New Identity Theft Technology Fails to Protect

Nuclear Elephant writes "According to BBC News, identity thieves are quickly adapting to new technologies such as chip-and-pin credit cards using human nature tactics rather than cracking the technology. At least that's what Dr. Emily Finch (UEA), who interviews career criminals about their activities, claims. Finch swapped credit cards with a male coworker and performed a number of transactions without being challenged by cashiers. Finch also believes biometric identity cards will only exacerbate the problem. Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

Always a way!

[usageman]

It is possible that one day the imbedded chip under the skin would become law it may even come with a gps and auto feature that disables the user installed in it as well. But taht makes me think about the Bible in the mark of the beast and son on.With all the things you can buy unchallenged with a credit card there will always be a way around any security feature period.

embedded identity

[sedyn]

"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

I fail to understand how an embedded chip would make identity theft any less of a problem. While it may reduce social enginering which the article defines as a problem, how would it eliminate the technical (and in the case of securing identity information, most important) aspect.

For example, assuming that theives can get around biometric data. What is going to stop them from removing a "read-only" chip and installing a "read/write" chip?

Back to basics

[macemoneta]

"Regardless of which side of the fence you sit on, could this take us closer to embedded chips under the skin?"

If it does work outside of your body, it won't work inside your body. There is no absolute way to prove identity. It's a bummer, I know.

You can prove (within acceptable limits) that some biometric data (like a DNA sample) comes from you, but there is a gap between that information and identity. Identity is solely a "web of trust" issue. Trying to solve identity theft with some piece of information (like a password) or biometric data (like a fingerprint) will only raise the bar for identity theft.

One Time and for All

[Doc+Ruby]

Why are credit card companies taking so long to make each transaction covered by its own one-time password? Why do I give the same CC# to a recipient, without security? The card is almost always processed by a machine now, even with a (usually minimum-wage) human handling the transaction. Why should the recipient be trusted not to rerun the charge, or increase it, or share the access info with someone else?

I know that credit card companies cover fraud loss over $50, so they are paying some of these costs of fraud. But automation has made frauds <$50 much more profitable and common. And identity theft comes after one leak in the identity privacy chain, often without direct damage to the leaking organization. And usually in much greater amounts than the original transaction could have allowed - and usually with much further damage to future transactions than even the value of the theft.

One-time password tech is much cheaper than the losses we're suffering. And the necessary automation overhead could make the entire transaction system safer and more efficient for legitimate transactors. Where is it? Are banks just making so much money off all their transactions that new systems like one-time passwords are just to low on their priority list? With all the ID theft running rampant, what crisis could it require to force action to protect us?

All the more reason to go cash

[Allnighterking]

No matter how hard you try. You can't steal my ID if I use cash. You might steal my cash. Not my ID. Do transactions indoors at the teller window. (Most banks will not ensure that any deposit made at the ATM will make it into your account.) Get to know your tellers. Facial recognition helps a lot. Saved my Grandfather (according to him) years ago when someone tried to cash a stolen payroll check. The tellers knew him. The cops where called.

Am I alone in noticing that the more protections they build in the easier theft becomes? It would seem that the more you tell people they are too dumb to protect themselves the more they act like idiots.

Re:All the more reason to go cash

[Overzeetop]

It's like anything else...the more safe you make it, the more complacent we will become. I'm convinced that each person has a risk tolerance band, rather than a limit. They will do foolish things to stay above the "minimum risk" line while still staying below the "maximum risk" line. They will also endeavor to raise the lower limit, proving a perceived reduction in risk. This creates a sort of risk-instability, in which the drive to maximize your "return" (aka, stay above your minimum risk)puts you perilously close to your maximum risk line and results in catastrophic failures rather than minor, progresive ones.

I probably shouldn't have used "return" above, as you might think I'm referring to financial investing. I'm not. A return would be to reduce your commute time by 2-5 minutes, allowing you to sleep a bit later. The risk you add is driving faster and closer to the car in front of you than conditions would otherwise permit because you have ABS and air bags. Or reducing the effort required to mow the lawn by getting a self-propelled lawnmower, and then using a velcro strap to lock it in the "on" position so you can mow one-handed, closer to that steep hillside, increasing the chance that you and the (locked-on mower) will careen down the bank, cutting out chunks of your [insert appendage here] and destroying your neighbor's [insert anything valuable here].

It's all about liability

[slim]

When I was over in the States recently, quite a few cashiers would notice my chip'n'pin card, mention that the US would be moving over to them soon, and saying how nice it will be to have that extra security.

Sometimes I would try and explain the catch.

Since chip & pin supposedly makes fraud impossible, banks have shifted the liability for chip & pin fraud away from themselves and onto the consumer.

That is -- is someone clones your card and forges your signature with a traditional credit card, you can call the credit card company, tell them you didn't make that purchase, and (unless they can prove you were lying) they will refund you the money. They might write the money off, or they might pursue the criminals responsible; it's not your worry. Accepting this risk is all part of their business model. That's what banks are all about.

However, in the UK at least, this changes with chip & pin. If someone shoulder-surfs your PIN, pickpockets your card, and spends money on your card, the bank now says it's YOUR responsibility.

In one way: fair enough, there are precautions you can take to safeguard your PIN, but on the other hand, isn't taking on that liability one of the things we're (directly or indirectly) paying our card providers for?

chips won't work either. Nothing will

[pair-a-noyd]

You need to see Gattaca and here

They were taking DNA samples in real time from people for access control.

The guy went to extreme measures to defeat the real time DNA sampler.

No matter what they try, no matter what measures they try to take and enforce, there will always be people that will find ways around it.

Personally, I will tell them to stick their chips up their asses. When it gets to that point, I'm leaving civilization and heading for an island somewhere, I'll live off of coconuts and iguana stew.

reminds me of...

[amcdiarmid]

The problem of this type of security is that it attempts to replace thought on the part of all involved. (see zug.com about credit card fun)

When I and my wife got a joint account, the bank swapped our pictures on our atm cards. We look nothing alike, each being easly taken for our respective genders. I used mine (with her picture) for six months without anyone even glancing at the picture. Eventually, when I got passport photos at a local picture processing shop: the clerk looked at the card and refused to process it.

Literally after hundreds of transactions including a good number in the $250/300 range. Unfortionatly "Security" (tm) is everyones job, but no one wants to do it.

Biometrics cellphones

[jsveiga]

A friend just came back from Japan, where his cousin was paying groceries et all with his cellphone, which had a "sweep-type" fingerprint scanner (and videophone, and fast internet, etc).

I also heard years ago that somewhere in Scandinavia you could pay some soda vending machines just by calling the phone number on its front with your cell phone.

It is interesting to see phone companies grabbing part of the credit card market.

Maybe it'll converge to using your phone/phone account as an ID, driver's license, bank account, credit card, and even to call people!

Instead of money, you'll be paid in talktime credits...

cashiers asking for ID

The cashier didn't ask for the coworker's ID probably because he looked like a non-threatening white person.

My experience:
I was standing in line one time and two friendly-looking white women ahead of me used their credit card without the cashier asking for their ID. When it was my turn, the cashier asked for my drivers license to check my signature on the receipt. I guess the cashier assumed two white women are less likely to commit fraud compared to an asian guy. Acting casual and friendly is how con-artists get away with fraud.

I don't mean to turn this into a race issue, but it cannot be ignored.

Re:Who needs eyes?

[Detritus]

I've read about a number of local cases where the thug kidnaps his victim and takes him to a cash machine, forcing the victim to make a withdrawal or be shot. These are the same dead-enders who switched to carjacking when it became too difficult for them to steal unattended cars.