Mitigating identity theft

March 2006 Products & Solutions

Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person's name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions - credit card companies in particular - the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.

Unfortunately, the solutions being proposed in Congress will not help. To see why, we need to start with the basics. The very term `identity theft' is an oxymoron. Identity is not a possession that can be acquired or lost; it is not a thing at all. Someone's identity is the one thing about a person that cannot be stolen.

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim's name. He impersonates a victim to the Post Office and gets the victim's address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No-one's identity is stolen; identity information is being misused to commit fraud.

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we do not want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.

The second issue is the ease with which a criminal can use personal data to commit fraud. It does not take much personal information to apply for a credit card in someone else's name. It does not take much to submit fraudulent bank transactions in someone else's name. It is surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.

Proposed fixes tend to concentrate on the first issue - making personal data harder to steal - whereas the real problem is the second. If we are ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution cannot involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaux based on fraudulent transactions.

They cannot claim that the user must keep his password secure or his machine virus free. They cannot require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those are not reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.

If you think this will not work, look at credit cards. In the US, credit card companies are liable for all but the first $50 of fraudulent transactions. They are not hurting for business; and they are not drowning in fraud, either. They have developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They have pushed most of the actual costs onto the merchants. And almost no security focuses on trying to authenticate the cardholder.

That is an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it is two-factor authentication, ID cards, biometrics, or whatever, there is a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realise that authenticating the person is not the way to proceed.

Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone, or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They do not demand that cardholders secure their wallets in any particular way. Credit card companies simply do not worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.

This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I do not know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions. Maybe there will be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form. Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we will never know until the financial institutions have the financial incentive to put them in place.

Right now, the economic incentives result in financial institutions that are so eager to allow transactions - new credit cards, cash transfers, whatever - that they are not paying enough attention to fraudulent transactions. They have pushed the costs for fraud onto the merchants. But if they are liable for losses and damages to legitimate users, they will pay more attention. And they will mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimise the harm caused by third-party data and violations of privacy. I believe that the US would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.

Doing anything less simply will not work.

Bruce Schneier is the founder and CTO of Counterpane Internet Security. He can be contacted at schneier@counterpane.com. To subscribe to a free monthly newsletter providing summaries, analyses, insights and commentaries on security: computer and otherwise, visit http://www.schneier.com/crypto-gram.html





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Glide Master Bi-Folding Speedgate
BoomGate Systems Products & Solutions
Boomgate has introduced its Glide Master Bi-Folding Speedgate, engineered with durability in mind to meet the demands of high-security environments while maintaining a compact form factor.

Read more...
Perimeter security enclosures
Mimic Components Products & Solutions
Mimic Components specialises in providing perimeter solutions with its robust Alutech aluminium wall-mount enclosures and Mosaic Mimic panels, custom-designed to visually represent perimeter fencing.

Read more...
From wireless alarms to smart homes
Elvey Security Technologies Perimeter Security, Alarms & Intruder Detection Products & Solutions
The final brand SMART Security Solutions features in its discussions with companies operating in South and southern Africa’s detection and alerting technologies market is DSC, distributed in the region by Elvey Security Technologies.

Read more...
The AX Hybrid PRO Series offers reliable wired and wireless protection
Hikvision South Africa Editor's Choice Perimeter Security, Alarms & Intruder Detection Products & Solutions
Hikvision has announced the launch of a new AX Hybrid PRO alarm system with innovative Hikvision ‘Speed-X’ transmission technology. This system offers reliable wired protection while delivering expanded flexibility with seamless wireless integration.

Read more...
Advanced Perimeter Intrusion Detection Systems
XtraVision OPTEX Technews Publishing Modular Communications Perimeter Security, Alarms & Intruder Detection Integrated Solutions Products & Solutions
Making full use of fibre installations around the perimeter by adding Perimeter Intrusion Detection Systems means you can easily add another layer of security to existing surveillance and fencing systems.

Read more...
Smart intercoms are transforming access control
Access Control & Identity Management Products & Solutions
Smart intercoms have emerged as a pivotal tool in modern access control. They provide a seamless and secure way to manage entry points without the need for traditional security guards to validate visitors before granting them access.

Read more...
Explosion-protected network horn speaker
Axis Communications SA Products & Solutions
Axis launched the world’s first explosion-protected thermometric camera specifically designed for Zone/Division 2, and its first Zone/Division 1 explosion-protected network horn speaker.

Read more...
Western Digital reveals new solutions
WD South Africa Products & Solutions News & Events Infrastructure
Western Digital unveiled new solutions and technology demonstrations at the Future of Memory and Storage Conference 2024. The innovations cater to diverse market segments, from hyperscale cloud to automotive and consumer storage.

Read more...
Supercharge surveillance with AXIS Camera Station Pro
Surveillance Products & Solutions
Designed to put efficient surveillance at users’ fingertips with an intuitive interface that is easy to operate, AXIS Camera Station Pro 6.2 provides a customisable video management and access control solution for companies of all sizes.

Read more...
The Duxbury Services Gateway revolutionises the Edge
Products & Solutions Infrastructure
Duxbury Networking has announced the launch of the Duxbury Services Gateway (DSG) range. These cost-effective edge compute appliances are designed to meet the diverse needs of South African businesses including SD-WAN, Firewall, and IP PBX applications.

Read more...