Government To Fix Identity Theft?
Cobb writes "With nearly 50 million identities compromised in the last 6 months, the powers that be are gearing up to fix the problem. 'Prosecutors and privacy experts say that what America needs is a coordinated national strategy. While 15 states require companies to tell consumers if their data has been compromised, there's still no national law.' A new study joins a host of other statistics -- some private, some government-sponsored -- attempting to quantify the size of the ID theft problem. There is no universal agreement on the size of the problem, on the way to count the victims, or even on how to define identity theft."
Databases are a pain to maintain.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
~~~
The so called solution turns out to become much worse than the original problem.
Perhaps if banks and merchants would control credit a little better we might not have as much of a problem. They could start by not sending credit card offers to my dog.
[Insert pithy quote here]
Yep, that'll help. Except for all those criminals who don't obey the law.
Ronald Reagan was right, the most frightening words in the English language are "Hi, I'm from the government, and I'm here to help."
All movements for social change begin as missions, evolve into businesses, and end up as rackets.
If the government privatized identity management it could not get any worse. Government made monopolies like that on identity management only end in crisis and wasted taxpayer dollars. Oh well. Our government is out of control these days. Can anyone say revolution time? Pitchforks and shotguns!
I hope they don't form all these committees, have all these meetings, and make a national law that makes it mandatory for companies to tell us our information has been stolen. It would be better if they passed laws that held these companies more financially responsible for these identity thefts. That would help them beef up security. I think...
"That's not ironic, it's just mean!" - Bender
It is silly that someone can commit such fraud just because they collect some numbers (SSN, phone, address, Credit Card, Driver's License, Passport). What we need is a system where simply possessing the numbers does not allow for fraud. The solution probably has something to do with biometrics. Of course, criminals will work against that too, but I just don't see how we can legislate ID theft into submission.
Logic would dictate that your information is private BY DEFAULT, as in other enlightened countries.
The only way to fix the problem is not to have all these laws after the fact, but to stop the sharing at the source. For example, you sign-up at a bank for a new account. You cannot at that time ask for your information not to be shared. You must call up later and say:
1) I don't want my information shared to third-parties.
2) I don't want my information shared to affiliated companies.
3) I don't want any offers, etc.
If you miss one you're screwed. Just think of all the things you've registered for where your information is flying around. It's absolutely unstoppable.
I'd love to do a credit freeze on my account, but in Texas you can only do that AFTER you prove to the credit companies that you're a victim of identity-theft. That's like handing out a condom after rape.
The credit-bureaus snap back that without access to the sea of "metadata" people won't get all these advertisements for low-interest loans and crap like that. Makes me want to puke.
Maybe we can change out our SSN#s every so often, but otherwise I assume having your identity stolen will be common-place in 5 to 10 years.
Peace out!
Happy 4th.
"This isn't a study in computer science, it's a study in human behavior"
The issue is gaining momentum, with several bipartisan proposals aimed at restricting the use of Social Security numbers and creating a new cyber-security center. The latest bill would require companies that collect data to tighten controls and tell customers how that information is used.
Good! It's by no means the silver bullet in identity theft, but I really get sick of having companies ask for my SSN when it's none of their goddamned business! Even when I took Sun certification exams, the unique identifier that they wanted to use was my SSN! Exactly what business is it of a certification examination center to have my (or anyone's) SSN?
The problem, however, is one that government will never be able to fix - consumer stupidity. It's staggering that people are so shocked when they find out that their identity was stolen, yet they will look at you dumbfounded if you ask them:
* Do you shred all of your mail, bank statement, receipts, and so forth before throwing them away?
* Do you make sure to never purchase from e-mails that you didn't ask for?
* Do you make sure to purchase on-line through secure, HTTPS connections?
* Do you willingly give out information to people on the phone who claim to be from one business or another?
I'm sure that the government will do what it can (even if it further tramples on our individual rights one way or another) but until the general public stops their carelessness with personal information or materials that contain personal information, identity theft will keep going and going just like that damned rabbit.
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
The reason identity theft is the fastest growing problem is that a lot of crimes that used to be called something else are now called identity theft.
Someone steals your credit card number and orders porn? That's no longer credit card fraud, that's identity theft.
Someone forges a check against your bank account for porn? That's no longer check fraud, that's identity theft.
Somebody ordering a pizza in your name, because they can't afford porn? That's no longer a phone prank, that's identity theft.
Nearly all economic crime can now be classified as identity theft. Nearly all is being so classified.
It's impossible to tell how much of a problem there is, at this point. We're all too distracted by watching the sky falling.
Identity "theft" is not the fault of the offended party, so why should they have to spend their resources fixing it?
The best idea yet is that unless the creditor can prove that you authorized any purchases made on your account, then they have to eat it. It is the creditor's job to make sure they know to whom they are giving credit. It is then ultimately their responsibility to track down identity thieves. If their internal policies are so lax, that they don't know their customers from a hole in the ground, then they need to shape up. I think that this policy is the only way to get them to fix these problems, by hurting their bottom line.
How about instead of storing our information we have some sort of password (credit card number, ssn, etc.) that gets encrypted and all we have to do is match the code (obviously not sha1, maybe sha1024). Then there is a big book of codes that everyone can see, but only the individual knows the pass.
Just trying to promote discussion. Please feel free to attack any loop holes in my argument. Or you can just call me an idiot.
The biometrics biz doesn't want you to know, but biometrics suck.
Even if one were to develop a much better biometric system, there are serious drawbacks. Any biometric key is really just a password that cannot be changed, even if the password has been compromised, or even if the whole system has been cracked wide open.
Suppose someone invents a "foolproof" retinal scanner system, which is deployed at every point-of-sale terminal in the US. All credit card transactions are verified with the retinal scanner. A year later, someone figures out a way to imprint retinal holograms on contact lenses, or finds some other circumvention. Now if someone gets his hands on your retinal data, your financial life is completely hosed, forever, or at least until you convince the powers-that-be to trade in $50 billion worth of retinal scanners for updated models. You can't call the credit card company and ask for a new retina.
As ever, security is really more about attitude than about devices. An awful lot of dollars worth of credit card fraud, for example, would be stopped cold if store clerks bothered to just check the signatures on credit card slips.
The next step is to limit sharing of personal information; this is something that some states have achieved.
Make sure that lists are opt-in. Businesses must ask personal permission at all times.
Higher penalties for stealing mail or other personal information that is used for wrong purposes.
Require online businesses to use secured connections for better protection.
Hold banks, credit card, loan agencies, etc. accountable for credit history fuckups.
Require timetables on identity theft resolutions; have businesses pay for it.
Fine companies for losing personal information.
If this does not work, let people buy cheap guns and shoot mother fuckers who commit or contribute to identity theft. Why should people sit in silence if credit card industry gets a fat profit that is growing from year to year? Make those fuckers responsible for their fuckups.
but no one will want to do it.
Apply the same privacy and security standards to financial institutions that HIPAA requires.
I went to work on a PC at a doctor's office, it was the machine that contains patient records.
That machine was forbidden from being connected to the internet in ANY way whatsoever and was forbidden from being connected to their in-house LAN.
The STAND ALONE machine had a modem in it but it was only allowed to connect to a certain system through a single dial-up line.
No other use of the machine was permitted. It had no disc drives so it was not possible for employees to install stuff from home or to copy things from it.
The machine was pretty damn isolated from the outside world.
Of course that will never happen with financial institutes because they WANT these things to happen, that way the people will cry for more security. And they will get it, with Orwellian security like retina scans and sooner or later, DNA scans, like in the movie GATTACA
Personally, I have no financial anything. I don't use banks at all in any form. I have no credit, I have no savings or checking accounts, I have no credit cards.
I live strictly by cash alone. Everything I own is paid for. I pay utility bills with green cash, in person at the local grocery store. I owe no one for anything.
You want to steal my identity? I don't give a shit, go ahead, I don't use it anyway..
We want to be able to walk into a car dealership, bank, electronics store and walk out with whatever it is we want on credit. The only way this is possible is for the financiers to have access to our "credit history" to see what interest level they can shaft us with. If we are so ticked with identity theft, the quickest cure is for us to have a little patience and wait a couple of days for purchase confirmation on big ticket items, and callbacks on others.
Let's say you go to an online merchant and made a purchase. The financial institution should then call you at the phone numbers of record, that you gave when you opened the account, to confirm that it is indeed you that is making the purchase. This would maybe slow us down, and horror of horrors may force us to actually think about whether or not we actually need whatever it is that we are purchasing.
We have been so trained to want things instantly that we are willing to give up part of our financial security for immediate "satisfaction".
Sorry for the rant, but it isn't just the companies that are to blame, and a solution that punishes the institutions without challenging our ways of thinking about the way we approach our finances is only going to change the problem's appearance, not fix it.
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
Funny how fast things happen when the FTC Chief gets their credit card info stolen..
#include bier;
http://www.tampabays10.com/weird/weird_article.as
Want to solve identity theft? Stop making the authentication so easily replayed.
Identity theft is too easy for two reasons:
1. The best uniquely identifying piece of information (in the US) is the SSN. It is a perfect username. And yet, we keep using it as both the username AND the password. It is stupid. Just because I know a unique name for a person shouldn't mean I can open a line of credit for him/her.
2. Even if there were a separate "secret" password, it wouldn't be secret once used. Every time you prove to someone that YOU are you in the current system, you empower that person to prove that HE is you. Let me say that again, because it is important: every time you prove to someone that YOU are you in the current system, you empower that person to prove that HE is you. And, even if you trust that guy, the information you have given can be stolen or lost by him and used by someone else you don't trust.
Instead, we need to find a good way to make public-key encryption work for the masses. Public-key encryption can be used to safeguard one's identity because the authentication is not so easily replayed.
Imagine a dedicated piece of hardware, similar in form-factor to a credit-card-sized calculator, complete with LCD display and numeric keys. Have that card be able to generate key-pairs and easily display and transmit the public key. Then, set up a ubiquitous public key infrastructure that financial institutions and others can use to verify that the public key you give them is really yours.
The government can actually be of help here. Nearly everyone in the US has to go to the DMV and get a driver's license. There is actually quite a bit of identity verification that goes on there, certainly compared to what goes on at a credit-card bank. If the DMV also provided a free key-signing service, then people could bring their key cards in and get their public-keys signed as belonging to the actual person in question.
Then, when a company wants to authenticate that you really are who you claim to be, they can sign a challenge and send it to you. Your key-card can verify that the challenge is legitimate, and respond by signing their challenge using the stored private key. This private key, btw, would never be accessible off the card or shown in the LCD display.
The neat part about this is that the credentials necessary to prove you are you are never anywhere but that key-card in your possession. It can't be stolen from the bank's computer system or replayed by a retail clerk. Even if it gets physically stolen, they would need your PIN number to use it.
Also, because this would be mandated and use open standards, no one bank or institution would need to shoulder the costs. Each individual would have to purchase a conforming card only once and be able to use it for all financial transactions.
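The exchange described in the comment above, as an added example that is not part of the original comment: a DMV-endorsed card key, a bank-signed challenge, and a check that a captured response fails against a fresh challenge. Ed25519 from Go's standard library is an assumed stand-in for the card's unspecified key type, and the names `KeyCard`, `NewKeyCard`, `Respond`, `NewChallenge` and `Accept` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyCard is the hypothetical card: priv is unexported and never leaves it.
type KeyCard struct {
	priv      ed25519.PrivateKey
	Pub, Cert []byte // public key, and the DMV's signature over it
}

// NewKeyCard makes a key pair on the card; the DMV key signs the public half.
func NewKeyCard(dmv ed25519.PrivateKey) *KeyCard {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &KeyCard{priv, pub, ed25519.Sign(dmv, pub)}
}

// Respond signs the nonce only if the challenge carries the bank's signature.
func (c *KeyCard) Respond(bankPub ed25519.PublicKey, nonce, sig []byte) []byte {
	if !ed25519.Verify(bankPub, nonce, sig) {
		return nil
	}
	return ed25519.Sign(c.priv, nonce)
}

// NewChallenge is the bank's side: a fresh random nonce plus the bank's signature.
func NewChallenge(bank ed25519.PrivateKey) (nonce, sig []byte) {
	nonce = make([]byte, 32)
	rand.Read(nonce)
	return nonce, ed25519.Sign(bank, nonce)
}

// Accept checks the DMV endorsement of the card key, then the response to this nonce.
func Accept(dmvPub, cardPub ed25519.PublicKey, cert, nonce, resp []byte) bool {
	return ed25519.Verify(dmvPub, cardPub, cert) && ed25519.Verify(cardPub, nonce, resp)
}

func main() { // one honest exchange, then the captured response replayed on a new challenge
	dmvPub, dmvPriv, _ := ed25519.GenerateKey(rand.Reader)
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	card := NewKeyCard(dmvPriv)
	n1, s1 := NewChallenge(bankPriv)
	resp := card.Respond(bankPub, n1, s1)
	n2, _ := NewChallenge(bankPriv)
	fmt.Println(Accept(dmvPub, card.Pub, card.Cert, n1, resp), Accept(dmvPub, card.Pub, card.Cert, n2, resp))
}
```

The response is bound to one nonce, so whoever records it (a clerk, or a breached database) holds nothing reusable; the PIN check on the card is outside this sketch.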
First off, I think it's a horrible idea to use SSN as proof of identity. Why reset someone's password with something you can buy on the Internet for $50?
What SSN is good for is a unique number that the person knows that is also common other places. So if I'm 123-45-6789 in one medical database, odds are I'm the same number in another one. When I need to check to see if Person X is really Person Y with a deadly drug allergy in a related database, it's good to have a number that everyone's pretty sure about.
We certainly assign medical record numbers to people, and use that where possible, but the catch is that every clinic and medical system have their own unique medical record numbers. Even if I have access to the data, it's essentially worthless as I can't trust that John Smith in one database is the same John Smith in another.
So while I have concerns about freely sharing financial information between companies, I have different feelings about medical organizations. If my clinic prescribes drugs to me, I sure want my hospital to know what those drugs are. If that information doesn't get passed around, serious medical errors can occur.