Category Archives: ID Theft

Social Security Numbers are Worthless as Authenticators

Posted on by

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.

The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an “architecture of vulnerability” around personal digital information, the researchers said.

“My hope is that publishing these results may open a window of opportunity, so to say, to finally take action,” Mr. Acquisti said. “That S.S.N.’s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.”

So reports John Markoff in “Social Security Numbering System Vulnerable to Fraud.”

We’ve all known for a long time that the SSN makes a godawful authenticator. And now Alessandro Acquisti and Ralph Gross have put a final nail in the coffin for anyone using the SSN as an authenticator. I would really hate to be on the witness stand defending a decision to let anyone authenticate to my business with “the last four” because “everyone else is doing it.” Now is the time to go to management and talk to them about improving things.

My favorite response is from the Social Security Administration, “There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide:”

For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier.

Ahh, decades of advice. How’s that working out for you guys? I’m sure if you tell everyone just once more, they’ll listen. For the rest of you: not getting going on a fix now will turn out to be career limiting.

Publius Outed

Posted on by

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelen, so Whelen lashed out at Publius. Or so it seems from the nosebleed bleachers I sit in.

I suppose Publius isn’t completely blameless, but the only thing I’d criticize him for is his taste in names. “John J” would have been cuter, and heck why not just use “Jim Madison”?

However, the particulars aren’t really important. What’s important is the issues of pseudonymity, and so on. So I will move on to those.

Let’s get something straight from the start: pseudonymity and anonymity are not the same thing. I feel like it shouldn’t need constant repeating, but hey, if law professors can’t get it right, how can we expect other people to get it right? A pseudonym is an identity. It is an identity that is earned, because you don’t get to use any of your previous reputation. You’re starting from zero, especially when blogging.

There are many reasons people use a pseudonym. Publius did it because he’s a reasonably young law professor and has heard that there can be tenure issues for controversial blogging.

Maybe. If what you write isn’t very good, there’s a low cost to it, personally. But if what you write is good, then ironically, being known to be a pseudonym is better than the pseudonym itself. Mark Twain, Voltaire, and are better known than their so-called real names. Think of all the great actors and musicians who are known far better by their stage names.

This is why outing a pseudonym is a two-edged sword. It will likely irk the person using a pseudonym, but it’s less likely to hurt them, especially if they’re reasonably good. John Blevins is probably not going to have tenure problems, especially now that Whelan outed him. Ironically, he’s probably better off for having been outed than not and part of that is who outed him.

Well-known personages who are irked by pseudonymous writers may think they’re being attacked by some anonymous little nobody who is hiding, but no, they’re being attacked by an identity that’s just not easily tied to some SSN. The power relationship is such that the better-known person is unlikely to look good. Whelan certainly hasn’t come out on top on this one. While pseudonymity is somewhat controversial, it cuts across political lines and some of the most thoughtful criticism of Whelan comes from his admirers. And in the future, everyone in the law biz who remembers Publius will think better of Blevins. We human beings do that; that’s why the old movie star’s dictum about publicity is, “spell my name right.”

In other cases, the pseudonym still wins. Dan Lyons wasn’t hurt by being outed as Fake Steve Jobs. Joe Klein wasn’t hurt by being shown to be Anonymous. Juan Non-Volokh was probably helped by being outed, too, and Prof. Brian Leiter, who outed him, probably suffered in his reputation.

This is perhaps, I think the most important point, as it’s simply practical. If a pseudonym ticks you off, you’re better off letting them stew in their own juices. The better known a pseudonym is, the better it is for the author to be known as the pseudonym.

There are exceptions to this, of course. If Publius were a politically conservative professor blogging out his inner liberal, there’d be a hypocrisy issue that would hurt him, but it doesn’t make it any more right. Thoughtful people who out hypocrites usually talk about the outing being necessary despite it being questionable.

Nonetheless, an important lesson to this is that as Feedie said, outing a nym is “a matter of basic decency” and “unworthy of someone with [his] impeccable professional credentials”.

The Identity Divide and the Identity Archepelago

Posted on by

(I’d meant to post this in June. Oops! Chaos reigns!)

Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, in essence and aim, an infrastructure of control. Even so, I didn’t realize how far it had gone as a tool of compliance enforcement.

There’s more to say than I can get into this blog post. Short form: go read it. Slightly longer form:

There are lots of details that are just great. For examples:

“The More ID checks in society, the more ID theft matters.” (page 11)

In a discussion of a 2005 deficit reduction act attempt to reduce medicaid fraud: “A GAO study instead found that the major effects of the program were higher administrative costs …and denial of medical benefits to eligible US citizens” (page 14)

“In addition, some state will not issue a state ID until a person has caught up on all outstanding payments due the staet, including traffic fines and child support payments. As ID requirements spread, persons who cannot afford to make all such payments may be denied the right to vote, to receive health insurance, or to become lawfully employed.” (page 16)

“…independent reviews of the E-Verify program have found that employers engage in prohibited employment practices…” (page 18)

My copy of this report is covered in markup, about “the computer is always right,” about linkability, about data shadows. In fact, about the only thing I don’t like is the title. I don’t think this is a divide, I think that identity has become an archepelago, a la the Soviet Gulag system.

In the preface to The Gulag Archepelago, Solzhenitsyn wrote:

And this archipelago crisscrossed and patterned that other country
within which it was located, like a giant patchwork, cutting into its
cities, hovering over its streets. Yet there were many who did not
even guess at its presence, and many, many others who had heard
something vague.

I think the argipelago is a better metaphor than a divide. A divide
exists, and most of us exist on one side of it. But the identity
archipelago! At a moments notice, we can be thrust onto its other
side. A phone call, a letter, and our identity’s connection to the
machine is broken. Our data shadow has sinned, and we are cast into
the archipelago, forced to learn its ways.

In conversation, Peter has said that the Gulag analogy is too over-used, which is a shame. Maybe identity is more like an accident–you’re driving along and 35 and boom, you wake up in the hospital. Maybe it’s more like a vase, dropped and you’re cutting yourself picking up the shards. What’s the right description for the fragile system we have where people get violently yanked into the nightmares?

[Comments have been closed because of a flood of spam against this single entry.]

New ID Theft Research And Blog For Debix

Posted on by

id-theft-frame.jpg
Adam and I have discussed Debix several times in the past, so it will come as no surprise, that I am again posting about them.
Debix now has a blog, which will be covering issues around identity theft, breaches and privacy.
Debix also released a new research study examining child identity theft. The most recent blog post, contains some highlights from the study, including that one in twenty people (or one in every classroom) suffers from some sort of compromise to their identity before they reach their maturity with an average of over $12K in fraudulent debt assigned to their names.
As the post says:

Kids are a great target for identity theft, because the younger you target them, the longer you have before it is likely that the act will be discovered and as a result the corresponding amount of fraud that is committed prior to discover is significantly higher with minors than with adults.

Check out the post and the full research study for much more detailed information.
[Image is identity-theft-2 from j_lovefool on flickr]

Write Keyloggers Professionally!

Posted on by

keylogger.jpg

GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

Description:
The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B install the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystrokes that the person B is doing on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

That’s an address I haven’t used in a very long time.

Posted on by

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade ago. I’ve been meaning to call BNY and ask questions, but haven’t had time.

The letter is dated June 9, regarding a February 27th loss by Archive Systems, Inc. The three-plus month delay annoys me. Archive Systems isn’t named in the letter. I had to look at Data breach at New York bank possibly affecting hundreds of thousands of CT consumers to discover that.

The signup experience for the “Triple Alert Monitoring” from Experian was not awful, but it was pretty poor. It demanded lots of personal information, wasn’t clear how it was going to be used. Experian stuffed a long terms and conditions into a three line at a time scroll box, clearly indicating that they don’t expect anyone to read it. Their web site silently relied on Javascript, and it wasn’t at all clear how long I’m enrolled for. I have little doubt I’ll start getting renewal notices in three months.

Incidentally, I’ve Been Mugged has a review of Triple Alert.

On Gaming Security

Posted on by

Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens.

Since I have the ability to comment here, I shall.

This isn’t the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues.

It’s been a year or so since I read on El Reg that on the black market, a credit card number sells for (as I remember) £5, but a WoW account sells for £7. I would look up the exact reference, but I’m not in the mood. Your search skills are likely as good as mine.

The exact reasons for this are a bit of a mystery, but there are some non-mysterious ones. There is a black market for WoW gold and (to a lesser extent) artifacts. That black market is shuddering because Blizzard has done a lot to crack down on it. (Blizzard’s countermeasures are one main reason that the artifact market is low. Most artifacts become bound to one character when used, and so are not transferrable and so are not salable.) Nonetheless, many WoW players have gold in their pockets that would sell for hundreds to thousands of dollars on this black market.

(If you think from this, that WoW can be a profitable hobby, think again. That many players have gold worth some real change says more about the time they have spent playing than anything else. If you live in a first-world country, you can earn far more flipping burgers than playing WoW. It is only if you are in a third-world country that WoW is a reasonable career choice.)

This means that by putting a keylogger on someone’s system, you can steal a pretty penny from them and sell it on the black market. A not-insignificant number of WoW players have logged into their accounts to find their characters naked and penniless. However, there’s an interesting twist on this. Blizzard can and does restore the lost gold and items.

Presumably, Blizzard has a transaction log and can rewind it. However, this is work for them and annoyance for the victim. Two-factor authentication will lower Blizzard’s costs but fear of robbery is high enough among the players that they’re snapping these things up and are willing to pay for them.

Bank customers rightly think that increased security is something that the bank should pay for. So in the banking world, the cost-benefit calculation of two-factor authentication is complex. In the gaming world, it’s pretty straightforward. Since Blizzard can shift the cost of the device to the customer base, it’s easier to justify.

UK Passport Photos?

Posted on by

UK-Passport-Eye.jpg

2008 and UK passport photos now have the left eye ‘removed’ to be stored on a biometric database by the government. It’s a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could.

Really? This is a really creepy image. Does anyone know if this is for real, and if so, where we can read more?

Photo: Alan Cleaver2000

Identity Theft is more than Fraud By Impersonation

Posted on by

gossip.jpgIn “The Pros and Cons of LifeLock,” Bruce Schneier writes:

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn’t work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry’s lobbyists would never allow that.

There’s a type of security expert who likes to sigh and assert that ID theft is simply a clever name for impersonation. I used to be one of them. More recently, I’ve found that it often leads to incorrect or incomplete thinking like the above.

The real problem of ID theft is not the impersonation: the bank eats that, although we pay eventually. The real problem is that one’s “good name” is now controlled by the credit bureaus. The pain of ID theft is not that you have to deal with one bad loan, it’s how the claims about that bad loan haunt you through a shadowy network of unaccountable bureaucracies who libel you for years, and treat you like a liar when you try to clear up the problem.

So there’s a third way to deal with identity theft: make the various reporting agencies responsible for their words and the impact of those words. Align the law and their responsibilities with the reality of how their services are used.

I’ve talked about this before, in “The real problem in ID theft,” and Mordaxus has talked about “What Congress Can Do To Prevent Identity Theft.”

Debix Publishes Data on Identity Theft

Posted on by

identity-theft.jpg
Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed though the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud rate (380 attempts out of 30,618 authorizations). This is well in-line with the 1.05% fraud rate for new bank accounts. Now as I’ve mention in the past, one of the cool things about Debix is that if you are a subscriber, then all credit requests have to be authorized by you. As a result all 380 fraud attempts were correctly identified as such and were blocked. Pretty damn cool eh? I highly encourage you to read the report as it has lots of other interesting data in it, including some interesting ways in which your identity can be stolen even if you have a fraud report set on your accounts (hint: interesting things can happen if you have have a spouse and they don’t have fraud reports set.)
[Image is Identity Theft!! by Else Madsen]