Hacker News

There's been enough leaks from DMVs, credit bureaus, credit cards, and a myriad of businesses that require an SSN for verification checks by now that if every SSN wasn't already in the hands of attackers I would be surprised.


Don't forget the federal government itself. I've still got 1 year remaining from the 10 years of monitoring I got from the OPM breach wayyy back when.

Related, any company offering monitoring should be required to pay for a serialized version. The 10-20 or so settlements that require monitoring in my lifetime have been useless because I already have it for a longer period.


Same. It works out every time there's some class action over a spill because I can show that I have the credit monitoring and ask for the $3 or whatever from the lawsuit. A few more years of leaks and I'll have enough to buy a lego set for all the trouble.


Yeah, at this point, I assume that anyone has anything they want on me.

From what I read, the best thing you can do is freeze all credit reports and add a PIN to your tax efiling.


Has anybody ever gotten out of a debt by saying “I dunno why you think those credit cards are mine, everybody’s social security number is everywhere.”

I’d love to see a case like that. These data broker and credit bureau industries are obviously impossible to run safely and should be destroyed.


Yes, this is actually a common way of getting out of debt. Oftentimes the "proof" for a debt is lost in the tangled web of debt collection, and by the time someone comes around to collect, there's no tangible evidence the debt was valid.

It's a best practice to request proof of any outstanding debt before paying collections, and I've personally seen cases where friends have gotten out of a debt that went to collections simply by asking for proof, and when it wasn't provided, poof it went away.

I'm a sucker, and don't take advantage of this, but I don't blame anyone who does. Keep good records, and it won't be a problem!


I'm not a lawyer, but I'd imagine that claiming that for cards that are legitimately yours would be considered fraud and would probably land you in more hot water than the initial debt would.


The trick is you just turn it around. Don't claim the debt is not yours. Simply demand proof that it is.


It's only fraud if there's evidence showing you took out the debt. :)


Do you really think it's that easy? Any junior investigator could examine the purchases and tie them to you. If the card was really opened fraudulently it would be easy to show that the goods were shipped somewhere completely isolated from the cardholder.


It's not that easy when there's 2 or 3 degrees of separation between the source of debt and the collector. And also, what collections agency is going to go through that sort of trouble unless it's for maybe tens/hundreds of thousands of dollars?


You don't think it's possible to have an accomplice to ship the goods to? PO box under a fraudulent ID? Ship to random locations and pick it up before the home owner gets it?


> Any junior investigator could examine the purchases and tie them to you

That'd be evidence if it can be tied to the original debtor, no?


I wrote my comment on the premise that "why can't a cardholder lie and claim they never accrued the debt [on a specific card]". If an investigator analyzes all purchases from the card and finds many of the purchases were things you took possession of, or hotels you stayed at, etc, that's evidence against the liar who falsely claimed to be a victim of so-called 'identity theft'. It's very hard to launder purchases without some trail leading back to you.


by the time it gets sold once and you are 5 years in, the evidence is vapor. if it's tied to assets, or large enough, they will come for them tho because bounties.


Of course, but there are plenty of people who are willing to risk committing crimes if it benefits them financially.


I’m not sure specifically what context we’re talking about. In court, sure. Talking to debt collectors? They aren’t the police, in the very least you aren’t under any obligation to answer any questions you don’t want to, right?

I don’t recall, I’d have to look in my records, why don’t you send me whatever proof you have and I’ll see if I can find anything?

These are pretty slimy businesses, they should be treated as such.


> I’m not sure specifically what context we’re talking about. In court, sure. Talking to debt collectors? They aren’t the police, in the very least you aren’t under any obligation to answer any questions you don’t want to, right?

As far as the question of if something is or isn't fraud, why would the context matter? As far as I know fraud has nothing to do with perjury or being under oath. If you intentionally lie to a debt collector in order to get out of a legitimate debt, I think that would fit the definition of fraud.


> credit bureau industries are obviously impossible to run safely and should be destroyed

I am not sure I agree with that premise.

I would say there are literally no incentives to secure that data and no penalty for leaking it. Hence for-profit businesses will never operate this securely.

I think it’s the same conclusion but a worthy distinction


There's no way for someone to make an identifier that's also a secret secure. You could have huge penalties, give the corporate death penalty, and you'd simply see old insecure companies replaced with new insecure companies. Add a real death penalty for the CEO, and you'd just find all the new companies are run by people who have nothing left to lose (or death row inmates suddenly find they have a bunch of new opportunities).


Secure identification is a solved problem, you have a public part and a hidden secret part. Everyone knows your public part, but the companies never know your secret part so they can't impersonate you.

This is what other countries are doing, this is a solved problem so identity theft shouldn't happen any more in any competently run country.


That doesn't solve the whole problem. Identity is fundamentally about what you are. What you have, or what you know, are merely proxies, and they need to be connected to you in a trusted way, which is hard to do in a robust and efficient way.

Or, in other words, when you misplace your private key, you don't want to irrecoverably lose everything you have. Fortunately, the world isn't some nightmarish cryptocurrency dystopia - there are ways to prove you owned the lost credentials and keep the ownership of what you had. The flip side of it is that someone else can prove they own your stuff too, with enough effort.


It solves the problem of having to give the company enough information for them to steal your identity in order to do business with them. That isn't a power companies should have over you, and those who do should be extremely heavily regulated to ensure their data protection is top level quality.

This way it isn't a big deal if small businesses leak data, since they don't have the important parts, so they don't need to be regulated that hard.


You may be taking a narrow view of "the problem". Stella Rimington, head of British (internal) intelligence (MI5) courageously spoke some clear truth a couple of decades ago. She said there isn't and cannot be a reliable connection between information and an active body in the world with agency. In other words, she thought "identity" is a weak idea and forcefully opposed the idea of "ID cards".

Individuals may occasionally be of interest in intelligence, but less than you think. Identity really comes from banking, law and medicine so that we don't give the wrong person money, drugs or put the wrong person in jail. It's low-level, procedural, civic stuff.

Beyond that there's a lot more dark, unwanted applications of identity and we forget how much it is a cultural artefact of the individualistic society we presently inhabit.

We do have plenty of nearly-good ways of _re_cognising_ a living person, if we have previously "cognised" them. Images, voices, faces, and various biological scans are all limited and likely to be defeated with coming technology.

So separating "trust" (as expected behaviour) from identity is a major challenge, and a most fascinating one. They are not the same thing.


Could you share a quote or source for others to check out what she said? It sounds very interesting, I'd love to read or listen to what she had to say there.


These [0,1,2] are press opinions on her opposition to ID back then. The woman behind all that is far more interesting, but I can't find you more direct sources. She's a writer (fiction) too and may have expressed more in her autobiography or stories after coming out.

[0] https://www.theguardian.com/uk/2005/nov/16/idcards.uksecurit...

[1] https://www.mirror.co.uk/news/uk-news/a-really-bad-idea-5656...

[2] https://www.theguardian.com/uk/2005/nov/17/idcards.immigrati...


> Her own opinion was that ID cards would be of use "but only if they can be made unforgeable".

Internet identifiers with private keys are unforgeable unless the certificate authority is compromised, so seems like she would be in favor of this.

There is no disadvantage with this compared to just having a public identifier with no private part (current SSN scheme in USA).


> so seems like she would be in favor of this

No I don't think she would approve of any zealous solutionism. Not that I personally drink tea with her, but from what I've read SR occupies that class of intellect that deals in philosophical fundamentals of human affairs high above the 'technician' who says "Oh we've solved this with newfangled thing X now". And I'd bet my comfiest boots on some "certificate authority" being compromised before the ink is dry on this comment. I mean... look at what the title of this thread is about. :)


> There's no way for someone to make an identifier that's also a secret secure.

There is, but it requires asymmetric cryptography, so entities can verify you have access to the private key without having access themselves.

And that would be more technically sophisticated, and difficult to deploy, so I don't see it happening any time soon.
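
The contrast argued in this comment and in the earlier "public part and a hidden secret part" comment, as an added example that is not part of the thread: a verifier that stores the number itself can be impersonated from its own leaked records, while a verifier that stores only a public key and checks a signature over a fresh challenge cannot. All class names, function names and sample values are hypothetical, and Ed25519 is an assumed choice of signature scheme.

```javascript
// Added example: every class, function and value below is hypothetical.
const crypto = require('node:crypto');

// Scheme A: the identifier doubles as the secret (SSN-style check).
class NumberVerifier {
  constructor() { this.records = new Map(); }            // name -> number
  enroll(name, number) { this.records.set(name, number); }
  verify(name, number) { return this.records.get(name) === number; }
}

// Scheme B: the verifier stores only a public key and checks a signature
// over a fresh, single-use challenge.
class KeyVerifier {
  constructor() { this.records = new Map(); this.pending = new Map(); }
  enroll(name, publicKey) { this.records.set(name, publicKey); }
  challenge(name) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(name, nonce);
    return nonce;
  }
  verify(name, signature) {
    const nonce = this.pending.get(name);
    const publicKey = this.records.get(name);
    this.pending.delete(name);                           // a challenge is used once
    if (!nonce || !publicKey) return false;
    return crypto.verify(null, nonce, publicKey, signature); // Ed25519: algorithm is null
  }
}

function runDemo() {
  // Scheme A: whoever reads the verifier's records passes the check.
  const ssnStyle = new NumberVerifier();
  ssnStyle.enroll('alice', '000-00-0000');               // constructed sample value
  const leakedNumber = ssnStyle.records.get('alice');    // what a breach exposes
  const numberImpersonation = ssnStyle.verify('alice', leakedNumber);

  // Scheme B: the private key never leaves its holder.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const keyStyle = new KeyVerifier();
  keyStyle.enroll('alice', publicKey);

  const firstChallenge = keyStyle.challenge('alice');
  const firstSignature = crypto.sign(null, firstChallenge, privateKey);
  const legitimateLogin = keyStyle.verify('alice', firstSignature);

  // A breach exposes the public key and old transcripts. Replaying an old
  // signature fails because the next challenge is different.
  keyStyle.challenge('alice');
  const replayedSignature = keyStyle.verify('alice', firstSignature);

  // Signing the fresh challenge with some other key fails as well.
  const other = crypto.generateKeyPairSync('ed25519');
  const nextChallenge = keyStyle.challenge('alice');
  const forgedSignature = keyStyle.verify(
    'alice', crypto.sign(null, nextChallenge, other.privateKey));

  return { numberImpersonation, legitimateLogin, replayedSignature, forgedSignature };
}

console.log(runDemo());
```

Key recovery and the binding of a key to a real person, which later comments raise, are outside what this sketch models.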


Right, it's not like you have a public identifier (your email address) with a secret (your password or even MFA)...

Could you imagine if we just treated knowing your email as being proof it was you in financial deals?


> There's no way for someone to make an identifier that's also a secret secure.

umm what? Private-Public key authentication exists.


The public key is, by definition, not a secret.


I agree.

I think it is not theoretically impossible, but it is that we live in a world where these services are offered by race-to-the-bottom-of-the barrel providers (to merge a couple expressions).


Then it's called "Identity Theft", and deflected back to you as your problem to resolve. But, it's no big deal. I'm sure everyone everywhere qualifies for a year's worth of free credit monitoring.


> it's called "Identity Theft", and deflected back to you as your problem to resolve

Not really. At that point it becomes an open question that both sides will furiously try to resolve in their favour.

What you're advocating (and I agree with) is biasing the odds in favour of the allegedly defrauded. For example, if you file an affidavit of identity theft with a credit bureau (or court), collections on that item are suspended for a fixed amount of time.


When someone uses my SSN to set up a loan, I'm not the victim, the bank is. There's no such thing as identity theft. That's just good marketing and a genius sleight-of-hand to move the responsibility and blame away from the entity that allowed itself to be defrauded.


> When someone uses my SSN to set up a loan, I'm not the victim, the bank is

If someone steals your car and uses it to run over a pedestrian, both you and the pedestrian are victims. They're far more damaged. And you aren't at any fault, even if you e.g. didn't lock it or even left it with the keys in. It's still going to create a mess for you.

Fraud involving a stolen identity is similar. The defrauded is most damaged. But the person whose identity was used is also in a mess. Obviously, if a bank has a loan in your name it's going to need to talk to you to straighten things out. And the way it would prefer things be straightened out is also, obviously, that the loan be paid versus poofed. (And on the other side, there are also going to be people who borrowed money who claim they never did.)


If someone steals my car and kills someone with it, I'm not liable for murder. I just had a car stolen.

If someone who looks nothing like me steals my passport and convinces someone to loan them a bunch of money, I'm not liable for that money, the person who loaned money to someone without checking the photo is just out of luck.

If the bank does the above, suddenly it's my problem for "getting my identity stolen".


> If someone steals my car and kills someone with it, I'm not liable for murder. I just had a car stolen.

Right. You're a victim. And you'll probably be involved in the process of investigating and resolving the manslaughter.

> If someone who looks nothing like me steals my passport and convinces someone to loan them a bunch of money, I'm not liable for that money

Right. But you're obviously going to be involved in sorting out that mess, even if that begins and ends with "fuck off."

> If the bank does the above, suddenly it's my problem for "getting my identity stolen"

How? If someone opens a credit line in my name in a foreign country, and I'm never contacted about it, it's not my problem. It only becomes my problem if they try to take my stuff.

Identity theft is in the same category, from the victim's perspective, as a bank error. If a bank mistakenly initiates foreclosure proceedings against me, that's their mistake. But it's my problem. That's the basic reality of the situation. (For a lower-level analog, if you accuse the wrong person of a crime to a police officer, that's your mistake. But it's their problem.)

What you're recognising is how much more powerful the bank is than you or me. Given how common identity theft is, they shouldn't be given the benefit of doubt they (or anyone else) would if they had a piece of paper purporting to promise something from us to them. But we have to recognise this isn't a return to the status quo; we're creating an exception.


If someone kills someone with my car, and I do nothing, I'm innocent until proven guilty.

If a bank mistakenly initiates foreclosure proceedings against me, and I do nothing, what happens?


> If someone kills someone with my car, and I do nothing, I'm innocent until proven guilty

Yes. That doesn't mean you won't have any inconvenience.

> If a bank mistakenly initiates foreclosure proceedings against me, and I do nothing, what happens?

You're describing seizure. If I walk into your home and steal something and you do nothing, what happens?


The point is that if the bank gives someone a loan in my name, I'll have to prove it wasn't me, it's not the bank who has to prove it was me.


> point is that if the bank gives someone a loan in my name, I'll have to prove it wasn't me, it's not the bank who has to prove it was me

They do. When they file for e.g. foreclosure, they're submitting proof to competent authorities. You're disputing that proof because it's bad proof. But they--and the authorities--don't know that. It looks like regular proof. It's a conventional adversarial set-up. It's just incredibly unequal.

What I'm getting at is this isn't some weird switcheroo. It's how contracts work in general.


I'll have to defer to you, I'm not very familiar with these processes, and I don't want to argue more fervently than my limited certainty allows.


I think you two don’t really disagree, one of you is describing what ought to be and the other is describing how the system is currently rigged, unfortunately.


> If someone steals your car and uses it to run over a pedestrian, both you and the pedestrian are victims. They're far more damaged. And you aren't at any fault, even if you e.g. didn't lock it or even left it with the keys in. It's still going to create a mess for you.

The degree to which the individual is victimized is a direct result of the bank's efforts to push all fault and responsibility to the person who had their information used for the fraud. I would argue that the bank is victimized by the fraudster and the bank chooses to transfer the fallout of the victimization to the individual.

Of course, the difference in your example and the identity use is that one is tangible and the other is not. If someone steals your car, you've lost your car. If someone 'steals' your identity, you haven't lost it.

> Obviously, if a bank has a loan in your name it's going to need to talk to you to straighten things out. And the way it would prefer things be straightened out is also, obviously, that the loan be paid versus poofed. (And on the other side, there are also going to be people who borrowed money who claim they never did.)

True, but it shouldn't be my responsibility to prove I didn't take a loan, but instead the bank's responsibility to prove that I did once I make the claim. If they don't like the work involved, then they should perform better due diligence before giving out money, or accept this risk as a cost of doing business.


> If someone steals your car, you've lost your car. If someone 'steals' your identity, you haven't lost it.

Valid. Imagine it's a car you never use, didn't care for and won't replace. The inconvenience of being proximate to a crime is what I'm getting at.

> it shouldn't be my responsibility to prove I didn't take a loan, but instead the bank's responsibility to prove that I did once I make the claim

I know only one person who went through full-blown identity theft. Most of the consequence was in halting creditor actions. They weren't proving they didn't take out the loan as much as disqualifying attempts to seize their stuff. What made it stressful was there being no way to know when you're out of the woods.


Or, someone steals your car, commits a murder with it and places it right back at the same location in the exact condition.

The police will come after you and you will need to explain. But you still have your car.


> If someone steals your car and uses it to run over a pedestrian, both you and the pedestrian are victims. They're far more damaged. And you aren't at any fault, even if you e.g. didn't lock it or even left it with the keys in. It's still going to create a mess for you.

A more fitting analogy: Imagine a bad actor buying a car that strongly resembles your own (same make, model, year, and color), then they convince the DMV to give them a duplicate of your license plate. In this analogy, the DMV is the bank.

The bad actor runs over a pedestrian. Sure, it may be a headache to prove that it wasn't actually your car, but once you do so, how much of the responsibility should you hold?


> may be a headache to prove that it wasn't actually your car, but once you do so, how much of the responsibility should you hold?

This is a good analogy. You shouldn’t hold any responsibility. But you’ll still have a problem that takes a lot of work to resolve. The impetus of resolving that falls to you.


Technically, there is legal precedent in Canada that concluded unsolicited credit services are not legally binding. i.e. unless you personally asked/signed a request for some service, it is illegal to issue a bill for that service. These laws were a consequence of early credit-card mass-mailing campaigns that just issued debt products to random people. Today, many legal cons still issue bogus invoices to companies every day for things no one asked for... and sometimes you have to be careful how you handle the response (ahem, Google appliances... cough cough...)

Accordingly, up North an individual is only responsible for a few hundred dollar fee under fraudulent use of a credit card situation. i.e. even if you don't catch the billing errors fast enough to lock your card, you are generally not responsible for a criminal's use of credit services without your knowledge.

When we were starting out, I made the mistake of paying for our IP lawyer's dubious LexisNexis subscription for a year, and then was hit 4 years later with a collection agent's bill (initially we thought it was a scam)... because the former employee just kept using the service. Note, because I had initially agreed to pay for the journal subscription, my lawyer said it was cheaper to just pay them the $14k to get the matter settled (we were displeased as you could imagine.)

The lesson here is to be very careful about saying "yes" to things when you don't fully understand the consequences. There are unethical people that make their income from legal shenanigans pulled on new businesses.

Have a great day, =3



