Hacker News new | past | comments | ask | show | jobs | submit login
Stop Calling it ‘Identity Theft’ (securitybytes.io)
361 points by herghost on Sept 27, 2017 | hide | past | web | favorite | 181 comments

Regardless of what you call it, the fact that someone using your information to take out loans and signing all sorts of contracts should never be your problem.

If a credit card company issues a card in your name to someone else, then clearly they didn't do their verification properly.

It should be possible to have all your personal information floating around and still be certain that no one can use that information for anything. I'm pretty sure it works for Sweden where their SSN aren't secret, nor are addresses or phone numbers.

Sure that may mean that you need to show up in the bank, or have a secure government authentication method, but that's not beyond implementation.

Exactly, some of this is semantics. To me, a skimmer duplicated card isn't identity theft. Taking my identifying information and opening new credit is.

Again, this whole industry needs to change. We could cut massive amounts of the estimated $200B loss in the US with just simple things like mandatory chip+pin, 2FA or CCV for online purchases, your credit is always frozen and only unfrozen for a 24 hour period at your specific request (requiring MFA). It is so silly when I have to type in my 5 digit zip at the gas pump (something someone could easily find online or by asking for ID) even though my card has a chip.

Low trust versus high trust society is the thing you need to understand here. You live in a high trust society which means that, in general, it is more efficient to optimise for conversion rate than to deny valid but incompetent or "unable to provide all the details" consumers.

While that might be true to a degree, chances are that what is really going on here is that it is more profitable to externalize the costs of insufficient authentication to unsuspecting people. While both result in higher profits, one does so by actually increasing the value that is being created while the other does so by making a third party pay, possibly even more than the increase in profit, so one of them is more efficient for society, while the other is just more efficient for the company but might still even be less efficient for society overall.

I understand, but in practice the fraud liability when it comes to identifying parties between two huge companies is very, very clearly laid out.

As in, weeks or months or years of discussion.

Not talking about credit cards thougn which are kind of a special case, where yes, totally merchant gets screwed.

> it is more efficient to optimise for conversion rate than to deny valid but incompetent or "unable to provide all the details" consumers.

And that's not a big problem even that it is not nice. The problem is when your company lends money to someone that says it's me. And it becomes my problem. Why?

The company wants a lot of conversions, so it has a low entrance cost. Then that company should pay for that problem, not unrelated third parties.

> Low trust versus high trust society is the thing you need to understand here.

For me, that's just one of the reasons.

Sweden, for example, is a high trust society. But companies are trying to play fair because they are going to be punished otherwise. Isn't that fair?

But, of course, in a society with a lot of corruption, and cheating, and low trust. Companies are going to defend themselves more. As they risk will get more fraudulent transactions that real ones.

It's not a question of trust it's a question of where the legal liability falls.

I understand what you are saying but that just means that the consumer pays for that in any case (in higher prices or interest rates or ...). Using your verbiage, I would like it to be even "higher" trust so that I don't have to pay for fraud that seems almost trivial to prevent.

It is not trivial to prevent at all. You need to spend money and fraud prevention effort at every trust point.

All of this costs literal salaries of people who say "no computer says no" at every point. Those people also suffer risk of physical assault.

In the electronic space you need to pay for "social media consultants" and look after twitter and facebook and such. You would be surprised how incredibly expensive the things you seem to take for granted are, to a large organisation which pays proper wages to people.

Practically speaking if your personal details have been disclosed by some douchebag fucking company it is very difficult to distinguish you as a caller from some random internet asshole impersonating you.

Not attacking you but you've lost me. How does switching to chip+pin at the gas pump instead of zip code cost "salaries of people" or "risk of physical assault"? There might be a cost to upgrade the panels to read the chip but they need upgraded anyway with electro-mechanical locks to prevent skimmers anyway. There are also savings in police, courts, incarceration, etc. This won't stop all obviously, but there is a subset of criminals who perform CC fraud because it is so easy and hard to get caught.

Chip and pin switch is the best case. Think about all your other accounts. Gas, power, water, fines, etc.

Also i don't know have ever been involved in an "it upgrade" project and what it means to have the gas pumps now do different things. I want life to not be like that, but I think you would find its a bit harder than you are imagining.

> Think about all your other accounts. Gas, power, water, fines, etc.

The way those work in the rest of the world is basically by giro. You control your bank account, and the only possible transaction is you sending out money to other bank accounts. If I provide you a service I need to get paid, I send you a bill, either in paper form (that you can read with your smartphone) or electronically. You look it over and make the decision to pay or not.

The system is not perfect and fraud still exists (mostly in the form of trying to pass a fake bill as a real one), but fraud is much less prevalent than in the US system.

If I provide you a service I need to get paid, I send you a bill, either in paper form (that you can read with your smartphone) or electronically. You look it over and make the decision to pay or not.

The problem is that that someone else can claim to be me at my address to you (the impersonator), you send the bill to me (the authentic). I look this bill over and decide not to pay because I didn't request these services. Now we have a dispute, all due a third-party who impersonated me.

Unfortunately, this is also exploitable by me to later claim I didn't purchase the service from you, which I might do to avoid paying.

There's currently no easy way for you, as the service provider, to authenticate the request without an out-of-band opt-in (mailing a contract to the same place you'd send the bill to confirm that the services would be paid for), which would delay the delivery of said services. By the time the third-party has received the services and you've sent the bill to the authentic party, the impersonating party is long gone, and the authentic party is left holding the bag as the less powerful party in the exchange/dispute.

The zip code at gas pumps is not just a poor security measure, it also blocks international travellers like me from obtaining any fuel sometimes!!!

No it doesn't. Usually gas pumps are set to accept 00000 for foreign cards and sometimes there's instructions for Canadians cards to substitute the letters for 0s. (ABC123=000123) Even if the pump blocks foreign cards altogether (and it usually won't), you can always use your card to pay inside.

I tried researching this last time it came up. Yeah, if you're from Canada you can run it through that formula (sucks if you didn't look that up before you left home). Nobody in the thread had luck with 00000 or something similar. I didn't really see clear instructions for other countries. It sucks if you need gas outside of business hours.

I had the reverse situation as an American traveling to Iceland when no chip+pin cards were available to me. I picked up the rental car with an almost empty tank. They point me around the corner--the gas station is automated. I start driving the 50km to reykjavik and cross my fingers.

Later in the trip I get into a similar situation of an automated gas station in a desolate area. I waited until a local came by, offered them cash to use their credit card. They seemed suspicious like it was some sort of scam (I dont blame them), but thankfully that worked out.

Yeah I had a similar problem in Canada. Got to the airport, tried to buy a bus ticket to get downtown from the automated kiosk. It asked for the pin on my credit card, which it doesn't have of course.

I was stuck. I eventually found a shop inside that would sell me a bus ticket if I bought something else.

I was travelling through the states a few weeks ago with a few friends. Neither zeros nor substitution ever worked for any of us.

Just make a note of the zip code of some random address in the neighbourhood. A hotel or even the airport will do. At least that has worked for me. The system doesn't seem to care that that zip code has nothing to do with my Norwegian issued American Express corporate credit card.

12345 is a valid zip code, it has a single address associated with it - General Electric in Schenectady, NY.

10101 and 01010 are also valid zip codes.

(00000 usually works too even though it's not a valid zip code)

I'm not positive, but I think zip verification fails open on foreign cards.

Here's an arbitrary one I know exists: 85310. Try it next time and see if it works.

I wouldn't be surprised if 90210 is outrageously over represented...

Or 02134.

I like to use '90210'

When I was a teenager in the 90s I worked at a chain store that had the policy of asking customers for their zip code at checkout to collect data on who was shopping. People sometimes would get really mad (and I mean really mad) that I was asking them, and since it was before the internet went mainstream people had not been conditioned to give out personal information yet/were unfamiliar with big data/weren't getting anything in return for their zip code. So in order to confuse the system (and avoid upsetting anyone - I am conflict avoidant) I would solely use 90210 as the zip code of all our shoppers, despite being on the other side of the country from Beverly Hills. I conspired to get my coworkers to do the same. A quarter of a century later I still feel minor gratification that I stuck it to the man.

When a store offers the option of entering a phone number instead of using a physical "loyalty card", I've found that XXX-867-5309 nearly always works, where XXX is your local area code (for me, it's 206).

I'm partial to giving my address as 1060 West Addison St., Chicago, IL 60613.

That Wrigley Field, for those not from Chicago.

Wrigley Field is the home of the Chicago Cubs, a Major League Baseball team, for those unfamiliar with American sports.

My wife and I went on vacation and didn't have the proper "club card" for the store. 867-5309 worked as a phone number, and was issued to a "Jenny".

I've had some success using the first 5 digits of a 6-digit Indian postal code.

A commenter below already mentions the difference between high-trust and low-trust society. I'm from a country which has a notoriously low-trust society. Opening a credit card or bank account is notoriously hard. It's so hard that a large portion of the society is left out of the system.

The problem with chip-pin, 2FA ...etc is that people would still be vulnerable to fraud. Except in those cases, banks can wash off their hands.

I lost my credit card recently and someone misused it. my bank reverted the transactions immediately. I know they got my back. It's the merchant or the merchant's bank that usually absorbs the cost. It's also a conscious decision the merchant makes to not check an id card for every single purchase. It's a risk they are willing to take and they probably take an insurance to cover for it. They are rewarded with reduced friction in transacting with them and hopefully better revenues as a result. I think it's a system that works good enough. Would I prefer something more secure like Apple Pay - 100%! But I'd take this over being checked for my ID card for any purchase over very trivial amounts.

Now, you may argue that it would never happen with chip-pin...etc. That's not true at all. There are people who can't remember the pin well and would choose to use cash or write the pin in a paper and keep it in their wallet. Exposing themselves to more risk and no protection from the card company either - "hey someone knew your pin so you are responsible for it".

I agree the system has to protect both sides and that may not always pan out completely. I'm genuinely curious what you think would work better. All systems have drawbacks. Some of them may be systemic but those are harder to abuse than a waiter writing down your CC # and selling that to people who encode them on magstripes.

I think with chip+pin it is at least a lot harder to be vulnerable. More and more credit card companies also have an app that you can easily report your card missing/stolen almost instantly. Also, if you have trouble with a 4 digit # of your choosing, then you should stick with cash which is still open to theft but not digital duplication.

If you are really interested, read this ArsTechnica article [1]. Interesting tidbit [2]. This makes it far superior to even chip+pin. You have to enable TouchId to use Apple Pay - there's the 2FA which doesn't requiring writing it down. It never sends the real cc number - no way for the waiter to even see it. It's a shame it's not catching up. Even in a tech-savvy city like SF it's adoption is abysmal.

[1] https://arstechnica.com/gadgets/2014/10/how-mobile-payments-...

[2] On top of that, Apple has introduced tokenization into its payment system. Like Google Wallet's Virtual Card, this obfuscates the user's actual credit card number, but it does so using a security standard developed by various standards groups and big-name card networks like Visa. It all happens without having to go through another bank as an intermediary supplier of a virtual card.

* To me, skimmer duplicated card isn't identity theft.*

No? I kind of think of identity theft as any fraud where someone pretends to be someone else to the detriment of the someone else, who needs to deal with the consecquences of whatever the someone did.

Some banks offer virtual credit card numbers for one time use. It works great online.

There are phone payment methods like Apple Pay and whatever Google uses that protect your identity. The burden should be on the providers of these services to secure themselves.

None of this works for you as a person if your easily look up-able information can be used to apply for credit.

In a high trust society you are extremely vulnerable to this stuff. Low trust societies do not have this problem in the same way.

The major problem really is that high trust society credit etc are optimising for sign up rate. Any kind of serious personal authentication mechanism will seriously impact conversion rate, which is the giant dashboard they have on the wall. There are whole teams of people whose job it is to make sign ups and conversions better. The fraud team is much smaller and as long as it doesn't impact the top line numbers too much they will be ignored.

ok... i think the point is that it should be mandated by law to have chip+pin(+maybe contactless)+CCV with credit cards, and also two factor authentication for most online transaction. Whether the current business model does not provide these assurances is inconsequential: it can be imposed as a customer protection law.

It is to be discussed whether the increase in the cost of the service would be worth it though.

They are good buffers. They are basically prepaid cards that can be refilled. Not sure about any assurances for fraud(probably none) but what is taken can be minimized.

it's not silly, it's infuriating. I can't pay at the pump with my card, because I don't have a US ZIP (I do have a perfectly secret PIN that I can use everywhere in Europe, but US doesn't seem to care about that)

US credit card companies do not do a lot of ID verification when opening accounts.

I applied for a new CC last year entirely on-line, and had the new card in my hands within a week. They never asked to verify my identity beyond my SSN / DOB / Address, which all seem likely to have been released in at least 3 breaches in the last few years. This is surprising to me, as I've been asked to show ID when opening a local bank account. To me this makes no sense: Why verify customers more stringently when they effectively loan you money than when you loan them money? I guess it may just have something to do with banking laws..

This is all just a long winded way to say that I think that credit card offers, by mail or web, are a problem. They cannot do any meaningful ID verification anymore, now that all info is essentially public. I think they need to partner with some agency that has a physical presence which can do verification of ID via government issued ID. Eg, a bank, merchant, etc, who can look at your driver license, passport, etc, and verify your identity. I suppose they are worried about adding too much friction.

Because bank accounts have different (and stricter) anti-money laundering and KYC laws.

Which, no offense to our government, is just stupid. I'm much more concerned about ID theft than I am about terrorism, which is the supposed motivation for the know your customer stuff.

I think those laws were originally designed for "normal" crime, as what-to-do-with-illict-money is a common problem for anything resembling organized crime.

Ing. Direct ask for copy of your documents to be sent by mail

which you obtain by posting craigslist "$30/hour work at home" ad

This is a wonderful idea but it is not cognisant of risk or user experience.

I am sort of surprised more HNers don't understand risk and the tradeoffs involved and seem to be taking an absolutist stance on this.

Equifax is an unforgivable failure of infosec but the general ideas around the risk of it seem like ...

Practically speaking, without significant landscape changes (and yeah equifax counts as one) it has generally been cheaper to trust people and write off the bad apples than to verify more. Or else there would be more verification!

Thats because most applications for homes, high value insurance or financial products are not actual fraud, they are usually consumers having trouble with you shitty process despite your best efforts to optimise for usability.

I don't know fully what the equifaxopocalypse means for americans though.

> it has generally been cheaper to trust people and write off the bad apples than to verify more

This is not the issue here. If a bank want to do this, go ahead, as long as they cover the losses. The problematic part is that if a bank gives a loan in my name to someone else, I get punished for it, not the bank.

Tell me which party to the transaction you are as you make this rational decision.

Or explain that you don't understand the industry or any of the regulatory frameworks involved.

Have you ever accepted a payment?

EDIT: not sure if I misread you, probably responding to a comment in flight. Your initial position seemed to be different to what I read now. I get that "identity fraud" as an industry position is a shitty attempt at moving risk but that was not the comment I was reponding to. Sorry if that sucks.

The party who gets a call from collectors or who is denied credit.

If I publish your nude pictures in a newspaper, you are similarly not a party to this transaction, but you are hurt by it. This is similar.

I apologise but I think you have a poor understanding of the way this stuff works.

Everyone absolutely wants to extend you credit.

No, you're missing the poster's point.

They're saying the problem is this:

You want to do business with company A. Company A asks company B for information about you. Company B lies to company A. Now company A won't do business with you, because company B lied about you.

Company B in this scenario is a company like Experian.

Cheaper for whom?

Cheaper for the banks, sure. It was cheaper for Ford to pay injury lawsuits than fix their exploding tires. But kind of trade off is illegal for one to make when another party is getting materially hurt — even if on average society is better off; after all, if we confiscated all of bill gates’ wealth, on average society is better off than if he gets to keep it.

I read many of your comments on this post and still do not seem to get your point.

You argue that there are reasons for the lack in verifications and then that this is desiderable from a societal point of view.

To the question "should a CC provider cover the expenses on CC give to fraudolent impersonators?" what do you answer?

>then clearly they didn't do their verification properly.

Indeed. And surely, when they then report you to a credit agency, then this is libel or slander. They have no reasonable basis to make the claim, and it results in severe hardship for you.

As OP says, the idea of "Identity" is a fiction designed to make it the responsibility of the citizen to deal with the "theft".

By definition, if it can be stolen, then it can't be considered an identity.

> that's not beyond implementation

It may be in the US. Because of Revelation 13:16-17: "16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads; 17 And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name."

That's why national ID is difficult to sell here. Sorry.

Yet bank accounts typically require at least a copy of state-issued ID to open, all without national ID!

Part of the resistance to national ID is also a question of federalism - we do not officially have a 'national government' - we have a 'federal government', even though in practice it is hardly federal anymore.

You don't need national ID if every state issues a real ID document. There's no European wide ID but national IDs of all EU countries are accepted everywhere by law and it works.

I don't think mrweasel's comment was proposing national ID as a solution to "identity theft". It was just positing that solutions must exist other than keeping identifying information secret.

You seem to be under the impression that the national ID in Sweden is in the form of some kind of tattoo?

> receive a mark in their right hand

I guess if you got your ID by picking it up with your right hand it still is the mark of the beast.

I thought barcodes are already the mark of the beast.


Then it was RFIDs, then Obamacare, then...

God's perfect wisdom just keeps getting lost in translation, what a shame!

US already has national IDs. They're called Social Security Numbers.

CGPGrey did an excellent video on this topic: https://www.youtube.com/watch?v=Erp8IAUouus

Well shit thats what peope don't get. You accept a shitty system that kinda works or a national system that works super well that looks like modern fascism with good biometrics.

Choose your poison. Carefully.

Since when is providing a way to identify people facism? This isn't the 18th century. Economics are global. You cannot just use the fact you've known the shopkeep your whole life as an authentication service.

Either we have a good functioning way to uniquely identify people or we don't. If you have the former, you could use it for evil, in much the same way as how with the later it is used for evil a lot with the various frauds talked about in the OP.

If the government wants to do evil it will do so with or without national ID, but the ability for fraudsters to do evil is dependent on there being no effective and secure universal identification.

I'm going to guarantee that the NSA tracking profiles on every US citizen don't need national ID cards to pick you out of a crowd. They could build a comprehensive identity database from CCTV and store cameras whenever you buy something to build a complete and hardened profile to identify you with. They have access to way more than enough material to start branding the "undesirables" and having them carted off to gas chambers within a week. We just suffer in the meantime under this false belief that ID cards are the make or break of liberty.

I upvoted you and I think you made your point well, I just feel the opposite way to you. Thanks btw :)

I would prefer shitty nonfunctioning systems which still allow me to use cash and buy a bowl of noodles to the alternative where I need to be more or less authorised to make that transaction. But thats just me.

> a secure government authentication method, but that's not beyond implementation

We have secure epost for communications between people and the state here in Norway already. The authorities keep pestering me to register to use it so that they no longer have to send me paper documents.

Is it actually secure or is that just the marketing ploy of the government?

I don't really know. I've never heard of any exploits but that could be because it might simply not be an attractive enough target.

Mitchell & Webb did a sketch on this over ten years ago: https://www.youtube.com/watch?v=CS9ptA3Ya9E It's worth a listen.

I was going to post this, just be warned anyone who was meant to be working, the Mitchell & Webb "related videos" on YouTube is an incredibly addictive spiral.

I keep thinking of this sketch every time I see this sentiment expressed recently.

Beat me to it.

Someone used my credit card number and went on a spending spree with it about six months ago, and I had to get my details changed and a new number issued. Since then I've been referring to it as having my identity stolen. Not too long ago I met a guy who worked for a credit union, and he ripped me a new one for it, saying "you didn't get your identity stolen, that's just credit card fraud!"

While I see his point, that there's much, much more serious forms of it out there, I still think it's pretty much the same thing, and that just because I could get it more or less taken care of with an hour at the bank and didn't have to go through years and years of pain to get things undone doesn't make it any less identity theft.

Which is kind of the opposite point of the linked rant, I know. He's saying we shouldn't let it be called that so corporations can pin the responsibility on you and wiggle out of any liability.

Your case is distinctly different from “identity theft.” They simply got an existing card number (by skimmg, by writing it down while holding your card, by dumping the database of some ecommerce website, etc.) They didn’t pretend to be you and ask a bank for a new line of credit. Your case is most assuredly credit card fraud and nowhere near identity theft.

It's both "credit card fraud", and "gross negligence" on the part of the banks for not implementing a long overdue secure payment system.

There's no incentive for banks or credit card companies to fix online CC fraud, because it costs them nothing.

They provide no reasonable fraud controls, because for card-not-present, the merchant pays for the fraud. The merchant even gives the bank a $20-40 "bonus" in the form of a charge back fee for every occurance.

Or maybe it isn't?

The bank obviously claims that you are on the hook for something you didn't do, based on a transaction that used insufficient authentication to determine that it was (supposedly) you. Whether it's a credit card number or an SSN that the bank is using as a password even though it is not a secret doesn't really make that much of a difference, does it?

Yeah, that's not what's commonly understood to be "identity theft". If someone steals your credit card then you call up your credit card company, say "that's not me" and they drop the charges from your account. Happens to essentially everyone who uses credit cards.

Identity theft is when someone else opens up an entirely new card in your name. Often, you won't even know this happened until you're rejected by a credit check or something, and you see this new delinquent account that you know nothing about.

It's distinctly different and worse from your scenario because it implies a loss of information like SSN which are much harder to deal with. Someone steals your CC#? Replace the card, done. Someone is able to sign up for credit as you? Now you're in a much worse situation, since it's a demonstration that your info is "out there" and people can use it. And stuff like address history, DOB, SSN, are much harder to change.

But per this article, neither is really "identity theft", and that's a pretty interesting way of looking at it, I'd never thought of.

6-7 years ago, someone stole my debit card number and bought a bunch of random items. I found out within a few days, was able to have my money returned to my account and a new card issued, then three months later it happened again. Again, I reported it to my credit union, had the money returned to me and the card replaced.

Thankfully, it hasn't happened since. I suspect that the card number was stolen at a particular gas station because this all happened as I was finishing my M.S. degree and once I graduated, I never used my card in that area again and I haven't seen any unauthorized transactions since.

someone committed credit card fraud by stealing your identifying information. maybe that's a more technically accurate description?

The industry term is application fraud - its a subtype of credit card fraud. It requires identity theft/identity fraud in the same way card not present fraud may require someone to break a database or spread a keylogger.

To use a credit card you need not just the name but also the credit card number and possibly the csv and your zip code.

Many hotel systems (at least Marriott/Hilton/IHG/Choice) have system’s that allow transactions with only the 15 or 16 digit card number and expiration. No need for name/billing address/zip/PIN or CVV code.

I assume it’s due to old systems and hotel chains not having enough incentive to modernize systems because the vast majority of hotels are franchised, so if there is a chargeback, it’s the franchisee that pays, while the hotel chain still gets their royalty %.

Edit: to avoid cancelation or no show fees, you can even make reservations with a fake card # (4111 1111 1111 1111) and unless the hotel has a deposit policy where they test the card to see if it has the funds it takes a payment to make sure the card has at least $x amount of money, then you can pretty much get away with not showing up at no expense.

The address part is AVS[0] - where the digits from the address are verified against the card.

Merchants can opt out of AVS in exchange for higher merchant fees.

They can get a merchant deal where they don't require the CVV - Amazon does this[1]

Hotels do this because of international travelers and because most credit card transactions end up becoming card present transactions since you show up to the hotel and tap/swipe your card

[0] https://en.wikipedia.org/wiki/Address_Verification_System

[1] https://security.stackexchange.com/questions/21168/how-does-...

> No need for name

Technically there is never a need for a name for a CNP transaction. Merchants have no way of verifying it.

There's address hash matching on our CNP transactions (in UK).

One could cross-check address with electoral roll/DVLA/(other commercial data sources) and verify a lot of transactions (name given was known at the address that matches the card data).

Literally no intelligent company would do that as it’s extremely unreliable.

As you mentioned though, we have AVS checks. I can’t understand why we don’t have the ability to also verify the card holder name and/or bank/issuer name via a merchant gateway for CNP transactions.

Technically no way of verifying your identity so "Good Enough" wins the day.

Yup. OP is concern trolling.

My data is me, I am my data.

Stealing my credentials and misusing them, as though you were me, is a form of impersonation.

If you are having to spend your time and resources to clean up a mess that was not of your making, not to mention prove yourself innocent of making it, then you are most certainly a victim in some sense.

You have a point about insurance, though I would argue that corporations should be required to carry identity theft insurance in proportion to the amount of personal data that they collect and store, for the benefit of the victims created as a result of the theft and misuse of said data.

But the point is that the bank is who makes you a victim by baselessly asserting that you are responsible for their blunders. You are not the victim of someone pretending to be you, the bank is. You are the victim of the bank making you spend resources on cleaning up their failure.

This only matters because a measure of blame is assigned to the victims. Even if we switch the words around and call it bank fraud, individual whose identity was copied will still be the one to endure the pain and effort of putting their affairs back in order.

Except it probably doesn't, framing matters.

People put up with it because they are led to believe that it's their problem, just like if someone broke into their home and stole their TV. People would be much less likely to accept the same reasoning from their bank if it were not stated as "Someone stole your identity, we are sorry you have to pay this", but instead as "A third party defrauded us, we are sorry you have to pay this".

Identity Theft sounds better than, "someone pretending to be me has lead corporations, agencies, and other bureaucrats who have control and influence on my life to mistakenly attribute another person's actions to me, costing me time, damage to my reputation and money." And then all those other things.

That, I think, is how this article is trying to re-frame the conversation. If we describe someone using my details to take out a loan in my name as "identity theft", then it sounds like the onus is on me to sort it out and (possibly) absorb some of the cost of doing so. If we describe it as "credit fraud", then that makes it clear that the problem lies with the loaning organisation, is independent of me, and I should suffer no consequences.

Either way, "identity theft" or "credit fraud", the onus is on someone other than the corporation that let it happen. It's the victim, or the criminal, but neither of them blame the corporation with the name alone.

So I don't see any point in trying to get millions of people to change what they call it, if that's the other option.

I think the point is to change the way people think about the situation. If you reframe the problem for enough people, it might become an issue politicians campaign with.

Exactly, but as I pointed out, they've failed to reframe it so that the company is at fault. It's still the same thing under those 2 names. They're putting all that work into a new name that doesn't do what they want.

It does, but that's because the companies who benefit from it being seen as your fault for being careless or unlucky rather than theirs for being lackadaisical in their verification process are the ones with the marketing departments.

That is exactly the point. All sorts of companies and government have shaved off every possible cost of operation, in this case verification of identity, and then try to pass on this operational debt on to you when someone games their system. I couldn't care less if the phone company never checked identities, but when I say "that wasn't me" whenever they serve me €2000 bills I think they should just wave the case and clear my name. That €2000 is still nothing compared to what they save on proper verification mechanisms.

Playing devils advocate, the issue is that if there’s zero responsibility on your end, then it’s also easy to claim it wasn’t you when it really was.

Responsibility on your end only makes sense if you actually have control over whatever you are supposed to be responsible for. So, responsibility to not share a secret password with a third party? Fine! Responsibility to pay a bank money because the bank believed some criminal when they said they were you? Not OK!

What matters is that the power to actually do something about a problem needs to be aligned with responsibility, so if the bank decides to use unreliable authentication, that's fine, but then they have to bear the responsibility and live with the fact that some people who actually were the real person later claim it wasn't them. If they don't want to bear that responsibility, it's up to them to use reliable authentication so they can actually prove it was you.

Define “reliable authentication” then. Most banks already require government ID (which is fakeable generally) due to KYC laws. What more is standardized so they could use it?

To open a bank account. Not to open a credit card account.

Applying for a credit card involves essentially no verification of identity other than asking for some information that is supposedly but not really secret.

> Not to open a credit card account.

And there is a large part of the problem. If equivalent to KYC laws applied to credit cards it would likely cut down on criminal's ability to get credit in someone else's name.

Technically, isn't the real problem is one of slander?

The credit reporting agency is slandering your name by stating that you committed a crime, be it theft, benefit fraud, or failed to pay your creditors or whatever, that you have not.

It is that slander against your good name or good credit that causes the individual all the problems.

> "someone pretending to be me has lead corporations, agencies, and other bureaucrats who have control and influence on my life to mistakenly attribute another person's actions to me, costing me time, damage to my reputation and money."

Oh, you mean fraud.

The Mitchell and Webb clip about this is great: https://www.youtube.com/watch?v=CS9ptA3Ya9E

What amazes me is - Why the social security number was ever used as an identity number in the first place. This number should simply be used to trace your account with the social security department when you retire. The practice by institutions to use the last four digits of your social security as some sort of de facto secret number is not only foolish but laughable that no one has a problem with it. I should be able to freely float my social security number and not expect to have my identity stolen.

CGP Gray did a really good video[1] about this recently. The short version is that it's the least terrible mechanism presently available for uniquely identifying and disambiguating American citizens.

[1] https://www.youtube.com/watch?v=Erp8IAUouus

I’m American.

I’ve come to understand that the organizations I used to favor, like Google, consider me to be a product and not a customer. Now, I’m realizing that my nation considers me to be a resource and not a person.

It's always been like that, what changed was the advertising.

Don't be depressed about it. Poke some fun at the owners.

Haha that’s fair.

You’re right - it’s tough not to get angry about it given that I can’t individually do much about it.

Laughter is the best medicine (or distraction).

We should just call it "libel".

The credit issuer fails to adequately verify the identity of someone applying for credit (the thief) and lets them take out a loan in your name. The thief defaults on the loan. The credit issuer commits libel by reporting that you were the thief to the credit reporting agencies.

There are two crimes contained in every case of "identity theft". Everyday consumers are affected by libel. Credit issuers are affected by fraud (enabled by their own negligence).

There is a question I've been pondering in the wake of all of these data breaches but I'm not a lawyer so my assessment doesn't necessarily reflect what the law says.

If person X opens a credit card in person Y's name and doesn't pay it back, the bank will tell all of the credit agencies that person Y doesn't pay their debts. When person Y eventually finds out about this would they be able to go after the bank for slander?

Libel, not slander. Slander is spoken, libel is written or otherwise published. I'm not a lawyer, but probably. Since you'd have to prove that the bank made false statements of fact to get the credit agency to remove the fraudulent debt from your record anyway you'd necessarily have gathered plenty of evidence to help your case.

While I get the author's point, the problem is that for a lot of us in the US (those primarily impacted by Equifax I believe, unless they do work overseas as well), if someone claims to be me and gets the IRS to send my income tax refund to them, they are not going to mea culpa and send me the refund too. I'm just hosed.

they are not going to mea culpa and send me the refund too

Isn't that exactly the author's point? In that scenario, the IRS has taken harmful action against you to make up a cost they incurred by falling for someone else's fraud, and they get away with it by calling you the fraudster's victim, not theirs.

while that's fair, they also state "The only way I get to be victim is if one of these organisations is duped and then they can’t or won’t address their mistakes or shortfalls and therefore they choose to pass the buck to me." And in this particular case, there is no recourse and you're certainly a victim. Last year there was something going on that they increased the fraud prevention-esque refunds with delays for a majority of people filing. Hopefully the IRS does similar this go around (and going forward).

"The term ‘Identity Theft’ implies, and its usage accepts, that the person whose identity is being stolen is the victim. They’re almost always not."

Flat out wrong. They nearly always are. They frequently have their credit impacted as a result of non-payments for credit, mortgages, etc. Also, I see "identity theft" as a subset of theft by conversion: https://definitions.uslegal.com/t/theft-by-conversion/ "Theft by conversion occurs when someone wrongfully uses property or funds of another for their own purposes." A person's name, SSN, address, financial history, credit rating, etc. are all their property. And it is being used without their consent and in blatant violation of other laws that already exist. They clearly are a victim (but not the only victim) of these illegal acts.

Also, let's not forget that it typically takes an enormous amount of time and effort to fully undo the damage. That time alone has a cost - and it has been forcefully taken from the person whose identity has been stolen by the perpetrator(s) of these crimes.

I think you're proving the authors point by misunderstanding it. Using the term 'Identity Theft' buys into the way that the corporations involved want us to think about the credit market. It allows them to take a crime against them and allow it to blow back against someone that was not a party to the fraud. But what the Equifax hack is now forcing people to confront is that no consumer is able to keep their information private. The system won't allow it. So forcing consumers to be in any way culpable for what is actually fraud against the corporation that is extending credit is wrong and we need to adjust our terminology to make this explicit.

All the pain that you're noting is imposed by the credit system, not the criminal who's "stealing" your identity. We're not victims of the criminal's crime, we're victims of the system's response to that crime. And that's an important distinction. The fact that we treat identity theft any different than if the bank (or other credit-extending institution) was defrauded/robbed through some other means (confidence scheme, armed robbery, etc) isn't correct and if we, as consumers, expect that situation to change, we need to reject biased terminology that frames the issue in the light that the corporations want it to be framed.

Your identity wasn't stolen, the bank was defrauded due to insufficient authentication procedures. When you say it that way, it becomes ridiculous that the consumer should have to endure the ordeal that they currently do.

The point here isn't that the targets of identity theft don't suffer, the point is that the institutions facilitating the fraud are the true perpetrators of the damage and that calling it "identity theft" makes it sound like the perpetrator is the person committing the fraud.

The goal is to make it clear that when a bank allows someone to falsely represent themselves as me, the bank suffers, not me. They're the ones who messed up.

I think you miss the point. Sure if I have my identity stolen bad things happen to me, but I am not the victim of the crime. The bank is. Someone has defrauded the bank and stolen money from them; the bank then turns around and says, no, the money was not stolen from the bank, it was stolen from you. In reality, if the bank gives someone else my money, this is fraud. This is theft. The bank is under contract to give my money to only me, and they have broken this contract. So either they have given the thief their own money (which means someone has committed fraud against the bank, with no relation to me at all) or they have given someone else my money (which means the bank has defrauded me and stolen from me). The only way I am a victim of 'identity theft' is if we allow the bank to decide the money they gave away to some random person actually belonged to me; they should not be able to do this. It is identical to the bank withdrawing money from my account and reporting it as corporate profit, fraud and theft. There are two possibilities: I am the victim and the bank is the perpetrator of fraud, or the bank is the victim and the thief is the perpetrator of fraud. 'Identity theft' as a phrase suggests a ridiculous notion, that the thief is the perpetrator and I am the victim, which suggests I am somehow related to someone who happened to rob my bank.

> Flat out wrong. They nearly always are. They frequently have their credit impacted as a result of non-payments for credit, mortgages, etc...

> ...let's not forget that it typically takes an enormous amount of time and effort to fully undo the damage

Yes, In-fact the only real damage to the so called "victim" is credit rating... ironic since the Equifax leak, really it just outlines that credit reports are not trustworthy due to:

    A) High error rate.

    B) Integrating shortcomings of corporations.

    C) A multiplier of above through data breaches.
None of which are the "victims" fault. Credit-reports are now rightfully meaningless and "Identity Theft" was never easier to argue as a misnomer to a subcategory of fraud... the business being defrauded, as the true victim, held accountable for losses from incompetence.

I can’t remember one place in Norway where this is still possible.

Every bank is using 2-auth for sign-in and signing papers. They don’t event accept your hand signature without the 2-auth in addition.

You can’t pay on webpages without 2-auth, so good luck using my card.

All the mail from the Government is digital, and of course with... 2-auth.

I even got a text when my child was born, saying we could now could fill in his name. And both parents had to sign the documents with... (you get it)

Quicker one: start calling it 'identity fraud'

Still missing the point in my opinion. Nothing is happening to my identity, it is their verification mechanisms which are failing.

Well, something did happen to your identity - someone else associated a bunch of fraudulent purchases with it.

Whether it's your fault or not, whether banks assume all fault or not, it is still ultimately your identity (your credit score, your bank accounts, your home) which ends up troubled.

Consider for a moment the tech alternative. If someone hacks their way into my Google mail account and uses it to send out a ton of spam, who is going to suffer the consequences for it? Google, for using insecure sms messages for 2fa and not requiring 2fa for all accounts, or me when my account is closed?

> Well, something did happen to your identity - someone else associated a bunch of fraudulent purchases with it.

Still, nothing happened to your identity. Your identity is who you are. You still are you.

> Whether it's your fault or not, whether banks assume all fault or not, it is still ultimately your identity (your credit score, your bank accounts, your home) which ends up troubled.

Apart from the fact that none of that is your identity, but rather your reputation, your contract, and your property: No, you actually have it all backwards.

There is no law of nature that implies that if a third party impersonates you to a bank, say, that therefore the bank has to start fraudulently telling people that you don't pay your loans, or harrass you to pay the loan they gave to that third party. Yes, that is a correct description of what banks actually do nowadaya, but the whole point of this discussion is that that should be illegal. The bank should be liable for reputational damage they cause by incorrectly attributing a third party's actions to you, and you'd be surprised how little your "identity" ends up troubled next time the bank is defrauded.

> Consider for a moment the tech alternative. If someone hacks their way into my Google mail account and uses it to send out a ton of spam, who is going to suffer the consequences for it? Google, for using insecure sms messages for 2fa and not requiring 2fa for all accounts, or me when my account is closed?

Are we talking about what google would do, or about what google should be held accountable for?

I cannot understand the lack of linguistic empathy in this kind of reply; many commenters are clearly using the term "identity theft" with a precise meaning, basically to descibe when somebody else is able to impersonate you. answering by a dictionary lookup of the words definition is entirely offtopic in my opinion.

And calling for a name to be changed is different from criticizing people who use it, some concept need to be expressed and sometimes the only way to meaningfully express them is with an improper term.

Well, except that this (sub-)thread was about how "identity" is a misleading word to use in this context, which is why I read falcolas' comment as a justification for why it is actually not misleading, which is why I focused on how that justification falls short.

If that comment was not meant as a justification, the only interpretation I can come up with is that it's a description of what empirically happens nowadays when something commonly called "identity theft" occurs, in which case I agree it could charitably be read as a reasonably accurate description ... however then it seems like a completely pointless comment, as that is essentially just the premise of the whole discussion, restated in a context where it has no specific relevance whatsoever.

Did I miss something?

Though I also think that criticizing people who use misleading language is legitimate as well, even if the meaning of what they are saying is perfectly clear, as long as you don't confuse the criticism of the form with criticism of the content.

this whole thread is about the cognitive implications caused by the linguistics behind the term 'identity theft.' The GP is really digging deep into the real essence of this issue. Changing what it is called shows that the onus of responsibility to remediate the issue should be entirely on the credit issuing corporations.

Someone getting a credit card from Wells Fargo under my name has nothing to do with me.

All it is is fraud. Someone defrauded a credit issuer. That they opened an account in my name has nothing to do with it - they could just as well had defrauded the bank by claiming to be John Doe. Will the bank blame me for them leaving the barn door open, and the milk out, too?

If they can.

See "Verified by Visa", where if used you (the CC holder) are liable for fraud that occurs within that transaction.

That is if someone uses a credit card account that you opened without your permission.

What the parent comment is describing is if they open a completely new credit card account under your name.

You are only liable in the first scenario if you used Verified by Visa and someone got your Verified by Visa credentials and used them.

In the second scenario you are not liable under any circumstances, because the fraudster created the Verified by Visa account, not you, so you never had the credentials for the account.

"ID-check failure" ?

I prefer just plain "fraud", though if you want to stick qualifiers on it, "authentication" or "validation" seem better fits.

How about just plain: fraud?

And to be clear it is the bank who is the victim of fraud, not the individual.

"The term ‘Identity Theft’ implies, and its usage accepts, that the person whose identity is being stolen is the victim. They’re almost always not."


If someone uses your information to take advantage of your good credit and get a car loan, then defaults on that loan, guess whose credit score just got hurt? Guess who's going to have a harder time getting a loan for one's own new car?

The whole article stems from the assumption that stealing someone's identity doesn't make that someone a victim. That assumption is blatantly false, and therefore so is pretty much the rest of the article.

Call it what you want, but fraud committed in your name still harms you, and thus still makes you a victim.

> Call it what you want, but fraud committed in your name still harms you, and thus still makes you a victim.

No, it doesn't. If someone comes to you and claims that they are John Smith, and you loan them a thousand bucks, only to discover later that the person who you gave the thousand bucks to actually wasn't John Smith, then you, and you alone, are the victim, and you are out of a thousand bucks. Nothing of this has anything to do with John Smith.

Only if you then harass John Smith to pay you a thousand bucks by making fraudulent claims that you loaned him a thousand bucks and tell everyone that John Smith is not credit worthy, then John Smith becomes a victim, specifically a victim of you.

"No, it doesn't."

Yes, it tangibly and demonstrably does. It means that the process of establishing/asserting your identity is much harder, since now there's someone else running around with the credentials normally used to assert said identity. You now need to spend time and money invalidating whatever credentials you can and hoping that the ones you can't invalidate aren't actually compromised.

If someone manages to get your Gmail password and use it to send spam, you're still a victim of cybercrime, even though you weren't necessarily a victim of the spamming.

Same thing here. Someone is using your credentials (like SSN and other identifiers) to defraud someone else. Even though you're not the direct victim of that fraud, you're still a victim of identity theft, since your credentials were compromised and used by someone else.

> Yes, it tangibly and demonstrably does. It means that the process of establishing/asserting your identity is much harder, since now there's someone else running around with the credentials normally used to assert said identity. You now need to spend time and money invalidating whatever credentials you can and hoping that the ones you can't invalidate aren't actually compromised.

None of that is a harm from the fraud, it's all harm from the bank's unjustified claims .

> If someone manages to get your Gmail password and use it to send spam, you're still a victim of cybercrime, even though you weren't necessarily a victim of the spamming.

If someone manages to get your gmail password from Google, then Google is the victim of cybercrime. If Google then reacts by closing your account, you are a victim of Google.

> Same thing here. Someone is using your credentials (like SSN and other identifiers) to defraud someone else. Even though you're not the direct victim of that fraud, you're still a victim of identity theft, since your credentials were compromised and used by someone else.

If you want to call the behavior of the bank (or whatever) in this situation "identity theft", well, sure. Though I would suggest that that is highly misleading. More appropriate terms would be slander or blackmail, maybe?

The fact that this is identity theft - and that the person whose credentials were used is indeed a victim - has absolutely zero to do with the bank's behavior. It has everything to do with the fact that credentials were stolen and used to impersonate someone else.


"then Google is the victim of cybercrime"

Google's credentials weren't stolen. The user's credentials were stolen. The user is therefore the victim of the theft of credentials - a.k.a. "cybercrime" or - in this case - identity theft.

Google is also arguably a victim of fraud (or some other related crime), sure, but that is entirely separate from the fact that credentials were stolen in the first place.

"behavior of the bank"

Again: the bank's actions are irrelevant to the fact that credentials were stolen in the first place. Sure, it's a pretty shitty credential system, but they are credentials nonetheless, and them being used to impersonate someone makes that someone a victim, plain and simple.

I'm really not sure how else to explain this. Seems pretty cut and dry to me.

There is one very important unstated assumption in all of this: Who defines what is considered credentials?

Let's forget about the Google example for a moment, as it's not really that great an analogy.

When someone steals your SSN, say, what they have stolen is just your SSN. There is nothing about an SSN that makes it inherently a credential, it's just a unique number signifying you. The only thing that then makes it a de-facto credential is the decision of a bank, say. The bank decides that they will take someone telling them your SSN as proof of your identity, and that is how it becomes a credential. If the bank does not decide to accept knowledge of your SSN as proof of your identity, then there is absolutely no problem with someone stealing your SSN, because then it's not a credential.

This unilateral decision on the part of the bank is what the "identity theft victim" is the victim of. The bank might just as well decide that knowing your first name proves your identity, thus supposedly making your name a credential.

"Who defines what is considered credentials?"

Whoever writes Wikipedia articles, for one: https://en.wikipedia.org/wiki/Credential

    Examples of credentials include [...] identification
    documents, [...] passwords, user names, [...] and so on.
A social security number would fall under either "username" or "password", depending on how it's used, and the SS card itself would fall under "identification documents".

"it's just a unique number signifying you."

A.k.a. a credential.

"The bank decides that they will take someone telling them your SSN as proof of your identity"

Yes, because this is already commonplace throughout the U.S., including by the U.S. government. We can debate the pros and cons of the current SSN-reliant system all we want, but that doesn't change the fact that an SSN is a credential establishing identity, and that therefore the acquisition of an SSN by an unauthorized party constitutes theft of that credential and - ergo - "identity theft". It also doesn't change the fact that the legitimate owner of that credential was a victim of that actual theft (in addition to whatever actions from the bank in response to other crimes enabled by that theft).

"thus supposedly making your name a credential."

Your name is a credential, per the above definition. It's a shitty credential, yes, and one which is easily forged (and by no means unique, unlike a SSN), but it's a credential nonetheless.

You're missing the point. Obviously yes your credit score gets hurt, and yes you sometimes have the hassle of recovering money, re-establishing your identity, etc.

The entire point of the article is that all these harms are not something the identity thief does to you. They are things that the identity thief does to SOME CORPORATION, and then that corporation passes part of the problem on to you. And the phrase "identity theft" is part of the way of thinking that allows the corporations to justify passing the harm on to you.

The short audio clip from Mitchell And Webb that people in here are passing around really explains it best. https://www.youtube.com/watch?v=CS9ptA3Ya9E

You're missing my point. Just because the person whose identity was stolen was not the direct/intended victim does not mean that said person is not a victim at all.

The bank is the victim of the crime. The person whose identity was stolen is a victim of the bank's negligence in properly identifying people.

Credit card fraud and identify theft are distinct threats with distinct solutions. On underground forums they're also distinct products obtained and sold in different ways (cvvs/dumps vs fullz).

It has taken a long time and a lot of media exposure to raise awareness of these two concepts to ordinary people. My parents now know what both identity theft and credit card fraud are - and they understand the basics of how to deal with each.

To start over again with any of these terms because of a nuance of definition and semantics would be extremely counterproductive.

Regarding the way social security numbers are used in the US. It’s the first thing you learn in security I’d say; don’t ever ever ever use identifiers as passwords.

If someone commits fraud in your name, and you suffer the consequences of their actions, then you're one of the victims of their fraud.

Noting that things bundled under "identity theft" are actually different crimes isn't a novel observation; the whole point of that label is to group the class of crimes where a criminal uses your personal information to perpetrate various kinds of fraud.

It is identity theft in that they are posing as you to so they can perform fraud. It's identity as a societal thing like id with you name but their picture. Being able to do this remotely like credit charges(can be in brick n mortars though) etc just means normally they just need enough info. Once again it is mor societal concept of how we identify people we don't know.

The point is they're not stealing my identity from me, but from a third party. Why should I be on the hook for the consequences of someone else's negligence?

Really, they aren't stealing an identity at all, they are simply stealing information about you. Saying that someone stole your identity because they know non-secret information about you is about as sensible as saying that someone stole your body when they stole a picture of you. If a bank accepts someone showing a picture of you as proof that they are you, they are simply being an idiot.

Identity and the means to establish identity are the same thing as far as anyone is concerned in the current US model though

What about the term "identity theft" suggests that you should be on the hook?

The idea that there is a victim, and that's you. You had a bad thing done to you and are now the worse. In fact nothing was done to you -- some big stupid corporation gave money to a criminal is what happened. The big stupid corporation would prefer that this be seen as : you owe them the money because they thought the criminal was you.

The term suggests that you are the victim of the impersonation, when in fact the lender is the sole victim that should get hurt by that crime.

For you, the buck should stop (as is the case in much of EU) with saying "prove it was me - or you're not allowed to libel me by putting a bad mark on my credit and falsely claiming that I owe you money". At that point you're not the victim, it's not your problem, and the defrauded institution can choose to either take the losses and continue business as-is or perform their verification duty properly next time.

I kindof think that's a pointless question!? Even if that is an unjustified interpretation of the term, it still is an empirical fact that most people understand it that way and that corporations use this empirical fact in order to frame their failure as somebody else's.

If you want the public to understand that being impersonated is the fault of the person/institution being duped, it's probably not helpful to use a term that the public understands to mean that the person being impersonated is at fault, whether that interpretation is justified or not.

It's no different to intellectual property theft. It doesn't matter where it is taken from, but who the property belonged to and who was being deprived.

I would call it "losing my sh!t" but I have already lost it even if I didnt really opt-in in the first place. And now I have lost it so much I have nothing left to lose...makes you wonder about a credit collapse huh. With everyone's personal information freely available I wonder if free credit monitoring would even matter.

It's short for "identity data theft". You can't actually steal an identity.

The cases given are already under regulatory protection and so have their own terminology. There are kinds of thefts which leave the bit trail pointing to someone, when they shouldn't be. If the bit trail is not crossing major regulatory boundaries, but is affecting things like what Google knows about someone's personal preference or what items Facebook decides to show in his/her feed, or some personally incriminating things is done to them in the digital world (ex the recent post about upwork), the fact that folks may trust the bit trail more than they trust the person can be damaging esply if in-person contact is not the norm. In all these cases it involves someone taking an identifying token and pretending to be you for a while. The taking is done without permission, so it amounts to stealing. So I don't see a particular harm in bucketing this category of activity as "identity theft".

It should be called "Reputation Theft". Because what the criminal is doing is harming _your_ reputation with companies that _you_ want to do business with in the future.

No, the criminal is not doing anything like that. It's the company that is harming your reputation with them by blaming somebody else's actions on you.

Identity theft means a specific thing. It doesn't mean someone is pretending to be physically you. what did I just read?

But if one fraudulent use involving your identity enables a different fraudulent use and then another so that is becomes multiple cases such that it impunes my character then i would call that identity theft.


Be civil. Don't say things you wouldn't say face-to-face. Don't be snarky.



Please stop violating the guidelines with uncivil or unsubstantive comments.


So, if everyone did switch to saying "the bank was defrauded by someone impersonating me", you think that would have no effect on how banks perform authentication vs. if everyone says "my identity was stolen"?

Or are you saying that you think changing the use of language in such a way does not ever work?

Or something else?

Identity theft is not a joke, Jim! Millions of families suffer every year!

Just like don't call people using computers for illegal activity a Hacker.

To bad that one was decided a long time ago.

Is HackerNews a place solely for news about people using computers for illegal activity?

Definition of Hacker: https://www.merriam-webster.com/dictionary/hacker

1 :one that hacks

2 :a person who is inexperienced or unskilled at a particular activity

    a tennis hacker
3 :an expert at programming and solving problems with a computer

4 :a person who illegally gains access to and sometimes tampers with information in a computer system

RMS on Hacking and Cracking

Yet when I say I am a hacker, people often think I am making a naughty admission, presenting myself specifically as a security breaker. How did this confusion develop?

Around 1980, when the news media took notice of hackers, they fixated on one narrow aspect of real hacking: the security breaking which some hackers occasionally did. They ignored all the rest of hacking, and took the term to mean breaking security, no more and no less. The media have since spread that definition, disregarding our attempts to correct them. As a result, most people have a mistaken idea of what we hackers actually do and what we think.

You can help correct the misunderstanding simply by making a distinction between security breaking and hacking—by using the term "cracking" for security breaking. The people who do it are "crackers" (*). Some of them may also be hackers, just as some of them may be chess players or golfers; most of them are not.


Well , if we're just going to go on rants about words, then I'm going to bring up that old pro-piracy thing.

It's not identity theft because the other guy hasn't taken it away from you. Either both of you have it or neither does, and the first is just copying and the second is vandalism.

Piracy, not privacy, correct? :-)

Haha oops.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact