Every year, millions of Americans fall victim to credit fraud, often unaware that their identities have already been compromised. In 2023, this issue affected over 15 million people and cost Americans more than $42.9 billion.
Such incidents aren’t just coincidences; they highlight significant security flaws in a credit reporting system built across different eras, relying on outdated methods for verifying identities.
The Social Security number lies at the heart of this crisis, serving as the primary credential for credit applications. Unfortunately, it has become so compromised that it’s almost beyond recovery. Designed initially to manage social security benefits, this number has been widely leaked online, and changing it is nearly impossible, yet it remains central to our financial dealings.
In the first half of 2023, 69% of the Social Security numbers leaked in data breaches involved U.S. citizens, according to reports. Major hacks in 2024 exposed 272 million Social Security numbers, which are now available on the criminal market. One breach exposed 44 million, which means that credit bureaus are now verifying applicants using data already owned by criminals.
Beyond identity theft, fraudsters are also creating something new: synthetic identities. This type of fraud has surged recently, combining real and fabricated information to construct convincing but false identities. With the rise of generative AI, creating these synthetic identities has become alarmingly easy.
Consumers often lack control over the information credit agencies gather about them. Although laws like the Fair Credit Reporting Act allow consumers to check and freeze their credit reports, they don’t require agencies to initiate these freezes proactively.
This places a cumbersome burden on consumers, who must manually freeze their reports across all major credit bureaus. This process can be daunting, especially for older individuals or those unfamiliar with how credit reporting works. Some may even resort to third-party services to help manage these issues, which isn’t ideal for those already struggling to secure their identities.
What might be a better solution? A “Frozen by default” model for consumer credit reports could flip the current script. Rooted in “Zero Trust” cybersecurity concepts, this approach would mean that credit reports remain locked unless the consumer explicitly permits access.
Experts have proposed two significant policy changes to alleviate much of the burden on consumers.
The first is a tokenized pre-approval system, enabling consumers to generate a one-time code for specific lenders or businesses to access credit information. This code, valid for a limited time and only for authorized entities, aims to be safe, straightforward, and trackable.
The second suggestion involves real-time notification for credit inquiries. If someone attempts to pull a consumer’s credit, the consumer would receive an immediate alert via email or text and could quickly approve or deny access.
While real-time approval offers great control, challenges like missed notifications and spoofing remain. On the other hand, tokenized systems are generally more user-friendly and secure, positioning them for broader application.
This modernized approach would enforce a default credit freeze on all consumer files and mandate multifactor authentication for accessing credit reporting systems. Any hard credit inquiry would require explicit consumer consent, accompanied by timely notifications for every access.
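A minimal sketch of the tokenized pre-approval flow on a frozen-by-default file, added here as an illustration and not taken from any bureau or from the proposal itself. The class name, lender IDs, 15-minute default lifetime and in-memory storage are all assumptions.

```python
import hashlib
import secrets
import time


class FrozenCreditFile:
    """Bureau-side record (hypothetical): frozen unless a consumer-issued token opens it."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants = {}    # sha256(token) -> {"lender", "expires", "used"}
        self.audit_log = []  # (timestamp, lender_id, outcome), one entry per attempt

    def issue_token(self, lender_id, ttl_seconds=900):
        """Consumer action: mint a one-time code for exactly one lender."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._grants[digest] = {"lender": lender_id,
                                "expires": self._clock() + ttl_seconds,
                                "used": False}
        return token  # handed to the consumer once; the bureau keeps only the hash

    def hard_inquiry(self, lender_id, token=None):
        """Lender action: True only when the pull is authorized; always logged."""
        outcome = self._check(lender_id, token)
        self.audit_log.append((self._clock(), lender_id, outcome))
        return outcome == "granted"

    def _check(self, lender_id, token):
        if token is None:
            return "denied: frozen, no token"  # the default state
        grant = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        if grant is None:
            return "denied: unknown token"
        if grant["lender"] != lender_id:
            return "denied: token issued to another lender"
        if grant["used"]:
            return "denied: token already used"
        if self._clock() > grant["expires"]:
            return "denied: token expired"
        grant["used"] = True  # one-time: consumed by the first successful pull
        return "granted"
```

The audit log is what would feed the per-access notifications: every attempt, granted or denied, leaves an entry the consumer can be told about.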
Yet, some within the credit reporting sector resist these proposed changes, fearing disruption to revenue streams built on passive data sales. While exceptions may be reasonable for soft inquiries related to marketing or monitoring, hard inquiries that lead to new credit accounts must be automatically frozen.
With credit fraud on the rise, continuing to overlook this growing threat is unsustainable. According to the FTC, there were 5.4 million reports of identity theft in 2023. Complaints from the elderly are particularly troubling, showing a 14% increase in losses to $3.4 billion in 2022, affecting mostly older adults nearing retirement who may struggle to recover from such losses.
Congress has the opportunity to amend credit reporting laws with default freeze rules. The Consumer Financial Protection Bureau and the Federal Trade Commission, which already have some authority, should strengthen monitoring. States like California and New York could also lead with pilot programs.
The American credit system was designed for a world where personal data was scarce and hard to steal. That reality no longer applies. Implementing Zero Trust and Freeze-by-Default frameworks could significantly protect those unable to defend themselves against credit fraud.





