Identity theft and the threat it poses to Americans have long been one of our recurring concerns here at The Nestmann Group. The first time I mentioned identity theft in my writings was in 1999. Two years later, in the sixth edition of my book, How to Achieve Personal and Financial Privacy in a Public Age, I wrote:
Identity theft is the fastest growing crime in America and according to credit bureau data, by 1998, nearly half a million people were victims of it every year. Someone – often a person never met – secretly assumes your identity by convincing a bank or credit card company that they are “you,” then proceeds to enrich themselves at your expense. And the better your credit, the easier it is for you to become a victim.
The problem is so serious that The Washington Post and USA Today both ran front-page stories on identity theft. Trans Union, one of the three largest US credit bureaus, reports receiving more than 1,900 phone calls daily from individuals complaining that someone has stolen their identity.
Twenty years later, not much has changed, except that the problem has become much worse. Virtually every adult American (and perhaps 25% of children) has had some aspect of their identity stolen, thanks to pervasive data thefts like these:
Yahoo (More than three billion user accounts exposed in 2013.)
First American Financial Corp. (885 million user records, including bank account records, Social Security numbers, wire transactions, and other mortgage paperwork stolen in 2019.)
Verifications.io (763 million unique email addresses exposed in 2019. Many records also included names, phone numbers, IP addresses, dates of birth, and genders.)
Facebook (540 million user records exposed in 2019, including comments, likes, reactions, account names, and Facebook IDs.)
Marriott (500 million guest records exposed in 2018, including names, contact information, passport numbers, travel information, and other personal information. Credit and debit card numbers and expiration dates of more than 100 million customers were also stolen.)
Equifax (148 million credit files stolen in 2017, including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. The attack occurred because Equifax failed to patch a software vulnerability it had known about months before the breach occurred.)
Despite this sordid record, hackers can easily circumvent the best way to prevent identity theft – placing a security freeze on your credit file. In 2017, cyber-security researcher Brian Krebs demonstrated that it’s almost child’s play for a hacker to undo your credit freeze authorization at Experian, one of the “Big Three” consumer credit bureaus. And despite the existence of this vulnerability being known for at least four years, Experian hasn’t bothered to fix it.
If you have a credit freeze in effect at Experian, to unfreeze your account, you must first enter your name, Social Security number, and date of birth. This information is readily available to hackers on the “dark web.” Next, you need to answer five multiple-choice questions. Just one of those questions requests an answer that is relevant to your credit history and that presumably only the credit bureau would know.
If you answer that question – the answer to which could already be in a hacker’s hands – Experian will send the PIN to unlock your credit file to any email address in the world. And, importantly, not necessarily the email address you have on file. Nor will Experian bother to send notification to the email address you’ve previously provided. It’s also not possible to set up two-factor authentication (2FA) to beef up security through their system.
However, Experian does offer a “solution”: its CreditLock service. If you’re willing to pay up to $25 per month, Experian will send you alerts when someone tries to access your credit file. You’ll also be able to enable 2FA.
Experian and other companies handling sensitive data can force you to pay a premium to secure it because you don’t own the information they compile on you. That allows them to transfer the risk of cyberattack from themselves to you without you being able to do much about it. In a nutshell, that’s why credit bureaus, banks, e-mail services, and other companies holding confidential information have such a miserable record protecting it.
Congress worsened the problem in 2017, when it effectively banned class-action lawsuits against many financial institutions, including banks and credit bureaus. Consumers can still sue these institutions individually, but because they’re not the ones who stole your data, it’s hard to make a case against them.
The systems in place to safeguard our data have failed in every conceivable way to deliver the most basic requirements for integrity. Certainly, a short-term solution to defend yourself from identity theft is to put a security freeze on your credit files, even if the systems credit bureaus use to administer them are deeply flawed.
Follow these links to get started:
However, as we’ve stated many times over the years, the only permanent solution is to recognize that everyone should have an ownership right to their own data. Ownership gives you the right, but not the obligation, to share it with others. If you chose to share it, you’d be paid a tiny royalty every time someone accessed it or exchanged it. And those you shared it with would have a legal obligation to protect it. If they failed to do so, you could hold them accountable.
This proposal wouldn’t shut down credit bureaus or data aggregators. They’d just need to start paying you a small royalty every time they use your data and, of course, start protecting it better. Since most people don’t mind releasing data about themselves in exchange for tangible benefits, this type of market is already flourishing.
We need more control over the electronic versions of our lives. Giving individuals ownership rights to their own personal information establishes a framework from which to take back control.