The root of identity theft

In the last few years, identity theft has become one of the hottest news topics. Companies, hospitals, and government agencies misplace backup tapes, have computers stolen, or fall victim to social engineering. Certainly these organizations deserve blame for mishandling what should be confidential information about their customers (that often should have been destroyed, or never even stored), but there's a bigger problem that gets too little attention.

The big problem is the assumed secrecy of identification numbers and trust of databases. Instant credit approval requires a social security number and perhaps a birth date. This very information is present in possibly millions of databases used by businesses and government agencies. How can we possibly expect it to remain secret if everyone we've allowed to check our credit, or even every medical practice we've visited, has it on file? It only takes one mistake by any employee to potentially reveal that supposedly secret information to a malicious person. Once breached, that information logically is no longer a reliable identifier. But it's still trusted.

It's practically criminal how much a credit file is trusted, and how easily fraudulent information is added. Further, eliminating fraudulent records from one's own credit file requires persistent, proactive efforts by an identity theft victim. Absent a fraud alert on the file, very few creditors seriously attempt to verify identity, and rarely do they question the accuracy of credit reports. That is the reason identity theft has such an impact. It can take years for fraudulent activity to appear, and only through the diligence of the victim is there any hope of correction. Until the information is proved incorrect, it is assumed to be reliable, and the damage continues.

Real identity theft protection requires a change in our culture. We must stop trusting databases and computers, and realize that behind them there are always people, who are fallible. The knowledge of a 9-digit number is not proof of one's identity. There is something reassuring about entering a bank and being greeted by name (and asked how my child is doing these days), not because I've swiped my ATM card and entered a PIN, but because the employees have taken the time to recognize me.