Slashdot Mirror
Combating Identity Theft
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
Can't they just use 'whois'?
Starsucks
There's really no point to fighting identity theft. If someone wants your identity, they'll take it.
--CowboyNeal
A big part of the problem is that the banking industry isn't always taking advantage of their own safety checks. For example, take a look at these stories to see how merchants pretty much ignore the signatures on the back of credit cards.
Like woodworking? Build your own picture frames.
...just buy a deserted island, build a house and NEVER leave.
He who knows best knows how little he knows. - Thomas Jefferson
Uh... okay. I guess I'm living in fantasyland.
Nevermind.
Electric Monkey Pants
You mean AOL isn't going to keep me safe? The monkey isn't going to come out and wack baddies for me?
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
As noted, hardening identity security is extremely costly and difficult. Another option may be to reduce the importance of an identity, make them easier to get rid of and recreate. For example, if someone grabs your credit ID and maxes you out, you'll have to battle for years to get your credit rating restored. If a system could be developed to trivialise the impact of Identity Theft, then the importance of security would decrease from its current point. Yes, it's treating the symptoms, but in this case it could be the cheapest and easiest way to having a safe experience for customers.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
**I** am Anonymous Coward, this ^^^ guy stole my nick. Don't believe a word he says!
Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required:
In the end, we're saddled with all these differet ids (let's not even get into usernames and passwords for on-line banking or web site membership). And all these ids share the common feature of having to be tied back to an individual somehow. The problem lies in the fact that thieves can get their hands on pieces of data (address, SS#, phone number, DL#, etc.) that allow them to replicate you and then use that information to either utilize resources you already have or create new resources that they can exploit (mortgages, loans, etc.).
Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the forseeable future.
GetOuttaMySpace - The Anti-Social Network
Mar 11, 2005 -- How identity theft really occurs
Identity theft has become huge, as we all know. But how and why does it occur? Many people think that identity theft occurs because of what we do online. But just slightly more than 10 percent happens online. Almost all of it occurs when someone steals your checkbook, your wallet or your mail. The Internet actually helps in reducing ID theft, according to the Better Business Bureau. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find things quickly and can report them right away. So, if you still have a checkbook and you refuse to part with it, keep it at home and know where it is at all times. This is especially important for businesses, which are expected to keep a higher standard of security when it comes to securing checks. Businesses have liability for checks written that are stolen. So, keep very good track of your checks if you own a business.
Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
I know it would be a serious inconvenience on everyone, but couldn't they just make it harder to get Credit/ID? If all you need is a couple key pieces of information, (SIN (SSN), Driver's license, another credit card, etc..) to be able to get credit under a certain name, then it's the bank's fault when people do it. They should make it a lot harder. For any new credit cards/loans/mortgages over $5000, then you should have to meet in person, and show real ID (like a passport). Maybe this could be on a sign up basis, so that It doesn't annoy everyone, but I know that I get new credit cards seldom enough that it wouldn't be the end of the world if I had to wait a few weeks.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
It's not theft. It's fraud.
Evil people are out to get you.
merchants pretty much ignore the signatures on the back of credit cards
This is common knowledge. I haven't signed the back of my card in over 10 years. What's funny is when a cashier actually looks at the back of the card and then just procedes on even though there's no signature. Let's face it though, even if they did check, it's a worthless security measure anyway. Any crook with even a primitive grouping of nerve endings in their skull can take the few minutes to come "close enough" to the signature on the back of the credit card they just stole.
Interesting side note about the saying that the "banking industry" no taking advantage of their own saftey checks. When I went to get a cashiers check for the down payment on some real estate (around $13K), my bank gave me MASSIVE amounts of grief because my signature on the cashiers check request did not match the signature they had on file for me, nor did it match the signature on my drivers license (all three were different). I ended up having to produce another form of picture id (which for most people is difficult, since usually it's your drivers license that has a picture, for some it could also be a student id, for many you're SOL) and signing another signature card. Turns out that while the signature card is not used generally to check the signature on checks (it's bank stated purpose), the bank does check it for transactions over $10K.
There are many simple things that could be done to make identity theft harder, but they won't be done because it also makes marketing harder. Everything that makes it more difficult to commit identity theft also makes it harder to grant people instant credit online. Making it difficult to establish new accounts is bad for the businesses, but it would be beneficial to security conscious customers.
In some countries, a company issuing a credit card has to send someone out to verify that the individual is who they say they are and applied for the account. I would like a system like that. At a minimum, it would require that people committing ID theft be local to their victims. Unlike now, it would be much harder for someone to try to set up numerous fraudulent accounts for victims all over the world.
If I could specify my preferences, I would like to require that all accounts being created or modified in my name required that the change be made in person. This would not be much of an additional burden for many of my accounts. There is no way for me to set up and enforce such a policy. The closest I can come is a fraud notice on my credit report that tells the issuer to call me before opening an account, but there are companies that will ignore that since there is no obligation to comply with that request.
Federated identity systems have not been well accepted, and I don't expect to see any for quite a while. We have the MS Passport, which still placed too much trust in MS. We have the Liberty Alliance working group which has ahd lofty goals and major industry support, but it still hasn't produced much of value in years of work. I think individual identies and credential repositories and credential wallets are our best bet for a while.
If a single item will "identify" you, then the value of that single item skyrockets.
As the value goes up, so does the incentive to break the system so that you can cash in on it.
I agree, currently it is *way* too easy to copy a number or two and steal an identity. A rational world would have gone to a single id card, since whatever databases that can be made with an id card number can be made just as well with a SSN. Most of the problems with a national ID card revolve around the gov't knowing "too much" about its citizens and rounding up gun-owners. If the federal gov't simply digitally signs a public key and biometric id/photograph of the person to be stored on the card, and doesn't store it in a database, then we get the benefit of a more secure id without the dangers privacy advocates warn us about.
I would much prefer a biometrically locked card, with something that required a thumbprint or something to release my signed public key stored on the card along with the digitally signed receipt. The key could encrypt a picture that is displayed on the cash register, but it seems like having a computer do a biometric rejection is less likely to cause a lawsuit. Plus, what clerk wants to examine a photograph and say "this doesn't look like you" several times a day?
"Scientists don't change their minds, they just die." -- Max Planck
(Identity) theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly.
Ah yes, more unattributed and meaningless statistics. Obviously we must leap up and address this issue!
If, as noted in another post, only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. Surely there are a couple of thousand varieties of crime that would offer a better return on the investments in crime fighting.
Dollar for dollar how does on-line originated fraud compare to fraud by more traditional means? Is the growth in on-line fraud increasing the amount of fraud, or are the fraudsters just moving to a new platform while keeping the level and likelihood of fraud constant?
I guess that I better turn on my TV news channel for the answers.
Meanwhile I'll continue to be more worried about handing my Visa card to the pimply faced kid at the corner gas station.
Three Squirrels
I was just an ID theft victim. Some douche in Philly opened up a cell phone account with all my info. Now I have to constantly watch my credit for the next year. It's bad enough knowing that your name,address, SS#, etc, all are floating around in 50,000 different legitimate locations, but it really sucks when someone with malicious intent gets ahold of that information. There really isn't anything anyone can do for you either once your information is stolen. You can only file a police report and then notify the credit agenices. Real damage gets done and peoples lives have been completely turned upside because of ID theft. Sadly many people end up battling ID theft for years and years. It's only going to get worse.
If you wanna get rich, you know that payback is a bitch
After reading the article I found a couple of the points to be near disturbing, to such an extent I choked on my coffee.
1. This allows individuals to use one form of identity to authenticate themselves to a range of different organisations.
This is a security breech in it of its self. The idea is to make a system harder to get into, by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or loose it for a single person to attack a vast amount of networks.
2. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organisations to authenticate their users with the same identity.
A part of Information Security is Information Control. This is an easy way to loose control of a secure environment. The CIO is relying on a secondary company that he/she is not physically monitoring to maintain positive control of their security environment. I for one would allow NO ONE access to my tokens or authentication system that didn't reside behind my firewall. Information security should not be about cost effectiveness. It is no secret that it is not cheap. Though cross organizational security is becoming more robust with software and a wider array of risk management, there is still the human factor that no one can control, i.e. there is no cure of human stupidity.
3. On the upside
There is of course a way to manage this kind of environment; intense risk management. The amount of resources the organization would have to dedicate to risk management almost makes this concept not cost effective. There would have to be an entire task force not associated to any of the corporations and would have to manage and asses security risks. The reason being is to gather non-biased information. This would be costly and time intensive.
4. There are alternatives?
The alternative and one that I am seeing become more common is to share a single platform but on the backside enforce a stronger security measure. Example, John logs in via a token system that is shared and then re-authenticates via biometrics on the backside. There goes cost effectiveness right out the window. The best biometric systems are very expensive and timely to roll-out. SafLink offers a great solution but is very costly and does not include hardware. Biometrics is the way to go albeit there is still a chance of a security breech if a hacker gains access to local cache files that store the bio-information. It would be near impossible to break the algorithm but there is still that chance.
I guess with all security there is that same risk. There is no truly secure system, but we all make out as best we can. As security becomes more intense so will the possibilities of intrusion, for every action there is reaction.
Identity theft will remain a problem until the Credit reporting companies are forced at gunpoint to put in place controls to limit it and allow the owner to "lock" their credit report from any reading or reporting. The Credit companies make a crapload of money off of the illigitmate credit reports that are pulled on every person thousands of times a day. I typically find from 10 to 30 illigitmate credit report requests in my credit report every quarter from companies "phishing" for people to send pre-approved credit card offers and refinance requests, etc...
Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.
It's an industry problem that the industry refuses to fix because they profit from it.
Do not look at laser with remaining good eye.
I was a victim of ID theft 5 years ago. A credt card company (Next Card IIRC) gave someone a credit card who had only my name and SS#, wrong date of birth and wrong address. Anyway this guy went to Vegas and ran up quite a bill. It was only when the card remained unpaid that the company bothered to track down the real me.
They wanted me to sign an affidavit. I told them I wan't signing anything, it wasn't my problem. I quoted the following from CHAP. 41, SUBCHAP VI, sections b and e of U.S. Code TITLE 15 which states:
(b) Burden of proof
In any action which involves a consumer's liability for an unauthorized electronic fund transfer, the burden of proof is upon the financial institution to show that the electronic fund transfer was authorized or, if the electronic fund transfer was unauthorized, then the burden of proof is upon the financial institution to establish that the conditions of liability set forth in subsection (a) of this section have been met, and, if the transfer was initiated after the effective date of section 1693c of this title, that the disclosures required to be made to the consumer under section 1693c(a)(1) and (2) of this title were in fact made in accordance with such section.
(e) Scope of liability
Except as provided in this section, a consumer incurs no liability from an unauthorized electronic fund transfer.
Anyway, they took care of everything after that. Including my credit rating.
Obligatory Family Guy Comment:
"It's like sex with Kobe Bryant; you can kick and scream all you like... but in the end... it's going to happen."
I wonder if all of the efforts that were made to deal with Y2K bugs may have a detrimental effect on future needs for technology improvement. Consider that a whole lot of businesses were convinced to spend a whole lot of money to do Y2K fixes, the result of which appeared to be ... nothing. Executive committees, boards of directors, shareholders - the appearance is that a lot of money was spent, and after the turn of the millenium, everything was the same as before.
Now there's another need for technology improvement, in the area of data and network security. From a layman's standpoint, it looks like, "Hey, you need to spend a lot of money and increase the cost of doing business going forward, to prevent against a risk that may never come to pass." And even if the risk does come to pass, it's likely going to be a handful of victims, with little repercussion to the business whose lax security was the root cause.
We spent all that money on Y2K, and didn't get an obvious return on it. Why should we do that again? Interestingly, this belief surely exists at insurance companies - who are trying to get their clients to pay a regular fee to mitigate risks.
And, in truth, it's probably cheaper for these businesses to deal with clean-up costs after a few people are victimized than it is to spend proactively to protect everyone. It's like the automotive recall equation from Fight Club.
Web 2.0 == Giant Blogspam Circle Jerk
This is a genuine question--I don't know much about cryptography, so I'd welcome some informative discussion about this issue.
Great men are almost always bad men--Lord Acton's Corollary
According the merchant rules, for MasterCard anyway, the merchant is suppose to check the signature and request ID as part of their compliance (section 2.1.1.2).
If a card is not signed, the merchant is suppose to obtain authorization from the card issuer, request ID and have the customer sign the card then and there (section 2.1.1.3).
MasterCard Merchant Rules
It must have been something you assimilated. . . .
Although identity theft is much broader than just unauthorized usage of credit cards wouldn't it seem logical to force a PIN number to be used for all credit card transactions. It seems that the majority of vendors already have the equipment and capacity to allow a customer to enter a PIN for Debit. Why not integrate this into credit transactions? This would be especially helpful for people who may have lost their card or if someone has copied the number. RickP
I've said it before, and I'll say it again: what the article speaks of won't help. Even if it's implemented perfectly and is utterly mathematically secure, it won't stop identity theft. That's because it doesn't address the largest hole in the system, the way most identity thieves steal your identity: authenticating the organization the user wants to talk to to the user. It doesn't matter how securely I can prove who I am to my bank, if Mister X out there can impersonate my bank to me he doesn't have to steal my credentials because I'll be giving them to him voluntarily (if unknowingly). The only way to stop this is for the bank to prove to me who it is before asking me to prove who I am.
This isn't even new. It's been long known that you don't trust the other end when they initiated the communication. If someone calls up saying you're late on your electric bill but if you want they can do a check over the phone if you'll just give them your bank account information, common wisdom is that you take note of this, hang up the phone, call the number on your electric bill for the power company's billing department and talk to them. You do that so that you know that you're in fact talking to the real power company before handing over details to them. Same thing for bills in the mail, if out of the blue you receive a bill saying you owe $BIGNUM on your car loan immediately and please send the check in the enclosed return envelope, you don't blindly use it until you've made sure it's to the same address as your regular loan-payment envelopes and you've confirmed with the lender that the bill's for real.
So why, when it comes to identity and security, is all the emphasis in electronic transactions on authenticating the user to the organization when in real life the first thing in a similar transaction is to authenticate the organization to the user?
Who would want everyone to think they're a total geek living in their mom's basement at 43?
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
My grandmother was recently taken by a telemarketer scam. She doesn't have internet access, doesn't even have a computer, but the scammers already had her checking account number (I guess it's been on every check she's ever written) and by being recorded saying her account number, she had, in Washington Mutual's view, authorized a legitimate transaction. She never saw or signed the check -- which the scammers just printed up themselves!
She was ready to throw up her hands but online security is a big part of my job so I took up the cause for her. I don't expect to get her $700 back but I want to make it a little more difficult at the very least for the unclever scammers.
What shocked me is how lax WM's security policies are. According to the reps I spoke with, WM will cash any automated check with the right readily public account info on it. And they won't even categorize it as fraud so long as -- according to the manager in WM's Fraud Dept I spoke to -- the scammers have recorded the account holder saying nothing more than her account number. I'm still flabbergasted and wonder if this is true of the industry at large.
Not quite on topic, except perhaps in pointing out how excessive talk of encryption codes and integrated authentication platforms is when banks like WM won't even exercise the most basic security measures (or at least take responsibility when their poorly secured system gets played.)
In any event, all the blood and gore can be found here:
http://wamublamesgrandma.blogspot.com/
And if you have less id-paranoid friends or family members (esp. senior citizens) out there, it's probably worth a couple minutes of your time to alert them to the perils of identity theft/fraud. I'm not naive, but this was an eye-opener even for me.
Oh how I love those Equifax commercials that I've been hearing on the radio. You know, the ones where they'll only charge you a small monthly fee to send you an email whenever they allow your identity to be stolen.
Priceless.