Slashdot Mirror


Combating Identity Theft

An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"

21 of 204 comments

  1. Penalties by Paladin144 · · Score: 4, Insightful
    I think the identity theft problem could be solved fairly easily if we persuaded Congress to pass legislation stating that whenever a company (or government branch) loses a person's private information then that person is owed, say $1,000. I think banks would get serious about the public's privacy pretty damn quick. Now all we need to do is get Congress to pass this legislation, which is clearly pro-consumer and somewhat burdensome to big-finance...

    Uh... okay. I guess I'm living in fantasyland.

    Never mind.

  2. You don't need to see his identification by Billosaur · · Score: 4, Insightful
    The key lies in the use of an authentication platform that is flexible enough to accept the digital credentials of any participating organisation. An additional advantage of the integrated approach is that it need not err towards the lowest common denominator digital identity solution - i.e. username/password. Therefore, should an organisation within the integrated identity group want to be able to use stronger identity for some, if not all, of its transactions then this is possible without interfering with the requirements of other participants. As such, one organisation may consistently have high transaction values that would justify and require a more robust authentication solution than lower value transactions would. This is based upon a financial risk versus cost of solution basis but does allow for the widespread use of a single smart card-based solution.

    Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required:

    • Social Security Card
    • Driver's license
    • Passport
    • Membership cards
    • Health insurance cards
    • Credit cards
    • Debit cards

    In the end, we're saddled with all these different ids (let's not even get into usernames and passwords for on-line banking or web site membership). And all these ids share the common feature of having to be tied back to an individual somehow. The problem lies in the fact that thieves can get their hands on pieces of data (address, SS#, phone number, DL#, etc.) that allow them to replicate you and then use that information to either utilize resources you already have or create new resources that they can exploit (mortgages, loans, etc.).

    Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the foreseeable future.

    --
    GetOuttaMySpace - The Anti-Social Network
  3. It's mostly paper - checks, etc... by AnonymousPrick · · Score: 5, Insightful
    From here: Clark Howard's Identity Theft Section

    Mar 11, 2005 -- How identity theft really occurs
    Identity theft has become huge, as we all know. But how and why does it occur? Many people think that identity theft occurs because of what we do online. But just slightly more than 10 percent happens online. Almost all of it occurs when someone steals your checkbook, your wallet or your mail. The Internet actually helps in reducing ID theft, according to the Better Business Bureau. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find things quickly and can report them right away. So, if you still have a checkbook and you refuse to part with it, keep it at home and know where it is at all times. This is especially important for businesses, which are expected to keep a higher standard of security when it comes to securing checks. Businesses have liability for checks written that are stolen. So, keep very good track of your checks if you own a business.

    --
    Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
    1. Re:It's mostly paper - checks, etc... by Mynister · · Score: 2, Insightful

      The simplest, easiest, cheapest step to prevent identity theft is a paper shredder. Will stop an extended family member or dude that goes through your trash.

      --
      Dr. Retarded Check out what they have done now.
  4. Theft? Fraud! by TechyImmigrant · · Score: 5, Insightful

    It's not theft. It's fraud.

    --
    Evil people are out to get you.
    1. Re:Theft? Fraud! by sacrilicious · · Score: 2, Insightful
      Agreed. "Identity sharing" is a more appropriate term than "Identity theft", because "theft" deprives the victim of the thing being stolen. Perhaps even better than identity sharing (which implies collaboration on the part of the owner) would be "identity duplication".

      Not to nitpick terms, but "theft" is thrown around WAY too loosely. If the term "rape" didn't already exist, people would refer to it as "sex theft".

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
  5. Solution - remember that customers are people by qwijibo · · Score: 2, Insightful

    There are many simple things that could be done to make identity theft harder, but they won't be done because it also makes marketing harder. Everything that makes it more difficult to commit identity theft also makes it harder to grant people instant credit online. Making it difficult to establish new accounts is bad for the businesses, but it would be beneficial to security conscious customers.

    In some countries, a company issuing a credit card has to send someone out to verify that the individual is who they say they are and applied for the account. I would like a system like that. At a minimum, it would require that people committing ID theft be local to their victims. Unlike now, it would be much harder for someone to try to set up numerous fraudulent accounts for victims all over the world.

    If I could specify my preferences, I would like to require that all accounts being created or modified in my name required that the change be made in person. This would not be much of an additional burden for many of my accounts. There is no way for me to set up and enforce such a policy. The closest I can come is a fraud notice on my credit report that tells the issuer to call me before opening an account, but there are companies that will ignore that since there is no obligation to comply with that request.

  6. That last line is the killer. by khasim · · Score: 4, Insightful
    Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the foreseeable future.

    The more "global" you make it, the more problems you have from the people who manage the system.

    If a single item will "identify" you, then the value of that single item skyrockets.

    As the value goes up, so does the incentive to break the system so that you can cash in on it.
  7. Re:Make it harder by Knackered · · Score: 5, Insightful

    They don't want to make it harder to get credit. The whole basis of their profitability is giving easy credit to people who will draw on the credit, and pay them interest. Making it too hard to get credit would make them less profitable. It's only when the cost of identity fraud exceeds the profitability from easy granting of credit that they'll change.

    --
    a.
  8. Re:They're not helping themselves by Mattcelt · · Score: 5, Insightful

    To put it simply: it isn't painful enough.

    VISA actually requires that merchants, in some circumstances, NOT challenge the person using the card. (Have you noticed that many merchants won't even ask for a signature for purchases below a set limit now?) Why? Because the cost of turning away potential sales - including fraudulent ones - is many multiples of VISA's cost of lost revenue due to fraudulent activity and theft.

    What's more is that merchants, not the credit card issuers or underwriting banks, are the ones ultimately responsible for more than 90% of chargebacks. So if the merchant sells a product to someone using a fake card, and the rightful owner of that card challenges it, the merchant takes the loss, not VISA. So for the most part there's really not a direct reason for VISA to curb fraudulent activity at all.

    So security in this case actually leads to loss of sales, and therefore loss of revenue for VISA. The customer is indemnified, VISA and the banks are insulated, and the merchant gets screwed - until they raise their prices to make up for the loss. And even then, it's the customer who bears the ultimate financial burden. IOW, VISA has every incentive to make it easier for people to use their cards, even if that means more identity theft.

  9. Re:They're not helping themselves by oirtemed · · Score: 1, Insightful

    Ummm no. Signing the receipt is what binds you to repayment for that purchase. The card is just an object, it is not a contract. The signature on the card IS for comparison with the signature on the receipt and the reason merchants may not accept SEE ID is that most (all?) card companies don't like it when people write see ID, it defeats the purpose of the signature block. That said, a lot of places now are checking IDs for purchases...which generally pisses me off. I shouldn't need a driver's license to use my credit card. The banks make more than enough money that loss from fraud shouldn't outweigh my convenience or relative privacy.

  10. Measuring the risk by rueger · · Score: 3, Insightful

    (Identity) theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly.

    Ah yes, more unattributed and meaningless statistics. Obviously we must leap up and address this issue!

    If, as noted in another post, only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. Surely there are a couple of thousand varieties of crime that would offer a better return on the investments in crime fighting.

    Dollar for dollar how does on-line originated fraud compare to fraud by more traditional means? Is the growth in on-line fraud increasing the amount of fraud, or are the fraudsters just moving to a new platform while keeping the level and likelihood of fraud constant?

    I guess that I better turn on my TV news channel for the answers.

    Meanwhile I'll continue to be more worried about handing my Visa card to the pimply faced kid at the corner gas station.

    1. Re:Measuring the risk by lysergic.acid · · Score: 2, Insightful

      Actually, 10% of £1.3 billion is £130 million, not £1.3 million.

      But I agree with you that this article seems to be written for the sole purpose of hyping up the threat of online identity fraud. The (poorly written) article provides almost no useful technical information, and it's clearly just a marketing piece aimed at attracting customers. The author works for Thales eSecurity, a company which sells precisely the security services/solutions that the article is promoting. Their website is kinda sketchy too--using a bunch of dummy links of common search terms at the bottom of each page, presumably to boost search engine rankings.

      It's pretty sad really that so many companies out there rely on, and indeed thrive off of, purely bullshitting people into paying for crap products/services. It really requires no talent to profit from the general gullibility of most people while contributing nothing at all to society. All it takes is for one to have the initial capital and the ability to market mediocre yet high-priced products or services to potential customers.

  11. Paradoxical ID Theft by 1337p1rt3 · · Score: 4, Insightful

    After reading the article I found a couple of the points to be near disturbing, to such an extent I choked on my coffee.

    1. This allows individuals to use one form of identity to authenticate themselves to a range of different organisations.

    This is a security breach in and of itself. The idea is to make a system harder to get into, by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or lose it for a single person to attack a vast amount of networks.

    2. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organisations to authenticate their users with the same identity.

    A part of Information Security is Information Control. This is an easy way to lose control of a secure environment. The CIO is relying on a secondary company that he/she is not physically monitoring to maintain positive control of their security environment. I for one would allow NO ONE access to my tokens or authentication system that didn't reside behind my firewall. Information security should not be about cost effectiveness. It is no secret that it is not cheap. Though cross organizational security is becoming more robust with software and a wider array of risk management, there is still the human factor that no one can control, i.e. there is no cure of human stupidity.

    3. On the upside

    There is of course a way to manage this kind of environment; intense risk management. The amount of resources the organization would have to dedicate to risk management almost makes this concept not cost effective. There would have to be an entire task force not associated to any of the corporations and would have to manage and assess security risks. The reason being is to gather non-biased information. This would be costly and time intensive.

    4. There are alternatives?

    The alternative and one that I am seeing become more common is to share a single platform but on the backside enforce a stronger security measure. Example, John logs in via a token system that is shared and then re-authenticates via biometrics on the backside. There goes cost effectiveness right out the window. The best biometric systems are very expensive and timely to roll-out. SafLink offers a great solution but is very costly and does not include hardware. Biometrics is the way to go albeit there is still a chance of a security breach if a hacker gains access to local cache files that store the bio-information. It would be near impossible to break the algorithm but there is still that chance.

    I guess with all security there is that same risk. There is no truly secure system, but we all make out as best we can. As security becomes more intense so will the possibilities of intrusion, for every action there is reaction.

  12. Useless information by Lumpy · · Score: 2, Insightful

    Identity theft will remain a problem until the Credit reporting companies are forced at gunpoint to put in place controls to limit it and allow the owner to "lock" their credit report from any reading or reporting. The Credit companies make a crapload of money off of the illegitimate credit reports that are pulled on every person thousands of times a day. I typically find from 10 to 30 illegitimate credit report requests in my credit report every quarter from companies "phishing" for people to send pre-approved credit card offers and refinance requests, etc...

    Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.

    It's an industry problem that the industry refuses to fix because they profit from it.

    --
    Do not look at laser with remaining good eye.
    1. Re:Useless information by LandKurt · · Score: 2, Insightful

      Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.

      So you lock down your credit report to prevent any more credit card or loans in your name. I assume there would be a method for unlocking the reports when you want to apply for something for real.

      The trouble is that the credit thieves would just impersonate you and unlock the reports themselves. So the identity problem is just shifted from the banking institutions to the credit reporting companies. Since it's not their money on the line, they're even less likely to take it seriously.

  13. It's like sex with Kobe Bryant... by Anonymous Coward · · Score: 2, Insightful

    Obligatory Family Guy Comment:

    "It's like sex with Kobe Bryant; you can kick and scream all you like... but in the end... it's going to happen."

  14. Combatting Identity Theft by RickP · · Score: 2, Insightful

    Although identity theft is much broader than just unauthorized usage of credit cards, wouldn't it seem logical to force a PIN number to be used for all credit card transactions? It seems that the majority of vendors already have the equipment and capacity to allow a customer to enter a PIN for Debit. Why not integrate this into credit transactions? This would be especially helpful for people who may have lost their card or if someone has copied the number. RickP

  15. Re:Lenders are liable for ID theft, not victims by LandKurt · · Score: 4, Insightful

    I told them I wasn't signing anything, it wasn't my problem.

    Isn't it great how they shift the problem to the consumer by calling it identity theft. They didn't steal your identity, they stole the credit card companies' money by fooling them. They should call it credit company bamboozling, but that would make it sound like their problem instead of yours.

  16. Authentication in the wrong direction by Todd+Knarr · · Score: 2, Insightful

    I've said it before, and I'll say it again: what the article speaks of won't help. Even if it's implemented perfectly and is utterly mathematically secure, it won't stop identity theft. That's because it doesn't address the largest hole in the system, the way most identity thieves steal your identity: authenticating the organization the user wants to talk to to the user. It doesn't matter how securely I can prove who I am to my bank, if Mister X out there can impersonate my bank to me he doesn't have to steal my credentials because I'll be giving them to him voluntarily (if unknowingly). The only way to stop this is for the bank to prove to me who it is before asking me to prove who I am.

    This isn't even new. It's been long known that you don't trust the other end when they initiated the communication. If someone calls up saying you're late on your electric bill but if you want they can do a check over the phone if you'll just give them your bank account information, common wisdom is that you take note of this, hang up the phone, call the number on your electric bill for the power company's billing department and talk to them. You do that so that you know that you're in fact talking to the real power company before handing over details to them. Same thing for bills in the mail, if out of the blue you receive a bill saying you owe $BIGNUM on your car loan immediately and please send the check in the enclosed return envelope, you don't blindly use it until you've made sure it's to the same address as your regular loan-payment envelopes and you've confirmed with the lender that the bill's for real.

    So why, when it comes to identity and security, is all the emphasis in electronic transactions on authenticating the user to the organization when in real life the first thing in a similar transaction is to authenticate the organization to the user?

  17. Re:A statement and a story by glorpy · · Score: 2, Insightful

    Well, you sort of got it right. [In the US] credit card companies are only responsible for the first $50 of a fraudulent transaction. Until recently, they passed that $50 on to the consumers. Merchants have to absorb any additional amount.

    Clerks are encouraged to check the signature to reduce the risk of fraudulent purchases, theoretically reducing the merchant's exposure, but there are several flies in the ointment:

    1. You can't check signatures or photo ID over the phone or online (thus the CVV2)
    2. You can't check signatures or photo ID in a growing number of stores where clerks never even touch the card
    3. Faded signatures from two years ago on a worn strip make matching difficult and unreliable
    4. Since the vast majority of purchases are legitimate, it's in the merchant's interests to reduce the transaction time and hassle by not checking signatures or ID - especially if the purchase is under the $50 threshold and they'll get paid anyway
    5. Most stolen cards are used to buy high-end goods and "vices" like porn, cigarettes and alcohol. Home Depot doesn't worry about it, because who's buying PVC with a stolen card? A gas station pretty much never needs to worry about getting paid because they won't go near the $50 mark (most won't let you buy cartons with a credit card). Newegg and BestBuy could be out thousands of dollars of high-margin goods, so they verify identity vigorously.


    My background: Former convenience store clerk and trainer. I've been on the witness stand against someone who used a stolen credit card.