Forgot your password?
typodupeerror

Combating Identity Theft 204

Posted by ScuttleMonkey
from the who-am-i dept.
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
This discussion has been archived. No new comments can be posted.

Combating Identity Theft

Comments Filter:
  • Um... (Score:5, Informative)

    by ShaniaTwain (197446) on Wednesday March 08, 2006 @02:06PM (#14876878) Homepage
    Can't they just use 'whois'?
  • by Anonymous Coward on Wednesday March 08, 2006 @02:07PM (#14876891)
    There's really no point to fighting identity theft. If someone wants your identity, they'll take it.

    --CowboyNeal
  • by Kombat (93720) <kombat@kombat.org> on Wednesday March 08, 2006 @02:11PM (#14876925) Homepage
    A big part of the problem is that the banking industry isn't always taking advantage of their own safety checks. For example, take a look at these [zug.com] stories [zug.com] to see how merchants pretty much ignore the signatures on the back of credit cards.
    • by Anonymous Coward on Wednesday March 08, 2006 @02:26PM (#14877079)
      merchants pretty much ignore the signatures on the back of credit cards

      This is common knowledge. I haven't signed the back of my card in over 10 years. What's funny is when a cashier actually looks at the back of the card and then just procedes on even though there's no signature. Let's face it though, even if they did check, it's a worthless security measure anyway. Any crook with even a primitive grouping of nerve endings in their skull can take the few minutes to come "close enough" to the signature on the back of the credit card they just stole.

      Interesting side note about the saying that the "banking industry" no taking advantage of their own saftey checks. When I went to get a cashiers check for the down payment on some real estate (around $13K), my bank gave me MASSIVE amounts of grief because my signature on the cashiers check request did not match the signature they had on file for me, nor did it match the signature on my drivers license (all three were different). I ended up having to produce another form of picture id (which for most people is difficult, since usually it's your drivers license that has a picture, for some it could also be a student id, for many you're SOL) and signing another signature card. Turns out that while the signature card is not used generally to check the signature on checks (it's bank stated purpose), the bank does check it for transactions over $10K.
      • I don't sign my cards either. 4 times out of 5 the cashier won't bother checking, or will check and not care.

        However, whenever I go to BestBuy they ask for my drivers license and compare my face to the photo. I guess the managers at the 2 stores near me are strict about that sort of thing.

        When I worked as a cashier I didn't care if it was signed or not. I never bother checking unless my boss was hovering around the front.
      • by fumblebruschi (831320) on Wednesday March 08, 2006 @03:48PM (#14877820)
        Bear in mind that the signature on the back of the card is not a security measure for you; it's security for the store.

        If you look at the card, you'll see a notice by the signature field that says "NOT VALID UNTIL SIGNED." This is because the card constitutes a binding contract between you and the credit card company. Until you sign it, the card is not a financial instrument.

        Let's say you don't sign the card, and you use it to but $1500 worth of stuff at a store, and then you don't pay the credit card bill. The credit card company is not legally obligated to pay the store for the goods you bought, because the unsigned card was not a binding agreement. You can be prosecuted for acting in bad faith, but the store won't get its $1500.

        That's why the store needs you to sign it--and that's why, when I was a cashier (for my sins) I would often have to ask people to sign their credit cards.

        Incredulous customer: But don't you see how ridiculous that is? I might have just stolen this card and be forging the signature on it!

        Me: That's true, but remember, I'm not doing this to protect you; I'm doing it to protect the store.

        Technically, by insisting on a signature, I was performing good-faith assurance. Sure, the guy might be signing a fake name; but a store can't be held legally responsible for detecting forged signatures, since it's not reasonable that a minimum-wage cashier be required to be trained in forgery. (Court cases have upheld this.) As long as the card has a signature on it, the credit card company has to reimburse the store for whatever gets bought. That's the only thing the store cares about.

        The lesson? Remember that the only person who has any interest in protecting you is yourself.
        • by 6*7 (193752) on Wednesday March 08, 2006 @03:56PM (#14877890)
          'If you look at the card, you'll see a notice by the signature field that says "NOT VALID UNTIL SIGNED."' ...
          'The credit card company is not legally obligated to pay the store for the goods you bought, because the unsigned card was not a binding agreement.'

          That's a nice though, but I'm wondering how an online transaction fits into this scheme?
    • by pete6677 (681676) on Wednesday March 08, 2006 @02:29PM (#14877108)
      I've never understood why credit and debit card issuers can't take the most basic security measure that is already in place with ATM cards: PINs! Attach a PIN to every credit card, which the user must know. No PIN, no transaction approval, just like an ATM. Why is this so freaking difficult? A signature is NO security, especially when a sample is provided on the back of the card for a thief to practice with.
      • by Mattcelt (454751) on Wednesday March 08, 2006 @02:42PM (#14877222)
        To put it simply: it isn't painful enough.

        VISA actually requires that merchants, in some circumstances, NOT challenge the person using the card. (Have tou noticed that many merchants won't even ask for a signature for purchases below a set limit now?) Why? Because the cost of turning away potential sales - including fraudulent ones - is many multiples of VISA's cost of lost revenue due to fraudulent activity and theft.

        What's more is that merchants, not the credit card issuers or underwriting banks, are the ones ultimately responsible for more than 90% of chargebacks. So if the merchant sells a product to someone using a fake card, and the rightful owner of that card challenges it, the merchant takes the loss, not VISA. So for the most part there's really not a direct reason for VISA to curb fraudulent activity at all.

        So security in this case actually leads to loss of sales, and therefore loss of revenue for VISA. The customer is indemnified, VISA and the banks are insulated, and the merchant gets screwed - until they raise their prices to make up for the loss. And even then, it's the customer who bears the ultimate financial burden. IOW, VISA has every incentive to make it easier for people to use their cards, even if that means more identity theft.
        • Why? Because the cost of turning away potential sales - including fraudulent ones - is many multiples of VISA's cost of lost revenue due to fraudulent activity and theft.

          VISA doesn't foot the losses. Merchants and banks do. VISA is just a network - and they make money by taking a small part of each transaction.

          • That's true to a point. They don't take any direct losses, as far as I know. They are keenly aware, however, that if it gets too painful for the merchants, they will stop accepting VISA, and their market (and revenue) will dry up overnight. That's half the impetus behind the VISA PCI reviews and audits that are sweeping the industry now (the other half being increased customer warm fuzzies). Fewer transactions == less revenue. VISA is literally playing both ends against the center to maximize the numbe
            • They've got a fine line to walk - err too much one way, they'll tick off the merchants. Err too much the other, and they'll loose banks. Nobody likes losses - but the consumer is always the one that ends up paying in the end.

              That walmart lawsuit a couple of years ago hurt too (a lot).

      • by Bogtha (906264) on Wednesday March 08, 2006 @03:03PM (#14877404)

        Here in the UK, we use the Chip and PIN system [wikipedia.org], which has been in effect for a while and practically mandatory since Valentine's Day [bbc.co.uk].

      • "Attach a PIN to every credit card, which the user must know."

        And which everyone else in the shop knows, after the first time you type it into the keypad which is visible from all around...

        It's called "chip and pin", it's not even slightly secure, it's been used in Europe for years, and just introduced in the UK.
    • Speaking as someone who has worked in banking infosec for years, I can tell you the signatures on the backs of credit cards are worse than useless.

      What banks need to start doing is pre-print the cardholder's signature on the back of the card the same way many state's DMVs do for licenses now. A post-issue-applied signature isn't worth the card it's written on (quite literally).
      • Banks have done exactly that for years in Norway.
        When you get your picture taken for the card (we have
        photo IDs on our ATM cards), they collect your signature,
        and the finished card is available for pickup a number of
        days later (if the bank is paranoid enough to not trust the
        postal service).
    • The signature has nothing to do with security. Your signature is proof of your acceptance of the cardmember agreement. That's why merchants reject cards from asshats who write stuff like "See ID" on the back of the card.

      Theoretically, if you buy stuff with an unsigned card, you are not on the hook to pay the bill in some states.
      • Ummm no. Signing the reciept is what binds you to repayment for that purchase. The card is just an object, it is not a contract. The signature on the card IS for comparison with the signature on the receipt and the reason merchants may not accept SEE ID is that most (all?) card companies dont like it when people write see ID, it defeats the purpose of the signature block. That said, a lot of places now are checking IDs for purchases...which generally pisses me off. I shouldn't need a drivers license to
        • Why shouldn't they be able to see an ID? I don't mind when they do this because they're trying to protect themselves, with the side effect that if someone steals my credit card, places that ask for ID won't take it without the ID.

          Using a credit card is making a promise that you'll pay, which is what entitles the merchant to be paid. Checking an ID is just a step to see if your face matches the one on your ID and the name matches the name on the card. In the case of credit cards with photos, asking for ID
        • I shouldn't need a drivers license to use my credit card.

          Yeah, it sucks that when I use your credit card they ask for an ID. I now have to resort to lifting wallets and hoping that they have cash in them.

        • I too was once irked at having to present my ID for a credit card purchase, but then I actually did some research (stops to hear Slashdot audience gasp) and found the following:

          According the merchant rules, for MasterCard anyway, the merchant is suppose to check the signature and request ID as part of their compliance (section 2.1.1.2).

          If a card is not signed, the merchant is suppose to obtain authorization from the card issuer, request ID and have the customer sign the card then and there (section 2.1.

      • That's why merchants reject cards from asshats who write stuff like "See ID" on the back of the card.

        I'm one of those "asshats", and I've never had a merchant reject my card.

        Only about 1 in 20 actually look at the signature block and ask for my ID. I praise them and thank them for doing so.

        I've heard of some merchants refusing to accept signed cards. Mine are signed -- and next to the signature is 'DEMAND PHOTO ID' in big block letters.

    • Ok people, say it with me: CREDIT CARD THEFT IS NOT A BIG DEAL.

      Real Identity theft is when they open an account in your name using your information, such as a credit card or bank account, or if they work under your name and never pay taxes, things like that. You will not know that this has taken place until your credit is ruined, and you will will spend a decade trying to get back to where you were.

      The banks make it nearly impossible to recover from identity theft without you hiring lawyers because
    • by TeamSPAM (166583) <flynnmj.email@com> on Wednesday March 08, 2006 @03:01PM (#14877398) Homepage

      Their new saftey checks are pissing me off. I just recently made 2 ~$700 purchases for a personal file server. On the 2nd order I entered the expiration date wrong. That apparently set off alarms at the credit card company and called the house. My wife told them to approve the purchases. So I had to go back to newegg and update my credit card info. The order never updated it so I canceled it and made a new one. The new one didn't go through because they couldn't confirm my address because they didn't like the credit card phone number I gave them Here's the list of credit card items I had to give them:

      • Credit Card Number
      • Expiration Date
      • Name on Card
      • Billing Address
      • Security Code on back
      • Card Issuer Telephone "(800 number on back of card. Please provide for fast verification)"

      Now newegg didn't like the number on the back of my card (888 45-YAHOO). My IMing with customer support didn't get anywhere as they wanted another number that I didn't have. A phone call to my credit card company didn't get anywhere as they don't want to issue me a credit card with an number on it acceptable to newegg. There also appears to be some new "Verified by Visa" program, which requires more information to comfirm the order. I didn't want to deal with that. So I ended up cancelling the order with newegg, went to zipzoomfly and used a Master Card. I'm willing to jump through some hoops to prove I am who I say I am. If I have to make phone calls and IM customer support to get an order completed (which I didn't) I don't want to deal with that credit card or merchant.

      • I've repeatedly had trouble making credit cards payments to allofmp3.com, presumably since they're in Russia. Sometimes verification will fail, then a few minutes later I'll get a phone call from the credit card company asking if it was really me. Other times verification will simply fail and I have to call the CC company to get it going. It's a hassle, especially since I'm already using a one-time CC number which is only good for the exact amount I'm trying to spend.
      • I canceled my first and only attempt at placing an order at Newegg because of all of the info that they wanted and their suggestions on how to kiss their ass to get them to accept my credit card. I talked to the teller at the bank that issued my credit card and she said that the phone number on the back of the card is useless to the merchant. The operators verify that they are talking to the card holder (date of birth, mother's maiden name, name of bank branch, etc.). My bank will not release any informat
    • to see how merchants pretty much ignore the signatures on the back of credit cards.

      I had a card that I never used outside online purchases. On the back I put the phrase in caps "THIS CARD IS STOLEN!!!"

      I went on a trip once and grabbed the card because I was short on cash and forgot that I wrote that. Funny thing was no one bothered to look at the back of the card (granted I only bought plane tickets and a hotel room with it).
  • by digitaldc (879047) * on Wednesday March 08, 2006 @02:12PM (#14876935)
    ...just buy a deserted island, build a house and NEVER leave.
    • by Anonymous Coward
      ...just buy a deserted island, build a house and NEVER leave.

      Won't work. A growing area of fraud is title fraud, where someone fraudulently sells your house/land. The identity verification process of many land registry offices leaves a lot to be desired.
    • by Mattcelt (454751) on Wednesday March 08, 2006 @02:49PM (#14877276)
      Dear Mr. DigitalDC,

      My esteemed uncle, the Grand Vizier of the Carribean National Bank, Doctor Moroawe mBasse, has just passed away, leaving me, some property. I have a nice little island in the Carribean that I need to turn into cash immediately, and I will sell it to you for just $150.00 American. Just send me your bank account login information and Iwill send to you the title right away.

      Regards,
      Mr. Tamuk Nagalanucha
  • When mom and dad have federated secure digital certificates we might start seeing things like encrypted email become common.
  • Penalties (Score:5, Insightful)

    by Paladin144 (676391) on Wednesday March 08, 2006 @02:16PM (#14876981) Homepage
    I think the identity theft problem could be solved fairly easily if we persuaded Congress to pass legislation stating that whenever a company (or government branch) loses person's private information then that person is owed, say $1,000. I think banks would get serious about the public's privacy pretty damn quick. Now all we need to do is get Congress to pass this legislation, which is clearly pro-consumer and somewhat burdensome to big-finance...

    Uh... okay. I guess I'm living in fantasyland.

    Nevermind.

    • Unfortunately, that cost would just get passed on to the consumer.

      I'm all about upping security, but it has to be cost effective, for both the consumer AND the company...
      • Unfortunately, that cost would just get passed on to the consumer.
        No it wouldn't. Just because some bank gets fined doesn't mean they can start charging more to make up for it. Their prices were already chosen to maximize profit before the fine; the fact that they got fined doesn't change the competitive landscape for the company at all. The result is that sloppy companies are at a competitive disadvantage to more careful ones, which is exactly the desired result.
      • by Hatta (162192)
        Unfortunately, that cost would just get passed on to the consumer.

        What we need is legislation prohibiting passing costs on to the consumers. As long as you can pay your employees a living wage you don't need to be charging your customers any more. Profit margins in the credit industry are beyond obscene.
    • Your idea is clearly NOT pro consumer. Your idea would reduce the number of companies offering consumer products that require access to the consumer's private information. That reduced competition would concentrate power in a small handful of huge companies that would not face much competition. Consumers need competition to have power.
    • Or make using that information a capital crime.
  • AOL? (Score:4, Funny)

    by ericdano (113424) on Wednesday March 08, 2006 @02:17PM (#14876985) Homepage
    You mean AOL isn't going to keep me safe? The monkey isn't going to come out and wack baddies for me?
  • Alternative systems? (Score:5, Interesting)

    by RingDev (879105) on Wednesday March 08, 2006 @02:18PM (#14876995) Homepage Journal
    As noted, hardening identity security is extremely costly and difficult. Another option may be to reduce the importance of an identity, make them easier to get rid of and recreate. For example, if someone grabs your credit ID and maxes you out, you'll have to battle for years to get your credit rating restored. If a system could be developed to trivialise the impact of Identity Theft, then the importance of security would decrease from its current point. Yes, it's treating the symptoms, but in this case it could be the cheapest and easiest way to having a safe experience for customers.

    -Rick
    • If you lose nothing when your identity is "stolen", then what's to stop some unscrupulous person from doing so ... repeatedly?

      The money has to come from somewhere.
    • The real problem with identify theft is that your identity can be stolen using only public information. Because of this it is possible to steal someones identity without even being in contact with the person in question. Just look at credit cards where the same 16 digits are reused every time you buy an item. It is just begging to be stolen. The same can be said about the social security number, the home address, the name and anything else.

      Digital Signatures (PGP, etc.) should be a minimum requirement. The
  • by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Wednesday March 08, 2006 @02:20PM (#14877014) Journal
    The key lies in the use of an authentication platform that is flexible enough to accept the digital credentials of any participating organisation. An additional advantage of the integrated approach is that it need not err towards the lowest common denominator digital identity solution - i.e. username/password. Therefore, should an organisation within the integrated identity group want to be able to use stronger identity for some, if not all, of its transactions then this is possible without interfering with the requirements of other participants. As such, one organisation may consistently have high transaction values that would justify and require a more robust authentication solution than lower value transactions would. This is based upon a financial risk versus cost of solution basis but does allow for the widespread use of a single smart card-based solution.

    Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required:

    • Social Security Card
    • Driver's license
    • Passport
    • Membership cards
    • Health insurance cards
    • Credit cards
    • Debit cards

    In the end, we're saddled with all these differet ids (let's not even get into usernames and passwords for on-line banking or web site membership). And all these ids share the common feature of having to be tied back to an individual somehow. The problem lies in the fact that thieves can get their hands on pieces of data (address, SS#, phone number, DL#, etc.) that allow them to replicate you and then use that information to either utilize resources you already have or create new resources that they can exploit (mortgages, loans, etc.).

    Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the forseeable future.

    • by khasim (1285) <brandioch.conner@gmail.com> on Wednesday March 08, 2006 @02:38PM (#14877196)
      Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the forseeable future.
      The more "global" you make it, the more problems you have from the people who manage the system.

      If a single item will "identify" you, then the value of that single item skyrockets.

      As the value goes up, so does the incentive to break the system so that you can cash in on it.
    • by dancpsu (822623) on Wednesday March 08, 2006 @02:44PM (#14877235) Journal
      I agree, currently it is *way* too easy to copy a number or two and steal an identity. A rational world would have gone to a single id card, since whatever databases that can be made with an id card number can be made just as well with a SSN. Most of the problems with a national ID card revolve around the gov't knowing "too much" about its citizens and rounding up gun-owners. If the federal gov't simply digitally signs a public key and biometric id/photograph of the person to be stored on the card, and doesn't store it in a database, then we get the benefit of a more secure id without the dangers privacy advocates warn us about.

      I would much prefer a biometrically locked card, with something that required a thumbprint or something to release my signed public key stored on the card along with the digitally signed receipt. The key could encrypt a picture that is displayed on the cash register, but it seems like having a computer do a biometric rejection is less likely to cause a lawsuit. Plus, what clerk wants to examine a photograph and say "this doesn't look like you" several times a day?
      • Any token that can't be verified against a database is hard to trust. If someone finds a way to sign a fake ID, it's indistinguishable from a real ID. On the other hand, if an ID just has a number, it's of limited use without confirming the contents against the database. Keeping the ID cards secure is difficult because they can be manipulated. A database serves as a single point of reference where all access can be logged and controlled.
        • Sure someone could break PKI, but it is mathematically proven to be difficult. If the ID expired, then there would be a time-limit to how long one would have to break the key. The last weak link in the chain is how do you know the person standing in front of you is really what the ID says? This could be biometrically solved, but most biometric readers can easily be fooled. The ones that are more difficult to fool are too intrusive. It could be that vein/heat patterns in the thumb would be easy enough t
          • I'm not assuming a mathematic solution to the problem. The key would have a large cash value to organized crime. State employees have been caught in rackets where they created 'legitimate' fake ID's. I'm assuming that the key would be sold at some point, invalidating the system.
      • But think of the kids! What will under 21 college students do to buy beer? This will ruin college for the freshman/sophmore classes...
      • If the federal gov't simply digitally signs a public key and biometric id/photograph of the person to be stored on the card, and doesn't store it in a database, then we get the benefit of a more secure id without the dangers privacy advocates warn us about.

        That would not happen. As soon as a national ID card, the govt. will immediately move to the next step of storing the information. They'll say, "look, it would be so easy to cut crime by storing this information, the fact that we're not doing it defie

  • by AnonymousPrick (956548) on Wednesday March 08, 2006 @02:20PM (#14877018)
    From here: Clark Howard's Identity Theft Section [clarkhoward.com]

    Mar 11, 2005 -- How identity theft really occurs
    Identity theft has become huge, as we all know. But how and why does it occur? Many people think that identity theft occurs because of what we do online. But just slightly more than 10 percent happens online. Almost all of it occurs when someone steals your checkbook, your wallet or your mail. The Internet actually helps in reducing ID theft, according to the Better Business Bureau. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find things quickly and can report them right away. So, if you still have a checkbook and you refuse to part with it, keep it at home and know where it is at all times. This is especially important for businesses, which are expected to keep a higher standard of security when it comes to securing checks. Businesses have liability for checks written that are stolen. So, keep very good track of your checks if you own a business.

    • Some schmuck in Washington state (halfway across the country from me) used my credit card number with a missing letter from my name and the wrong expiration date to get DirectTV service. Now I have to come up with all kinds of stuff and a signed police report or else they'll charge me for it, even though I'm in another state.

      (Yes, we cancelled that card and put fraud watches on our credit report - no other signs so far.)

      Meanwhile, someone transposed digits and ended up getting their gas bill paid by my

  • Make it harder (Score:3, Interesting)

    by CastrTroy (595695) on Wednesday March 08, 2006 @02:20PM (#14877023) Homepage
    I know it would be a serious inconvenience on everyone, but couldn't they just make it harder to get Credit/ID? If all you need is a couple key pieces of information, (SIN (SSN), Driver's license, another credit card, etc..) to be able to get credit under a certain name, then it's the bank's fault when people do it. They should make it a lot harder. For any new credit cards/loans/mortgages over $5000, then you should have to meet in person, and show real ID (like a passport). Maybe this could be on a sign up basis, so that It doesn't annoy everyone, but I know that I get new credit cards seldom enough that it wouldn't be the end of the world if I had to wait a few weeks.
    • Re:Make it harder (Score:5, Insightful)

      by Knackered (311164) on Wednesday March 08, 2006 @02:39PM (#14877207)
      They don't want to make it harder to get credit. The whole basis of their profitability is giving easy credit to people who will draw on the credit, and pay them interest. Making it too hard to get credit would make them less profitable. It's only when the cost of identity fraud exceeds the profitability from easy granting of credit that they'll change.
      • It's only when the cost of identity fraud exceeds the profitability from easy granting of credit that they'll change.
        BINGO!!!

        And Bruce Schneier has said the same thing. If you want to fight identity "theft" (really just old fashioned fraud), then you put the burden on the financial institutions.

        Once their costs exceed the profits, they'll change their processes.

        Until then, they'll talk a lot, but do nothing of real value.
  • ID theft is dominately an issue with companies setting insecure networks and allowing their clients to run insecure OS configs. The best solution for this is to change the laws to allow companies to be sued if they allow this or if they have not taken ALL possible steps to prevent it.
  • Theft? Fraud! (Score:5, Insightful)

    by TechyImmigrant (175943) * on Wednesday March 08, 2006 @02:21PM (#14877032) Journal
    It's not theft. It's fraud.
    • Exactly. I remember when the problem was called "credit card fraud".

      Who remembers in the 80's when a credit card check at the cash register meant a cashier checking the credit card # against a list of bad numbers, printed on newsprint that was updated once a week. Purchases less than $50 would rarely get checked at all, while those over $50 would get called in by phone/modem for verification depending on the size of the retailer.
    • by tehshen (794722)
      Identity copyright infringement
    • by Neoncow (802085) on Wednesday March 08, 2006 @03:09PM (#14877471) Journal
      I prefer to think of it as identity sharing.
      • Re:Theft? Fraud! (Score:3, Insightful)

        by sacrilicious (316896)
        Agreed. "Identity sharing" is a more appropriate term than "Identity theft", because "theft" deprives the victim of the thing being stolen. Perhaps even better than identity sharing (which implies collaboration on the part of the owner) would be "identity duplication".

        Not to nitpick terms, but "theft" is thrown around WAY too loosely. If the term "rape" didn't already exist, people would refer to it as "sex theft".

  • by qwijibo (101731) on Wednesday March 08, 2006 @02:28PM (#14877099)
    There are many simple things that could be done to make identity theft harder, but they won't be done because it also makes marketing harder. Everything that makes it more difficult to commit identity theft also makes it harder to grant people instant credit online. Making it difficult to establish new accounts is bad for the businesses, but it would be beneficial to security conscious customers.

    In some countries, a company issuing a credit card has to send someone out to verify that the individual is who they say they are and applied for the account. I would like a system like that. At a minimum, it would require that people committing ID theft be local to their victims. Unlike now, it would be much harder for someone to try to set up numerous fraudulent accounts for victims all over the world.

    If I could specify my preferences, I would like to require that all accounts being created or modified in my name required that the change be made in person. This would not be much of an additional burden for many of my accounts. There is no way for me to set up and enforce such a policy. The closest I can come is a fraud notice on my credit report that tells the issuer to call me before opening an account, but there are companies that will ignore that since there is no obligation to comply with that request.
  • Federated identity systems have not been well accepted, and I don't expect to see any for quite a while. We have the MS Passport, which still placed too much trust in MS. We have the Liberty Alliance working group which has ahd lofty goals and major industry support, but it still hasn't produced much of value in years of work. I think individual identies and credential repositories and credential wallets are our best bet for a while.
  • Steps to thwart identity theft:

    1. Obtain an assumed identity (black market)
    2. Get a PO Box under the new name
    3. Get an unlisted phone under the new name
    4. Rent an apartment under new name
    5. Apply for every new credit card you can under you old name and run them all up to the max
    6. Stop paying your mortgage, credit cards, and insurance
    7. Accept foreclosure on your house and move to the apartment, do not leave a forwarding address

    In short, the best way to thwart identity theft is to ruin your credit and start
  • 1. Some government authority keeps a list of all citizens. In manny countries they do already.
    2. The list also holds information on whether the individual has been issued a driving licence or a passport or any ther reliable id-card.
    3. The list should have a copy of data suitable identification saved on the time of licence/passport issue, picture, finger prints etc.
    4. Whenever someone is aplying for a licence/passport or other identification card, the list is checked.
  • Measuring the risk (Score:4, Insightful)

    by rueger (210566) on Wednesday March 08, 2006 @02:46PM (#14877259) Homepage
    (Identity) theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly.

    Ah yes, more unattributed and meaningless statistics. Obviously we must leap up and address this issue!

    If, as noted in another post [slashdot.org], only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. Surely there are a couple of thousand varieties of crime that would offer a better return on the investments in crime fighting.

    Dollar for dollar how does on-line originated fraud compare to fraud by more traditional means? Is the growth in on-line fraud increasing the amount of fraud, or are the fraudsters just moving to a new platform while keeping the level and likelihood of fraud constant?

    I guess that I better turn on my TV news channel for the answers.

    Meanwhile I'll continue to be more worried about handing my Visa card to the pimply faced kid at the corner gas station.
    • by mrsev (664367)
      ........er how can this be +5% insightful.

      10% of 1.5 bilion British Pounds is 150 million Pounds NOT 1.5 million.

      Bad mods, naughty mods.
      • Oh very well. A math error.

        I will then insist on knowing how the 1.3 billion number was calculated.

        Somehow I expect it was by the usual cop math that estimates two scraggly pot plants and a handful of seeds to have "an estimated street value of $679,000."

        Or the RIAA math that tells us that piracy has cost them $456 Billion dollars in the last six months.

        When people and groups with a vested interest start tossing out huge numbers it is important to ask for substantiation.

        Unless you work in the media or of co
      • Only using American billion! That equals to 1000 millions. But in the rest of the world billion is million million !
        http://www.jimloy.com/math/billion.htm [jimloy.com]
    • "(Identity) theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year, forcing defences against this crime to evolve rapidly."

      "If, as noted in another post [slashdot.org], only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. "

      You might want to check that again. Ten percent of 1.3 billion would be 130 million, not 1.3 million. That's big enough to warrant attention.

      Having said that, most identity theft could be preven
    • Actually, 10% of £1.3 billion is £130 million, not £1.3 million.

      But I agree with you that this article seems to be written for the sole purpose of hyping up the threat of online identity fraud. The (poorly written) article provides almost no useful technical information, and it's clearly just a marketing piece aimed at attracting customers. The author works for Thales eSecurity [thales-esecurity.com], a company which sells precisely the security services/solutions that the article is promoting. Their website is

    • . . .and now costs the UK economy £1.3bn a year, . . . .

      . . . If, as noted in another post, only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year.

      I thought a billion in Britain was 10e12 instead of 10e9 like in the United States. If so, then 10% of 1.3 billion is 130,000 million. Even if it's the smaller value, it's still 130 million, which is one hundred times the amount you cited.

      By the way, I don't believe 1,300,000,000,000

  • by bogie (31020) on Wednesday March 08, 2006 @02:47PM (#14877273) Journal
    I was just an ID theft victim. Some douche in Philly opened up a cell phone account with all my info. Now I have to constantly watch my credit for the next year. It's bad enough knowing that your name,address, SS#, etc, all are floating around in 50,000 different legitimate locations, but it really sucks when someone with malicious intent gets ahold of that information. There really isn't anything anyone can do for you either once your information is stolen. You can only file a police report and then notify the credit agenices. Real damage gets done and peoples lives have been completely turned upside because of ID theft. Sadly many people end up battling ID theft for years and years. It's only going to get worse.
  • by 1337p1rt3 (959580) on Wednesday March 08, 2006 @02:54PM (#14877331)

    After reading the article I found a couple of the points to be near disturbing, to such an extent I choked on my coffee.

    1. This allows individuals to use one form of identity to authenticate themselves to a range of different organisations.

    This is a security breech in it of its self. The idea is to make a system harder to get into, by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or loose it for a single person to attack a vast amount of networks.

    2. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organisations to authenticate their users with the same identity.

    A part of Information Security is Information Control. This is an easy way to loose control of a secure environment. The CIO is relying on a secondary company that he/she is not physically monitoring to maintain positive control of their security environment. I for one would allow NO ONE access to my tokens or authentication system that didn't reside behind my firewall. Information security should not be about cost effectiveness. It is no secret that it is not cheap. Though cross organizational security is becoming more robust with software and a wider array of risk management, there is still the human factor that no one can control, i.e. there is no cure of human stupidity.

    3. On the upside

    There is of course a way to manage this kind of environment; intense risk management. The amount of resources the organization would have to dedicate to risk management almost makes this concept not cost effective. There would have to be an entire task force not associated to any of the corporations and would have to manage and asses security risks. The reason being is to gather non-biased information. This would be costly and time intensive.

    4. There are alternatives?

    The alternative and one that I am seeing become more common is to share a single platform but on the backside enforce a stronger security measure. Example, John logs in via a token system that is shared and then re-authenticates via biometrics on the backside. There goes cost effectiveness right out the window. The best biometric systems are very expensive and timely to roll-out. SafLink offers a great solution but is very costly and does not include hardware. Biometrics is the way to go albeit there is still a chance of a security breech if a hacker gains access to local cache files that store the bio-information. It would be near impossible to break the algorithm but there is still that chance.

    I guess with all security there is that same risk. There is no truly secure system, but we all make out as best we can. As security becomes more intense so will the possibilities of intrusion, for every action there is reaction.

    • This is a security breech in it of its self. The idea is to make a system harder to get into, by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or loose it for a single person to attack a vast amount of networks.

      One token is a lot easier to manage securely then a dozen tokens.

      Ways to use a single token system without having to give every party that needs to verify yo
    • In regards to online banking, biometrics isn't really an option. And, personally, I don't really see any obvious problems with a standard username/password verification system, or "lowest common denominator digital identity solution," as the author so succinctly put it. The main problem is with people lacking common sense when it comes to basic internet security practices. What it comes down to is that the PEBKAC [wikipedia.org]. With credit card fraud, many large credit card issuers do have back-up security protocals in p

  • by Lumpy (12016) on Wednesday March 08, 2006 @02:57PM (#14877350) Homepage
    Identity theft will remain a problem until the Credit reporting companies are forced at gunpoint to put in place controls to limit it and allow the owner to "lock" their credit report from any reading or reporting. The Credit companies make a crapload of money off of the illigitmate credit reports that are pulled on every person thousands of times a day. I typically find from 10 to 30 illigitmate credit report requests in my credit report every quarter from companies "phishing" for people to send pre-approved credit card offers and refinance requests, etc...

    Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.

    It's an industry problem that the industry refuses to fix because they profit from it.
    • by Anonymous Coward on Wednesday March 08, 2006 @03:10PM (#14877481)
      The functionality is already available as far as the credit reporting agencies not providing your information for marketing purposes.

      You can protect yourself from identity theft by taking your name off of the credit bureaus mailing lists. The credit bureaus are one of the biggest offender when it comes to selling your name and information to the credit card companies who in turn send you all those pre-approved applications. One call to the Opt Out Request Line (for Equifax, Trans Union, Experian and Consumer Credit Associates) is all it takes to permanently remove your name from all marketing lists that the credit agencies supply to direct marketers. You can also opt for a two-year period, renewing your request at any time in the future.

      1-888-567-8688

      To get rid of most other junk mail, write a letter giving your complete name, name variations and mailing address to:

      Mail Preference Service
      Direct Marketing Association
      P.O. Box 9008
      Farmingdale, NY 11735

      1-800-407-1088 Opt-Out from all mailing and telemarketing lists

      Other sources:
      http://www.dmaconsumers.org/cgi/offtelephonedave [dmaconsumers.org]
      http://www.dmaconsumers.org/cgi/offmailinglistdave [dmaconsumers.org]
      http://www.dmaconsumers.org/optoutform_emps.shtml [dmaconsumers.org]

    • by LandKurt (901298)

      Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.

      So you lock down your credit report to prevent any more credit card or loans in your name. I assume there would be a method for unlocking the reports when you want to apply for something for real.

      The trouble is that the credit thieves would just impersonate you an

      • by Todd Knarr (15451)

        The lockdown doesn't work quite that way. No proof of identity is required to remove the lockdown (normally, at least). What is required is a specific code that's given out when the freeze is put in place and only to the party requesting the freeze. If the request for a report's accompanied by that code the report will be issued, otherwise the request is refused. Makes it very hard for an impersonator to override a freeze unless they were the ones who placed it, since if they didn't they wouldn't have gotte

    • Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER"

      You can already kinda do this (in the U.S., anyway). Just call the credit reporting agencies and have them place a fraud alert on your information. Anyone, or any business, requesting information on your credit or credit history will be denied access to that information until you specifically authorize it. As a side benefit, doing this also automatically removes your name from a pile of mailing lists.

  • by max born (739948) on Wednesday March 08, 2006 @03:06PM (#14877432)
    I was a victim of ID theft 5 years ago. A credt card company (Next Card IIRC) gave someone a credit card who had only my name and SS#, wrong date of birth and wrong address. Anyway this guy went to Vegas and ran up quite a bill. It was only when the card remained unpaid that the company bothered to track down the real me.

    They wanted me to sign an affidavit. I told them I wan't signing anything, it wasn't my problem. I quoted the following from CHAP. 41, SUBCHAP VI, sections b and e of U.S. Code TITLE 15 which states:

    (b) Burden of proof
    In any action which involves a consumer's liability for an unauthorized electronic fund transfer, the burden of proof is upon the financial institution to show that the electronic fund transfer was authorized or, if the electronic fund transfer was unauthorized, then the burden of proof is upon the financial institution to establish that the conditions of liability set forth in subsection (a) of this section have been met, and, if the transfer was initiated after the effective date of section 1693c of this title, that the disclosures required to be made to the consumer under section 1693c(a)(1) and (2) of this title were in fact made in accordance with such section.

    (e) Scope of liability
    Except as provided in this section, a consumer incurs no liability from an unauthorized electronic fund transfer.


    Anyway, they took care of everything after that. Including my credit rating.
  • The Postal Service in Germany offers a service called PostIdent. Customers and third parties can rely on this service. I am sure there is a post office in your neighborhood. Why is this service not available in the US?

    http://www.deutschepost.de/dpag?lang=de_DE&xmlFile =6394 [deutschepost.de]
    http://www.usps.com/all/welcome.htm?from=homedoorw aybar&page=0019allproducts [usps.com]
  • by MrNougat (927651) <ckratsch.gmail@com> on Wednesday March 08, 2006 @03:38PM (#14877717)
    I wonder if all of the efforts that were made to deal with Y2K bugs may have a detrimental effect on future needs for technology improvement. Consider that a whole lot of businesses were convinced to spend a whole lot of money to do Y2K fixes, the result of which appeared to be ... nothing. Executive committees, boards of directors, shareholders - the appearance is that a lot of money was spent, and after the turn of the millenium, everything was the same as before.

    Now there's another need for technology improvement, in the area of data and network security. From a layman's standpoint, it looks like, "Hey, you need to spend a lot of money and increase the cost of doing business going forward, to prevent against a risk that may never come to pass." And even if the risk does come to pass, it's likely going to be a handful of victims, with little repercussion to the business whose lax security was the root cause.

    We spent all that money on Y2K, and didn't get an obvious return on it. Why should we do that again? Interestingly, this belief surely exists at insurance companies - who are trying to get their clients to pay a regular fee to mitigate risks.

    And, in truth, it's probably cheaper for these businesses to deal with clean-up costs after a few people are victimized than it is to spend proactively to protect everyone. It's like the automotive recall equation from Fight Club.
  • I remember reading about a proposal to use private/public keys as a form of authentication in a Scientific American article several decades ago. Why haven't we adopted such a system? Obviously, we'd need an infrastructure that supplies the keys in a secure and confidential manner, and methods of exchanging keys that don't involve typing in 256-character alphanumeric strings...but would finding solutions to these problems be so hard?

    This is a genuine question--I don't know much about cryptography, so I'd w

  • by RickP (959845)
    Although identity theft is much broader than just unauthorized usage of credit cards wouldn't it seem logical to force a PIN number to be used for all credit card transactions. It seems that the majority of vendors already have the equipment and capacity to allow a customer to enter a PIN for Debit. Why not integrate this into credit transactions? This would be especially helpful for people who may have lost their card or if someone has copied the number. RickP
  • by Todd Knarr (15451) on Wednesday March 08, 2006 @04:19PM (#14878096) Homepage

    I've said it before, and I'll say it again: what the article speaks of won't help. Even if it's implemented perfectly and is utterly mathematically secure, it won't stop identity theft. That's because it doesn't address the largest hole in the system, the way most identity thieves steal your identity: authenticating the organization the user wants to talk to to the user. It doesn't matter how securely I can prove who I am to my bank, if Mister X out there can impersonate my bank to me he doesn't have to steal my credentials because I'll be giving them to him voluntarily (if unknowingly). The only way to stop this is for the bank to prove to me who it is before asking me to prove who I am.

    This isn't even new. It's been long known that you don't trust the other end when they initiated the communication. If someone calls up saying you're late on your electric bill but if you want they can do a check over the phone if you'll just give them your bank account information, common wisdom is that you take note of this, hang up the phone, call the number on your electric bill for the power company's billing department and talk to them. You do that so that you know that you're in fact talking to the real power company before handing over details to them. Same thing for bills in the mail, if out of the blue you receive a bill saying you owe $BIGNUM on your car loan immediately and please send the check in the enclosed return envelope, you don't blindly use it until you've made sure it's to the same address as your regular loan-payment envelopes and you've confirmed with the lender that the bill's for real.

    So why, when it comes to identity and security, is all the emphasis in electronic transactions on authenticating the user to the organization when in real life the first thing in a similar transaction is to authenticate the organization to the user?

  • The problems I have experienced are due to them selling the information in the first place, and sending out more junk than necissary trying to screw their customers in the first place.

    I think the banks, etc like to complain about fraud, and want to use the excuse to get control of MORE information from the customers, so they can make more money, and still allow law enforcement to try and make up for their unwillingness to miss out any profit that might otherwise educate their customers in the first place.

    sp

fortune: not found

Working...