
Every year, millions of Americans become victims of credit fraud. Most victims don’t know their identity has likely already been compromised. Identity fraud cost Americans more than $42.9 billion in 2023 and affected more than 15 million people.
These aren’t isolated incidents. They reflect a serious security issue: a credit reporting infrastructure built for a different era, operating on outdated identity verification and an open-by-default trust model.
At the center of this crisis is the Social Security number, still the primary credential used to apply for credit. But it has been compromised beyond repair. Originally designed for Social Security benefits, not identity verification, the number is now the key to our financial world, despite being widely leaked online and nearly impossible to change.
In just the first half of 2023, 69 percent of U.S. data breaches exposed Social Security numbers, according to Security Magazine. A massive 2024 breach of the company National Public Data leaked nearly 272 million unique Social Security numbers, which are now widely available on criminal marketplaces. AT&T disclosed a separate breach that exposed 44 million of them. This means credit bureaus are frequently verifying applicants using data already possessed by criminals.
Beyond stealing identities, fraudsters are now fabricating entirely new ones. “Synthetic identity fraud,” which combines real and fake personal data to create convincing false identities, has surged in recent years. And thanks to generative AI, crafting synthetic identities that evade detection is easier than ever.
With all this, consumers have little knowledge of or control over what information credit reporting agencies collect about them. Laws like the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act allow consumers to check and freeze their credit, but do not require credit reporting agencies to freeze by default.
Consumers bear the burden of manually freezing and unfreezing their credit with each of the three major credit reporting agencies, a cumbersome process with a steep learning curve. Many people, especially seniors or those unfamiliar with how to manage their records with credit reporting agencies, don’t know how to protect their identities. The alternative is paying a third-party service to manage it for them. All of this puts the burden of identity security on the shoulders of those least capable of managing it.
There’s a better way: a “frozen by default” model for consumer credit reports. This concept, rooted in “zero trust” cybersecurity principles, flips the model. Instead of trusting by default, it locks credit reports unless the consumer explicitly authorizes access.
Data security and privacy professionals have proposed two main policy frameworks that would remove most of the burden from consumers.
First is tokenized pre-authorization. Under this system, consumers generate a one-time-use code to authorize a specific lender or other business to pull their credit. This token would allow only the authorized company to pull credit and would expire after a set amount of time. It is simple, secure and trackable.
Second is real-time inquiry notifications. When a credit pull is attempted, consumers receive an email or text alert prompting them to approve or deny access instantly.
While real-time approval offers maximum control, it comes with challenges such as missed alerts, spoofing, communication expenses and accessibility barriers. Tokenized authorization, in contrast, offers strong protection with better usability and is easier to scale.
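The tokenized pre-authorization flow described above, as an added Python example that is not from the article or from any credit bureau's system. The `CreditFile` class, the lender identifiers and the HMAC-based token format are assumptions made for illustration; the file is frozen unless a token bound to the requesting lender, unexpired and unused, is presented, and every attempt is logged.

```python
import hashlib
import hmac
import secrets
import time

class CreditFile:
    """Hypothetical bureau-side record: hard inquiries are denied by default."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # bureau secret, never leaves the bureau
        self._unused = set()                 # ids of tokens issued but not yet redeemed
        self.audit = []                      # (time, lender, outcome) for every attempt

    def _tag(self, token_id, lender_id, expires):
        # Binds the token to one lender and one expiry; lender ids must not contain "|".
        msg = f"{token_id}|{lender_id}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, lender_id, ttl_seconds, now=None):
        # Called by the consumer after authenticating to the bureau.
        now = time.time() if now is None else now
        token_id = secrets.token_urlsafe(16)
        expires = int(now) + ttl_seconds
        self._unused.add(token_id)
        return f"{token_id}.{expires}.{self._tag(token_id, lender_id, expires)}"

    def hard_inquiry(self, lender_id, token, now=None):
        now = time.time() if now is None else now
        result = self._check(lender_id, token, now)
        self.audit.append((int(now), lender_id, result))  # denials are tracked too
        return result == "allowed"

    def _check(self, lender_id, token, now):
        if not token:
            return "denied: frozen, no token"
        try:
            token_id, expires, tag = token.split(".")
            expires = int(expires)
        except ValueError:
            return "denied: malformed token"
        expected = self._tag(token_id, lender_id, expires)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "denied: invalid token for this lender"  # wrong lender or forged
        if now > expires:
            self._unused.discard(token_id)
            return "denied: token expired"
        if token_id not in self._unused:
            return "denied: token already used"
        self._unused.remove(token_id)  # one-time use: redeeming consumes the token
        return "allowed"
```

A failed attempt by a different lender does not consume the token, so the authorized lender can still redeem it afterward.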
A modernized system would apply default credit freezes to all consumer credit files. It would also require multifactor authentication on credit reporting sites for any consumer login, dispute or unfreeze action. Each hard credit inquiry would require explicit consumer authorization. And consumers should receive timely notifications whenever their credit report is accessed.
Some in the credit reporting industry will resist these reforms, fearing disruption to revenue models built on passive data sales. Reasonable exceptions can be made for soft inquiries used for marketing or monitoring. But hard inquiries, which can be used to establish new credit, should be frozen by default.
Credit fraud is on the rise, and ignoring this growing threat is not sustainable. In 2023 alone, the FTC logged 5.4 million identity theft reports. Elder fraud complaints rose 14 percent and reached $3.4 billion, up from $2.9 billion in 2022 and $1.7 billion in 2021, a troubling trend. Seniors over 60 accounted for 58 percent of losses. These are people toward the end of their careers, and many have retired on a fixed income. They can’t recover from major financial loss.
Congress can act by updating our credit reporting laws with new “frozen by default” regulations. The Consumer Financial Protection Bureau and Federal Trade Commission already hold partial authority and should strengthen oversight. These agencies should not be weakened. States like California and New York can also lead the way with pilot programs.
America’s credit system was built for a world where personal data was scarce and hard to steal. That world no longer exists. A zero-trust, freeze-by-default framework would go a long way toward protecting those who cannot protect themselves from becoming victims of credit or identity fraud.
Daniel Hoffman is a cybersecurity consultant and Certified Information Systems Security Professional with over 20 years of experience in information technology and data security.