Is It ID Theft Or Was The Bank Robbed?
from the which-one-seems-more-accurate dept
Via Clay Shirky, comes a very good point from Kevin Marks concerning claims of "identity theft," where he notes that identity theft is not actually an identity being stolen but is usually a bank/credit card company being robbed and passing off the blame for their own poor security on the victim. He point to a brilliant comedy routine by Mitchell and Webb that makes this all pretty clear:"They took all the money? That sounds more like a bank robbery."The problem isn't "identity theft." It's bad security and verification processes by a financial institution.
"No, no. If only. 'Cause we could take the hit. No, no. It was actually your identity that was stolen, primarily. It's a massive pisser for you."
"But, it's actually money that's been taken..."
"Yes"
"From you?"
"Kind of."
"I don't know what you want from me other than my commiserations."
"You see it was your identity. They said they were you!"
"And you believed them?"
"Yes, they stole your identity."
"Well, I don't know. I seem to still have my identity, whereas you seem to have lost several thousands of pounds. In light of that, I'm not sure why you think it was my identity that was stolen instead of your money."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: identity theft, scams, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Undeniably if I were to go on the street and offer every single little detail of my identity, then I am at fault.
In this day and age it's just a bit too easy to gather enough life detail of another person to convince others that you are them.
However, higher level of verification really cause inconvenience to customers. One of the small local credit union I go to has high level of verification and it's the worst bank I have ever used.
For the web,
-customer selected image to help identify the correct website (prevents phishing)
-password for identifying your computer (needed when you use a computer for the first time)
-Then your regular username/password.
For phone calls
-secret passwords (and they only ask you, what's the first and fourth letter of your password)
-some verify question like the typical your mom's maiden name...etc
I only use this credit union for mortgage so I don't use all these password on a regular basis, at most twice a month. Long and behold one day I failed my online verification, got my account locked. Then I failed on phone verification. Then I forgot the bank card's PIN. Note they always tell you not write anything down. Finally I had to go to the bank and proof my identity to get my account reset. Only to have them reset my PIN only.
Now I just use the band machine to pay mortgage and check balance. Just too much a bother...
[ link to this | view in thread ]
Re:
Your mother's maiden name is a matter of public record. Not exactly the safest "secret" question.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
Oh what a tangled web we weave when first we practice to deceive
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
-customer selected image to help identify the correct website (prevents phishing)
-password for identifying your computer (needed when you use a computer for the first time)
-Then your regular username/password.
Every banking website I've used (not credit card sites though) has used this process. I don't know about you, but I take great comfort in the fact that my bank requires those measures... I mean, you can do pretty much ANYTHING to your account once logged in, so I don't really think it's and inconvenience.
My current bank site requires me to type in my account number and password. The account number isn't very long like some banks, so it's quite easy to remember. Then you answer two security questions (Name of your first pet, etc. Stuff you choose beforehand), then verify that your chosen security picture and quote is shown. If you use cookies you can allow your computer to be verified, and then you only have to answer one security question. It's not foolproof, but it's a great system overall.
[ link to this | view in thread ]
But what is worse than bad verification in creating accounts is hyper-security afterwards. Someone commandeered my friends identity (probably more accurate than "stole") and created a credit card account. When my friend found out, she called the bank and informed them of what had happened. The customer service agent AND her supervisor refused to talk to my friend about the account because she didn't know the security information (pin, answers, etc.). It took her three days to get the bank to acknowledge that she was who she said she was and that the account had been fraudulently opened.
[ link to this | view in thread ]
Re:
I would much rather have someone make fraudulent charges to my credit card; you dispute them and they go away. When someone actually opens accounts in your name you are in for a long hard road to clear that up.
[ link to this | view in thread ]
pop the cork..
Great skit..sometimes though I wish something could just be said and not have to involve humor so people won't get defensive. Banks are not my friend..just can't do it, acquaintances forever be.
[ link to this | view in thread ]
The simple answer is both.
The ID was "stolen" virtually, but it isn't any different from taking your wallet or purse, and having all your ID cards photocopied and read by computer, plus getting a handy list of your mother's maiden name and your pet's name too.
With that information, the person (vritually) visits the bank and makes withdrawls.
They key is this: without the personal information, nothing would happen. The bank isn't going to tolerate someone showing up doing a phonebook or dictionary attack on a password or security test. Without the information, nothing would happen.
It's the typical "I am never to blame" mentality that most people have. You got your information stolen / lifted / copied, that is where the crime(s) started. You are resonsible not to go to somedomain.com/trickystuf/yourbank.com/security-update and type your information in.
[ link to this | view in thread ]
I don't bank online... the risk is withthe wrong people.
IE only
4 digit (that's numbers only folks) password.
Anything _bad_ happens and _you_ assume all risk.
My response is to have nothing to do with online banking.
I didn't set up the rules.
I didn't code their web site.
I don't have any say in their verification process.
It's their site, if they want me to bank online (which is much more cost effective than having me deal with a live human teller) then they need to assume some of the risk.
With a credit card, your responsible for the first $50, they eat the rest if it's used fraudulently. Guess what, credit cards are much more secure as a result. You only use your card locally for purchases less than $100. A charge shows up for a $2,500 purchase in Mexico City, you get a call from your credit card company asking if this is a legit purchase. Why? Because if it isn't they eat it.
Security for most companies is an externality. It doesn't directly effect their bottom line, it effects yours. The problem of course is that only they are in a position to fix it. They won't as long as it's not their problem. Once we make it their problem, then they'll have an incentive clean up their acts.
[ link to this | view in thread ]
Re: Re:
I can't back this up but I heard down south there are a lot more ID theft and bank fraud than in Canada. Perhaps US citizens are more used to this many layers of verification?
I am not against higher level of verification/security, but I do think that banks need to suck up some of the loss just to service the customers better. Credit card fraud has always been rampant but it wasn't until lately that they start requiring a PIN. The companies has always absorb those losses.
And from those huge amount of profits (and increasing fee every year) for banks, I think they can handle some of these loss.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
that said, while the debit card has a 4 diget pin, the Internet banking [at least the bank i use] requires you to use a rather long password. which i could never remember. to the point where i got locked out of my own account at least once.
i just don't bother anymore. use the ATM for regular, normal withdrawals, and actually go into the bank for anything more complex. it's just... massively less hassle.
then again, the banks are all 9-5, Monday to Friday deals [some now open part of Saturday]. catering precisely to, as some wit put it: two types of people: the unemployed, and bank robbers. so maybe it's not that convenient if one actually has a job.
while there is some truth to the whole 'identity theft' angle, in that you very much should do your best to keep your passwords etc secure, and notify the bank if they get stolen or whatever, a password is a key. no more, no less. if you have a safety deposit box, and someone steals your key, copies it, returns the key in such a way that you do not know it was gone, and then one fine day waltzes down to the bank, opens said deposit box, and takes your stuff...
who's liable? you or the bank?
to me, it's the same idea, really. on the one hand, they really shouldn't be able to take your key in the first place. on the other hand, even With the key, they still shouldn't be able to get in if they're not you. the problem is, that internet banking is automated. that's pretty much the Point. it's the functional equivalent of said deposit box being in a vault... but the same key opens the vault as the box. [or in the cases where there's a separate password, the thief stole both keys]
on the Other hand, if someone sets up a false account in your name, and then proceeds to rip off the bank, that's Entirely on them, really.
oh, fun thing: NZ does not have social security numbers, or an equivalent. different entities are not Allowed to have systems that line up by design when assigning you identification numbers for record keeping[fluke chance is a different story]. not even different government departments, i believe. even the Video Rental places typically want photo ID before they'll issue you a card. most places require multiple forms of ID from other entities [passports and drivers licenses preferred] before they'll give you a new document that could be used as even basic ID. and on it goes. it's still not impossible to have one's identity stolen, but it is a lot more hassle.
also, the concept of stealing credit cards from mailboxes before they've been signed is averted, at least for debit cards, by the fact that you can only change the PIN in the bank itself, [or possibly through internet banking, i guess] and either the PIN and the card are both tied to the account, not directly to each other, or the pin is assigned to the card before the card is sent out. so anyone who steals and signs that card, needs to know the PIN too.
it's still possible to use a credit card based purely on your signature matching the one on the card in a lot of places, mind you... but only for credit. you can't actually take money that way. and, of course, when one gets the funky bill, one gets hold of the credit card company and says 'hey, i never bought that. what's going on?'. cue investigation.
umm... it's 7:30 am and i haven't slept yet. i hope that staye dmostly on topic...
[ link to this | view in thread ]
Re:
I never thought of it this way either but having been a victim of ID theft I can attest the attitude of banks and credit card companies regarding 'your' problem.
In my case someone used my ID to apply for credit cards then subsequently a large loan ($15k). Once I got copies of the applications so I could prove I didn't actually take out a loan here's what I found on the application:
1. My middle name was misspelled
2. My employment history was completely wrong. It listed current and former employers I never worked for
3. Telephone number was invalid
4. Street address physically did not exist
5. Personal references and contact information were fictitious
6. Drivers license presented as ID had a different DOB, no picture and was issued from a state that differed from the bogus address on the application
I pointed out to the 'fraud' investigator that even the most rudimentary attempt at verification of the information on the application should have raised red flags. He stated it wasn't their job to verify every bit of information on an application. He also stated that even though the application had fraudulent information that didn't prove that I wasn't the one who submitted the bogus application. The conversation degenerated from there.
In the end I was able to clear up my credit but it was an eye opener to realize that companies handing out money regard you as the primary victim of a crime and that you are guilty until you prove yourself innocent.
[ link to this | view in thread ]
online banking security
My danish bank (actually both the 2 I use nowadays) use a code card with random one-time codes required for each single monetary transaction made in the web-bank. Whenever I've used the 80 codes on my card, I get a new card in the snailmail. Before entering the webbank, I use my SSN and a bank-generated password (10 letters, digits and chars), and one of the codes from the card.
On top of that, the webbank interface works like a charm in FF, Opera, Safari as well as IE8, so I don't need to be a moron and keep on using IE6 on winME or whatever a moron would do...
The hassle of using these codes is really not an issue - especially when taking the benefits into consideration.
Most banks here in Denmark use sort of a dongle file, which you need to store on your computer, which is then queried when making transactions. This solution makes it a bigger hassle to use your work computer to access the web bank, and I believe those solutions also have bigger problems with browser compatibility. But still, it gives a higher level of security.
[ link to this | view in thread ]
Identity theft
So it seems for a few dollars your money would be safe-and if you opt out-do they purposefully let your information out-would like to know statistically how many uninsured versus insured people get ripped off.
[ link to this | view in thread ]
Re:
Lots of people get "socially engineered" to give up their IDs and passwords.
Lots of people lose their wallets and bank cards.
Criminals then use this to defraud the bank. Not sure I see how this kind of situation is the bank's fault.
If I leave my car keys on a bar, someone picks them up and steals my Ford, is it Ford's fault?
[ link to this | view in thread ]
Re:
You (and in the case of this skit, the bank) are automatically assuming that the individual was the one who went to the fake site and entered his/her information in. While that is valid in some instances, it certainly doesn't address all of the ways in which "identity theft" happens.
How often do we see data breaches involving thousands of people's information stolen through no fault of their own? Maybe the bank's systems were hacked. Maybe it was a retailer (TJ Max, amongst others). Maybe it was a credit processor that no one outside a specialized field has heard of, despite the fact they handle transactions for millions of people every day (Heartland). Any of those situations could allow an attacker to get enough information to open an account in the name of a random person who never had visited a bogus site or entered information on a malware infected machine.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Security Questions
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
Never mind that a large percentage of these occurrances are outside the control of the victim.
[ link to this | view in thread ]
Re: Re: Re:
Yes, the bank should be responsible for running a secure, safe system, where a user has a reasonable expectation of security from the bank.
But the user is not just a spectator in this game. We are active players with a role to fill - not to get duped into giving up our credentials. It's not the banks job to protect us from ourselves. At what point do we take responsibility for our own mistakes?
[ link to this | view in thread ]
Banking security
I guess I'm one of those who got suckered by that very phrase 'ID theft' - you're right, I still have my identity, it's just that someone else has been masquerading as myself.
HSBC, amongst others, employs true security by using multi-factor authentication. You get a 'football' similar to the one PayPal and Verisign use, where you input one-use numeric codes to gain access to the account, and to do 'risky' transactions. A local bank of mine sends that code via SMS to my mobile phone, which is another form of multi-factor authentication (assuming my SIM didn't get cloned).
Any bank trying to do anything else is not employing true security, and should be castigated from the highest places.
[ link to this | view in thread ]
But the user is not just a spectator in this game. We are active players with a role to fill - not to get duped into giving up our credentials. It's not the banks job to protect us from ourselves. At what point do we take responsibility for our own mistakes?"
I have found that you are much more likely to hear an individual say 'it was my fault' than you are to the representative of a bank say 'it was our fault'.
When someone (the police never did figure out who) printed up a bunch of checks that had our account number and someone else's name on them, no one at the bank noticed. There were dozens of checks, all cashed within a couple of days, all with our account number and the fake person's name.
Somehow, it just doesn't seem like that much of a hassle to verify that the name on a check matches the one on the account before cashing it.
When we finally noticed what was going on, the bank had no process in place to help us out. No one could answer our questions. We finally went to the corporate office and talked to the only helpful woman we met in the whole experience, and got the whole thing cleared up.
This was over a month later.
The funny part was that and one of her co workers had told her 'you know, you don't have to help these people' before she came to help us.
[ link to this | view in thread ]
Keep your information safely!
[ link to this | view in thread ]
Re: Re: Re: Re:
I'm not saying that users aren't responsible, they are. And there are a lot of stupid people out there. And they pay for it through the hell you have to go through to sort everything out (sometimes takes years). I think that's punishment enough for someone to learn from their mistake.
The problem is that many banks don't take their own security seriously (at least when it comes to customer security). If the bank does EVERYTHING reasonably possible to ensure customer security, goes to every length possible to resolve reports of fraud, then at that point if a breach occurs I will say the bank is clear. However, most banks don't even come close to this. And as the backbone of the country's financial well being (maybe lol), they have a responsibility to be that secure.
[ link to this | view in thread ]