It’s been a while since I’ve talked about credit card fraud and identity theft here. There’s still a huge problem with it. Tens of millions of people have already been affected, and millions more are victimized with each passing year.
My friend Skip Evans is currently dealing with a related issue, the use of fraudulent websites that steal the look, feel, and sometimes the original code of a legitimate commerical site in order to “phish” for credit card data from consumers. Skip says that he has been trying to interest various law enforcement agencies to deal with a particular case of this, with little interest so far from those agencies. If he writes that up, I’ll post it here as a guest post.
The first thing I’ll say is a repeat of what I have said before: the solution is not to have individual credit consumers opt into accessory “protection” services. Those services simply offer lightly processed data on transactions to consumers; the consumer still has the burden of assuring that all the transactions are legitimate or not, and taking action if they note suspicious activity. The “protection” services don’t claim to actually protect the consumer, or ameliorate the damages that a consumer may face if they are a victim of identity theft, even if they have those services current and up to date. They might aid a consumer in spotting suspicious activity earlier than they otherwise would, and that is the only utility such programs may have. Ultimately, though, these services are a distraction. Credit card companies appear to regard the burgeoning credit card fraud and identity theft problem not as a cause for their concern and action, but rather as another opportunity to move some money from customer accounts to their own pockets. One provider of “protection” services, given access to customer phone numbers by the credit card company itself, reported over half a billion dollars of business last year. Presumably, the credit card company gets a cut for providing the customer contact info.
The bad guys are, I’m sure, not impressed. If one account becomes closed to them, they still have millions more virtually unprotected victims to pick from. With such abundant opportunities, poor detection, lax enforcement, and high payoff, we should be prepared for more and more criminal activity of this sort until such time as the criminals are competing more with each other for diminishing numbers of victims, or our purveyors of credit and law enforcement decide to treat this problem seriously. Consider the “protection” services from the point of view of the criminal. These hinder them not at all in acquiring a new victim. All that they possibly can do is shorten the period of time in which the victim’s data may be used by the criminal. Criminals already know that their best strategy is to load up the victim’s account with debt as rapidly as possible up to whatever credit limit applies. A period of a few minutes to a few hours should be sufficient to accomplish this in the vast majority of cases, which makes a mockery of the response time of “protection” services.
If we want credit card fraud and identity theft to become a thing of the past, we have to make it both much harder for a criminal to accomplish and much more likely for a criminal to be caught and punished than it is now. How do we do that? Unfortunately, I think that we need a rather fundamental revamping of how credit is offered and managed, a process that will require changes in how credit card companies ply their wares, how credit reporting companies handle consumer data, and how law enforcement deals with these impersonal white collar crime. I don’t have any novel ideas on this score; others have already suggested that consumers should be able to request an embargo on sale of their credit history by credit reporting companies. Obviously, the credit reporting companies dislike any restriction on their ability to market their accumulated data on individual consumers. Consumers should not have to stand ready with shredders for every letter they recieve in the mail, yet nowadays credit card companies routinely send out pre-approved offers of credit with user information already filled in on application forms. Interception of these makes the criminal’s job easy. Another thing that I commonly find is that my credit card companies routinely send me credit-based checks in the mail. I shred these on receipt. The risk for fraud is high with any such instrument, and the postal service is nowhere near a secure channel for materials like ready-to-write credit checks. Steps like these would make the criminal’s job somewhat harder, but they have many other avenues for making an attack upon consumers. There is still the problem of how to make law enforcement much, much more effective at identifying and prosecuting the criminals. If anyone has some ideas for that, let me know.