Monday, April 9, 2007

Credit Agencies - The Ultimate Scam

Adam, over at EmergentChaos recently blogged about The Cost of Disclosures, and a Proposal, wherein he proposes that there must be [paraphrasing] some trade-offs to disclosing security breaches of non-critical information vs. breaches of significant information. One statement in particular caught my eye:

I'd be perfectly willing to forgo personal notification of the theft of credit card numbers. I just don't think it's that important, and the liability lies with the banks and the merchants. In contrast, the outcome of my SSN being abused falls back to me, in credit reports, false arrests, etc.

I don't particularly agree with this statement, but what really caught me - as it has in the past - is the ridiculous amount of power the credit reporting agencies have over our lives. Credit agencies have performed data-mining almost since before data-mining had a name - and the amount of financial data available to them is provided, typically without your clear consent by your bank, credit card company, mortgage company, car loan company etc...

What's worse is that, if you ever want a loan (or even an apartment), you're required to provide access to this data as a reference that your credit is good.

Even worse than that, is there are virtually no controls over what people (malicious or otherwise) can report about you to the credit companies. There are "appeal processes" in place with these companies to have invalid entries "expunged" from your credit rating - but if you've ever gone through this process, it is ridiculously arduous and the invalid information never truely gets removed from your rating - it still appears as a reported item but, at least in theory, isn't used to calculate your "risk rating".

Now, if you go to the web pages of the credit reporting agencies, the first thing you see is the ability to watch your own credit rating for a fee (this is at least true for Equifax=$12.95/month and Transunion=$9.95/month). How nice! The ability to check when someone has already affected my credit - and they get paid for this! What a great business model - they get money to report on whether you are a good/bad risk (which you have virtually no ability to control), and then you have to pay them for the miniscule amount of control they're willing to provide.

In my opinion, these companies are highly responsible for the lack of controls on personal information, because there are no meaningful controls. As far as I know, any controls that are in place, are largely "self-regulated" since there has been no significant backlash from the average proletariat who has been largely abused by their "services", so the government hasn't bothered.

To my mind, there are several controls that should be federally enforced for these types of companies:
1. Requirement to have a method to contest an item on your statement such that the company that provided the originating information is required to substantiate their claims - right now, you are on the hook to prove to them that the statement is inaccurate.
2. Requirement to have this information permanently expunged from all of their reports.
3. Requirement for you to sign a separate agreement with your loan company (or whoever) stating that you agree to allow them to share information with CreditRatingCompanyX - after all, for them to access this information you need to sign a separate agreement (one of the few government-enforced regulations).
4. Requirement to share this information with the owner for free - it is after all, information about you. (As an aside, I wonder if they've ever been sued for slander for sharing inaccurate information??)

I really think this would have a positive impact on identity theft because it would make people aware that this information exists about them, and a pro-active method for people to prevent abuse of their credit.


Security Retentive said...

I'll agree that they are a bit of a scam. A few points worth noting though:

1. You're not required to apply for credit anywhere, and consequently you're not required to actually ever use your credit report in this fashion.

2. Many states, etc. have fair housing laws, etc. You can refuse to provide a credit report but provide backing to the landlord via things like extra deposit, etc. Landlords want to examine your credit to judge your riskiness. if you want to reduce this, pay them extra money.

3. The Fair Credit Reporting Act (FCRA) does protect you in certain cases against fraudulent reports, etc. See - for more details.

4. I'll agree that our credit bureaus are a big source of problems related to identity theft. In the end though it is generally those who extend credit that are to blame for problems with identity theft. They don't properly authenticate people, and don't bear the legal burden of the cleanup costs if they allow someone to create an account in your name.

Regulating those who do not properly authenticate people before extending services would then force them to require stronger authentication from the credit service bureaus. After all, the banks, CC companies, etc. are the real customers of people like Experian, etc.

lennykaufman said...

This is actually a much easier problem to solve than it appears, given sufficient will by government agencies to solve it: let me know.

If I change my Blogger or eBay account information, they let me know. This is one of the checks and balances that keeps the simplest of decentralized identity management from falling apart at the seams. My information changes, let me know.

How difficult would it be for credit agencies to let me know when my credit information changes? Not too f'n hard, but why would they?

I don't know if you know anyone that has ever worked for a Bank, rG0d, but this is the same scam that Financial Services have been pulling for years. Make service a pain in your customers' collective asses and then charge for a new service that purports to solve the problem caused by your mis-management.

You sound like a marginally intelligent guy so I'll share a little secret with you.

ATM's are cheaper than people.

I know - sounds like crazy talk but it's true. Yet Banks charge a "convenience fee" for you to enjoy the privilege of using Bank machines. That's like making IKEA more expensive than Ethan Allen. It doesn't make sense to pay a premium for DIY/ but it does.

"Pissed off that you can't see your own credit information? No problem - for $12.95 per month, there's a Visine for that!"

Can't we regulate it? Is it simply a matter of political will? Political will is motivated by two things: votes and money. So, how much do you pay *your* lobbyist?

No votes and no money to offer (not including your taxes, cause you don't have an f'n choice about that either) and you don't have much to say that lines up with what they're willing to listen to.

I read Adam's last post on the subject and the cost argument doesn't make cents to me. Offering full customer service is expensive but notification isn't. Here's my proposal - give me a secure place to self-register for free and I'll let the credit agencies know where they can send the automated e-mails. At least then I can respond real-time instead of finding out later, probably at the most inopportune time.

I like your thinking on this one and I like what Adam's really advocating. I just don't think there's bugger all either one of you can do about it.

If you can put yourself in their shoes and figure out why the Credit Agencies should change (or why the government should introduce regulations) ...

... let me know.

rG0d (CISSP, GCIH, GEEK) said...

"You're not required to apply for credit anywhere..."
-- security retentie

Wow! Isn't this just a little naive? I can't get a phone without getting a credit check done anymore. My bank will also report any bounced checks or overdraft charges to the credit agency - and they're the ones making a profit from ME by storing my funds there. Perhaps if I were the perfect citizen, born to a wealthy family, who never had any financial difficulties I wouldn't have to worry about my credit rating. But as it stands, I'm not rich (nor are 90+% of the rest of the population), and I HAVE TO use credit to buy a car, a condo/house, or even a BlockBuster card.

"..(FCRA) does protect you..."
-- security retentive

Let be clear on who is MOST protected by this law. It's the Credit Agencies - as long as they follow FCRA, the likelyhood of any legal disputes resulting in summary judgements against them is minimal. I would also point out that the wikipedia reference actually re-enforces my point:

--"negative information is removed as a result of a consumer's dispute, it may not be reinserted without notifying the consumer within 5 days, in writing".
As I stated, you must dispute it - ANYONE can insert something into your credit history.
--"CRAs may not retain negative information for an excessive period of time"

As I stated, they CAN and DO retain negative information (e.g. information proven to be false by the consumer.

rG0d (CISSP, GCIH, GEEK) said...

"I just don't think there's bugger all either one of you can do about it."
-- lennykaufman

While I would agree that there's nothing we can do as individuals, there's plenty we can to as a collective. My only impetus was to inform and start the discussion - this is how change begins.

lennykaufman said...

I agree with you - the discussion *has* to happen for there to ever be a chance for change. I just don't believe that it will change "because it's the right thing to do."

Corporations invest in the environment and diversity because such investment helps their bottom lines.

You have the right ideas here. I just don't think you're selling it to anyone who's in a position to actually buy. :)

The sad(dest?) part is, a lot of Canadian society takes its lead from the U.S. Given their implementation of the Patriot Act, your common sense seems to be going in the opposite direction to the current political will of the U.S.

With a Conservative government running Canada right now, do you think there's an opportunity for individuals to gain more control over their identity information? The winds don't seem to be blowing in the "openness" direction today.

Emele said...

Thanks for writing this.