Combating Identity Theft
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
Can't they just use 'whois'?
Starsucks
There's really no point to fighting identity theft. If someone wants your identity, they'll take it.
--CowboyNeal
A big part of the problem is that the banking industry isn't always taking advantage of their own safety checks. For example, take a look at these stories to see how merchants pretty much ignore the signatures on the back of credit cards.
Like woodworking? Build your own picture frames.
...just buy a deserted island, build a house and NEVER leave.
He who knows best knows how little he knows. - Thomas Jefferson
- Central db of headshots collated from driving license database.
- Individual must ok access with bank, cc etc prior to use.
- terminal pulls up picture at point of physical transaction (or verification)
- couple this with biometric as required
Uh... okay. I guess I'm living in fantasyland.
Nevermind.
Electric Monkey Pants
You mean AOL isn't going to keep me safe? The monkey isn't going to come out and whack baddies for me?
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
As noted, hardening identity security is extremely costly and difficult. Another option may be to reduce the importance of an identity, make them easier to get rid of and recreate. For example, if someone grabs your credit ID and maxes you out, you'll have to battle for years to get your credit rating restored. If a system could be developed to trivialise the impact of Identity Theft, then the importance of security would decrease from its current point. Yes, it's treating the symptoms, but in this case it could be the cheapest and easiest way to having a safe experience for customers.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
**I** am Anonymous Coward, this ^^^ guy stole my nick. Don't believe a word he says!
Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required:
In the end, we're saddled with all these different ids (let's not even get into usernames and passwords for on-line banking or web site membership). And all these ids share the common feature of having to be tied back to an individual somehow. The problem lies in the fact that thieves can get their hands on pieces of data (address, SS#, phone number, DL#, etc.) that allow them to replicate you and then use that information to either utilize resources you already have or create new resources that they can exploit (mortgages, loans, etc.).
Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the foreseeable future.
GetOuttaMySpace - The Anti-Social Network
Mar 11, 2005 -- How identity theft really occurs
Identity theft has become huge, as we all know. But how and why does it occur? Many people think that identity theft occurs because of what we do online. But just slightly more than 10 percent happens online. Almost all of it occurs when someone steals your checkbook, your wallet or your mail. The Internet actually helps in reducing ID theft, according to the Better Business Bureau. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find things quickly and can report them right away. So, if you still have a checkbook and you refuse to part with it, keep it at home and know where it is at all times. This is especially important for businesses, which are expected to keep a higher standard of security when it comes to securing checks. Businesses have liability for checks written that are stolen. So, keep very good track of your checks if you own a business.
Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
I know it would be a serious inconvenience on everyone, but couldn't they just make it harder to get Credit/ID? If all you need is a couple key pieces of information, (SIN (SSN), Driver's license, another credit card, etc..) to be able to get credit under a certain name, then it's the bank's fault when people do it. They should make it a lot harder. For any new credit cards/loans/mortgages over $5000, then you should have to meet in person, and show real ID (like a passport). Maybe this could be on a sign up basis, so that it doesn't annoy everyone, but I know that I get new credit cards seldom enough that it wouldn't be the end of the world if I had to wait a few weeks.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
ID theft is predominantly an issue with companies setting insecure networks and allowing their clients to run insecure OS configs. The best solution for this is to change the laws to allow companies to be sued if they allow this or if they have not taken ALL possible steps to prevent it.
I prefer the "u" in honour as it seems to be missing these days.
It's not theft. It's fraud.
Evil people are out to get you.
Prepaid legal does IDentity Theft, it just costs money.
God spoke to me.
Posting AC for obvious reasons.
Just don't submit any sort of transactions online. The Internet is NOT secure enough to submit anything I care about losing. I have witnessed far too many examples of this, since a network is only as good as its weakest link. You think your money is safe because you submit it to a server in a locked data center? I cannot even discuss half the things I have seen in the past, that is, if I want to keep my job.
merchants pretty much ignore the signatures on the back of credit cards
This is common knowledge. I haven't signed the back of my card in over 10 years. What's funny is when a cashier actually looks at the back of the card and then just proceeds on even though there's no signature. Let's face it though, even if they did check, it's a worthless security measure anyway. Any crook with even a primitive grouping of nerve endings in their skull can take the few minutes to come "close enough" to the signature on the back of the credit card they just stole.
Interesting side note about the saying that the "banking industry" is not taking advantage of their own safety checks. When I went to get a cashier's check for the down payment on some real estate (around $13K), my bank gave me MASSIVE amounts of grief because my signature on the cashier's check request did not match the signature they had on file for me, nor did it match the signature on my driver's license (all three were different). I ended up having to produce another form of picture id (which for most people is difficult, since usually it's your driver's license that has a picture, for some it could also be a student id, for many you're SOL) and signing another signature card. Turns out that while the signature card is not used generally to check the signature on checks (its bank-stated purpose), the bank does check it for transactions over $10K.
There are many simple things that could be done to make identity theft harder, but they won't be done because it also makes marketing harder. Everything that makes it more difficult to commit identity theft also makes it harder to grant people instant credit online. Making it difficult to establish new accounts is bad for the businesses, but it would be beneficial to security conscious customers.
In some countries, a company issuing a credit card has to send someone out to verify that the individual is who they say they are and applied for the account. I would like a system like that. At a minimum, it would require that people committing ID theft be local to their victims. Unlike now, it would be much harder for someone to try to set up numerous fraudulent accounts for victims all over the world.
If I could specify my preferences, I would like to require that all accounts being created or modified in my name required that the change be made in person. This would not be much of an additional burden for many of my accounts. There is no way for me to set up and enforce such a policy. The closest I can come is a fraud notice on my credit report that tells the issuer to call me before opening an account, but there are companies that will ignore that since there is no obligation to comply with that request.
Identity wants to be free. You could open source your ID and make it available to everyone, with the only stipulation being that any additions or alterations someone else makes will also be made available.
Who do you want to be today?
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Federated identity systems have not been well accepted, and I don't expect to see any for quite a while. We have the MS Passport, which still placed too much trust in MS. We have the Liberty Alliance working group which has had lofty goals and major industry support, but it still hasn't produced much of value in years of work. I think individual identities and credential repositories and credential wallets are our best bet for a while.
Steps to thwart identity theft:
1. Obtain an assumed identity (black market)
2. Get a PO Box under the new name
3. Get an unlisted phone under the new name
4. Rent an apartment under new name
5. Apply for every new credit card you can under your old name and run them all up to the max
6. Stop paying your mortgage, credit cards, and insurance
7. Accept foreclosure on your house and move to the apartment, do not leave a forwarding address
In short, the best way to thwart identity theft is to ruin your credit and start a new identity.
Believe in things of which no person has ever learned
1. Some government authority keeps a list of all citizens. In many countries they do already.
2. The list also holds information on whether the individual has been issued a driving licence or a passport or any other reliable id-card.
3. The list should have a copy of data suitable for identification, saved at the time of licence/passport issue: picture, fingerprints, etc.
4. Whenever someone is applying for a licence/passport or other identification card, the list is checked.
If you lose nothing when your identity is "stolen", then what's to stop some unscrupulous person from doing so ... repeatedly?
The money has to come from somewhere.
If a single item will "identify" you, then the value of that single item skyrockets.
As the value goes up, so does the incentive to break the system so that you can cash in on it.
Just don't submit any sort of transactions online.
How is paying through a broker, such as Paypal, inherently more insecure than me simply handing my CC over to Joe the Waiter, who can easily write down my number, double-swipe, etc?
And Bruce Schneier has said the same thing. If you want to fight identity "theft" (really just old fashioned fraud), then you put the burden on the financial institutions.
Once their costs exceed the profits, they'll change their processes.
Until then, they'll talk a lot, but do nothing of real value.
I agree, currently it is *way* too easy to copy a number or two and steal an identity. A rational world would have gone to a single id card, since whatever databases that can be made with an id card number can be made just as well with a SSN. Most of the problems with a national ID card revolve around the gov't knowing "too much" about its citizens and rounding up gun-owners. If the federal gov't simply digitally signs a public key and biometric id/photograph of the person to be stored on the card, and doesn't store it in a database, then we get the benefit of a more secure id without the dangers privacy advocates warn us about.
I would much prefer a biometrically locked card, with something that required a thumbprint or something to release my signed public key stored on the card along with the digitally signed receipt. The key could encrypt a picture that is displayed on the cash register, but it seems like having a computer do a biometric rejection is less likely to cause a lawsuit. Plus, what clerk wants to examine a photograph and say "this doesn't look like you" several times a day?
"Scientists don't change their minds, they just die." -- Max Planck
It's all fine and good that you won't leave the island. What would happen when some thief comes onto your island, dresses like you, and steals your significant other. Or I suppose you can just develop a two-factor authentication system for a chastity belt.
Proof by very large bribes. QED.
(Identity) theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly.
Ah yes, more unattributed and meaningless statistics. Obviously we must leap up and address this issue!
If, as noted in another post, only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. Surely there are a couple of thousand varieties of crime that would offer a better return on the investments in crime fighting.
Dollar for dollar how does on-line originated fraud compare to fraud by more traditional means? Is the growth in on-line fraud increasing the amount of fraud, or are the fraudsters just moving to a new platform while keeping the level and likelihood of fraud constant?
I guess that I better turn on my TV news channel for the answers.
Meanwhile I'll continue to be more worried about handing my Visa card to the pimply faced kid at the corner gas station.
Three Squirrels
Identity copyright infringement
Guy asked me for a quarter for a cup of coffee. So I bit him.
I was just an ID theft victim. Some douche in Philly opened up a cell phone account with all my info. Now I have to constantly watch my credit for the next year. It's bad enough knowing that your name, address, SS#, etc, all are floating around in 50,000 different legitimate locations, but it really sucks when someone with malicious intent gets ahold of that information. There really isn't anything anyone can do for you either once your information is stolen. You can only file a police report and then notify the credit agencies. Real damage gets done and people's lives have been completely turned upside down because of ID theft. Sadly many people end up battling ID theft for years and years. It's only going to get worse.
If you wanna get rich, you know that payback is a bitch
After reading the article I found a couple of the points to be near disturbing, to such an extent I choked on my coffee.
1. This allows individuals to use one form of identity to authenticate themselves to a range of different organisations.
This is a security breach in and of itself. The idea is to make a system harder to get into; by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or lose it for a single person to attack a vast amount of networks.
2. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organisations to authenticate their users with the same identity.
A part of Information Security is Information Control. This is an easy way to lose control of a secure environment. The CIO is relying on a secondary company that he/she is not physically monitoring to maintain positive control of their security environment. I for one would allow NO ONE access to my tokens or authentication system that didn't reside behind my firewall. Information security should not be about cost effectiveness. It is no secret that it is not cheap. Though cross organizational security is becoming more robust with software and a wider array of risk management, there is still the human factor that no one can control, i.e. there is no cure for human stupidity.
3. On the upside
There is of course a way to manage this kind of environment: intense risk management. The amount of resources the organization would have to dedicate to risk management almost makes this concept not cost effective. There would have to be an entire task force not associated to any of the corporations and would have to manage and assess security risks. The reason being is to gather non-biased information. This would be costly and time intensive.
4. There are alternatives?
The alternative and one that I am seeing become more common is to share a single platform but on the backside enforce a stronger security measure. Example, John logs in via a token system that is shared and then re-authenticates via biometrics on the backside. There goes cost effectiveness right out the window. The best biometric systems are very expensive and timely to roll-out. SafLink offers a great solution but is very costly and does not include hardware. Biometrics is the way to go albeit there is still a chance of a security breach if a hacker gains access to local cache files that store the bio-information. It would be near impossible to break the algorithm but there is still that chance.
I guess with all security there is that same risk. There is no truly secure system, but we all make out as best we can. As security becomes more intense so will the possibilities of intrusion, for every action there is reaction.
Identity theft will remain a problem until the Credit reporting companies are forced at gunpoint to put in place controls to limit it and allow the owner to "lock" their credit report from any reading or reporting. The Credit companies make a crapload of money off of the illegitimate credit reports that are pulled on every person thousands of times a day. I typically find from 10 to 30 illegitimate credit report requests in my credit report every quarter from companies "phishing" for people to send pre-approved credit card offers and refinance requests, etc...
Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.
It's an industry problem that the industry refuses to fix because they profit from it.
Do not look at laser with remaining good eye.
The University of Wisconsin just released a report on how credit unions are handling identity management. I'm sure similar conclusions can be drawn in other industries. The report can be found at http://www.uwebc.org/docs/CUReport2006.pdf
From their press release:
"New technology implementations, such as biometrics, are changing how identities are managed," said Alfonso Gutierrez, UWEBC associate director for research and education. "Credit unions are currently implementing these in varying degrees, and the implementations seem more experimental than mature. We'll likely see many changes before they become standard."
Other key findings in the study include:
- Credit Unions perceive that the cost of IdM is far outweighed by the risks of not implementing IdM security measures.
- The biggest vulnerabilities lie not in faulty software or hardware packages, but in how users protect their passwords and credentials outside the system.
- IdM is being handled by high level governance bodies such as boards of directors, which tends to leave out more technically savvy IT staff.
- Many IdM processes are performed manually, despite existing automated tools that reduce errors in creating and managing identities.
- Regulations demanding multiple layers of authentication are slowing the validation of online users by seconds, adding up to thousands of hours annually.
The free research report is available online. The survey builds on a series of successful collaborative research projects conducted by CUNA Mutual, CUNA, other credit union groups and the UW-Madison E-Business Consortium.
UWEBC is Wisconsin's leading organization that helps companies gain a competitive advantage through e-business. Its members - business executives and senior managers from the Midwest's leading companies - tap into world-class university resources and the collective experiences of this business-to-business and business-to-consumer group on strategic e-business and information technology challenges.
You must be listening to a bit too much Ummagumma if you think I will fall for that....but if you can go to $75.00, its a deal!
He who knows best knows how little he knows. - Thomas Jefferson
I was a victim of ID theft 5 years ago. A credit card company (Next Card IIRC) gave someone a credit card who had only my name and SS#, wrong date of birth and wrong address. Anyway this guy went to Vegas and ran up quite a bill. It was only when the card remained unpaid that the company bothered to track down the real me.
They wanted me to sign an affidavit. I told them I wasn't signing anything, it wasn't my problem. I quoted the following from CHAP. 41, SUBCHAP VI, sections b and e of U.S. Code TITLE 15 which states:
(b) Burden of proof
In any action which involves a consumer's liability for an unauthorized electronic fund transfer, the burden of proof is upon the financial institution to show that the electronic fund transfer was authorized or, if the electronic fund transfer was unauthorized, then the burden of proof is upon the financial institution to establish that the conditions of liability set forth in subsection (a) of this section have been met, and, if the transfer was initiated after the effective date of section 1693c of this title, that the disclosures required to be made to the consumer under section 1693c(a)(1) and (2) of this title were in fact made in accordance with such section.
(e) Scope of liability
Except as provided in this section, a consumer incurs no liability from an unauthorized electronic fund transfer.
Anyway, they took care of everything after that. Including my credit rating.
...are the three keys to security. Who you are includes fingerprints and retinal scans, what you have includes fobs and keys, and what you know includes passwords. Pick two groups to go with (key fobs and passwords, for example) and you should be fairly secure, or pick from each group (say, retinal scans in addition to keys and pass phrases) and it will be sufficient for military use.
The Postal Service in Germany offers a service called PostIdent. Customers and third parties can rely on this service. I am sure there is a post office in your neighborhood. Why is this service not available in the US?
e =6394w aybar&page=0019allproducts
http://www.deutschepost.de/dpag?lang=de_DE&xmlFil
http://www.usps.com/all/welcome.htm?from=homedoor
That's exactly one reason why I don't use credit cards either. :)
Banks and merchants have no pressing reason to prevent identity theft. You see, they don't pay for its consequences, we do. For them, fraud is just part of the cost of doing business, and guess who winds up covering that cost--we the customers. Interest rates on credit cards are calculated to cover the risk of fraud, and prices take into account the losses suffered by merchants through theft. It's all part of a system in which commercial institutions write the rules to protect their interests--at our expense.
Great men are almost always bad men--Lord Acton's Corollary
Obligatory Family Guy Comment:
"It's like sex with Kobe Bryant; you can kick and scream all you like... but in the end... it's going to happen."
Most of the identity theft is due to people being stupid with their information... Falling for Phishing schemes, using websites that aren't known to the public. Just not using common sense.
[%] Cingular Ringtones
Press "No" ;)
Yeah, it felt kind of weird at first when I did it for a few times feeling like I was stealing gas without printing the receipt, but I figure if they were going to accuse me of stealing gas they wouldn't let me pump it without being authorized with my card.
Saves me from having to worry about forgetting to grab the ticket and maybe save a few trees in the process.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I wonder if all of the efforts that were made to deal with Y2K bugs may have a detrimental effect on future needs for technology improvement. Consider that a whole lot of businesses were convinced to spend a whole lot of money to do Y2K fixes, the result of which appeared to be ... nothing. Executive committees, boards of directors, shareholders - the appearance is that a lot of money was spent, and after the turn of the millennium, everything was the same as before.
Now there's another need for technology improvement, in the area of data and network security. From a layman's standpoint, it looks like, "Hey, you need to spend a lot of money and increase the cost of doing business going forward, to prevent against a risk that may never come to pass." And even if the risk does come to pass, it's likely going to be a handful of victims, with little repercussion to the business whose lax security was the root cause.
We spent all that money on Y2K, and didn't get an obvious return on it. Why should we do that again? Interestingly, this belief surely exists at insurance companies - who are trying to get their clients to pay a regular fee to mitigate risks.
And, in truth, it's probably cheaper for these businesses to deal with clean-up costs after a few people are victimized than it is to spend proactively to protect everyone. It's like the automotive recall equation from Fight Club.
Web 2.0 == Giant Blogspam Circle Jerk
This is a genuine question--I don't know much about cryptography, so I'd welcome some informative discussion about this issue.
Great men are almost always bad men--Lord Acton's Corollary
According to the merchant rules, for MasterCard anyway, the merchant is supposed to check the signature and request ID as part of their compliance (section 2.1.1.2).
If a card is not signed, the merchant is supposed to obtain authorization from the card issuer, request ID and have the customer sign the card then and there (section 2.1.1.3).
MasterCard Merchant Rules
It must have been something you assimilated. . . .
... costs the UK economy £1.3bn a year ... only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year.
The figure you arrived at is suitable for 0.1%, 10% would mean $130 million GBP a year which seems a much more serious number, especially considering the current rate of growth. I'm living in the UK myself, and I have to say I don't think much of their security practices. They are just now heralding a "Chip and PIN" system for their point of sale debit transactions, until that happens you can still sign for a debit transaction with most retailers here. Address history is the backbone of security here, and it's unfortunately very easy to fake and tamper with.
As for online fraud, the banking systems I've used so far have appalling standards of security both online, over the phone and at the teller. For both phone and internet a 6-10 digit PIN is used. For phone, two of those digits are requested to gain access, for internet three are requested as well as your birth date. To change this number, you must ring the bank and dictate it to the operator to input it into the system.
I recall on arriving here I had to have my credit PIN reset, as it had never arrived. I did it in person and I changed my address (which is where the active PIN is delivered to), but never had to show any ID. This was certainly human error going against at least one security policy, but regardless of that, most of the security policies don't stand up to rudimentary inspection.
In my experience, most consumers accept fraud and 'identity theft' as something unavoidable, minor and most of all presume there are no better systems. The general thinking seems to be that if there were, they'd be in place already. I think this is an issue that needs to be seriously addressed, and I don't mean by the companies that have started selling 'identity theft' insurance now.
...if you make sure that your own info is safe all the time, when companies are losing your data all the time.
--MaxPowerDJ
Although identity theft is much broader than just unauthorized usage of credit cards, wouldn't it seem logical to force a PIN number to be used for all credit card transactions? It seems that the majority of vendors already have the equipment and capacity to allow a customer to enter a PIN for Debit. Why not integrate this into credit transactions? This would be especially helpful for people who may have lost their card or if someone has copied the number.
RickP
It's really a whole marketing spin from the banking industry to mislead the public. Identity, by definition, can't be stolen.
You can only be identical to yourself.
Identity theft is a nice term being used to shift away responsibility from the lousy financial industry and put it on their users' shoulders.
They won't take mine. I'm in Finland! I really trust The System.
(Yes, we cancelled that card and put fraud watches on our credit report - no other signs so far.)
Meanwhile, someone transposed digits and ended up getting their gas bill paid by my father-in-law for a couple of months. The bank said it had to be resolved by the utility company and vice versa. It took my wife over a month to get things resolved and get his money back.
"But your father signed up online for electronic bill payment!"
"That's not his name, or his address, and he doesn't own a computer. The account numbers are identical except for two swapped digits. Exactly why are you, as a bank, authorizing these withdrawals?"
PHEM - party like it's 1997-2003!
I've said it before, and I'll say it again: what the article speaks of won't help. Even if it's implemented perfectly and is utterly mathematically secure, it won't stop identity theft. That's because it doesn't address the largest hole in the system, the way most identity thieves steal your identity: authenticating the organization the user wants to talk to to the user. It doesn't matter how securely I can prove who I am to my bank, if Mister X out there can impersonate my bank to me he doesn't have to steal my credentials because I'll be giving them to him voluntarily (if unknowingly). The only way to stop this is for the bank to prove to me who it is before asking me to prove who I am.
This isn't even new. It's been long known that you don't trust the other end when they initiated the communication. If someone calls up saying you're late on your electric bill but if you want they can do a check over the phone if you'll just give them your bank account information, common wisdom is that you take note of this, hang up the phone, call the number on your electric bill for the power company's billing department and talk to them. You do that so that you know that you're in fact talking to the real power company before handing over details to them. Same thing for bills in the mail, if out of the blue you receive a bill saying you owe $BIGNUM on your car loan immediately and please send the check in the enclosed return envelope, you don't blindly use it until you've made sure it's to the same address as your regular loan-payment envelopes and you've confirmed with the lender that the bill's for real.
So why, when it comes to identity and security, is all the emphasis in electronic transactions on authenticating the user to the organization when in real life the first thing in a similar transaction is to authenticate the organization to the user?
The problems I have experienced are due to them selling the information in the first place, and sending out more junk than necessary trying to screw their customers in the first place.
I think the banks, etc like to complain about fraud, and want to use the excuse to get control of MORE information from the customers, so they can make more money, and still allow law enforcement to try and make up for their unwillingness to miss out any profit that might otherwise educate their customers in the first place.
specifically relating to credit card companies sending out cards, checks, solicitations via bulk USPS mail, and unsolicited, un-expected mailings.
I know what I want to do to solve this, but may not be legal, set up a junk mail selling station. IE I drop all my unsolicited mail in a "trash can" I get a receipt or cash. Anyone can buy a bin of this "trash", and that amount makes it back to the trash can location to share back to the originator. Granted, I will eventually have to fight the illegal transactions done in my name without my authorization, but at least I got some money to do that with. Eventually every credit card offer, illicit offer they send out will cost them so much they'll have to stop. I am not willing to directly participate in committing the fraud, but I am willing to be passive about it in the short term to try and fix the truly horrible part of the system.
You'd think this type of thing would be prime for public key encryption technology. Each person would be issued with a private key and have their public key registered within a lender's database. All information coming from a person for financial transactions would be signed by their key and verified against their registered public key. As an example, let's take a simple credit transaction.
This example shows proof of identity as well as security. In the event that you lose your credit card then you call up and they issue you a new one with a new public/private key pair.
This also does away with a single source authentication, since the identification method would be carried with the token, and so easily replaceable.
For online or remote transactions, a store could encode their public key with their private key, which would be encoded by your private key (e.g. (your private key ( their private key ( their public key ) ) ) ). This is sent to the authenticating agent and if it unravels properly, then the authentication is successful.
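The signing and re-issue flow this comment describes, as an added example that is not part of the original post. Ed25519 from Go's standard library stands in for the unspecified key type, and the `Registry` type, card ID and transaction format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is the lender's table (hypothetical): card ID -> registered public key.
type Registry map[string]ed25519.PublicKey

// Issue registers a new public key for a card and returns the private half for the card.
func (r Registry) Issue(cardID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r[cardID] = pub // re-issuing overwrites the entry, retiring the old key
	return priv, nil
}

// Sign is what the card does with a transaction record at the point of sale.
func Sign(priv ed25519.PrivateKey, txn []byte) []byte {
	return ed25519.Sign(priv, txn)
}

// Verify checks a transaction signature against the key registered for cardID.
func (r Registry) Verify(cardID string, txn, sig []byte) error {
	pub, ok := r[cardID]
	if !ok {
		return errors.New("unknown card")
	}
	if !ed25519.Verify(pub, txn, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

func main() {
	reg := Registry{}
	card, _ := reg.Issue("card-0001") // constructed sample values throughout
	txn := []byte("card-0001|merchant=ACME|amount=42.00|txn=1001")
	sig := Sign(card, txn)
	fmt.Println("genuine:        ", reg.Verify("card-0001", txn, sig))
	altered := []byte("card-0001|merchant=ACME|amount=4200.00|txn=1001")
	fmt.Println("altered amount: ", reg.Verify("card-0001", altered, sig))
	reg.Issue("card-0001") // card reported lost: a new key pair is issued
	fmt.Println("old card's key: ", reg.Verify("card-0001", txn, sig))
}
```

A valid signature says nothing about freshness, so a verifier built this way would also need to reject a transaction number it has already seen.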
BUT, most credit card receipts (and almost all those electronic touch sensitive things) say that you agree to the terms of the card.
That is why, IMHO, they don't have to give two shits if the card is signed or not, because you affirm anyways that you agree to the terms.
Just take a look at the receipts in the two zug.com links in the original post. They all have some variation on that theme.
http://www.zug.com/pranks/credit_card/
http://www.zug.com/pranks/credit/
The electronic things don't show it, but most of the ones I've used have a screen either before or after the signature that says "you agree to blah blah blah"
[Fuck Beta]
o0t!
We try and we try to protect ourselves and our constituents and the government, in its infinite wisdom, quest for appearing as eGovernment, and pandering to special interests screws us anyway....
http://www.washingtonpost.com/wp-dyn/content/article/2005/05/24/AR2005052401347.html/
http://www.opcva.com/watchdog/
P.S. regarding those statistics about online identity theft comprising only 10% of the total. I think it's 10% of the total where the victim knows where it happened. Big difference.
Most people don't realize it, but simply monitoring your credit report is not enough. In fact, only 1 out of 5 identity thefts get reported would even show up on a credit report. While there are a lot of credit monitoring applications around, a pretty decent fraud protection package is available at http://www.identityguard.com/ . You can't leave it up to your bank or employer to secure your records, because they may not even know it got compromised.
I don't recall the details, but it involved the contract between merchant and issuing bank.
I rubbed off SEE ID and signed the thing before it caused me any trouble.
Man, you really need that seminar!
Who would want everyone to think they're a total geek living in their mom's basement at 43?
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
And now let's try that for online banking with a computer you can't simply blackbox and a trojan that can play man in the middle without any problem (and of course read all you have on your hard drive).
If you have an idea, I pay well!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
But not against the man in the middle attacks executed by trojans.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
My grandmother was recently taken by a telemarketer scam. She doesn't have internet access, doesn't even have a computer, but the scammers already had her checking account number (I guess it's been on every check she's ever written) and by being recorded saying her account number, she had, in Washington Mutual's view, authorized a legitimate transaction. She never saw or signed the check -- which the scammers just printed up themselves!
She was ready to throw up her hands but online security is a big part of my job so I took up the cause for her. I don't expect to get her $700 back but I want to make it a little more difficult at the very least for the unclever scammers.
What shocked me is how lax WM's security policies are. According to the reps I spoke with, WM will cash any automated check with the right readily public account info on it. And they won't even categorize it as fraud so long as -- according to the manager in WM's Fraud Dept I spoke to -- the scammers have recorded the account holder saying nothing more than her account number. I'm still flabbergasted and wonder if this is true of the industry at large.
Not quite on topic, except perhaps in pointing out how excessive talk of encryption codes and integrated authentication platforms is when banks like WM won't even exercise the most basic security measures (or at least take responsibility when their poorly secured system gets played.)
In any event, all the blood and gore can be found here:
http://wamublamesgrandma.blogspot.com/
And if you have less id-paranoid friends or family members (esp. senior citizens) out there, it's probably worth a couple minutes of your time to alert them to the perils of identity theft/fraud. I'm not naive, but this was an eye-opener even for me.
Oh how I love those Equifax commercials that I've been hearing on the radio. You know, the ones where they'll only charge you a small monthly fee to send you an email whenever they allow your identity to be stolen.
Priceless.
How long are we going to wait for Big Brother to bankrupt us all with this false illusion of a possible secure money system?
A perfect example of how perceptions are almost always WRONG, is with FingerPrinting.
Here is a report on how the accuracy of FingerPrinting is finally being shown to be a technology filled with fallacy.
http://www.truthinjustice.org/fingerprints.htm
Following these error rates listed in that article, it is clear that they are not much different, if not WORSE than the troubles we see today, not using FingerPrint technology to verify 'who we are' in normal everyday transactions!
The whole system needs to be 'dumped', in exchange for one where individuals will control ALL access to their data, without the prying eyes of banks, credit card companies, etc., thereby relieving the possibility of 'someone' calling and requesting data, and the consumer mistakenly 'giving' it up.
Until we as citizens form our own coalition of a money or bartering system, in lieu of what the Government and Corporations have offered us, we are doomed to succumb to the tyranny of: The System (ie. The Beast, The Machine, etc.).
-- Someone has stolen my 'good' Karma-- please return it.
I will gladly lose all of life's battles.. in order to win the war..
And you'll pay it... you'll pay it again too.
When I say 'you' I mean those of you who need to buy a house, a car, rent-a-car, own a credit card, etc.
Because, quite simply, PINs act from the assumption that:
1. The card is present
2. A machine needs to do the validation, because when the card system was created, we didn't have the capability to verify a signature purely electronically. A stand-in, or Personal Identification Number, was needed to take the signature's place. (mostly at ATMs)
Most fraudsters don't have blank cards and the proper embossing/encoding equipment to create fake cards. So PIN usage would save you nothing in most cases. Fraud usually starts with someone being careless about the card number - whether merchant, issuer or cardholder.
CVV2, the code numbers on the back of your card in the signature blank, are going in that direction for Internet and other non-personal transactions, but it's not fully used yet, and not perfect.
Really, a signature is far safer than PINs. But the best thing is to just be careful with your personal info from the start, and don't do business with anyone who feels/acts any different.
Why is this surprising?
The US banking industry has documented policies that permit and encourage this to occur.
Get a 20th century banking system, and these incidents will stop virtually completely.
The UK experience is that moving to PIN has removed about 40% of the fraud that occurred under signature-based authentication, according to recent reports.
Implementing virtual terminals (or hardware based terminals in mobile phones et al) with a PIN to effect a legal electronic signature is simple, and doesn't need PKI or digital certificates, thus is very cheap by comparison to PKI.
> It's not theft. It's fraud.
I wish it was that simple.
I am a victim of identity theft.
When I was returning from work one evening, a couple of guys jumped me and stole my identity.
I have no identity anymore. My kids don't recognize me. My wife will not let me into our house.
I even have to post "AC" on SlashDot.
One reason the term "Identity Theft" came about was a PITA loophole in the fraud laws. Fraud prosecution tends to be figured on the basis of financial loss. Not that many years ago, it was up to the merchants to push for prosecution. The problem was, it was easier and cheaper for them to hold the person whose personal information was used responsible than try to find the guilty party. But because the technical victim was the merchant, not the person whose identity was used, police were -extremely- uncooperative.
The whole "identity theft" change was to recognize that something of value -solely and wholly- to the person whose identity was used was taken and used inappropriately. It was a necessary change.