Is It ID Theft Or Was The Bank Robbed?

from the which-one-seems-more-accurate dept

Via Clay Shirky, comes a very good point from Kevin Marks concerning claims of “identity theft,” where he notes that identity theft is not actually an identity being stolen but is usually a bank/credit card company being robbed and passing off the blame for their own poor security on the victim. He point to a brilliant comedy routine by Mitchell and Webb that makes this all pretty clear:

“They took all the money? That sounds more like a bank robbery.”
“No, no. If only. ‘Cause we could take the hit. No, no. It was actually your identity that was stolen, primarily. It’s a massive pisser for you.”
“But, it’s actually money that’s been taken…”
“From you?”
“Kind of.”
“I don’t know what you want from me other than my commiserations.”
“You see it was your identity. They said they were you!”
“And you believed them?”
“Yes, they stole your identity.”
“Well, I don’t know. I seem to still have my identity, whereas you seem to have lost several thousands of pounds. In light of that, I’m not sure why you think it was my identity that was stolen instead of your money.”

The problem isn’t “identity theft.” It’s bad security and verification processes by a financial institution.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Is It ID Theft Or Was The Bank Robbed?”

Subscribe: RSS Leave a comment
william (profile) says:

Ouch. To be honest I never thought of it this way.

Undeniably if I were to go on the street and offer every single little detail of my identity, then I am at fault.

In this day and age it’s just a bit too easy to gather enough life detail of another person to convince others that you are them.

However, higher level of verification really cause inconvenience to customers. One of the small local credit union I go to has high level of verification and it’s the worst bank I have ever used.

For the web,
-customer selected image to help identify the correct website (prevents phishing)
-password for identifying your computer (needed when you use a computer for the first time)
-Then your regular username/password.

For phone calls
-secret passwords (and they only ask you, what’s the first and fourth letter of your password)
-some verify question like the typical your mom’s maiden name…etc

I only use this credit union for mortgage so I don’t use all these password on a regular basis, at most twice a month. Long and behold one day I failed my online verification, got my account locked. Then I failed on phone verification. Then I forgot the bank card’s PIN. Note they always tell you not write anything down. Finally I had to go to the bank and proof my identity to get my account reset. Only to have them reset my PIN only.

Now I just use the band machine to pay mortgage and check balance. Just too much a bother…

Fiercedeity (profile) says:

Re: Re:

For the web,
-customer selected image to help identify the correct website (prevents phishing)
-password for identifying your computer (needed when you use a computer for the first time)
-Then your regular username/password.

Every banking website I’ve used (not credit card sites though) has used this process. I don’t know about you, but I take great comfort in the fact that my bank requires those measures… I mean, you can do pretty much ANYTHING to your account once logged in, so I don’t really think it’s and inconvenience.

My current bank site requires me to type in my account number and password. The account number isn’t very long like some banks, so it’s quite easy to remember. Then you answer two security questions (Name of your first pet, etc. Stuff you choose beforehand), then verify that your chosen security picture and quote is shown. If you use cookies you can allow your computer to be verified, and then you only have to answer one security question. It’s not foolproof, but it’s a great system overall.

william (profile) says:

Re: Re: Re:

I am from Canada, and this credit union I mentioned is the first bank I ever had to go through all these process. All the other banks I deal with only requires one account id and password.

I can’t back this up but I heard down south there are a lot more ID theft and bank fraud than in Canada. Perhaps US citizens are more used to this many layers of verification?

I am not against higher level of verification/security, but I do think that banks need to suck up some of the loss just to service the customers better. Credit card fraud has always been rampant but it wasn’t until lately that they start requiring a PIN. The companies has always absorb those losses.

And from those huge amount of profits (and increasing fee every year) for banks, I think they can handle some of these loss.

Kevin Stapp (profile) says:

Re: Re:

“Well, I don’t know. I seem to still have my identity, whereas you seem to have lost several thousands of pounds. In light of that, I’m not sure why you think it was my identity that was stolen instead of your money.”

I never thought of it this way either but having been a victim of ID theft I can attest the attitude of banks and credit card companies regarding ‘your’ problem.

In my case someone used my ID to apply for credit cards then subsequently a large loan ($15k). Once I got copies of the applications so I could prove I didn’t actually take out a loan here’s what I found on the application:

1. My middle name was misspelled
2. My employment history was completely wrong. It listed current and former employers I never worked for
3. Telephone number was invalid
4. Street address physically did not exist
5. Personal references and contact information were fictitious
6. Drivers license presented as ID had a different DOB, no picture and was issued from a state that differed from the bogus address on the application

I pointed out to the ‘fraud’ investigator that even the most rudimentary attempt at verification of the information on the application should have raised red flags. He stated it wasn’t their job to verify every bit of information on an application. He also stated that even though the application had fraudulent information that didn’t prove that I wasn’t the one who submitted the bogus application. The conversation degenerated from there.

In the end I was able to clear up my credit but it was an eye opener to realize that companies handing out money regard you as the primary victim of a crime and that you are guilty until you prove yourself innocent.

JAy. says:

The problem isn’t “identity theft.” It’s bad security and verification processes by a financial institution.

But what is worse than bad verification in creating accounts is hyper-security afterwards. Someone commandeered my friends identity (probably more accurate than “stole”) and created a credit card account. When my friend found out, she called the bank and informed them of what had happened. The customer service agent AND her supervisor refused to talk to my friend about the account because she didn’t know the security information (pin, answers, etc.). It took her three days to get the bank to acknowledge that she was who she said she was and that the account had been fraudulently opened.

John Doe says:

Re: Re:

This same thing happened to my brother. They let somebody open a credit card in his name without any real proof of identity and then hassled him when he tried to prove it wasn’t his. They also got a cell phone and car repair in his name. Took him a year to get it all straightened out.

I would much rather have someone make fraudulent charges to my credit card; you dispute them and they go away. When someone actually opens accounts in your name you are in for a long hard road to clear that up.

diabolic (profile) says:

Re: Re: Re:

Actually my credit card was stolen and there were lots of bogus charges. While the credit card issuer refunded the money the stores/vendors all came after me. It was a big hassle and I had to hire a lawyer to send some letters to them on my behalf. It look months to get everything straight. I was one letter/phone call from suing Home Depot for harrassing me. By trying to make me a victim twice Home Depot lost my business for life. “Identity theft” hurts everyone involved (except the thief), not just the corp fronting the money.

Anonymous Coward says:

“Is It ID Theft Or Was The Bank Robbed?”

The simple answer is both.

The ID was “stolen” virtually, but it isn’t any different from taking your wallet or purse, and having all your ID cards photocopied and read by computer, plus getting a handy list of your mother’s maiden name and your pet’s name too.

With that information, the person (vritually) visits the bank and makes withdrawls.

They key is this: without the personal information, nothing would happen. The bank isn’t going to tolerate someone showing up doing a phonebook or dictionary attack on a password or security test. Without the information, nothing would happen.

It’s the typical “I am never to blame” mentality that most people have. You got your information stolen / lifted / copied, that is where the crime(s) started. You are resonsible not to go to and type your information in.

kirillian (profile) says:

Re: Re:

I think, in this case, your conclusions are a bit stretched. While it is true that most people probably are responsible for this happening, I can still see the possibility of others whose information is stolen outside of their control. Banks have been hacked before…whether or not it’s common or not, the mere fact that it is possible should at least give your conclusions some pause, right?

Derek Kerton (profile) says:

Re: Re:

I’m with AC on this.

Lots of people get “socially engineered” to give up their IDs and passwords.

Lots of people lose their wallets and bank cards.

Criminals then use this to defraud the bank. Not sure I see how this kind of situation is the bank’s fault.

If I leave my car keys on a bar, someone picks them up and steals my Ford, is it Ford’s fault?

Fiercedeity (profile) says:

Re: Re: Re:

Well, unlike a financial institution, Ford has nothing to do with your car’s security after you purchase the vehicle. Now, if Ford was required, somehow, to verify the owners identity every time the key was used to open the door or start the engine, then yes, Ford would be at fault if someone other than the owner stole the car.

Derek Kerton (profile) says:

Re: Re: Re: Re:

If I give someone the “keys” to my bank account, and they “drive off with it”, and the bank’s security systems were adequate and worked perfectly, then I am the security breach, not my bank.

Yes, the bank should be responsible for running a secure, safe system, where a user has a reasonable expectation of security from the bank.

But the user is not just a spectator in this game. We are active players with a role to fill – not to get duped into giving up our credentials. It’s not the banks job to protect us from ourselves. At what point do we take responsibility for our own mistakes?

Fiercedeity (profile) says:

Re: Re: Re:2 Re:

Except the banks job should be to verify IDENTITY, not simply that you have the right “keys”. Even if someone stole someone else’s credentials, the fact remains that the bank incorrectly IDENTIFIED the person and released funds (or whatever). However you spin it, the bank still shares responsibility for that specific incident.

I’m not saying that users aren’t responsible, they are. And there are a lot of stupid people out there. And they pay for it through the hell you have to go through to sort everything out (sometimes takes years). I think that’s punishment enough for someone to learn from their mistake.

The problem is that many banks don’t take their own security seriously (at least when it comes to customer security). If the bank does EVERYTHING reasonably possible to ensure customer security, goes to every length possible to resolve reports of fraud, then at that point if a breach occurs I will say the bank is clear. However, most banks don’t even come close to this. And as the backbone of the country’s financial well being (maybe lol), they have a responsibility to be that secure.

Josh (profile) says:

Re: Re:

“It’s the typical “I am never to blame” mentality that most people have. You got your information stolen / lifted / copied, that is where the crime(s) started. You are resonsible not to go to and type your information in.”

You (and in the case of this skit, the bank) are automatically assuming that the individual was the one who went to the fake site and entered his/her information in. While that is valid in some instances, it certainly doesn’t address all of the ways in which “identity theft” happens.

How often do we see data breaches involving thousands of people’s information stolen through no fault of their own? Maybe the bank’s systems were hacked. Maybe it was a retailer (TJ Max, amongst others). Maybe it was a credit processor that no one outside a specialized field has heard of, despite the fact they handle transactions for millions of people every day (Heartland). Any of those situations could allow an attacker to get enough information to open an account in the name of a random person who never had visited a bogus site or entered information on a malware infected machine.

jilocasin (profile) says:

I don't bank online... the risk is withthe wrong people.

Well the banks and credit unions I’ve dealt with all say the same thing;
IE only
4 digit (that’s numbers only folks) password.
Anything _bad_ happens and _you_ assume all risk.

My response is to have nothing to do with online banking.

I didn’t set up the rules.
I didn’t code their web site.
I don’t have any say in their verification process.

It’s their site, if they want me to bank online (which is much more cost effective than having me deal with a live human teller) then they need to assume some of the risk.

With a credit card, your responsible for the first $50, they eat the rest if it’s used fraudulently. Guess what, credit cards are much more secure as a result. You only use your card locally for purchases less than $100. A charge shows up for a $2,500 purchase in Mexico City, you get a call from your credit card company asking if this is a legit purchase. Why? Because if it isn’t they eat it.

Security for most companies is an externality. It doesn’t directly effect their bottom line, it effects yours. The problem of course is that only they are in a position to fix it. They won’t as long as it’s not their problem. Once we make it their problem, then they’ll have an incentive clean up their acts.

interval says:

They’re absolutely freaking right. “Identity theft” makes it sound like a simulacrum went to your bank looking like you, and when the teller said “Good morning Mr. Smith”, it put on your voice and said hello back. When actually its not identity theft at all but some one telling the banks computers they are you, and the goddamn computer has nothing to go on but a simple password. Its just robbery.

Chargone (profile) says:

pretty sure the process to get into the online banking system here is a lot shorter, and so far as i can tell you can’t NOT have online banking.

that said, while the debit card has a 4 diget pin, the Internet banking [at least the bank i use] requires you to use a rather long password. which i could never remember. to the point where i got locked out of my own account at least once.

i just don’t bother anymore. use the ATM for regular, normal withdrawals, and actually go into the bank for anything more complex. it’s just… massively less hassle.

then again, the banks are all 9-5, Monday to Friday deals [some now open part of Saturday]. catering precisely to, as some wit put it: two types of people: the unemployed, and bank robbers. so maybe it’s not that convenient if one actually has a job.

while there is some truth to the whole ‘identity theft’ angle, in that you very much should do your best to keep your passwords etc secure, and notify the bank if they get stolen or whatever, a password is a key. no more, no less. if you have a safety deposit box, and someone steals your key, copies it, returns the key in such a way that you do not know it was gone, and then one fine day waltzes down to the bank, opens said deposit box, and takes your stuff…

who’s liable? you or the bank?

to me, it’s the same idea, really. on the one hand, they really shouldn’t be able to take your key in the first place. on the other hand, even With the key, they still shouldn’t be able to get in if they’re not you. the problem is, that internet banking is automated. that’s pretty much the Point. it’s the functional equivalent of said deposit box being in a vault… but the same key opens the vault as the box. [or in the cases where there’s a separate password, the thief stole both keys]

on the Other hand, if someone sets up a false account in your name, and then proceeds to rip off the bank, that’s Entirely on them, really.

oh, fun thing: NZ does not have social security numbers, or an equivalent. different entities are not Allowed to have systems that line up by design when assigning you identification numbers for record keeping[fluke chance is a different story]. not even different government departments, i believe. even the Video Rental places typically want photo ID before they’ll issue you a card. most places require multiple forms of ID from other entities [passports and drivers licenses preferred] before they’ll give you a new document that could be used as even basic ID. and on it goes. it’s still not impossible to have one’s identity stolen, but it is a lot more hassle.

also, the concept of stealing credit cards from mailboxes before they’ve been signed is averted, at least for debit cards, by the fact that you can only change the PIN in the bank itself, [or possibly through internet banking, i guess] and either the PIN and the card are both tied to the account, not directly to each other, or the pin is assigned to the card before the card is sent out. so anyone who steals and signs that card, needs to know the PIN too.

it’s still possible to use a credit card based purely on your signature matching the one on the card in a lot of places, mind you… but only for credit. you can’t actually take money that way. and, of course, when one gets the funky bill, one gets hold of the credit card company and says ‘hey, i never bought that. what’s going on?’. cue investigation.

umm… it’s 7:30 am and i haven’t slept yet. i hope that staye dmostly on topic…

Claus Rasmussen (profile) says:

online banking security

If things really are as fairly simple in US online banks as described here, I would agree that banks are partly to blame for lack of verification. Of course the moron sitting 40 cm behind the screen surfing pr0n sites or installing emoticons via activeX in IE6 has his/her part of the blame as well.

My danish bank (actually both the 2 I use nowadays) use a code card with random one-time codes required for each single monetary transaction made in the web-bank. Whenever I’ve used the 80 codes on my card, I get a new card in the snailmail. Before entering the webbank, I use my SSN and a bank-generated password (10 letters, digits and chars), and one of the codes from the card.

On top of that, the webbank interface works like a charm in FF, Opera, Safari as well as IE8, so I don’t need to be a moron and keep on using IE6 on winME or whatever a moron would do…

The hassle of using these codes is really not an issue – especially when taking the benefits into consideration.

Most banks here in Denmark use sort of a dongle file, which you need to store on your computer, which is then queried when making transactions. This solution makes it a bigger hassle to use your work computer to access the web bank, and I believe those solutions also have bigger problems with browser compatibility. But still, it gives a higher level of security.

P. Orin Zack (profile) says:

Security Questions

When I still had an account with Bank of America, they used as one of the security questions, ‘Which branch did you open the account at?” Well, for some reason, they changed the data in their record to show some other branch, and insisted that I answer with their lie in order to access my account. Nobody there, all the way up to the Office of the President, could understand that if they ask customers to lie about one thing, they will lie about others in order to get what they want.

Gregory (profile) says:

Banking security

A lot of work has gone into information security; you can read up Bruce Schneier for a fairly comprehensive look at how you can become as secure as your needs go – but there is always a tradeoff between security and convenience.

I guess I’m one of those who got suckered by that very phrase ‘ID theft’ – you’re right, I still have my identity, it’s just that someone else has been masquerading as myself.

HSBC, amongst others, employs true security by using multi-factor authentication. You get a ‘football’ similar to the one PayPal and Verisign use, where you input one-use numeric codes to gain access to the account, and to do ‘risky’ transactions. A local bank of mine sends that code via SMS to my mobile phone, which is another form of multi-factor authentication (assuming my SIM didn’t get cloned).

Any bank trying to do anything else is not employing true security, and should be castigated from the highest places.

herodotus (profile) says:

“Yes, the bank should be responsible for running a secure, safe system, where a user has a reasonable expectation of security from the bank.

But the user is not just a spectator in this game. We are active players with a role to fill – not to get duped into giving up our credentials. It’s not the banks job to protect us from ourselves. At what point do we take responsibility for our own mistakes?”

I have found that you are much more likely to hear an individual say ‘it was my fault’ than you are to the representative of a bank say ‘it was our fault’.

When someone (the police never did figure out who) printed up a bunch of checks that had our account number and someone else’s name on them, no one at the bank noticed. There were dozens of checks, all cashed within a couple of days, all with our account number and the fake person’s name.

Somehow, it just doesn’t seem like that much of a hassle to verify that the name on a check matches the one on the account before cashing it.

When we finally noticed what was going on, the bank had no process in place to help us out. No one could answer our questions. We finally went to the corporate office and talked to the only helpful woman we met in the whole experience, and got the whole thing cleared up.

This was over a month later.

The funny part was that and one of her co workers had told her ‘you know, you don’t have to help these people’ before she came to help us.

BryanCar (profile) says:

Keep your information safely!

Thief is a thief. No matter stealing your money or your ID.

So you have to protect yourself first. Don’t trust anyone, even some secure internet.

Virus, Spyware and Adware Protection
Personal Firewall
Automatic Daily Updates
Parental Control
Root-Kit Detection
Spam Filter

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...