Combating Identity Theft 204
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
Um... (Score:5, Informative)
It's useless... (Score:5, Funny)
--CowboyNeal
Re:It's useless... (Score:2, Funny)
--CmdrTaco
Re:It's useless... (Score:3, Funny)
It's like sex with Kobe Bryant... (Score:2, Insightful)
"It's like sex with Kobe Bryant; you can kick and scream all you like... but in the end... it's going to happen."
Re:It's useless... NO (Score:2)
They're not helping themselves (Score:5, Informative)
A statement and a story (Score:5, Interesting)
This is common knowledge. I haven't signed the back of my card in over 10 years. What's funny is when a cashier actually looks at the back of the card and then just procedes on even though there's no signature. Let's face it though, even if they did check, it's a worthless security measure anyway. Any crook with even a primitive grouping of nerve endings in their skull can take the few minutes to come "close enough" to the signature on the back of the credit card they just stole.
Interesting side note about the saying that the "banking industry" no taking advantage of their own saftey checks. When I went to get a cashiers check for the down payment on some real estate (around $13K), my bank gave me MASSIVE amounts of grief because my signature on the cashiers check request did not match the signature they had on file for me, nor did it match the signature on my drivers license (all three were different). I ended up having to produce another form of picture id (which for most people is difficult, since usually it's your drivers license that has a picture, for some it could also be a student id, for many you're SOL) and signing another signature card. Turns out that while the signature card is not used generally to check the signature on checks (it's bank stated purpose), the bank does check it for transactions over $10K.
Re:A statement and a story (Score:2, Interesting)
However, whenever I go to BestBuy they ask for my drivers license and compare my face to the photo. I guess the managers at the 2 stores near me are strict about that sort of thing.
When I worked as a cashier I didn't care if it was signed or not. I never bother checking unless my boss was hovering around the front.
Re:A statement and a story (Score:5, Interesting)
If you look at the card, you'll see a notice by the signature field that says "NOT VALID UNTIL SIGNED." This is because the card constitutes a binding contract between you and the credit card company. Until you sign it, the card is not a financial instrument.
Let's say you don't sign the card, and you use it to but $1500 worth of stuff at a store, and then you don't pay the credit card bill. The credit card company is not legally obligated to pay the store for the goods you bought, because the unsigned card was not a binding agreement. You can be prosecuted for acting in bad faith, but the store won't get its $1500.
That's why the store needs you to sign it--and that's why, when I was a cashier (for my sins) I would often have to ask people to sign their credit cards.
Incredulous customer: But don't you see how ridiculous that is? I might have just stolen this card and be forging the signature on it!
Me: That's true, but remember, I'm not doing this to protect you; I'm doing it to protect the store.
Technically, by insisting on a signature, I was performing good-faith assurance. Sure, the guy might be signing a fake name; but a store can't be held legally responsible for detecting forged signatures, since it's not reasonable that a minimum-wage cashier be required to be trained in forgery. (Court cases have upheld this.) As long as the card has a signature on it, the credit card company has to reimburse the store for whatever gets bought. That's the only thing the store cares about.
The lesson? Remember that the only person who has any interest in protecting you is yourself.
Re:A statement and a story (Score:5, Interesting)
'The credit card company is not legally obligated to pay the store for the goods you bought, because the unsigned card was not a binding agreement.'
That's a nice though, but I'm wondering how an online transaction fits into this scheme?
Re:They're not helping themselves (Score:4, Interesting)
Re:They're not helping themselves (Score:5, Insightful)
VISA actually requires that merchants, in some circumstances, NOT challenge the person using the card. (Have tou noticed that many merchants won't even ask for a signature for purchases below a set limit now?) Why? Because the cost of turning away potential sales - including fraudulent ones - is many multiples of VISA's cost of lost revenue due to fraudulent activity and theft.
What's more is that merchants, not the credit card issuers or underwriting banks, are the ones ultimately responsible for more than 90% of chargebacks. So if the merchant sells a product to someone using a fake card, and the rightful owner of that card challenges it, the merchant takes the loss, not VISA. So for the most part there's really not a direct reason for VISA to curb fraudulent activity at all.
So security in this case actually leads to loss of sales, and therefore loss of revenue for VISA. The customer is indemnified, VISA and the banks are insulated, and the merchant gets screwed - until they raise their prices to make up for the loss. And even then, it's the customer who bears the ultimate financial burden. IOW, VISA has every incentive to make it easier for people to use their cards, even if that means more identity theft.
Re:They're not helping themselves (Score:2)
VISA doesn't foot the losses. Merchants and banks do. VISA is just a network - and they make money by taking a small part of each transaction.
Re:They're not helping themselves (Score:2)
Re:They're not helping themselves (Score:2)
That walmart lawsuit a couple of years ago hurt too (a lot).
Re:They're not helping themselves (Score:5, Informative)
Here in the UK, we use the Chip and PIN system [wikipedia.org], which has been in effect for a while and practically mandatory since Valentine's Day [bbc.co.uk].
Re:They're not helping themselves (Score:3, Interesting)
And which everyone else in the shop knows, after the first time you type it into the keypad which is visible from all around...
It's called "chip and pin", it's not even slightly secure, it's been used in Europe for years, and just introduced in the UK.
Re:They're not helping themselves (Score:2)
The real problem with this is not phones, but systems where credit cards are expected to be usable without any keypads etc. For instance, if you take Metro in D.C., the farecard machines don't have pinpads, you just shove in your credit card and take it out. Where
Re:They're not helping themselves (Score:2)
What banks need to start doing is pre-print the cardholder's signature on the back of the card the same way many state's DMVs do for licenses now. A post-issue-applied signature isn't worth the card it's written on (quite literally).
Re:They're not helping themselves (Score:2)
When you get your picture taken for the card (we have
photo IDs on our ATM cards), they collect your signature,
and the finished card is available for pickup a number of
days later (if the bank is paranoid enough to not trust the
postal service).
Re:They're not helping themselves (Score:3, Informative)
Theoretically, if you buy stuff with an unsigned card, you are not on the hook to pay the bill in some states.
Re:They're not helping themselves (Score:2, Insightful)
Re:They're not helping themselves (Score:2)
Using a credit card is making a promise that you'll pay, which is what entitles the merchant to be paid. Checking an ID is just a step to see if your face matches the one on your ID and the name matches the name on the card. In the case of credit cards with photos, asking for ID
Re:They're not helping themselves (Score:2)
Yeah, it sucks that when I use your credit card they ask for an ID. I now have to resort to lifting wallets and hoping that they have cash in them.
Merchant rules require sig and ID. (Score:3, Informative)
According the merchant rules, for MasterCard anyway, the merchant is suppose to check the signature and request ID as part of their compliance (section 2.1.1.2).
If a card is not signed, the merchant is suppose to obtain authorization from the card issuer, request ID and have the customer sign the card then and there (section 2.1.
Re:They're not helping themselves (Score:2)
I'm one of those "asshats", and I've never had a merchant reject my card.
Only about 1 in 20 actually look at the signature block and ask for my ID. I praise them and thank them for doing so.
I've heard of some merchants refusing to accept signed cards. Mine are signed -- and next to the signature is 'DEMAND PHOTO ID' in big block letters.
Re: (Score:2)
Re:They're not helping themselves (Score:4, Interesting)
Their new saftey checks are pissing me off. I just recently made 2 ~$700 purchases for a personal file server. On the 2nd order I entered the expiration date wrong. That apparently set off alarms at the credit card company and called the house. My wife told them to approve the purchases. So I had to go back to newegg and update my credit card info. The order never updated it so I canceled it and made a new one. The new one didn't go through because they couldn't confirm my address because they didn't like the credit card phone number I gave them Here's the list of credit card items I had to give them:
Now newegg didn't like the number on the back of my card (888 45-YAHOO). My IMing with customer support didn't get anywhere as they wanted another number that I didn't have. A phone call to my credit card company didn't get anywhere as they don't want to issue me a credit card with an number on it acceptable to newegg. There also appears to be some new "Verified by Visa" program, which requires more information to comfirm the order. I didn't want to deal with that. So I ended up cancelling the order with newegg, went to zipzoomfly and used a Master Card. I'm willing to jump through some hoops to prove I am who I say I am. If I have to make phone calls and IM customer support to get an order completed (which I didn't) I don't want to deal with that credit card or merchant.
Re:They're not helping themselves (Score:2)
Re:They're not helping themselves (Score:2)
Re:They're not helping themselves (Score:2)
I had a card that I never used outside online purchases. On the back I put the phrase in caps "THIS CARD IS STOLEN!!!"
I went on a trip once and grabbed the card because I was short on cash and forgot that I wrote that. Funny thing was no one bothered to look at the back of the card (granted I only bought plane tickets and a hotel room with it).
Re:Simple solution when asked to print receipts (Score:2)
Yeah, it felt kind of weird at first when I did it for a few times feeling like I was stealing gas without printing the receipt, but I figure if they were going to accuse me of stealing gas they wouldn't let me pump it without being authorized with my card.
Saves me from having to worrying about forgetting to grab the ticket and maybe save a few trees in the process.
Combating ID Theft is easy... (Score:4, Informative)
Re:Combating ID Theft is easy... (Score:2, Interesting)
Won't work. A growing area of fraud is title fraud, where someone fraudulently sells your house/land. The identity verification process of many land registry offices leaves a lot to be desired.
Re:Combating ID Theft is easy... (Score:2)
But if you desire that lot, you will gladly accept the risk.
Re:Combating ID Theft is easy... (Score:4, Funny)
My esteemed uncle, the Grand Vizier of the Carribean National Bank, Doctor Moroawe mBasse, has just passed away, leaving me, some property. I have a nice little island in the Carribean that I need to turn into cash immediately, and I will sell it to you for just $150.00 American. Just send me your bank account login information and Iwill send to you the title right away.
Regards,
Mr. Tamuk Nagalanucha
The Grand Vizier's Garden Party (Score:2)
Re: (Score:2)
Penalties (Score:5, Insightful)
Uh... okay. I guess I'm living in fantasyland.
Nevermind.
Re:Penalties (Score:2)
I'm all about upping security, but it has to be cost effective, for both the consumer AND the company...
Re:Penalties (Score:2)
Re:Penalties (Score:3, Funny)
What we need is legislation prohibiting passing costs on to the consumers. As long as you can pay your employees a living wage you don't need to be charging your customers any more. Profit margins in the credit industry are beyond obscene.
Re:Penalties (Score:2)
Re:Penalties (Score:2)
AOL? (Score:4, Funny)
Alternative systems? (Score:5, Interesting)
-Rick
That just creates a market for theft. (Score:2)
The money has to come from somewhere.
Re:Alternative systems? (Score:2)
Digital Signatures (PGP, etc.) should be a minimum requirement. The
You don't need to see his identification (Score:5, Insightful)
Except that people are completely resistant to the idea of a single id card (the so-called "National Id"), even though it makes sense, given the sheer quantity of different forms of id that are required:
In the end, we're saddled with all these differet ids (let's not even get into usernames and passwords for on-line banking or web site membership). And all these ids share the common feature of having to be tied back to an individual somehow. The problem lies in the fact that thieves can get their hands on pieces of data (address, SS#, phone number, DL#, etc.) that allow them to replicate you and then use that information to either utilize resources you already have or create new resources that they can exploit (mortgages, loans, etc.).
Until there's some kind of global standard, defining just what identifies you as you, and there is a system for storing, retrieving, and updating that information in a manner that foils potential thieves, identity theft will continue to be a problem for the forseeable future.
That last line is the killer. (Score:5, Insightful)
If a single item will "identify" you, then the value of that single item skyrockets.
As the value goes up, so does the incentive to break the system so that you can cash in on it.
digital privacy is about databases (Score:4, Interesting)
I would much prefer a biometrically locked card, with something that required a thumbprint or something to release my signed public key stored on the card along with the digitally signed receipt. The key could encrypt a picture that is displayed on the cash register, but it seems like having a computer do a biometric rejection is less likely to cause a lawsuit. Plus, what clerk wants to examine a photograph and say "this doesn't look like you" several times a day?
Re:digital privacy is about databases (Score:2)
Re:digital privacy is about databases (Score:2)
Re:digital privacy is about databases (Score:2)
Re:digital privacy is about databases (Score:2)
Re:digital privacy is about databases (Score:2)
That would not happen. As soon as a national ID card, the govt. will immediately move to the next step of storing the information. They'll say, "look, it would be so easy to cut crime by storing this information, the fact that we're not doing it defie
It's mostly paper - checks, etc... (Score:5, Insightful)
Mar 11, 2005 -- How identity theft really occurs
Identity theft has become huge, as we all know. But how and why does it occur? Many people think that identity theft occurs because of what we do online. But just slightly more than 10 percent happens online. Almost all of it occurs when someone steals your checkbook, your wallet or your mail. The Internet actually helps in reducing ID theft, according to the Better Business Bureau. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find things quickly and can report them right away. So, if you still have a checkbook and you refuse to part with it, keep it at home and know where it is at all times. This is especially important for businesses, which are expected to keep a higher standard of security when it comes to securing checks. Businesses have liability for checks written that are stolen. So, keep very good track of your checks if you own a business.
Sometimes it's very low-level (Score:2)
(Yes, we cancelled that card and put fraud watches on our credit report - no other signs so far.)
Meanwhile, someone transposed digits and ended up getting their gas bill paid by my
Make it harder (Score:3, Interesting)
Re:Make it harder (Score:5, Insightful)
Mod parent up! (Score:2)
And Bruce Schneier has said the same thing. If you want to fight identity "theft" (really just old fashioned fraud), then you put the burden on the financial institutions.
Once their costs exceed the profits, they'll change their processes.
Until then, they'll talk a lot, but do nothing of real value.
Sinple answer (Score:2)
Theft? Fraud! (Score:5, Insightful)
Re:Theft? Fraud! (Score:2)
Who remembers in the 80's when a credit card check at the cash register meant a cashier checking the credit card # against a list of bad numbers, printed on newsprint that was updated once a week. Purchases less than $50 would rarely get checked at all, while those over $50 would get called in by phone/modem for verification depending on the size of the retailer.
naah (Score:2)
Re:Theft? Fraud! (Score:5, Funny)
Re:Theft? Fraud! (Score:3, Insightful)
Not to nitpick terms, but "theft" is thrown around WAY too loosely. If the term "rape" didn't already exist, people would refer to it as "sex theft".
Identity theft protection here (Score:2, Informative)
Solution - remember that customers are people (Score:3, Insightful)
In some countries, a company issuing a credit card has to send someone out to verify that the individual is who they say they are and applied for the account. I would like a system like that. At a minimum, it would require that people committing ID theft be local to their victims. Unlike now, it would be much harder for someone to try to set up numerous fraudulent accounts for victims all over the world.
If I could specify my preferences, I would like to require that all accounts being created or modified in my name required that the change be made in person. This would not be much of an additional burden for many of my accounts. There is no way for me to set up and enforce such a policy. The closest I can come is a fraud notice on my credit report that tells the issuer to call me before opening an account, but there are companies that will ignore that since there is no obligation to comply with that request.
Federated Identities are a long ways away (Score:2, Interesting)
How to thwart identity theft (Score:2)
1. Obtain an assumed identity (black market)
2. Get a PO Box under the new name
3. Get an unlisted phone under the new name
4. Rent an apartment under new name
5. Apply for every new credit card you can under you old name and run them all up to the max
6. Stop paying your mortgage, credit cards, and insurance
7. Accept foreclosure on your house and move to the apartment, do not leave a forwarding address
In short, the best way to thwart identity theft is to ruin your credit and start
Not easy but doable (Score:2)
2. The list also holds information on whether the individual has been issued a driving licence or a passport or any ther reliable id-card.
3. The list should have a copy of data suitable identification saved on the time of licence/passport issue, picture, finger prints etc.
4. Whenever someone is aplying for a licence/passport or other identification card, the list is checked.
Measuring the risk (Score:4, Insightful)
Ah yes, more unattributed and meaningless statistics. Obviously we must leap up and address this issue!
If, as noted in another post [slashdot.org], only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. Surely there are a couple of thousand varieties of crime that would offer a better return on the investments in crime fighting.
Dollar for dollar how does on-line originated fraud compare to fraud by more traditional means? Is the growth in on-line fraud increasing the amount of fraud, or are the fraudsters just moving to a new platform while keeping the level and likelihood of fraud constant?
I guess that I better turn on my TV news channel for the answers.
Meanwhile I'll continue to be more worried about handing my Visa card to the pimply faced kid at the corner gas station.
Re:Measuring the risk (Score:3, Informative)
10% of 1.5 bilion British Pounds is 150 million Pounds NOT 1.5 million.
Bad mods, naughty mods.
Re:Measuring the risk (Score:2)
I will then insist on knowing how the 1.3 billion number was calculated.
Somehow I expect it was by the usual cop math that estimates two scraggly pot plants and a handful of seeds to have "an estimated street value of $679,000."
Or the RIAA math that tells us that piracy has cost them $456 Billion dollars in the last six months.
When people and groups with a vested interest start tossing out huge numbers it is important to ask for substantiation.
Unless you work in the media or of co
Re:Measuring the risk (Score:2)
http://www.jimloy.com/math/billion.htm [jimloy.com]
Re:Measuring the risk (Score:3, Interesting)
"If, as noted in another post [slashdot.org], only 10% of this crime is attributed to on-line activities, then we're talking a paltry £1.3 million a year. "
You might want to check that again. Ten percent of 1.3 billion would be 130 million, not 1.3 million. That's big enough to warrant attention.
Having said that, most identity theft could be preven
Re:Measuring the risk (Score:3, Insightful)
Actually, 10% of £1.3 billion is £130 million, not £1.3 million.
But I agree with you that this article seems to be written for the sole purpose of hyping up the threat of online identity fraud. The (poorly written) article provides almost no useful technical information, and it's clearly just a marketing piece aimed at attracting customers. The author works for Thales eSecurity [thales-esecurity.com], a company which sells precisely the security services/solutions that the article is promoting. Their website is
Re:Measuring the risk (Score:2)
ID theft sucks and it's only getting worse (Score:5, Informative)
Paradoxical ID Theft (Score:4, Insightful)
After reading the article I found a couple of the points to be near disturbing, to such an extent I choked on my coffee.
1. This allows individuals to use one form of identity to authenticate themselves to a range of different organisations.
This is a security breech in it of its self. The idea is to make a system harder to get into, by allowing users to have a single token for a multi-organizational environment you are essentially defeating the purpose of information security. ONLY one person has to sell their information or loose it for a single person to attack a vast amount of networks.
2. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organisations to authenticate their users with the same identity.
A part of Information Security is Information Control. This is an easy way to loose control of a secure environment. The CIO is relying on a secondary company that he/she is not physically monitoring to maintain positive control of their security environment. I for one would allow NO ONE access to my tokens or authentication system that didn't reside behind my firewall. Information security should not be about cost effectiveness. It is no secret that it is not cheap. Though cross organizational security is becoming more robust with software and a wider array of risk management, there is still the human factor that no one can control, i.e. there is no cure of human stupidity.
3. On the upside
There is of course a way to manage this kind of environment; intense risk management. The amount of resources the organization would have to dedicate to risk management almost makes this concept not cost effective. There would have to be an entire task force not associated to any of the corporations and would have to manage and asses security risks. The reason being is to gather non-biased information. This would be costly and time intensive.
4. There are alternatives?
The alternative and one that I am seeing become more common is to share a single platform but on the backside enforce a stronger security measure. Example, John logs in via a token system that is shared and then re-authenticates via biometrics on the backside. There goes cost effectiveness right out the window. The best biometric systems are very expensive and timely to roll-out. SafLink offers a great solution but is very costly and does not include hardware. Biometrics is the way to go albeit there is still a chance of a security breech if a hacker gains access to local cache files that store the bio-information. It would be near impossible to break the algorithm but there is still that chance.
I guess with all security there is that same risk. There is no truly secure system, but we all make out as best we can. As security becomes more intense so will the possibilities of intrusion, for every action there is reaction.
Re:Paradoxical ID Theft (Score:2)
One token is a lot easier to manage securely then a dozen tokens.
Ways to use a single token system without having to give every party that needs to verify yo
Re:Paradoxical ID Theft (Score:2)
Re:Paradoxical ID Theft (Score:2)
In regards to online banking, biometrics isn't really an option. And, personally, I don't really see any obvious problems with a standard username/password verification system, or "lowest common denominator digital identity solution," as the author so succinctly put it. The main problem is with people lacking common sense when it comes to basic internet security practices. What it comes down to is that the PEBKAC [wikipedia.org]. With credit card fraud, many large credit card issuers do have back-up security protocals in p
Useless information (Score:3, Insightful)
Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.
It's an industry problem that the industry refuses to fix because they profit from it.
Re:Useless information (Score:4, Informative)
You can protect yourself from identity theft by taking your name off of the credit bureaus mailing lists. The credit bureaus are one of the biggest offender when it comes to selling your name and information to the credit card companies who in turn send you all those pre-approved applications. One call to the Opt Out Request Line (for Equifax, Trans Union, Experian and Consumer Credit Associates) is all it takes to permanently remove your name from all marketing lists that the credit agencies supply to direct marketers. You can also opt for a two-year period, renewing your request at any time in the future.
1-888-567-8688
To get rid of most other junk mail, write a letter giving your complete name, name variations and mailing address to:
Mail Preference Service
Direct Marketing Association
P.O. Box 9008
Farmingdale, NY 11735
1-800-407-1088 Opt-Out from all mailing and telemarketing lists
Other sources:
http://www.dmaconsumers.org/cgi/offtelephonedave [dmaconsumers.org]
http://www.dmaconsumers.org/cgi/offmailinglistdav
http://www.dmaconsumers.org/optoutform_emps.shtml [dmaconsumers.org]
Re:Useless information (Score:2, Insightful)
Let me lock my credit report down so that it reports only "CREDIT REPORT LOCKED BY OWNER" and identity theft will drop drastically. If you can not apply for new credit under someone's name it makes stealing their identity nearly worthless.
So you lock down your credit report to prevent any more credit card or loans in your name. I assume there would be a method for unlocking the reports when you want to apply for something for real.
The trouble is that the credit thieves would just impersonate you an
Re:Useless information (Score:3, Informative)
The lockdown doesn't work quite that way. No proof of identity is required to remove the lockdown (normally, at least). What is required is a specific code that's given out when the freeze is put in place and only to the party requesting the freeze. If the request for a report's accompanied by that code the report will be issued, otherwise the request is refused. Makes it very hard for an impersonator to override a freeze unless they were the ones who placed it, since if they didn't they wouldn't have gotte
Re:Useless information (Score:2)
You can already kinda do this (in the U.S., anyway). Just call the credit reporting agencies and have them place a fraud alert on your information. Anyone, or any business, requesting information on your credit or credit history will be denied access to that information until you specifically authorize it. As a side benefit, doing this also automatically removes your name from a pile of mailing lists.
Re:Useless information (Score:2)
This removes the profitability of identity theft. This one simple thing will solve it. Remove the profitability of identity theft and you solve the problem.
Stealing your CC numbers is a different matter and any good credit card company
Lenders are liable for ID theft, not victims (Score:5, Informative)
They wanted me to sign an affidavit. I told them I wan't signing anything, it wasn't my problem. I quoted the following from CHAP. 41, SUBCHAP VI, sections b and e of U.S. Code TITLE 15 which states:
(b) Burden of proof
In any action which involves a consumer's liability for an unauthorized electronic fund transfer, the burden of proof is upon the financial institution to show that the electronic fund transfer was authorized or, if the electronic fund transfer was unauthorized, then the burden of proof is upon the financial institution to establish that the conditions of liability set forth in subsection (a) of this section have been met, and, if the transfer was initiated after the effective date of section 1693c of this title, that the disclosures required to be made to the consumer under section 1693c(a)(1) and (2) of this title were in fact made in accordance with such section.
(e) Scope of liability
Except as provided in this section, a consumer incurs no liability from an unauthorized electronic fund transfer.
Anyway, they took care of everything after that. Including my credit rating.
Re:Lenders are liable for ID theft, not victims (Score:4, Insightful)
I told them I wan't signing anything, it wasn't my problem.
Isn't it great how they shift the problem to the consumer by calling it identity theft. They didn't steal your identity, they stole the credit card companies money by fooling them. They should call it credit company bamboozling, but that would make it sound like their problem instead of yours.
Postal Service (Score:2)
http://www.deutschepost.de/dpag?lang=de_DE&xmlFile =6394 [deutschepost.de]
http://www.usps.com/all/welcome.htm?from=homedoorw aybar&page=0019allproducts [usps.com]
The Y2K bug that cried wolf (Score:4, Interesting)
Now there's another need for technology improvement, in the area of data and network security. From a layman's standpoint, it looks like, "Hey, you need to spend a lot of money and increase the cost of doing business going forward, to prevent against a risk that may never come to pass." And even if the risk does come to pass, it's likely going to be a handful of victims, with little repercussion to the business whose lax security was the root cause.
We spent all that money on Y2K, and didn't get an obvious return on it. Why should we do that again? Interestingly, this belief surely exists at insurance companies - who are trying to get their clients to pay a regular fee to mitigate risks.
And, in truth, it's probably cheaper for these businesses to deal with clean-up costs after a few people are victimized than it is to spend proactively to protect everyone. It's like the automotive recall equation from Fight Club.
Whatever happened to private/public key? (Score:2, Interesting)
This is a genuine question--I don't know much about cryptography, so I'd w
Combatting Identity Theft (Score:2, Insightful)
Authentication in the wrong direction (Score:3, Insightful)
I've said it before, and I'll say it again: what the article speaks of won't help. Even if it's implemented perfectly and is utterly mathematically secure, it won't stop identity theft. That's because it doesn't address the largest hole in the system, the way most identity thieves steal your identity: authenticating the organization the user wants to talk to to the user. It doesn't matter how securely I can prove who I am to my bank, if Mister X out there can impersonate my bank to me he doesn't have to steal my credentials because I'll be giving them to him voluntarily (if unknowingly). The only way to stop this is for the bank to prove to me who it is before asking me to prove who I am.
This isn't even new. It's been long known that you don't trust the other end when they initiated the communication. If someone calls up saying you're late on your electric bill but if you want they can do a check over the phone if you'll just give them your bank account information, common wisdom is that you take note of this, hang up the phone, call the number on your electric bill for the power company's billing department and talk to them. You do that so that you know that you're in fact talking to the real power company before handing over details to them. Same thing for bills in the mail, if out of the blue you receive a bill saying you owe $BIGNUM on your car loan immediately and please send the check in the enclosed return envelope, you don't blindly use it until you've made sure it's to the same address as your regular loan-payment envelopes and you've confirmed with the lender that the bill's for real.
So why, when it comes to identity and security, is all the emphasis in electronic transactions on authenticating the user to the organization when in real life the first thing in a similar transaction is to authenticate the organization to the user?
marketing problem? (Score:2)
I think the banks, etc like to complain about fraud, and want to use the excuse to get control of MORE information from the customers, so they can make more money, and still allow law enforcement to try and make up for their unwillingness to miss out any profit that might otherwise educate their customers in the first place.
sp
IMPOSTER (Score:5, Funny)