Monday, September 25, 2006

Outline of a project plan to implement a due diligence mechanism protecting personal identity

This document reproduces what was originally published in Jan 2006. Because the index got overwritten, I am recreating it here.

Project Proposal

Although there are many ways that identity theft happens, the most troublesome seems to be the capability of a crook to create a fictitious "person instance" by using another’s social security number and then take out loans, which get reported as legal liabilities for the target person. A person may not learn of this problem for months, and could suffer loss of employment or housing as a result. This possibility is one of the main reasons why frequent checks of credit reports is necessary.

There exists an opportunity to prevent this kind of crime by encouraging every person to register a preferred contact address, and then requiring any credit grantor (mortgage company, credit card company, auto finance) to confirm a lone with that address. The United States Postal Service has a facility, National Change of Address (NCOA) that could form the kernel of such a policy. Any person, when he or she moves, can provide the USPS preferred mailing address information, and can provide more than one address. NCOA follows a number of automated practices, such as Code-1 (a standard format for mailing addresses), FastForward, and Move/Forward and Move/Update, an intricate procedure set which allows major companies to maintain preferred mailing addresses. Major corporate postal customers must follow rigorous audit standards to use these facilities. Various software vendors, such as Group-1 and Harthanks, provide software for companies to interface with the USPS. It is easy to imagine expanding such a system to include preferred e-mail addresses.

Public policy (through legislation or administrative law) would then be changed to require all businesses making loans to confirm the obligation at an NCOA address. Therefore if an obligation was made by another party duplicating the target person's identity, that person would receive a notification immediately. The remaining issue would then be securing the NCOA processing as much as possible, but this seems to be much more secure than many other information banks have been, as illustrated by many media reports.

There could be many wrinkles in this process. For example, when a consumer receives an original or a replacement credit card from a bank, the consumer typically call's the bank's 800 number (or goes to its web site) to activate the card. The credit card would, according to proposed law, would have to be mailed only to the preferred NCOA address. Activation information would have to include a preferred address code, a nine-digit zip plus box number if applicable, and that might well have to be encrypted or mapped to a random number for the consumer to use.

Would this violate personal privacy, in that it gives the government a specific contact point to track any person (as a "mark")? In an ideological sense, maybe. But in practice, most active people need to know that they can be reliably contacted, at least by certified mail if nothing else, in case there is some kind of problem that they don’t know about. In the middle 1990s I had a situation with a mortgage that had been assumed. Without such contact, a person could even have a default judgment entered against himself or herself in certain kinds of circumstances. For persons who operate Internet websites, ICANN and registration companies require the maintenance of a reliable USPS land contact address.

It is also important to note that such a preferred address would not need to be where the person lives. An individual would not need to give away his residence to potential stalkers, for example, although certain Internet search or “skip trace” companies make it easier to find such a person. One could use a land address at a mailing company (such as UPS’s Mail Boxes, Etc.). One could use a place of employment with the employer's permission. There is no reason why a simple USPD PO Box would not suffice (although many businesses require a client to use a land address). When the primary address is an email address, one could look to a company like as providing a paradigm for preferred contact.

In a sense, this is what happens now when a consumer's record has a fraud alert with a major credit reporting company (Experian, Equifax, Trans-Union). The lender has to do a lot more due diligence. I think the diligence must be performed in all cases. But there also needs to be an extra layer in the setup to ensure a preferred and guaranteed contact address, and the USPS NCOA is the logical starting point.

Of course, implementation of such a proposal would require major software enhancements by the USPS, companies that provide mail-related software, and software related to credit card, mortgage and auto loan processing. But there's no harm these days in giving I.T. people more work and in creating some jobs.

There are more details at this link. I certainly welcome comments.

Update: Nov. 22, 2011

See IT blog today for related entry.

Wednesday, September 20, 2006

FTC link; conversation at NBC4 Expo in Washington

Many of the important posts on this blog are in the June archive. (Please visit).
The most important is the "Outline of a Broad Strategy...." I am having difficulty making the exact href work. Please visit the archive and eyeball for that string.

September 17 2006 I went to the NBC4Connected Expo at the Washington Convention Center, and had a chat about this proposal with a booth sponsored by the FTC. There really doesn't seem to be a good reason why credit grantors don't practice more due diligence in verifying identities before giving credit (as NCOA would certainly be a good tool if the system were developed).

Here is there link on this problem.

Tuesday, September 12, 2006

AARP warns about scams for medical treatment

The September 2006 AARP Bulletin warns about stealing personal information to get medical treatment, and there seem to be insufficient safeguards in place to prevent this. The scammer becomes a pretexter, and calls another person to get personal information, and then uses it to get medical treatment. There is even a danger that a hospital could mix up treatment records of different patients and give incorrect care. Ironically, HIPAA provisions might interfere with attempts by victims to force hosptials to admit errors, billing a fraudulent patient.

Use of the NCOA USPS system as proposed in this blog would be effective in preventing this kind of medical billing fraud.

For more on consumer scams, visit this fraud alert link.