Identity theft has been a big hit with the purveyors of fear in recent years. We all now live in terror of waking up one morning and finding that someone has stolen our identity, and we can’t even remember who we are.
Well, maybe not. But identity theft is a real problem. If someone manages to construct a copy of your identity, you don’t stop being you, you just stop being the owner of all of your money (unless you can persuade your bank it’s their fault). You might get back from vacation to find that your house has been stolen...
Identity is closely tied to the concept of reputation. We are now trying to apply ideas from villages of a few hundred people to a global scale and (not surprisingly) finding that they don’t quite work.
In a small community, everyone knows—or knows of—everyone else. Reputations are very important. If you want to borrow something from a neighbor, or ask them for a favor, then you will have some idea of how much you trust them.
When banks started, they would use this sort of model. They would be willing to lend you money based on letters of recommendation from people they trusted, or based on their prior dealings.
Now banks have grown so big that they use a much less personal system, but still deal in the idea of reputations.
The Social Security Scam
Some time ago, the U.S. government introduced the concept of a Social Security number (SSN). This was a unique identifier assigned to every taxpaying citizen, allowing their tax records to be connected together.
Having a unique identifier for people was useful to a lot of institutions. It’s pretty hard to know whether you can trust John Smith, but it’s much easier to find out information about a specific John Smith.
The problem began when people started regarding knowing someone’s Social Security number as proof (or, at least, strong evidence) that you were that person.
This attitude isn’t limited to SSNs, by the way. One of my banks has an ultra-secure login where, in addition to my password, they also require that I tell them the following information:
- My mother’s maiden name
- My house number
- My date of birth
All these responses are public knowledge and can be looked up by anyone who wanted to find them out.
The most surreal experience I’ve had with a bank was one based in the United States. I phoned them to try to set up Internet banking. The conversation went something like this:
Me: Hi, I’d like to know my password for Internet banking, please.
Them: Certainly. We just need to confirm your identity. Can you tell me the size of the last transaction in your account, please?
Me: No, I want to log into Internet banking to look that up.
Them: Oh, we can tell you that over the phone.
Me: Thanks. The answer to your question is $n.
Them: Oh, I can’t ask you things I’ve just told you as a security question.
Me: Well, that’s sensible.
Them: Let me transfer you to someone who can.
The next person I talked to asked me for the number that the first representative had given me, and was then happy to pass on my Internet banking password.
The illusion of security seems very popular with banks at the moment.