In our last installment, I described how one of the mortgage vendors who I was considering for the loan for my new home failed to trigger the credit alerting mechanism (Debix) to which I was signed up. Since then, I’ve learned several interesting facts. First, the way that Debix operates is that they insert a line into your credit reports which says, in effect, “you, the reader of this line, are required to call this 1-800 telephone number, prior to granting credit based on what you see in this report.” That 800-number finds its way to Debix, where a robot answers the phone and asks the human who called it for their name/organization, and the purpose of the request. Then, the Debix robot calls up their customer and asks permission to authorize the request, playing back the recordings made earlier.
The only thing that makes this “mandatory” is a recent law (sorry, I don’t have the citation handy) which specifies how lenders and such are required to act when they see one of these alerts in a credit report. The mechanism, aside from legal requirements, is otherwise used at the discretion of a human loan officer. This leads me to wonder whether or not the mechanism works when there isn’t a human loan officer involved. I may just need to head over to some big box store and purchase myself something with an in-store instant-approval credit card, just to see what happens. (With my new house will inevitably come a number of non-trivial expenses, and oh what great savings I can get with those insta-credit cards!)
So does the mechanism work? Yesterday morning, as I was getting into the car to go to work, my cell phone rang with an 800-number as the caller-ID. “Hello?” It was the Debix robot, asking for my approval. Debix played a recording of an apparently puzzled loan officer who identified herself as being from the bank that, indeed, I’m using for my loan. Well that’s good. Could the loan officer have been lying? Unlikely. An identity thief isn’t really the one who gets to see the 800-number. It’s the loan officer of the bank that the identity thief is trying to defraud who then makes the call. That means our prospective thief would need to guess the proper bank to use that would fool me into giving my okay. Given the number of choices, the odds of the thief nailing it on the first try are pretty low. (Unless our prospective thief is clever enough to have identified a bank that’s too lazy to follow the proper procedure and call the 800-number; more on this below).
A side-effect of my last post was that it got noticed by some people inside Debix and I ended up spending some quality time with one of their people on the telephone. They were quite interested in my experiences. They also told me, assuming everything is working right, that there will be some additional authentication hoops that the lender is (legally) mandated to jump through between now and when they actually write out the big check. Our closing date is next week, Friday, so I should have one more post when it’s all over to describe how all of that worked in the end.
Further reading: The New York Times recently had an article (“In ID Theft, Some Victims See an Opportunity”, November 16, 2007) discussing Debix and several other companies competing in the same market. Here’s an interesting quote:
Among its peers, LifeLock has attracted the most attention — much of it negative. In radio and television ads, Todd Davis, chief executive of LifeLock, gives out his Social Security number to demonstrate his faith in the service. As a result, he has been hit with repeated identity theft attacks, including one successful effort this summer in which a check-cashing firm gave out a $500 loan to a Texas fraudster without ever checking Mr. Davis’s credit report.
Sure enough, if you go to LifeLock’s home page, you see Mr. Davis’s social security number, right up front. And, unsurprisingly, he fell victim because, indeed, fraudsters identified a loan organization that didn’t follow the (legally) mandated protocol.
How do we solve the problem? Legally mandated protocols need to become technically mandatory protocols. The sort of credit alerts placed by Debix, LifeLock, and others need to be more than just a line in the consumer’s credit file. Instead, the big-3 credit bureaus need to be (legally) required not to divulge anything beyond the credit-protection vendor’s 800-number without the explicit (technical) permission of the vendor (on behalf of the user). Doing this properly would require the credit bureaus to standardize and implement a suitable Internet-based API with all the right sorts of crypto authentication and so forth – nothing technically difficult about that. Legally, I’d imagine they’d put up more of a fight, since they may not like these startups getting in the way of their business.
The place where the technical difficulty would ramp up is that the instant-credit-offering big-box stores would want to automate their side of the phone robot conversation. That would then require all these little startups to standardize their own APIs, which seems difficult when they’re all still busily inventing their own business models.
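The gate proposed above, as an added sketch (not code from this post or from any bureau or vendor): the bureau returns only the vendor's hotline until it receives a vendor-issued approval bound to the consumer, the lender and a one-time nonce. All names and sample data are assumptions, and a shared-key HMAC stands in here for the public-key signatures a real deployment would likely use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data; every name, key and field here is an assumption.
VENDOR_KEYS = {"vendor-a": secrets.token_bytes(32)}  # shared bureau/vendor keys
FILES = {"consumer-17": {"vendor": "vendor-a", "hotline": "1-800-555-0100",
                         "report": "full credit history"}}


def _tag(key, consumer, lender, nonce, expires):
    # MAC over every field the approval must be bound to.
    msg = "\x1f".join([consumer, lender, nonce, str(expires)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def vendor_approve(vendor, consumer, lender, nonce, consumer_ok, ttl=300, now=None):
    """Vendor side: issue an approval only after the consumer said yes."""
    if not consumer_ok:
        return None
    expires = int(time.time() if now is None else now) + ttl
    return expires, _tag(VENDOR_KEYS[vendor], consumer, lender, nonce, expires)


class Bureau:
    def __init__(self):
        self.pending = {}  # nonce -> (consumer, lender) awaiting approval

    def request(self, consumer, lender):
        """A lender's pull yields only the vendor contact and a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (consumer, lender)
        f = FILES[consumer]
        return {"vendor": f["vendor"], "hotline": f["hotline"], "nonce": nonce}

    def release(self, nonce, expires, tag, now=None):
        """Hand over the report only for a fresh, correctly bound approval."""
        bound = self.pending.pop(nonce, None)  # single use, so replays fail
        now = time.time() if now is None else now
        if bound is None or now > expires:
            return None
        consumer, lender = bound
        key = VENDOR_KEYS[FILES[consumer]["vendor"]]
        expected = _tag(key, consumer, lender, nonce, expires)
        return FILES[consumer]["report"] if hmac.compare_digest(expected, tag) else None
```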
(Sidebar: I set up this Debix thing months ago. Then I get a phone call, out of the blue, that asked me to remember my PIN. Momentary panic: what PIN did I use? Same as the four-digit one I use for my bank ATM? Same as the six-digit one I use for my investment broker? Same as the four-digit one used by my preferred airline’s frequent flyer web site which I can’t seem to change? Anyway, I guessed right. I’d love to know how many people forget.)
This is precisely why I never trust credit alert systems. Somehow, I always feel there was something dubious about their system. I don’t know, maybe it’s just me being paranoiac having been a victim of identity theft. I couldn’t be more cautious these days. Caveat emptor.
Neil
You mean the way Fox news reporting is?
There will always be bias. The more sources though, the more the biases will average out in the wash. It’s already generally easy to spot the astroturfers in a big enough crowd of consumers.
Spudz: yeah, and all of that information will be unspun, verifiable and provided by scrupulously honest sources…
The credit market won’t stay opaque. The Internet is making all markets much more transparent as people can compare notes online or make a stink online about misbehavior by businesses. The day is soon coming when all businesses will have a detailed online “dossier” of all of their publicly visible and customer-visible behavior.
I put a fraud alert on my credit reports with the agencies a long time ago after a credit card fraud event and never turned it off; it has worked for me ever since. I was applying for an in-store credit card to get a discount at Banana Republic when the guy behind the counter had to hand me the phone and the person on the other end of the line told me that there was a fraud alert on my credit report and could they verify my identity by asking me a few more questions. They asked me about past addresses and a few other details and then I was allowed to get the card. Before answering I also asked for her name, a number to get ahold of her and the company she worked for, which I wrote down. I think this is a step that probably would have foiled a would-be ID thief trying to open a BR account in my name and run up some charges. They would have had to have a broader set of my personal info ready at hand to answer the follow-up questions.
Spudz:
The big question is what happens then. If the folks who pull the report and don’t follow the procedure just get a bad notice in the paper and have to swallow the fraudulent loan (which they do anyway, but after more legal wrangling) that just becomes a very slightly higher cost of doing business. And they can fold that into their charges to legitimate customers with nary a peep, because of the general opacity of the credit market.
If there were serious monetary damages associated with the breach of contract (and I expect it is a breach in law), or if the major credit agencies would simply cut off the access of any company committing such a breach (or having an overlapping set of officers with such company) then you’d get action.
But all of this really comes down to the same thing: neither courts nor legislators are thus far willing to take the issue seriously.
Is it possible that Todd Davis is playing a longer and subtler game than is generally supposed? By creating such a tempting target, and ensuring that there will be significant noise and publicity accompanying any successful fraud that results, he’s essentially created a radar system that will light up any loan organization that doesn’t follow the procedure, bringing media attention to it. The question being whether this is intentional or just a side-effect.
The Texas check-cashing firm is perhaps merely the first one to be zapped this way.
As an actual ID theft victim, I have a right to add the same type of statement to my credit report (saying to call *my* phone number) for free. A whole six months later every single bureau had silently dropped it.
You’re absolutely right about the solution. Unfortunately, it does take work, as without a legal requirement for a good technical solution, the incentive for credit bureaus is to create their own proprietary non-interoperable services to capture the rents from both consumers and third-party services.
I think Peter’s fix is pretty much the case, modulo a lot of annoyance and bother in proving that the borrower wasn’t you. Banks not getting their money back on some of their loans is just part of the normal course of business. What we need is something with more teeth. Say, for example, they owe you treble damages (three times the amount of the fraudulent loan) for the damage done to your credit reputation.
Thank you for the post about Debix. I’ve been thinking of using this service and it’s nice to see a real world post about how it works. I look forward to the followup.
At least for loans, the fix can be entirely implemented in law, can’t it? Say, a fraudster applies for a loan and the bank fails to follow the protocol. When the fraudster doesn’t pay, the problem is that this bank will demand its money from you. Well then, fix the law to say the bank can’t get its money back if it failed to follow the protocol.
Why on earth would they call you and ask you your PIN? This is a request that I would think everybody should be trained not to answer, your voice recording (stolen?) or not.
This sounds remarkably similar to the identity clearinghouse idea that hit me a couple years ago, except (a) privatized and (b) mostly lacking in legal teeth.
It’s not quite that bad. Prior to entering your PIN, they play you an audio recording of your own voice, captured at registration time, with whatever pass phrase you wish to use to authenticate to yourself. (Whether users would recognize the absence of that recording is another matter entirely.)
So let me get this straight — you got a call from someone claiming to be from your credit protection vendor, asking for your PIN number. After thinking about it for a few seconds you give it to them. Yikes.