
A Bloomberg reporter’s account of trying to get back his name and credit rating - pseudolus
https://www.bloomberg.com/news/articles/2019-08-12/i-lost-my-identity-to-a-fraudster-and-it-took-six-years-to-clean-up-the-mess
======
arbuge
> Social Security numbers are the keys to the kingdom. In this country, people
> get a unique number when they’re born, and the Social Security
> Administration tells them it’s secret and valuable. Then we use that number
> to pay taxes, to get government benefits, to apply to college, to get a
> mortgage, to apply for a car loan, to open a bank account, to track our
> credit. We’re asked to hand over this number again and again to institutions
> that have failed to guard it.

This is the problem right here.

To that sorry list, I would add medical providers' offices (doctors and
dentists), all of which seem to request social security numbers for some
reason on their patient intake forms, when all they should need is the
patients' insurance information as printed on their insurance card.

~~~
PeterisP
Regarding all the Social Security number issues, it somehow reminds me of the
Onion title "‘No Way To Prevent This,’ Says Only Nation Where This Regularly
Happens" (I know USA is not literally the only one, but almost) - plenty of
places have something similar to that number, but USA is pretty much unique in
treating simply knowing it as some kind of identity proof. "Something you (and
a bunch of others) know" doesn't cut it.

~~~
zaarn
In Germany we too have a SSN. Only my employers know it, it can be changed.
I've never ever had anyone but the tax office or my employer ask for it.

~~~
wongarsu
The German SSN is also trivial to query (if you don't have it at hand your
employer can just phone the pension insurance) and is somewhat predictable.
It's also only used for tax/pension purposes; if you steal mine you can
basically only gift me money.

The closer equivalent in Germany is probably the Personalausweisnummer (ID
card number). Basically everyone has an ID card, and sometimes the number of
the ID card is used as age verification or is written down as part of identity
verification at a bank or similar. Assuming you verified that the ID card is
genuine it's a good unique identifier that survives name changes; however its
usefulness doesn't come from secrecy but the forgery-proof piece of plastic
it's printed on. Also you can change it at any time within a few weeks by just
getting a new ID card, and it naturally expires every ten years or so.

I think a fundamental problem in the US is the requirement to verify identity
via phone. In Germany that's just assumed to be impossible without a
prearranged passphrase; when opening a bank account you verify identity by
showing ID at the bank or a postal station or by waving your ID in front of a
webcam during a live call.

~~~
lonelappde
How do you securely obtain access to a remote system that wants your legal
identity? Or do German companies allow access to any bot willing to pay?

~~~
wongarsu
I can't think of a use case where this happens here?

\- If you want to pay bills you just do a bank transfer (they are free and
fast within the EU), transferring the money to a published bank account with
my invoice id or similar in the subject. If somebody else wants to pay my
invoice neither I nor the company will have any objections, so no need for
authentication.

\- If I want to check a bank account or a credit account or something similar
I have a password that was set up when the account was created

\- If I want to set up an account I can authenticate either via webcam
(showing off the security features of my ID card) or via PostIdent (where I
have to go to a post office)

\- When talking on the phone you have an authentication problem (unless a
"phone passphrase" is prearranged), but for anything with lasting consequences
you usually have to send them a written version per email or snail mail for
papertrail reasons anyways, or alternatively they send you a confirmation per
snail mail that you can object to in a reasonable time frame.

The new ID card has online features that in theory solve the problem
completely for online systems, but few places implement that so far.

------
momokoko
What does "identity theft" have to do with the person being impersonated? They
have nothing to do with these transactions. It is not my fault Wells Fargo was
tricked into giving someone a bank account under false pretenses. Why in the
world does that have anything to do with me? And why in the world is Wells
Fargo not liable for damages?

~~~
dangero
You're right of course, but I wonder if the status quo were to suddenly change
so that banks are liable, would credit suddenly restrict and cause a recession
or worse?

~~~
pwg
More likely, the banks would respond by being more vigilant at verifying the
identity documents as valid before accepting the crook's word for it.

So it might take a day to open an account (while the bank does the
verification they should have done anyway), instead of five minutes, but the
financial world would continue on as normal.

And, this would shift the work onto the entity best suited to performing the
work instead of forcing the work onto the victim.

------
dev_dull
Here’s[1] an early picture of a social security card where it says plainly
it’s not for identification purposes.

What’s the better solution — the government making it so you can change your
ssn? Or legislation that shifts the liability burden of identification
entirely onto the lender?

1\. [https://www.shutterstock.com/image-photo/old-blank-social-se...](https://www.shutterstock.com/image-photo/old-blank-social-security-card-isolated-514414771)

~~~
delinka
Well ... the card isn't ever presented as ID AFAIK. The number on the other
hand ... the number is presented all the effin' time.

~~~
ghaff
Yep. I haven't had a physical SSN card for decades. (Was in a wallet that got
stolen and I never replaced.)

The _only_ time it's come close to being an issue was recently when needing to
renew a driver's license with a REALID compliant one. One of the requirements
was proof of SSN which I only had through my previous year's W-2 form because
it actually isn't printed on many things these days.

------
chrbarrol
I don't know how common this is in other countries but in Norway we have a
common system called BankID which is pretty much the de-facto way to identify
yourself when applying for government services, bank loans or basically
anything else "important". It usually consists of a two-factor authenticator
issued by your bank, a password and your "birth number" (basically SSN); if you
have all three, as far as any bank or the government is concerned, you "are" the
person. However, since it is so robust I don't think it can be exploited unless
you royally fuck up. I wonder how the per capita identity theft cases in
Norway are compared to the US because of this system, I would think much
lower.

~~~
wesammikhail
It isn't BankID that's robust. In fact, as a federation service, it is
probably one of the worst maintained ones in human history.

The thing that makes identity theft harder in Scandinavia is the fact that
Person-nr (SSNs) are public information. I can look up anyone's SSN via a
quick search (using [https://upplysning.se](https://upplysning.se) for
instance). Yet I can do very little with that information (compared to the
US). That said however, it is possible to ruin someone's life here as well if
you really wanted to, it would just take a little bit more work.

------
plaidfuji
Maybe the most ridiculous aspect of US credit reporting: federal law only
mandates that you be able to obtain a free copy of your report once per year -
why is this not “whenever the hell you want”? It just generates a PDF from
their database!

~~~
harryh
FWIW you can get a free copy of your TransUnion and Equifax reports for free
from CreditKarma. It's great and will pull a new report once a week.

They don't work with Experian, but you can create an account with them
directly for free and get a copy updated monthly.

~~~
mindslight
First, CreditKarma makes their money by spreading the surveillance profiles on
you to other surveillance companies that wouldn't otherwise have that data.

Second, the main thing that requesting a copy of your surveillance dossiers
does is make you responsible for refuting any incorrect information in it, as
you have now been notified of it. This fuels the ongoing perverse incentive
wherein the surveillance companies are relying on you to do their diligence
for them.

If you want to push back against this offensive system, engage with these
parasitic pests as little as possible. Barring some sea-change like the US
adopting the GDPR wholesale, this is the only choice available to you.

~~~
harryh
First, that is not accurate. CreditKarma makes money by showing you ads for
credit cards.

Second, that is also not accurate. You are no more or less legally responsible
for the contents of your credit report based on whether you have recently
pulled a copy.

~~~
mindslight
Does CreditKarma actually run their ad targeting and delivery system entirely
in house? Even if so, that is still one more surveillance company that has
your dossier that otherwise wouldn't...

And you're really going to have to back up that second point, because a very
basic legal principle is having to respond to notices in a timely manner. If I
have a private file on my computer that says "harryh owes me $100" for years,
you can't possibly be responsible for that. If I send you a notice saying you
owe me $100 for some plausible reason, and you don't refute it within a few
months, you've now implicitly accepted that state of affairs and my case has
grown much stronger.

Knowing that the surveillance companies merely _could_ be conspiring to defame
me doesn't imply that I need to investigate their activities just in case. But
as soon as I have knowledge that they _actually are_, then I am forced to
either let that state of affairs stand or go after them for libel.

~~~
harryh
If you go to a bank to get a loan and they say "No, your credit sucks" telling
them "I've never seen my credit report before" isn't going to change anything.

~~~
mindslight
Of course, because being a passive consumer who only asks a counterparty for
your options never changes anything.

What you say is "I need a copy of the exact information you're basing this
decision on", and inform the bank and its sources what statements are actually
not true. If the bank defers to trusting the surveillance bureaus, and the
surveillance bureaus refuse to recant the false statements, then you have a
strong case for libel with actual damages _on top of_ the procedural recourse
in the industry-written laws.

~~~
patio11
I am not a lawyer, but I likely have had more at-bats with the credit
reporting agencies and financial institutions on this and related issues than
almost all lawyers and, I mean this literally, every other person on HN.

I think you will, if you consult an attorney, be advised that you are unlikely
to prevail in your cause of action under a libel theory. Your lawyer is likely
going to point to the pre-emption parts of FCRA, specifically 15 U.S.C. §
1681h(e) and 15 U.S.C. § 1681t(b).

The general tenor of this conversation is going to be "When Congress wanted to
regulate the credit reporting industries, they and interested parties made a
trade: a very consumer-friendly state machine and _freedom to operate the
state machine._ Part-and-parcel to this trade was radically reducing legal
risks to the financial industry and CRAs outside of the state machine. If
you're going to claim that Congress didn't want to pre-empt state laws, you're
going to be walking uphill against legislative history, the plain text of the
statute, and every canon of statutory construction."

Separate from the legal issue, I think HNers might be surprised to learn that
the state machine pretty routinely achieves the objectives. A determined,
literate, and well-organized person will routinely achieve the outcome they
desire from it, even with the other side of process being the largest lenders
in America. This is a _surprising_ result in consumer lending when reasoning
from first principles ("Shouldn't Bank of America's legal team always or
approximately always crush a Kansan grandmother?") but I believe, from a few
hundred at-bats, it to be true.

~~~
mindslight
I know of your personal experience, and thank you for your response. I
actually hadn't realized that the surveillance bureaus had regulatory-captured
general legal immunity so openly. So yes, I was overstating the legal
situation thinking they would be better on the hook for libel. Frankly this
overbearing immunity should be a talking point of every "identity theft"
article, but unfortunately those articles are written from a perspective that
is still wed to the primacy of this system.

> _I think HNers might be surprised to learn that the state machine pretty
> routinely achieves the objectives_

None of these stories really focus on irreversible damages (besides eg SIM
swapping stealing cryptocurrency), but rather the time taken dealing with that
"state machine". Diligently checking your own dossier is doing the
surveillance bureau's work for them - adding to this perverse incentive where
they don't bother doing the diligence of verifying loan applicants hoping that
consumers will be responsible for guarding use of public identifiers
associated with them.

A quick reading of the FCRA still doesn't show any statutory timeline within
which surveillance subjects ("consumers") are required to verify the dossiers
on themselves - compared to say regulation E which requires that you verify
your legitimate account ledgers at least every month and a half (please
correct me if I missed something). I'm not the type to be continually applying
for new credit cards for whatever incentive they're offering, so dealing with
any backscatter from identity fraud is purely a cost to me. The less I involve
myself with their system, the more I can handle its involuntary burden in
"batch mode".

------
gnicholas
> _In this country, people get a unique number when they’re born_

Fun fact, social security numbers are not unique. [1] Apparently 40 million of
them have been assigned to multiple names, and there's a 1 in 7 chance that
any given SSN is not unique.

[https://www.nbcnews.com/technolog/odds-someone-else-has-your...](https://www.nbcnews.com/technolog/odds-someone-else-has-your-ssn-one-7-6C10406347)

------
ggm
I skimmed so apologies if this doesn't resonate or was answered, but here in
OZ we have what is called "100 points" tests which demands more than one item
of ID, and not just knowing the value, but a 'what you hold is who you are'
receipt from a government agency.

The burden of proof for KYC is higher basically. Not that fraud and identity
fraud don't happen: we have some very famous cases of land titles being swung
on wafer-thin proof of identity, which lost people significant amounts of
money.

I just feel the US 'social security number' thing is a problem which is in
large part of US state/federal making: you drove too hard to a single
weakness. Much like your voting fraud risk, you took it too far.

------
Ididntdothis
To me the worst is that there seems no way to clean this up. Like the story
when he applies for a mortgage and they tell him not to bother. At least at
this point you would expect somebody to take a look and clean this up. But
instead the machine keeps going.

~~~
patio11
> when my wife and I went to apply for a mortgage, our agent at the bank told
> us not to even bother including my name and assets

I think there exists a difference in what the author is communicating happened
here and what actually happened here.

I'm presently in the process of applying for a mortgage. I'm married. My wife
will, pretty much inevitably, be told not to bother filling out her half of
the application. This is not because the loan officer, a commission-seeking
sales employee of the mortgage originator, believes she is unlikely to be
approved for a mortgage. This is because the loan officer is accurately
advising _the juice is not worth the squeeze._

The loan officer sitting down with my wife and I is going to say "Mrs.
McKenzie, your situation is complicated to explain. His really isn't. Do you
want to spend many hours documenting it in a fashion which will not change our
decision on how much house you can afford or what your mortgage rate will be?"

I understand that this is not the way that people are socialized to think
about credit, but understanding the business process here would cause one to
have a very different understanding of the amount of actual damage sustained
here.

------
Wowfunhappy
> Two-factor authentication for bank and credit card accounts would be a
> start. Banks should probably make it harder to get a new credit card than to
> log in to Gmail. Creating a web of multichannel identity verification using
> devices we carry around all day already—conveniently equipped with
> fingerprint scanners—would likely make some types of fraud more difficult.

Would it, though?

To protect against the type of problem in the article, the second factor would
need to come from some sort of official government database. Otherwise, I
could just walk into any bank where my victim didn't already have an account
and say "Hi, I'm so and so, and I'd like to open an account and sign up for a
credit card."

Also, it's not as though iPhones actually send a copy of _your fingerprint_ to
the bank. Actually doing so—and relying on it—would introduce a host of other
problems.

------
manjana
We have the CPR (Central Person Registry)-number in Denmark which is handed
over to various authorities and can also be misused for fraud, to which degree
I'm unsure, but I have heard of some nasty debt issues people struggled to
get out of. What's worse is that the generating algorithm is based off of your
date of birth and if you have the date of birth for the victim you can run the
algorithm rather easily and come up with 10-20 potential CPR-numbers (I can't
remember the exact num., but it's approximately in that range) whereas one is
the valid one for the person you wish to defraud.

EDIT: Unsure about possible CPR candidates when reversing CPR numbers. There
have been some updates to the way it's working post 2007.

~~~
draggnar
Wouldn’t you typically have to also use Nem-ID to log in to some new service?

Nem-ID is a central login system, where you get mailed a physical printout of
keys that act as two-factor authentication across financial and other services
(at least that’s how it was, I think some new system is underway).

I.e. the CPR number on its own is not valuable without the login info for
services that use Nem-ID.

The system seemed to work pretty well and I’m surprised to not see it more
widespread.

~~~
manjana
You can still create phone subscriptions and order medicine and from what I
can read quickly on the internet people have in recent years been defrauded with
smart-loans, leases and some similar stuff.

------
_bxg1
This is one of the rare highly-charged issues in our country that's also
bipartisan, and it's been rapidly gaining space in the public awareness in
recent years. I wouldn't be surprised if some legislation actually makes it to
the floor. In an era of broad dissatisfaction with the US government, this
seems like easy political points waiting to be scored.

------
harryh
patio11 has a great writeup on how to deal with these sorts of problems should
they ever happen to you. It is a _very good_ writeup.

[https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r...](https://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/)

Short summary:

\- do everything in writing instead of over the phone so there is a paper
trail

\- make sure you are writing to the right people on the other end

\- present professionalism

\- be calm and persistent. It can be a pain but you can definitely get this
stuff fixed.

------
_bxg1
> The good news? With so much stolen information in circulation, there’s
> almost certainly an oversupply of raw materials for fraud and an undersupply
> of willing criminals.

This is what I've always used as cold comfort. Given the degree of anarchy on
the side of the actual data, and given that society hasn't totally collapsed
yet, it must be that deterrence by companies and prosecutors is good enough on
its own to keep fraud from happening everywhere it could. Even though chances
are high that your information is out there, chances remain relatively low
that you'll actually be targeted. Of course you still want to keep yourself
out of that minority by freezing your credit, etc., but it's something.

~~~
mattnewton
Right, it's privatized profits from having a cheaper insecure system with
lower sign-up friction, and socialized losses because uninvolved third parties
and law enforcement have to pick up the pieces and find the guy to make an
example of.

------
todipa
I wish someone would compile a series of actions that I could take to prevent
this from happening.

~~~
18pfsmt
One way to minimize risk is to put a security freeze on one's credit report.

[https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)

~~~
todipa
Just tried to implement a freeze on Equifax. They couldn't verify my identity.
Now I have to send a letter. Found a sample -
[https://media.dojmt.gov/wp-content/uploads/Z-Sample-Security...](https://media.dojmt.gov/wp-content/uploads/Z-Sample-Security-Freeze-Request-Letter.pdf)

Still looking for other samples but what is incredible is that they want me to
send them a copy of my Social Security Card.

They have to find a better solution to verifying identities.

------
blhack
I know it’s sort of a dirty word, but this to me is one of the things that a
blockchain solves.

You cannot steal an address on the blockchain.

I mean my god, imagine if somebody rewrote bitcoin, except there were no
private keys, and the public keys were only 9 digits long.

~~~
mattnewton
I think, while there may be a technical solution, the bigger problems are with
the business and legal incentives around the credit industry today. Many of
the things that make our credit system a nightmare for security, also lower
friction for opening new accounts and engaging with the banking system. In my
view, the banks are effectively offloading the security costs to law
enforcement and unrelated third party individuals, in order to reap the
benefits of less friction with signup.

If you want a blockchain credit system, you need to solve that convenience
problem, as well as a bunch of other kinds of support problems (what happens
when you lose your key? Are you just screwed, and if not, what happens when
the recovery mechanism is compromised?), and the banks currently have no
incentive to do so (see chip and pin for a similar but smaller case study with
the credit industry). Barring large legislation that shifts liabilities onto
financial institutions from individuals and law enforcement, we won't see them
invest in solving this either.

~~~
ghaff
While there are better practices and worse practices, there's also just a
tradeoff between convenience and how thoroughly identity is vetted.

Imagine you forgot your 15 digit randomized password to Google and their
response was either a shrug or a requirement to come to an office in Mountain
View with multiple forms of government ID between the hours of 9-5 weekdays.
(And 2FA doesn't change the basic equation because smartphones, keys, and one-
time pads can all be lost.)

That's a somewhat nonsensical extreme example obviously but using physical
mail to addresses of record and things like that have often been used to
enhance security for certain types of reactions. You're a digital nomad, are
just traveling, just moved and didn't update records, or are actually
homeless? Too bad.

And this is in a country where pretty much any sort of Voter ID law is
controversial because they do disenfranchise many voters.

------
bookofjoe
[http://archive.is/K79zy](http://archive.is/K79zy)

------
m-p-3
Mirror (and paywall bypass)

[https://ipfs.io/ipfs/QmXf6RkeMR1xGZ2DqWJiCytrGzvkPAPgjHmRthC...](https://ipfs.io/ipfs/QmXf6RkeMR1xGZ2DqWJiCytrGzvkPAPgjHmRthC8VTjYjT/)

[https://cloudflare-ipfs.com/ipfs/QmXf6RkeMR1xGZ2DqWJiCytrGzv...](https://cloudflare-ipfs.com/ipfs/QmXf6RkeMR1xGZ2DqWJiCytrGzvkPAPgjHmRthC8VTjYjT/)

------
Alex_Romanov
Can you change your Social Security number in USA?

~~~
lisper
Yes, but it's not easy:

[https://faq.ssa.gov/en-US/Topic/article/KA-02220](https://faq.ssa.gov/en-US/Topic/article/KA-02220)

------
onetimemanytime
Why was he stopped at airports? Under investigation but not enough to arrest
or what?

~~~
excalibur
The fraudulent activity got his name put on a government watchlist, probably
while the perpetrator was still actively posing as him. Once you get on these
lists, it can be extremely difficult or impossible to get back off.

------
amingilani
Hi there, non-paywall link, anyone?

~~~
gumby
I deleted Bloomberg cookies and the paywall went away. I think you get three
articles.

~~~
giancarlostoro
Reminds me of the days I would peruse PSCode and delete cookies to reset their
join-wall.

------
jamesmadison66
credit freeze

