Identity theft is a perfectly reasonable analogy. If someone steals my identity and ruins my credit rating, the onus is on me to inform the credit reference agency. It'd be nice if Equifax could telepathically divine whether a credit transaction was legitimate or not, but it simply isn't possible. Google are similarly unable to distinguish between a blackhat SEO scheme and this sort of weird SEO DDoS.
The credit rating agencies could establish reasonably secure channels directly to consumers (passwords would be a start, dedicated tokens would be best), and require explicit authorization through the secure channel for new lines of credit. No account system is perfect, but it'd be a hell of a lot harder to break than "prove your knowledge of full name, address, DOB, and SSN" which are shared and stored all over the place, and bound to leak.
The financial industry or the government (probably at the financial industry's behest) could sign/distribute cryptographic identities along with plastic ones. Opening a new account could require a signature from a signed certificate.
Banks could send prompts to your smartphone asking you to approve/reject ACH and even credit card transactions, à la Venmo. Or you could sign them from a device you control, as with Bitcoin. (Instead, when we get cryptographic signing for payments at all, we get cards which sign all transactions presented to them by devices the consumer doesn't control, without verifying the cardholder's intent except through the merchant's terminal, whose UI could be lying. And we're still stuck with shared secrets for online payments.)
A lot is possible; the financial industry has simply chosen to put consumers (and itself) through the hassle and expense of cleaning up after fraud because it's cheaper than a serious attempt at an authentication system.
Except there are a lot of people (myself included) who see the handling of "identity theft" as banks and credit agencies trying to pass the buck for their own poor approaches to security and verification.
Exactly - in my opinion there is no "identity theft". There is criminal fraud, which the banks are a victim of. However, instead of dealing with that fraud they just pass the costs on to an unrelated individual and then shrug and say "you deal with it".
Google does something much like this - but without regulation or a clear appeal process.