Shostack + Friends Blog Archive


40% of Fraud Alerts Don’t Propagate

[Update 3: I should have disclosed affiliations with Debix in this post. See “Mea Maxima Culpa.”]

Debix is reporting that 40% of fraud alerts don’t propagate between all three major credit agencies. You remember those fraud alerts? They’re supposed to protect you from identity theft, right? Well, let me let you in on a secret.

Identity theft is the best thing to happen to the credit agencies since the creation of the SSN.

Identity theft helps them sell more products, like identity verification tools, to their customers. It creates a new line of consumer business, people who will often happily pay them $10 a month to tell you what lies they’re spreading about you.

Is it any wonder that the alerts don’t propagate? Is it any wonder that they’ve been sitting on this knowledge?

I’m very excited about the emergence of companies like Debix, who are not responsible for the problem, but are helping us understand and fix it.

[Update: The New York Times covers this, “ID Security Company Finds Snags in Fraud Alert System.”] [Update 2: Bob Sullivan has a story at MSNBC, “Fraud Alert System Broken, Study Says.”

4 comments on "40% of Fraud Alerts Don’t Propagate"

  • Chris says:

    Paging Mr. Spitzer…Mr. Spitzer to the red phone please…

  • Mr. X says:

    Yes, I always receive my news from self-serving press releases too.

  • Adam says:

    Dear Mr. X!
    1) If you’d like to have your “</snark>” show up, you need to encode it as &lt; etc.
    2) I think it appropriate for you to comment on the buttering of your bread here, and gosh, maybe even provide some statistics. Which of course, would be free of the self-serving taint.

  • Mr. X says:

    Yes, you’re right. I admit that my objectivity on this issue is highly questionable, since I work for one of the major credit reporting agencies.
    But my snarkism was not so much directed at the validity of the story, but at the dissapointment that a press release from a security vendor made it into your blog with none of your usual questioning analysis.
    My frustration overall is with the fact that both the popular press and the security industry are led around on a leash by vendors, and by media-savvy press releases such as this one.
    The day that Emergent Chaos becomes Information Security magazine is the day I’ll commit seppuku.

Comments are closed.