March 10, 2005

Identity Theft exists because Identity is Valuable

Security writer Bruce Schneier said recently:

"Every credential has been forged. As you make a credential more valuable, there is more impetus to forge it. The reason identity theft is so nasty now is that your identity is so much more valuable than it used to be. By putting in the infrastructure, we have made the crime more common. That's scary."

In further good news for the economic analysis of security, he goes on to say:

"... ID theft will only be solved when banks are given responsibility to prevent it. "As soon as it becomes the banks' problem, it will be solved. The entity that is responsible for the risk will mitigate the risk."

To which I demur somewhat. The banks already took on that risk and passed it on to consumers. Bouncing it back to banks will simply encourage them to bounce it back again.

Far better to empower the individuals to look after and protect their own identity. We can do this quite successfully and quite easily - more easily than alternates - by simply reducing the identity in the infrastructure. (If you don't like my work in this area, have a look at Stefan's work or the capabilities crowd.)

But, the dangerous misperception that "identity equals security" is so deeply embedded in the minds of, well, most everyone, statistically, that these efforts are stalled. What do we need to overcome this? A disaster? A revolution?

Posted by iang at March 10, 2005 10:08 AM | TrackBack
Comments

We need a few thousand years of evolution. Trusting people, and being able to punish them, is inherent to the way successful people have thought for a long time. The abstractions which make sense for today's world are not instinctive, and cause a rush of worry for a great many people.

Posted by: Adam Shostack at March 10, 2005 12:52 PM

The problem isn't with identity; it's with a system where knowing someone's social security number and a few other facts is taken to mean that they are that person! And the people who make this determination, the banks, risk no penalties by doing so. Credit card fraud is paid by merchants, not banks, in any "card not present" transaction, which is how most identity theft is carried out.

There's nothing the end user can do about this. It's the banks granting credit in his name, based on easily falsified information, who are causing the trouble. Until we put liability on the banks, the problem won't get solved.

It's like the difference between ATM theft liability in the U.S. vs the U.K. In the U.S. it is the banks who are liable, and as a result they have been ahead of the curve in putting in security measures. The U.K. lagged behind because the customer was assumed to be at fault. Contrary to your prediction, the banks in the U.S. did not "bounce the risk" to the customers. They worked on technological measures to solve the problem.

If banks who issue credit cards to identity fraudsters were liable for the charges they ran up, you can bet that there would be a lot fewer credit cards issued. This would be a hardship for some people who want and need credit; they might have to go through a more extensive identity verification process. But it would largely eliminate an identity fraud problem which is otherwise only going to get worse.

Posted by: Cypherpunk at March 10, 2005 02:28 PM

The trick is to have many ids that you choose to use . Fake id is the real prize because trusting any government is foolish. You must strive to have at least twenty ids that are valid. This use of mulitple ids makes any standard worthless. By keeping the society guessing who you are they are required to determine your authentic nature each and every time they extend trust. Yes each and every time because this causes one to think and thinking is very important flying around on auto pilot is dangerous. In the world of transactions it is the auto pilot assumptions of extending credit that cause collaspe. Monitoring a frequent client is always a good standard, why really trust what cannot be proven. So people should be asked to find many id and demand several for purposes of their own. Ye private ids issued by people for their own purposes and the law should respite these types of demands since they impose them on people at will themselves.

Posted by: Jimbo at March 10, 2005 09:09 PM
Post a comment









Remember personal info?






Hit preview to see your comment as it would be displayed.