Combating Identity Theft 204
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
Penalties (Score:5, Insightful)
Uh... okay. I guess I'm living in fantasyland.
Nevermind.
You don't need to see his identification (Score:5, Insightful)
Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required:
In the end, we're saddled with all these differet ids (let's not even get into usernames and passwords for on-line banking or web site membership). And all these ids share the common feature of having to be tied back to an individual somehow. The problem lies in the fact that thieves can get their hands on pieces of data (address, SS#, phone number, DL#, etc.) that allow them to replicate you and then use that information to either utilize resources you already have or create new resources that they can exploit (mortgages, loans, etc.).
Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the forseeable future.
It's mostly paper - checks, etc... (Score:5, Insightful)
Mar 11, 2005 -- How identity theft really occurs
Identity theft has become huge, as we all know. But how and why does it occur? Many people think that identity theft occurs because of what we do online. But just slightly more than 10 percent happens online. Almost all of it occurs when someone steals your checkbook, your wallet or your mail. The Internet actually helps in reducing ID theft, according to the Better Business Bureau. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find things quickly and can report them right away. So, if you still have a checkbook and you refuse to part with it, keep it at home and know where it is at all times. This is especially important for businesses, which are expected to keep a higher standard of security when it comes to securing checks. Businesses have liability for checks written that are stolen. So, keep very good track of your checks if you own a business.
Theft? Fraud! (Score:5, Insightful)
Solution - remember that customers are people (Score:3, Insightful)
In some countries, a company issuing a credit card has to send someone out to verify that the individual is who they say they are and applied for the account. I would like a system like that. At a minimum, it would require that people committing ID theft be local to their victims. Unlike now, it would be much harder for someone to try to set up numerous fraudulent accounts for victims all over the world.
If I could specify my preferences, I would like to require that all accounts being created or modified in my name required that the change be made in person. This would not be much of an additional burden for many of my accounts. There is no way for me to set up and enforce such a policy. The closest I can come is a fraud notice on my credit report that tells the issuer to call me before opening an account, but there are companies that will ignore that since there is no obligation to comply with that request.
That last line is the killer. (Score:5, Insightful)
If a single item will "identify" you, then the value of that single item skyrockets.
As the value goes up, so does the incentive to break the system so that you can cash in on it.
Re:Make it harder (Score:5, Insightful)
Re:They're not helping themselves (Score:5, Insightful)
VISA actually requires that merchants, in some circumstances, NOT challenge the person using the card. (Have tou noticed that many merchants won't even ask for a signature for purchases below a set limit now?) Why? Because the cost of turning away potential sales - including fraudulent ones - is many multiples of VISA's cost of lost revenue due to fraudulent activity and theft.
What's more is that merchants, not the credit card issuers or underwriting banks, are the ones ultimately responsible for more than 90% of chargebacks. So if the merchant sells a product to someone using a fake card, and the rightful owner of that card challenges it, the merchant takes the loss, not VISA. So for the most part there's really not a direct reason for VISA to curb fraudulent activity at all.
So security in this case actually leads to loss of sales, and therefore loss of revenue for VISA. The customer is indemnified, VISA and the banks are insulated, and the merchant gets screwed - until they raise their prices to make up for the loss. And even then, it's the customer who bears the ultimate financial burden. IOW, VISA has every incentive to make it easier for people to use their cards, even if that means more identity theft.
Re:They're not helping themselves (Score:2, Insightful)
Measuring the risk (Score:4, Insightful)
Ah yes, more unattributed and meaningless statistics. Obviously we must leap up and address this issue!
If, as noted in another post [slashdot.org], only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. Surely there are a couple of thousand varieties of crime that would offer a better return on the investments in crime fighting.
Dollar for dollar how does on-line originated fraud compare to fraud by more traditional means? Is the growth in on-line fraud increasing the amount of fraud, or are the fraudsters just moving to a new platform while keeping the level and likelihood of fraud constant?
I guess that I better turn on my TV news channel for the answers.
Meanwhile I'll continue to be more worried about handing my Visa card to the pimply faced kid at the corner gas station.
Paradoxical ID Theft (Score:4, Insightful)
After reading the article I found a couple of the points to be near disturbing, to such an extent I choked on my coffee.
1. This allows individuals to use one form of identity to authenticate themselves to a range of different organisations.
This is a security breech in it of its self. The idea is to make a system harder to get into, by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or loose it for a single person to attack a vast amount of networks.
2. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organisations to authenticate their users with the same identity.
A part of Information Security is Information Control. This is an easy way to loose control of a secure environment. The CIO is relying on a secondary company that he/she is not physically monitoring to maintain positive control of their security environment. I for one would allow NO ONE access to my tokens or authentication system that didn't reside behind my firewall. Information security should not be about cost effectiveness. It is no secret that it is not cheap. Though cross organizational security is becoming more robust with software and a wider array of risk management, there is still the human factor that no one can control, i.e. there is no cure of human stupidity.
3. On the upside
There is of course a way to manage this kind of environment; intense risk management. The amount of resources the organization would have to dedicate to risk management almost makes this concept not cost effective. There would have to be an entire task force not associated to any of the corporations and would have to manage and asses security risks. The reason being is to gather non-biased information. This would be costly and time intensive.
4. There are alternatives?
The alternative and one that I am seeing become more common is to share a single platform but on the backside enforce a stronger security measure. Example, John logs in via a token system that is shared and then re-authenticates via biometrics on the backside. There goes cost effectiveness right out the window. The best biometric systems are very expensive and timely to roll-out. SafLink offers a great solution but is very costly and does not include hardware. Biometrics is the way to go albeit there is still a chance of a security breech if a hacker gains access to local cache files that store the bio-information. It would be near impossible to break the algorithm but there is still that chance.
I guess with all security there is that same risk. There is no truly secure system, but we all make out as best we can. As security becomes more intense so will the possibilities of intrusion, for every action there is reaction.
Useless information (Score:3, Insightful)
Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.
It's an industry problem that the industry refuses to fix because they profit from it.
It's like sex with Kobe Bryant... (Score:2, Insightful)
"It's like sex with Kobe Bryant; you can kick and scream all you like... but in the end... it's going to happen."
Re:Measuring the risk (Score:3, Insightful)
Actually, 10% of £1.3 billion is £130 million, not £1.3 million.
But I agree with you that this article seems to be written for the sole purpose of hyping up the threat of online identity fraud. The (poorly written) article provides almost no useful technical information, and it's clearly just a marketing piece aimed at attracting customers. The author works for Thales eSecurity [thales-esecurity.com], a company which sells precisely the security services/solutions that the article is promoting. Their website is kinda sketchy too--using a bunch of dummy links of common search terms at the bottom of each page, presumably to boost search engine rankings.
It's pretty sad really that so many companies out there rely on, and indeed thrive off of, purely bullshitting people into paying for crap products/services. It really requires no talent to profit from the general gullibility of most people while contributing nothing at all to society. All it takes is for one to have the initial capital and the ability to market medicore yet high-priced products or services to potential customers.
Re:Useless information (Score:2, Insightful)
Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.
So you lock down your credit report to prevent any more credit card or loans in your name. I assume there would be a method for unlocking the reports when you want to apply for something for real.
The trouble is that the credit thieves would just impersonate you and unlock the reports themselves. So the identity problem is just shifted from the banking institutions to the credit reporting companies. Since it's not their money on the line, they're even less likely to take it seriously.
Combatting Identity Theft (Score:2, Insightful)
Re:Lenders are liable for ID theft, not victims (Score:4, Insightful)
I told them I wan't signing anything, it wasn't my problem.
Isn't it great how they shift the problem to the consumer by calling it identity theft. They didn't steal your identity, they stole the credit card companies money by fooling them. They should call it credit company bamboozling, but that would make it sound like their problem instead of yours.
Re:Theft? Fraud! (Score:3, Insightful)
Not to nitpick terms, but "theft" is thrown around WAY too loosely. If the term "rape" didn't already exist, people would refer to it as "sex theft".
Authentication in the wrong direction (Score:3, Insightful)
I've said it before, and I'll say it again: what the article speaks of won't help. Even if it's implemented perfectly and is utterly mathematically secure, it won't stop identity theft. That's because it doesn't address the largest hole in the system, the way most identity thieves steal your identity: authenticating the organization the user wants to talk to to the user. It doesn't matter how securely I can prove who I am to my bank, if Mister X out there can impersonate my bank to me he doesn't have to steal my credentials because I'll be giving them to him voluntarily (if unknowingly). The only way to stop this is for the bank to prove to me who it is before asking me to prove who I am.
This isn't even new. It's been long known that you don't trust the other end when they initiated the communication. If someone calls up saying you're late on your electric bill but if you want they can do a check over the phone if you'll just give them your bank account information, common wisdom is that you take note of this, hang up the phone, call the number on your electric bill for the power company's billing department and talk to them. You do that so that you know that you're in fact talking to the real power company before handing over details to them. Same thing for bills in the mail, if out of the blue you receive a bill saying you owe $BIGNUM on your car loan immediately and please send the check in the enclosed return envelope, you don't blindly use it until you've made sure it's to the same address as your regular loan-payment envelopes and you've confirmed with the lender that the bill's for real.
So why, when it comes to identity and security, is all the emphasis in electronic transactions on authenticating the user to the organization when in real life the first thing in a similar transaction is to authenticate the organization to the user?
Re:It's mostly paper - checks, etc... (Score:2, Insightful)
Re:A statement and a story (Score:2, Insightful)
Well, you sort of got it right. [In the US] credit card companies are only responsible for the first $50 of a fraudulent transaction. Until recently, they passed that $50 on to the consumers. Merchants have to absorb any additional amount.
Clerks are encouraged to check the signature to reduce the risk of fraudulent purchases, theoretically reducing the merchant's exposure, but there are several flies in the ointment:
Most stolen cards are used to buy high-end goods and "vices" like porn, cigarettes and alcohol. Home Depot doesn't worry about it, because who's buying PVC with a stolen card? A gas station pretty much never needs to worry about getting paid because they won't go near the $50 mark (most won't let you buy cartons with a credit card). Newegg and BestBuy could be out thousands of dollars of high-margin goods, so they verify identity vigorously.
My background: Former convenience store clerk and trainer. I've been on the witness stand against someone who used a stolen credit card.