Comments on: Twice bitten: Acts of stupidity can lead to identity theft

For the second time in over a year, a high profile figure has had his identity stolen after publicly releasing his own financial information. Is identity theft really this easy?

[Pippapasses]

Ha!
Jeremy Clarkson hoisted on his own petard! Next I predict he will admit he is tired of breathing in traffic fumes when in central London and buy a G-Wizz -like I did!
Pippa passes

[wizwhack5]

I think we need to make a distinction between "real" identity theft and blatant stupidity. If you tell someone you leave your house key under the mat, you don't claim the person who illegally entered your house stole your identity. This is a case where he gave people all the information they needed to take advantage of the lax security in our current banking systems. Someone didn't really steal his identity. Real identity theft it much more then a fraudulent transaction on a credit card or someone gaining access to one of your bank accounts. Real identity theft is much more damaging and involves people out in the world pretending to be you which damages all aspects of your life including your credit history, tax records, etc..... To call what this guy put himself through identity theft is an insult to all those innocent people out there who have gotten taken to the cleaners by real criminals and are still trying to put their lives back together and prove to the world that they are really themselves.

[gravytoss]

These cases are at the idiot's fringe of all identity theft but they are still valuable for dramatizing the problems for the rest of us who [may not even have been informed that we] have had our financial privacy breeched by the sloppy operation of our banks, credit card clearing houses, market researchers etc.

There is, even with these high profile cases, still an appallingly low percent of convictions or fines either for the morons we trusted with our data or the thieves all to happy to use that data.

I think this points to a third responsible party in this deepening mire for electronic commerce: the careless way credence has been given to fraudulently obtained identities. The bank that honored the 500 pound transfer or the outfit that cashed the check in Texas ... and all the institutions who dished money to thieves with stolen credit information or gave loans to persons whose identities they did not verify... are being negligent. They can't say they don't know about phony credentials any more than the accountant who leaves his unencrypted lap top in the taxi cab can say he has never heard of identity theft. There should be an equal amount of hue and cry about all three contributions to our financial insecurity. Whenever a teller is asking me for a second ID or I get a call from Amex about an out-of-character transaction I do not get cross with them for slowing down or butting into my financial life. I thank them for protecting it.

[ajhoughton]

In the case of Jeremy Clarkson, the only thing you can do with a bank account number here in the U.K. is set up something called a "Direct Debit". The banks are *supposed* to check that these have been authorised before setting them up, but recently there has been a disturbing trend in not requiring signatures etcetera.

Technically he can get all of his money back from his bank under the terms of the Direct Debit guarantee, and it then becomes their problem.

The fact, though, is that the problem with "identity theft" isn't anything to do with the theft of identifying information. It's that the governments and financial institutions *allow* people to steal from others by using facts about an individual as a way of identifying them. Since most such facts are public knowledge anyway, it's hardly surprising that identity theft is easy or indeed that it is growing as a crime.

The right fix isn't to hide everyone's details away. The right fix is to give everyone a proper hardware token with secure authentication. If done right, it would stop identity theft dead.

[ajhoughton]

(I should also have added that a Direct Debit can only be used to pay a business that has signed up to receive Direct Debit payments. It can't be used to transfer money between individuals.)

[AntAllan]

There is absolutely nothing wrong with "using facts about an individual as a way of identifying them". What is wrong is using those facts as a way of *verifying* an identity! I think that confusion is at the heart of some of the problems regarding identity theft.

[ekistics22]

Chris:

Excellent post. I blog about identity theft after IBM lost my personal data in February 2007. As a result, I've had to evaluate various credit monitoring services like Lifelock. In my opinion, companies do not provide free credit monitoring services after a data breach that matches the risk period cause by the data breach. I am evaluating which credit monitoring service to go with after IBM's one-year of free service with Kroll ends. Your post was helpful with my evaluation of Lifelock.

George
http://ivebeenmugged.typepad.com

[tenc21]

scary but true, eh?

[timbrr]

Very humorous post, Chris. IMO, the time is ripe for someone to put Soghoian's Law to the test again. If the CEO of another credit security service published his (or her) info *without* being compromised, they'd get a big gold star in their crown. I think TrustedID's Scott Mitic should try it. They've got a solid track record and a slew of protection features, like an over-the-phone double-checking protocol, and a creditlock freezing feature. Sounds swell--so, Mitic, with all of those measures behind you, why not try to debunk the great Soghoian's LOITS?

Then again: if you were proven wrong, Chris, you wouldn't be infallible anymore! Would the world implode? ;)

Cheery-oh.