Combating Identity Theft
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
As noted, hardening identity security is extremely costly and difficult. Another option may be to reduce the importance of an identity, make them easier to get rid of and recreate. For example, if someone grabs your credit ID and maxes you out, you'll have to battle for years to get your credit rating restored. If a system could be developed to trivialise the impact of Identity Theft, then the importance of security would decrease from its current point. Yes, it's treating the symptoms, but in this case it could be the cheapest and easiest way to having a safe experience for customers.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
merchants pretty much ignore the signatures on the back of credit cards
This is common knowledge. I haven't signed the back of my card in over 10 years. What's funny is when a cashier actually looks at the back of the card and then just proceeds on even though there's no signature. Let's face it though, even if they did check, it's a worthless security measure anyway. Any crook with even a primitive grouping of nerve endings in their skull can take the few minutes to come "close enough" to the signature on the back of the credit card they just stole.
Interesting side note about the saying that the "banking industry" not taking advantage of their own safety checks. When I went to get a cashier's check for the down payment on some real estate (around $13K), my bank gave me MASSIVE amounts of grief because my signature on the cashier's check request did not match the signature they had on file for me, nor did it match the signature on my driver's license (all three were different). I ended up having to produce another form of picture ID (which for most people is difficult, since usually it's your driver's license that has a picture, for some it could also be a student ID, for many you're SOL) and signing another signature card. Turns out that while the signature card is not used generally to check the signature on checks (its bank-stated purpose), the bank does check it for transactions over $10K.
I've never understood why credit and debit card issuers can't take the most basic security measure that is already in place with ATM cards: PINs! Attach a PIN to every credit card, which the user must know. No PIN, no transaction approval, just like an ATM. Why is this so freaking difficult? A signature is NO security, especially when a sample is provided on the back of the card for a thief to practice with.
I agree, currently it is *way* too easy to copy a number or two and steal an identity. A rational world would have gone to a single id card, since whatever databases that can be made with an id card number can be made just as well with a SSN. Most of the problems with a national ID card revolve around the gov't knowing "too much" about its citizens and rounding up gun-owners. If the federal gov't simply digitally signs a public key and biometric id/photograph of the person to be stored on the card, and doesn't store it in a database, then we get the benefit of a more secure id without the dangers privacy advocates warn us about.
I would much prefer a biometrically locked card, with something that required a thumbprint or something to release my signed public key stored on the card along with the digitally signed receipt. The key could encrypt a picture that is displayed on the cash register, but it seems like having a computer do a biometric rejection is less likely to cause a lawsuit. Plus, what clerk wants to examine a photograph and say "this doesn't look like you" several times a day?
"Scientists don't change their minds, they just die." -- Max Planck
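The signed-card idea in the comment above, sketched as an added example that is not part of the original thread: an issuer signs the holder's public key together with a hash of the photo stored on the card, and a terminal checks the card using only the issuer's public key and a fresh challenge. Ed25519, the `idcard-v1|` label, the card layout and all function names are assumptions made for illustration; matching a live fingerprint or face against the stored photo is outside the sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card holds everything the terminal needs; the issuer keeps no copy (assumed layout).
type Card struct {
	HolderPub ed25519.PublicKey
	Photo     []byte // photo or biometric template stored on the card
	IssuerSig []byte // issuer signature binding HolderPub to Photo
}

// signedBytes is the message the issuer signs: a label, the key, and the photo hash.
func signedBytes(pub ed25519.PublicKey, photo []byte) []byte {
	h := sha256.Sum256(photo)
	return append(append([]byte("idcard-v1|"), pub...), h[:]...)
}

// Issue signs the holder's key and photo once, at enrollment.
func Issue(issuer ed25519.PrivateKey, pub ed25519.PublicKey, photo []byte) Card {
	return Card{HolderPub: pub, Photo: photo, IssuerSig: ed25519.Sign(issuer, signedBytes(pub, photo))}
}

// VerifyOffline needs only the issuer's public key; resp is the card's signature over nonce.
func VerifyOffline(issuerPub ed25519.PublicKey, c Card, nonce, resp []byte) error {
	if len(c.HolderPub) != ed25519.PublicKeySize {
		return errors.New("malformed holder key")
	}
	if !ed25519.Verify(issuerPub, signedBytes(c.HolderPub, c.Photo), c.IssuerSig) {
		return errors.New("card contents not signed by issuer")
	}
	if !ed25519.Verify(c.HolderPub, nonce, resp) {
		return errors.New("card does not hold the private key")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	card := Issue(issuerPriv, holderPub, []byte("constructed-photo-bytes"))
	nonce := []byte("constructed-nonce") // a real terminal would draw random bytes
	fmt.Println("genuine card:", VerifyOffline(issuerPub, card, nonce, ed25519.Sign(holderPriv, nonce)))
}
```

Copying the public fields of a card is not enough to pass the check, because the challenge response requires the holder's private key, and swapping the photo invalidates the issuer's signature.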
Their new safety checks are pissing me off. I just recently made 2 ~$700 purchases for a personal file server. On the 2nd order I entered the expiration date wrong. That apparently set off alarms at the credit card company and called the house. My wife told them to approve the purchases. So I had to go back to newegg and update my credit card info. The order never updated it so I canceled it and made a new one. The new one didn't go through because they couldn't confirm my address because they didn't like the credit card phone number I gave them. Here's the list of credit card items I had to give them:
Now newegg didn't like the number on the back of my card (888 45-YAHOO). My IMing with customer support didn't get anywhere as they wanted another number that I didn't have. A phone call to my credit card company didn't get anywhere as they don't want to issue me a credit card with a number on it acceptable to newegg. There also appears to be some new "Verified by Visa" program, which requires more information to confirm the order. I didn't want to deal with that. So I ended up cancelling the order with newegg, went to zipzoomfly and used a Master Card. I'm willing to jump through some hoops to prove I am who I say I am. If I have to make phone calls and IM customer support to get an order completed (which I didn't) I don't want to deal with that credit card or merchant.
Brought to you by Team SPAM! where we believe: "Information in the noise!"
I wonder if all of the efforts that were made to deal with Y2K bugs may have a detrimental effect on future needs for technology improvement. Consider that a whole lot of businesses were convinced to spend a whole lot of money to do Y2K fixes, the result of which appeared to be ... nothing. Executive committees, boards of directors, shareholders - the appearance is that a lot of money was spent, and after the turn of the millennium, everything was the same as before.
Now there's another need for technology improvement, in the area of data and network security. From a layman's standpoint, it looks like, "Hey, you need to spend a lot of money and increase the cost of doing business going forward, to prevent against a risk that may never come to pass." And even if the risk does come to pass, it's likely going to be a handful of victims, with little repercussion to the business whose lax security was the root cause.
We spent all that money on Y2K, and didn't get an obvious return on it. Why should we do that again? Interestingly, this belief surely exists at insurance companies - who are trying to get their clients to pay a regular fee to mitigate risks.
And, in truth, it's probably cheaper for these businesses to deal with clean-up costs after a few people are victimized than it is to spend proactively to protect everyone. It's like the automotive recall equation from Fight Club.
Web 2.0 == Giant Blogspam Circle Jerk