Recently, I got a cross-cut paper shredder at Target, which was desperately needed on my part as I had a large box of junk mail sitting in my living room, waiting to be shredded so I could throw it out without worrying that someone was going to try and use the contents to get a credit card in my name. As I spent the two hours opening all of this junk mail and reading its contents, there was one thing that irked me.

On each of my credit card statements, there is a notice that reads "A paper trail is an identity thief's best friend. Sign up to pay your bill online." What they are saying is simple: sending in a check by mail each month in order to pay off the balance on your credit card is unsafe, because the check or the statement might be intercepted in transit, and a bad guy could use the information they gleaned from this "paper trail" to steal my identity and ruin my day. I wonder what these mail-stealing identity thieves look like...are they like leprechauns, gleefully stealing financial data from mailboxes to get their hands on more whiskey or Blarney stones or whatever it is they buy?

In order to avoid this potential security hole, so they claim, I should sign up to pay my credit card bill using their web interface, which allows me to transfer money from my bank account to the credit card company, without the use of a check or "snail mail". Discouraging me from using a check and the post office, the traditional way, is implying that the web interface is more secure. But is it? I have my doubts. Once I have decided to go that route, then I'll have to use that web interface each month in order to pay off my credit card bill. If I'm not going to get a paper statement, then they're probably going to alert me by email, and that means greater risk of succumbing to a possible phishing scheme. Someone sends me an email that looks like it came from my credit card company, they link to a website that looks like my credit card company's web site, and I unknowingly enter my bank credentials, which are sent to the nefarious bunch of hackers that set up the fraudulent web site to begin with. With my bank login and password in hand, they are able to transfer the money in my bank account where they want.

That's just one example. There are tons of other potential security holes in using online banking interfaces in order to transfer money.

I know what they're really doing: the credit card company would like me to opt for the online option so they can cut back on the expense they incur processing checks that are mailed in. When we mail in credit card payments, someone has to open all those envelopes and process all those checks. The credit card companies want to eliminate these people by getting me to do it for them, by using the "convenience" of a web interface.

(Also among my junk mail were at least seven envelopes containing four checks from my credit card company with my name and address on them. By simply writing a payee and amount on them, I could easily borrow money from them on my credit card account using one of these checks. Mmmm-hmmm...what's that you were saying about the dangers of a "paper trail"?)

Ignoring this issue for a moment, I think that saying, "A paper trail is an identity thief's best friend" is flat-out wrong. It's inaccurate, or at best misleading. Sure, it's possible that your information might be compromised if you send it through the post office. Nothing will ever eliminate that risk completely. But I think that it's far more likely that using a web interface, and potentially having to store my credentials on my credit card company's web site, or initiate bank transfers over Internet connections that may or may not be secure, is a bigger risk.

Partly, it's an issue of control: if my sensitive information is stored in a database on some server somewhere, that information is out of my control. It's a digital abstraction that I cannot physically access or delete in the future, should I ever want to do so.

The other issue is with the size of the dangling carrot and the rabbit chasing it in either scenario. You might have all of your past credit card statements stored in a box in your house somewhere, and it's perfectly possible that a burglar might break in, steal that box, and use it for evil purposes. However, burglars are generally not looking for your financial information; they want jewelry, cash, or other small valuables. Even if this burglar did take your box of credit card statements, he's probably not technically savvy enough to know what to do with them. (Although, admittedly, he might know who to sell the information to.)

In any case, if you don't have a house in Bellaire, a burglar is probably not going to go after your financial information. If you've got a 900-square-foot house in Cleveland, don't flatter yourself.

On the other hand, financial information for hundreds of thousands, or even millions, of customers, stored in one database on a credit card company's web server is a much bigger carrot. It in turn attracts the very worst of rabbits, who are intelligent enough to devise ways of compromising that information. They have a big incentive to do so, since the information is worth a lot. One person's financial information might not be worth breaking into their house for, but the information of millions of people is certainly worth trying to crack into a computer server for.

This is not to say that we should completely resist doing any financial transactions or managing financial information on the Internet. I don't want to make that claim. The biggest problem I see with people opting to pay their credit card bill online is that if enough people go that route, then eventually they might just eliminate the paper option altogether. As long as there are people like my dad around, who are stuck in their ways and unwilling to give up paying their bills by mail (not that this is a bad thing), the option probably won't go away for a while. I'm not sure how likely this is or how near in the future it might even become a real consideration for companies, but on the whole it's a bad idea. A paper trail isn't an identity thief's best friend; it's our best friend. That's something important to consider before getting rid of it in the name of "convenience".

Take another look at the statement "A paper trail is an identity thief's best friend." What I despise about it most of all is where it places responsibility in the event of identity theft. Let's imagine that I decide, as a customer, to keep paying my bill using the "paper trail" option. A few months later, my identity gets stolen. Because of the wording of this statement, it's implied that it's my fault, because I didn't follow the prudent advice given to me by my credit card company. They can say, "We told you so." It doesn't really matter in what way my identity was stolen, whether because of the paper trail or some other route; most people will just blame themselves. The wording of the statement is psychologically manipulative, in a very subtle way. It will make any victims regret the decision on their part not to opt for paperless billing; they'll feel bad about it because, ultimately, it makes them feel like they should blame themselves.

Hogwash.

Back in 2003, the state of California passed a piece of very progressive and forward-thinking legislation: SB 1386. Basically, this requires that any company storing personal information about an individual must notify that individual if that information is ever breached. It's not perfect, because it's open for debate about what constitutes "personal information". The law also only applies to unencrypted data, which is incomplete, since a company can still encrypt sensitive data using poor protocols that can be easily cracked once the data has been stolen by a hacker. However, the bill itself is a good thing, since it puts the burden on companies to keep things secure.

Let me repeat that, because you might have dozed off at some point in the last few paragraphs: requiring companies to disclose breaches of personal data to individuals gives them an incentive to keep things secure. The real problem with SB 1386 is that it only applies to California citizens. For everyone else, as it stands right now, if your sensitive information is ever stolen because some hacker stole it off a company's web server, they're not required to tell you about it. You won't know until you go to apply for a bank loan a year later and find that there were a bunch of new credit cards issued in your name by some person that appropriated your credit information. This is a bad thing, but financial companies don't want this to change because they don't want the bad PR, dissatisfied customers, or worst of all, the potential for liability. If your bank tells you your information was compromised and you get your identity stolen, your first inclination would probably be to sue the pants off of your bank. They don't want this, and it's the reason they vehemently opposed SB 1386.

I've only ever known a couple of people who actually had their identity stolen, but the details are infuriating. I asked one of my friends about it, and they told me that the person had used their social security number to get a small loan from Washington Mutual. What shocked me about this is that on the loan application that the thief filled out, they didn't even use my friend's name; they used either their own (unlikely) or an alias (probably).

Okay, simple question: when "handing out" bank loans, why can't Washington Mutual perform a simple check to make sure the name they've provided matches their social security number? Is this a difficult thing to do?

It isn't difficult, but they don't do it because they don't need to. They don't bear the burden of a thief taking out a bogus loan using someone else's credit. Neither does the company from which my friend's information was stolen in the first place, whoever they might be. Instead, it fell on my friend's shoulders, who had to spend a bunch of their personal time filing a police report, filling out forms, and doing all the other work involved in clearing their name.

The problem here is with accountability when personal information is stolen. For most financial companies, there is none, California companies being the exception. Washington Mutual wasn't required to verify the person's identity when they applied for the loan. The company from which my friend's information was stolen wasn't required to tell my friend about it when it happened, which could have given my friend enough warning to stop the bogus loan from occurring in the first place. This makes sense, since it's comparatively cheaper to deal with the occasional fraudulent loan or breach than risk losing customers by fully disclosing problems. Companies that collect and store personal information, whatever it is, need to be made accountable, through full disclosure, when that information is leaked, and companies like Washington Mutual that issue loans need to have mechanisms in place to check the identity of the applicant, which should at least include checking that the person's name matches their provided social security number.

A "paper trail" is not an identity thief's best friend: sloppy practices in the day-to-day operations of financial institutions are. It makes it way too easy for bad guys to commit fraud, and it's the way the banks like it. It's good for their business, or rather, it's not as bad for business as the alternative would be. It's not our fault; it's theirs.

What we need is legislation that regulates this at a federal level. While I hold a small handful of Libertarian-esque opinions, this is one area where the "free market" just won't cut it. A couple of years ago, there was the Federal Agency Data Breach Protection Act, but that didn't get very far before being shot down. If you've got a spare moment, I'd say this is a good point to draft up in an email and send off to your representatives in the US Congress. Tell them that you want this to be enacted.

A lot of people are probably writing letters to their representatives expressing their opinion about healthcare reform. Why not do as they do and "tack on a rider" to your letter? Mention the issue of requiring full disclosure of leaked personal information at the same time. It might not get us anywhere, since financial companies lobby pretty heavily against this sort of thing, but I plan to write a few letters this weekend.

If nothing else, think long and hard about whether or not you want to start paying your bills online.