"Call Me First" Before Using My Identity Information
This suggestion builds on two existing capabilities currently available to (most) consumers, which arguably afford the best protections consumers currently have against identity theft: fraud alerts and security freezes.
When a fraud alert is placed, the credit grantor who views a credit file or credit score in advance of deciding whether to extend credit to someone will see an "alert" containing contact information for the person whose credit file is being viewed. This contact information is usually a phone number. The credit grantor is supposed to call the phone number, or otherwide contact the consumer, to verify that the person who responds is truly the person who is applying for the new credit account. This is really a two step process: authentication of the consumer occurs as a result of an assumption that the phone number called is tightly linked to the consumer "owning" the identity being authenticated, and authorization occurs by obtaining an ackknowledgement from the consumer that he/she is truly the person seeking to establish the new account with the credit grantor.
Since there are three major credit bureaus, a consumer would need to place fraud alerts with all three. Fraud alerts are also only valid for 90 days, unless it can be demonstrated that someone is a victim of identity theft. They can be renewed as many times as desired. Because these fraud alerts are cumbersome to place and maintain, a number of companies have arisen to assist consumers in using fraud alerts.
The security freeze also helps to prevent identity theft by preventing the would-be credit grantor from accessing the credit file or credit score of someone who has "frozen" his or her credit file. The idea is that the would-be credit grantor will not go ahead and extend credit anyway without examining this credit file or credit score. But security freezes are also cumbersome because they must be set at each of the three credit bureaus, and because they must be lifted each time a user wishes to actually apply for a new credit account, and then refrozen again. The "unfreezing" and "refreezing" processes could take several days, and have an associated cost each time it is done.
The effective use of a security freeze requires a certain amount of planning on the part of the consumer, since he/she must lift the freeze prior to seeking new credit accounts, and then refreeze it afterwards. Despite this, it's possible to envision a way that fraud alerts and security freezes can be combined in a new "Call Me First" service that takes advantage of the best of both approaches, and eliminates some of the inconveniences.
A "Call Me First" service could be offered as an opt-in service by the credit bureaus as part of the process of providing credit scores to credit grantors when a new account is being opened. In effect, it would serve as an identity and authorization check to make sure that the credit bureau is providing credit information to a credit grantor as part of a legitimate request for a new credit account, and not as part of an identity theft attempt.
How "Call Me First" Could Work:
A "Call Me First" service could work like this:
- Interested individuals would need to “register” their identities (ie, their SSNs) on a kind of "Call Me First” list, patterned along the lines of the ever-popular Do Not Call list. A person who can prove that they “own” a particular SSN would provide contact information (phone number, email address, etc.) to the credit bureaus to enable any credit bureau to contact him/her whenever someone attempts to use his/her SSN to establish a new credit account. This would constitute the process of registering an identity on the Call Me First list.
- During the new account opening procedure, a credit grantor contacts a credit bureau and provides the identity information (including SSN) being used by someone seeking to open a new account. Upon receipt of the informatin, the credit bureau determines whether the claimed identity is registered on the Call Me First list.
- If the claimed identity is
registered, the credit bureaus contacts the consumer whose identity is
being used, to determine whether he/she is truly the
one seeking to establish the new account. This process would be
very similar to what credit grantors currently do when they respond to
a fraud alert. However, it could incorporate better
authentication procedures to verify that the person receiving the call
is the person whose identity needs to be verified.
For instance, the person contacted may be requested to provide a PIN,
or to say something that can be verified as being uttered by the
correct person, via speech analysis and speaker verification methods.
- If the person contacted acknowledges that he/she is truly the same person seeking to establish the new account, the credit bureau returns to the credit grantor the requested credit file or credit score.
- If the person contacted does NOT acknowledge that he/she is the same person
requesting the new account, the credit bureau would NOT return any
credit information to the credit grantor making the request. To
reinforce that the request for credit is likely fraudulent, the credit
bureau could also return a statement to the credit grantor that the person whose identity is
being used to open the account specifically does not recognize the new
account request, and requests that the credit grantor NOT establish the
account.
- If the claimed identity is not registered on the Call Me First list, the credit bureau would treat the request for credit information by the credit grantor as it normally would.
A system such as this would seem to provide the benefits of a security freeze, while eliminating many of the disadvantages. While the security freeze is somewhat of a blunt instrument against identity theft, in that it prevents any credit information from being provided unless the freeze is lifted, the Call Me First concept can give individuals more control over the dissemination of their credit information. No longer would it first be necessary to “unfreeze” your credit file at each of the three credit bureaus, and then “refreeze” it later on.
Although the Call Me First concept is also similar to a fraud alert, in that an individual is contacted to gain approval before an account is opened, there may be some advantages if a small number of credit bureaus can be relied upon to contact individuals for the purposes of authenticating requests for new credit accounts, rather than depending on a much larger number of potential credit grantors to do it.
- One possible
advantage is that it may be easier for the major credit bureaus to enforce some
standards or best-practices for authenticating individuals, rather than assuming
that every credit grantor will follow any kind of standard procedures or best-practices for performing this authentication.
- Another advantage to having a credit bureau perform this function is that it may help prevent damage to a consumer's credit history. When credit grantors return negative information to credit bureaus because someone was late in paying a bill, or did not pay at all, the credit bureau has no way of knowing whether this is a result of a credit account that was opened by an identity thief, or whether the non-payment information is legitimate.
- If the non-payment information results from an account established by an identity thief, the credit bureau will be recording negative information in the credit history of an identity theft victim, thereby damaging the victim's credit history. Today the credit bureau has no way of knowing the difference, and trusts that the credit grantor has taken steps to ensure that a credit account is legitimate. This may not have been done, or it may have been done inadequately, especially if the consumer had no fraud alert in place.
Authenticating The Consumer to the Credit Bureau
With "Call Me First", the credit bureau must contact a consumer whose identity is registered with the Call Me First list whenever that registered identity is used to establish a new credit account. There are three types of identity verifications that are needed.- Any identity registered on the Call Me First list must be verified in terms of the name, birthdate, and SSN used; in other words, making sure that the name, birthdate, and SSN match the records maintained by the Social Security Administration.
- If the SSN information is valid, it must be determined whether the person registering this identity information with the Call Me First list truly the person to whom this information pertains. It may be difficult for a credit bureau to do this, since credit bureaus typically do not have previous relationships with consumers. It may be necessary to enlist the help of trusted third parties to complete this step, such as a bank where a consumer has an account.
- The credit bureau must ensure that the person it establishes contact with using the contact information in the Call Me First list is truly the person whose identity is listed, and not a family member using the same phone number, or someone else.