March 27, 2007

Cost of an identity

Some figures on the cost to build a new identity:

In all, seven defendants pleaded guilty in Corpus Christi this past week to charges of selling their birth certificates and Social Security cards for $100 each. Seven other defendants pleaded guilty to buying or reselling those documents as part of a ring that sold documents to illegal immigrants seeking jobs in Dodge City, Kan.

One other figure:

Tim Counts, an Immigration and Customs Enforcement spokesman in Bloomington, Minn., said that investigation revealed documents were available for a price in places as open as Kmart parking lots. He said genuine documents were the most expensive, costing up to $1,500, and the most effective against detection.

That remark looks suspicious, I'd guess he's talking about something else than SS cards and birth certificates.

Also over in that center of expertise in identity theft, USA, a blog entry by Spire says:

  1. For as long as we continue to pretend that SSNs are secret and therefore may be used as authenticators, they will be.
  2. There are over 150,000 people (my estimate) with "defendable" access to your SSN right now. They aren't secret.
  3. You are more likely by a factor of 10 to be a victim of identity fraud via one of these "authorized" folks.
  4. The real problem is not how easy it is to get your SSN, but how creditors allow the SSN to be used as an authenticator (See #1).
  5. The SSN is fine as an identifier. No, it is not perfect, but its main benefit is that it is already used in so many places.

Right. That's a number we wanted: 150k people in that country have access (legal, he says defendable) to the SSN. Presumably they have access to all the other PII as well.

Posted by iang at March 27, 2007 05:51 AM | TrackBack

Hi Ian,

Interesting to see that the fact that it is the verifier who determines whether or not the "proof of identity" is valid (i.e. the authentication process) is not yet widely understood. The only reason I can imagine, continuing your economic way of thinking, is that the actual risk/damages/loss is not with the verifier!

This effectively means that a company or institution can give (no scare quotes here) your money, support or whatever you are entitled (hmmm, is there an ancient meaning to "entitlement" and rights here?) to, away to anyone they feel like, as long as they can get away with "due diligence" in their "best commercial effort" to conduct their business.

If title is the basis of ownership, and private ownership the basis for a capitalistic society, how do we need to treat identity in representational economies?

Not a very rhetorical question, but a viewpoint I haven't encountered yet.

Posted by: Twan at March 28, 2007 04:07 AM

Are you aware of the moves by the Australian govt to shove an Australia Card Mark 2 down our throats under the guise of a more secure identify theft preventative Medicare card?

Posted by: Duane at March 28, 2007 04:08 AM

So if a form of ID is legally permitted and the procedure for its verification is accepted why does it have to be secret? The ease of use is complicated by the threshold of secrecy. If an ID is secret it has to be known by someone outside of your control and since the only available parties for that role are regulators either governmental or commercial. Therefore the user must accept the regulatory oversight of some entity to verify their identity. The strategy of plastering the walls with some form of identification and allowing it to float around, awaiting some kind of assertion and contest is probably easier. If your identity is stolen from the vast bait ball swimming around the parking lot you have to contest its use ie defend it once you are informed of its theft. The damages attributed to that theft, should be laid at the feet of the those that accepted the identity due to a flawed process. The environment will change when class actions are formulated against those that accept identification with no challenge to its bona fides. So each entity that accepts the identity of another is liable as a co-conspirator in a fraud. So if Microsoft has a process that insures the identity is valid and that process regardless of the licence, is liable for the losses and damages that can be attributed to that theft and infringement.

Posted by: jimblaa at March 28, 2007 07:38 AM

some cross over from another forum

We can have 'win-win' on security vs. privacy, says Acadamy

Dilemmas of Privacy and Surveillance Report

some comments

Posted by: Lynn Wheeler at March 28, 2007 05:03 PM

My 2p..

You are, of course, preaching to the converted, but it is still infuriating to be reminded of the stupidity of some people and organizations...

Identity theft need not be a problem - government and corporate incompetence and stupidity have made it one...

Here are my basic rules for protecting identity:

Rule 1. Nothing dual use is secret - period.
Your credit card numbers are not secret, because you give
them to strangers every time you use them. You provide your
social security number whenever a minor official asks for it.
You probably carry both in your wallet.

Don't shred your documents. Scan them and post them on to
the Internet. Display your social security number and credit
card numbers on your t-shirt.

That will help prevent your or other people mistakenly thinking
that they are secrets that can be used to identify you.

Rule 2. No document or token is unforgeable.
If the government or a major corporation can produce it, then
so can a lot of others. Probably faster and at a much lower cost.
Fancy. Hard to manufacture gimicks just provide a false sense of
security. Just as there is no lock that will do more than delay
an intruder if left unguarded, no magic token that is in the
possession of entitity to be verified can provide more than a
superficial level of trust unless used in conjunction with secure
verification means in the hands of the entity doing the verifying.

Rule 3. Identity verification must be based on trusted global
data, not secret data.

So what is the solution? It depends on the specific problem of course. But if we want to protect our identities then one solution would be a public database - open to anyone to inspect. By all means carry your social security number, National Insurance number, drivers licence or National ID card. But if person A wants to be sure that they are talking to person B, they should be able to enter that number obtained from person B into a publicly accessible database and retrieve a corresponding name, photograph, and assorted biometric data.

It is, of course, critical that such a central database cannot be tampered with - either by criminals or corrupt covernment officials.

This is where strong crypto comes is. Each entry should be digitally signed but some number of authorised parties, whose public keys are available online and can be readily checked. Suitable authorization might be indicated, for example, by having these public keys signed by the current president/prime minister. And of course the president or prime minister should have their public key published and the key fingerprint included on all currency minted during their term in office. And, of course, the entry should be signed by the person identified in the document (and their public key included in the entry) so we are all in control of what is included.

As cryptographic technology improves, or governments change, new digital signatures can be added to the database entries. But the old ones naturely remain. So it gets progressively harder to forge or tamper with an entry.

No system is perfect, but now we have raised the identity theft hurdle from simple harvesting of readily available data to one of
a) duplicating somebody else's appearance and biometric data, and compromising the their secret cryptographic key.
b) compromising the secret key of the current (and all previous) heads of state.
c) compromising the secrets keys of a sufficient number of (current and past) authorised signers.
d) breaking current (and past) cryptographic technology.

That was off the top of my head, and I haven't given it enough thought for it be a serious proposal, so no doubt there are vulnerabilities that I have overlooked - but it might be a starting point for generating ideas, and nearly anything would be better to the current flawed ideas.

My gut feeling is that there should be something better than a centralised database, but it seems like the most obvious solution and is certainly better than relying on information provided by the entity to be verified.

Posted by: Digbyt at March 28, 2007 05:04 PM

p.s. had a good analogy for current conventional wisdom on identity protection which I forgot to add to my comment...

If the banks decided to start asking for your eye colour when wanting to verify your identity, would it be reasonable to blame the victims of resulting identity theft for foolishly walking around with their eyes open....?

Posted by: DigbyT at March 28, 2007 05:49 PM

re: Cost of an identity

of possible some interesting additional drift ... response
to comment in a mainframe n.g. T.J. Maxx data theft worse than first reported

in the response ... i even made reference to one of the analogies made in this thread

and then a followup T.J. Maxx data theft worse than first reported

the followup was references to news item claiming that the exploit wasn't copying transaction log ... but skimming the transaction as it was being processed. the original comment somewhat implied that the problems would all go away ... if merchants stopped storing account numbers (in transaction logs). however, this latest (largest) exploit may not have involved transaction logs at all.

Posted by: Lynn Wheeler at March 31, 2007 08:31 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.