Congratulations, Your Identity Has Been Stolen!

Again!

This article was originally posted to Medium on Sep 8, 2017

In April I went to lunch with some coworkers, and as we were standing in line I checked email on my phone (as you do) and saw this email:

New card? I didn't sign up for a new card.

I knew I hadn’t signed up for an Amazon Rewards Visa Signature Card because I’d been in a meeting all morning, so I called my wife. She hadn’t signed up for it either. Instead of sitting down with my coworkers, I stepped outside and called Chase, canceling the new card immediately. Apparently I got the email because I already had an account with Chase, and they linked the new card with my existing account.

A few days later the card arrived in the mail. I keep it as a souvenir.

I mean, I do like orange

When your identity has been stolen you are thrown into the world of credit reporting. By this point you've probably read enough to name the three credit reporting agencies by memory: Equifax, Experian, and TransUnion. I had to go to identitytheft.gov and report the theft, I had to go to the police station and file a report there, and I had to log into one of those three agencies and put a 90-day freeze on my credit. That was a problem.

Because it turned out that of the three agencies, one wouldn't even let me try to log in at all, and when I tried to log onto the second one I failed to verify my own identity. Twice.

But now I have to back up.

Congratulations on Your New Home!

We bought our house in … let's just say we bought our house a few years ago. We'd been in it for more than a year when we got an IKEA catalog addressed to someone else (and not the name of the sellers from whom we bought the house). That was weird, but I could ignore it, because hey, new IKEA catalog and I didn't have to go to the store to get it.

A few days later, however, we got two more pieces of mail addressed to the same person (I'll call her by her initials, CB, because she seems to be a real person): the coupons that anyone who has filed a change of address form will recognize, and an offer from JCPenney explicitly addressed to a new homeowner. At that point I went on higher alert. Why had somebody filled out a new change of address form and listed our address? When a strange Visa cash card arrived a few months later I did some research and reported the whole thing as mail fraud, although I still don't understand what the possible angle was. To this day we still get occasional pieces of mail addressed to CB, but they mostly tapered off after I did that.

(We get mail to like four people who are not us, one of whom seems to be a football player, and another I assumed had to be a fake name since he literally only gets mail from Adventists, but holy cow, he's real and he has a LinkedIn profile, and now I'm both more and less confused. Anyway.)

Where Was I?

After failing completely to log into one credit agency, I hit the verification barrier for another one. You know the questions: they give you a multiple choice list of addresses where you may have lived, or names of people you're associated with, or whatever, and you have to pick the correct answer, or “none of the above.” So I went through the form and it asked me to pick someone I'd lived with from a list including three completely random names … and CB. There is no correct answer to that question. I'm not sure what I picked, the answer I knew to be correct (uh, that'd be “none of the above”) or the answer they wanted (CB, famous for IKEA catalogs and JCPenney furniture discount offers). Another question was about property my family owned in Ohio. Nobody in my family owns any property in Ohio. Reader, I failed to verify my own identity.

So I went through the form again, and this time I got two multiple choice questions where there was one recognizable wrong answer. One listed a neighbor at an old apartment, and another had a different neighbor's phone number. As you might guess, I failed a second time to verify my identity and that agency locked me out of further attempts. So then I called the agency and spent a good half hour on the phone because yet another challenge question had bogus information (this time it was the football player) but eventually I convinced them of who I was, they unlocked my online account, and I was able to log in and freeze my credit.

Wait For It

Later that week I got a letter about my application for a JCPenney charge card (offered by Synchrony Bank). I called. They had already marked it as fraudulent, and there was nothing for me to do. That was April.

But then in June I checked the mail and found an identical letter, but this one was from Walmart (offered by Synchrony Bank). I logged back in to the reporting agencies, gave the new date, and thought I had extended my “initial 90-day freeze.” But no!

Last week I got yet another letter from JCPenney (offered by Synchrony Bank) because a new application had been denied. Turns out my credit freeze had not been extended in June and had thus expired in August, so I clicked the button and started a new freeze. I have a reminder for that one:

Happy New Fraud!

The Problem With Identity

Now, of course, I'm one of the very high percentage of people affected by the Equifax breach. But I've already been down this road. Somebody out there (perhaps multiple somebodies) can already identify me well enough to get through to the “Apply” button on any credit form. They have my Social Security Number, they have my address, they probably have my mother's maiden name, and now, with the Equifax breach, it's pretty certain they probably have all the challenge-response answers that might come up. Where have I lived? On the list! Relatives? Roommates? Yup!

We have at least two major problems with the way we verify identity:

  1. Social Security Numbers aren't secure. They stopped being secure years ago, but now it has become entirely trivial for criminals to locate and use them.
  2. Credit reporting agencies stand to profit off both sides of the equation, even when their data is wrong.

There is no way for me to correct the record. Now the irony of this theft is that wherever Equifax had information about me wrong, any identity thief will have more information about how to verify my identity than I do. I didn't live with CB, but the (incorrect) record says I did! Nobody in my family owns property in Ohio, but let's check the (incorrect) record! And so on. It was possible for me to fail to verify my own identity, but now thieves will know my own record better than I do.

How do I protect my identity now? It's difficult to get a new Social Security Number, and the government discourages you from even trying:

Keep in mind that a new number probably won't solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record.

The Equifax solution is to offer a paltry year of credit monitoring. What happens after that? My identity is not going to get un-stolen in a year. The teacup is shattered. You can't unscramble an egg. And so on.

Credit agencies offer “protection” only in the racket sense, offering a service which only needs to exist because they are so bad at their jobs. I can't opt out of having a credit record. If I want to lock my credit report beyond the year they're offering now, I will have to pay, on an ongoing basis. Ars Technica wrote:

The net result long term is that you'll end up paying an additional $30 or so in fees every time you open new credit or need to allow someone to check your credit history.

For now I have to print out a paper application, print out the police report I filed, and put that stuff in an envelope to get an extended fraud alert. The good news is that it won't expire in 90 days, but that's … the only good news.

The bad news is that now that my identity has been stolen, it's pretty much stolen for good. To the rest of you in the Equifax breach, I'd say welcome to the club, but you don't want to be in it any more than I do.

What Happens Now?

In a just world, Equifax would be seized and shut down by the FTC. But we all know that won't happen, because we don't live in a just world.

What really needs to happen, like yesterday, is that the Social Security Administration should just give everybody in the country a new number. That's step one.

Step two: now that everybody has new Social Security Numbers, the SSA shouldn't allow anybody (even the IRS) to use them for identification. They need to have token-based authorization in place, so it's possible to query to verify that a person really exists, but not to use that information anywhere else.

Step three and beyond: I'd like to see authentication and authorization go to mandatory two-factor, but I don't know how to make that work on that kind of scale. I think one start would be to break up the credit reporting agencies, though. To my mind, they should have to choose whether they are in the identity verification business or the credit authorization business, and they shouldn't be allowed to do both.

Sigh

At this point I'm just tired. I'm tired of knowing I have this problem, I'm tired of the hoops I had to jump through to report it, I'm tired knowing I still have more hoops (mailed forms!), and I'm tired just thinking about the next time I need to do literally any banking at all, or apply for a job, or or or.

We're in this mess because we handed the keys to our identities to people who failed to steward them safely, and because nobody takes security seriously until it's too late (and even then it will cut into profits, so it's always at risk of being ignored). The people we need to save us are the same people.

That's bad.