The real problem in ID theft

In “Reckoning day for ChoicePoint,” Rich Stiennon writes:

The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution to the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and overextended borrowers.

He’s right. The players at the heart of identity theft in the U.S. are the credit bureaus. But what they’ve done is more than just create a system which is prone to identity theft. Let’s review how the credit bureaus work. They serve businesses by selling information about creditworthiness. Their customers (businesses extending credit) are happy to charge higher rates to people with poor credit, so there is little incentive for the business or the bureau to eliminate errors from the credit data. Worse, as the problem of identity theft becomes more widespread, the credit agencies can sell “credit monitoring” services to consumers and “enhanced authentication” to businesses and make even more money.

The credit agencies now run TV commercials touting credit monitoring, threatening people with identity theft. They don’t quite say “nice credit score you’ve got there. Shame if we were to do something to it,” but they come close.

Small wonder it’s hard to address the problem.

Rich closes:

I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.

I think it would be simpler to remove their exemption from libel law. The credit agencies share default data just fine. They should have to share remedial data as well, or be accountable for the costs which they impose by their negligence.

Damn You, Beaker!

Yesterday Hoff blogged about McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security” and added ten more of his own. I’m particularly annoyed at him for #4:
Awareness initiatives are good for sexual harassment and copier training, not security.
Why? Because, damn, that really sums it up. I wish that I had thought of this one myself. As I’ve said in the past, I think that awareness training is way underappreciated in security, and Chris just had to go and be far more eloquent in one sentence than I was in several paragraphs. Hey Chris, mind if I steal this?

US Banks Rated for Identity Theft

Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution.
Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed decisions about with whom to do business. In an earlier paper, he argued that banks should publicly disclose identity theft statistics.
From the current paper’s abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is an area fraught with methodological challenges, many of which are due to data that is sparse (or, as I have intimated with regard to ID Analytics, for example, proprietary). Chris’ paper simultaneously shows what can be done with what we have, and why we’d be better off if we had more.

Saying it loud — OpenID leads to phishing


Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly:

OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become.

There you have it.

It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, “Welcome to <insert-name-here>, now go home.”

As a Mac user, I am often asked whether someone should switch to a Mac because it’s more secure. My response is that the only reason a Mac is more secure than a PC is that it’s only people like me who use them. As soon as hordes of people start using them, they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don’t think you should switch to a Mac because it’s more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It’s Open Source! (Cue sounds of angels singing.) People tell me it’s really nice. And I hate Leopard.

Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.

OpenID is similar in that it’s a safe neighborhood because people like me don’t go there. Once enough people like me start going there, it’s not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.

I am happy to help keep OpenID secure by not using it. I’ve already written about what I think is better.

What I find amusing about Cameron’s epiphany is his solution for the problem. He thinks that OpenID should become part of InfoCardSpace, and thus shipped with Windows.

There’s a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I’ll not make it. I’ll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.

I am again using the photo “Trunk ‘n Branches” by slightly-less-random because it is the only image in Flickr that comes back from the search of “cardspace phishing” and one of two for “openid phishing.”

Not Dead Yet


Dan Solove has an interesting article up, “Coming Back from the Dead.” It’s about people who are marked dead by the Social Security Administration and the living hell their lives become.

Dan starts with quotes from the WSMV News story, “Government Still Declares Living Woman Dead”:

According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there’s no end to the complications the situation creates.

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.

I’d propose a different solution: libel law. These organizations are making false and defamatory statements about people. They should be held accountable, under existing law.

I’ve been discussing libel and the credit agencies for years, in posts like “Because That’s Where The Money is: Ethan Leib’s ID Theft” or “Government Issued Data and Privacy Law.” I’ve yet to hear why libel law isn’t a reasonable and easy approach to the problem. As Nick Szabo comments in “The Discovery of Law,” “common law is a painstaking way of discovering and making better law, case by case, dispute by dispute, piece of evidence by piece of evidence.” I’m not calling for a broad overhaul. I think that a common law approach to libel law would likely address many of our issues with the way data flows between organizations.

More airport security toys

“Let’s play ‘airport security’,” says Foreign Policy. It’s like playing Doctor, only with latex gloves and inappropriate touching.

In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we’ve developed a new play and learning toy and resource web site to promote and educate security procedures.

It’s not really clear who “we” refers to here. The site, operationcheckpoint.com, also refers to “SampleRewards.com.” That sounds like the sort of pliable marketing channel that will sell anything for a buck, so maybe they’re not really the ones behind this thing. OperationCheckpoint has four different names on a single landing page (OperationCheckpoint, SampleRewards.com, Wizard Industries and Product Exposure Services). If only we had ID for the forces of evil. Maybe these guys could carry sample National ID cards, and kids’ tattoo guns, too.

Previously, “From the mouths of toymakers.”

Dubai banks hiring hackers (no word on if a drug test is needed)

Dubai, as Adam pointed out, is in something of a branding quandary. A hard line – some would say a retrograde and counterproductive line – on victimless crime doesn’t mix well with an image as a fun spot for the well-heeled.
Meanwhile, there’s this (from Emirates Business 24-7, retrieved 2/21/2008):

Dubai-based banks are recruiting former hackers to shore up their information security systems, said an information technology expert.
Addel Wahab Ahmed Mostafa, an IT consultant and chief of the technical committee at information company UAE Data Warehouse PM, said banks were hiring hackers in a bid to stay one step ahead of potential breaches.
Most of the big organisations are employing ex-hackers.
In Dubai banks are hiring hackers to protect themselves because how else do you protect yourself from hackers?
You must figure out the measures they use and use them yourself.
He said 60 per cent of hacking originated inside organisations or was carried out by former employees.

(emphasis mine)
I see a mixed message being sent here. And by the way, from the tone of the article it is clear that “ex-hacker” doesn’t mean “broke the law ten years ago,” so let’s not start that flame war.