Government To Fix Identity Theft?
Cobb writes "With nearly 50 million identities compromised in the last 6 months, the powers that be are gearing up to fix the problem. 'Prosecutors and privacy experts say that what America needs is a coordinated national strategy. While 15 states require companies to tell consumers if their data has been compromised, there's still no national law.' A new study joins a host of other statistics -- some private, some government-sponsored -- attempting to quantify the size of the ID theft problem. There is no universal agreement on the size of the problem, on the way to count the victims, or even on how to define identity theft."
Maybe he's more creditworthy than you are? ;)
:-)
No, the dog is totally irresponsible with credit.
Anyway, it happened 'cause I was too cheap to pay extra to have the data phone line (pre-broadband) unlisted. Solution - list the data line in the dog's name. Side effect - ads and credit card offers mailed to the dog.
[Insert pithy quote here]
From TFA (which did not have a lot of details), I got the impression that the laws would be geared toward companies that control your personal information and intimidate them into being responsible with it.
For once it looks like "hackers" aren't going to be the scapegoat on this one. Although it may be too soon to tell.
Biometrics is not an end-all, be-all solution. Any electronic data can be compromised. ANY. Digitally encoded biometric data, hardened database, etc. can all be broken or circumvented. It seems stupid to me why people push 'passwords' that you cannot change and/or change themselves over time (biometrics). If this information is ever compromised, and odds are it will eventually, then you will not have an option to set it to something that hasn't been.
Consider this. Fingerprint biometrics. Someone manages to steal a record of your 10 fingerprints, and is capable of reproducing them to fool a biometric sensor. You can no longer be assured that anyone using fingerprint identification is truly you, and what would you change your authentication credentials to after that, your footprint?
Vein biometrics (hand, as per previously recorded on Slashdot) change based on what you're doing, over time, with vascular problems, etc.
Fingerprints are unchangeable, but you have a limited quantity (10) and after that, you have little recourse.
Voice prints may be able to be mimicked sufficiently with recorders, or worse, you could be denied access one day because you had a cold.
Biometrics may be used to help such a system, but they could never take the place of any aspect that may need to be changed at random, such as a password.
How about instead of storing our information we have some sort of password (credit card number, ssn, etc.) that gets encrypted and all we have to do is match the code (obviously not sha1, maybe sha1024). Then there is a big book of codes that everyone can see, but only the individual knows the pass.
Just trying to promote discussion. Please feel free to attack any loop holes in my argument. Or you can just call me an idiot.
We want to be able to walk into a car dealership, bank, electronics store and walk out with whatever it is we want on credit. The only way this is possible is for the financiers to have access to our "credit history" to see what interest level they can shaft us with. If we are so ticked with identity theft, the quickest cure is for us to have a little patience and wait a couple of days for purchase confirmation on big ticket items, and callbacks on others.
Let's say you go to an online merchant and made a purchase. The financial institution should then call you at the phone numbers of record, that you gave when you opened the account, to confirm that it is indeed you that is making the purchase. This would maybe slow us down, and horror of horrors may force us to actually think about whether or not we actually need whatever it is that we are purchasing.
We have been so trained to want things instantly that we are willing to give up part of our financial security for immediate "satisfaction".
Sorry for the rant, but it isn't just the companies that are to blame, and a solution that punishes the institutions without challenging our ways of thinking about the way we approach our finances is only going to change the problem's appearance, not fix it.
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
Funny how fast things happen when the FTC Chief gets their credit card info stolen..
#include bier;
http://www.tampabays10.com/weird/weird_article.as
Want to solve identity theft? Stop making the authentication so easily replayed.
Identity theft is too easy for two reasons:
1. The best uniquely identifying piece of information (in the US) is the SSN. It is a perfect username. And yet, we keep using it as both the username AND the password. It is stupid. Just because I know a unique name for a person shouldn't mean I can open a line of credit for him/her.
2. Even if there were a separate "secret" password, it wouldn't be secret once used. Every time you prove to someone that YOU are you in the current system, you empower that person to prove that HE is you. Let me say that again, because it is important: every time you prove to someone that YOU are you in the current system, you empower that person to prove that HE is you. And, even if you trust that guy, the information you have given can be stolen or lost by him and used by someone else you don't trust.
Instead, we need to find a good way to make public-key encryption work for the masses. Public-key encryption can be used to safeguard one's identity because the authentication is not so easily replayed.
Imagine a dedicated piece of hardware, similar in form-factor to a credit-card-sized calculator, complete with LCD display and numeric keys. Have that card be able to generate key-pairs and easily display and transmit the public key. Then, set up a ubiquitous public key infrastructure that financial institutions and others can use to verify that the public key you give them is really yours.
The government can actually be of help here. Nearly everyone in the US has to go to the DMV and get a driver's license. There is actually quite a bit of identity verification that goes on there, certainly compared to what goes on at a credit-card bank. If the DMV also provided a free key-signing service, then people could bring their key cards in and get their public-keys signed as belonging to the actual person in question.
Then, when a company wants to authenticate that you really are who you claim to be, they can sign a challenge and send it to you. Your key-card can verify that the challenge is legitimate, and respond by signing their challenge using the stored private key. This private key, btw, would never be accessible off the card or shown in the LCD display.
The neat part about this is that the credentials necessary to prove you are you are never anywhere but that key-card in your possession. It can't be stolen from the bank's computer system or replayed by a retail clerk. Even if it gets physically stolen, they would need your PIN number to use it.
Also, because this would be mandated and use open standards, no one bank or institution would need to shoulder the costs. Each individual would have to purchase a conforming card only once and be able to use it for all financial transactions.
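The challenge-response exchange proposed in the comment above, as an added example that is not part of the original thread: a card key vouched for by a DMV signature answers a fresh random challenge, so a captured response is useless on the next attempt. `Card`, `Bank`, `Demo` and the choice of Ed25519 are assumptions made for illustration, and the PIN check and the bank signing its own challenge are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Card struct { // the key-card: priv is generated on it and never leaves it
	Pub, Cert []byte // public key, and the DMV's signature over it
	priv      ed25519.PrivateKey
}
type Bank struct {
	dmvPub  ed25519.PublicKey // the only key the bank trusts to vouch for cards
	pending map[string]bool   // challenges issued and not yet answered
}

func NewCard(signer ed25519.PrivateKey) *Card {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{Pub: pub, Cert: ed25519.Sign(signer, pub), priv: priv}
}
func (c *Card) Respond(ch []byte) []byte { return ed25519.Sign(c.priv, ch) }

func (b *Bank) Challenge() []byte {
	n := make([]byte, 32)
	rand.Read(n) // fresh random nonce for every attempt
	b.pending[string(n)] = true
	return n
}

// Verify accepts one answer per issued challenge, from a DMV-certified key.
func (b *Bank) Verify(pub, cert, ch, sig []byte) bool {
	ok := b.pending[string(ch)] && len(pub) == ed25519.PublicKeySize
	delete(b.pending, string(ch))
	return ok && ed25519.Verify(b.dmvPub, pub, cert) && ed25519.Verify(pub, ch, sig)
}

// Demo returns: honest login, captured signature replayed, card not vouched for by the DMV.
func Demo() (honest, replay, rogue bool) {
	dmvPub, dmvPriv, _ := ed25519.GenerateKey(rand.Reader)
	bank := &Bank{dmvPub, map[string]bool{}}
	card := NewCard(dmvPriv)
	fake := NewCard(card.priv) // certified by a key the bank does not trust
	ch, ch2 := bank.Challenge(), bank.Challenge()
	sig := card.Respond(ch)
	honest = bank.Verify(card.Pub, card.Cert, ch, sig)
	replay = bank.Verify(card.Pub, card.Cert, bank.Challenge(), sig) // old sig, new nonce
	rogue = bank.Verify(fake.Pub, fake.Cert, ch2, fake.Respond(ch2))
	return
}
func main() { fmt.Println(Demo()) }
```

What the bank stores (a public key and a DMV signature) and what a clerk can observe (one signature over one nonce) are both insufficient to answer the next challenge.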
"...it's not identity "theft," it's identity infringement."
Well, no.
"It's not identity "theft", it's identity fraud."
40 million banking customers have had privileged personal information about them compromised in a manner that would suggest that "identity fraud" perpetrated against them is likely at a future time.
There are also persons walking around with completely fraudulent identity papers - birth certificate, social security number, drivers license, employment history, credit cards and credit history, etcetera -- this too is identity fraud.
There is a whole spectrum of identity fraud between unauthorized credit card usage and the "man who never was". It is still fraud. And each and every case of identity fraud should be prosecuted, and prosecuted to the fullest extent of the law. In fact, the law needs to be changed so that ID fraud cannot be "rolled up" into other related charges and pled down. It really needs to be a separate charge, perhaps 2 to 5 years per instance, to be served consecutively with those other charges prosecuted.
Multiple intertwined biometric parameters need to be incorporated into whatever will pass for the RealID Act that was recently signed. The only federal agency that has the expertise to actually protect that data from hackers is the NSA, so it should go into their task list.
First off, I think it's a horrible idea to use SSN as proof of identity. Why reset someone's password with something you can buy on the Internet for $50?
What SSN is good for is a unique number that the person knows that is also common other places. So if I'm 123-45-6789 in one medical database, odds are I'm the same number in another one. When I need to check to see if Person X is really Person Y with a deadly drug allergy in a related database, it's good to have a number that everyone's pretty sure about.
We certainly assign medical record numbers to people, and use that where possible, but the catch is that every clinic and medical system has its own unique medical record numbers. Even if I have access to the data, it's essentially worthless as I can't trust that John Smith in one database is the same John Smith in another.
So while I have concerns about freely sharing financial information between companies, I have different feelings about medical organizations. If my clinic prescribes drugs to me, I sure want my hospital to know what those drugs are. If that information doesn't get passed around, serious medical errors can occur.