April 14, 2005 4:00 AM PDT

Perspective: Mitigating identity theft

(continued from previous page)

holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can't depend on the account holders. That leaves only one reasonable answer: Financial institutions need to be liable for fraudulent transactions.

They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions. They can't say that the user must keep his password secure or his machine virus-free. They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards.

Those aren't reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.

If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business; and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. And they've pushed most of the actual costs onto the merchants.

And almost none of their security centers on trying to authenticate the cardholder.

That's an important lesson. Identity theft solutions focus too much on authenticating the person. Whether it's two-factor authentication, ID cards, biometrics or whatever, there's a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn't the way to proceed.

Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They don't demand that cardholders secure their wallets in any particular way.

Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.

This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don't know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions.

Maybe there'll be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form.

The likely solution will be a combination of solutions that reduce fraudulent transactions to a manageable level, but we'll never know until the financial institutions have the financial incentives to put them in place.

Right now, the economic incentives result in financial institutions that are so eager to allow transactions--new credit cards, cash transfers, whatever--that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks.

Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the United States would be well-served by a comprehensive Data Protection Act, like the European Union has. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.

Doing anything less simply won't work.

Biography
Bruce Schneier is CTO of Counterpane Internet Security, Inc. He is one of the world's foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."


11 comments

The poor banks
Considering the large number of transactions, thousands a second, you cannot expect a bank or credit card company to do that. I think a more reasonable solution would be a cost-effective 2-factor authentication system like this one.

http://www.techmobius.com/tm/UI/Pages/P/IndustrySls/CardSolutions/index.aspx
Posted by (6 comments)
Two-factor authentication won't necessarily solve the problem
Mr. Schneier has argued on his weblog that two-factor authentication won't solve the identity theft problem, because it doesn't defend against phishing scams (also called "man-in-the-middle" attacks) and trojans. All two-factor authentication does is just that, authenticate the user -- a bank or other financial institution wouldn't know for certain if the person making the transaction is an account holder because the authentication data can be replicated or stolen through the aforementioned attacks.

http://www.schneier.com/essay-083.html
(a follow-up to the above essay can be found at http://www.schneier.com/blog/archives/2005/04/more_on_twofact.html)
Posted by (1 comment)
Fraud
Banks should absolutely be held accountable for fraud. If not, they can get away with their own acts of fraud. Bank of America either 'took out' money from my mother's account without her permission, or someone else did. I suspect the former because they refuse to investigate, and they won't send her Bank statement to her. No Bank should be above the law. And, if we can no longer trust the banks, who can we trust?
Posted by (1 comment)
Hackers are careful not to trip any flags
Remember, they do investigate, but hackers are careful not to trip any flags.

Banks experience in excess of 1,000 transactions a second. To think that they can investigate each one or call you after each one is ignorant. Static authentication is to blame. Credit card numbers, social security numbers, online banking passwords, can all be easily stolen. The real solution is using a non-static 2-factor method of authentication, like the banks already use for their affluent clients.
Posted by (6 comments)
That's not a good model
Credit card companies only care about managing the fraud and making sure that the merchants refund the charges. The merchants are the ones responsible for going after the fraud and most do not have the knowledge and resources to do that. In the end the people committing fraud get away with it. I don't call that a good model!
Posted by (2 comments)
Opt-in secure notification scheme as a honeypot
One solution is to use public key encryption and certification to build a notification scheme.

See Epic Ideas for Privacy Reform
http://itheresies.blogspot.com/2005_03_01_itheresies_archive.html

Not everyone would need to join or use it for it to be effective. The people using the system, and getting notified via text message etc, would act as a honeytrap tracking down the criminals.
Posted by David Mohring (22 comments)
The BANKS *Don't* absorb the liability today even
The merchant does. And the banks profit from it. The bank simply does a charge-back against the merchant, gets their money back and advertises that they protect the consumer.

Not only do they not take the hit, but the merchant must simply eat the charge-back.

To add insult, the bank then charges the merchant a processing fee ($20-$40) for each charge-back. Finally, since the bank has direct access to the merchant's accounts, they simply take their money for the charge-back, and the fee and tell the merchant to prove the transaction.

If the end-customer does not agree, the merchant is left holding the bag (and paying the fees and reimbursement). NOT the bank.

Merchants believe they are protected by AVS and CSC checking. They are not. If the bank does the charge-back, the merchant is stuck. Even with supporting documentation, if the customer says they didn't charge it, the merchant is stuck.

The ads that show the bank protecting the consumer drive me nuts. It's the merchant taking the risk, not the banks. As you can see, the banks even *profit* from fraud (charging the merchant a fee for the charge-back).

There is no incentive for the banks to fix this problem.
Posted by (1 comment)
You got it right
The banks not only don't care about the consumer or merchants, but they actively dodge any accountability measures that have already been introduced to help mitigate id theft.

It drives me nuts, too, to see those commercials touting the banks and credit card companies "protection". What a crock! If they REALLY cared they would use their power and resources to address the problem where it usually starts...internally.

All financial institutions should be held accountable for not weeding out their crooked or corrupt employees and they should be accountable for the actions of third-party partners (mortgage companies, car dealerships) that don't implement the required safeguards under the FTC Safeguards Rule. This is a GROSSLY ignored law that went into effect May 23, 2003 but is not being enforced, which is a major reason the financial industry gets away with gross negligence. The only way this is going to change is when enough id theft victims file lawsuits against non-compliant financial businesses for violating their civil rights to privacy and exposing them to undue harm at the hands of id thieves. I could go on but if you want to learn more about this email me at ceebee513@hotmail.com.
Posted by ceebee513 (11 comments)
I disagree
If it's true that Schneier's proposal pushes costs to the merchants (I'm not sure it does) it's still a good thing. They're in the strongest position to prevent impersonation. They can direct their employees to check signatures, require more ID and so on. Not an ideal solution but a start.
Posted by Windowpain (3 comments)
Buy PCs with Trusted computing chips
There are many manufacturers who have released PCs with TPM (trusted platform module) chips: IBM, HP, Dell... These chips can enhance the quality of authentication to any service provider and will be on all new PCs. There are great examples where weak security technology has opened the floodgates of fraud. Remember the early 90's when just going to NY would result in your phone getting cloned. Then we had the ugly solution of the Beep Beep and a pin number for long distance calls, and now it is really cool: it just works. Why? Because each handset contains authentication technology. The PC is now capable of strong authentication. This is similar to 2-factor authentication in every PC at no additional cost to the user.
The first action item is make sure your next PC has a TPM chip.
The second action item is to support the banks, service providers and application vendors who support it.
Bruce knows that the solution to every security problem is to look at the whole solution. The credential being stronger will help. The banks protecting their data with encryption will help. The merchants vetting the transaction will help. But everyone doing their part will create a solution. Cell phones work as we expect today because a solution was built that met the needs of all the parties.

Steven Sprague
CEO
Wave Systems Corp.

A company building software for Trusted computing platforms
Posted by (1 comment)
I think one relevant factor to consider is the efficacy of id theft mitigation services. Some consumers rely on these and feel that they are well-covered, but there's ample evidence that they don't work quite as well as advertised:

http://money.cnn.com/2008/08/26/pf/identity_theft_prevention/index.htm

Sometimes the right answer is a mixture of strategies including the two-factor model discussed above as well as online scanning and monitoring tools. The main differences to consider with these tools are the proactive vs. reactive monitoring models, as highlighted:

http://factoidz.com/identity-theft-protection-services-reviewed-and-compared
Posted by milesjameson (2 comments)