Are Fraud Alerts Useless?
Wednesday, June 03, 2009
Monday's blog post discussed the findings of the Annual Survey by the ITRC of identity fraud victims' perspectives. The report included a section about victims who were unable to clear their records of the damage done by identity thieves and fraud:
"Many [victims] reported that the factors complicating their ability to clear negative records involved issues beyond their control, such as: inability to get a police report, credit accounts being reposted on credit reports, fraud alerts are being ignored, and the inability to prove innocence even with a police report. These factors may indicate system failures by various entities involved in resolving the victim’s case. Other situations appeared to be more consumer/victim related such as: I gave up (too many hours), don’t know how to clear my report, and family related issues."
In the survey, about 23% of respondents, who were unable to clear their records, reported that "My imposter is still active - fraud alerts are being ignored." On page 20 of the report, the ITRC's Julie Ferguson concluded:
"The failure of fraud alerts is a three-pronged problem. We have seen that when a consumer sets a fraud alert with one bureau, it does not always propagate to the other two bureaus 40% of the time. The second problem is that not all creditors place phone calls to consumers but use challenge questions at the point of sale. Unfortunately, the thief might know that information and when consumers do not receive a phone call they may perceive the alert is ignored. I also believe a fundamental problem is not being addressed, the fact that businesses write off the losses instead of prosecuting the suspect, which allows the criminals to continue to use the stolen information even after the consumer has cleaned it up. There ramifications for an identity thief are minimal and the odds of getting caught, arrested and prosecuted, I liken to winning the lottery or being struck by lightening.”
I agree with Ferguson. There definitely are several problems at work here.
First, the Fraud Alert tool always seemed weak to me, because potential lenders could easily ignore it. One could argue that this is an ethical problem among potential lenders. I often wondered if the Fraud Alert tool was simply a method for credit reporting agencies to claim that they offer consumers some protection, while still being able to sell as many credit reports as possible.
Second, as a victim of IBM's data breach, I have always wanted the strongest protection available for my sensitive personal and financial information. I first tried the Fraud Alert tool after IBM notified me its data breach, and later renewed my Fraud Alert on my own. When I compared the Fraud Alert tool to the Security Freeze tool, the Fraud Alert tool seemed weak. Ultimately, I added a Security Freeze to my credit reports since IBM never recovered its lost/stolen data tapes and my sensitive personal data is still out there exposed to criminals.
Third, I have written repeatedly about how the Security Freeze tool is not available nationwide for C.L.U.E. insurance reports. And, most consumers I have talked with are unaware of the regional and second-tier credit reporting agencies like Innovis. To me, these are gaps in the financial system that allow criminals to operate more easily than otherwise.
Thanks for that George,
While it is true that the FCRA does call for creditors to contact people with fraud alerts issued prior to issuing new credit accounts, few actually do that or only run checks weekly or monthly. So, basically fraud alerts are only partially effective. I have argued this point with the companies that make a living setting fraud alerts. If you look at the recent ruling in Federal Court Experian v.Lifelock you will see that the courts agree. I can't state it enough but a real identity theft service is not one that promises to stop identity theft because it cannot be done. A good service is one that provides early warning of possible fraud, full restoration, and reprentation for victims. When a person becomes a victim they are much more likely to have repeat episodes. A good company will document the fraud and the paper trail for subsequent issues as well. A good company has a working relationship with federal, state, private database companies, and law enforcement agencies. They can effectively make ammendments, or change record entries that have been made resulting from fraud. They will provide restoration services that are performed by forensic licensed investigators who are empowered both by license and POA to act on behalf of the identity theft victim client.
We should not be so possessed by asking a service to stop identity theft and more focused on what they will do for us when we become a victim of fraud. Identity theft is no different than any crime. We cannot stop mayhem, we cannot stop robbery, we cannot stop fraud of any kind. What makes us think that we can stop identity theft? Realistically what we can do is to empower ourselves for when it happens. How much do you pay in auto insurance? Is it worth it? When you have to file a claim it is worth its weight in gold. How much is your identity worth?
Posted by: John Taylor | Wednesday, June 03, 2009 at 01:22 PM
John:
Thanks for the comment. I agree with most of your comment above. My question is this: how is a consumer to tell or evaluate a "good service" that provides full restoration and representation of victims? How can a consumer tell which service has the best fraud documentation practices, and the best working relationships with government agencies, database companies, and law enforcement?
In my experience, most consumers I've talked with are still learning the basics:
a) the sensitive personal data they should protect,
b) protect their identity and home computer
c) monitor their credit reports for fraud/accuracy
That is scary enough for many consumers. Regarding restoration services, people tell me they'll deal it when and if it happens. I've been reading about ID-theft services for almost two years, and it is hard to tell which service has the "best" restoration and victim representation services. I've yet to see any statistics (e.g., resolution rates, reimbursement rates, etc.) by independent evaluations of the various restoration services to help consumers.
Maybe Consumer Reports is working on something in this area.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Thursday, June 04, 2009 at 08:54 AM
Thanks George,
The best way in my opinion is to look at who the company is. Who are the directors? Are they privacy professionals or are they marketing or software people? As you know I represent the Identity Theft Shield. The restoration and client representation is handled by Kroll Fraud Solutions. Here is a link to the relevent Kroll web page that covers the basics of the service.
http://www.krollfraudsolutions.com/breach-products-and-services/investigation-restoration.aspx
The product is the only service in existence where Kroll has partnered with another company to create such a program. It was begun in 2003, long before the world recognized ID theft as a real global threat. It was designed as being future proof in that no one knows or knew at the time how identity theft would manifest itself in the future. Kroll took the position that no matter how a client finds themselves a victim, whether it is from the credit bureaus, the IRS, resulting from a false arrest, from being denied insurance due to false CLUE attachments, denied air flight due to a watchlist entry of a clients drivers license, etc. Kroll will perform the restorative services. Kroll did not take the position that they are going to stop ID theft, but instead their philosophy is to provide a good early warning system via the credit bureaus which are the most common first indication of ID theft, and to prevent the fallout from ID theft with a restoration performed by Federally LICENSED forensic investigators no matter how ID theft occurs. Is it perfect? Absolutely not. Is it the best thing going? Yes, without a doubt. Any company that engages in false hubris as to how good they are is suspect to me. Kroll is not like that. They rely on a 35 year track record of solving privacy and security issues for Sovereign governments, multi-national corporations in 26 countries throught the world, and since 2003 for individuals. They have for years worked with companies who have experienced data breaches to handle all the forensic work to unravel the crime if there aws one in the first place. When Harvard had a massive breach in 2007 Kroll was in place to solve it, notify all p[otential victims, contain the damage within 39 minutes, and protect Harvard from legal damages.
The Identity Theft Shield is only available by way of Pre-Paid Legal Services Associates. I make that and the legal service plans available to employee groups as an employee benefit. There is no software solution to identity theft. There is no legal solution to identity theft. There is no methodology that will stop it from happening any more than there is for any crime. We have to rely on two things. First, that the majority of us will do the right thing, and second that we protect ourselve from those who don't share that philosophy. Identity theft is an international crime that crosses all cultures, and legal systems. Try to wrangle that! The smart thing to do is to protect yourself as best you can.
Posted by: John Taylor | Thursday, June 04, 2009 at 11:16 AM