A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies and other financial institutions. Then he racks up debt in the person's name, collects the cash and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions--credit card companies in particular--the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.
Unfortunately, the solutions being proposed in Congress won't help.
To see why, we need to start with the basics. The very term "identity theft" is an oxymoron. Identity is not a possession that can be acquired or lost; it's not a thing at all. Someone's identity is the one thing about a person that cannot be stolen.
The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin.
A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim's name. He impersonates a victim to the Post Office and gets the victim's address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one's identity is stolen; identity information is being misused to commit fraud.
The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on.
But data privacy is more than just fraud. Whether it is the books we take out of the library, the Web sites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue--making personal data harder to steal--whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.
Fraudulent transactions have nothing to do with the legitimate account
Biography
Bruce Schneier is CTO of Counterpane Internet Security, Inc. He is one of the world's foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."
11 comments
http://www.techmobius.com/tm/UI/Pages/P/IndustrySls/CardSolutions/index.aspx
http://www.schneier.com/essay-083.html
(a follow-up to the above essay can be found at http://www.schneier.com/blog/archives/2005/04/more_on_twofact.html)
Banks experience in excess of 1,000 transactions a second. To think that they can investigate each one or call you after each one is ignorant. Static authentication is to blame. Credit card numbers, social security numbers and online banking passwords can all be easily stolen. The real solution is using a non-static two-factor method of authentication, like the banks already use for their affluent clients.
See Epic Ideas for Privacy Reform
http://itheresies.blogspot.com/2005_03_01_itheresies_archive.html
Not everyone would need to join or use it for it to be effective. The people using the system, and getting notified via text message etc., would act as a honeytrap tracking down the criminals.
Not only do they not take the hit, but the merchant must simply eat the charge-back.
To add insult, the bank then charges the merchant a processing fee ($20-$40) for each charge-back. Finally, since the bank has direct access to the merchant's accounts, they simply take their money for the charge-back and the fee, and tell the merchant to prove the transaction.
If the end-customer does not agree, the merchant is left holding the bag (and paying the fees and reimbursement). NOT the bank.
Merchants believe they are protected by AVS and CSC checking. They are not. If the bank does the charge-back, the merchant is stuck. Even with supporting documentation, if the customer says they didn't charge it, the merchant is stuck.
The ads that show the bank protecting the consumer drive me nuts. It's the merchant taking the risk, not the banks. As you can see, the banks even *profit* from fraud (charging the merchant a fee for the charge-back).
There is no incentive for the banks to fix this problem.
It drives me nuts, too, to see those commercials touting the banks and credit card companies "protection". What a crock! If they REALLY cared they would use their power and resources to address the problem where it usually starts...internally.
All financial institutions should be held accountable for not weeding out their crooked or corrupt employees, and they should be accountable for the actions of third-party partners (mortgage companies, car dealerships) that don't implement the required safeguards under the FTC Safeguards Rule. This is a GROSSLY ignored law that went into effect May 23, 2003 but is not being enforced, which is a major reason the financial industry gets away with gross negligence. The only way this is going to change is when enough id theft victims file lawsuits against non-compliant financial businesses for violating their civil rights to privacy and exposing them to undue harm at the hands of id thieves. I could go on, but if you want to learn more about this email me at ceebee513@hotmail.com.
The first action item is to make sure your next PC has a TPM chip.
The second action item is to support the banks, service providers and application vendors who support it.
Bruce knows that the solution to every security problem is to look at the whole solution. The credential being stronger will help. The banks protecting their data with encryption will help. The merchants vetting the transaction will help. But everyone doing their part will create a solution. Cell phones work as we expect today because a solution was built that met the needs of all the parties.
Steven Sprague
CEO
Wave Systems Corp.
A company building software for Trusted computing platforms
http://money.cnn.com/2008/08/26/pf/identity_theft_prevention/index.htm
Sometimes the right answer is a mixture of strategies, including the two-factor model discussed above as well as online scanning and monitoring tools. The main differences to consider with these tools are the proactive vs. reactive monitoring models, as highlighted:
http://factoidz.com/identity-theft-protection-services-reviewed-and-compared