- Spam, and Other Problems with Email
- Hostile Code
- Security Breaches
- Identity and the Theft of Identity
- Should We Just Start Over?
- The Need for a New School
This chapter is from the book
This chapter is from the book
This chapter is from the book
Identity and the Theft of Identity
Imitation is the sincerest form of flattery, but no one is flattered by having their good name and credit used for fraud. Such frauds include emptying your bank account, applying for credit, or getting medical care in your name. Personally identifying information such as your full name, national identity number, bank account details, and so on are valuable precisely because they can be used by someone else to impersonate you.
The desire to commit fraud is an important part of the rapidly growing and widely misunderstood crime known as identify theft. Before we can discuss it, we need to describe identification, authentication, and authorization. These three concepts are often confused. Identification concerns the labels we provide for things. Much like The New School of Information Security identifies a book, “John Wilson” identifies a person. We use other identifiers to identify people, such as “Dad.” Dad is not a unique identifier, but most people are pretty sure whom they mean when they say it. A bank with eight customers named John Wilson needs to be able to differentiate between them. Anyone can claim to be John Wilson, so how can we tell if he really is? The answer lies in authentication to figure out which John Wilson is authorized to take money from account number 1234.
You may plan to have coffee with John, and he might tell you that he is tall, bald, and is wearing a green shirt today. Those are authenticators. They help you recognize John at the coffee shop. But if you’re a bank, you want to make sure that John is authorized to withdraw money, so you might check his signature, password, or PIN. Identification and authorization are tricky. Too many organizations believe that anyone who knows your social security number (SSN) is you.
The same information about us is stored repeatedly, by different organizations and in different places. Tremendous duplication occurs, and many organizations continue to design processes that depend on these little pieces of data. The problem is that many of these identifying fragments were never designed for the ways in which they are being used. The SSN was not designed to be secret, and yet it is widely believed to be secret and often is treated as such. The result is that SSNs are used as both an identifier and an authenticator. We are told it is important not to hand out our SSN willy-nilly, but at the same time, everyone demands it.
If something is valuable, it should be protected, and we should give our personal information to only trustworthy organizations that really need it. Unfortunately, most organizations seem to think that they are trustworthy and that they must have our personal information. Landlords, utility and insurance companies, employers, hospitals, governments, and many others all profess to be completely trustworthy. It’s likely that these organizations, storing the most personal information imaginable, will authorize hundreds of thousands of other completely “trustworthy” people at a variety of organizations to see it, increasing the possibility that it will become compromised.
Why do these approaches persist? The idea that we have a “core identity” that is truly “us” seems to be both strong and pervasive, as does people’s desire to build on it. These drivers seem to be deep-seated, despite the practical problems. The willingness to build identity systems without testing our ideas mirrors and reinforces a willingness to build security systems on faith. The deep-seated desire to make identity-driven systems work is not only emotional, but also economic: the use of SSNs to identify us is inexpensive to the people designing the systems. Other systems might cost more to deploy, might be harder to use, or might be more intrusive on the surface.
One outgrowth of such faith is the fastest-growing crime in America today, identity theft. This term calls to mind the deep sense of violation that many of its victims feel, because we often believe that our identity is our “good name” and one of the most important things about us.
To get a credit card in the U.S., all you need is a date of birth and an SSN that match a record in a database. Criminals who obtain credit take on as much debt as they can and then disappear. The loan is reported to credit bureaus and collection agencies. Collection agencies attempt to track down the person identified, thinking that he is the person responsible for the debt, and a Kafka-esque nightmare ensues.
Credit fraud is not the only goal of identity fraudsters. They can obtain medical care under false names, leading to a risk that medical records will be unfortunately intertwined. They can obtain driver’s licenses and passports under false names, leading to repeated arrests of innocent individuals. As more and more systems are based on the notion of identity, the value of identity fraud will grow. Some states have proposed “identity theft passports” to help victims of identity fraud. However, the more we tighten the security of identity systems, the less willing authorities will be to believe they can be compromised and defrauded. This will increase the value of compromising these systems and make victims’ lives more difficult.
Addressing identity theft will likely involve some investment in technology, and perhaps more importantly, an understanding of the motivations of the various participants that make it such a problem. One of the themes of this book is using economic analysis to increase our understanding of systems and using that understanding to reach better outcomes. Looking at identity theft allows us to see that all the players behave rationally. That rational behavior imposes costs on everyone who touches the financial system.