
The New ID Theft: Millions of Credit Applicants Who Don’t Exist - jkuria
https://www.wsj.com/articles/the-new-id-theft-thousands-of-credit-applicants-who-dont-exist-1520350404
======
thisisit
> Mr. Lyles secured credit cards often using fictional names and numbers the
> Social Security Administration hadn’t yet assigned.

So, the credit reporting companies cannot verify if the SSN is real or not?
That sounds like the worst identity verification system.

~~~
TehCorwiz
SSNs aren't supposed to be used for identification. That said the Social
Security Administration does have a site that allows for validating SSNs. It
appears to be geared toward employers verifying SSNs for employment (and
therefor tax purposes), the terms may preclude using it for credit reporting
purposes.

[https://www.ssa.gov/employer/ssnv.htm](https://www.ssa.gov/employer/ssnv.htm)

The root problem here is that they're using a public number which was never
designed for identification purposes and has no security. The solution would
be a national ID, or expansion of the US Passport with in-built security
measures. Although that goes over like a lead balloon whenever it's brought
up.

~~~
toomuchtodo
So only issue credit cards to people with a passport, and give them a
statement credit to cover the application fee (premium annual fee cards
already cover the cost of precheck/global entry, this isn't a stretch). It's
even possible the finance industry could negotiate with the US government a
lower rate for passports at scale, thereby turning it into a defacto national
ID system.

This is just finance industry whining that their system sucks and they want to
offload the costs onto the government to manage the fraud.

EDIT: "In January, Accenture PLC listed synthetic-identity fraud as one of the
biggest threats facing banks in 2018, saying it would be “costing banks
billions of dollars and countless hours as they chase down people who don’t
even exist.”

That pays for a lot of passports!

Disclaimer: Am in finance industry, but not credit issuance.

~~~
dublinben
Lawful permanent residents and other residents of the US who are not eligible
for a US passport may also want to avail themselves of the benefits of a
credit card. Fewer than half of US Citizens have a passport, and they may all
want a credit card as well.

~~~
TehCorwiz
Lawful permanent residents also have a green-card or other immigration related
ID number which can serve the same purpose. They likely also possess a foreign
passport which could be used in the same way.

Less than half of the eligible population of the US votes also. That doesn't
mean that it's a bad idea, just that it's not taken advantage of.

EDIT: a word.

------
mnm1
I commend the people doing this. Credit card companies and banks have been
pushing the burden of identity theft onto the consumer for way too long, a
burden that clearly is the bank's fault in every single case. Maybe now
they'll start to take fraud seriously. I hope more shadow id theft happens
until the banks start doing their duty and protecting customers. The more
money they lose, the better it is for everyone else. Thank you, synthetic id
"thieves."

~~~
empath75
You should be able to sue banks if they fraudulently extend credit to someone
else in your name. It's not your fault that their identity verification
methods are terrible.

~~~
mnm1
How is this not already possible?

------
neonate
[http://archive.is/LdEX8](http://archive.is/LdEX8)

~~~
amenod
I wish I had an option to blacklist all paywalled sites (from my list only, of
course).

------
naftaliharris
Two super interesting things about this kind of fraud which make it especially
tricky to catch and deal with:

1\. Unlike with ID theft, there's no consumer victim. With ID theft,
eventually the victim will find out about it, (by getting a call from a
collections agent or seeing the trade on their credit report). They'll then
contact the lender or the bureau, and contest the validity of the loan. The
end result is that the lender gets a stream of loans that are labeled as
identity theft losses. Since there's no consumer victim with synthetic fraud,
though, lenders don't get this stream of labeled data and have a hard time
knowing which of their losses are synthetic fraud (and which are just ordinary
credit losses).

2\. Synthetic fraud cuts right through typical ID theft prevention systems. ID
theft prevention is about checking whether the applicant is the same as the
identity they're using to apply for credit. So you check if the email the
applicant uses matches the identity, (e.g. don't want john.doe@gmail.com used
as the email for Jane Smith), you check the phone number, you check if the
applicant can complete KBA (knowledge based authentication, e.g. questions
about previous addresses), you check the billing address, and so forth. But
synthetic identities have their own aged phone numbers, emails, addresses, and
credit histories, and so all of these verifications go through without any
flags raised. Essentially the ID theft prevention system was checking whether
the applicant is the same as the identity that they're using, but with
synthetic fraud the applicant _created_ the identity.

Source: my startup focuses heavily on preventing synthetic fraud for lenders,
(PM me for details).

~~~
bb88
I know you're not asking for my advice, but you're pushing the dirt around
here.

You're not solving the problem of ID Theft, you're just making it more likely
that the criminals who are going to do it are going to use it are going to use
ID's of real people.

Congrats and all for figuring it out how to do it, and for developing a market
around it. But to me, encouraging banks to continue to make loans with just a
web site or app seems like a really bad idea.

Edited to add:

Data is not a person. A person is a person.

------
zellyn
Open question for hacker news denizens: why don't the three main credit
bureaus let you register your SSN, and get alerts in an app whenever someone
tries to take out a loan? I'd sign up for that in a heartbeat.

Hit me up with the unintended downsides :-)

~~~
toomuchtodo
Credit Karma does this for free.

[https://www.creditkarma.com/credit-
monitoring](https://www.creditkarma.com/credit-monitoring)

~~~
s73v3r_
They sell your data so they can sell you loans and credit cards, though.

~~~
toomuchtodo
My understanding is they don’t sell your data, but they do use it to recommend
you financial products they make a commission from. I’m happy to be proven
wrong.

~~~
theandrewbailey
That's what "selling your data" means anymore.

~~~
namibj
No, as long as they do not give it out to third parties. It is the same way
Facebook does not sell your data, yet makes money from it.

~~~
s73v3r_
It's still selling the data.

------
reaperducer
I'm surprised that this is seemingly a new phenomenon. The article states that
it really picked up in 2012.

I remember there was a program for the Commodore 64 that would pull random
information from a data array to create fake identities, complete with
addresses and ZIP codes.

------
syntaticSugar
Paywall uhhhhhg

~~~
dang
Please see
[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html)
and
[https://news.ycombinator.com/item?id=10178989](https://news.ycombinator.com/item?id=10178989)
and don't do this here.

