14, 2010 2:48 PM

"The best thing is for banks to be responsible for their own decisions."

That's a red herring. Banks are responsible for their own decisions already. The debate is over how far they should go to justify those decisions. Again, if you force banks to perform national security level checks on every customer before they lend money you will bog down the lending system. But the purpose of the lending system is to free up money, not bog it down in endless red tape.

What this position basically boils down to is that banks profitability should be based upon how well or how ill they perform identity verification. Stuff and nonsense. That's not the purpose of banks.

ShaneApril 14, 2010 2:57 PM

@AppSec

"you have to have the ability to prove you were not the one who made the request for credit or the purchase."

Sure, you do, after the fact and provided that you somehow become magically aware of the fraudulant account(s) before irreversible harm is done to your name/credit/etc.

Again, it is the most costly and least effective way to prevent fraudulant accounts from being opened, as it does nothing to prevent them from being opened, just from staying open perpetually.

@Daniel

"Banks are responsible for their own decisions already."

That's laughable. Surely you can't be serious? After two fucking trillion dollar bail-outs?

Gimme a break. The only red herring here is the BS that the financial system would collapse if banks were to be held accountable for investing their money into fraudulent credit applications.

AppSecApril 14, 2010 3:04 PM

@Shane:
I think you misunderstood.

If the banks are held more liable for their decisions, then two things are going to happen:
1) More processing (I won't say "bogged down", because in all honesty, it could be built such that there's no significant time loss) will occur at time of lending funds.

2) If an action is claimed to be fraudulent, then there will be greater responsibility on the victim proving that the bank acted in appropriately. As in this case, the bank would become the defendant and the amount of data required to remove the charge would be greater because the risk of penalties is greater.

ShaneApril 14, 2010 3:09 PM

@AppSec

Ah, I think I did misunderstand. I do agree, given more accountability, banks would certainly fight claims of fraud much harder than they do currently.

Kyle WilsonApril 14, 2010 3:28 PM

It seems clear to me that if an institution (say a bank) extends credit to someone (who is not me) in my name and without my authorization then they should be completely responsible for all of the consequences of that extension of credit. This includes fraudulent charges and any credit reporting issues. Neither the merchant who sold goods using the credit line nor the person whose identity was used should bear any responsibility. Neither had any involvement and neither can readily prove a negative. Let the banks decide whether the losses are excessive (and thus how much they want to spend on positively identifying those they do business with) and place the burden of proof when reporting bad credit on those same institutions (as they are causing individuals significant harm by fraudulently reporting bad behavior for someone other than the actual miscreant). They should bear the costs associated with a bogus report of bad credit (and if they extend credit to someone in my name without my clear authorization and then essentially libel me by publishing false information about my financial behavior they have caused significant harm).

David ThornleyApril 14, 2010 3:48 PM

@AppSec: Why would the responsibility be on one of the victims to prove the bank acted improperly? Certainly if the bank is trying to collect money from me, it's the bank's responsibility to document that I owe it money. They might get more aggressive about it, but the burden of proof wouldn't change.

There have been problems with chip-and-pin cards, which the bank arbitrarily designated secure, but those could be opted out of (possibly at the cost of having more problems with credit cards).

Chris HoofnagleApril 14, 2010 4:06 PM

@Daniel, you're making an excellent point--clamp down too much on credit, and the effect could be worse than what is experienced by identity theft victims. OTOH, the current situation makes it economically efficient to look the other way even when obvious signs of fraud are present. Real costs are passed off to victims, such as X5 in my study who spent 1,000 hours of personal time rectifying the situation in a case where the consumer reporting agencies (all 3) flagged the transactions as suspicious. X5 actually caught the impostor, who was prosecuted. In the end X5 got nothing in restitution, because X5 did not suffer any financial loss, according to the court.

I'm not suggesting that banks become identity clearinghouses. I'm just arguing that they are profiting from an economic activity that they fully control. The harms causes by it should be internalized. So, if banks wanted to, they could continue sloppy granting so long as they pay up for it.

@Brad, the problem you raise is easily addressed by keying participation in the fund to levels of risk or amount of credit granting. You know, the shredded credit application raised by Seth Breidbart above was granted probably because many banks use *fully automated* processing. Seems like if you're willing to take that risk, you should also accept the consequences.

There are other problems--what about fake identity theft victims? How to apportion damages?

I suggest that victims should be paid minimum wage * the average # of hours it takes to rectify. That statistic is tracked by the FTC, and such a compensation plan would create incentives to make it easier for victims to clear their names.

ShaneApril 14, 2010 4:11 PM

@Chris

"Seems like if you're willing to take that risk, you should also accept the consequences."

Absolutely.

Great paper by the way.

JeremyApril 14, 2010 4:25 PM

@Daniel: "That's a red herring. Banks are responsible for their own decisions already. The debate is over how far they should go to justify those decisions."

No one is suggesting that banks be required by law to perform a specific level of scrutiny. The suggestion is that banks should pay the cost when a fraudster slips past their scrutiny (i.e. when the bank elects to extend credit to a person who turns out to be a fraud), and then the bank is free to adjust their level of scrutiny to whatever they feel is commensurate with the risk.

If you honestly believe that banks already suffer the costs that result from extending credit to fraudsters, then you should be pointing out how this suggestion is ALREADY implemented, not arguing that it would be dangerous or undesirable to implement it. And if you believe anything else, then writing that banks are already responsible for their own decisions is deliberately misleading, at best. Your position is inconsistent.

Furthermore, your argument that allowing this level of fraud is better than clamping down might possibly be a good reason not to increase scrutiny, but it is NOT a valid argument against making the banks liable. If the current system is really economically preferable to the alternative, then the banks should be able to charge their customers some fee such that banking will remain profitable even after absorbing the losses due to fraud. If forcing banks to internalize the risks of their actions actually somehow causes the banks to collapse, that means that the losses exceed the benefits, and we'd be better off without them.

Mauro SApril 14, 2010 6:34 PM

Greetings from Brazil.

It never ceases to amaze me how in a “democracy” with “the government of the people, by the people, for the people” has the decks stacked do much in favor of corporations – especially financial ones - against individuals (a.k.a. “the people”).

It’s not a question of “banks combating identity theft”. It’s a simple basic human right: not to have this “identity theft” disgrace up on you if it’s none of your fault. It’s so clear to me that the financial institutions should carry the entire burden for their lack of awareness – or whatever you call it. Picture the reverse situation: when you get a bad check you don’t expect that the financial institution to pay for it, do you? You should have known better and take precautions, right?

When my maid in Brazil goes to a store to buy a new $300 TV set in ten installments, the store not only checks her up – including against industry-maintained “black lists”, they also call my land line to check her info with me. Piece of cake, the thing just works. If they make a mistake or are conned, taught luck for them.

The US is a country with more than a million foreclosures and with no investment banker in jail after scooping trillions of dollars from the World’s economy, plus holding everybody’s well-being for ransom – and getting it! In any civilized place the whole of Wall Street should have been torched by angry mobs.

The US became a police state full of gutless people running afraid of the Boogie Man (Bin Laden & Co) and lining the pockets of fat cats that create neither jobs nor riches but for themselves. 236 years ago you guys started a revolution because of tea! TEA! Now you happily go to the slaughterhouse like lambs giving up your houses, your good names your freedoms and your dignity (at least in airports).

In my “undeveloped” country the term “identity theft” does not exist – despite there being a lot of other “normal” thefts (cars, jewels etc). And the losses from this “subprime loans” scam of Galactic proportions affected just a few gamblers – who lost their ill advised bets - and posed no systemic threat to the financial system.

I should have my kids learn Mandarin instead of English.

MadScottApril 14, 2010 7:21 PM

Isn't there an issue of tort law here - someone being held to a contract they aren't actually a party to?

Call me naive (and yes I know what a mess this actually turns into), but I'm just saying...

SkorjApril 14, 2010 7:44 PM

The fundamental problem with this dicussion is that "the lender" and "the loan originator" are often not the same company.

* The loan originator (merchant in a credit card scenario) is in a position to validate claims of identity, but as they seldom bear the risk of loan default, trying to push the burden of "loan default through identity theft" onto them seems impractical.

* The lender (or lender-of-the-moment, for loans that are frequently sold) is the natural place to put the burden of "loan default through identity theft", but is not in position to validate claims of identity.

Bruce says we should "verify transactions, not identity", but I'm not sure what that means. Sounds nice, though - in the case of credit card transactions, banks do a reasonable job of flagging unusual transactions, and usually-fraudulent transactions. I'm not sure I see how this works with other sorts of lending, though.

AppSecApril 14, 2010 8:40 PM

@David Thornley:
The "victim" is no longer the person who was impersonated. The "victim" becomes the lender because the lender is the one who has to pay the finds. The customer is "inconvienced" by time/effort but in the end it is the lender who ultimately will be considered the one to blame and is thus the defendant of the accusation.

At least, that'd be my interpretation if I'm a financial instution under those guidelines (but IANAL).

DanielApril 14, 2010 11:47 PM

Jeremy.

Again, this comes back to the question "What is a bank?" The bank never bears any costs. Think about that for a moment. A bank never bears any costs. They are just the middleman. They take money from savers and lend it to borrowers.

When you talk about a bank taking a loss what you are saying is that savers must eat that loss, usually by lower interest rates on deposits. But that reality is a social problem. Because if banks don't pay out enough interest the money goes right back under the mattress again.

It might be helpful if you began to conceive banks more akin to water or electric utilities. Because they perform very similar functions. Do some reading on the "free rider problem". My most basic argument (and this is for Chris H.) is that Identity Theft is the free rider problem applied to the banking system. The way you solve the free rider problem (most of the time) is that you don't.

averrosApril 15, 2010 3:58 AM

@Daniel: "Why do banks even exist at all? They are social tools designed to promote social purposes" ... "(1) Banks are not designed to store value. If they did that, a bed mattress would do. They are designed to promote liquidity in the economic system; to get the money out from underneath the bed mattress." ... "Put another way, why should banks be in the identity theft protection business?" ... "That makes no sense whatsoever."

I'm afraid it's you who makes no sense whatsoever. I guess you studied economics in an American school - generally, one cannot come up with that much nonsense on his own.

First of all, banks are NOT "social tools", they are for-profit businesses whose sole raison d'etre is to make profit for their owners. They achieve that goal by what amounts to fraud - by misrepresenting at-risk investments and loans as safe deposits and by engaging in counterfeiting (that's how the fractional reserve system works - by creating multiple ownership claims to the same part of real wealth).

Secondly, keeping money under the matress *is* socially good - the "hoarded" money represents present gains from goods being produced and sold, but delayed consumption of other goods. I.e. the person who keeps money under the matress has produced more than consumed - so the resulting positive difference in the material wealth becomes available to other people for the time the money is kept under the mattress. It also increses purchasing value of other people's savings, thus increasing the base for capital investment. In other words, money stashed away is a passive investment in the economy at large. In case of hard money (and resulting deflation due to raising productivity and quantity of goods per coin) this "investment" would actually yield positive return in real terms.

Besides, the "hoards" are savings. The capital can only come from savings. Monetary sheingangans do nothing but stealthily transfer it from some people to other.

Finally, banks do NOT increase liquidity - they take *already liquid* cash deposits and convert them into less liquid loans. In the best case, they are merely intermediaries between cash owners who wish to put their money at risk and lower liquidity in return for interest. Generally, they fraudulently pretend to keep deposits fully liquid and risk-free while doing exactly the same thing as above.

The "social function" of banks used to be safe storage (of value, money, other things - you know, in safes) and convenient transfer - that was when banks charged fees for deposits. It became simple criminality cloaked in pseudo-economic bullshit and protected by the system of political patronage.

HJohnApril 15, 2010 8:22 AM

This reminds me of how my father's furniture store used to work. If my father set someone up on a payment plan, and the turned out to have impersonated another person, it would be his problem. He wouldn't dream of expecting the person they impersonated to pay up. If he found the perpetrator he could sue them or have them charged.

Alternately, for higher end purchases, he could set them up with a lender. They would run a credit report or any checks and loan the money. If someone was impersonated, it would fall on the party (or parties) that made the error to eat the loss, and go after the perpetrator if they could be found. Never on the person impersonated...they aren't at fault and aren't involved.

I fail to see why credit card companies and financial institutions should be different. They should not be able to pass the costs of their screw ups onto the people who were impersonated.

If someone steals a car, do we even dream of making the car owner responsible for what the car is used for? Of course not, that's victimizing the victim a second time.

I'm against the government meddling in methodology. The goverment should not require specific solutions, it should simply place blame and consequence on the appropriate party and let that party come up with the best solutions, which will probably be a combination of prevention, detection, and eating some losses.

DavidApril 15, 2010 9:09 AM

@Skorj: As the US system works....

There is an association of banks making up, say, the Visa system. You might consider this a cartel. The individual banks accept applications, and issue Visa cards. This is the main decision point, and the point least likely to bear costs.

Merchants sign up for the system because they really have no choice. They are often limited by their contracts how much they can check on their customers. (It may violate their agreement to demand ID, for example.) In event of fraud, they're the ones who typically eat the loss.

Individuals have credit cards for various reasons. If they are good about looking for fraudulent charges on their own cards, they can avoid being charged for them fairly easily. (I suggest certified mail with return receipt for the dispute letter.) They have of course no good safeguards against credit cards fraudulently issued in their name to somebody else, since they won't get the statements. This leaves them open to massive inconvenience and perhaps financial loss.

Credit card fraud perpetrators are taking legal risks, since what they're doing is criminal, but if they're not caught they make the profits here.

benjamyn999April 15, 2010 10:19 AM

Al (UK). I have a series of questions to determine if the alleged bank calling in the UK is the real bank. Usually I don't know the answer to them, but neither does my bank. Q1 : What is the name of the bank chairman? Q2: On what date each month do I have my statement sent? Q3: What colour is the bank card you are phoning about? (I rarely know that without looking). When I point out that if they don't know this stuff, they can't be the bank, they fade away....

arctanckApril 15, 2010 10:30 AM

@averros: agree with you, but maybe not on the liquidity bit.

@Daniel: Think banks do improve liquidity, very efficiently moving money in a global scale. This helps getting money to wherever or whoever needs money quickly. But what I don't like is the amount of credibility given to financial institutions such that money can be over-blown in value in the form of credit, enabled by shaky risk assessment, diversification etc. And I think this created the mess we have seen.

The system will probably collapse like you said if banks or countries start tightening the amount of money around by too much, because it has already gone this far. If we have not come this far, what would have happen? I think we will be living without the kind of excesses we are seeing nowadays, which I think it's good! Capitalism has already promoted too much creation of useless stuff around that is just wasting resources at the expense of nature. Time to rethink whether such big credits are really necessary in the first place, as I have serious concerns on where the world is going.


MikeAApril 15, 2010 10:55 AM

I was apparently not sufficiently clear, so, despite it being late-to-the-gate, I want to re-iterate:
HJohn wrote in response to my:

@MikeA: "The signature is not so the clerk can verify. It's actually the "I agree to all the terms of the credit agreement,

HJohn:
I don't disagree. Whatever the intended purpose is, it's useless. How many credit card companies ever see the signature, must less know when it was actually signed.

It is not useless because it serves precisely the purpose that the card company wants: It allows them to arbitrarily add charges to your bill, and if you complain, they can point to the agreement that _YOU_ agreed to (by signing the back of your card), and it's up to you to prove you didn't (in which case any purchase you made with that card are fraudulent, possibly criminal). As has been mentioned here many times, a signature is _not_ really for verification of identity. If it was, then the long-standing practice of illiterate people signing with an 'X' would not have any legal force. Yet it does, because it is the act of signing, not the signature, that counts as affirmation of the agreement. IANAL, but as I said, we've been over this many times here.

> He actually compared the receipt I just signed in front of him to the card I just signed in front of him.

Because his part, as specified in his merchant agreement, is only to refuse an unsigned card, so that if you object to 26%/day interest on new purchases, from time of purchase, and somehow managed to get your unsigned card into court, all the charges on that card can be bounced back to the merchants. Of course, it's really a "belt and suspenders", because the agreement probably (they vary) also says that by calling the 800-number to "activate" the card, _or_ by using the card for any purchase, you also agree to it in its entirety.

RayApril 15, 2010 11:12 AM

@Daniel: I'll give you credit for being persistent. ;-)

"It might be helpful if you began to conceive banks more akin to water or electric utilities."

Does anyone else think it is a little disingenuous to compare the business practices of banks to those of natural monopolies? I strongly suspect that whether or not their bank carried the costs associated with the risks of issuing credit would probably be near the bottom of the list of a CEO's "to-do" list if they were regulated as tightly as a public utility (which banks are not, despite your protestations to the contrary).

On an unrelated yet curious note, if banks were regulated as tightly as utility companies, I suspect you would never hear about banking CEOs getting multi-million dollar bonuses...

anonymousApril 15, 2010 1:28 PM

Aren't the lenders already accomplices if they allow such clearly fraudulent applications pass without any additional checks? Besides, should the presence of gross errors automatically invalidate the claims, so that the lenders are in fact the ones committing the fraud?

JeremyApril 15, 2010 2:14 PM

@Daniel: "The bank never bears any costs...When you talk about a bank taking a loss what you are saying is that savers must eat that loss, usually by lower interest rates on deposits."

WTF? Banks have profits and expenses. To claim those are not costs (or not borne by the bank) simply because they can react by charging their customers more is tantamount to saying that NO business EVER suffers a cost because they can charge their customers more in response. The things you are saying cannot be remotely true without stripping these terms of all useful meaning.

For the record, this is (at least) the third *mutually exclusive* argument you have levied against the suggestion that banks should be liable for fraud:

1) That could cause banks to collapse, and we'd be worse off
2) Banks already bear the costs of their decisions, so the proposal is meaningless
3) Banks never bear any cost, as a matter of definition, so the proposal is meaningless

Any two of those arguments are contradictory. None of them are cogent individually, either, for reasons already explained in detail that you have flatly ignored.

As far as I can tell, you don't actually have anything resembling a coherent position, you're just hoping to muddy the terminology to the point that no one can contradict you because no one has a clue what you're saying.

JoeApril 15, 2010 8:02 PM

Banks already spend money on locks, vaults, etc to keep cash secure. I don't see why they wouldn't be willing to invest in systems to reduce fraud if they were held more accountable.

TonyApril 16, 2010 12:00 AM

I'm confused how the bank ties the fraudulent account to a specific individual when items like the SSN or address are incorrect on the original application. Surely the innocent victim here has a good case against the bank for making indefensible assumptions when tying the account to them.

Mauro SApril 16, 2010 5:58 AM

@Tony

There comes another problem (or maybe another aspect of the same problem): justice is very expensive in the USA, so only the rich individuals and big corporations can afford it.

In Brazil, if somebody (bank, merchant) blacklists you for no just reason, it’s like you won a small lottery ticket. It’s cheap and easy to sue the company and get some money for the trouble (“moral damage” is the term). Not much, like US$5k-20k, but enough for the trouble. A junior lawyer would work on contingency and happily get a 20% cut for working like 10-20 hours. I myself once sued the phone company who blacklisted me unfairly and I got $10k as compensation. I asked (and got) an injunction ordering them to un-blacklist me while the lawsuit was running so my good credit was not damaged but for a few weeks.

Needless to say, banks and merchants are extra careful not to blacklist anyone by mistake and are super accommodating if you call them in case they do make a mistake –you are doing *them* a favor, not the other way around. A couple of years ago I had a similar problem with BankBoston and called them when they sent me an angry notice by mail; when they found out they were going to blacklist me for their own fault they melted in apologies and fixed everything in no time and with no further intervention from me.

Of course, a place where only the rich can afford justice is not a “just” place to live.

John David GaltApril 16, 2010 10:55 AM

I support the idea of "internalizing the externality." But having all lenders contribute to a fund doesn't do the job, because it penalizes all lenders equally. The whole point of "internalizing the externality" is to give those who create the problem an incentive to solve it, which means that lenders which are more careful should profit by it.

Therefore I suggest an alternative solution: lenders who are found to have negligently lent to imposters should not be entitled to repayment. The imposter should still be required to pay the debt, but the money should go to the insurance fund or some other public good.

Scott HApril 16, 2010 8:45 PM

Think of it this way: multiple wrongs. First, the fraudster poses as another to obtain monetary or other gain. Then the first victim (the lender or service provider defrauded) transfers the loss to a new victim, the person spoofed. A second wrong has occurred.
I also do not agree with spreading the cost among the other customers. It should be prohibited to perform the transfer of loss. It should be prohibited to spread the loss. Stop the loss at it's source. It would be far more economical and efficient.

Clive RobinsonJune 7, 2010 3:22 AM

@ Mark T,

"Red flag rules.. will they help here if everyone wil start asking your ID?"

Simple answer,

It will provide more oportunity for ID Theft by "business employees" either first hand or second hand.

Oh and it will make "Dumpster Diving" more successfull as well...

And usefully start driving people back to a "cash in your pocket" life style. Which would have a detremental effect on both the credit and marketing industries which cann't be bad 8)

Even though I usually pay cash for everything I can I still get idiots asking for my ID for whatever stupid reason they can think off. However I usualy say to people asking for my ID,

"Provide written proof of who you are, and that you are a fit and proper person under EU and UK law to have access to such data, further that you have the required training and knowledge and that you have lawfull authority to do so?"

Usually a look of "does not compute" passes across their face. It is even funnier when it is a Police Officer. Unfortunatly in the UK judges still have this quaint notion that a Police Uniform is "lawfull authority" as the victims in many many countries know uniforms are easy to obtain and wear and thus convay no information as to lawfull authority at all.

philGAugust 20, 2010 4:53 AM

Data collection:
Identity theft is an insidious evil of the computer age. We all tend to believe that if "it" is stored on a computer it must be the truth, and no one really realises how easily data can be changed and manipulated.

In this age data is collected in numerous ways - RFIDs on your credit card or passport show what you buy and where. A lot of stores use RFID as stock control. These RFID tags are activated by passing a reader - anywhere. So many products carry RFID now - WalMart just announced they will be including them. Automated toll systems carry RFID therefore it can be seen that your voyage in a car has happened and at what time. The same holds true for public transport passes.

All the discount cards and loyalty cards carry RFID and so it can be seen that it is comparatively easy to build a personal profile of what an individual is purchasing, where they are, what credit rating they have and so, so much more.

This leaves the field wide open for identity theft. There is more data on any one individual these days than there ever has been and personally I would find it odd if this data is not being stored somewhere. In much the same way as CCTV information is stored.

There is a good article to this at a site called Time to Awaken and includes many links to similar information sources.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..