There Are No Perfect Solutions for Identity Theft; But Experts and a Victim Have Ideas

(Los Angeles Times/TNS) – Identity theft happened to me. It could happen to you. Our systems enable bad actors to commit identity fraud and generally get away with it. But it doesn’t have to be this way.
In my experience as a victim of identity theft, and as a reporter interviewing experts about the problem, I’ve encountered a few ideas for how to fix things. Some are small, detail-oriented changes that would make life easier for victims and harder for thieves. Some are medium-sized: policies or programs that would make it harder to commit this crime. And some are big-picture things that would provide broader protections for our increasingly online lives. I’ve organized them here roughly in order from “doable” to “daunting.”

No, there isn’t a perfect solution to this problem. But I am not someone to throw my hands up and say, “Well, it would be hard, so we shouldn’t try.”
As always, there’s an individual responsibility component to prevention. Here’s what to do to prevent identity theft and what to do if you think you might be a victim.
But I did everything right, short of gluing my wallet to my hand, and it happened to me anyway. Personal responsibility has its limits. Becoming a victim of a crime shouldn’t force you into an unpaid part-time job cleaning up after the perpetrators, like it did me.

Here’s what we could do.

• Make it so hard inquiries don’t impact frozen credit reports. I froze my credit reports with all three major bureaus (Equifax, Experian and TransUnion). But when thieves tried to use my identity to get loans, score-dinging hard inquiries still landed on my account. What is the point of freezing your file if it can still get ice-picked by a car dealership or a department store credit card?

• Add more information about fraud to mail from financial institutions and from data breaches. I received a number of pieces of mail in 2019 that thanked me for applying for various credit cards and loans, but they also said my request could not be approved because my credit was frozen and included information on how to unfreeze it. These types of letters could also include information about what to do if you weren’t the one who made the request.

Notifications about data breaches are even murkier: Most are “not worth the paper they’re written on,” said Eva Velasquez, the CEO of the Identity Theft Resource Center. If your information has been found in a hack, you should get information that spells that out and tells you what to do next to protect yourself.

• Create a system to flag stolen driver’s licenses to banks and police. The California DMV needs a system to flag stolen driver’s licenses to banks and law enforcement. This already exists in some states, but not here.

The people who stole my wallet went on to open two checking accounts and a new cell phone account (with a new phone, of course), rent a car, rent a hotel room, and get into an accident with a different car where they presented my driver’s license and claimed to be me. I had reported my license stolen to both the police and the California DMV before all of that happened.

• Include financial crimes and cybercrimes in national tracking statistics. Much of our collective perception of crime in America comes from the FBI’s Uniform Crime Reports, or UCR.

“The UCR is the metric that the media and government use to actually measure the state of crime in the United States,” Velasquez said. But right now, “we are getting a very incomplete and borderline false narrative” from it, because it does not track financial crimes or cybercrimes.

Shima Baughman, a criminal law professor at the University of Utah College of Law, said the lack of tracking from the FBI disincentivizes local police departments from investigating and solving these types of crimes. She compared it to taking a test you knew you wouldn’t be graded on. And without a single, firm metric, it’s harder for the public to be aware of the extent of this type of crime, and less likely that people will demand change.

Many experts think the entire system is due for a serious overhaul, but updating it to track financial crimes would be a start.

• Enforce the FTC Act and punish companies that have lax security practices. Companies have legal obligations under the Federal Trade Commission Act to protect your data.

Mohammad Tajsar, a senior staff attorney for the ACLU Southern California, said federal investigators “have the mechanisms to be able to go after these companies, as they should. The problem is they’re just not well-funded, they’re not well-resourced.”

• Create a system that alerts you when your identity is used. If someone uses your Social Security number to open a new checking account, you might not hear about it until that person has already gone on a bad-check-writing spree. Velasquez said we need a system where you’re alerted any time someone uses your identity signifiers, like your Social Security number, to create a new bank account or open a line of credit. In other words, a place where you can (digitally) slam a big red button: “Freeze my identity!”
If this system existed, you could have the option to “freeze” your Social Security number, instead of piecemeal credit reports. (In addition to the three major credit bureaus, there are specialized credit reporting agencies that build reports on you that companies can refer to before you open checking accounts, new utilities, payday loans, store financing — all kinds of things.)

• End authentication processes that use only static data. Social Security numbers are not secure identifiers. A cashier or bank teller glancing at the tiny photo on your driver’s license is not bulletproof verification. Right now, many processes to make sure people are who they say they are rely on so-called static data — things that don’t change.

Pretty much everyone agrees that the Social Security number is a bad way to identify people, but we haven’t arrived at a perfect alternative yet. Biometric data aren’t infallible, and a lot of people might chafe at having to use a fingerprint or facial identification to do something like access their bank account or write a check. California is testing digital IDs, and there are pros and cons. But we could use a combination of Social Security numbers and more dynamic types of data to create stronger layers of security.

• Enhance efficacy and accessibility standards for the credit bureaus. The credit bureaus exist in a strange space: They are private businesses, but you cannot opt out of them collecting your data or maintaining a file on you unless you completely opt out of using banks.

They are heavily regulated, but the standards we have now for accessibility and efficacy fall short. At the bare minimum, their websites should be fully functional; instead, I found persistent, frustrating error messages when trying to dispute inaccuracies. You should also be able to trust that the data the bureaus collect is well-protected, and that you’ll have some satisfying recourse if they are hacked.

• Pass laws that limit data collection, sharing and selling. Certain health care entities cannot share your information without your consent. Thanks to the pandemic, we’re all hopefully very familiar with HIPAA by now. But no similar federal legislation exists for your financial or other sensitive information.
“There is an insatiable corporate and governmental appetite for data,” Tajsar said. “We’ve created a system where there’s a massive amount of powerful entities that are addicted to people’s information.”
Companies you use and websites you visit can package and sell the data they obtain about you to partners or advertisers — pretty much whomever they want. And it can be sold again and again. And then whoever buys it can basically use it however they want. Data brokers spend millions on lobbying every year to ensure it stays that way.

In California, we have the California Consumer Privacy Act and the California Privacy Rights Act, but federal laws could enhance privacy and security no matter where you live.

• A cultural attitude shift about convenience vs. privacy. Legislatures can’t pass a law that says “everyone must care more about protecting their personal information.” But we can all choose to embrace practices that add marginally more inconvenience in exchange for enhanced digital privacy and protection.
“We need a societal shift from the notion that convenience trumps everything,” Velasquez said.

• More structured resources for victims of crimes committed online. Victims of cybercrimes — identity theft, of course; but also social media account takeovers and impersonation; cyber harassment and stalking; and financial scams, to name a few — often have little recourse. There is no one place you can go to report cybercrimes that has resources to investigate them. You can file reports with the FTC and the FBI. The FTC will then give you some steps to take on your own, and the FBI says it may refer your report to local enforcement. No one from either bureau ever followed up with me about my own reports. You can report it to your local police, like I did, which can be a lot more frustrating than filling out a form online, and just as unlikely to result in meaningful action.

This is a systemic problem, which is why there isn’t a single, easy solution. It shouldn’t be so easy to buy all the information you need to steal people’s identities online. It shouldn’t be so hard to find the people who do that. It shouldn’t take dozens of hours of unpaid labor to untangle yourself from the fallout of someone else’s crime.

Victims are unlikely to report the crime to police, police are unlikely to even investigate the ones that do get reported to them, and those reported crimes don’t show up in national crime statistics — so there’s less public outcry that might pressure police into caring more, or pressure lawmakers into passing legislation that would contain the data problem, or pressure credit bureaus into making it easier to resolve disputes.

What we have is a piecemeal system in which no one entity takes responsibility for preventing, reporting, investigating or solving cybercrimes. Victims like me feel as though no one cares, and no one will do anything about it.

Something has to change.