
Three Years in Identity Theft Hell - ColinWright
https://www.bloomberg.com/news/articles/2017-09-13/my-three-years-in-identity-theft-hell
======
sillysaurus3
Counterintuitively, this is evidence that the Equifax breach isn't necessarily
going to cause massive harm. If someone wanted to impersonate you, they could
already.

I remain hopeful that the full list of 140M SSNs will be posted in full. It's
a rare opportunity: if that happens, the US will have no choice but to finally
switch to a new system. One that doesn't rely on SSNs being private. That's
the absurdity. It is easy to steal your identity because we have allowed it to
be easy.

It's going to be difficult to switch to a new system, but the pain will be
worth it. Imagine if the author could finally have peace of mind because
nobody could impersonate him.

That is a fairytale, admittedly. It's always going to be possible to steal
someone's identity if you're determined. But just look how trivial it is right
now. Your driver's license plus the thief's photo is all they need. And it's
possible to forge: they don't even need to swipe your physical one.

 _Those are “the keys to the kingdom,” said Bo Holland, CEO of AllClear ID, an
identity-monitoring service. “Once you have somebody 's name, social, birth
date, and address, you can go and open new accounts.”_

The SSN shouldn't be the critical key in that list.

[https://youtube.com/watch?v=Erp8IAUouus](https://youtube.com/watch?v=Erp8IAUouus)

~~~
noncoml
> Counterintuitively, this is evidence that the Equifax breach isn't
> necessarily going to cause massive harm. If someone wanted to impersonate
> you, they could already.

This argument doesn't not follow logically. It's like saying you shouldn't
lock your house because if somebody really wants to get in, they will do it.

~~~
larvaetron
It would be analogous to a security breach of a manufacturer's database of
keycuts and corresponding locks, not outright refusing to lock your doors.

~~~
noncoml
Right. That analogy it more correct, but it doesn't make it follow logically.
It's like a someone having the keys and address for each key.

------
Chathamization
> “We demand convenience over security,” Velasquez said.

Banks send a constant stream of credit card offers through the mail and pay
people to use credit cards (with rewards). Stores are always trying to get you
to sign up for their credit cards and offering big discounts if you do, and
car dealerships offer special deals - but only if you agree to finance your
car. People might want more credit, but lets be honest - the financial
industry is doing everything it can to shovel debt onto the American public.

Imagine if a loan shark went door to door in a neighborhood paying residents
$500 to take one of his loans. That seems almost cartoonishly evil, but that's
more or less what the financial industry does. And it's not hard to see why -
the average credit card has an annual interest rate of 15%. Even after you
factor in things rewards and people who don't pay, you're still looking at a
very nice rate of return.

It's hard to see how identity theft isn't directly linked to financial
institutions trying to make credit as easily available and as widespread as
possible. Instead of viewing identity theft as a high price to pay for the
convenience we want, it should be viewed as yet another terrible consequence
of the financial industry's efforts to push as much debt onto Americans as
they can.

------
peteretep

        > In an economic system where U.S.
        > consumers carry $12.73 trillion in
        > household debt, you shouldn’t be able
        > to just call up, say “it wasn't me,”
        > and leave thousands of dollars in
        > obligations by the wayside.
    

Yes, you should, and the banks should be the ones left holding the bag. The
author did _nothing_ wrong, and was victimized by the banks' incompetence at
adequate fraud checks.

------
hendry
I've been a victim of identity theft in Europe. Took many letters to several
police departments in the UK and various states in Germany over the course of
five years...

I've not been stopped at EU airports for awhile but I am still not 100% sure
if my name is on the Interpol blacklist still. The process of clearing your
name is totally opaque. A helpful officer at London MET assured me to
undertake the work to do it.

The amount of times I've had to explain the very concept of "identity theft"
to enforcement is just crazy. And sadly I don't think they fully understand it
most of the time.

I'm a little afraid to travel to eastern Europe, since this "advance fee" for
a VW fraud in my name is particularly common there and I am tired of receiving
threats. Sigh....

------
unabridged
My solution is make a site called credit.gov

This would be the final say in any credit accounts, accounts not listed here
are not legal debt (ie they cannot be collected or sued for)

You can still use SSN for identification but authorization would require more.
I imagine maybe a few different levels of security:

1\. Password (or list of passwords) you can set/change in person at any post
office. The company adding the credit account would need this password to
register the debt.

2\. Yubikey or other auth token you can register at the post office to create
one time passwords for companies creating credit accounts.

3\. Every new credit account requires physical confirmation at the post
office.

Then just setup really good cameras (maybe face scanner or biometric scanner)
at every post office and make it like a 10 year felony to impersonate someone
at the post office. The scammers will be out of the system very quickly.

------
jorgec
In my country, its the bank that has the responsibility to ensure that they
are talking with the right person. If not, then its the bank who will pay, not
the customer.

So, the banks here are pretty annoying, opening an account is a lengthily
process.

~~~
hughperkins
^^^ This. Why is this not in fact the case?

~~~
1024core
Because banks think that if they inconvenience people, they'll lose customers.

Convenience trumps security in the US.

------
rwallace
> There’s a logic to the maze you have to run to expose fraudulent financial
> accounts. In an economic system where U.S. consumers carry $12.73 trillion
> in household debt, you shouldn’t be able to just call up, say “it wasn't
> me,” and leave thousands of dollars in obligations by the wayside.

Perhaps if it was easier to do that, there would be less of the predatory
lending that created such a crippling burden of debt.

------
jakobegger
Why is this only a problem in the US?

I think that one of the reasons is that the US does not have a central
government registry of all the people.

In Austria, we have the „Melderegister“. Every person that stays in Austria is
required to register the address of their current residence. Your name and
address is always in this registry, from the day you are born until you die
(foreigners residing in Austria are also required to register).

Everything relies on this registry — voting rights, taxes, etc.

I think that Banks can check this register to verify your address. So even if
an identity thief is successful in applying for a credit card, that credit
card would be mailed to the victims actual address, so the identity thief
would have to intercept postal mail as well.

So many problems that I read about in the US (using utiliy bills to proof you
are a resident, registering to vote) just sound like a clumsy workaround to
the fact that there is no „Melderegister“.

~~~
aryehof
Countries like Australia do not have a central government registry of _all_
people, unlike most countries, including those in Europe. Each State does have
a register of all births and deaths. There is no national ID. It surprises
many that one is _free_ to carry NO identification.

One can decide to not work (get a tax number), not drive (get a drivers
license), not travel (get a passport), not get free healthcare (get a medicare
card), not vote (evade census'). Unlike most countries, one doesn't need to
register or let anyone know where you live, and there is no national service
(conscription).

It also has very little identity fraud.

------
myrandomcomment
Okay, blocked of time to freeze my credit on Monday.

~~~
matheweis
The pin code they will give you to unlock it is the date/time stamp of when
you locked it.

And, if you happen to forget it, they will unlock it if you can cough up the
very information supposedly compromised in the equifax leak anyway.

~~~
throwaway613834
> And, if you happen to forget it, they will unlock it if you can cough up the
> very information supposedly compromised in the equifax leak anyway.

Wait, what? Any more reading on this?

~~~
interlocutor
Here's the link to "obtain your forgotten or misplaced PIN".
[https://www.experian.com/ncaconline/freezepin](https://www.experian.com/ncaconline/freezepin)
And it says, "provide your e-mail address for faster delivery of your
results."

~~~
throwaway613834
Wow. This whole thing looks like a massive joke. Thanks for the link!

------
siliconc0w
[https://en.wikipedia.org/wiki/Estonian_ID_card](https://en.wikipedia.org/wiki/Estonian_ID_card)
\- everyone get's their own cryptographic certificate. I don't know why banks
aren't pushing for a legit national ID, if anything it would make it easier to
lend and eliminate a lot of expensive fraud.

------
Exuma
So how does one protect against this if freezing is useless because all that
information was leaked anyway?

~~~
ljoshua
Freezing doesn't protect the information, but it does protect your credit
account from being added to. Once frozen, you are almost in a 2FA scenario
where creditors are required to request any new accounts or credit hits, and
the credit agency is required to then obtain your approval using the private
information only you (should) know.

~~~
patio11
_Freezing doesn 't protect the information, but it does protect your credit
account from being added to._

Going to take the liberty of adding to this because the imprecision might
cause some people to develop a poor model of how financial institutions work:
you don't have a "credit account." You have a few firms which have partial
views of your "credit history", sourced by reports from some firms you've
previously done business with before. What a freeze does is that those firms
(CRAs) who could disclose your credit history to a bank will, instead, report
to the bank "That file is frozen."

How is this different from your mental model? Because credit decision is
between a financial institution and a bank -- they don't have to ask anyone
else's permission, including the CRA, to lend you money. They also don't have
to "respect" a freeze on your file; it's purely advisory. It may deter _some_
banks from issuing you _some_ credit but it will likely not deter _all_ banks
from issuing you _all_ credit products.

~~~
sillysaurus3
I'm curious: say you freeze your credit and then take an action that should
negatively affect your credit, e.g. skip out on paying a doctor. What happens?
That's nearly identical to what a fraudster _might_ do, except there is no
fraudster.

How does the system differentiate between someone showing up and doing
something in your name vs you actually showing up and doing something
negative?

~~~
pwg
It works because nearly every institution that would "extend credit" relies on
the reports from these agencies to decide to do so. So when they try to pull a
report (for you or a fraudster) they get back "sorry, frozen" and that causes
them to actually stop and try to actually verify the true identity of the
person requesting the loan. If that is you (the proper owner) then you can
'unfreeze' for the purpose of obtaining the loan. If that is a fraudster, they
will likely not have your pin's to do the unfreeze, so the bank/business says
"no" to the request for money.

[edit: spelling]

~~~
sillysaurus3
I suppose a doctor's office and the dentist are two of the rare exceptions. I
can't think of any others.

(They generally don't ask for payments till the end.)

------
nvahalik
I had my "identity" stolen by someone who tried to open accounts at local
banks after somehow managing to swipe a copy of my drivers license (from our
mail box, as far as we know) and seemingly only was able to rent a Uhaul in my
name (unbeknownst to me until I tried to rent one to move).

The banks kicked him back and he tried forging checks from others (not me).

I filed the reports with the police. And checked my credit. Nothing serious
happened as he seems to have been pretty much thwarted by most places he went.

But then he got caught when he was pulled over for having a brake light out.

All in all I suffered no real harm from this guy. Seems like for the most part
the system works...

~~~
djsumdog
My old flatmate was the victim of identity theft around 2010. After tons of
paperwork, calling banks, closing accounts, working with the police .. he
still lost about $3k that he didn't feel it was worth to try to recover.

You just got lucky and caught it early.

~~~
md_
How did he lose $3k?

I've been curious about the real-world impacts of identity theft for quite
some time. In the article linked, the author's only obvious losses were a) on
the home mortgage (couldn't cosign; worse rate) and b) at the airport, with
TSA (which I don't get; how did his credit rating have an impact on the
secondary security screening?).

It's unclear to me why I should care that much about identity theft, or what a
thief can do. I'm not saying it wouldn't be a huge hassle to get calls from
scammed creditors or be unable to obtain consumer credit, but I am fortunate
enough not to need credit and I already have the credit cards and bank
accounts I need.

There is the whole IRS fraudulent return thing, which could be quite tedious
to sort out and meantime would take real money. But that's about all I can
think of unless you need consumer credit.

~~~
needsilence
You've never lived in a state where your car insurance premium depends on your
credit score, have you. I think you understand perfectly well the problems
identity theft can cause, but you're just being intentionally obtuse.

> It's unclear to me... what a thief can do.

Um... well... how about anything you can do with your identity, except it's
someone else? Do you really not understand why that's a bad thing?

~~~
md_
> You've never lived in a state where your car insurance premium depends on
> your credit score, have you.

Hmm, I don't know, to be honest. That hadn't occurred to me.

> I think you understand perfectly well the problems identity theft can cause,
> but you're just being intentionally obtuse.

Huh? No, I was asking a question. Why would someone be intentionally obtuse
about something like this? I can't figure out how my comment was
misinterpreted, but it certainly was. I apologize for my lack of clarity in
the original post.

> Um... well... how about anything you can do with your identity, except it's
> someone else? Do you really not understand why that's a bad thing?

"Anything you can do" isn't very clear, hence my desire to understand the
threat better. Assuming I have no need for consumer credit (like, actual
loans), it's just not clear to me in which cases a bad credit score can be a
problem. Auto insurance had not occurred to me, so thanks for that example.

Once again, I think you may have misinterpreted my comment in some manner. Do
people really troll each other over, like, identity theft? Weird. But I
wasn't. :)

------
sus_007
I submitted this like 2 days ago :D
[https://news.ycombinator.com/item?id=15247810](https://news.ycombinator.com/item?id=15247810)

~~~
fencepost
Sometimes things get attention and sometimes they don't. Also sometimes it's a
slow news weekend and other times there's a ton happening. Don't ever stress
about whether your submission gets traction.

~~~
sus_007
No worries man, m just sayin

~~~
tomhoward
It might be worth reading Dang's comment history discussing reposts:
[https://hn.algolia.com/?query=dang%20porous&sort=byPopularit...](https://hn.algolia.com/?query=dang%20porous&sort=byPopularity&prefix&page=0&dateRange=all&type=comment)

It feels shitty when someone else gets the points for something you submitted
earlier, but life isn't always fair, and as long as you keep submitting good
content and making good comments, things even out in the end.

~~~
quickthrower2
Plus karma ain't worth jack.

