excerpted from Bruce Schneir's CryptoGram
Bruce Schneir is an important figure in the field of computer and
Mitigating Identity Theft
Unfortunately, the solutions being proposed in Congress won't help.
To see why, we need to start with the basics. The very term "identity
theft" is an oxymoron. Identity is not a possession that can be
acquired or lost; it's not a thing at all. Someone's identity is the
one thing about a person that cannot be stolen.
The real crime here is fraud; more specifically, impersonation leading
to fraud. Impersonation is an ancient crime, but the rise of
information-based credentials gives it a modern spin ...
The crime involves two very separate issues. The first is the privacy
of personal data. Personal privacy is important for many reasons, one
of which is impersonation and fraud ...
The second issue is the ease with which a criminal can use personal
data to commit fraud. It doesn't take much personal information to
apply for a credit card in someone else's name. It doesn't take much
to submit fraudulent bank transactions in someone else's name. It's
surprisingly easy to get an identification card in someone else's
name. Our current culture, where identity is verified simply and
sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue -- making
personal data harder to steal -- whereas the real problem is the
second. If we're ever going to manage the risks and effects of
electronic impersonation, we must concentrate on preventing and
detecting fraudulent transactions.
Fraudulent transactions have nothing to do with the legitimate account
holders. Criminals impersonate legitimate users to financial
institutions. That means that any solution can't involve the account
holders. That leaves only one reasonable answer: financial
institutions need to be liable for fraudulent transactions. They need
to be liable for sending erroneous information to credit bureaus based
on fraudulent transactions.
They can't claim that the user must keep his password secure or his
machine virus free. They can't require the user to monitor his
accounts for fraudulent activity, or his credit reports for
fraudulently obtained credit cards. Those aren't reasonable
requirements for most users. The bank must be made responsible,
regardless of what the user does.
If you think this won't work, look at credit cards. Credit card
companies are liable for all but the first $50 of fraudulent
transactions. They're not hurting for business; and they're not
drowning in fraud, either. They've developed and fielded an array of
security technologies designed to detect and prevent fraudulent
transactions. They've pushed most of the actual costs onto the
merchants. And almost no security centers around trying to
authenticate the cardholder ...
That's an important lesson. Identity theft solutions focus much too
much on authenticating the person ... once you understand that the
problem is fraudulent transactions, you quickly realize that
authenticating the person isn't the way to proceed.
Again, think about credit cards. Store clerks barely verify
signatures when people use cards. People can use credit cards to buy
things by mail, phone, or Internet, where no one verifies the
signature or even that you have possession of the card. Even worse,
no credit card company mandates secure storage requirements for credit
cards. They don't demand that cardholders secure their wallets in any
particular way. Credit card companies simply don't worry about
verifying the cardholder or putting requirements on what he does.
They concentrate on verifying the transaction.
This same sort of thinking needs to be applied to other areas where
criminals use impersonation to commit fraud. I don't know what the
final solutions will look like, but I do know that once financial
institutions are liable for losses due to these types of fraud, they
will find solutions ...
Right now, the economic incentives result in financial institutions
that are so eager to allow transactions -- new credit cards, cash
transfers, whatever -- that they're not paying enough attention to
fraudulent transactions. They've pushed the costs for fraud onto the
merchants. But if they're liable for losses and damages to legitimate
users, they'll pay more attention. And they'll mitigate the risks.
Security can do all sorts of things, once the economic incentives to
apply them are there ...
Doing anything less simply won't work.