Shostack + Friends Blog Archive


When The Fox Is In The Henhouse

Protectors, Too, Gather Profits From ID Theft” in today’s New York Times tells the tale of woe of Melody and Steven Millett and her husband who despite a subscription Equifax’s Identity Theft protection service still had Steven’s SSN readily abused. Privacy consultant Robert Gellman summed up one of the problems with these services nicely:

Identity theft has essentially become a business — not just for bad guys but for good guys, too…A lot of the people that are involved in profiting legally from identity theft are direct participants in the whole credit system that doesn’t have the protections in place to prevent identity theft in the first place.

So essentially, the credit monitoring services are selling a service that to cover the fact that they don’t have a good process to begin with. And given that fraud is generally the liability of the merchant and banks/credit card companies and not the end user there is little to no incentive for folks like Experian, Transunion and Equifax to actually do much in the way of due diligence on either end. When the folks who control your private information are also charging you to “protect”, they have a serious conflict of interest.
What’s actually needed is a service like Debix. In the interest of full disclosure, I have a fiduciary relationship with Debix. I was also one of their first customers. Why? Because I think it’s important to have someone whose only interest is the protection of my personal information on my side, not someone whose job it is to also sell it to the right people.
[Image is “Fox food” by Bob Hallinen / Anchorage Daily News]

4 comments on "When The Fox Is In The Henhouse"

  • Anonymous says:

    How lazy does one have to be to use Debix? All they do is provide automated fraud alerts with the three agencies. Great! Let me put all of my eggs into another basket. Instead of cracking the three agencies, I’ll just dupe Debix, steal a SIM card, and approve things for myself.
    In the larger picture, the three credit agencies need a good smackdown and hard regulation. It’s clear the market can’t solve this. Or the SSA needs to devalue the SSN and publish them all.

  • Adam says:

    So, ID theft goes from stealing something I have no control over to duping debix (which you have no control over), stealing your phone, and guessing your PIN. You’re right. It’s for the lazy. Try not to write your PIN on the side of your phone.

  • David Brodbeck says:

    I think “it’s for the lazy” is a silly argument against a service, because everyone who sells a service is, in a way, catering to the lazy. I pay a barber because I’m too lazy to learn how to cut my own hair. I pay a mechanic because I’m too lazy to change my own oil. People presumably pay Debix because they don’t want to keep track of managing fraud alerts at three credit agencies themselves.

  • Chris Walsh says:

    “People presumably pay Debix because they don’t want to keep track of managing fraud alerts at three credit agencies themselves”
    How much does it cost to keep such tabs? I notice that the going rate seems to be something like $100/year. I wonder how much the bureaus make from the typical file. Clearly, there is a point at which the bureaus could decide to really aggravate Arthur and offer a Debix-like service themselves, as long as they make more from it than they lose in foregone opportunities to sell credit reports. I wonder if there’s a regulatory obstacle to this? One would expect their cost of production for such a thing to be lower than an outside company’s, so they could own the market.

Comments are closed.