[hchasestevens]

Surely the actual problem here is that the responsibility for reliable identification somehow falls on the consumer, not the bank or what have you?

I'll give an example: if I get a phishing email claiming to be from my bank, and end up wiring them $1000, I'm out $1000 for not having done the due diligence for verifying that it in fact was my bank; my bank doesn't suddenly owe me $1000. Somehow, though, if some 3rd party convinces the bank they're me, and withdraws $1000 from my account, I'm at fault as a victim of "identity fraud" (and am again out $1000, but this time as a result of my bank's incompetence).

If the onus for verifying your identity were on institutions (and, consequently, the losses in cases of failure to do so) I'm confident that we would have much more reliable means of personal identification magically pop into existence.

[cortesoft]

> Somehow, though, if some 3rd party convinces the bank they're me, and withdraws $1000 from my account, I'm at fault as a victim of "identity fraud" (and am again out $1000, but this time as a result of my bank's incompetence).

This isn't true, though. The bank is the one on the hook.. eventually. The problem, of course, is that you have to get the bank to agree that it wasn't you who made the withdraw..

While it sucks, I am struggling to figure out alternative solutions.

Let's suppose we did the opposite; if you tell the bank that it wasn't you, then they have to prove it was, and in the meantime they give you the money. Sounds great, but this makes fraud about as easy as you can get - open an account, deposit $50,000, then transfer it somewhere else and withdraw it to cash. Then, tell the first bank that it wasn't you that did it. Sure, they will be able to prove it was you eventually.... but according to our new rules, they have to return the money while they figure it out... you withdraw it all and flee.

There would be literally NOTHING the bank could do to prevent this sort of fraud. They could put a million checks in place, but since they would still need to 'prove' it was you when you claim it was fraudulent, and make you whole in the meantime, you could still steal the money during that time. You claim fraud, they put the money back into your account.. and then they show someone (who? an arbiter? the gov?) that they have video evidence of you making the withdraw. While the ruling is happening, you skip town with the money.

It really sucks, and I really can't think of a solution.

[landryraccoon]

All of that argumentation is nice but it doesn’t hold any water.

Credit card companies are by law on the hook for any fraud committed with your credit card. Everything you just wrote applies to credit cards, and yet Visa and Mastercard are doing just fine. They aren’t going bankrupt just because you can file a chargeback whenever you want as a consumer.

There doesn’t seem to be any doubt Banks can handle this, because they already do.

[cortesoft]

Except they AREN'T on the hook for the fraud... the merchants are. They are doing fine because they pass on the costs to the merchants.

Also, when you dispute a charge, they are able to put the money in 'escrow', basically, while they investigate... since they control both sides of the transaction (both merchant and customer), they 'keep' the money while they resolve it. If they find in the card user's favor, they deduct it from the merchant account and credit it back to the card user. Otherwise, they release the hold and the merchant can withdraw the money.

It doesn't feel like your money is being held as a card holder, because the 'money' in this case is credit, and it doesn't effect your bank account while it is being resolved. However, it DOES count against your credit limit while they resolve the issue, so it shows you that the money is still 'frozen' while they resolve it. They aren't allowed to charge interest during the dispute, but if you lose the dispute you will have to pay the interest.

This is the same thing that happens when your bank account is defrauded.. the money is frozen, and you can't withdraw it until the dispute is resolved.

[kerkeslager]

> Also, when you dispute a charge, they are able to put the money in 'escrow', basically, while they investigate... since they control both sides of the transaction (both merchant and customer), they 'keep' the money while they resolve it. If they find in the card user's favor, they deduct it from the merchant account and credit it back to the card user. Otherwise, they release the hold and the merchant can withdraw the money.

> It doesn't feel like your money is being held as a card holder, because the 'money' in this case is credit, and it doesn't effect your bank account while it is being resolved. However, it DOES count against your credit limit while they resolve the issue, so it shows you that the money is still 'frozen' while they resolve it. They aren't allowed to charge interest during the dispute, but if you lose the dispute you will have to pay the interest.

I knew roughly how this worked before, but it didn't occur to me until I read your explanation that this allows the credit card company or bank to invest the money while it's in escrow. So it actually benefits them when fraud happens on your account.

...of course that's a thing. The bankers always win.

[tappio]

Visa and Mastercard are card schemes. They are just moving the money between financial institutions. The issuer (which is the financial institution from where the credit card was applied from) is providing the credit line=they own the money. The scheme ensures that the other parties always gets their money, which is why their business is really dependent on good fraud detection algorithms. The payment schema will just freeze the settlements during the dispute, but if evidence is found that it was fraud, they will lose the money. This of course happens all the time, but it is just a pricing issue. Visa charges license fees from issuer and acquirer, and every transaction costs for the merchant around 0.5-5% depending on the card.

[tappio]

Had to check again, visa and Mastercard actually don't carry the risk in this scenario. It's either the acquirer or issuer. Scheme acts as a judge and decides who's fault it is. However, now that 3d secure is in place, if both issuer and acquirer support it, there are really few frauds. If they don't, the risk is on the one who did not enforce 3d secure.

[cortesoft]

I mean, they can't really 'invest it' since it was their money in the first place. They are loaning it to the credit card holder, who is giving it to the merchant. In this case they just don't loan it out until the case is resolved.

[kerkeslager]

> I mean, they can't really 'invest it' since it was their money in the first place.

By extending someone a line of credit, they are investing some percentage of that line of credit as their money, because they have to have money on hand in case the person decides to use their credit card. They obviously don't have to keep the whole balance of every line of credit they extend on hand, because most people won't max out all their lines of credit. But they do have to keep some percentage. That money is invested, but only pays out money if the person uses their credit card and then rolls over a balance to accrue interest.

But let's say someone uses a credit card, and then someone disputes the charge (these are different people if the charge was fraudulent). The credit card company holds that money in escrow. While it's in escrow, they don't pay it to the merchant, so they still have it, and they don't count it toward their customer's credit limit, so it decreases the amount of money they have to keep on hand. However, they're still charging interest for it in the case that the charge is found to not be fraudulent. So their investment is paying off.

Now where this gets tricky, is now that money is invested, because they're charging interest for it, but they know they won't have to pay out that investment until the fraud investigation completes. So until then, they can invest it again! They always have to keep some money on hand in preparation for a fraud investigation to finish, but there is always some amount of money being tied up in escrow for ongoing fraud investigations, so they can invest that money twice.

[AmericanChopper]

The type of fraud you described (or at least a very close version of it) is already possible, and happens all the time. The way they manage this is that wire fraud is a federal crime, that will land you with a lot more prison time than you might think.

[rwmurrayVT]

Wire fraud has no mandatory minimum and depending on the transaction value the sentencing guidelines are very light. The killer is ID theft which carries 24 month mandatory minimum with no ability to run concurrently with any other charge.

[AmericanChopper]

My point simply being that most of these types of fraud are rather easy to commit, but actually quite hard to get away with, and the consequences can be very severe. I’ve worked with quite a few US financial institutions, and a lot of their fraud investigations end up with arrest warrants.

[jkepler]

Bitcoin and other digital cash systems that are bearer instruments would change this: if the 1st outgoing transaction is valid, one can't then defraud the bank of the same money. On the flip side, if a user falls for a phishing campaign and sends digital cash to a fraudulent 3rd party, that can't be reversed, either.

[tau255]

I think that this is extension of semantic play that such leaks lead to "identity theft". Even if you took due diligence to protect your credit card and SSN or other personal info after the fact you are being played as "victim of identity theft". No it is not identity theft that someone used yours info to take fast loan or buy bitcoin with your credict card that incompetent business lost and now you are SOL with ruined life/credit score - it is bank fraud and banks should stop making it look like it is not their problem/fault.

It even is stamped on CC that it is property of the issuing bank. So you made it such way that skimmer can copy your card at gas station and empty someones account in few minutes but you are not part of the problem at all? Then what is the point of of plastic other that milking fees?

[dajon]

Regarding your first point, there's a very relevant 2-minute sketch from the radio show 'That Mitchell & Webb Sound' that makes a similar argument: https://www.youtube.com/watch?v=CS9ptA3Ya9E

[paulddraper]

> and am again out $1000, but this time as a result of my bank's incompetence

> If the onus for verifying your identity were on institutions

Your two situations are really the same situation.

1. You give your money to another party, and then claim they committed fraud. You can't just instantly seize $1000 from them; you must prove that they committed fraud.

2. You give your money to another party to manage, and then claim they breached contract. You can't just instantly seize $1000 from them; you must prove they violated the contract.

In both cases, the legal onus is on the accuser to demonstrate criminal activity ("innocent until proven guilty"). Otherwise, you could walk around claiming people and banks owe you money and simply be presumed correct.

(Also, in both cases, it would be have been better for you to not to trust those particular parties.)

[tappio]

Not sure about US, but this definitely does not apply in the EU. The banks are responsible. Also, the PSD2, which just came into effect here sets standards on person identification, which every financial institution needs to comply.

Of course, this does not mean that being a victim of identity theft does not suck.

The stolen information has some other severe side effects, which are not directly personal. The stolen credit card information and the drivers licenses are typically used for things like human trafficing. You buy some airline tickets with fake passport and stolen credit card, and travel as someone else.

[AmericanChopper]

It already is. If you wake up one morning, and somebody else has been withdrawing money from your account, or charging your credit card, the bank already is liable for that, and will reimburse you. The losses from fraud are already written into their margins, the same way the losses from shoplifting are written into a retailers margins.

[ryanlol]

>reliable identification somehow falls on the consumer, not the bank or what have you?

No, it falls on the bank or what have you. If the bank or what have you gets defrauded they lose the money.

As an unfortunate side effect the fraud might affect a consumers credit, but not due to any kind of responsibility for the fraud.

[tolmasky]

The problem with what you're proposing is that, as far as I understand, the real "consequences" for things like identity theft end up being intangibles like "time" and "annoyance" or "credit score". I don't think you'll actually be out $1000, the bank will just reverse it or it will be covered under some sort of insurance or something. Many times its just people taking out fraudulent loans under your name (vs. directly stealing money from you), so it gets handled entirely "digitally" and you experience no long term financial harm. Because of that, no one ends up "angry" at the bank, since what they lost was a week in "hassle".

[flatline]

Except that it can take months or years for the affected individual to clear up their credit record. And they may still end up on the hook for some of that debt. There is a direct and immediate impact on the individual in terms of debt against them and whatever credit reporting occurs on that debt. There is more distant impact on the lenders to eventually eat the losses - which in aggregate are in fact quite large - but no real impact to the lender’s reputation.

[cheriot]

It's worth distinguishing between the lenders and the credit bureaus. The latter cause much of the pain around identity theft afaik.

[ryanlol]

>Except that it can take months or years for the affected individual to clear up their credit record

In what scenario could this take years? Honestly anything beyond a month sounds pretty unlikely unless your identity was abused for an extended period (as in by a family member or such), and even then I don't see how.

As far as I understand the process for getting fraudulent accounts removed from credit reports typically takes less than a week.

[pmiller2]

Bullshit.

I had a fraudulent charge on my bank account via a “demand draft” (essentially a check without my signature). Yes, I had to spend significant time resolving the issue: going to the bank, having them insist they needed to close my account and reopen a new one, plus changing all my ACH drafts. But, I was very angry with the bank, because their proposed solution caused me hassle and doesn’t protect me from whatever attack vector compromised my account. They would not let me have them refuse to honor such instruments without prior authorization, either.

And, this was over a $40 charge. Had it been $4000, I wouldn’t have been any less angry with them for failing to protect me.

[tolmasky]

I think there might have been some sort of misunderstanding in my post. I’m explaining a phenomenon I see: people aren’t generally angry with their bank over identity fraud, and that makes holding them accountable difficult. I don’t disagree they share much of the blame, just trying to point out how non-HN people see things. While you may very well be pissed with your bank, I think the general response to your story is “relief” at getting the money back and “anger” at the criminal. Again, I am not implying this is who they should be angry at, just who I see them get angry at. So, step one is convincing others to have the same response as you if the goal is to hold them responsible.

[chefandy]

'Reverse it' often isn't exactly that simple, or even an option, depending on the method of transfer.