September 10, 2007

Threatwatch - more data on cost of your identity

In the long-running threatwatch theme of how much a set of identity documents will cost you, Dave Birch spots new data:

Other than data breaches, another useful rule-of-thumb figure, I reckon, might come from identity card fraud since an identity card is a much better representation of a person's identity than a credit card record. Luckily, one of the countries with a national smart ID card just had a police bust: in Malaysia, the police seized fake MyKad, foreign workers' identity cards, work permits and Indonesian passports and said that they thought the fake documents were sold for between RM300 and RM500 (somewhere between $100 and $150) each. That gives us a rule-of-thumb of $20 for a "credit card identity" and $100, say, for a "full identity". Since we don't yet have ID cards in the U.K., I thought that fake passports might be my best proxy. Here, the police say that 1,800 alleged counterfeit passports recovered in a raid in North London were valued at 1m. If we round it up to 2,000 fakes, then that's 500 each. This, incidentally, was the largest seizure of fake passports in the U.K. so far and included 200 U.K. passports, which, according to police, are often considered by counterfeiters to be too difficult to reproduce. Not!

The point I actually wanted to make is not that these figures are very variable, which they are, but that they're not comparing apples with apples. Hence the simplistic "what's your identity worth?" question cannot be answered with a simple number.

OK, that's consistent with my long-standing estimate of 1000 (in the major units, pounds, dollars, euros) to get a set of docs. It is important to track this because if you are building a system based on identity, this gives you a solid number on which to base your economic security. E.g., don't protect much more than 1000 on the basis of identity alone.

As a curious footnote, I recently acquired a new high-quality document from the proper source, and it cost me around 1000, once all the checking, rechecking, couriered documents and double phase costs were all added up. If a data set of one could be extrapolated, this would tell us that it makes no difference to the user whether she goes for a fully authentic set or not!

Luckily my experiences are probably an outlier, but we can see a fairly damning data point here: the cost of an "informal" document is far too similar to the cost of a "formal" document.

Postscript: It turns out that there is no way to go through FC archives and see all the various categories, so I've added a button at the right which allows you to see (for example) the cost of your identity, in full posted-archive form.

Posted by iang at September 10, 2007 05:27 AM

one possible scenario accounting for the difference between fraud value of credit cards and identification cards is that credit cards have had a primarily "online infrastructure" where each use is tracked and recorded ... and can be "deactivated". identification cards have tended to be offline infrastructure where use and activity haven't tended to involve online operations with each use being tracked and recorded and there tends to not be an easy online deactivation.

in that sense the credit card would be considered only a very small feature of a more extensive online operation ... where identification cards typically operate independent of a much more extensive infrastructure. another viewpoint is a credit card (as part of an online infrastructure) tends to be purely authentication and authorization is embodied in the online infrastructure. identification cards would not only represent authentication, but in an offline paradigm, would implicitly carry the sense of authorization.

something similar can be cited for past discussion of "yes card" vulnerability

and/or even PKI .... which i've repeatedly claimed had design point trade-off for the offline email operation of the early 80s and/or letters of credit/introduction from sailing ship days. the "credentials" represented a "better than nothing" solution in a purely offline environment where the relying party had access to no other information regarding the party (first time interaction with complete stranger) they were dealing with. Given any online infrastructure and/or any sort of timely interaction with responsible authority, the "better than nothing" solution (designed for the offline environment) becomes a very poor substitute (possibly being restricted to purely no-value operations).

lots of past posts mentioning "offline solutions" becoming limited to no-value applications when higher quality "online solutions" are available as an alternative:

ALARMED ... Only Mostly Dead ... RIP PKI ... part III
I-D ACTION:draft-ietf-pkix-usergroup-01.txt
Employee Certificates - Security Issues
First Data Unit Says It's Untangling Authentication
TTPs & AADS (part II)
Ousourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before
GeoTrust says existing PKI practices are worthless
How many wrongs do you need to make a right?
Another entry in the internet security hall of shame
Another entry in the internet security hall of shame
Some thoughts on high-assurance certificates
browser vendors and CAs agreeing on high-assurance certificates
Extended Validation - setting the minimum liability, the CA trap, the market in browser governance
EV - what was the reason, again?
man in the middle, SSL ... addenda
Failure of PKI in messaging
PKI: The terrorists' secret weapon (part II)
Identity resurges as a debate topic
A crazy thought?
Root certificate definition
Help! Good protocol for national ID card?
Certificate Authority: Industry vs. Government
Certificate Authority: Industry vs. Government
Cirtificate Authorities 'CAs', how curruptable are they to
RSA vs AES
Who is the most likely to use PK?
The SOB that helped IT jobs move to India is dead!
Soft signatures
Authenticated Public Key Exchange without Digital Certificates?
TLS-certificates and interoperability-issues sendmail/Exchange/postfix
Maximum RAM and ROM for smartcards
More Phishing scams, still no SSL being used
The Worth of Verisign's Brand
The Worth of Verisign's Brand
The Worth of Verisign's Brand
More Phishing scams, still no SSL being used
The Worth of Verisign's Brand
The Worth of Verisign's Brand
The Worth of Verisign's Brand
PKI Crypto and VSAM RLS
Importing CA certificate to smartcard
More Phishing scams, still no SSL being used
More Phishing scams, still no SSL being used
More Phishing scams, still no SSL being used
phishing web sites using self-signed certs
TTP and KCM
X.509 and ssh
X.509 and ssh
X.509 and ssh
X.509 and ssh
X.509 and ssh
confidence in CA
Multi-layered PKI implementation
other cp/cms history
T.J. Maxx data theft worse than first reported
sizeof() was: The Perfect Computer - 36 bits?

Posted by: Lynn Wheeler at September 10, 2007 08:29 AM
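The offline-versus-online distinction in the comment above, worked through as an added example (not code from the post or from the commenter): an offline credential carries its authorization inside the document, so once it is out the door the issuer has no way to withdraw it and the relying party has no way to ask; an online card is only an authenticator, and the issuer decides, records and can cut off every use. HMAC stands in for the issuer's signature, and the key, subject, card number and amounts are constructed for the demonstration.

```python
"""Offline credential (authorization baked in) versus online card (authorization
decided per use by the issuer). Added illustration; all values are constructed."""
import hashlib
import hmac
import json

# Constructed issuer MAC key; a real issuer would use a signature scheme and an HSM.
ISSUER_KEY = b"constructed-demo-issuer-key"


def issue_offline_credential(subject: str, entitlement: str) -> dict:
    """Issuer mints a document whose authorization travels with the document."""
    body = json.dumps({"subject": subject, "entitlement": entitlement},
                      sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_offline(credential: dict) -> tuple:
    """Relying party with no channel back to the issuer: it can check that the
    document was genuinely issued, never whether the issuer has since withdrawn it."""
    expected = hmac.new(ISSUER_KEY, credential["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["tag"]):
        return (False, "forged or altered document")
    claims = json.loads(credential["body"])
    return (True, claims["entitlement"])


class OnlineIssuer:
    """The card is only an authenticator; each use is decided and recorded here,
    and the issuer can deactivate the card at any time."""

    def __init__(self):
        self.active = {}   # card number -> subject
        self.log = []      # one record per use, approved or not

    def issue_card(self, card_no: str, subject: str) -> None:
        self.active[card_no] = subject

    def deactivate(self, card_no: str) -> None:
        self.active.pop(card_no, None)

    def authorize(self, card_no: str, amount: int) -> bool:
        approved = card_no in self.active
        self.log.append({"card": card_no, "amount": amount, "approved": approved})
        return approved


def run_scenario() -> dict:
    """Both instruments are reported stolen to the issuer; only the online one stops working."""
    # Offline document: issuer cannot reach relying parties once it has been handed out.
    doc = issue_offline_credential("alice", "enter-building")
    after_theft_offline = verify_offline(doc)   # issuer knows of the theft; verifier does not

    # Online card: issuer keeps the authority and the record of every use.
    issuer = OnlineIssuer()
    card = "4111-0000-0000-0001"                 # constructed card number
    issuer.issue_card(card, "alice")
    first_use = issuer.authorize(card, 40)
    issuer.deactivate(card)                      # reported stolen
    after_theft_online = issuer.authorize(card, 40)

    # Tampering with the offline document is the one thing the offline check does catch.
    tampered = dict(doc, body=doc["body"].replace(b"enter-building", b"open-vault"))

    return {
        "offline_accepted_after_theft": after_theft_offline[0],
        "offline_rejects_tampering": not verify_offline(tampered)[0],
        "online_first_use": first_use,
        "online_accepted_after_theft": after_theft_online,
        "online_uses_recorded": len(issuer.log),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The scenario makes the comment's point concrete: the offline verifier still accepts the stolen document because a valid issuer tag is all it can ever see, whereas the online issuer refuses the second use and holds a record of both attempts. That gap is why an offline credential on its own should gate only low-value operations, and why an online check, when one is available, is the stronger control.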