If a credit card company issues a card in your name to someone else, then clearly they didn't do their verification properly.
It should be possible to have all your personal information floating around and still be certain that no one can use that information for anything. I'm pretty sure it works for Sweden where their SSN aren't secret, nor are addresses or phone numbers.
Sure that may mean that you need to show up in the bank, or have a secure government authentication method, but that's not beyond implementation.
Again, this whole industry needs to change. We could cut massive amounts of the estimated $200B loss in the US with just simple things like mandatory chip+pin, 2FA or CCV for online purchases, your credit is always frozen and only unfrozen for a 24 hour period at your specific request (requiring MFA). It is so silly when I have to type in my 5 digit zip at the gas pump (something someone could easily find online or by asking for ID) even though my card has a chip.
As in, weeks or months or years of discussion.
Not talking about credit cards thougn which are kind of a special case, where yes, totally merchant gets screwed.
And that's not a big problem even that it is not nice. The problem is when your company lends money to someone that says it's me. And it becomes my problem. Why?
The company wants a lot of conversions, so it has a low entrance cost. Then that company should pay for that problem, not unrelated third parties.
> Low trust versus high trust society is the thing you need to understand here.
For me, that's just one of the reasons.
Sweden, for example, is a high trust society. But companies are trying to play fair because they are going to be punished otherwise. Isn't that fair?
But, of course, in a society with a lot of corruption, and cheating, and low trust. Companies are going to defend themselves more. As they risk will get more fraudulent transactions that real ones.
All of this costs literal salaries of people who say "no computer says no" at every point. Those people also suffer risk of physical assault.
In the electronic space you need to pay for "social media consultants" and look after twitter and facebook and such. You would be surprised how incredibly expensive the things you seem to take for granted are, to a large organisation which pays proper wages to people.
Practically speaking if your personal details have been disclosed by some douchebag fucking company it is very difficult to distinguish you as a caller from some random internet asshole impersonating you.
Also i don't know have ever been involved in an "it upgrade" project and what it means to have the gas pumps now do different things. I want life to not be like that, but I think you would find its a bit harder than you are imagining.
The way those work in the rest of the world is basically by giro. You control your bank account, and the only possible transaction is you sending out money to other bank accounts. If I provide you a service I need to get paid, I send you a bill, either in paper form (that you can read with your smartphone) or electronically. You look it over and make the decision to pay or not.
The system is not perfect and fraud still exists (mostly in the form of trying to pass a fake bill as a real one), but fraud is much less prevalent than in the US system.
The problem is that that someone else can claim to be me at my address to you (the impersonator), you send the bill to me (the authentic). I look this bill over and decide not to pay because I didn't request these services. Now we have a dispute, all due a third-party who impersonated me.
Unfortunately, this is also exploitable by me to later claim I didn't purchase the service from you, which I might do to avoid paying.
There's currently no easy way for you, as the service provider, to authenticate the request without an out-of-band opt-in (mailing a contract to the same place you'd send the bill to confirm that the services would be paid for), which would delay the delivery of said services. By the time the third-party has received the services and you've sent the bill to the authentic party, the impersonating party is long gone, and the authentic party is left holding the bag as the less powerful party in the exchange/dispute.
I had the reverse situation as an American traveling to Iceland when no chip+pin cards were available to me. I picked up the rental car with an almost empty tank. They point me around the corner--the gas station is automated. I start driving the 50km to reykjavik and cross my fingers.
Later in the trip I get into a similar situation of an automated gas station in a desolate area. I waited until a local came by, offered them cash to use their credit card. They seemed suspicious like it was some sort of scam (I dont blame them), but thankfully that worked out.
I was stuck. I eventually found a shop inside that would sell me a bus ticket if I bought something else.
10101 and 01010 are also valid zip codes.
(00000 usually works too even though it's not a valid zip code)
Here's an arbitrary one I know exists: 85310. Try it next time and see if it works.
The problem with chip-pin, 2FA ...etc is that people would still be vulnerable to fraud. Except in those cases, banks can wash off their hands.
I lost my credit card recently and someone misused it. my bank reverted the transactions immediately. I know they got my back. It's the merchant or the merchant's bank that usually absorbs the cost. It's also a conscious decision the merchant makes to not check an id card for every single purchase. It's a risk they are willing to take and they probably take an insurance to cover for it. They are rewarded with reduced friction in transacting with them and hopefully better revenues as a result. I think it's a system that works good enough. Would I prefer something more secure like Apple Pay - 100%! But I'd take this over being checked for my ID card for any purchase over very trivial amounts.
Now, you may argue that it would never happen with chip-pin...etc. That's not true at all. There are people who can't remember the pin well and would choose to use cash or write the pin in a paper and keep it in their wallet. Exposing themselves to more risk and no protection from the card company either - "hey someone knew your pin so you are responsible for it".
I think with chip+pin it is at least a lot harder to be vulnerable. More and more credit card companies also have an app that you can easily report your card missing/stolen almost instantly. Also, if you have trouble with a 4 digit # of your choosing, then you should stick with cash which is still open to theft but not digital duplication.
 On top of that, Apple has introduced tokenization into its payment system. Like Google Wallet's Virtual Card, this obfuscates the user's actual credit card number, but it does so using a security standard developed by various standards groups and big-name card networks like Visa. It all happens without having to go through another bank as an intermediary supplier of a virtual card.
No? I kind of think of identity theft as any fraud where someone pretends to be someone else to the detriment of the someone else, who needs to deal with the consecquences of whatever the someone did.
There are phone payment methods like Apple Pay and whatever Google uses that protect your identity. The burden should be on the providers of these services to secure themselves.
In a high trust society you are extremely vulnerable to this stuff. Low trust societies do not have this problem in the same way.
The major problem really is that high trust society credit etc are optimising for sign up rate. Any kind of serious personal authentication mechanism will seriously impact conversion rate, which is the giant dashboard they have on the wall. There are whole teams of people whose job it is to make sign ups and conversions better. The fraud team is much smaller and as long as it doesn't impact the top line numbers too much they will be ignored.
It is to be discussed whether the increase in the cost of the service would be worth it though.
I applied for a new CC last year entirely on-line, and had the new card in my hands within a week. They never asked to verify my identity beyond my SSN / DOB / Address, which all seem likely to have been released in at least 3 breaches in the last few years. This is surprising to me, as I've been asked to show ID when opening a local bank account. To me this makes no sense: Why verify customers more stringently when they effectively loan you money than when you loan them money? I guess it may just have something to do with banking laws..
This is all just a long winded way to say that I think that credit card offers, by mail or web, are a problem. They cannot do any meaningful ID verification anymore, now that all info is essentially public. I think they need to partner with some agency that has a physical presence which can do verification of ID via government issued ID. Eg, a bank, merchant, etc, who can look at your driver license, passport, etc, and verify your identity. I suppose they are worried about adding too much friction.
I am sort of surprised more HNers don't understand risk and the tradeoffs involved and seem to be taking an absolutist stance on this.
Equifax is an unforgivable failure of infosec but the general ideas around the risk of it seem like ...
Practically speaking, without significant landscape changes (and yeah equifax counts as one) it has generally been cheaper to trust people and write off the bad apples than to verify more. Or else there would be more verification!
Thats because most applications for homes, high value insurance or financial products are not actual fraud, they are usually consumers having trouble with you shitty process despite your best efforts to optimise for usability.
I don't know fully what the equifaxopocalypse means for americans though.
This is not the issue here. If a bank want to do this, go ahead, as long as they cover the losses. The problematic part is that if a bank gives a loan in my name to someone else, I get punished for it, not the bank.
Or explain that you don't understand the industry or any of the regulatory frameworks involved.
Have you ever accepted a payment?
EDIT: not sure if I misread you, probably responding to a comment in flight. Your initial position seemed to be different to what I read now. I get that "identity fraud" as an industry position is a shitty attempt at moving risk but that was not the comment I was reponding to. Sorry if that sucks.
If I publish your nude pictures in a newspaper, you are similarly not a party to this transaction, but you are hurt by it. This is similar.
Everyone absolutely wants to extend you credit.
They're saying the problem is this:
You want to do business with company A. Company A asks company B for information about you. Company B lies to company A. Now company A won't do business with you, because company B lied about you.
Company B in this scenario is a company like Experian.
Cheaper for the banks, sure. It was cheaper for Ford to pay injury lawsuits than fix their exploding tires. But kind of trade off is illegal for one to make when another party is getting materially hurt — even if on average society is better off; after all, if we confiscated all of bill gates’ wealth, on average society is better off than if he gets to keep it.
You argue that there are reasons for the lack in verifications and then that this is desiderable from a societal point of view.
To the question "should a CC provider cover the expenses on CC give to fraudolent impersonators?" what do you answer?
Indeed. And surely, when they then report you to a credit agency, then this is libel or slander. They have no reasonable basis to make the claim, and it results in severe hardship for you.
As OP says, the idea of "Identity" is a fiction designed to make it the responsibility of the citizen to deal with the "theft".
By definition, if it can be stolen, then it can't be considered an identity.
It may be in the US. Because of Revelation 13:16-17: "16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads; 17 And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name."
That's why national ID is difficult to sell here. Sorry.
Part of the resistance to national ID is also a question of federalism - we do not officially have a 'national government' - we have a 'federal government', even though in practice it is hardly federal anymore.
I guess if you got your ID by picking it up with your right hand it still is the mark of the beast.
God's perfect wisdom just keeps getting lost in translation, what a shame!
Choose your poison. Carefully.
Either we have a good functioning way to uniquely identify people or we don't. If you have the former, you could use it for evil, in much the same way as how with the later it is used for evil a lot with the various frauds talked about in the OP.
If the government wants to do evil it will do so with or without national ID, but the ability for fraudsters to do evil is dependent on there being no effective and secure universal identification.
I'm going to guarantee that the NSA tracking profiles on every US citizen don't need national ID cards to pick you out of a crowd. They could build a comprehensive identity database from CCTV and store cameras whenever you buy something to build a complete and hardened profile to identify you with. They have access to way more than enough material to start branding the "undesirables" and having them carted off to gas chambers within a week. We just suffer in the meantime under this false belief that ID cards are the make or break of liberty.
I would prefer shitty nonfunctioning systems which still allow me to use cash and buy a bowl of noodles to the alternative where I need to be more or less authorised to make that transaction. But thats just
We have secure epost for communications between people and the state here in Norway already. The authorities keep pestering me to register to use it so that they no longer have to send me paper documents.
While I see his point, that there's much, much more serious forms of it out there, I still think it's pretty much the same thing, and that just because I could get it more or less taken care of with an hour at the bank and didn't have to go through years and years of pain to get things undone doesn't make it any less identity theft.
Which is kind of the opposite point of the linked rant, I know. He's saying we shouldn't let it be called that so corporations can pin the responsibility on you and wiggle out of any liability.
They provide no reasonable fraud controls, because for card-not-present, the merchant pays for the fraud. The merchant even gives the bank a $20-40 "bonus" in the form of a charge back fee for every occurance.
The bank obviously claims that you are on the hook for something you didn't do, based on a transaction that used insufficient authentication to determine that it was (supposedly) you. Whether it's a credit card number or an SSN that the bank is using as a password even though it is not a secret doesn't really make that much of a difference, does it?
Identity theft is when someone else opens up an entirely new card in your name. Often, you won't even know this happened until you're rejected by a credit check or something, and you see this new delinquent account that you know nothing about.
It's distinctly different and worse from your scenario because it implies a loss of information like SSN which are much harder to deal with. Someone steals your CC#? Replace the card, done. Someone is able to sign up for credit as you? Now you're in a much worse situation, since it's a demonstration that your info is "out there" and people can use it. And stuff like address history, DOB, SSN, are much harder to change.
But per this article, neither is really "identity theft", and that's a pretty interesting way of looking at it, I'd never thought of.
Thankfully, it hasn't happened since. I suspect that the card number was stolen at a particular gas station because this all happened as I was finishing my M.S. degree and once I graduated, I never used my card in that area again and I haven't seen any unauthorized transactions since.
I assume it’s due to old systems and hotel chains not having enough incentive to modernize systems because the vast majority of hotels are franchised, so if there is a chargeback, it’s the franchisee that pays, while the hotel chain still gets their royalty %.
Edit: to avoid cancelation or no show fees, you can even make reservations with a fake card # (4111 1111 1111 1111) and unless the hotel has a deposit policy where they test the card to see if it has the funds it takes a payment to make sure the card has at least $x amount of money, then you can pretty much get away with not showing up at no expense.
Merchants can opt out of AVS in exchange for higher merchant fees.
They can get a merchant deal where they don't require the CVV - Amazon does this
Hotels do this because of international travelers and because most credit card transactions end up becoming card present transactions since you show up to the hotel and tap/swipe your card
Technically there is never a need for a name for a CNP transaction. Merchants have no way of verifying it.
One could cross-check address with electoral roll/DVLA/(other commercial data sources) and verify a lot of transactions (name given was known at the address that matches the card data).
As you mentioned though, we have AVS checks. I can’t understand why we don’t have the ability to also verify the card holder name and/or bank/issuer name via a merchant gateway for CNP transactions.
My data is me, I am my data.
Stealing my credentials and misusing them, as though you were me, is a form of impersonation.
You have a point about insurance, though I would argue that corporations should be required to carry identity theft insurance in proportion to the amount of personal data that they collect and store, for the benefit of the victims created as a result of the theft and misuse of said data.
People put up with it because they are led to believe that it's their problem, just like if someone broke into their home and stole their TV. People would be much less likely to accept the same reasoning from their bank if it were not stated as "Someone stole your identity, we are sorry you have to pay this", but instead as "A third party defrauded us, we are sorry you have to pay this".
So I don't see any point in trying to get millions of people to change what they call it, if that's the other option.
What matters is that the power to actually do something about a problem needs to be aligned with responsibility, so if the bank decides to use unreliable authentication, that's fine, but then they have to bear the responsibility and live with the fact that some people who actually were the real person later claim it wasn't them. If they don't want to bear that responsibility, it's up to them to use reliable authentication so they can actually prove it was you.
Applying for a credit card involves essentially no verification of identity other than asking for some information that is supposedly but not really secret.
And there is a large part of the problem. If equivalent to KYC laws applied to credit cards it would likely cut down on criminal's ability to get credit in someone else's name.
The credit reporting agency is slandering your name by stating that you committed a crime, be it theft, benefit fraud, or failed to pay your creditors or whatever, that you have not.
It is that slander against your good name or good credit that causes the individual all the problems.
Oh, you mean fraud.
I’ve come to understand that the organizations I used to favor, like Google, consider me to be a product and not a customer. Now, I’m realizing that my nation considers me to be a resource and not a person.
Don't be depressed about it. Poke some fun at the owners.
You’re right - it’s tough not to get angry about it given that I can’t individually do much about it.
Laughter is the best medicine (or distraction).
The credit issuer fails to adequately verify the identity of someone applying for credit (the thief) and lets them take out a loan in your name. The thief defaults on the loan. The credit issuer commits libel by reporting that you were the thief to the credit reporting agencies.
There are two crimes contained in every case of "identity theft". Everyday consumers are affected by libel. Credit issuers are affected by fraud (enabled by their own negligence).
If person X opens a credit card in person Y's name and doesn't pay it back, the bank will tell all of the credit agencies that person Y doesn't pay their debts. When person Y eventually finds out about this would they be able to go after the bank for slander?
Isn't that exactly the author's point? In that scenario, the IRS has taken harmful action against you to make up a cost they incurred by falling for someone else's fraud, and they get away with it by calling you the fraudster's victim, not theirs.
Flat out wrong. They nearly always are. They frequently have their credit impacted as a result of non-payments for credit, mortgages, etc. Also, I see "identity theft" as a subset of theft by conversion:
"Theft by conversion occurs when someone wrongfully uses property or funds of another for their own purposes."
A person's name, SSN, address, financial history, credit rating, etc. are all their property. And it is being used without their consent and in blatant violation of other laws that already exist. They clearly are a victim (but not the only victim) of these illegal acts.
Also, let's not forget that it typically takes an enormous amount of time and effort to fully undo the damage. That time alone has a cost - and it has been forcefully taken from the person whose identity has been stolen by the perpetrator(s) of these crimes.
All the pain that you're noting is imposed by the credit system, not the criminal who's "stealing" your identity. We're not victims of the criminal's crime, we're victims of the system's response to that crime. And that's an important distinction. The fact that we treat identity theft any different than if the bank (or other credit-extending institution) was defrauded/robbed through some other means (confidence scheme, armed robbery, etc) isn't correct and if we, as consumers, expect that situation to change, we need to reject biased terminology that frames the issue in the light that the corporations want it to be framed.
Your identity wasn't stolen, the bank was defrauded due to insufficient authentication procedures. When you say it that way, it becomes ridiculous that the consumer should have to endure the ordeal that they currently do.
The goal is to make it clear that when a bank allows someone to falsely represent themselves as me, the bank suffers, not me. They're the ones who messed up.
> ...let's not forget that it typically takes an enormous amount of time and effort to fully undo the damage
Yes, In-fact the only real damage to the so called "victim" is credit rating... ironic since the Equifax leak, really it just outlines that credit reports are not trustworthy due to:
A) High error rate.
B) Integrating shortcomings of corporations.
C) A multiplier of above through data breaches.
Every bank is using 2-auth for sign-in and signing papers. They don’t event accept your hand signature without the 2-auth in addition.
You can’t pay on webpages without 2-auth, so good luck using my card.
All the mail from the Government is digital, and of course with... 2-auth.
I even got a text when my child was born, saying we could now could fill in his name. And both parents had to sign the documents with... (you get it)
Whether it's your fault or not, whether banks assume all fault or not, it is still ultimately your identity (your credit score, your bank accounts, your home) which ends up troubled.
Consider for a moment the tech alternative. If someone hacks their way into my Google mail account and uses it to send out a ton of spam, who is going to suffer the consequences for it? Google, for using insecure sms messages for 2fa and not requiring 2fa for all accounts, or me when my account is closed?
Still, nothing happened to your identity. Your identity is who you are. You still are you.
> Whether it's your fault or not, whether banks assume all fault or not, it is still ultimately your identity (your credit score, your bank accounts, your home) which ends up troubled.
Apart from the fact that none of that is your identity, but rather your reputation, your contract, and your property: No, you actually have it all backwards.
There is no law of nature that implies that if a third party impersonates you to a bank, say, that therefore the bank has to start fraudulently telling people that you don't pay your loans, or harrass you to pay the loan they gave to that third party. Yes, that is a correct description of what banks actually do nowadaya, but the whole point of this discussion is that that should be illegal. The bank should be liable for reputational damage they cause by incorrectly attributing a third party's actions to you, and you'd be surprised how little your "identity" ends up troubled next time the bank is defrauded.
> Consider for a moment the tech alternative. If someone hacks their way into my Google mail account and uses it to send out a ton of spam, who is going to suffer the consequences for it? Google, for using insecure sms messages for 2fa and not requiring 2fa for all accounts, or me when my account is closed?
Are we talking about what google would do, or about what google should be held accountable for?
And calling for a name to be changed is different from criticizing people who use it, some concept need to be expressed and sometimes the only way to meaningfully express them is with an improper term.
If that comment was not meant as a justification, the only interpretation I can come up with is that it's a description of what empirically happens nowadays when something commonly called "identity theft" occurs, in which case I agree it could charitably be read as a reasonably accurate description ... however then it seems like a completely pointless comment, as that is essentially just the premise of the whole discussion, restated in a context where it has no specific relevance whatsoever.
Did I miss something?
Though I also think that criticizing people who use misleading language is legitimate as well, even if the meaning of what they are saying is perfectly clear, as long as you don't confuse the criticism of the form with criticism of the content.
All it is is fraud. Someone defrauded a credit issuer. That they opened an account in my name has nothing to do with it - they could just as well had defrauded the bank by claiming to be John Doe. Will the bank blame me for them leaving the barn door open, and the milk out, too?
See "Verified by Visa", where if used you (the CC holder) are liable for fraud that occurs within that transaction.
What the parent comment is describing is if they open a completely new credit card account under your name.
You are only liable in the first scenario if you used Verified by Visa and someone got your Verified by Visa credentials and used them.
In the second scenario you are not liable under any circumstances, because the fraudster created the Verified by Visa account, not you, so you never had the credentials for the account.
And to be clear it is the bank who is the victim of fraud, not the individual.
If someone uses your information to take advantage of your good credit and get a car loan, then defaults on that loan, guess whose credit score just got hurt? Guess who's going to have a harder time getting a loan for one's own new car?
The whole article stems from the assumption that stealing someone's identity doesn't make that someone a victim. That assumption is blatantly false, and therefore so is pretty much the rest of the article.
Call it what you want, but fraud committed in your name still harms you, and thus still makes you a victim.
No, it doesn't. If someone comes to you and claims that they are John Smith, and you loan them a thousand bucks, only to discover later that the person who you gave the thousand bucks to actually wasn't John Smith, then you, and you alone, are the victim, and you are out of a thousand bucks. Nothing of this has anything to do with John Smith.
Only if you then harass John Smith to pay you a thousand bucks by making fraudulent claims that you loaned him a thousand bucks and tell everyone that John Smith is not credit worthy, then John Smith becomes a victim, specifically a victim of you.
Yes, it tangibly and demonstrably does. It means that the process of establishing/asserting your identity is much harder, since now there's someone else running around with the credentials normally used to assert said identity. You now need to spend time and money invalidating whatever credentials you can and hoping that the ones you can't invalidate aren't actually compromised.
If someone manages to get your Gmail password and use it to send spam, you're still a victim of cybercrime, even though you weren't necessarily a victim of the spamming.
Same thing here. Someone is using your credentials (like SSN and other identifiers) to defraud someone else. Even though you're not the direct victim of that fraud, you're still a victim of identity theft, since your credentials were compromised and used by someone else.
None of that is a harm from the fraud, it's all harm from the bank's unjustified claims .
> If someone manages to get your Gmail password and use it to send spam, you're still a victim of cybercrime, even though you weren't necessarily a victim of the spamming.
If someone manages to get your gmail password from Google, then Google is the victim of cybercrime. If Google then reacts by closing your account, you are a victim of Google.
> Same thing here. Someone is using your credentials (like SSN and other identifiers) to defraud someone else. Even though you're not the direct victim of that fraud, you're still a victim of identity theft, since your credentials were compromised and used by someone else.
If you want to call the behavior of the bank (or whatever) in this situation "identity theft", well, sure. Though I would suggest that that is highly misleading. More appropriate terms would be slander or blackmail, maybe?
"then Google is the victim of cybercrime"
Google's credentials weren't stolen. The user's credentials were stolen. The user is therefore the victim of the theft of credentials - a.k.a. "cybercrime" or - in this case - identity theft.
Google is also arguably a victim of fraud (or some other related crime), sure, but that is entirely separate from the fact that credentials were stolen in the first place.
"behavior of the bank"
Again: the bank's actions are irrelevant to the fact that credentials were stolen in the first place. Sure, it's a pretty shitty credential system, but they are credentials nonetheless, and them being used to impersonate someone makes that someone a victim, plain and simple.
I'm really not sure how else to explain this. Seems pretty cut and dry to me.
Let's forget about the Google example for a moment, as it's not really that great an analogy.
When someone steals your SSN, say, what they have stolen is just your SSN. There is nothing about an SSN that makes it inherently a credential, it's just a unique number signifying you. The only thing that then makes it a de-facto credential is the decision of a bank, say. The bank decides that they will take someone telling them your SSN as proof of your identity, and that is how it becomes a credential. If the bank does not decide to accept knowledge of your SSN as proof of your identity, then there is absolutely no problem with someone stealing your SSN, because then it's not a credential.
This unilateral decision on the part of the bank is what the "identity theft victim" is the victim of. The bank might just as well decide that knowing your first name proves your identity, thus supposedly making your name a credential.
Whoever writes Wikipedia articles, for one: https://en.wikipedia.org/wiki/Credential
Examples of credentials include [...] identification
documents, [...] passwords, user names, [...] and so on.
"it's just a unique number signifying you."
A.k.a. a credential.
"The bank decides that they will take someone telling them your SSN as proof of your identity"
Yes, because this is already commonplace throughout the U.S., including by the U.S. government. We can debate the pros and cons of the current SSN-reliant system all we want, but that doesn't change the fact that an SSN is a credential establishing identity, and that therefore the acquisition of an SSN by an unauthorized party constitutes theft of that credential and - ergo - "identity theft". It also doesn't change the fact that the legitimate owner of that credential was a victim of that actual theft (in addition to whatever actions from the bank in response to other crimes enabled by that theft).
"thus supposedly making your name a credential."
Your name is a credential, per the above definition. It's a shitty credential, yes, and one which is easily forged (and by no means unique, unlike a SSN), but it's a credential nonetheless.
The entire point of the article is that all these harms are not something the identity thief does to you. They are things that the identity thief does to SOME CORPORATION, and then that corporation passes part of the problem on to you. And the phrase "identity theft" is part of the way of thinking that allows the corporations to justify passing the harm on to you.
The short audio clip from Mitchell And Webb that people in here are passing around really explains it best. https://www.youtube.com/watch?v=CS9ptA3Ya9E
It has taken a long time and a lot of media exposure to raise awareness of these two concepts to ordinary people. My parents now know what both identity theft and credit card fraud are - and they understand the basics of how to deal with each.
To start over again with any of these terms because of a nuance of definition and semantics would be extremely counterproductive.
Noting that things bundled under "identity theft" are actually different crimes isn't a novel observation; the whole point of that label is to group the class of crimes where a criminal uses your personal information to perpetrate various kinds of fraud.
For you, the buck should stop (as is the case in much of EU) with saying "prove it was me - or you're not allowed to libel me by putting a bad mark on my credit and falsely claiming that I owe you money". At that point you're not the victim, it's not your problem, and the defrauded institution can choose to either take the losses and continue business as-is or perform their verification duty properly next time.
If you want the public to understand that being impersonated is the fault of the person/institution being duped, it's probably not helpful to use a term that the public understands to mean that the person being impersonated is at fault, whether that interpretation is justified or not.
Or are you saying that you think changing the use of language in such a way does not ever work?
Or something else?
To bad that one was decided a long time ago.
1 :one that hacks
2 :a person who is inexperienced or unskilled at a particular activity
a tennis hacker
4 :a person who illegally gains access to and sometimes tampers with information in a computer system
RMS on Hacking and Cracking
Yet when I say I am a hacker, people often think I am making a naughty admission, presenting myself specifically as a security breaker. How did this confusion develop?
Around 1980, when the news media took notice of hackers, they fixated on one narrow aspect of real hacking: the security breaking which some hackers occasionally did. They ignored all the rest of hacking, and took the term to mean breaking security, no more and no less. The media have since spread that definition, disregarding our attempts to correct them. As a result, most people have a mistaken idea of what we hackers actually do and what we think.
You can help correct the misunderstanding simply by making a distinction between security breaking and hacking—by using the term "cracking" for security breaking. The people who do it are "crackers" (*). Some of them may also be hackers, just as some of them may be chess players or golfers; most of them are not.
It's not identity theft because the other guy hasn't taken it away from you. Either both of you have it or neither does, and the first is just copying and the second is vandalism.