Friday, September 12, 2008

Credit bureaus, credit reports

I recently had two occasions to do credit-related activities.

In the first, a company had a (fairly) legitimate reason to run a credit check. After collecting name, address, SSN, driver's license, etc., they ran a credit check, and then wanted to "verify" that I am who all those things belong to. A noble goal - but one done poorly. The "verification" (which must be in quotes, as you'll see) consisted of asking three questions:

(1) Which of the following companies holds your mortgage? The person then named four companies, three of which I had never heard of (and may not even exist), and the fourth is one of the larger mortgage companies. If I weren't me, I could have reasonably guessed the large one - it would probably be accurate for 99% of people.

(2) Which of the following companies holds your primary credit card? Again, four banks were named, three of which I had never heard of and probably don't exist, and the fourth is one of the largest issuers (think Amex, Chase, Citi, Capital One, etc. - they issue so many more cards than everyone else that it's clearly a very likely choice). Again, someone who knew nothing about me could guess accurately with at least 99% probability.

(3) Your previous address was 123 Main St, in which city? This time four cities were named, one of which is a neighboring town to where I live now, and the other three I've not heard of. This one would be a bit harder to guess without some data, but anyone who has a copy of my credit report would know the answer.

So my conclusion is that, just like TSA and airport security, these new security "safeguards" are security theatre, and don't actually improve security at all.

The day after the above transaction, I got a letter from a bank I do business with saying that my personally identifiable information had been stolen, etc. - I've received quite a few of these before, as have most middle-class Americans. (One of the advantages, I suspect, of being poor is that you have less financial data and in fewer places, so you're less likely to have it stolen!) As is the norm, they offered me two years of free credit monitoring, which of course is just a Band-Aid.

So I accepted the credit service anyway, and ran a credit report on myself. It was moderately accurate (no accounts I didn't know about, which is good). But the amount of missing and inaccurate data is amazing - two of the three credit bureaus list my current employer as a company I left more than 15 years ago. So if one of those clever "validation" questions I discussed above had been to verify my current employer, I would have failed the test, since they had the wrong answer!

The good news from all this is that credit bureaus and the companies who use their data are starting to realize that using an SSN as both an identifier and an authenticator doesn't work, and they need to do more to verify identity. The bad news is that they totally misunderstand how to do it correctly, so they've just added an illusion of security which may have many false positives (i.e., indications of fraud that don't exist) due to the inaccuracy of their data.

