> In my city, the programming unemployment rate is, like, 2%. If you haven't worked for awhile, it's because of your job hunting skills, not your tech stack.
No, it is not due to job hunting skills. It's more like "culture fit" and other types of discrimination.
Suppose Alice is a "victim of identity theft". BigBank gives $10k to Fraudster as a loan, thinking that Alice is the actual recipient. Experian, Transunion and Equifax report this loan as a debt which Alice owes to BigBank.
Who is the real victim? The credit reporting agencies want to convince people that the consumer is the victim, and so Alice bears the burden and risk of clearing her name. But it is the credit reporting agencies inflicting this upon Alice. BigBank is the victim who lost money, and BigBank bears the responsibility for making the mistake of giving out a loan in Alice's name. The Fraudster committed a crime against BigBank, not against Alice. It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.
The idea that Alice was victimized by Fraudster is a concept being perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, and place the burden upon the consumer, and to avoid realistic identity-verifiction which might slow or complicate the practice of issuing large amounts of debt to the general public.
Precisely. In no way was Alice's identity stolen - that's tautologically impossible. Rather, the bank was defrauded by the criminal - Alice is of not a party to whether or not the bank recovers from its own loss. Alice's ownership is entirely unaffected, though the bank's internal processes might not reflect that - again, their problem, not Alice's.
Further - this rat race, where I have to give ever more intimate details about myself to verify who I am, "for my own protection", seems to only ratchet away my privacy until there is nothing about me left unpublic. Facebook, Banks, Airbnb, Credit Card companies, Telephony companies have ALL given me that line when I resist providing SSN, DoB, or whatever mine-able nugget they're looking for this month. Every time I give out a new kind of private information it inevitably leaks - defeating their point of having asked me - all the while my privacy is left scorched while they move on unconcerned to the next piece of my private life. It's uncomfortable.
> In no way was Alice's identity stolen - that's tautologically impossible.
I see this as you being too strict with your definition of "identity".
We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.
"Stolen identity" in this sense means Alice's attributes (the ones which Big Bank uses to identify a person) have been compromised by a 3rd party. It's not that all of Alice's identity has been compromised -- only a subset of her identity. Sadly that subset almost entirely consists of "something you know" (which the internet usually also knows) rather than "something you have" (like a government-issued ID) or "something you are" (biological traits).
I totally agree about the rat race. I think the credit bureaus are complicit in keeping the burden of credit identity low and the availability of credit reports high in the US, both of which lead to perverse incentives for {credit bureaus, consumers, creditors, governments, etc}. But they aren't alone. Credit card systems {VISA, Mastercard, AMEX, Discover, etc} and credit card merchants have done the same, causing the US to fall far behind other developed countries in consumer security.
Additionally, I've heard horror stories about the effort required for consumers to "prove" to credit bureaus that their identity was stolen. It sounds a lot like the insurance company's policies in The Rainmaker.
> I see this as you being too strict with your definition of "identity".
> We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.
Which is not relevant here, as this is not about different sets of attributes pointing to the same body, but about the exact same set of attributes being claimed to only possibly be pointing to one body (hence they supposedly identify Alice) while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.
For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body. Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.
Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".
> For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body.
And then we say that the stating the DoB authenticates anyone to make changes to Alice's account.
And then we say this is a terrible idea. And then we are in agreement.
And then we don't have to say completely unhelpful nonsense like the following:
> Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.
If these credit bureaus insist on conflating the word "identity" with "authentication" then it is up to us, computer / information / system / security professionals to correct this error and continue with more clarity.
Not not to start a one-sided (credit bureaus aren't listening) philosophical argument that nobody was really talking about in the first place. This isn't about ontology, and it never was.
(Ontology is the field of philosophy that asks the question what "is" is, a.k.a. "identity" and it's very interesting but also very much irrelevant to this incident and the problem it poses to badly designed authentication systems)
An important part of our jobs is being able to clearly explain such computer security and authentication concepts to a layman. That includes properly framing the question. Digging into a philosophical argument because you feel you can argue your way around a particular word that is used, only feeds pedantry.
> Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".
Except it's nonsensical to switch to "authentication" when the discussion is about how the term "identity theft" is misleading. It's not "authentication theft", it's "identity theft", and that is exactly why it is misleading.
The point is that it is NOT "identity theft", even if that's what people call it. It is more aptly "authentication theft/fraud".
The original point of this comment thread was that the credit reporting agencies want to keep it confusing so that it's not clear who exactly was the victim of the crime, so it's not obvious that the system sucks.
Yes, I agree, and I might have slightly misread what tripzilch wrote to mean that we should avoid the term here in this discussion, which I objected to. Towards the general public, it totally should be framed as an authentication failure, yes, I agree.
I think my point would be that, by discussing the minute semantic / philosophical points of the concept of "identity", you're still letting them frame the discussion that way. It's a word that they choose to describe something which it isn't. First is to just not go along with it, not to dig in and try to beat them on their own territory (if you succeed, you won nothing).
For the same reason I won't go into discussions about the finer moral points when stealing is wrong or not, if the topic is copyright. Especially not get carried into far-fetched analogies such that it is okay if a starving family steals the blueprint for a 3D printed load of bread or whatever.
In that sense, the term "intellectual property" is actually similarly problematic as "identity theft". While it evokes the connotation of "property", intellectual_property is actually just a legal term that stands on its own and derives nothing from the common concept of "property" except where explicitly defined as such.
Except that identity_theft is, afaik, not a legal term. I believe it stems from the idea of the loss of an interconnected number of (mostly electronic) credentials, an adversary could use to, in a sense "become you", and wreck one's life. This then became a serious fear, that was (in the public) not quite blamed on terrible security practices of powerful entities, but on the ever-growing interconnectedness and electronicification of all aspects of our life. In fact literally about the fear that the large amount of data about us in these computer databases, would some day mistaken to be us and identify, regardless of its truth in the real world. But identify_theft has always been painted as a sort of "curse of the modern age", our penance for living in an ever automated society, kind of typical Hollywood morality story.
Except these credit companies seem to be just focusing on the "wreck your life" part, twisting the definition around, that suddenly a security failure with their authentication/credential system gets to be blamed on the general societal menace of identity_theft, mainly because their error has the capability to wreck one's life.
I'm pretty sure Baudrillard or some other person in critical theory / semiotics has written some interesting stuff about this. Now that is a philosophical discussion on this topic that I would actually find worthwhile.
> while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.
Attributes can be replicated -> attributes don't identify Alice
Why do you consider this implication necessary? It sounds nonsensical.
Counterexample: to verify an identity, the verifier must possess a replication the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.
Note that we're speaking of identity in the context of a technical implementation.
> Why do you consider this implication necessary? It sounds nonsensical.
Because it is implied by the definition that is implied by the concept of "identity theft".
Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.
That doesn't make much sense, does it?
The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".
> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.
Erm ... no? Just two obvious examples:
In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.
In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.
Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?
> Note that we're speaking of identity in the context of a technical implementation.
Actually, we kindof don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?
The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.
> Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice.
> That doesn't make much sense, does it?
If Alice is the last surviving human being in the universe, it does.
If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.
> In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.
You haven't checked that it's me, you've checked that it is someone who looks like me.
Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.
> In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.
Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.
> Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?
Do you believe this hypothetical example to be true? If not, what's your point?
> The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.
In which case it's just not a refutation of the tautological impossibility at all. Either something uniquely identifies someone, or it does not. Uniquely identifying someone while at the same time being (trivially) being replicated by somebody else is just a contradiction.
> If Alice is the last surviving human being in the universe, it does.
Seriously?
> If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.
Which is exactly why "was able to tell us the DoB of Alice" as an identity is nonsensical, and hence any conclusion of the form "therefore, Alice's identity was stolen" is nonsensical as well, correct.
> You haven't checked that it's me, you've checked that it is someone who looks like me.
Which contradicts the claim that the verifier does not need a replica of you how exactly?
> Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.
Which still cannot be stolen. So?
> Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.
Which contradicts the claim that the verifier in a context where it is taken to be sufficient proof of identity does not need the private key how exactly?
> Do you believe this hypothetical example to be true? If not, what's your point?
My point is that I am responding to your argument that was about an implication from that hypothetical case.
So the only way around this is to disregard information about a person other than information that 100% without a doubt identifies that person making a purchase is who they say they are? I am just genuinely curious.
No. It's to accept liability when you make a mistake. If a criminal tricks a bank into giving away money and debiting some random account, the victim is the bank, not whoever happened to own the account.
While I thoroughly agree with everything you've said on the subject thus far...
How does being in possession of a picture, or any other biometric data, help? These data are reproducible, like any other attribute that supposedly identifies only-Alice.
Checking the possession of a picture is not biometry (that would be possession-of-a-picture-metry). Making a picture is biometry (measuring the body, essentially).
The hard problem with biometry is proving to a third party that a certain identity is responsible for a contract, but identification with biometry (convincing yourself that the person before you is the same person that you enrolled earlier) at least works a lot better than asking for essentially public information.
Online loan firm gives money to someone. Months later, they default, so they call who they think is the holder of the debt. That person has no clue what they are talking about. Finds out through first ever credit report they are defrauded. Victim calls loan firm, who requests lots of proof of existence as well as a police report, before they will help them. Process takes weeks. Victim finds out they signed up at Equifax during hack. Now they are in worse shape.
All financial companies are required to have you SSN for reporting income for taxes and also report money movement under the anti-money laundering laws(AML). Know your customer(KYC) requires a financial company to gather documentation and information to verify your identity and to ensure your not on any list of people we're legally not allowed to provide services eg terrorist watch list.
You don't need to provide a SSN to get cell service or provide real information. Lots fraud is done through tethering through burner phones.
Seems KYC as used in the real world doesn't do a very good job of verifying whether the "customer" is Alice or the fraudster... It'd be nice if _that_ requirement had enough teeth to reduce the ability of the financial institution to claim Alice is "the victim"...
Curious how would you verify a user? Right now standard solution is to use public records(LexisNexis), credit history(Experian), fraud detection networks(early warning). Along with a bunch reputation providers around IP(Maxmind,Socure), email(emailage), address. Also government based ID and utility bills etc. This isn't cheap and can costs $10+ to run all these checks.
Even government can't verify people and its problem because people give other people's SSN and DOB when they get arrested which is the worst type of identity theft as it can lead to the victim getting arrested or not getting a job(criminal record showing up in background check).
> You don't need to provide a SSN to get cell service or provide real information. Lots fraud is done through tethering through burner phones.
Don't give them any stupid ideas. This year Germany did exactly that: Require proper identification for purchased SIM cards. Lot's of people used that opportunity for some extra cash by selling pre-activated SIM's through Ebay, after the requirements had been changed.
Too bad they also introduced Euro roaming, so people are still free to buy their anonymous SIM's in other EU countries and use them in Germany.
I guess those are the consequences of a future where your mobile device is used for your personal authentication everywhere by everybody. [0]
I've worked a bit in the industry and around the industry, the worrying thing for me is that it doesn't seem to be working for anyone apart from equifax/experian/call credit.
I have separately worked with one of those companies with a client and their IT staff were utterly incompetent (I won't say which). Loads of different sites, lots of little fiefdoms, utterly inconsistent security policies on each site, blaming everyone but themselves because only half their sites could access a video on a major commercial video provider (not-youtube). We ended up having to host it on AWS cloudfront as none of them had blocked it yet. Their sharepoint could only host a 50mb file, which made their CEO look like a blockhead in the 20 min high def video.
Utterly incapable of hosting a simple video file so all their staff could access it in 2010.
I've also worked with a company one of those companies acquired for $100 million+, holding millions of people's personal details in the UK, with some very sensitive data. Some of the worst IT engineering I have ever seen, a bunch of tools written by the worst out-sourced IT teams I have ever seen (if you've ever worked with C#, these idiots made a project per .cs file. Yes, PER CS FILE. They also wrote the worst SQL I have ever seen, all of the stored procedures seemed to be duplicated but the duplicates had op_ before them. I eventually realised the op_ stood for optimized! They were still terrible and half the program used one set of SQL, the other half the optimised. Whenever I re-wrote one of these 'optimised' queries, I usually knocked it from seconds to milliseconds. Outsourcers in the naughties really did suck that bad, young 'uns).
We've given up huge amounts of privacy, but the scores are utter bullshit and the 2008 crash show what a load of nonsense they are.
A friend even told me at uni he'd got a £1000 loan out to get a good credit rating. You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.
equifax/experian/call credit basically get given all our personal spending habits for free, sell it on to everyone else for crazy money, don't add anything to the economy and as far as i can tell, are a huge security hole.
EDIT: Another anecdote on how incompetent these people are, a couple of years ago someone used my details to scam a few free phones. I got alerted to it when I started receiving insurance contracts for those phones in the post. The phone companies sorted it pronto, almost immediately admitting they'd been scammed, but I wanted to make sure my credit rating hadn't been trashed. In the UK these agencies must provide you with a credit report for a nominal fee so you can check for incorrect details, so I applied to the big 3.
One of them accused me of trying to hack their system because I'd forgotten a security question, eventually told me to fuck off after passing through various layers, then sent me a letter saying they'd detected a hacker trying to access my details. No, you idiots, that was me. Still never got my report from them.
You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.
I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?
Any system can be gamed, but I don’t get the impression that credit agencies are attempting to eliminate all risk - after all, it’s obviously possible that someone who has had perfect credit for years might simply run away with your cash! But the system doesn’t have to be perfect, or detect all outliers, to have value.
It seems intuitively obvious that lending to someone who is frequently late with credit repayments is riskier than lending to one who isn’t, and this is the mechanism by which that information is shared.
For £100 you get a shiny credit rating for no risk. That'll get you a mortgage for £100,000s.
In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay. I appreciate that it probably benefited a certain type of person, but the new system probably has the same prejudices built in. Now it's all about the ephemeral and easily game-able credit score. Until a few years ago you would get negatively scored for not having a landline.
These scores are utter bullshit, they're simply about if you haven't screwed up yet, they're not actual assessments of your ability to pay or the risk you've exposed yourself to.
Again, I worked in the mortgage industry before the Northern Rock collapse, brokers used to be able to go to those guys and openly fudge people's incomes by calling them self-employed, they had a good credit score so no-one blinked an eyelid, get 105% mortgage, and then lo-and-behold, the bank collapsed. Yes, part of it was that they lost their access to easy bank credit, but another part of it was they lent to hugely risky people.
As a slight-side, my bank was willing to lend me crazy credit card money a few years ago because for 10 years I never missed a payment. In reality in those ten years I went through a patch of being the most business-un-savvy freelancer ever, selling myself at a stupid rate and not putting enough aside to pay my tax bill, to the point where I had to get a loan from a parent to pay it. I was flat broke, almost bankrupt, and these people were willing to lend me almost 9 months of my income.
I was not a good risk.
But because I paid on time for X years before, I was to the credit agencies.
Banks are using actuarial science to make loans. You were (possibly) an outlier. That doesn't matter. All that matters is that their risk models work in aggregate. If they're right enough of the time, they profit. It doesn't have to be perfect.
> In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay.
You do recognize how terribly inefficient that is, right? In this day and age its all about scale. Expecting a bank manger to have financial profile of all the clients using his firm is impractical.
For all it's faults, the credit reporting agencies are providing a service. It's not perfect and I think it's best they could do with the information available to them. I expect they will improve their score though once they start incorporating signals from social media and other sources.
You do recognize how terribly inefficient that is, right? In this day and age its all about scale.
Is it, tho'? It is well known that IT doesn't improve productivity[1]; all the benefits of automation get swallowed up in the extra people needed to support and maintain it. So we can assume that the ratio of bank employees to bank customers has remained constant over time. So actually there's no reason for bank's not to operate the old personal-relationship model; they would need to employ the same number of staff to do it, just locate them in branches rather than at head office.
> I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?
That's probably the reason why it would increase one's credit rating in a positive way. I have no doubts about these systems being broken in such a way that they consider people who take on credit, paying it back in time, as more "credit-worthy" than people who never needed/wanted to take up a loan.
A bank obviously wouldn't want to miss out on the first group of people, why they couldn't care less about the second group of people from which they make no money in the form of interest.
It's also interesting how these kinds of rating systems seem to be "broken" all over the world. In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany and they are quite infamous for mixing up people and thus giving them a negative rating, often without the people noticing until it's too late and their negative credit check denied them access to a rented flat/credit whatever, after which it's their responsibility to get in touch with Schufa to clear up their misidentification.
> In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany
Just for anyone from Germany reading: There are multiple, less well known agencies that are used by banks and others as well. They are definitely worth keeping an eye on. I will only mention Creditreform Boniversum, Arvato Infoscore, and Bürgel.
What Alice is the victim of is slander, not fraud or identity theft. The bank lent some money to someone who claimed to be Alice (though the bank only relied on the fact that that person knew Alice's SSN as proof of that fact). Then when the bank didn't get paid back, they told a bunch of credit check bureaus that Alice was a credit risk. This was a lie about Alice, which has a material impact on Alice's reputation. The credit agencies then go ahead and repeat that slander.
This is a great description of what is going on with "identity theft". I don't usually like changing the name of something to try to push an agenda, but calling "identity theft" "bank slander" would be good idea.
So presumably a class action law suit against the reporters for slander? Might depend on specifics of the law... Maybe it's time for a better credit reporting agency startup.
Defamation laws differ by state, but in NY for example, I believe libel (slander refers to oral defamation) requires that the perpetrator knew, or should have known, that the statements were false.
The question would then become whether the bank's identity verification procedures satisfy that burden. I think it would be a difficult endeavor, but it would be good to see it tested.
They absolutely should have known it was wrong -- their business is lending money to people! If their procedure is insufficient, they should have fixed this.
I would love to see the banks sued for libel, a massive class action suit. There are real monetery damages it one could put a number on, and the difference between a bad and a good 30 year mortgage will be a big number.
Well, yes, Alice is the victim of slander, and the bank is a victim of fraud. But the important point is that neither of those imply that Alice is responsible for anything.
I haven't dug too deeply into this, but a defamation claim under state law would probably be pre-empted by the Fair Credit Reporting Act. You mostly can't sue them unless you can prove they defamed you with malice or with willful intent.
In this case, maybe you could have a shot by arguing that since the bureaus know that like half the population's information was stolen, they are acting with reckless disregard for whether their statements are true if they don't now do additional investigation to confirm the identity of the subject of their statements in order to mitigate the effects of the breach.
Hmm, I guess you could call it slander if the person and the dossier were perfectly interchangeable. But all the institutions know is that someone has been failing to pay back loans that were issued based on the information in a dossier. After a series of fraudulent loans to "Alice Doe, SSN 123-45-6789" (the file, not the person), when some random shows up at Yet Another State Bank and tries to take out a loan under the same credentials, the credit reporter is right to warn of the risk. They don't know if Human Alice is a risk, but Paper Alice definitely is.
She would be inconvenienced, but that doesn't mean she was slandered.
If someone steals Alice's car and commits a hit-and-run, she will be inconvenienced when the cops show up at her door, but the person who reports her plates won't be committing slander.
If they said they had received word that the car was registered to Alice, that wouldn't be libelous. If they said she was the driver, that would be libelous. If she was charged with murder and they said she was an alleged murderer, that wouldn't be libelous.
"Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed £10,000 and legged it, that was "impersonation", and it was the bank's money that had been stolen, not my identity. How did things change?" https://www.lightbluetouchpaper.org/2017/08/26/is-the-city-f...
Agreed. Thought experiment: suppose instead that Fraudster convinced Alice that he represented BigBank, and so Alice was duped and gave her money to Fraudster thinking she was depositing into BigBank.
The only thing she could expect from BigBank was politeness while explaining to her that she was duped. If it's a very friendly bank, she may tie up a manager for a couple hours, but that's it. If she keeps coming back, she'll soon be escorted out by security, or the cops.
Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?
An even more analogous experiment would have Alice take out a mortgage with BigBank, then receive a fake notice of debt reassignment to BiggerBank, which is actually Mallory. Alice makes mortgage payments to Mallory for many months. Now BigBank is wondering why Alice fell behind on her mortgage.
> Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?
Probably not jail time, and perhaps not civil penalties. Even civil defamation in US law generally requires knowing falsehood or reckless disregard for the truth, not just mere falsehood, and criminal defamation, where it exists, tends to have high . Unless the bank had provided concrete evidence so solid that it was unreasonable for her not to believe their denial of responsibility, there likely be no legal wrongdoing.
This is very clearly what's going on. Fraud is uncommon enough and the cost of fraud to the banks is smaller than the cost of reducing the velocity of money and loan-making, so the problem will never get fixed so long as it depends on the banks to initiate the fix.
Work at a financial firm and have built a bunch of identity theft detection features. Curious what your fix would be. Identity theft and friendly fraud losses are in the tens of billions annually and identity verification services is a huge industry.
I've never talked about this with anyone who knows the industry so it may be stupid in some obvious way, but I would gladly accept the inconvenience of having to go to my bank in person, carrying official ID, when opening lines of credit, if it would make the whole process secure. Banks could serve the process of relatively slow but reliable authentication for specific financial transactions, and communicate those authorizations to each other. Individuals who need more flexibility could opt out or do something more complicated, at the cost of some risk.
There's some cost to this, but I still suspect quite a few people would accept it.
My information was used to open a fraudulent mortgage loan, then when I asked my bank to not allow opening credit lines or transfers online was told "we can't do that!"
Thats how traditional banks work. You walk in Chase with your government ID to open up an account. It doesn't work. You can get high quality forgeries of government IDs made in China and there's no public DB to verify information on the card. RealID requirement for states to open up their driver license DBs only applies to government agencies(eg: TSA).
Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?
> Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?
Honestly, maybe that wouldn't be such a bad idea. A well-designed system would probably wind up contracting the post office for ID verification for online services (since in my country at least, they do a pile of random related stuff).
1. The bank should capture the ID you used the first time you entered and do comparisons. They should also capture your ID when you come in again. This will raise the difficulty of impersonating you and the risk the criminal takes.
2. One thing I didn't think to say, because my bank only exists in North Carolina: geography should matter. If you live in a particular city, opening an account from another state should be seen as suspicious, and merit greater checks. This is the kind of thing some people should be able to relax, but it's probably a good default for most of us.
3. Should I have to go to my bank for PayPal, Venmo, Betterment, eTrade, etc? Those cases don't all sound the same to me. But here's what I'd consider: how often is a person going to need to do this, and does the activity involve requesting credit? We've currently optimized almost exclusively for convenience at the expense of security. I'm proposing that we shift that balance a bit.
This is basically what Vanguard does if they get suspicious about your account security. Basically you have to show up at a notary with photo ID and get a form notarized.
It's probably not hard to forge a social security card and birth certificate if you have the relevant information. From there, a state ID (or maybe even passport) should be possible to get. I don't believe there is any biometric security on either. A determined identity thief might go that far.
This is the old "because a solution is not 100% effective, it's not good" chestnut. This solution would cut down on the theft by over 90%, I'd venture, probably more like 98%. There is huge difference between perpetrating a crime from the safety of a computer and physically walking into a bank to commit it.
$16 billion was stolen from 15.4 million U.S. consumers in 2016, compared with $15.3 billion and 13.1 million victims a year earlier. In the past six years identity thieves have stolen over $107 billion.
The thief would have to physically resemble the victim's photo, height, age, gender, etc, which is some added defense in depth. For instance it would be hard for most males to pass themselves off as a typical female.
> The thief would have to physically resemble the victim's photo
Why? Show up to a government station with your birth certificate, SSN, some telephone and utility bills, and they'll take the thiefs picture and put it on an identity card with your name on it.
That sounds incredibly bad for a first-world country. If that was the case, I'd argue that the entire country is in collapse. As you then have no control over foreigners impersonating locals and manipulating something as serious as elections, never-mind bank-fraud.
Edit: Point being, this needs to be fixed ASAP if you are to move your country into the future. Fix the regulatory/state hurdles that prevent it from happening, and get yourselves National Identification that's secure. Things will flow positively from there.
They don't use the SSN to check for prior IDs issued by other states and/or the Feds, and compare the applicant's photo/gender/age/height/eye color, etc to them first?
About twenty five years ago a bank allowed someone to cash checks with my name on them with all the correct account info on them as well, but was a different race and gender than I am (the banks had video of the customer). They did this about a dozen times for checks for what I assume was just under the amount that would flag it (about $2000) to empty my account over the course of about an hour, using different drive throughs at different branches in Houston, I lived in Austin at the time and had never visited a branch in Houston.
The big architectural flaw is that when I as a consumer prove my identity to company A, that gives company A enough information to impersonate me to company B. Or equivalently, it can give a rogue employee at company A that power, or anybody who hacks company A's database.
The solution is asymmetric cryptography, wherein identity is tied to a public/private keypair, and I can prove I have the corresponding private key without giving the other party the ability to impersonate me. Ideally, the government wouldn't know my private key, either, rather they would just give their own attestation that a given public key is owned by a person with a given name, DoB, SSN, and biometrics.
Along similar lines, any financial account would have its own keypair, with moving money out of the account requiring signing with the private key.
The state of cryptography today is way too obtuse for this to work right now, but I think it could be made more user friendly with specialized hardware to hold the keys and perform the encryption.
The idea that SSNs are secret, but we hand it out to half a dozen organizations is absolutely ludicrous.
Change the way checks are issued/redeemed. Right now the customer is on the hook for 7 years because a check isn't cleared until it goes back to the bank that issued the check . The customer thinks by seeing the money in the account the check was good and can clear a sale. The reality is the bank can take that money back if it is later determined to be false/fake.
Not just bankruptcy. Banks and businesses contract with check verification companies such as ChexSystems. I had a friend who bounced a check and it took him a few weeks to reimburse the bank. By then the bank closed his account and reported him to Chex, who put a 5 year hold on his ability to get another checking account through any bank that used Chex verification (> 90%), essentially blackballed.
That may be so, but the GP was talking about the time it takes checks to clear. IIRC, uncashed checks aren't even valid after 180 days, let alone 7 years.
Negative credit information falls off after 7 years from date of first delinquency.
Always dispute negative credit items; more likely than not, it won't be verified and is usually removed. Otherwise, wait 7 years and then dispute again.
Paper checks are going away. Some of the online banks don't even support them. ACH allows only 60 days to claw back the money(disputes) and with same day clearing requirement we can get rid of 2 day holds.
What are they being replaced with? Yeah, as a young renter I went years without using a check. When buying a home last year I had various inspectors during the process. After buying, I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks (to be fair, I didn't seek other forms).
I've tried all sorts of p2p methods over the years. All of the banks are too confusing, obscure, or too limited (i.e. only within their bank). Paypal and credit cards charge a not-insignificant fee. Venmo or Square Cash work fine if your group of friends accept them--but more than half the time, they don't for me.
I often do ACH transfers between my own accounts, but the first time I set it up a cringe a little bit and cross my fingers. It sucks waiting the 2 or 3 days waiting to see something. I can't see small businesses accepting ACH as payment because they want something in hand. If we had the setup I've heard about in Britain or Europe, I can see checks going away, but with as much churn as I've seen in this space in the 20 years since Paypal, nothing seems to stick.
> I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks
Try cash? I use cash for almost all transactions like that and have never been turned down :-)
Cash is nice, but the the main point of banks is that I don't have to carry a bunch around. I honestly didn't even use an ATM or carry cash for years. I started carrying cash only when my job reimbursed me for parking (and they only accepted cash). It's also nice for bookkeeping. I can write the account number or purpose on the check itself.
Eve lies to bob, and tells Bob she's Alice. Bob asks Claire, who says
Yes, that's Alice." Bob gives Eve money, and Eve runs off.
This should not be Alice's fault, responsibility to solve, or problem to deal with. It is, because Bob is much, much more politically powerful than he ought to be.
>It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.
I think you're confused. It's BigBank that's falsely placing a debt burden on Alice. The credit reporting agencies are only reporting what they are told. Imagine if Alice doesn't care about her own credit worthiness. Let's say she has no debt, and no intention of acquiring debt. What happens if criminal tricks BigBank? They say, "Alice, you owe us this money." Alice tells BigBank, "No, prove it or pound sand."
What happens then? BigBank goes to the court and tries to get a judgment against Alice for the money owed. If Alice isn't aware of the proceeding, the judge will grant BigBank's request, and now Alice will owe BigBank the money stolen by criminal.
BigBank's poor authentication and the judicial branch are the ones doing the real harm to Alice. If anything, the credit reporting agencies are providing value to Alice by warning her before BigBank goes after her in a secret proceeding and makes the debt hers.
1. Alice does have debt, and does intend to acquire debt in the future, like most people. The presence of this fraudulent debt in her credit report makes credit more expensive and hard to get.
2. Before filing suit and going to court, BigBank makes persistent but usually polite attempts to collect. But when she says "that wasn't me" they don't believe her, because lots of deadbeats say that sort of thing too.
3. Perhaps BigBank sells the debt to a collection agency, which is far more aggressive and (willfully?) ignorant of laws regulating how and when they can contact Alice. Perhaps they call Alice's employer, threaten to garnish her wages (even if they legally can't), or lie about Alice's ability to contest the debt.
4. If Alice is determined enough to keep fighting and go to court, she has still sunk significant time and money into fighting this. It's unlikely she'll be compensated fairly for that.
I agree the credit reporting agency is in some ways helping Alice, and would add that these agencies probably do reduce the rate of fraud overall. But they also have a responsibility to do a good job minimizing errors. We can't expect them to never make a mistake, but they should have some skin in the game when their inaccuracies hurt a credit applicant.
Step 3 is the insidious part. If Alice files a paper with the reporting agencies, they're required to remove the false report. But the collection agency will just as persistently file an equal but opposite paper to reinstate. The reporting agency is legally caught in the middle of he said, she said. And if asked for proof? The collection agency says BigBank told them Alice owed it, and sold them that debt. So now the originator of the loan has harmed the collection agency as well as Alice.
Don't kill the messenger. The credit reporting agencies are doing what they are obligated to do in that business. There needs to be penalties for BigBank beyond the money BigBank lost in the scam perpetrated by criminal.
Blaming the credit reporting agencies for bad credit reports is intellectually lazy. Blaming them for garbage computer security is much more appropriate in this story. A more interesting discussion here would be about the technical details of the hack.
If the credit reporting agencies wishes no responsibility then for all practical purposes they are a database table, nothing more. In that case they must offer their services on the same lines as AWS or Google Cloud. That is guarantee is only on infrastructure uptime and availability and not the quality of information. Note even in this case, a level of liability regarding security is on them.
If you wish to provide a service with a level of guarantee, responsibility and liability comes along with it.
That's exactly the point. BigBank isn't going to warn anyone. It's just going to seek judgement, or sell the debt to shady collectors and write off the difference.
Think about the credit reporting agencies as a rather sloppy "master list" of who owes who money. It seems what is needed are stiff penalties for banks and collection agencies who falsely claim they are owed money. Until then, you can't live in peace. Someone is going to claim you owe them money if you have any money yourself.
The credit agencies report what has been told to them by BigBank. Once the fraud is detected BigBank should update them that Alice does not in fact have a $10,000 loan with them and it would then be removed from Alice's report. If the loan has been determined to be fraudulent and it has not removed from her credit report, BigBank is victimizing her not the credit agencies.
Clearly, both the bank and the individual are victims of the crime.
Generally speaking, the impact to the customer is usually greater, as bank business model aren't dependent on every loan being repaid. Consumers stand to lose money directly and lose the opportunity to access capital.
The credit agency or anyone else who has a breach is usually a negligent third party.
The individual isn't in any way a victim of the crime. A bank used some information presented to them to conclude that they were dealing with Alice when that information was objectively not sufficient to justify that conclusion. That has absolutely nothing to do with Alice. Alice is victimized in the next step by the bank when the bank claims that it somehow is Alice's responsibility that they took someone else for Alice.
Not sure how the individual is victimised by the fraudster here. If the bank had a 100% success rate at detecting fraud with no false positives and no false negatives, then the individual wouldn't need to know and likely would never find out about the impersonation attempt.
The individual is victimised by the bank and the credit reporting agencies by their spread of misinformation.
In some countries when you sign out a loan and a card you get picture snapped. but then this measure would stick banks with loans and not the consumer.
This may damage Alice's reputation temporarily however,
once the bank determines that it has been defrauded, it should make the loan information inaccurate.
I believe the Fair Credit Reporting Act allows Alice to remove inaccurate information from the report?
Agree with your point on Experian absolving itself, but there are many scenarios in which Alice is also the victom of the thief. With enough info about someone, you can steal digital assets too.
This argument is akin to splitting hairs. The fraudster who applied for the loan against BigBank was at fault. The BigBank accepted the Fraud and reported it to the credit agency. The Credit Bureau reports/includes the data provided by BigBank; it's what they do.
If there is a dispute between what BigBank says and what Alice says, it's not necessarily so easy to resolve, and that's the position the Credit Bureau has to deal with.
To absolve the fraudster of the primary fault is ridiculous. That said, this is the problem with difficulties in identity verification, we all want privacy and security at the same time. While they are not mutually exclusive, having both is much more complicated than one or the other.
If it was on the BigBank to always prove that their identity was indeed stolen, it would quickly become unmanageable. People would commit fraud in the opposite direction, by getting a huge loan from some a bank and claiming that their identity is stolen. I'm sure it would be easier than stealing someones identity to do it, and it would obviously involve some necessary actions to avoid being caught but this would drive loan rates through the roof for the average citizen to make up for all the fraud occurring. I agree with you ideologically, but in practicality i do not believe it would work.
This would obviously drive the BigBank to collect some better evidence that the person applying for the loan is who they say they are, which is exactly the incentives we want here.
In that case banks would just have to verify who they were giving money to before they start handing out loans. That doesn't sound particularly unmanagable to me.
I wish I could remember details, but a cofounder or single digit employee of a acquisition Equifax made, elected to forgo their earn out, because they were opposed to working in any capacity for Equifax. I think that they were somehow bullied into revealing their reasoning, to escape penalties in contract (which in any event were unlawful in the UK, I heard this from a employment attorney friend who has super reported cases, ie those which established new law). They were immediately snapped up by a startup in VA. Equifax managed to suppress their credit file completely. Preventing them from even renting a apartment for at least a year, and I believe it was a year before they had been even recognised by a US reporting agency and could open and operate a checking account. This was picked up by The Register, which still was then still Mike Magee's baby, so honourable 1., 2.. I can't find a link from my phone, but even if you never believe me the actual events happened, I bet you had a thought that you would not be surprised if it happened more often.
1.(added to qualify that adjective "honourable" which I apply to individuals not companies, and individuals who risk sacrifice without burdening others. My career is in advertising and I am truly impressed when publishers are able to maintain standards that are able to raise their costs of sales. (a large publisher may not lose a account, but the sale often consumes expensive energy, even only to explain why policies exist. I work far from such high sensitivity issues, as does the company I started around the time of this recollection.)
2. last I spoke to Mike, he was telling me how he simply was never issued his shares in "ElReg" and he was long enough into The Inquirer to think that Limitations applied. But Limitations 80 runs from the time of discovery of tort, not the event of tort. Before the chance arose to catch up, and establish facts, Mike had passed away. RIP a great man and two great journalistic servants to the IT community. I did not establish the facts that were alleged, therefore my statement is hearsay, but protected by the statutory defence of genuine belief, and I had always faith in my source.
Edit: italics removed from footnote, earn out replaced phypo earnings, and great man replaced good man. Mike was exceptional and altruistic to a fault.
Bigbank is the only one in your scenario that actually has monetary loss since they lent out the money and most likely will never get it back. In identity theft, the company has the financial loss. FBI won't investigate unless its over 250k in losses as well.
You certainly can quantify the monetary losses to Alice too. When her credit rating is shit and she buys a car or home, the banks are expert at placing those rates and can tell you exactly how much more she pays. What is more difficult is calculating the loss of what she doesn't even do due to bad credit, like she might not be able to rent the same apartment, she might not even try to buy a car.
She may not have to pay that bank loan back but that doesn't clear her credit up immediately.
Fraud isn't limited to credit. My dad had someone open a savings account in his name and transfer a significant amount of money via ACH. He only found out because he got a welcome or from the bank!
The police investigator told him that the particular fraud that he was a victim to was impacting >500 people and >$5M
> It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.
Credit Reporting agencies report the data passed to them by companies such as banks. In your scenario BigBank thinks it's given a loan to Alice, and when they don't get repaid, report that to the CRAs. Alice is a victim of the thief because her identity was appropriated to secure the funds. BigBank is a victim of the thief because they were defrauded. The CRA is a victim because they were just reporting the information that was provided to them in good faith by their customer BigBank. So saying that the CRAs are "victimizing" Alice is completely false.
Alice bears the burden and risk of clearing her name, just as a victim of car theft bears the burdens of reporting the crime, getting another vehicle, dealing with the any outstanding loans, etc. These burdens are inflicted by the thief, not the bank or CRA.
> perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, [...] and to avoid realistic identity-verifiction which might slow or complicate the practice of issuing large amounts of debt to the general public.
This completely misunderstands the role of a CRA. The CRA doesn't have to verify identity, it's up to the credit grantor to ensure they are dealing with the person they think they are.
Your comparison is bullshit. I have control over how I secure my car from being stolen. It's complete nonsense to equate that to me being responsible for a bank's failure to protect themselves against fraud where I have no power whatsoever to influence how the bank secures itself against fraudulent loan applications.
Your statement is nonsense. Regardless of your efforts, the best you can ever hope for is to minimize the chance of your car being stolen. You can never prevent it completely. If your car is stolen in spite of your best efforts, are you at fault? Do you still have to deal with the consequences as a victim of that theft?
Which makes your statement (that you have sufficient control to prevent the possibility of theft of your property) completely invalid. You can do everything right, and through no fault of your own have things go wrong.
Yes, really. Having control over how I secure my car does not in any way imply that I can guarantee success. However, as a matter of fact, you can essentially get arbitrarily close to that, it's just a matter of your effort. Which is in contrast to banks being defrauded and blaming me for it, where I can not do anything about how the bank protects itself against the fraud.
The problem is that the power to do anything about the problem and the blame is not aligned, which leads to a situation that is equivalent to the bank leaving the key in the ignition of the unlocked car, not allowing you to change anything about that setup, and then expecting you to foot the bill when the car inevitably does get stolen.
It bugs me when people mix our standard numerals with Roman numerals, such as 12MM to mean twelve million. They are different numerals and the meaning is not defined when they are used together.
And Roman numerals are not like SI suffixes, meaning they are not multiplicative; Roman numerals are additive, so MM is two thousand, not one million. Also, M is an SI suffix, so 12M means twelve million and 12MM just looks like a typo.
Obviously people do not use SI suffixes may not feel the same way, this is just my pet peeve because I use SI suffixes in science.
I'm surprised to learn this is such a common thing that it has a name "California No", and it also reminds me that there is something wrong with the people of California :)
In my experience, someone who can't say no is not being polite; they are being quite rude. Stringing people along is rude. It is far more polite to outright tell someone that you are not interested and then everyone can move along. Even for dating, I can't speak for other people, but a simple "not interested" is more polite than being ambiguous. There is no "growing number" of folks who react violently because violent reactions, in general, have decreased over time -- and if anything, a clear "no" is likely better than being unclear. In my experience someone would be more angry at being misled over a period of time.
You seem judgemental. While I share the same preference for clear, open discourse as others here, I recognise that in some cultures (e.g. Japan where I live) I will be in a distinct minority in this regard. It's only as polite or as rude as cultural norms dictate.
I think a good approach is to recognise the different styles and, where appropriate, to help your counterparty to do so too.
>both don't guarantee true privacy as we can't see the servers.
What do you define as true privacy? Why isn't other privacy "true"?
What do you mean by "see the servers"? Surely you can see them as computers at the other end of a TCP connection, and the server cannot read the cleartext of an E2E encrypted message.
> - if you "see" the flash, thats the last thing youre ever going to see. will blind you.
Maybe not. Richard Feynman claimed to have watched a nuclear explosion with nothing but regular glass between him and the blast. He assumed the glass would block any ultraviolet light and he was not blinded.
By the way, your https certificate for lambdauniversity.com is broken (it is for github, not your domain), and www.lambdauniversity.com/contact returns a 404.
No, it is not due to job hunting skills. It's more like "culture fit" and other types of discrimination.
https://www.techrepublic.com/article/the-myth-of-the-tech-ta...