firstname.lastname@example.org (Scott Dorsey) wrote:
> Dan Lanciani <email@example.com> wrote:
>> More abstractly, why is the information required by an entity to
>> verify the identity of a consumer also sufficient for someone to
>> obtain credit or cash in the name of that consumer? There are many
>> ways to set things up such that this is not the case. They range
>> from the highly technical (e.g., public key crypto) to the
>> procedural (credit inquiry locks).
> Because it is a necessary condition to obtain credit to verify your
I think you've missed the point. In spite of what the banks may tell
you, there is no reason for the information required by an entity to
verify your identity to also be sufficient for that entity to
impersonate you. The attitude of, 'we need to know all about you so
we can be sure who you are' (and consumers' acceptance of that
attitude) is exactly the problem.
> If you have good credit and someone can impersonate you in
> some way, they can take advantage of it.
> The only way to prevent this is to make it more difficult to
> impersonate someone. This could be a technological improvement, such
> as accurate biometrics like fingerprints,
As I said, there are technical solutions. Biometrics (and
fingerprints in particular) are probably not among them. Most such
systems depend on giving the bank yet another set of information that
is just as useful for impersonation as it is for authentication. I
realize that biometric systems seem flashy (and banks would
undoubtedly like to use them to defeat consumers' claims of fraud--at
least until some scammer demonstrates how easy they are to defeat) but
they are really just more hoops for the consumer and they lack
provable nonrepudiation characteristics.
A system where neither the authentication information provided by the
consumer in a transaction _nor_ the information held by the bank is
sufficient to later impersonate the consumer would solve most of the
problem without flashy fingerprint readers. Combined with mutual
authentication it would solve almost all of the problem. (You still
can't do much about simple duress.) The technology to achieve this
solution has been around for decades.
> or it could be a social improvement, such as the privacy laws
> enacted in Europe which are sadly not in force here in the US.
As I said, there are procedural solutions. Laws to protect "privacy"
are probably not among them. Keeping information "secret" while
sharing it within an entire industry is a hard (and unnecessary)
problem. The goal should be to make the information useless by
itself. Credit inquiry locks are a simple procedural approach, but
unfortunately credit agencies are opposed to them.
>> IMHO, the current system is designed purely for the convenience of the
>> financial institutions. The consumer is expected to disclose whatever
>> personal information the bank requests and, if the bank likes what it
>> hears, the consumer may get his money, credit, etc. The system is not
>> only haphazard and insecure but unidirectional: there is barely any
>> notion of the bank's authenticating itself to the consumer. It is
>> because many consumers are conditioned to respond unquestioningly to
>> anything that appears to be acting on the bank's behalf that the many
>> phishing scams (online and otherwise) are practical.
> Of course, because the banks are the ones with the money.
I can't tell whether you are being sarcastic or whether you really
believe that banks deserve this privileged position in the
authentication hierarchy. Either way, I would point out that (a) it
isn't the banks' money and (b) in the long run the fraud is going to
cost the banks more than any benefit from such privilege can be worth.
>> Recently in my area we had a rash of ATM fraud. The scam involved
>> replacing the door entry card reader at enclosed ATMs with one which
>> recorded the customer's information, and installing minicams to watch
>> the PIN entry.
> This does nothing to prevent fraud. All it does it make it easier to
> identify the perpetrator after the fraud has been committed. That is
> not a bad thing, but it's not a solution.
Again, you have missed the point. (Or else you just aren't reading
what I wrote at all.) The minicams were installed by the scammers.
They had nothing to do with identifying the perpetrator. They were
used *by* the perpetrators to commit the fraud!
Hmm. I think you've just provided a great example of the problem of
unquestioningly assuming that any high-tech security gadget must be
working on behalf of the bank ...