Identity Theft and the Emperor's New Clothes

If someone stole my identity, what would they actually take? Technically they would have taken absolutely nothing. So what's all the big fuss about?

The UK Government's booboo last week drew more attention to the risks of Identity Theft. This data compromise contained names of individuals and their children, National Insurance numbers and bank account details. The loss of that data is not a concern in itself, but what can be done with that information is. The obvious theft opportunity would be to access the victim's accounts to withdraw cash, yet the more potent crimes are taking out loans and debts in the individual's name and, worst of all, committing crimes in the individual's name.

Numerous definitions of identity theft have been published (see Bibliography below), including those in which the thief obtains enough information about the victim to be able to borrow money, perhaps through an unsecured loan or, more seriously, by taking a mortgage out on the victim's property. Fraudsters go to extraordinary lengths to set up these scams, yet the ability to do this relies on the victim having a good enough credit score that the lender is prepared to make the loan.

Suppose for a minute that credit scores did not exist. If a fraudster could get hold of your personal details, what would they be able to do? They would still be able to access your accounts and steal money, and they could still commit crimes in your name, but taking a loan out in your name would be a lot more difficult - the lender would require direct validation, perhaps contacting your bank or other lenders for a reference. If we returned to an antiquated system such as this, convenience would decrease and costs would increase unacceptably. It appears that we may be stuck with centralized credit scoring and with it the possibility of identity-based loan fraud.

However, the web opens up new methods by which things can be done - distributed databases and the ability to aggregate data on-the-fly might allow for a decentralized credit scoring system. If a bank needed to assess the risk of a loan applicant and could not rely upon the centrally provided credit score, it would contact the other institutions that could vouch for the good standing of the applicant. It would first authenticate the individual with certainty via a biometric validation, then make a request to another institution, which would also need that validation code to ensure that the applicant was the same person as its account-holder. Upon confirmation, that institution would be able to confirm the reputation of the applicant. The lending bank would be able to make further enquiries with other institutions until it was able to fully assess the risk of the applicant - and now, all in near real-time.

This sounds a lot more complicated than the centralized scoring system that we have today, but because a fraudster would need to provide biometric validation at multiple points in the network (namely the lending bank and all institutions that provide a reference to that bank), the difficulty in perpetrating a fraud would increase. The distributed nature of the web and the availability of secure web-services will permit much of the complexity to be hidden from the user experience. This would mean that any organization wishing to participate in this scheme would have to be equipped with a biometric scanner. However, as recommended in the report on the UK National Identity Card and in US government recommendations on RealID, biometric authentication seems a likely part of governmental identification schemes.
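The reference exchange described above can be sketched as a small simulation. This is an added example, not part of the original post or of any real scheme: the `Institution` class, the `assess` function, the 64-bit integers standing in for biometric templates and the post's "validation code", and the match threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MATCH_THRESHOLD = 6  # assumption: max differing bits (of 64) still counted as a match

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

@dataclass
class Institution:
    name: str
    accounts: dict = field(default_factory=dict)  # holder -> (template, good standing)

    def enroll(self, holder: str, template: int, good_standing: bool) -> None:
        self.accounts[holder] = (template, good_standing)

    def reference(self, holder: str, sample: int) -> str:
        """Vouch only if the sample matches this institution's own enrolment."""
        record = self.accounts.get(holder)
        if record is None:
            return "unknown"
        template, good = record
        if hamming(template, sample) > MATCH_THRESHOLD:
            return "mismatch"  # details are right, the person presenting them is not
        return "good" if good else "bad"

def assess(holder: str, sample: int, referees: list, required: int = 2):
    """Lending bank: approve only on `required` independent good references."""
    answers = {r.name: r.reference(holder, sample) for r in referees}
    verdicts = list(answers.values())
    if "mismatch" in verdicts:
        return "reject-and-flag", answers  # likely impersonation
    if "bad" in verdicts:
        return "decline", answers
    decision = "approve" if verdicts.count("good") >= required else "refer"
    return decision, answers

# Constructed sample data: 64-bit integers stand in for biometric templates.
ENROLLED = 0x9F3C52A17710E4B8
GENUINE_SAMPLE = ENROLLED ^ 0b101                # same person, 2 noisy bits
IMPOSTOR_SAMPLE = ENROLLED ^ 0xFFFFFFFF00000000  # different person, 32 bits off
REFEREES = [Institution("Bank A"), Institution("Bank B"), Institution("Utility C")]
for inst in REFEREES:
    inst.enroll("A. Example", ENROLLED, good_standing=True)

if __name__ == "__main__":
    print(assess("A. Example", GENUINE_SAMPLE, REFEREES))
    print(assess("A. Example", IMPOSTOR_SAMPLE, REFEREES))
```

An applicant who holds the victim's name and account details but presents a different biometric gets a mismatch from every referee, so the loan is refused and flagged instead of resting on a single central score.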

I have documented how a federated identity scheme might work, which would provide a model for a distributed identity management system - this thinking is also shared at least in part by the Liberty Alliance and Ping Identity Corporation.

Bibliography

  1. Coming next... an even bigger database by NO2ID
  2. Digital identity: remember when it was about more than just security? from Javelin Strategy and Research
  3. HMRC apologises for data loss on Direct.Gov.uk (Nov 20, 2007)
  4. I was a victim of identity theft on BBC.co.uk (Mar 3, 2005)
  5. Dealing with Stolen Identity on CNN.com (May 27, 1999)
  6. Protect Yourself Against the Fraudster, a whitepaper by Johann Grennepois of Euristix
  7. About Credit Scores by Fair Isaac at myFico.com
  8. Technology Solutions and Tools for Identity Theft Protection published by the Liberty Alliance
  9. Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Proposed Rule from the US Department of Homeland Security
  10. Paoga - an answer to the Privacy Problem by Ben King at the Register.com (June 8th, 2005)
  11. Everything you never wanted to know about the UK ID Card by John Lettice at the Register.com (May 5, 2004)
  12. Towards Federated Identity Management by Andre Durand (Dec 9, 2002)
  13. 25 million UK citizens exposed to ID fraud by HMRC on Graham Sadd's Weblog

Definitions of ID Theft

Note

I would like to be able to access some of the Meeting Details, Papers and Minutes from the (UK) EURIM Working Group on Personal Identity, Data Sharing, Retention and Protection - but this requires special access - if someone would be able to help, I'd be grateful.


It does seem as though we should be able to circumvent ID theft by now. Isn't there a way to reset all crucial data? It does seem as though the government should be able to make it possible for a victim to recover from this.

We are all creatures of habit. Another safeguard against identity theft would be if credit card companies and banks, using our own spending profiles stored in their databases, triggered an alert for extra scrutiny when an unusual transaction is being requested. Several months ago, I received an automated phone call from a financial institution using these precautions. The call described the transaction they were skeptical about. They asked me to call an 800 number to verify the transaction or deny the charge. A recording answered, asked me a few questions, and offered the option to speak to a human if necessary. The entire process was very quick and painless, and actually reassuring. For once, I felt that the usually annoying voice system was a real asset. Perhaps we could even tell the banks or credit card companies what kind of transactions to question on our behalf.

This is an excellent concept that you have developed there to prevent Identity Theft. As a former senior auditor of a national bank and a professional software developer with 3 decades of experience I appreciate the completeness of your approach to security. It has been found that often the weakest point in security is at the software application layer. You have the right estimation of effort and the right path to addressing the problem.

I certainly have mixed feelings about this. While I understand completely the risks of this crime, I am not at ease with the notion of a governmental national ID card or any of the tracking they may sneak into it. New passports in the US clearly have tracking chips in them already, and the current government is far from trustworthy. I just don't see how any remnant of privacy can exist in a centralized system.

But the problem has to be addressed somehow. I was teaching in a healthcare program and one of the MDs on staff got a call at lunch one day from a local hospital asking her to pay her rather huge outstanding bill. She had never been a patient there and at our urging asked to have a fax of the ID that had been presented sent to her. It was a very real looking driver's license with her name, address and everything except the picture correct. She sent back a copy of her real license and the school sent a verification file with her other identification, med school diploma and passport pictures.

Then she had to go through the whole police report, bank report and on and on. The imposter was caught on their next hospital visit and arrested, but it took more than three years to straighten out her credit reports. She was from another country originally and had never even heard of identity theft until we explained it to her.

Still, how would your proposal protect privacy, if at all?

I knew a man who had his identity stolen once. Though the perpetrator had done nothing as far as lending went, he did withdraw large sums of money from the bank. What really had us worried, however, was that he was committing other crimes under his new identity - nobody knew.

I had my identity stolen in 1999. I was pickpocketed, noticed within minutes of it happening, and immediately closed all my credit cards and notified my bank. I had never heard of the 3 U.S. credit reporting bureaus (Experian, TransUnion, Equifax). Back then, identity theft wasn't in the news, and you couldn't even get your credit score if you wanted.

Then in 2000, I moved to California, joined a Credit Union and tried to get a credit card. Answer? Sorry, you have 3 credit collection agencies after you.

Turns out, my Red Cross blood donor card in my wallet had my social security number on it. The thieves opened up multiple phone accounts in my name, and ran up thousands of dollars of calls on it. The phone company refused to talk to me since they had already sold my account to these collection agencies. They had no explanation why they would open up multiple phone accounts in my name even though I had one valid account with them already. You'd think they'd call you at the original account to confirm. But no.

It took me 6 months of almost daily work on repairing the problem. I even had to fly back to Chicago to fill out a police report. Everyone treated me like I was the criminal, trying to play the system. It was absolute misery, very stressful, and quite expensive.

I now have learned my lesson - I generally refuse to give up my social security number. I keep a vigilant eye on my credit reports. When I get phone services, I request from the phone company that my account cannot be changed or added to without confirmation from me in writing. (They are set up to do this, to prevent slamming.)

If this ever happens to you, you have to be aggressive, vigilant, knowledgeable, and your own best champion.

I also lived in the UK for 3 years, and I was so shocked and impressed at how much more secure the banking system was. It took me ages to finally be allowed to open a bank account. (You need a bank account to get an apartment, but you need proof of your apartment to get a bank account.)

Although the loss of this data is inexcusable (why in the world would 1/2 the nation's population need to be carried around???!), I hope it didn't fall into nefarious hands.

I was a victim of identity theft; my debit card number was stolen. Online purchases were made, but I was able to get my money back from my bank as there were red flags. This was great. It sucked at first, but if you have a good bank then I think it is not as bad as it could be. I am sure it has been worse for some, but my personal experience was not bad.
