December 14, 2017

On freezing your credit reports

In my last post, where I discussed the (likely) theft of my SSN from the State of Ohio, I briefly discussed the possibility of “freezing” my credit report. I’ve done some more investigation on how, exactly, this works.

Details seem to vary from state to state (Consumer’s Union has a nice summary), but you generally can write to each of the three major credit report bureaus, via postal mail, and request that your account be “frozen.” This will not prevent you from getting “pre-approved” credit-card offers. For that, you separately opt-out, although you can at least do it online. Once your request takes effect, most requests to access your credit report will be denied. There are a wide variety of exceptions, mostly related to people who you’re already doing business with, which strikes me as entirely reasonable.

Cost? If you’re the victim of identity fraud (and it’s unclear whether I meet that definition), it’s free. You include a copy of your police report when you’re writing your letters to each of the credit ratings bureaus. If not, the cost is $10 per bureau. Multiply by three, and that’s $30. You’re married and want to do it for your spouse? Add another $30. What if you want to temporarily (or permanently) lift the block? The price varies, but it’s comparable.

Here’s the problem with this system: let’s say you’re doing the sort of things for which people legitimately want to look up your credit report (e.g., borrowing money for a car, opening a new credit card, renting a new apartment, etc.). Particularly if you’re changing jobs, moving to a new area, and so forth, you’ll be doing a lot of this all at once. As a result, precisely when you’re most often giving out your SSN and thus increasing your vulnerability, you also have to disable the block on your account, exposing yourself to the risk of identity theft.

The proper answer, of course, is to arrange for SSNs to have no more value to an identity thief than your name and address. The unanswered question, then, is what exactly can replace it as an authenticator? One possibility, raised in the thread on car dealers who insist on fingerprints, is to require these sorts of transactions be notarized. A notary public‘s main function is to authenticate that a specific person signed a specific document. You already need a notary’s services when you buy or sell a house. Why not require their services for any transaction that involves a personal credit report? The answer, I imagine, is cost, both in time and money. Department stores would be unable to give you “instant credit cards.” Applying to rent an apartment would become more complicated and annoying. There would be more friction, all around, to get credit. However, if identity theft continues to be such a significant problem, maybe it’s a trade-off worth making.

(Aside: how, exactly, do you convince the notary of your identity? The answer varies, but it seems to involve a photo ID, signature, and in some cases a thumbprint. You could certainly imagine cutting the notary out of the process and pushing the same authentication process out to a cash register or wherever else, but this creates a trusted path problem. When a human notary is authenticating a paper document, there’s no question to anybody what, exactly, is being authenticated. If you give your biometric and ID card to a scanner in a store, you have no idea where that data is going and what, ultimately, is being authenticated on your behalf. Astute readers may see a connection between this and the need for election systems to have voter-verifiable paper trails, but that’s a discussion for another day.)

Comments

  1. I don’t use them–I don’t use anyone, but I’ve heard of Lifelock which offers ‘total protection’, including freezing your credit for $10/month.

    Is that better bang for your buck, than a one time $30 followed by an unspecified amount any time you want to temporarily lift it?

  2. Considering that the credit market’s current woes involve (partially) credit being too easy to get (thereby increasing competitiveness to the point where lenders have to obfuscate the terms of a credit agreement in order to get someone to sign), maybe the delays that arise from requiring notarization in order to get a new credit line is a good thing.

    Still, here’s my solution.

  3. Wow, I never understood the USA peoples fear of getting their social number exposed. That is because here (in Switzerland) it works completely different. After your description I do understand the inherit insecurity that governs the USA approach to numbering their citizens, after all, it’s not only a number, it’s access to all your credit history too!

    As a comparison here’s how you get a credit card in Switzerland:

    First a short explanation: The state normally takes 10 CHF for an “has not paid back credits previously” or “has always paid back credits (is not listed)” answer. Additional information costs more, and even the simple answer can only be given in cases of jurist investigation, to myself (or based on my written permission), or in cases of bankrupt. Also, it’s just a laser printed and stamped paper, yet it’s illegal to fake it.

    As for credit cards, first you have to be over 18. Then you apply at one of the credit card issuers, supplying them with your bank account number, and the money amount on it. Then they go to the bank and the state, and get your credit history. Which they only can do, because you explicitly allow them via the application (you need to make a cross, and sign). For me as a customer it just means to allow access to sensitive data, all fees are paid by the credit card issuer.

    You mentioned renting/buying a home. For that, you go to the state office, show your passport, and then you take the previously mentioned answer and make copies, which you attach to the living space application. Again, you choose to give the information away, and it’s only the least detailed information you give.

    As for the social number, it’s basically an index number. Instead of saying your name to the state, you can (and sometimes have to) use that one for identification (mostly for health insurance and taxes). There are huge concerns about it’s privacy implication, because you can see from the number when you where born, and a few chars from your name… Which of course is a paltry problem, compared to the ones you got with your system across the Atlantic!

  4. > how… do you convince the notary of your identity? … in some cases a thumbprint.

    Excuse me, but how can a thumbprint or any other biometric be used by a notary to confirm an identity unless (1) that biometric measurement is already available from a trusted source and (2) the notary has the training and necessary equipment to verify the two biometric measurements are a match and (3) the training and necessary equipment to verify that the current measurement is not being falsified (gelatin fingerprint or …).

    The idea that a thumbprint is a proof of identify seems mistaken or misguided.

  5. The big difference between Switzerland and the US would appear to be that here, credit history is maintained by private companies, while in Switzerland, it’s maintained by the state. That wouldn’t be a bad solution here, either, although Equifax, Experian, and TransUnion would kick and scream because it would put them out of business.

    Is it illegal in Switzerland for a company to maintain credit history information about a person?

  6. Assume a person that has not paid back a mortgage, got a car on rates which he doesn’t pay, and now wants some credit from yet another party… how would any private entity track all of that? Only the state knows who sued the imaginary person for money, and only the state really can tell if litigation demands are satisfied.

    Now if it’d be legal or not I don’t know, just seems awfully impracticable, no?

  7. Fuzzy complains that a fingerprint, in the context of a notary public, is a misguided idea. While I have problems with the broader adoption of biometric identifiers, I’ll argue that they’re sensible with this specific case. When you get a document authenticated by a notary, the notary keeps their own records of the event, including what, exactly, they notarized and who, exactly, you were. By keeping a fingerprint, they have some evidence that might be useful if it turns out an imposter was trying to use your identity. That fingerprint could be used by you to repudiate the authenticated document. It could also be used to ultimately verify that a particular suspect, held by the police, was the person who committed the crime.

    Gelatin fingerprints are clearly an issue for automated fingerprint scanners, but I’d think they’re less of a problem when there’s a human notary watching you place your thumb in the ink.

  8. Although this solution has some attractive features, it would likely require a signficant upgrade in the reliability of the notary public system, or else it will just move the issues somewhere else.

    Becoming a notary is fairly easy, and many notaries are “captive” to whatever enterprise they work for. In addition, notary credentials are not particularly difficult to forge, especially if the notarization isn’t being delivered physically. So relying on notaries to certify identity would probably protect businesses against small-time false-ID fraud, but wouldn’t address unauthorized access to credit/personal records or large-scale ID fraud where the criminals have access to high quality documents. (If anything, it might make those problems more pressing, because of the ostensible trusted path.)

  9. @Dan Wallach
    > By keeping a fingerprint, they have some evidence that might be useful if it turns out an imposter was trying to use your identity.

    I would agree that this is true. However, I have a couple of issues with this approach.

    The first is that it is only useful retroactively. It appears to me that the purpose of the authenticator was to prevent identify theft. If the process is only retrospective, then the theft is not prevented. It is only useful when trying to clean up the mess. And the problem is that by that point, the bad credit report could be spread to databases beyond the three big credit bureaus.

    The second is that this requires an innocent person, who has no interest in getting credit or in divulging biometric information to strangers to have to provide the biometric information to any and all creditors in order to clear up their reputation/credit report. The innocent has to suffer the loss of privacy of the criminal.

  10. The real solution is for authentication to use public-key cryptosystems. Then the number that is divulged widely and not secret is the public key for one’s identity. One’s private key need never be exposed to third parties, even those to whom you’re proving your identity, because you can prove that you know the private key that corresponds to your public key without revealing the private key.

    Now the private key can be kept utterly secret and shared with no-one, and the public key can be your official identity (even if you change your name, etc.; you can change your name without losing your official identity and having to start over easily this way. OTOH, you can start over if you want to, by rolling a new key pair, or have parallel identities to compartmentalize things and contain the consequences of one part of your lifestyle from affecting another one. Such firewalling might be useful to limit the damage that can result if someone somewhere becomes really hostile to you for whatever reason, say at work).

    It also avoids the problems with biometrics, which amount to passwords that you can’t change when they get compromised, and that nonetheless can get compromised.

    SSNs have the same exact problem.

    Of course, using a key-pair also provides a method of communicating securely with anyone who has such an identity, by actually using the keys for encryption…and they can be used to make signatures much harder to forge than the handwritten variety.

    This fixes everything and only falls apart if someone comes up with a proof that NP=P and a way to make practical use of it, or perhaps good-enough quantum computing.

    The one downside is if it’s too easy to start over to whitewash a bad credit history or even a criminal history or hide from the law. But people can use cash reserves and whatever friends they have to hide from the law now; they get found by being visually recognized by human beings, tracked with dogs, and the like. Dodging a bad credit history means starting over with a blank one, not much better. Given these, the ability to start over becomes a useful safety-valve in the system without making it too easy to get away with anything nasty, or really any easier than it already is.

    And of course this is already in large part how identity is handled in some parts of the ‘net, apparently successfully. The only major problem on the ‘net tending to be spam, and that stems from using an unauthenticated protocol for email! (Authenticating by mail host rather than user would preserve some privacy for users, and allow an anonymous mail host where any recipient can see that the mail’s from that host, but not what person sent it. The host gets banned if it allows itself to be used for spamming and such. Authentication allows cutting off spam sources reliably at the mail-provider level of granularity. Users with zombie PCs can’t get spam through if they don’t set their PC up as an authenticated mail host (normally they’d send mail through their ISP’s mail host instead of directly). If the zombie software sets the PC up as such, the PC gets banned quickly, which cuts off the spam but not the normal mail the user sends via their ISP.)

  11. For a non-American, your problems and business practices are truely strange. However solving them requires a shift in the mindset that nobody may want to take.

    1) Your real authenticator is your appearance. Face, expression, voice, handwriting / signature. Have the state, or maybe a trusted private company, issue an official document which relates this to your SSN, and you are done. European countries call this “a passport” and it a good practice to use this in all business transactions. (Notaries only get involved if the risks associated are higher than a certain level). Are you afraid of having passports / identity cards mandatory for all citizens? You should not. It does not differ from driver’s licence too much.

    2) Need to extend this to digital communication? Federated identitiy, offered by state or banks or someone else, helps. The technology used and the liability taken by the identity provider defines the level of trust established by this – OpenID guarantees next to nothing, government-regulated PKI on hardware key management tokens is nearly as good the physical passpors can get. Of course, this implies that the identity itself – your name, or SSN, or whatever identifier gets used – is effectively public. But why should it not be?

    but finally….

    3) do you think that more friction in getting credit is a bad or good thing?

  12. In a US context, the issue is that requiring a higher standard of authentication, including what is considered a document (many parties will accept unauthenticated copies and faxes without a follow-up signed original), will add enough friction to make many business models unprofitable or outright infeasible.

    And that’s “bad for business”.

  13. cm: the friction would be too high and the transaction costs too high with too much reliance on traditional signed paper documents and etc.; but digital public-key cryptography has the same low transaction costs as digital everything else, and can be used to establish virtually-unforgeable identities with associated reputation tracking possibilities by third-parties. The problem of cheap, reliable authentication has already been solved; it just isn’t being used widely enough yet. I expect the banks will take a major role in this someday soon, becoming identity/authentication service providers more generally. I would not, however, like to see the system get all Big Brotherish with a centralized government agency involved, and the accompanying fascist behavior that could be expected in such a case. I don’t think it likely though; for providing authenticated identities that can be used in today’s globalized and international trade, multinational banks are better positioned than governments, and won’t have a monopoly; and identity-providers and users-of-force are then separate entities too.

  14. Spudz talks about introducing a public key infrastructure to solve the authentication problem. For better or for worse, this is an idea that’s been around for a long time and is making very little progress toward reality, at least in the US. The issue, of course, is that humans are not computers. People can’t perform modular exponentiation on 2000-bit numbers in their head. That means the whole business needs to be buried in a smart card of some kind. Okay, who issues that card? Is it your driver’s license? Passport? Credit card? Cell phone? All of those, of course, can be stolen. And, with the exception of the cell phone, none of them have user interfaces. If you’re providing your ID to prove that you’re old enough to enter a bar, you don’t want to also be providing the bar-owner the opportunity to authenticate as you to a third party. (With a cell phone, at least, you’ve potentially got a trusted UI that can tell you who you’re about to authenticate to.)

    Even though we use PKI every day when we visit a secure (i.e., https) web site, it’s unfortunately still a long way off to authenticate individuals.

  15. f--ked@up gov says:

    If a company likes to grant “instant credit”, then it should be their risk, instantly.
    It seems to me that the USPS (postal service) is looking for new tasks since e-mail is taking over snail mail. How about authentication, based on a digital public authentication, id card, and notification letter to the home address. Two problems, one match.
    And where exactly does the Social Security Act state that companies like Equifax, Experian, and TransUnion have permission to misuse the social security number and then make people pay protection money. These companies benefit from a crime, and they should pay for the consequences. The only way to fix the system is to put the bosses of the mob in jail for good.
    Oh, and add a minimum of 5 years in prison for people who request a social security number for purposes other than social security.

  16. Yes, it would have to be a cell-phone-like device with a trusted UI. Also to tell you what the transaction amount is when making transactions — the same number that will be digitally signed as part of the authentication.

    There’s ways around the MITM and related issues you describe. For instance, to avoid a replay attack transactions would include a timestamp as well as the amount, and the whole be signed; or include a sequence number — the bank seeing the same sequence number twice can ignore all the subsequent attempts, or even suspect an attempted replay attack though they should allow for the possibility that some system is just burping or echoing for some reason and merely nullify the effects of the duplication.

    For authenticating things like age, one would prove one’s identity, and the age would be looked up in a biographical database somewhere. If your example bartender tried to buy something as me the UI would show that my device had been asked to sign a payment authorization to transfer funds to foobar inc instead of merely asked to identify me. Oops.

    Lastly, until we get cyber augments to do this sort of sh*t in our heads we’d need to tie the device to the owner in some manner, as per usual two-factor rules. The obvious method is for the device to require a PIN code be input to perform each single transaction or authentication and be tamper resistant, to the point that prying it open will destroy whatever stores the private key. Of course, losing the device or forgetting your PIN would be a headache; you’d need to go to the bank (or whoever) to get a new one and prove your identity to them the “old-fashioned” way, with paperwork. Ouch.

    Other options include reducing any focus on “identity” entirely and replacing it with a kind of e-cash. You have an iWallet device, similar to the above and using PKE again. It can be loaded with funds by some transaction between you and your bank. The most you lose if the device is stolen or compromised is however much was on it, same as a wallet with (only) physical cash. Unlike physical cash, it can be used for online transactions and suchlike. Authenticating things like age is then a separate issue, but perhaps existing methods (carding people that look young, and examining cards for evidence of tampering) suffice there.

    Whither credit? Simple — you never have credit-based interactions with arbitrary vendors, only with your bank or some other financial services provider. Lenders can load an iWallet with funds that you’ll owe back to them instead of that you had socked away in an account. Vendors just see an iWallet full of eCash, and don’t give two toots whether it came from a loan or from savings. Only lenders need to worry about credit history, lending risk, and the like, so we’re reducing the number of players with lending roles in the credit game dramatically and removing all merchant risk from the equation. This shrinks the problem of identity fraud, likely making it more manageable. And of course PKE might be used to authenticate with lenders…

    What about bill payments? Don’t utility providers want credit references and such? Simple again — they can just switch to being paid up front and month-to-month or on some kind of metered scheme, similar to pay-as-you-go phone plans where you buy some number of minutes of phone time and when you’ve nearly used them up, tank it up some more. You’d do the same with electricity: pay the utility company for a few KW/h of power and when you were running low they’d notify you and you would generally pay for a few more. The “lending” here is now reversed: at any given time the utility actually owes you some amount of yet-unused service, rather than you owing them for service consumed and not yet paid for. The trust problem is moved from a large number of possibly-delinquent consumers to a small number of possibly-deadbeat utilities, the latter of which have much more visibility and rely much more on their public reputation to remain in business anyway; if they renege there’ll be public outrage, which should keep them honest. (Obviously, if you run out without topping up, the utility company can just pull the plug; they provided exactly what they were paid for and no more; so the utilities aren’t exposed to any risk here and have no need of credit references this way.)

    Ultimately, the above suggestions amount to simply removing consumer credit from large chunks of the system entirely and replacing it with up-front payment, with credit still in existence but a consumer’s credit being between them and lending institutions and no longer involving any third parties.

  17. It seems that Spudz has really got it here. The only thing I would add is that it seems like we really want two different sorts of identification and we don’t generally recognize it. Sometimes we want to prove who we are and other times we want to prove who we aren’t. The former is what public key cryptography is designed for: When you sign up for a bank account, you provide your public key, and then only someone who can prove they have your private key can access the funds in your account. Likewise, when you apply for credit, you prove that you have a private key that corresponds to a public key with a record of paying back debts. However, this is useless for proving that you *aren’t* someone. You could just generate another key pair.

    By contrast, biometrics, as Spudz has pointed out, are just passwords that you can’t change. Bad news for identifying the holder of a bank account. However, that is exactly the characteristic we want when proving that we aren’t someone. If a criminal escapes from prison and the police then arrest a suspect, the suspect can provide his fingerprints for comparison to the escapee’s to prove that it isn’t him.

    Of course, there are times when you want to do both: Identify the account holder with his willful consent and identify whether he is a malcontent without it. But there isn’t any reason you can’t. When you sign up for a credit account, you use your private key to prove your credit history and you authenticate with biometrics to prove that you aren’t a deadbeat with outstanding debts under another key pair. Then, to make a charge to your credit account, you only use your key — merchants only need to authenticate your creditor and authenticate you as the account holder. Similarly, if you’re just signing up for a bank account, you would only need to provide a public key, not biometrics. You’re giving them your money — they don’t have to trust you, so they don’t have to know any more about you than that you’re the account holder. It not only fixes most of the identity problem, it reduces the amount of personal information being leaked unnecessarily.

  18. I think Jack has actually clarified the matter even further with his distinction between proving who you are and proving who you’re not.

    Thanks.

  19. Anonymous says:

    Can I lose out on a job position because a company has looked into my credit score, which is poor, and decided not to hire me.

  20. Anonymous says:

    I have applied for many jobs and even though the employer tells me I’m qualified, I never get the job….could it be they looked into my credit report and decide I’m “unemployable”>>>