Slashdot Mirror
Combating Identity Theft
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
Uh... okay. I guess I'm living in fantasyland.
Nevermind.
Electric Monkey Pants
Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required:
In the end, we're saddled with all these differet ids (let's not even get into usernames and passwords for on-line banking or web site membership). And all these ids share the common feature of having to be tied back to an individual somehow. The problem lies in the fact that thieves can get their hands on pieces of data (address, SS#, phone number, DL#, etc.) that allow them to replicate you and then use that information to either utilize resources you already have or create new resources that they can exploit (mortgages, loans, etc.).
Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the forseeable future.
GetOuttaMySpace - The Anti-Social Network
Mar 11, 2005 -- How identity theft really occurs
Identity theft has become huge, as we all know. But how and why does it occur? Many people think that identity theft occurs because of what we do online. But just slightly more than 10 percent happens online. Almost all of it occurs when someone steals your checkbook, your wallet or your mail. The Internet actually helps in reducing ID theft, according to the Better Business Bureau. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find things quickly and can report them right away. So, if you still have a checkbook and you refuse to part with it, keep it at home and know where it is at all times. This is especially important for businesses, which are expected to keep a higher standard of security when it comes to securing checks. Businesses have liability for checks written that are stolen. So, keep very good track of your checks if you own a business.
Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
It's not theft. It's fraud.
Evil people are out to get you.
If a single item will "identify" you, then the value of that single item skyrockets.
As the value goes up, so does the incentive to break the system so that you can cash in on it.
They don't want to make it harder to get credit. The whole basis of their profitability is giving easy credit to people who will draw on the credit, and pay them interest. Making it too hard to get credit would make them less profitable. It's only when the cost of identity fraud exceeds the profitability from easy granting of credit that they'll change.
a.
To put it simply: it isn't painful enough.
VISA actually requires that merchants, in some circumstances, NOT challenge the person using the card. (Have tou noticed that many merchants won't even ask for a signature for purchases below a set limit now?) Why? Because the cost of turning away potential sales - including fraudulent ones - is many multiples of VISA's cost of lost revenue due to fraudulent activity and theft.
What's more is that merchants, not the credit card issuers or underwriting banks, are the ones ultimately responsible for more than 90% of chargebacks. So if the merchant sells a product to someone using a fake card, and the rightful owner of that card challenges it, the merchant takes the loss, not VISA. So for the most part there's really not a direct reason for VISA to curb fraudulent activity at all.
So security in this case actually leads to loss of sales, and therefore loss of revenue for VISA. The customer is indemnified, VISA and the banks are insulated, and the merchant gets screwed - until they raise their prices to make up for the loss. And even then, it's the customer who bears the ultimate financial burden. IOW, VISA has every incentive to make it easier for people to use their cards, even if that means more identity theft.
(Identity) theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly.
Ah yes, more unattributed and meaningless statistics. Obviously we must leap up and address this issue!
If, as noted in another post, only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. Surely there are a couple of thousand varieties of crime that would offer a better return on the investments in crime fighting.
Dollar for dollar how does on-line originated fraud compare to fraud by more traditional means? Is the growth in on-line fraud increasing the amount of fraud, or are the fraudsters just moving to a new platform while keeping the level and likelihood of fraud constant?
I guess that I better turn on my TV news channel for the answers.
Meanwhile I'll continue to be more worried about handing my Visa card to the pimply faced kid at the corner gas station.
Three Squirrels
After reading the article I found a couple of the points to be near disturbing, to such an extent I choked on my coffee.
1. This allows individuals to use one form of identity to authenticate themselves to a range of different organisations.
This is a security breech in it of its self. The idea is to make a system harder to get into, by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or loose it for a single person to attack a vast amount of networks.
2. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organisations to authenticate their users with the same identity.
A part of Information Security is Information Control. This is an easy way to loose control of a secure environment. The CIO is relying on a secondary company that he/she is not physically monitoring to maintain positive control of their security environment. I for one would allow NO ONE access to my tokens or authentication system that didn't reside behind my firewall. Information security should not be about cost effectiveness. It is no secret that it is not cheap. Though cross organizational security is becoming more robust with software and a wider array of risk management, there is still the human factor that no one can control, i.e. there is no cure of human stupidity.
3. On the upside
There is of course a way to manage this kind of environment; intense risk management. The amount of resources the organization would have to dedicate to risk management almost makes this concept not cost effective. There would have to be an entire task force not associated to any of the corporations and would have to manage and asses security risks. The reason being is to gather non-biased information. This would be costly and time intensive.
4. There are alternatives?
The alternative and one that I am seeing become more common is to share a single platform but on the backside enforce a stronger security measure. Example, John logs in via a token system that is shared and then re-authenticates via biometrics on the backside. There goes cost effectiveness right out the window. The best biometric systems are very expensive and timely to roll-out. SafLink offers a great solution but is very costly and does not include hardware. Biometrics is the way to go albeit there is still a chance of a security breech if a hacker gains access to local cache files that store the bio-information. It would be near impossible to break the algorithm but there is still that chance.
I guess with all security there is that same risk. There is no truly secure system, but we all make out as best we can. As security becomes more intense so will the possibilities of intrusion, for every action there is reaction.
I told them I wan't signing anything, it wasn't my problem.
Isn't it great how they shift the problem to the consumer by calling it identity theft. They didn't steal your identity, they stole the credit card companies money by fooling them. They should call it credit company bamboozling, but that would make it sound like their problem instead of yours.