Credential Theft

Sunday, January 15th, 2006

I’ve always been interested in on-line social mechanisms, and identity mechanisms are crucial to developing a ubiquitous on-line community. I’ve been reading blogs by some Identity Pundits, and a thought occurred to me just now. (The guys I’m talking about are: Bob Blakely and Kim Cameron) These guys take an approach that a lot of tech thinkers do. They look at technology that’s out there today, or being developed, and try to extrapolate how it will affect society, or how it should affect society. It would be better to approach things from the other way around.

Here is an example. These guys discuss things like identity theft and the Laws of Identity. They often wax philosophical about how society and hence software should deal with related social issues. From an English language point of view I have a bone to pick here. The whole “online identity” notion would be better called “online credentials”.

According to webster.com, Identity: (2a) the distinguishing character or personality of an individual (2b) the relation established by psychological identification. This is clearly talking about things that live inside a person’s head.

Credential: something that gives a title to credit or confidence. Clearly talking about an artifact. A something. The only hazy part is that you have to understand that in this case (identity theft), the artifacts that often get stolen are information. Like social security number, bank account number, etc. Those are information artifacts. They are somethings.

Your social security number is NOT part of your identity, by any stretch of the term “identity”. Your social security number is a piece of information that CORPORATIONS use as a credential. You call someone on the phone, you give them a social security number, and they assume that you are the person whom that social security number was assigned to.

So identity is identity and credentials are credentials. There’s no reason to wax philosophical about the true nature of identity when we’re discussing new kinds of computerized credentials. There’s no point.

Begin rant…

Modern so-called “identity theft” is more accurately called “fraud”, plain and simple. The problem is not that a brand new evil practice (“identity theft”) has become rampant. The problem is that consumer databases have become massively more connected, and the corporations that interface with those databases are still using the credential systems that they used 20 years ago.

Actually, you could say that corporations (banks, insurance companies, etc.) are using weaker credentials than they used to. Signatures and bank visits used to be required in many cases. These days (to lower costs), computers and phone trees are doing the same work, and you can’t give a handwritten signature over the phone or internet.

We don’t need to invent anything to solve the problem of identity theft. All we need to do is hold corporations accountable for fraud that they fail to prevent.

Cracking down on identity thieves is politically easier to do, since they are obviously the “bad guy”. But from an enforcement point of view, it will never be effective in the long run. Desperate people will do stupid things for money no matter how severe you make the penalty.

Cracking down on corporations is harder to do because corporations donate millions to political parties and candidates and Political Action Committees, etc, etc. And the most guilty corporations are the largest ones. Banks, insurance companies, government departments, etc.

From a global point of view (considering all social costs) the most effective way to reduce this kind of fraud is to place legal requirements on the kinds of credentials that can be used for significant financial transactions. The government could require corporations to use stronger credentials (like a token card, or calling from your home phone with ID enabled, or using a pass-phrase, or reading a number that was mailed or emailed to them …). None of these is a perfect solution, and the better ones are a bigger hassle.

Some services, departments, or corporations are worse than others. The weakest links in the chain become the most common point of entry for identity fraud. First a criminal gets a Sears card in your name, then they use that to get a MasterCard, etc, etc. If we tightened the credentials in the worst places, that would be the best way to cut down on identity fraud.