[Dataloss] Protectors, Too, Gather Profits From ID Theft
Richard Forno
rforno at infowarrior.org
Mon Dec 11 23:13:21 EST 2006
December 12, 2006
Stolen Lives
Protectors, Too, Gather Profits From ID Theft
By ERIC DASH
http://www.nytimes.com/2006/12/12/business/12credit.html?ei=5094&en=8e636059
3425c89a&hp=&ex=1165899600&partner=homepage&pagewanted=print
Melody Millett was shocked when her car loan company asked her if she was
the wife of Abundio Perez, who had applied for 26 credit cards, financed
several cars and taken out a home mortgage using a Social Security number
belonging to her actual husband.
Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts
had subscribed to a $79.99-a-year service from Equifax, a big financial data
warehouse, that promised to monitor any access to her credit records. But it
never reported the credit activity that might have signaled that they were
victims of identity theft.
³I feel like the whole thing is a sham,² said Mrs. Millett, a 37-year-old
information-technology manager from Overland Park, Kan. ³You feel completely
violated because here are the people who know the industry. They hold all
the data.² The services, she contends, are oversold.
It is not just criminals who are profiting from identity theft; financial
institutions are making money, too. Fear of identity theft has helped give
rise to a nearly billion-dollar business in credit-monitoring services sold
by the major credit bureaus companies like Equifax, Experian and
TransUnion as well as direct marketers and banks.
Javelin Strategy and Research, which analyzes the credit-monitoring market,
says more than 12 million Americans are now subscribers. The services alert
them when lenders have requested their credit files, usually an indication a
credit application has been made in their name.
Credit monitoring has quickly gained traction with consumers through
aggressive advertising that often promotes its value in protecting against
identity theft. But its abilities are far more limited than is commonly
perceived.
In the meantime, measures that could stem fraud from identity theft like
legislation empowering consumers to block access to their credit records,
making it impossible to extend new credit have faced stiff resistance from
industry groups.
³Identity theft has essentially become a business not just for bad guys
but for good guys, too,² said Robert Gellman, a privacy consultant in
Washington. ³A lot of the people that are involved in profiting legally from
identity theft are direct participants in the whole credit system that
doesn¹t have the protections in place to prevent identity theft in the first
place.²
Some criticism has been aimed at banks, which tolerate a certain amount of
fraud as a cost of doing business. But the biggest beneficiaries from
identity theft have been the three credit bureaus.
Banks and other lenders have long bought information like a person¹s payment
history or debt load to assess a loan¹s risk. But credit monitoring turned
the system on its head and helped create a new, consumer- focused financial
data industry.
In addition to selling files to lenders in bulk, the bureaus now market
largely the same records to individuals, including entries that reflect
applications for credit, new accounts or balance changes. While the data is
sold to a big financial institution for 20 cents to $1 a report, according
to analysts and industry executives, it can be repackaged and sold to
consumers in the form of credit monitoring for $3 to $16 a month.
Persuading customers to sign up can be costly. But today, Wall Street
analysts estimate credit monitoring alone to be a $900 million category,
growing 20 percent a year or more.
³It¹s a pretty big market considering that 10 years ago it didn¹t exist,²
said J. Bradford Eichler, a consumer data company analyst at Stephens.
Peace of Mind, at a Price
Representatives of Equifax, Experian and TransUnion, whose consumer
affiliates are being sued by the Milletts, would not comment on the couple¹s
specific contentions because of the continuing litigation. But they say
credit monitoring is a valuable tool.
³Our products give consumers an early warning system so they can limit the
damage and take care of the problem right away,² said John Danaher,
president of TransUnion¹s online consumer services arm.
And indeed, many consumers speak glowingly of their experiences with credit
monitoring. Wendy Barrington, a 36-year-old Houston woman, recalled the
annoyance a friend faced for months after her financial information was
stolen.
³I am not about to risk something I have worked so hard on,² said Ms.
Barrington, who pays about $15 a month for TransUnion¹s credit-monitoring
service. ³All it takes is one person stealing your information and you are
in a world of hurt.²
Still, some consumer advocates caution that people may be overpaying for
that peace of mind.
For one thing, Americans can essentially create their own credit-monitoring
service by taking advantage of a federal law that guarantees access to one
free credit report a year from each of the three bureaus. And thanks to
so-called zero liability policies, the cost of fraud is generally absorbed
by the credit card companies, merchants and banks.
At the same time, credit monitoring may fail to detect that a credit request
was even made. For example, a fraud artist may use someone else¹s personal
identification information like a Social Security number but take out a
loan in his or her own name. The data mismatch can cause the bureau¹s
computer systems to route the loan request to a separate file so that a
credit-monitoring service never picks it up.
That is what Melody and Steven Millett, the Kansas couple, say happened to
them.
In late January 2003, Mrs. Millett found something was wrong when a Ford
Motor Credit computer system refused to let her set up an online account to
pay off an auto loan. When she called the lender, Mrs. Millett said, she was
told that an account had already been set up with Mr. Millett¹s Social
Security number but a different name: Abundio Perez.
She later learned of at least 26 cases in which Mr. Millett¹s personal
information had been used in credit applications by Mr. Perez since 1989,
according to a lawsuit filed by the Milletts against the credit bureaus,
data providers and several creditors in June 2004 in federal court in Kansas
City, Kan.
The previous August, Mrs. Millett had bought a credit-monitoring
subscription from Equifax. Soon after the Ford Motor Credit incident, she
also signed up for credit monitoring with Experian and TransUnion.
At least one credit application using Mr. Millett¹s Social Security number
came after the Milletts obtained their credit-monitoring subscriptions,
according to their lawyer, Joyce Yeager. But not once, Mrs. Millett said,
did the couple receive notice of unusual access to their credit records or
the misuse of Mr. Millett¹s data. Quite the contrary, the bureaus sent them
a succession of reassuring e-mail messages suggesting that their information
was safe and offering congratulations.
In their legal claims, which have been separated into several class-action
lawsuits, the Milletts say that the bureaus¹ monitoring services do not work
as advertised.
³The core identifier is your Social Security number,² Mrs. Millett said in
an interview. ³You use it for work, for taxes. You would think that
identifier would be covered by someone advertising they protect you from
identity theft. To think that they are not is just flabbergasting.²
Donald Girard, an Experian spokesman, acknowledged that his company¹s
credit-monitoring products could not detect cases in which a credit
applicant used someone else¹s Social Security number but his or her own name
because those records were stored separately. He added, however, that in
such cases consumers are ³not harmed² financially.
Protection vs. Prevention
Initially, the credit bureaus sold monitoring as a way for consumers to
understand and manage their credit scores before taking out big loans. But
since a wave of data breaches in 2004 heightened consumer fears, a security
message appears to have moved toward center stage.
³It is advertised as monitoring for identity-theft protection,² said Michael
R. Stanfield, chief executive of Intersections, a direct-marketing company
that offers credit monitoring through big banks and card companies. But he
said consumers hear protection ³and don¹t understand if it is prevention or
detection.²
³What is needed in the marketplace are products that are going to help you
protect your information, monitor it when it is in the process of getting
used in a financial fraud, and catch those financial frauds when they are
about to occur,² he added.
Privacy advocates have suggested providing more fraud-prevention tools to
consumers by allowing them to freeze access to credit records if they think
they have been identity-theft victims or as a precaution.
Beginning with California in 2003, such laws have passed in 26 states,
including New York last month. But of roughly 148 million credit-eligible
customers in those states, Experian estimates 30,000 have elected to freeze
their files.
Financial and retailing lobbying groups have generally opposed such
legislation at the state and federal levels since it could hinder a retailer
in issuing a store-branded credit card or a bank in extending a loan to
a legitimate customer, who must first unfreeze the credit file. It can also
restrict the bureaus from selling consumer credit files.
The big credit bureaus, after initially opposing tougher legislation, are
taking a wait-and-see approach. ³It may be that we evolve to that at some
point,² said Maxine Sweet, Experian¹s vice president for consumer education.
³We have to make sure that we are not interfering with what is a very
important part of the whole consumer credit economy.²
Such a freeze might not have helped the Milletts, since the problematic
files were kept under another name. Mrs. Millett is still using a
credit-monitoring service, but she would not recommend it to a friend.
³I still have credit monitoring because of the simple fact that it is the
best tool available at this time,² she said. ³It is not ideal, it is broken,
and it is not as advertised.²
More information about the Dataloss
mailing list