By TOM ZELLER Jr.
Consumer advocates have long complained that the fraud alert system mandated by Congress in 2003 as a consumer's first line of defense against identity theft does not always work properly.
So a company seeking to enter the market for identity theft prevention services recently recruited 54 data security and privacy experts to test the system. They claim to have found some kinks, although the credit reporting agencies beg to differ.
Julie Fergerson, vice president for emerging technologies at Debix, the company that produced the study, said that in 40 percent of the cases she examined, it appeared that fraud alerts had failed to put all the reporting agencies on notice to prevent new credit accounts, loans and other debts from being opened in a consumer's name without a verifying phone call from the creditor.
"The implication," Ms. Fergerson said, "is that you've got millions of people who think that they have fraud protection in place when actually they don't."
But Norm Magnuson, a spokesman for the Consumer Data Industry Association, which represents the major consumer reporting agencies, including Equifax, Experian and TransUnion, suggested that those findings were absurd.
"The fraud alert response system is working as it should, contrary to what the Debix report indicates," he said. "Starting with the 54 consumers they surveyed, I'd question whether that's an adequate number to base their conclusions on."
In updating the Fair Credit and Reporting Act in 2003, Congress included rules intended to make it simpler for consumers to place fraud warnings on their credit files, including a basic, 90-day alert designed for identity theft victims, but available to anyone who wants one.
Under the law, this alert can be established with a phone call to one of the major consumer reporting companies, which must then refer the information regarding the fraud alert to the others.
The Federal Trade Commission is charged with ensuring compliance.
The Debix study included privacy and consumer rights advocates, as well as data security executives from Citigroup, Charles Schwab, Expedia, Discover Financial and other companies.
Participants were registered for fraud alerts at one credit reporting agency, most at TransUnion, Ms. Fergerson said.
Of the 54 volunteers, 32 received confirmation letters within a week or so, the sign that things worked as they should. But in 22 cases, something went awry.
In 18 cases, the fraud alert was set at only two agencies. In four cases, it took hold at only one.
Ms. Fergerson surmised that in instances where formatting of data (name, date of birth or other essential information) differed between agencies, it was more likely that the fraud alert would not propagate properly. Without access to the internal systems of the agencies, it is impossible to know, however.
"There's not a 40 percent failure rate," Mr. Magnuson asserted, although he said there were no readily available statistics on any breakdowns in the fraud alert system.
Mr. Magnuson also pointed out, in an e-mail message prepared in tandem with representatives of the three credit reporting agencies, that Debix has a business model that makes money by alleging that the fraud alert process doesn't work.
Indeed, Debix is one of a growing list of companies promising, for a fee, to alleviate the headache of keeping your credit file protected.
Ms. Fergerson said her company had shared the results of the study with the trade commission. Betsy Broder, the assistant director of the commission's division of privacy and identity protection, would not comment on the agency's response, but noted that the fraud alert system was still new.
Copyright 2006 The New York Times Company