Slashdot Mirror


Combating Identity Theft

An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"

17 of 204 comments

  1. Re:Combating ID Theft is easy... by Anonymous Coward · · Score: 2, Interesting

    ...just buy a deserted island, build a house and NEVER leave.

    Won't work. A growing area of fraud is title fraud, where someone fraudulently sells your house/land. The identity verification process of many land registry offices leaves a lot to be desired.

  2. Alternative systems? by RingDev · · Score: 4, Interesting

    As noted, hardening identity security is extremely costly and difficult. Another option may be to reduce the importance of an identity, make them easier to get rid of and recreate. For example, if someone grabs your credit ID and maxes you out, you'll have to battle for years to get your credit rating restored. If a system could be developed to trivialise the impact of Identity Theft, then the importance of security would decrease from its current point. Yes, it's treating the symptoms, but in this case it could be the cheapest and easiest way to having a safe experience for customers.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  3. Make it harder by CastrTroy · · Score: 2, Interesting

    I know it would be a serious inconvenience on everyone, but couldn't they just make it harder to get Credit/ID? If all you need is a couple key pieces of information (SIN (SSN), driver's license, another credit card, etc.) to be able to get credit under a certain name, then it's the bank's fault when people do it. They should make it a lot harder. For any new credit cards/loans/mortgages over $5000, then you should have to meet in person, and show real ID (like a passport). Maybe this could be on a sign up basis, so that it doesn't annoy everyone, but I know that I get new credit cards seldom enough that it wouldn't be the end of the world if I had to wait a few weeks.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  4. A statement and a story by Anonymous Coward · · Score: 5, Interesting

    merchants pretty much ignore the signatures on the back of credit cards

    This is common knowledge. I haven't signed the back of my card in over 10 years. What's funny is when a cashier actually looks at the back of the card and then just proceeds on even though there's no signature. Let's face it though, even if they did check, it's a worthless security measure anyway. Any crook with even a primitive grouping of nerve endings in their skull can take the few minutes to come "close enough" to the signature on the back of the credit card they just stole.

    Interesting side note about the saying that the "banking industry" not taking advantage of their own safety checks. When I went to get a cashier's check for the down payment on some real estate (around $13K), my bank gave me MASSIVE amounts of grief because my signature on the cashier's check request did not match the signature they had on file for me, nor did it match the signature on my driver's license (all three were different). I ended up having to produce another form of picture ID (which for most people is difficult, since usually it's your driver's license that has a picture, for some it could also be a student ID, for many you're SOL) and signing another signature card. Turns out that while the signature card is not used generally to check the signature on checks (its bank-stated purpose), the bank does check it for transactions over $10K.

    1. Re:A statement and a story by kannibal_klown · · Score: 2, Interesting

      I don't sign my cards either. 4 times out of 5 the cashier won't bother checking, or will check and not care.

      However, whenever I go to BestBuy they ask for my driver's license and compare my face to the photo. I guess the managers at the 2 stores near me are strict about that sort of thing.

      When I worked as a cashier I didn't care if it was signed or not. I never bothered checking unless my boss was hovering around the front.

    2. Re:A statement and a story by fumblebruschi · · Score: 5, Interesting

      Bear in mind that the signature on the back of the card is not a security measure for you; it's security for the store.

      If you look at the card, you'll see a notice by the signature field that says "NOT VALID UNTIL SIGNED." This is because the card constitutes a binding contract between you and the credit card company. Until you sign it, the card is not a financial instrument.

      Let's say you don't sign the card, and you use it to buy $1500 worth of stuff at a store, and then you don't pay the credit card bill. The credit card company is not legally obligated to pay the store for the goods you bought, because the unsigned card was not a binding agreement. You can be prosecuted for acting in bad faith, but the store won't get its $1500.

      That's why the store needs you to sign it--and that's why, when I was a cashier (for my sins) I would often have to ask people to sign their credit cards.

      Incredulous customer: But don't you see how ridiculous that is? I might have just stolen this card and be forging the signature on it!

      Me: That's true, but remember, I'm not doing this to protect you; I'm doing it to protect the store.

      Technically, by insisting on a signature, I was performing good-faith assurance. Sure, the guy might be signing a fake name; but a store can't be held legally responsible for detecting forged signatures, since it's not reasonable that a minimum-wage cashier be required to be trained in forgery. (Court cases have upheld this.) As long as the card has a signature on it, the credit card company has to reimburse the store for whatever gets bought. That's the only thing the store cares about.

      The lesson? Remember that the only person who has any interest in protecting you is yourself.

    3. Re:A statement and a story by 6*7 · · Score: 5, Interesting

      'If you look at the card, you'll see a notice by the signature field that says "NOT VALID UNTIL SIGNED."' ...
      'The credit card company is not legally obligated to pay the store for the goods you bought, because the unsigned card was not a binding agreement.'

      That's a nice thought, but I'm wondering how an online transaction fits into this scheme?

  5. Re:They're not helping themselves by pete6677 · · Score: 3, Interesting

    I've never understood why credit and debit card issuers can't take the most basic security measure that is already in place with ATM cards: PINs! Attach a PIN to every credit card, which the user must know. No PIN, no transaction approval, just like an ATM. Why is this so freaking difficult? A signature is NO security, especially when a sample is provided on the back of the card for a thief to practice with.

  6. Federated Identities are a long ways away by slagell · · Score: 2, Interesting

    Federated identity systems have not been well accepted, and I don't expect to see any for quite a while. We have the MS Passport, which still placed too much trust in MS. We have the Liberty Alliance working group which has had lofty goals and major industry support, but it still hasn't produced much of value in years of work. I think individual identities and credential repositories and credential wallets are our best bet for a while.

  7. digital privacy is about databases by dancpsu · · Score: 3, Interesting

    I agree, currently it is *way* too easy to copy a number or two and steal an identity. A rational world would have gone to a single id card, since whatever databases that can be made with an id card number can be made just as well with a SSN. Most of the problems with a national ID card revolve around the gov't knowing "too much" about its citizens and rounding up gun-owners. If the federal gov't simply digitally signs a public key and biometric id/photograph of the person to be stored on the card, and doesn't store it in a database, then we get the benefit of a more secure id without the dangers privacy advocates warn us about.

    I would much prefer a biometrically locked card, with something that required a thumbprint or something to release my signed public key stored on the card along with the digitally signed receipt. The key could encrypt a picture that is displayed on the cash register, but it seems like having a computer do a biometric rejection is less likely to cause a lawsuit. Plus, what clerk wants to examine a photograph and say "this doesn't look like you" several times a day?

    --
    "Scientists don't change their minds, they just die." -- Max Planck
  8. Re:They're not helping themselves by TeamSPAM · · Score: 3, Interesting

    Their new safety checks are pissing me off. I just recently made 2 ~$700 purchases for a personal file server. On the 2nd order I entered the expiration date wrong. That apparently set off alarms at the credit card company and called the house. My wife told them to approve the purchases. So I had to go back to newegg and update my credit card info. The order never updated it so I canceled it and made a new one. The new one didn't go through because they couldn't confirm my address because they didn't like the credit card phone number I gave them. Here's the list of credit card items I had to give them:

    • Credit Card Number
    • Expiration Date
    • Name on Card
    • Billing Address
    • Security Code on back
    • Card Issuer Telephone "(800 number on back of card. Please provide for fast verification)"

    Now newegg didn't like the number on the back of my card (888 45-YAHOO). My IMing with customer support didn't get anywhere as they wanted another number that I didn't have. A phone call to my credit card company didn't get anywhere as they don't want to issue me a credit card with a number on it acceptable to newegg. There also appears to be some new "Verified by Visa" program, which requires more information to confirm the order. I didn't want to deal with that. So I ended up cancelling the order with newegg, went to zipzoomfly and used a Master Card. I'm willing to jump through some hoops to prove I am who I say I am. If I have to make phone calls and IM customer support to get an order completed (which I didn't) I don't want to deal with that credit card or merchant.

    --
    Brought to you by Team SPAM! where we believe: "Information in the noise!"
  9. Who you are, what you have, what you know by Anonymous Coward · · Score: 1, Interesting

    ...are the three keys to security. Who you are includes fingerprints and retinal scans, what you have includes fobs and keys, and what you know includes passwords. Pick two groups to go with (key fobs and passwords, for example) and you should be fairly secure, or pick from each group (say, retinal scans in addition to keys and pass phrases) and it will be sufficient for military use.

  10. Re:You don't need to see his identification by Anonymous Coward · · Score: 1, Interesting

    Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required

    The error here being that you've spent so long living in a police state, where you have to show your papers to do anything, that you think this is normal rather than being part of the problem. I live in a country where this is not the case, and I can't remember the last time I had to show identity papers in order to get something done... I think it was probably the last time I passed through customs while entering the country (which is reasonable enough), but that was months ago.

    And yes, I do own and use credit cards, and no, they don't have my name printed on them. There's no rule that says the thing printed on the card has to be your name and my bank allows me to specify what it says there. The bank knows who I am - the guy in the store doesn't. This is a functioning pseudonymous identity system. If the courts, and probably the government, wanted to trace my identity, they could. If choicepoint wanted to, they can't - and there are laws protecting my pseudonymity here.

    It is not right, normal, or tolerable that you should have to prove your identity to people on a day-to-day basis. That is deliberate abuse by corporations and similar organisations, who are using and selling your information in order to make money (this is called 'identity theft'). Even the most hard-line right-wing ideals of national security do not require this: it is sufficient for you to leave a paper trail that can be tracked by the relevant authorities, there is no need for the damn store clerk to know who you are. The only reason for it is so that people can make money from identity theft. The only distinction between a corporation stealing your identity and a criminal doing it, is that the corporation has more money.

    When corporations talk about "combating identity theft", they really mean "combating our competitors' use of identity theft, in order to improve our market share in this field". Any serious proposal would involve me getting paid for their sale of my information, at the very least.

  11. Re:Measuring the risk by Pantero+Blanco · · Score: 2, Interesting

    "(Identity) theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly."

    "If, as noted in another post [slashdot.org], only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. "

    You might want to check that again. Ten percent of 1.3 billion would be 130 million, not 1.3 million. That's big enough to warrant attention.

    Having said that, most identity theft could be prevented by common-sense measures on the part of both customers and stores, banks, et cetera.

  12. The Y2K bug that cried wolf by MrNougat · · Score: 3, Interesting

    I wonder if all of the efforts that were made to deal with Y2K bugs may have a detrimental effect on future needs for technology improvement. Consider that a whole lot of businesses were convinced to spend a whole lot of money to do Y2K fixes, the result of which appeared to be ... nothing. Executive committees, boards of directors, shareholders - the appearance is that a lot of money was spent, and after the turn of the millennium, everything was the same as before.

    Now there's another need for technology improvement, in the area of data and network security. From a layman's standpoint, it looks like, "Hey, you need to spend a lot of money and increase the cost of doing business going forward, to prevent against a risk that may never come to pass." And even if the risk does come to pass, it's likely going to be a handful of victims, with little repercussion to the business whose lax security was the root cause.

    We spent all that money on Y2K, and didn't get an obvious return on it. Why should we do that again? Interestingly, this belief surely exists at insurance companies - who are trying to get their clients to pay a regular fee to mitigate risks.

    And, in truth, it's probably cheaper for these businesses to deal with clean-up costs after a few people are victimized than it is to spend proactively to protect everyone. It's like the automotive recall equation from Fight Club.

    --
    Web 2.0 == Giant Blogspam Circle Jerk
  13. Whatever happened to private/public key? by DrVomact · · Score: 2, Interesting

    I remember reading about a proposal to use private/public keys as a form of authentication in a Scientific American article several decades ago. Why haven't we adopted such a system? Obviously, we'd need an infrastructure that supplies the keys in a secure and confidential manner, and methods of exchanging keys that don't involve typing in 256-character alphanumeric strings...but would finding solutions to these problems be so hard?

    This is a genuine question--I don't know much about cryptography, so I'd welcome some informative discussion about this issue.

    --
    Great men are almost always bad men--Lord Acton's Corollary
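
The card scheme proposed in comment 7 (an issuer-signed public key and photograph held only on the card) and the public/private-key authentication asked about in comment 13, sketched as an added example that is not part of the thread or of any deployed system. Ed25519, the function names and the sample data are assumptions chosen for illustration.

```javascript
const crypto = require("crypto");

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Bytes the issuer signs: holder public key (fixed-length Ed25519 SPKI DER) + photo hash.
const signedPayload = (holderKeyDer, photo) => Buffer.concat([holderKeyDer, sha256(photo)]);

// Issuer (hypothetical agency): sign once at enrolment, hand everything to the card, keep no record.
function issueCard(issuerPrivateKey, holderPublicKey, photo) {
  const holderKeyDer = holderPublicKey.export({ type: "spki", format: "der" });
  const issuerSig = crypto.sign(null, signedPayload(holderKeyDer, photo), issuerPrivateKey);
  return { holderKeyDer, photo, issuerSig };
}

// Card: prove possession of the private key by signing the terminal's fresh challenge.
const cardRespond = (holderPrivateKey, challenge) => crypto.sign(null, challenge, holderPrivateKey);

// Terminal: offline check that needs only the issuer's public key, no database lookup.
function verifyPresentation(issuerPublicKey, card, challenge, response) {
  const payload = signedPayload(card.holderKeyDer, card.photo);
  if (!crypto.verify(null, payload, issuerPublicKey, card.issuerSig)) return "issuer-signature-invalid";
  const holderKey = crypto.createPublicKey({ key: card.holderKeyDer, format: "der", type: "spki" });
  if (!crypto.verify(null, challenge, holderKey, response)) return "holder-key-proof-failed";
  return "ok";
}

// Constructed sample data: throwaway keys and a fake photo, generated at run time.
function demo() {
  const issuer = crypto.generateKeyPairSync("ed25519");
  const holder = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const card = issueCard(issuer.privateKey, holder.publicKey, Buffer.from("constructed-photo-bytes"));
  const challenge = crypto.randomBytes(32);
  const goodResponse = cardRespond(holder.privateKey, challenge);
  return {
    genuine: verifyPresentation(issuer.publicKey, card, challenge, goodResponse),
    // Photo replaced after issuance: the issuer signature no longer covers the card contents.
    photoSwapped: verifyPresentation(issuer.publicKey,
      { ...card, photo: Buffer.from("constructed-other-photo") }, challenge, goodResponse),
    // Public card data copied without the private key: the challenge response does not verify.
    copiedData: verifyPresentation(issuer.publicKey, card, challenge, cardRespond(other.privateKey, challenge)),
    // A response recorded for an earlier challenge is rejected against a fresh one.
    replayed: verifyPresentation(issuer.publicKey, card, crypto.randomBytes(32), goodResponse),
  };
}

console.log(demo());
```

Unlike a card number or SSN, nothing the terminal sees here is enough to impersonate the holder later: the readable card data is public, and the private key never leaves the card.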
  14. Re:They're not helping themselves by legirons · · Score: 2, Interesting

    "Attach a PIN to every credit card, which the user must know."

    And which everyone else in the shop knows, after the first time you type it into the keypad which is visible from all around...

    It's called "chip and pin", it's not even slightly secure, it's been used in Europe for years, and just introduced in the UK.