Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

ID Theft In US Continues Apace Despite Data Breach Laws

timothy posted more than 6 years ago | from the lack-of-a-parallel-universe-for-experiments dept.

Privacy 117

4roddas points out an article at Techworld about the continued scourge of identify theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends."

Sorry! There are no comments related to the filter you selected.

Put the onus on financial institutions (5, Insightful)

gbulmash (688770) | more than 6 years ago | (#23702295)

Plain and simple, the only thing that's going to really make a dent in identity theft is to make identities harder to steal, and that means requiring all the banks and credit card companies to jump through more identity verification hoops before they give someone your money or a line of credit in your name.

Sure, requiring you to go to a licensed notary and have a credit card application notarized might not make it so easy to get credit, but it would also make it harder to get credit in your name.

The banks and credit card companies could do this, but it's more profitable to let people steal your identity and then just jack up fees and interest rates to cover the losses.

- Greg

Re:Put the onus on financial institutions (5, Insightful)

sydbarrett74 (74307) | more than 6 years ago | (#23702363)

Wonderful points. I would also add that if laws/regs forced the onus of losses on the financial institutions themselves (rather than allowing them to write losses off as a cost of business), said firms would rapidly implement better security mechanisms. As it stands, banks have little incentive to prevent these crimes, because the victims have the burden of proof and responsibility for cleaning up the resulting mess.

Re:Put the onus on financial institutions (4, Insightful)

QuantumRiff (120817) | more than 6 years ago | (#23702485)

Even more than that, I would love to see some laws that simply state the the credit companies have to prove it was you that took out the credit. (you know, innocent to proven guilty, one of the cornerstones of our democracy). Right now, you have to find out what is going on, and then prove to them that you didn't request/use the money. If they would just put the principle of innocent till proven guilty, the banks and credit companies would have to drastically change the way they give credit. (since they have to prove its you!).

I also think much would change if everyone had a right to get their own information that is collected from them. I can get credit reports 1 time a freaking year. thats it. Not to mention all the other companies that collect information about me. Some use that information for things like employment screening. How the hell am I supposed to know that I didn't get a job, because some company I have never heard of claims I had a record. (maybe they mistyped my social security or name...). Employers are scared of lawsuits, and they never tell you why you weren't selected..

Re:Put the onus on financial institutions (1)

SeaFox (739806) | more than 6 years ago | (#23707249)

You can get one credit report from each reporting firm per year, and they generally mirror each other. Since there are three firms what you do is get a report from a different firm every four months.

Re:Put the onus on financial institutions (1)

foniksonik (573572) | more than 6 years ago | (#23709373)

I can get credit reports 1 time a freaking year. thats it.

Huh??? for $48 you can get all 3 reports any time of year you want... as many times as you care to pay $48. I do it 4 times a year if I'm financially active, opening closing accounts, buying a house, a car, etc. If not I do it 2 times a year just to check up on things.

Sure a lower price would be nice (It was only $30 2 years ago). But hey... it's certainly not that expensive when you consider the alternative... ie: ignorance.

Re:Put the onus on financial institutions (5, Insightful)

menace3society (768451) | more than 6 years ago | (#23702655)

I've been saying this for years. Identity theft, like intellectual property theft, doesn't actually occur. What happens is financial-services fraud, to take advantage of my name and fiscal responsibility to get cash. At no point does anything that properly belongs to me ever get taken, or even leveraged. What gets leveraged are things like Social Security Number (property of the US government) and Credit Rating/Credit Score (property of the various agencies that compile them). I don't get tricked into anything, the bank gets tricked.

The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges. If you call it 'identity theft,' then it seems more reasonable to blame the person whose name was forged, but (and this is important so it's gonna be in all caps) THE PERSON WHOSE ID IS STOLEN IS NOT THE VICTIM. The bank is, and the whole process from start to finish ought to be the bank's problem.

If we had more strict laws on consumer data protection, this shit wouldn't happen.

Re:Put the onus on financial institutions (2, Interesting)

hedwards (940851) | more than 6 years ago | (#23702813)

That's hardly accurate at all. The only thing I can agree with is that with proper data protection laws, this wouldn't happen so frequently.

The reason why it's referred to as identity theft is that fraudsters will use a real identity to open multiple accounts with multiple institutions and leave the bill for the victim to pay. And yes, that's how banks want it to work, they usually draw things out for many months, refuse to admit that it was their fault for having a shoddy system to verify these things.

The cost of this can easily reach into the thousands of dollars for the victim. To suggest that banks just roll over and admit that it was fraud is really missing the point. In most cases they don't, as far as their concerned they should be paid, and the person who got ripped off is them.

I was very fortunate to just lose my email, name and address to spammers when TD Ameritrade had that large breach. I have no way of knowing if they got more, and decided not to use it, or if they will at some point in the future. In the state I live in, I'm not guaranteed a free credit freeze unless Ameritrade were to file a police report admitting it. AFAIK there's no law that says they have to do so and it's very much possible that the week they stop paying for the monitoring, that the information will be used.

Re:Put the onus on financial institutions (1)

lorenzo.boccaccia (1263310) | more than 6 years ago | (#23703237)

A side problem is to define what data protection is. As privacy is a grey area of constitution, definition will always be bent toward profit.
Also note that there are law, as the one stated in the summary, which mandates to notify security breaches, but those are totally irrelevant, as corp could just hid the head in the sand and play the didn't know card.
An while we are there, there are data protection law, but protecting data is only half of the problem. The other half are untrained interns, which gave up for the most obvious "social engineering" tricks. SSN are not meant to be authenticated identifier, and using them as such is just plain stupid: if ssn were to be an ubiquitous identifier used wherever authentication is needed, then anyone to which you identify to could use your ssn to identify as yourself on other services.
This is why it is bad, bad, bad to confuse identification with authentication. [thesatya.com]

Re:Put the onus on financial institutions (4, Interesting)

kesuki (321456) | more than 6 years ago | (#23703023)

"The problem is, if you call it 'fraud' then the defrauded entity is on the hook, and that entity gives and lends tons of money to politicians, lawyers, and judges."

there is more sophisticated type of 'identity theft' that is much more complex, basically, all you need is a mark, a few social security numbers, a couple weeks and a home. every couple of weeks, you use the money you've stolen to acquire more properties, and for each 'fabricated' identity, you take out a new mortgage on a property, legally you can't take out 10 mortgages on one property, but if you work the system, you can get dozens though on the same property, seemingly from different individuals all who appear to be the only owner of that property. this crime scales all the way up to multi-million dollar skyscrapers, at least if you do it right. if you can manage to beat the system long enough you can run away with millions leaving a massive massive debt several millions of dollars greater all belonging to your 'mark;' who, according to all the paper work, did all the signing, even though there was massive massive fraud committed. and for once, banks actually call it fraud. the marks always wind up in prison, they thought they were doing a 'work at home business' helping their lover... they guy i heard about who managed to do all this, did it three times to three different women, but he was too greedy, and never pulled out with the millions he could have... the first thing that happens is they freeze all the assets, if they even suspect someone is doing this, so it's all a matter of pulling out before they know what you've done. it's crazy how easily this kind of identity theft can be done, once you know the whole mortgage system, and how to get a mark to sign all the paperwork, without them knowing what you're up to.

it was on dateline, the guy who kept coming back to the same scam, he even wrote a 'fictional' book, all about how he did all his crimes, sadly the book itself was the most incriminating evidence against him in the crime, all the paper trails led to his 'women.' finding a woman who doesn't know much about running a business, and learning all the skills needed to pull off the crime are way too easy, banks really really want to believe what people are telling them. especially when the paperwork all goes through fine.

Re:Put the onus on financial institutions (5, Insightful)

sjames (1099) | more than 6 years ago | (#23703425)

What will really fix things is to recognize that what we call 'identity theft' is nothing more than two frauds jammed together.

The first is some scumbag defrauding the bank into giving them money in someone else's name. The second is when the bank tries to pass the buck by making a third party pay the debt back.

The bank's crime is even worse. They commit extortion by threatening to libel (report an adverse credit event resulting in declined loans and higher interest rates) the 'victim of identity theft' unless they pay for the bad debt they didn't have anything to do with.

I fail to see how the bank's behavior is any better than if I were mugged in the park and decided to "make it right" by mugging the next person I see.

Re:Put the onus on financial institutions (1)

RAMMS+EIN (578166) | more than 6 years ago | (#23706377)

``THE PERSON WHOSE ID IS STOLEN IS NOT THE VICTIM. The bank is, and the whole process from start to finish ought to be the bank's problem.''

So you are saying that the banks have a problem, and they have somehow found a way to make the people whose credentials were used pay for it? How does this work? How can we stop it?

Because, the way I see it, it's like this: Alice has some account with the Bank. Then Eve comes along and uses Alice's credentials to perform transactions. These transactions benefit Eve, but the Bank believes they were authorized by Alice. When the Bank comes to collect from Alice, Alice denies that she authorized the transactions.

The burden of proof is on the Bank to show that Alice authorized the transactions. The bank demonstrates that Alice's credentials were used to authorize the transactions. What happens then depends on the strength of the credentials: if it is reasonable to assume that someone else could have used Alice's credentials, the fact that Alice's credentials were used does not conclusively demonstracte that Alice authorized the transactions. The bank loses. If, on the other hand, the credentials are such that it is reasonable to assume that only Alice could have authorized the transactions (either by using the credentials herself, or by passing on the necessary information to someone else), then, apparently, Alice did authorize the transactions, and she has to pay.

Did I miss anything?

Re:Put the onus on financial institutions (0, Troll)

davester666 (731373) | more than 6 years ago | (#23703155)

You're thinking about this all wrong. George Bush is attacking this problem from the other side, by making the theft of your identity less valuable to the thief.

He's doing it by wreaking the economy of the US, sinking it into what is at least a minor depression.

But with widespread reporting of the poor US economy, the smart ID theft gang's should be targeting Europe and Asia instead of the US...

The George Bush, sneaky like a fox. Or a complete moron.

Re:Put the onus on financial institutions (1)

jimicus (737525) | more than 6 years ago | (#23706183)

I would also add that if laws/regs forced the onus of losses on the financial institutions themselves (rather than allowing them to write losses off as a cost of business), said firms would rapidly implement better security mechanisms.
Such losses tend to be borne ultimately by the customers rather than the institution. The only way to negate that is to enforce fines so large that passing them onto the customer would actually wind up more expensive in terms of lost custom than simply obeying the law.

Re:Put the onus on financial institutions (1)

kaufmanmoore (930593) | more than 6 years ago | (#23702379)

What about wire transfers and fake checks? Should we get every check we write notarized as well? It shouldn't be the bank's fault if somebody decides to click that e-mail link or wires money to help someone in Africa.

Re:Put the onus on financial institutions (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#23703641)

Fake checks? Put the burden on the banks and they'll come up with a system that does positive confirmation within a day or two; right now, checks can fail months after they've settled.

You still write checks? (1)

Joce640k (829181) | more than 6 years ago | (#23706991)

Are you living in the dark ages?

Re:Put the onus on financial institutions (1, Insightful)

homer_s (799572) | more than 6 years ago | (#23702413)

If someone "steals my identity" and gets credit, am I responsible for paying the loan or does the financial institution just eat it?

My friend's husband had his SSN stolen and they were convinced that they'd have to repay. They showed me the IL attorney general's website which supported their conclusion.

If that is true, then this problem will not go away. Make the financial institution eat the loss caused by their stupid reliance on a 9-digit number that is not even supposed to be secret.

Re:Put the onus on financial institutions (4, Interesting)

liquidpele (663430) | more than 6 years ago | (#23702617)

1) If you file a police report and go through all the motions (contact credit companies, etc) you'll most likely win in court. If you don't do all that, it might look like you're just trying to get out of paying.

2) Credit card companies are usually very good about not holding you liable. They've basically built it into their business model though, because if they try to force you to pay, you can just tell them to shove it and then all they can do is make your credit bad (which it already would be). Banks and Taxes can take your house though, they tend to be much harder to convince and you'll want to get a lawyer.

Re:Put the onus on financial institutions (2, Informative)

homer_s (799572) | more than 6 years ago | (#23702635)

Thanks - that is basically what I've heard.
It is not just the banks though - people are using SSNs to collect other people's unemployment. Good luck trying to get your benefits when you need them most.

Re:Put the onus on financial institutions (3, Interesting)

liquidpele (663430) | more than 6 years ago | (#23702979)

Heh. It goes beyond that. People can do all kinds of things with your SS#. Some will forge your birth certificate, then transfer your house to their real (or another fake) identity and then sell it while you're still living there. Basically the buyer is out a lot of $$ unless they got the title insurance (which is pretty standard when buying a house). The main point here is that there are things that are easy to do with another identity, and others where the risk of getting caught goes up a lot. Most thieves stick to getting credit cards and using them online, or using your SS# for a job so they don't have to pay taxes, and then not staying at that job for more than 8 months so that they're gone by the time the company files its taxes (usually illegal immigrants do that as they tend to move around from job to job more).

Re:Put the onus on financial institutions (1)

homer_s (799572) | more than 6 years ago | (#23705063)

In India we are pretty backward when it comes to this. Unless you have a signed, notarized document, there is not contract or agreement.

It is far from perfect though - forged signatures, corrupt notaries & bad titles increase the cost of doing business. But I'll take that any day over relying on a number that about a thousand people know by now.

Re:Put the onus on financial institutions (0)

Anonymous Coward | more than 6 years ago | (#23704999)

people are using SSNs to collect other people's unemployment.

It can get worse -- they can actually create other people.Some years back, I worked with a guy (retired army major) who knew so much about computers it was scary. While in the service, he was given the job of combining the army's personnel and payroll records. Hard to believe, but they were all on tapes in separate locations.

As the work progressed, he found many instances of multiple checks, in different names, being sent every month to the same address. Most were the addresses of high-ranking officers.

When he brought it to the attention of his superiors, he was cautioned not to investigate further -- excuses were proffered to the effect that "These are people in undercover operations" and similar crap.

As he put it, "To watch the Generals' Protective Association spring into action is to witness a thing of beauty."

Re:Put the onus on financial institutions (1)

mh1997 (1065630) | more than 6 years ago | (#23702429)

Put the onus on financial institutions
It already is - kind of - because you are not required to pay for the fraudulant actions, however, we all pay like you said in higher fees and interest rates.

There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors.
I just can't believe a criminal would break the law! If we could just have stricter jay-walking laws then everyone would be in jail before they commit the big crimes.

Re:Put the onus on financial institutions (0)

Anonymous Coward | more than 6 years ago | (#23702571)

I just can't believe a criminal would break the law! If we could just have stricter jay-walking laws then everyone would be in jail before they commit the big crimes.
You should spend less effort on sarcasm, and more on reading comprehension. The research is investigating whether laws requiring companies to disclose record theft ultimately impacts the frequency of identity theft. This has little to do with the thieves themselves, but rather changing the environment in which they operate.

One might imagine that required disclosure would (a) give companies an incentive to improve security and avoid embarrassment and (b) give customers advance warning to take precautions when their information is stolen. The fact that this isn't working is interesting because it motivates several new conjectures:
  • The disclosure process is not encouraging better security practices.
  • Consumers are not taking precautions when informed of record theft, don't know what precautions to take, or none of the precautions are actually effective.
  • Theft of commercial records is not in fact the dominant source of information in identity theft.

Investigating each of these is a next useful step in figuring out what to do here.

Re:Put the onus on financial institutions (3, Interesting)

mrmeval (662166) | more than 6 years ago | (#23702445)

Legal notaries can and will commit fraud for a suitable fee but I can get a notary stamp and do it myself cheaper. ;)

http://www.notarypublicstamps.com/products.asp?StateID=15 [notarypublicstamps.com]

Put the onus on the financial institution monetarily and make it treble damages in addition to jury awarded punitive damages and legal fees. Make it so that it must go before a jury and not ever arbitration. I'd want punitive damages so high their investors suffer and I'd want those damages set aside in a fund to help identity theft victims have damages that don't warrant or won't benefit fro a lawsuit or have emergency needs.

Re:Put the onus on financial institutions (0)

Anonymous Coward | more than 6 years ago | (#23704983)

Why arbitrarily make identity theft extra expensive with treble damages and a jury trial? If financial institutions bear all the costs, what do you care whether they prevent your identity theft from happening or take care of it after the fact?

They should do what they'll choose to do anyway, which is the cheaper of the two options. What argument is there to do otherwise in a strictly financial realm?

Notary probably not even robust enough (1)

morgan_greywolf (835522) | more than 6 years ago | (#23702565)

Sure, requiring you to go to a licensed notary and have a credit card application notarized might not make it so easy to get credit, but it would also make it harder to get credit in your name.
Even a notary might not be robust enough. Almost anybody with a relatively clean criminal record can be a notary in most states -- you pay like $50, tell the judge you want to be a notary, they pull a background check and if you have no felonies or major larcenies on your record -- well, there you go -- the judge will sign theo order making you a notary. You'll have to get your own seal, of course, and these usually are like around $100.

Re:Put the onus on financial institutions (1)

a_claudiu (814111) | more than 6 years ago | (#23702607)

What about an ID card? I know, I'm from Europe (not UK).

One-Time Passwords for Transactions (2, Interesting)

Doc Ruby (173196) | more than 6 years ago | (#23702611)

I hate giving my PIN to vendors. I hate typing my PIN on random ATMs - and rarely do it. I hate typing my PIN into authorization keypads at stores, but what can I do?

Every transaction should have its own unique PIN attached to the transaction's amount and recipient. Credit cards with chips could do this right now, RSA-password style, generated against the one-time password from the vendor's machine for the transaction, in a data package with the vendor's invoice signed by the vendor's transaction password that my card keeps. In fact it should be transacted over my phone and archived in my personal DB.

This tech is here, and pretty cheap. Banks should pay for it. Their insurance corps should make them pay for it. Until they do, consumers like us will pay most of the costs, especially in a lifetime recovering from a "one-time" ID theft.

Re:One-Time Passwords for Transactions (1)

JasterBobaMereel (1102861) | more than 6 years ago | (#23707247)

Before Chip and PIN, if someone used your card the bank would try and blame you and usually fail (because you were assumed to be careful) now you use your PIN everywhere and it assumed it was your fault ... a win for the banks then ...

Re:Put the onus on financial institutions (1)

hkmarks (1080097) | more than 6 years ago | (#23702645)

In other news: Information still wants to be free.

Yes, yours too.

Re:Put the onus on financial institutions (1)

Gazzonyx (982402) | more than 6 years ago | (#23702689)

While I agree with your post, I think it could be summed up in another way; the only way identity theft is going to go away is when it is no longer a lucrative venture.

Re:Put the onus on financial institutions (1)

erroneus (253617) | more than 6 years ago | (#23702913)

I have to completely agree. This problem is THEIR fault and THEIR problem. They lobbied and created this "credit system." The illegal institutionalized [ab]use of the social security number system is just a part of the whole corrupt system. These systems were created as a means to control the risk that financial institutions take when lending money or issuing credit (which is essentially the same thing). This system has been wildly successful and has proven to boost their ability to calculate risk more accurately and hence boost their profits.

The result on the other side has been catastrophic in my opinion. People are more in debt than they ever should be, and while it's arguable that people should be responsible and knowledgeable enough to know better than to put themselves into too much debt, even a little understanding of human nature reveals that even when people know better, they do it anyway. One can safely assume that the various sales and financial institutions are also well aware of this human flaw and are knowingly actively exploiting it.

It's not "identity theft" in reality. It's exploitation of the credit system. The credit system is not my "identity." They call it identity theft to make it sound like people are taking something away from individuals and automagically shifts the harm and the responsibility to the individuals represented by these numbers and database records. This is **SPIN**. And since it's exploitation of the credit system, it should be identified as such and the harm, blame and responsibility for it placed on the heads of those who use, and control it.

Re:Put the onus on financial institutions (1)

Zarf (5735) | more than 6 years ago | (#23704075)

Are you running for president (of the US)?

Re:Put the onus on financial institutions (1)

Malc (1751) | more than 6 years ago | (#23705005)

You're right: being proactive and working against this upfront is better than reactively punishing people. I think one point you miss though is more robust and stringent privacy laws, rather than letting businesses/etc self-regulate.

Re:Put the onus on financial institutions (0)

Anonymous Coward | more than 6 years ago | (#23707279)

The core problem, imho, has been the explosion of people asking for or demanding your SS# for everything from utility companies to cable companies to renting a car. Take a look at your SS card; it says on it, quite clearly, "Not for identification." The government should never have perverted our SS #'s into a ubiquitous way to identify us.

Perhaps a better idea would be for a UPC code to be stamped on out butts at birth. That way, if someone wanted proof of identity...you could always moon 'em.

Get Personal Data off your computer (5, Interesting)

imus (1229508) | more than 6 years ago | (#23702319)

Search [vt.edu] your files for social security and credit card numbers before hackers do.

Re:Get Personal Data off your computer (4, Insightful)

deadmongrel (621467) | more than 6 years ago | (#23702481)

I have had my identity stolen twice and both time it was a data breach with a merchant I was dealing with. I find it appalling that it is so easy to get a credit or signup for a loan. How about more responsibility on the bank merchant part? The there credit bureaus should be held responsible for this mess. They are making profit using our data and we end up paying to clean it up or monitor it.

Re:Get Personal Data off your computer (3, Insightful)

Ihmhi (1206036) | more than 6 years ago | (#23703477)

How do we even know it's you posting right now?

All jokes aside, banks make tons of profit off of easy credit. When credit is easy for damn near anyone to get, people are (generally) going to run up large bills.

A very good friend of mine had a credit card (I think a Visa) for almost 2 years and they never increased his limit about the initial $500. Why? Delinquent on payments? Nope, it was actually the exact opposite - he paid his bill at the end of every month and on time. He was actually told that he would have to start maintaining a balance (and therefore generate interest) if he wanted his limit to go up.

So he cancelled the Visa card and got an American Express. They took note of his excellent credit record and handed him a card with a much higher limit. He never goes anywhere near it and still pays his bills on time.

Fiscal responsibility is not profitable in the credit and banking industries. If everyone balanced their checkbooks and paid their bills on time, a load of banks and CC companies would go flat broke. That's why things like the minimum payment (which is calculated to make sure you have a balance on the card for 30 years) exist.

Re:Get Personal Data off your computer (1)

mazarin5 (309432) | more than 6 years ago | (#23704289)

I've taken the best precaution available: My credit is horrible. (Try to get a loan with my name, Mr. Thief!)

Re:Get Personal Data off your computer (1)

kesuki (321456) | more than 6 years ago | (#23703081)

well, excuse me for not using your tool. i wear a tinfoil hat, and while you do provide source, I'd have to painstakingly check every line of code, to make sure it didn't dump the data somewhere, on some remote web server or something, and i don't need to do that much to make sure my data is cleared. if the built-in data clearing tools of firefox aren't effective, there is a nice little tool called darik's boot and nuke. a mil spec hard drive eraser. i don't quite run it monthly, but it takes me about half a day to wipe a system, format and reinstall. http://dban.sourceforge.net/ [sourceforge.net]

as far as backup data, i don't restore most of my backup data, and i trust a mil spec drive wiping tool a lot more than i would some tool to 'search' for hidden data on my hdd. yeah i know microsoft internet explorer is terrible at keeping personal data, it probably keeps the credit card number from every time i've purchased something online in one of it's files that it almost never erases...

but that's exactly the kind of data i don't even back up.

Ironic (0, Funny)

Anonymous Coward | more than 6 years ago | (#23702321)

So much concern here on slashdot on id theft, when most of the readers are busy stealing from others (music, movies, etc.)

Re:Ironic (1)

sydbarrett74 (74307) | more than 6 years ago | (#23702381)

Agreed. Theft is theft.

Re:Ironic (0)

Anonymous Coward | more than 6 years ago | (#23703453)

I think of it the other way. If downloading music/movies/software off P2P (or any other means) isn't theft then surely "identity theft" is also not theft.

Re:Ironic (1)

Foobar of Borg (690622) | more than 6 years ago | (#23704421)

So much concern here on slashdot on id theft, when most of the readers are busy stealing from others (music, movies, etc.)
Actually, neither of these is theft. The former is fraud and the latter is copyright infringement.

Breach notification laws (5, Insightful)

computerman413 (1122419) | more than 6 years ago | (#23702323)

Data breach notification are useless when institutions don't know they've been breached. I'm sure there are lots of those cases.

Re:Breach notification laws (1)

deadmongrel (621467) | more than 6 years ago | (#23702495)

And also what is preventing them from not reporting a breach? How easy is it to actually coverup a breach. They can always come back and say "Oops! we did not know someone had breached security measures.

Re:Breach notification laws (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#23702515)

Yep. And just because companies must notify consumers of a breach doesn't mean any sign that they'll actually do it. Sex offenders are required to notify the sex offender registry when they move. Not all sex offenders do that, either.

Re:Breach notification laws (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#23703687)

If you were a sex offender, would you notify your neighbors? I wouldn't - in a group of 100 people, at least one would think I was a serial pedophile after his kids and come for me at night. Also, in some places, there isn't any legal place for a SO to live - last I checked, it was illegal to ban someone from a city.

I am stealing this guys Identity fo post this (0, Troll)

infonography (566403) | more than 6 years ago | (#23702339)

BWAHHHAAAAA

Re:I am stealing this guys Identity fo post this (1)

morgan_greywolf (835522) | more than 6 years ago | (#23702529)

LOL! Im in ur account, stealin' ur identity!!!!

Re:I am stealing this guys Identity fo post this (1)

infonography (566403) | more than 6 years ago | (#23704219)

sarcasm, it's a lost art on slashdot.

Have the responsibility be on those responsible... (1)

Fallen Kell (165468) | more than 6 years ago | (#23702409)

There is a very simple fix and it will be to have the costs and time that is needed to fix everything that occurs when someone's identity is stole be put on those responsible for the loss of the information which enabled the identity to be stolen in the first place. This means, if a company has a database which is breached from a known security vulnerability or from complete disregard of standard security practices, that company should be liable to fix the issue, not the customer who's data was lost. Any time that the customer has to spend dealing with banks, financial institutions, and government groups relating directly to having to fix issues from the stolen identity should be time that is directly charged to the company at a set fee, or the company can directly handle the issues themselves in some fashion.

The next step would be to start putting fines on companies that repeatedly let personal data be stolen or otherwise inappropriately accessed.

Two major things would start happening with laws like the above in place.
1) Personal financial data will no longer be stored
2) Customer information will also no longer be brokered between companies

These are both very good things for the consumer. Yes, there will be the extra hassle of needing to input your data each time you make a purchase online, but you could always setup your browser to store that information and have it auto-complete (not that I recommend doing that). There is no need for companies and business to keep full credit card information of a customer. The last 4 digits should suffice, and in the even of a return, the customer would need to submit the full card number so the return can be processed.

The only times this will cause any kind of problem is when dealing with pre-orders and returns. For a purchase that is happening and being charged at the moment, nothing will need to change, and it will work as normal.

Re:Have the responsibility be on those responsible (1)

liquidpele (663430) | more than 6 years ago | (#23702631)

You're going at the problem from the wrong angle. Identity will *always* be stolen (phishing, etc). You have to make the information not worth anything.

Basically, they should make the credit companies automatically have every single person's account in "theft protection mode" where they contact you by phone or letter to get permission to give out a copy of your credit. This makes it pretty much impossible for someone to get a loan, car, or credit card in your name. Then they need to make it so it's easy to switch social security numbers if someone is working under yours and not paying taxes (assuming you can prove this of course). Or at least make it more of a priority to catch such assholes.

Re:Have the responsibility be on those responsible (2, Interesting)

liquidpele (663430) | more than 6 years ago | (#23702641)

I take that back. They should put the burden on the companies to verify the social security # before hiring the person, or else they have to pay the taxes instead of the person (the thiefs usually don't have any taxes taken out to maximize their profits).

Re:Have the responsibility be on those responsible (1)

mpe (36238) | more than 6 years ago | (#23705815)

Then they need to make it so it's easy to switch social security numbers if someone is working under yours and not paying taxes (assuming you can prove this of course).

Or even simpler not using SSN's for anything other than their intended purpose in the first place.

The solution is technology (4, Insightful)

Jimmy_B (129296) | more than 6 years ago | (#23702415)

Your credit card number is not a password, because you have to give it away every time you buy something. If someone wants to steal a credit card number, they can get it from any unscrupulous employee of any business that sells things, which means they'll always succeed. The solution is to replace credit cards with smart cards that use public-key cryptography. That means that your credit card contains a number which you can use to sign transactions and prove that you are authorized to make payments, but you don't have to give every employee of every merchant you buy from the power to impersonate you.

Social security numbers have the same problem, only worse, because you can't just cancel your SSN like you can with a credit card. Banks pretend that your SSN is a password, but there are thousands of people who have access to your social security number and at least one of them will sell it on the black market.

Fixing this mess will cost the banks a lot of money, but they made this mess and it's their responsibility to clean it up. We need the federal government to mandate real security measures, because fraud is quickly becoming the norm.

Re:The solution is technology (4, Interesting)

cdrguru (88047) | more than 6 years ago | (#23702739)

Banks don't care because it costs them almost nothing to live with the current state of things. Credit card fraud costs the consumer, mostly because merchants get ripped off and have to eat the cost of sales to fraudulent card numbers.

Credit card companies have very strict rules for merchants that prevent them from validating who a customer is beyond the signature on the card. For instance, they are not allowed to ask for a photo ID. If the card says "check ID" instead of being signed they are not supposed to accept it as it is not signed. The signature indicates that you have accepted the terms of the credit agreement, not any sort of identity verification. Violation of the merchant agreement can result in the merchant account being terminated. These days, a retail store not being able to accept credit cards might as well just fold up shop.

Fraudulent loans and financing are a very small percentage. The FBI mandated that credit card fraud be lumped into "identity theft" a while back and that is where all the numbers are coming from. Unfortunately, there isn't any motivation to fix the problem because the wrong people - the merchants - are paying for the fraud.

Re:The solution is technology (1)

Is0m0rph (819726) | more than 6 years ago | (#23703207)

My stupid state Arizona for years and years actually used your SSN as your driver's license number and put it right there on the card.

security? (1)

CaptainNerdCave (982411) | more than 6 years ago | (#23703255)

or is this the same situation as the airlines and many online transactions: the illusion of security?

because joe and jane public know almost nothing about how the banking system works (and most don't seem to care), they don't understand the lack of security. another way to look at it might be to find some way to convince the average american that the government isn't looking our for everyone's interests, that's a tertiary objective. i've had many conversations with people about how various chemicals that are/were widespread (saccharine, aspartame, vioxx) have taken so long to be removed from the market, if ever. the most common response is that they trust the government to tell them what's ok. there are many more points to these discussions, but i've just made the most important one

Re:The solution is technology (1)

jimicus (737525) | more than 6 years ago | (#23706261)

The solution is to replace credit cards with smart cards that use public-key cryptography. That means that your credit card contains a number which you can use to sign transactions and prove that you are authorized to make payments, but you don't have to give every employee of every merchant you buy from the power to impersonate you. .......
Fixing this mess will cost the banks a lot of money, but they made this mess and it's their responsibility to clean it up.
Stop right there. You're taking the classic /. argument which says "It is technically possible to solve this problem, therefore the solution must be implemented".

Thing is, it's been technically possible to solve this problem for years. Go back in time 50 years or so (when people actually had to go into their bank to do anything) and they could have solved it simply by taking fingerprints and keeping someone onsite who was an expert in fingerprint analysis.

The reason that these technical solutions are seldom adopted is because the banks are in business, and the first rule of any business decision is to ask yourself "what is the benefit to the business?".

So (taking numbers out of thin air), if it costs $100 million for a bank to implement a PKI-based smartcard system but this system will only save them from $5 million worth of fraud, then it's not going to happen.

In your particular example, all you're doing is eliminating credit card fraud. Well, all the banks in the UK introduced chips on the cards a couple of years ago and you now need your PIN to authorise a card transaction. Hasn't eliminated fraud at all, it's just made the criminals more sophisticated.

Identity Clearinghouse (4, Interesting)

Dachannien (617929) | more than 6 years ago | (#23702477)

A long time ago, I wrote up a description of an identity clearinghouse, a government-run agency that allowed lenders to verify a potential borrower's identity without giving the lender any unnecessary information about the borrower's true identity. From the private citizen's side, it's all optional - register with the clearinghouse if you want, and go it alone if you want. From the lenders' side, it's mandatory to check with the clearinghouse before opening a line of credit for someone.

To register with the clearinghouse, you go to a local government agency where identity is "managed" - e.g., your local DMV. You register there by providing your current contact information, and they ensure that you are the person you claim to be through their normal identification procedures (such as picture ID/driver's license pictures on file). If you later need to change your contact info, you do the same procedure (going to the DMV in person) to prove your identity.

When you apply for credit somewhere, the lender first uses the identifying information you have provided to them (such as name, address, SS#, etc.) to verify your identity with the clearinghouse. If you haven't registered, the clearinghouse just responds that there's no such registrant in their records, and the lender is free to grant credit to the applicant. But if you have registered, the clearinghouse first checks to make sure the information they have on file matches the information the lender provides, and second, they use the information they have on file to contact you directly and ensure that you actually applied for credit with the lender in question. If both of those checks succeed, they respond to the lender with "yes", and if either fails, they tell the lender "no".

This would greatly reduce the instances of people opening lines of credit in other people's names. However, one problem it doesn't address is fraudulent charges to legitimate lines of credit you already have (e.g., stolen/copied credit cards). Credit card issuers and merchants are both often on the hook for most of those sorts of charges, though, so they already take at least some steps to reduce that kind of fraud.

Re:Identity Clearinghouse (2, Insightful)

cdrguru (88047) | more than 6 years ago | (#23702679)

Problem today is with "identity management" agencies. In Illinois the Governor mandated that the state DMV department (Secretary of State's office) would give driver's licenses to people producing a card from the local Mexican Matricula Consular [americanpatrol.com] office. What they do is give you (or anyone else) an ID that says you can then get a valid Illinois driver's license. Verification? None. It seems that birth records aren't well maintained in Mexico so it would be difficult for them to establish if someone was really even from Mexico under the immigration policies in effect in Illinos. Therefore, no ID is required to get this form of identification.

With this as a starting point, you can basically get anything you want in Illinois. If you would like a SSN on your driver's license you can have that as well. Again, no verification or validation is needed. It is required that you be able to write your name.

This same practice occurs in a number of other cities and states as well.

I believe they would feel obligated to provide a translator if someone showed up speaking nothing but Klingon.

Just remember, they aren't stealing your identity, just borrowing it.

Re:Identity Clearinghouse (1)

rossz (67331) | more than 6 years ago | (#23703369)

Sounds fine, except why does it need to be a government agency? I trust the government less than I would a business that has a vested interest in doing a good job providing a service. It's extremely rare for a government bureaucrat to get fired for incompetence. In business, if someone screws up enough they get shown the door.

And this is why the executives at Microsoft should (0, Offtopic)

Growlor (772763) | more than 6 years ago | (#23704345)

be fired by the stockholders (I know bashing Microsoft in Slashdot - imagine that!) But seriously, they were in the perfect position to become this. They had the money and they had the universal presence to pull it off. But they proved themselves to be such untrustworthy, scheming pricks that noone in their right mind would follow along. Talk about a missed opportunity. Maybe Google will realize they still have a chance to do this. So far they seem to have done a decent job resisting the temptation to completely abuse the data they already have on us. They are probably the best hope for us here.

too many notices (1)

Benjamin_Wright (1168679) | more than 6 years ago | (#23702551)

It is irresponsible for law and legal practice to bury consumers with an excessive number of data breach notices [blogspot.com] . The notices happen so frequently that their meaning is diluted. --Ben hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html [blogspot.com]

So once again... (2, Insightful)

tekiegreg (674773) | more than 6 years ago | (#23702561)

...we've proven that a piece of paper alone can't stop crime, pollution, educate our kids, etc. it is only the enforcement thereof, or in the case of ID theft, steps to prevent such crime that will ultimately solve our problems.

Long story short, let's move along and work to end the problem, not just write paper against it.

Some peope here are dead wrong (1)

LM741N (258038) | more than 6 years ago | (#23702563)

The majority of identity theft occurs due to illegal aliens using other people's SS numbers to gain employment. The criminals are in the minority. The solution to this is effective immigration policies, not draconian laws.

Also, its rare for the illegal aliens to take out credit or anything on the SS number. They are just using it for employment purposes and thats it.

Re:Some peope here are dead wrong (1)

gujo-odori (473191) | more than 6 years ago | (#23702811)

Well, illegal aliens *are* criminals (that word illegal means something) and using someone else's social security number as your own - for *any* reason - is a felony. So again, they're criminals. Perhaps a better way to put it might be "the majority of the criminals are illegal aliens" rather than stating that the criminals are in the minority.

About immigration, I don't think it's mostly our policies that are ineffective, it's the enforcement. We need a southern border that a greased cockroach would find it difficult to sneak across. However, there is one policy that needs to be fixed: we need to end no longer necessary and foolish policies like granting automatic citizenship to anyone born in the United States, regardless of the immigration status of their parents. In most countries, citizenship by birth requires that at least one of the parents be a citizen of that country. In the United States, I would relax that a little: to have citizenship by birth, at least one parent must be either a US citizen or a legal permanent resident, and the other parent must be in the United States legally. In other words, if either of parent is in the United States illegally, no citizenship by birth. To get citizenship in such a case, it should be required that either the legal parent get legal status, or the child petition for citizenship upon turning 18. If we got rid of "anchor babies" we'd solve one part of the illegal alien problem.

Now, before anyone tries to jump on me as being any of a xenophobe, a racist, or $EPITHET_FOR_PEOPLE_WHOSE_POLTIICAL_OPINIONS_YOU_DONT_LIKE, I spent a large part of my life living and working outside the United States, all in countries where people who spoke my language or looked like me were pretty rare, and whose immigration laws are like those I support for the United States. I found that to be totally fair.

Secondly, my wife is a legal immigrant to the United States, is a member of a racial/ethnic group that would certainly be affected by the policy and enforcement changes I support (she's one of those people who don't look like me or natively speak my language, too). She supports them, too. They are reasonable, and are the law in her country of citizenship.

Third, all of our kids were born outside the United States. One was born in a country of which neither of us has citizenship. I don't find it in anyway unreasonable or unfair that our child doesn't have citizenship in that country; after all, she was just born there. That doesn't entitle her to anything. Our kids all have dual-citizenship as citizens of the US and of my wife's country; they shouldn't be entitled to citizenship of a third country just for being born there.

Re:Some peope here are dead wrong (0)

Anonymous Coward | more than 6 years ago | (#23702867)

You know, you sound awfully apologetic in spite of the viewpoint you are expressing. I find that pretty fishy.

Re:Some peope here are dead wrong (0, Flamebait)

gujo-odori (473191) | more than 6 years ago | (#23703063)

And I find you to be a stupid piece of shit. I guess we're even.

Re:Some peope here are dead wrong (1)

gujo-odori (473191) | more than 6 years ago | (#23703903)

I just want to thank the moderator who correctly modded this as flamebait rather than troll.

Well, for some value of correctly. He *is* a stupid piece of shit, so I could actually go with +1 Insightful.

Thanks, folks, I'll be here all week.

Re:Some peope here are dead wrong (0)

Anonymous Coward | more than 6 years ago | (#23703181)

Well, unfortunately, the US govmt doesn't see them as criminals- but instead cheap labor. Still the poster is effectively refuting much of what is said here about ID theft. The US media takes a small number of cases, and blows it all out of proportion until everybody believes they are an ID theft victim. Just like they do with child porno, etc. Everything is a war or an epidemic. Its the media's fault for creating hysteria.

Re:Some peope here are dead wrong (1)

gujo-odori (473191) | more than 6 years ago | (#23703983)

Being in the IT security industry, I can tell you that the ID theft problem is not being blown out of proportion. In fact, the media are probably under-reporting its actual severity. It doesn't surprise me that data breach laws haven't done anything about the problem, though. Having to tell me after a breach occurs does nothing to prevent the breach.

Additionally, a big part of the problem comes from financial institutionswith poor email hygiene practices. I routinely see email from banks that I could believe is deliberately crafted to set their customers up to be phished. It's not deliberate, but it so ill-conceived that it would be easy to believe it was malicious rather than just incompetent. I saw one last week that actually said "If you are concerned about the authenticity of this message, please click here." That was an actual account-related mail from an actual mid-sized US bank. I bullshit you not.

With the FIs routinely doing things like that, it's no wonder that people get phished all the time. The top-drawer phishers, for their part, are very good at what they do. They seem to be building databases of information of what they know about people. Known bank account and credit card numbers, social security number, etc. For some percentage of victims, I'm sure they know at least as much about their marks as the government does, and as much or more than the marks' financial institutions do. Then they send out the "work at home processing our accounts receivable" type spams to build their money mule networks to extract profits from the stolen identities and leave the mules holding the bag.

One of the areas of my work involves best practices for FIs, so I hope that it someday pays off in them not setting their customers up to be phished so much anymore.

Re:Some peope here are dead wrong (1)

DeadChobi (740395) | more than 6 years ago | (#23703435)

Stealing my identity, even for tax purposes, despite what you may believe, is still problematic for me. It results in the most interesting situation whereby I end up liable for taxes on wages and earnings which I never in fact earned. In the event this ever happens to me because an illegal immigrant stole my SSN and used it to work, I would be extremely pissed off.

It sounds to me like you're making the assumption that what is happening is completely victimless. Not only does it change one's tax bracket for the puposes of filing and computation, it changes what we are and aren't eligible for. Essentially, using my identity illegally results in the IRS thinking that I make more money than I actually do. This prevents me from claiming things on my return which I would otherwise be eligible for.

If you think that this is an okay situation, and that I should suck it up since I'm a citizen of the wealthiest nation of the world, then perhaps you should demonstrate your commitment to such a cause by giving away your SSN to an illegal immigrant and then file your tax return.

FBI Out to Lunch (3, Interesting)

Doc Ruby (173196) | more than 6 years ago | (#23702583)

The FBI is in charge of protecting Americans from fraud and theft on that scale and across that national and global jurisdiction. But Bush's "Justice" Department isn't interested.

Feel safer?

Re:FBI Out to Lunch (1)

gujo-odori (473191) | more than 6 years ago | (#23703011)

I suspect you're not involved in the security industry. I am, so I'm going to comment on this. The FBI is interested, and the DoJ is interested, and they certainly successfully prosecute cases and work very hard at it. I've met some of the people working on the security problem from the LE end of things, and they are very dedicated and talented individuals who are passionate about catching and prosecuting the criminals.

However, they face a lot of problems, none of which can be laid at the feet of Bush, or of Clinton before him (and it was during Clinton's presidency that this became a problem; all it's done under Bush's presidency is become a larger problem, even though they are throwing more resources at the problem now than they did under Clinton). Problems they face:

1) The criminals involved in identity theft of profit are mostly not American, nor operating in the United States.

2) The criminals are commonly operating in eastern European countries where enforcement is not good, cooperation from their LE with ours could be much better, and from which extradition is difficult.

3) The problem is *so* large that if every FBI agent were put on cybercrime (regardless of whether they were qualified for it or not), there wouldn't be enough of them to cover all the bases.

I suspect you were just looking for an excuse to post a Bush troll (not that I really blame you - I'm a Republican and I don't much care care for the guy, either) and I'm probably just feeding a troll, but as someone a lot closer to the problem than you are, I couldn't let that misguided and completely wrong dig at the DoJ and FBI go by without debunking it.

There are plenty of FAs where a Bush troll would be totally on topic. This isn't one of them.

And you mods who modded that tripe insightful - even if what he said was true, there's nothing there that would make it over the bar of "insightful." You should be ashamed of yourselves. If not for how dumb you are, than for wasting a mod point on crap.

Re:FBI Out to Lunch (2, Interesting)

Doc Ruby (173196) | more than 6 years ago | (#23703113)

Well, I have worked in the "security industry" here in NYC, quite a lot making secure banking/brokerage/insurance infosystems during the late 1990s, and helping the NYC legislature's tech policymaking committee oversee secure NYC's IT (both government and its neighbors in the Financial District). I know quite a lot about both secure technology and government security operations.

The FBI isn't nearly interested enough in these frauds. Despite how hard it is to find and bring these criminals to justice, that's the FBI's job, and it's good at it when it makes it a priority. Instead, under Bush, the priority has been "terrorism", which has been a cover for all kinds of wasted effort that hasn't secured us, but did help Bush keep going for 8 years. Even Bush's "CyberTerrorism Czars" have all quit in disgust, and Bush hasn't put a credible sheriff in charge of controlling this massive criminal activity.

There's a lot more ID theft and fraud in the past 8 years than when Clinton was president in the late 20th Century. It's like the presidents of the 1920s didn't make the FBI all use or at least understand automobiles, when they became a common tool for crimes, especially in escaping local jurisdictions.

So you can take your vague Bush apologies and dump them on that pile of crap you call "not much caring for the guy, either". The fact is that you voted for him twice , you and your Republican buddies are responsible for our lawless crises, and you have no credibility to bleat about how "this is hard work" like you do when Bush clears brush while the country gets looted. Your Bushy trolls are worse than worthless. You Republicans just aren't up to the job of securing anything, as much as you're constantly whining about how scary the bad guys are.

And stop whining to the mods, who apparently aren't stuck in the kind of Bushy denial you're stuck in.

Re:FBI Out to Lunch (1)

ahmcguffin (1304183) | more than 6 years ago | (#23703605)

The FBI is more than just out to lunch in Kansas City. When I found out who (Kansas City big name attorney) was using my ID I called the police, they refused to make a report. I filed a complaint and received threats over the phone by officers calling from the police station(caller ID) and threats from officers in uniform knocking on my front door yelling they were going to kick the door in and teach me a lesson. No one would touch it. ACLU claimed they didn't have the resources, Attorneys claimed if they took the case the same thing would happen to them. And FBI Agent Mark Holburn claimed I deserved what was going on and refused to do anything. I'll never forget. Or trust the FBI on anything. They are just a local branch of Al Qaeda.

Re:FBI Out to Lunch (1)

Doc Ruby (173196) | more than 6 years ago | (#23703645)

That is an outrageous story. Did you call the Kansas City Star to tell them about it?

Re:FBI Out to Lunch (0)

Anonymous Coward | more than 6 years ago | (#23707759)

No one would cover it, my neighbors were even calling anyone in the media. A former/retired TV reported told me that anything this attorney does he gets away with. And people who fight him end up moving to other parts of the country. I'm the only one who didn't I didn't have the resources then and I still don't.
Actually the majority, not sure of the current stats, used to be around 90% of ID theft is committed by a family member against another. No lost drivers license or data swiped. Although people do steal info that way is accounts for a small part of the problem. (Right now I am having to find a place to move quick. I my knee literally came apart and I am on crutches. To shorten, my landlord is acting illegally but doesn't care. So I'll paragraph threadjack, if anyone knows of someplace in Volker for female with cat, I haven't been able to update my wordpress blog with info or I'd put it up.)

Re:FBI Out to Lunch (1)

Doc Ruby (173196) | more than 6 years ago | (#23709309)

Why don't you write a diary about it on the Daily Kos [dailykos.com] blog? If well written (focused on your ID theft, mentioning your other problems only in actual connection with your crisis), it could get some proper attention. Perhaps at first only by other ID activists or people who might know tips for your recovery. Maybe by some journalists who could pressure your DA to act. Or perhaps only as more popular pressure that could force change in 2009, when the Democrats take over and replace your US Attorney (Federal prosecutor) and probably your regional FBI chiefs with a different staff, who might be less corporate and worthless to the people as the current Bush crew.

ID theft is trivially easy, today. (3, Interesting)

NoobixCube (1133473) | more than 6 years ago | (#23702693)

ID theft will continue, now that criminals have about 4.5 million people's personal data from those backup tapes the Bank of New York lost. Not to mention all of the other data losses we've heard about on Slashdot. No amount of securing your personal data will help now, unless you plan on changing your date of birth and address. Seriously, that's all it takes. All it took to prove to Medicare (Australian health cover, just a shade short of socialised health) over the phone that I was me, when I needed to change some details, was my date of birth and current address. You put those on almost every form you fill out offline, and if you shop online, you put your address on those too. Date of birth and current address can be used as a lever to "update" someone's Medicare details, and have a new card sent to an ID thief. Medicare counts as a form of ID, so that makes the lever a little bit longer. An ID thief can use the new Medicare card as ID for other changes and updates. Even get a copy of a person's birth certificate sent to them.

Re:ID theft is trivially easy, today. (1)

JasterBobaMereel (1102861) | more than 6 years ago | (#23707287)

The problem is that credit companies have to accept poor proof of ID because most people have nothing better

All your most basic "personal" details are probably widely known along with you credit card numbers, SSN etc...

Biometrics will not help - how do you prove you are you to get the Biometric info in the first place?

It all comes down to - how can you prove you are you to a stranger - the answer is, you can't!

In other news ... (1)

Zero__Kelvin (151819) | more than 6 years ago | (#23702699)

People still use drugs, murder, carjack, and rape despite laws passed against the behavior. Who'd-a-thunk-it?

Re:In other news ... (0)

Anonymous Coward | more than 6 years ago | (#23703009)

People still use drugs

You got some? :)

Re:In other news ... (1)

Zero__Kelvin (151819) | more than 6 years ago | (#23703355)

I would never sell my^H^H^H drugs!

Uh? (1)

Goaway (82658) | more than 6 years ago | (#23702707)

Since when are data breach notification laws meant to reduce data breaches?

Sounds familiar (1)

ErikZ (55491) | more than 6 years ago | (#23702907)

ID Theft In US Continues Apace Despite Data Breach Laws

And in other news, people have been shot in in "Gun free zones".

notifications not a deterrence (0)

Anonymous Coward | more than 6 years ago | (#23702909)

Do you really believe that notifying people is supposed to somehow deter criminals? Notification is supposed to allow people to deal with a potential threat.

Making lenders responsible for 100% of credit theft costs would deter crime, of course. It would force reasonable authorization procedures to be used.

Let's make it illegal to store and share the info. (1)

Prisoner's Dilemma (1268306) | more than 6 years ago | (#23702939)

One step that would go a long way to securing information is limiting how many different places store sensitive info. Most of the information businesses collect is for their benefit, not to verify your identity. It's collected and sold, or used for harassing (marketing) to you. It also should not ba able to be shared between each company they call a 'partner'. This should go for any type of information, not just financial.

Additionally, it would help if not so much was public record. If you purchase a house, there's no reason the amount you payed and your mailing address should be made public. There is no reason ever for a company to need you mother's maiden name.

Many people don't know all the other information that is kept and sold about them. For instance, many places that ask for security questions about your dog, car, or lineage sell your responses. Experian also collects information about you that is not disclosed when your order a credit report like average monthly purchases and what percentage and categories your purchases fall. The document of available information about you just from that company was about 1/2 inch thick.

It's also not good that if you have your oil changed at most service places they sell that information about you. When I had my car totaled by fault of the other driver, his insurance company tried to use the "missing" records of oil changes to devalue what my vehicle was worth. It was good that I keep records when I change my oil other wise I would have had a lot harder time getting them to cover what it was worth.

All said and done, I'd be happy if companies had to PROVE a NEED, not a use for, and information the store or inure heavy penalties.

The simple solution (1)

MikeRT (947531) | more than 6 years ago | (#23703053)

Make banks have to verify your identity before they can create ANY new account in your name, and make all such institutions, from banks, to data mining companies, liable for the damage they cause to private citizens through not taking adequate means to protect the data they have on us. The down side to this sort of approach is that it would probably cause a wave of depression-like effects on the banking industry because it would be so difficult to sign people up for credit accounts. However, in the long run, it would be 100% worth the short-term pain.

Gottta remove the PROFIT!!!! (0)

Anonymous Coward | more than 6 years ago | (#23703373)

8 to 10 years ago, I complained to a bank and MC about one of the first phishing sites. They could not care at all. Anything that might put a customer off, did not matter. They just pass the costs through on their card's 21% interest rates. And the customers pay it. So who is to blame? The banks do not care, the credit cards do not care - and the customers could care less, unless it happens to them, then they expect the bank/card to take care of everything. There is even profitable services to watch out for this - that customer's pay for.

It is not going to change until the profit is taken out of it for the banks, card companies and everyone else.

ahmcguffin (1)

ahmcguffin (1304183) | more than 6 years ago | (#23703479)

My adopted father has been using my ss number for years. He has done so much damage I may never be able to own a car, have a bank account or anything else. Between the State of Missouri and apparently most other states being able to sell ss numbers and info bulk and credit reporting companies being exempt from recording information that may be wrong it will never be even vaguely manageable. The last 4 years has been an attorney that I won against, he does have friends in high places, the higher the place the bigger penalty they should get. Credit reporting companies should have to verify information and inform the person they report on who is asking for the information. I have to move by the end of this month and the two places that did checks still come up with a horrendous record that is so large they couldn't approve me but they knew there was no way it could be my record. Too much going on at the same time in too many places. But I still can't get past it. Trying to clear my ID has been a full time job the last 4 years.

have any laws really stopped crime? (0)

Anonymous Coward | more than 6 years ago | (#23703691)

prohibition -> fail

war on drugs -> fail

copyright enforcement -> epic fail

securities / corp finance fraud -> fail all the way to the bank

prostitution -> fail with release

If the crime has a profit motive, laws don't stop it. At most they raise costs and increase the barrier to entry thus ensuring only large players (mafia, cartels, governments, corporationis) get to play.

Two items forgotten here (3, Interesting)

MobyDisk (75490) | more than 6 years ago | (#23703859)

#1:
laws, but has all of this legislation actually cut down on identity theft? Legislation does not stop crime. Prosecution stops crime. Besides, these laws are weak. They are unenforcable since they state "if you did something wrong, you must tell us" and obviously if they don't tell they don't get caught. And even if they do tell, there is nothing you can do to stop it and it doesn't make the companies any more likely to take security measures. So these bills are probably a good idea that doesn't go far enough.

#2:
I called Comcast today to register for service (yeah yeah, make fun of me, but they are the only game in town) and they asked me for my SSN. When I told them I couldn't do that, they hung-up on me. So this just shows me that not only is this business as usual, but it is getting worse. 10 years ago nobody would have dared ask for a social security number for something like this. How come things are getting worse while at the same time we are supposedly doing all this stuff to prevent identity theft?

Bottom line: nobody cares, nobody does anything about it. The only ones who do are academics and a vocal minority like Slashdot.

since when? (2, Insightful)

the brown guy (1235418) | more than 6 years ago | (#23703967)

ID Theft in US Continues Apace Despite Data Breach Laws
Since when do laws really stop anything. There are laws against murder, yet people are murdered all the time. They got to get to the root of the problem, and there are ton of comments trying to identify the root, which is probably profit.

Of couse they're not doing anything (2, Insightful)

Guppy06 (410832) | more than 6 years ago | (#23704725)

"Over the past five years, 43 US states have adopted data breach notification laws"

"If you get hacked, you have to tell us, so that we can prosecute you for having lax security and your customers can abandon you." Or, you know, they can keep their mouthes shut, since the reason for these mandatory disclosure laws to begin with is that, unless these companies say anything, nobody but the thief knows they were compromised.

I'm sure that even the use tax laws are more successful.

KEY and PIN system will deter virtually all fraud (0)

Anonymous Coward | more than 6 years ago | (#23705151)

By now banks should realise that Chip and PIN system will not combat fraud because it does not deter identity fraud, ATM fraud, stolen card and PIN fraud, card not present fraud, faked fraud etc. the way KEY and PIN system described on website www.xwave.co.uk will. So until banks exploit proposed KEY and PIN system fraud crimes will continue to grow. KEY and PIN system could be treated like international ID card since it will personalise signature and PIN to the right individual in any country in the world. We hope banks and the government would exploit KEY and PIN system before it is too late to stop a fraud boom.

A simple answer to a simple problem (0)

Anonymous Coward | more than 6 years ago | (#23708971)

The solution to data theft is fairly simple: Focus on those responsible for the loss. Say: 20 years in SuperMax prison for ALL officers, directors and executives of a company that "allows" data to be stolen.

Within a year, there will be zero data losses.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?