13 comments

[ 2.6 ms ] story [ 40.6 ms ] thread
(comment deleted)
Paraphrasing from a comment I can't find anymore:

Identity theft is a PR con job. Think about it - the idea that a criminal can "steal your identity" is patently ridiculous. What they actually do is defraud your bank, or a vendor, or the government, by impersonating you. Instead of taking responsibility for being defrauded and paying for effective countermeasures, these institutions try to convince us that when they get defrauded it is somehow our responsibility. Then they sell us the countermeasures.

It's one of the most impressive strategic manipulations of public understanding that I've ever seen.

You took the words right out of my mouth.

I'd add that we don't formally teach the basics of our credit system (or even our financial system) partly because children would easily poke holes into the accepted explanations.

"Why would a bank let someone pretend to be me? Shouldn't the bank ask for more info?"

"Why does it take forever to know my credit but any business can get in a second?"

"Does the government run the three companies that set your credit score? Why not?"

It's a kind of unconscious, societal embarrassment that manifests as an educational taboo.

We don't talk about what we don't want to think about, or more specifically, our society doesn't teach what it has accepted without critical thinking.

Is cc theft lumped in with "identity" theft? I have had my cc stolen numerous times, but nobody has assumed my identity in order to obtain lines of credit or travel with a passport in my name. My information was in the massive US Personnel Office data breach, but as far as I know, my SSN isn't being used by anyone [yet].

Stupid .gov with their lousy data handling practices.

True, it's not your problem if Capital One gets defrauded. But "identity fraud" is a generic term that comprises the entire suite of ways you and/or your bank can be defrauded, and it's not always the bank's problem.

Sticking to the financial space, the monetary losses are theirs to bear-- they don't try to make you split the difference on losses, do they? You dispute it, they perform a perfunctory investigation, accept the losses and move on.

Same goes for data breaches. $150M gets stolen from "the bank." They don't charge everyone 150M/(N customers) to recoup the loss; they file an insurance claim and life goes on with the same amount of money in everyone's accounts.

But the corollary is that it's not Capital One's problem to unfsck your credit history/reputation after a fraudster has impersonated you to open and bust out of HELOCs, credit cards, utilities, and writing/cashing bad checks in your name. That much is between you, the other affected institutions and the credit bureaus.

Credit history is maintained by third parties who aren't inherently concerned with the validity of your accounts (they get paid the same to report whatever data they have either way), and is tied to a rigid set of credentials that are very difficult to change or re-establish.

(To me, this is the bigger problem with victimization-- it's easy for your "identity to be stolen" or to create fraudulent new ones with or without ties to you but very difficult to be granted a legitimate new identity. Even where successful, the ghosts from your falsified past will still haunt you thanks to the number of fourth-parties who cache and resell stale data.)

If someone socially engineers your credentials out of you and reroutes your direct deposit to a disposable account after having supplied harvested username+password, divining the answers to your security questions, verifying the existing account information and somehow spoofing/bypassing 2FA, is that really the bank's problem? They did their due diligence in verifying your identity. The phishing email you responded to literally gave the fraudster the keys to your paycheck.

Government should have less of an excuse. If someone fraudulently files a tax return in my name, that's a federal criminal matter between the IRS and the thief. Either investigate it or make it harder to commit. The problem is that the schemes are initiated from internet cafes in western Africa and eastern Europe and it's far easier to blame me and make it my problem than to perform international investigations and extradite from countries that we have poor relationships with.

Having just left that industry I'll give you that the preventative- and counter-measures implemented and sold to consumers are both a joke, but these are the fundamental problems they exist to mitigate.

It is a bit like "victim blaming" but as in almost all cases of that, there is obviously good advice that people could follow to avoid being victimized.

Yes, you are right that it is those companies that have been defrauded, not you. But why should those companies trust someone who doesn't follow simple measures to protect themselves and those they do business with?

It cuts both ways.

Should an auto insurance company never raise your rates after theft, even if you repeatedly leave the car running unattended with the doors open?

Sure, the thief bears the responsibility, ultimately... but you're still being careless and the insurance company has every right to drop you or raise your rates.

>Update your computer's firewall, anti-virus and anti-spyware programmes. Up to 80% of cyber-threats can be removed by doing this

Does identity theft usually involve malware? I would think the biggest "cyber-threat" risk is phishing and I don't think firewalls and antivirus are going to help you with that beyond what safebrowsing already does.

Antivirus can actually open you up to certain attacks with memory corruption vulnerabilities in the file parsers that automatically run.

"Antivirus can actually open you up to certain attacks with memory corruption vulnerabilities in the file parsers that automatically run."

Yeah, I thought the idea of firewall == snake oil was pretty well-accepted among computer-literate people. The kind of people who might benefit from it will just make an exception for malicious software without reading the prompts, and power users know what to download.

And in addition to that it makes people even more insecure as it promotes a false sense of security. It seems that having a firewall makes people even more likely to turn their brains off and clicking "yes" on any dialogue without reading it. Favorite quote after finding malware on someone's system: "But I have a firewall, this is impossible!"

But most importantly is probably the viewpoint of the top comment: Banks and other companies have changed the narrative so that users are responsible for their poorly implemented security features.

This is quite absurd, when you think about it.

If the general public would learn and implement even one out of the below list items, they would significantly improve their online security

1. Learn how to type facebook.com into the URL bar vs. Googling for Google, then searching Facebook, then clicking the Facebook ad that redirected to a phishing site (happened to my sister)

2. Use password hygiene (you'd never reuse the same kleenex would you?)

3. Use a password manager

4. Don't be obstinate when computer people try to help you improve your online security.

5. Update your crap, stop clicking Remind Me Later

A dismissive sniff is NOT the proper reaction - those computer nerds aren't wearing spandex anymore deary.

"I don't want to do that!" Well fine, I'll wave goodby as you do the equivalent of driving down the freeway with no doors, no seatbelts, and three flat tires~!

Oh come on: you may make a point of users not caring about security, but in essence it all comes to the entities that actually care: banks, who need to prove it was user's fault; government, whose voters are not going to vote for the president who could not deliver a safe government; shops who pay for chargebacks...

Why don't we just stop trying to make users remember all of the safety measures they've got to take care of (which by the way sound to a layperson more like a cargo cult rather than a genuine problem), and implement proper public-key authentication on all of the websites?

Identity theft is a problem - that's true. But the solution is the practical one and not ideological.

> If the general public would learn and implement even one out of the below list items, they would significantly improve their online security

I wonder if companies could do their part in improving online security by allowing the option of authentication through client side TLS certificates. That, in itself, would eliminate the necessity of the first 3 items in your list.