Shostack + Friends Blog Archive


The real problem in ID theft

In “Reckoning day for ChoicePoint” [link no longer works], Rich Stiennon writes:

The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old-fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and overextended borrowers.

He’s right. The players at the heart of identity theft in the U.S. are the credit bureaus. But, what they’ve done is more than just creating a system which is prone to identity theft. Let’s review how the credit bureaus work. They serve businesses by selling information about creditworthiness. Their customers (businesses extending credit) are happy to charge higher rates for people with poor credit, so there is little incentive for the business or the bureau to eliminate errors from the credit data. Worse, as the problem of identity theft becomes more widespread, the credit agencies can sell “credit monitoring” services to consumers and “enhanced authentication” to businesses and make even more money.

The credit agencies now run TV commercials touting credit monitoring, threatening people with identity theft. They don’t quite say “nice credit score you’ve got there. Shame if we were to do something to it,” but they come close.

Small wonder it’s hard to address the problem.

Rich closes:

I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.

I think it would be simpler to remove their exemption from libel law. The credit agencies share default data just fine. They should have to share remedial data as well, or be accountable for the costs which they impose by their negligence.

4 comments on "The real problem in ID theft"

  • Consider the similar case of the phone companies prior to the do-not-call registry….
    1. They have your basic info including phone number.
    2. They sell this information to phone marketers.
    3. They sell you a blocking service to stop phone marketers.
    4. You can’t tell them not to share your data.
    It’s a pretty nice racket to get both sides to pay you….

  • Catherine Leyen says:

    Ever heard of wireless skimming?
    It’s the newest type of identity theft, and our product, the Armadillo Dollar is the only answer. Check out the only solution to this new vulnerability using radio-frequency information to steal identities and money from Americans. has a list of prevention tactics more complete than most seen so far.

  • Adam says:

    Silly me, I thought the answer was to nuke the cards with chips in them.

  • PHB says:

    Every time I have got a new telephone number in the US I have had a series of calls from debt collection services going after the old owner of the number. I used to think that they were deadbeats, now I realize that these are just another type of scam calls.
    One of the good features of VOIP systems is that you can block particular numbers.
