Pete Rowley

Over the last few months there have been a number of highly publicized thefts of databases containing the identity data for thousands of people, in some cases in millions. To some this might give the impression that the problem is getting worse quickly. Well I suppose that is part of the story, but a greater factor in this is that until recently these thefts were simply kept under wraps. What you don’t know can’t be raised in your defence. One might suppose that this change of heart in reporting these thefts is due to some realization that it is the right thing to do. But no, actually it has more to do with newly enacted state laws requiring that people be informed when their data has been stolen or may have been stolen, and no doubt companies in states without those laws consider reporting thefts in order to prevent new laws. My question is, do these laws go far enough?

In the wake of the Enron scandal public companies have been required to, among other things, enforce and monitor much stricter rules governing access to data and reporting of that access. That is data pertinent to the running of the business. The focus of the rules are to protect shareholders who have a financial stake in the company. But what about the members of the public who have their data compiled into these vast databases without any say so or control? What protections do they have? I dont believe it is enough to force reporting of stolen identity data, embarressing though it may be. Without responsibility the report merely equates to “You’re screwed, sucks to be you.” If you have any doubt that that is all it amounts to then consider these facts that can be accessed at Identity Theft Resource Center:

1. Victims now spend an average of 600 hours recovering from this crime, often over a period of years. Three years ago the average was 175 hours of time*, representing an increase of about 2470%.

2. Based on 600 hours times the indicated victim wages, this equals nearly $16,000 in lost potential or realized income.

3. While victims are finding out about the crime more quickly, it is taking far longer than ever before to clear their records and recover from the situation.

4. Even after the thief stops using the information, victims struggle with the impact of identity theft. That might include increased insurance or credit card fees, inability to find a job, higher interest rates and battling collection agencies and issuers who refuse to clear records despite substantiating evidence of the crime. This “tail” may continue for more than 10 years after the crime was first discovered.

5. Based on the ITRC study, today the business community loses between $40,000 - $92,000 per name in fraudulent charges, based on reported fraud losses seen by surveyed victims. While this conflicts with other findings by other groups, there was a wide range of responses by the ITRC study respondents. The answer is that we may never know the true financial impact of this crime due to mis-classification of identity theft crime definitions by the business community and by victims.

6. The emotional impact on victims is likened to that felt by victims of more violent crime, including rape, violent assault and repeated battering. Some victims feel dirty, defiled, ashamed and embarrassed, and undeserving of assistance. Others report a split with a significant other or spouse and of being unsupported by family members.

7. Today victims spend an average of $1,400 in out-of-pocket expenses, an increase of 85% from years past.

8. Approximately 85% of victims found out about the crime due to an adverse situation - denied credit or employment, notification by police or collection agencies, receipt of credit cards or bills never ordered, etc. Only 15% found out through a positive action taken by a business group that verified a submitted application or a reported change of address.

9. Victims report a lack of responsiveness from those entities to whom they turned for help similar to results reported in 2000*. These include police, collection agencies, credit issuers, utility companies and financial institutions.

Sucks to be you.

Under these rules, which have only been in force for a few years I have been notified 3 times that my data may have been stolen. In each case my recompence was a free year long subscription for monthly credit activity reports. I guess that does mean I get to know it sucks to be me potentially much sooner, but well, it would still suck to be me. There is no element of finacial responsibility attached to the database compilers lack of adequate security. The reason is really quite simple - it’s no skin off their nose if I go under at the hands of identity thieves. Well, the only way that can be changed is by law.

I’m talking about the kind of responsibility that business understands - fiscal. How about a scheme like this: next time an employee of your company thinks it is a good idea to carry your entire database of identity data around on a laptop that subsequently gets stolen, your company is obliged to foot the bill for any and all identity related fraud, including all incidental costs, for all the people with information in the database for say, the next five years. Of course, given that the details have been stolen, it would be that companies burden to prove in any one case that it was not their leak that resulted in the crime. With something like that in place you better believe those who safe guard the data will be paying a lot more attention to the guarding part than simply the compiling part. I should imagine that there would be some motivation to also stop relying on the pathetically idiotic proofs of identity in common use now, such as social security numbers and the like.

At the end of the day, if the costs incurred by the victims of stolen identity data, both fiscal and in pure inconvenience, are never accounted for then as history shows us, there is insufficient motivation to treat the data with the care that the public deserves. It’s time to make those who profit from data accumulation pay for the cost of the breaches. Make it a cost of doing business, not a cost of living.

In Why Johnny Can’t Authenticate Ben Laurie makes the point that:

I often hear it argued that using something better than passwords will fix the problem, for example, public/private key pairs. There’s actually two fundamental reasons why this ain’t so…

• So long as its possible for users to recover from losing their keys (or passwords, or whatever it is they use to authenticate) in a way that can be imitated by phishers, they will not be helped by these protocols. Phishers currently concentrate on getting people’s passwords simply because that’s the low-hanging fruit. Pluck that fruit and they’ll move on to recovery (which obviously cannot use anything the user can’t hold in their head).
• Computers aren’t secure and users can’t be trusted to make good decisions about what to run. Start using public/private key pairs and they’ll be stolen by viruses and worms instead of fake websites and spam. Indeed, trojans that log keys in order to steal passwords already exist.

This perfectly reasonable opinion really speaks to the current state of affairs. It is war out there and right now the phishers are winning. But I wonder if it really is an unwinnable war, or whether the current state of the art is simply too bogged down in its own dogma to see passed it. In the end no single thing will save us from the phishers since there are just too many angles of attack. However I would like to think that a combination of technologies and user training through good rituals will make phishing a long shot so long that it is not worth the risk of the attempt. I do wish our banks would help out by using what is available now though.

I was dismayed to find this advertisement on technorati, I do hope Doc gets a good price :)

Looking for Doc Searls?
Low prices, wide selection. Find exactly what you want today. www.ebay.com

Robin Wilton raises the question: Is “user-centricity” the answer to identity fraud?

Which is of course an intriguing question. To which he answers with another question “can you envisage a case where the user has that degree of control, and yet businesses still shoulder 90% of the cost of identity theft?”, and an answer with conclusion:

“I can‘t. This suggests two factors which weigh heavily in favour of the status quo

- the lack of incentive for users to bear added responsibility, as long as someone else is picking up the cost of the current approach;

- the difficulty of raising the awareness and competence of every user and citizen, as data custodians, relative to achieving the equivalent rise in awareness and competence among existing data custodians. Not that I‘m suggesting the latter is ‘easy‘ either!”

Well that is good news for the status quo I suppose if you believe the reasoning. I don’t. Before we get to users shouldering anything, let us step back and look at the problem, the real problem. First, when we talk of identity theft, are we really talking about identity theft, or are we referring to that old chestnut fraud. I posit that stealing my identity is close to impossible, but impersonating me might be a whole lot easier. That is an important distinction, because the line of reasoning that starts with identity theft invariably ends with some kind of responsibility being placed on the person whose identity has, supposedly, been stolen. However, replacing the term “identity theft” with the word “impersonation” makes that whole line of reasoning much harder to make. The reason is that impersonation is an interaction that takes place wholly between a fraudster and a victim without any interaction with the person being impersonated - they are in fact an innocent bystander in the process. There is no theft but the fruits of the successful fraud.

And what of that fruit? Current reasoning du jour says that the “identity theft” victim’s account has been compromised, and the “identity theft” victims money has been stolen. Again, this is simply smoke and mirrors. The account compromised is an administrative convenience of the financial entity, and the money that is stolen has clearly been stolen from that financial entity. With the current protections and identity solutions in place this is already the case. This may go some way to explaining the generosity of these businesses who “shoulder 90% of the cost of identity theft.”

It is not the consumer that creates the security procedures, and therefore they cannot be held liable for their failings. So, it really does not matter where identity information is stored, it is a problem for the enterprise alone to protect its own assets. It is the responsibility of the enterprise alone to put in place adequate protections to ensure that those assets are not easily compromised. This is orthoganal to where identity data is stored. The fact is, security for financial transactions is currently lacking across the board because there is an inherent reliance on relatively easily obtainable data. That is, easily obtainable at the point of transaction. A replay attack is trivial since any one transaction gives sufficient information to make another!

I’d say the current situation might indicate that the status quo isn’t adequate, perhaps in both the financial and identity spaces.