Credential Theft

I’ve always been interested in on-line social mechanisms, and identity mechanisms are crucial to developing a ubiquitous on-line community. I’ve been reading blogs by some Identity Pundits, and a thought occurred to me just now. (The guys I’m talking about are: Bob Blakely and Kim Cameron) These guys take an approach that a lot of tech thinkers do. They look at technology that’s out there today, or being developed, and try to extrapolate how it will affect society, or how it should affect society. It would be better to approach things from the other way around.

Here is an example. These guys discuss things like identity theft and the Laws of Identity. They often wax philosophical about how society and hence software should deal with related social issues. From an english language point of view I have a bone to pick here. The whole “online identity” notion would be better called “online credentials”.

According to webster.com, Identity : (2a) the distinguishing character or personality of an individual (2b) the relation established by psychological identification. This is clearly talking about things that live inside a person’s head.

Credential: something that gives a title to credit or confidence. Clearly talking about an artifact. A something. The only hazy part is that you have to understand that in this case (identity theft), the artifacts that often get stolen are information. Like social security number, bank account number, etc. Those are information artifacts. They are somethings.

Your social security number is NOT part of your identity, in any stretch of the term “identity”. Your social security number is a peice of information that CORPORATIONS use as a credential. You call someone on the phone, you give them a social security number, and they assume that you are the person whom that social security number was assigned to.

So identity is identity and credentials are credentials. There’s no reason to wax philosophical about the true nature of identity when we’re discussing new kinds of computerized credentials. There’s no point.

Begin rant…

Modern so-called “identity theft”, is more accurately called “fraud”, plain and simple. The problem is not that a brand new evil practice (“identity theft”) has become rampant. The problem is that consumer databases have become massively more connected, and the coporations that interface with those databases are still using the credential systems that they used 20 years ago.

Actually, you could say that corporations (bank, insurance companies etc) are using weaker credentials than they used to. Signatures and bank visits used to be required in many cases. These days, (to lower costs) computers and phone trees are are doing the same work, and you can’t give a handwritten signature over the phone or internet.

We don’t need to invent anything to solve the problem of identity theft. All we need to do is hold corporations accountable for fraud that they fail to prevent.

Cracking down on identity thieves is politically easier to do, since they are obviously the “bad guy”. But from an enforcement point of view, it will never be effective in the long run. Desperate people will do stupid things for money no matter how severe you make the penalty.

Cracking down on corporations is harder to do because corporations donate millions to political parties and candidates and Political Action Committees, etc, etc. And the most guilty corpoprations are the largest ones. Banks, insurance companies, government departments, etc.

From a global point of view (considering all social costs) the most effective way to reduce this kind of fraud is to place legal requirements on the kinds of credentials that can be used for significant financial transactions. The government could require corporations to use stronger credentials (like a token card, or calling from your home phone with ID enabled, or using a pass-phrase, or reading a number that was mailed or emailed to them … None of these is a perfect solution, and the better ones are a bigger hassle.

Some services, departments, or corporations are worse than others. The weakest links in the chain become the most common point of entry for identity fraud. First a criminal gets a sears card in your name, then they use that to get a mastercard, etc, etc. If we tightened the credentials in the worst places, that would be the best way to cut down on identity fraud.

2 Responses to “Credential Theft”

  1. Bob Blakley says:

    Chris, You attribute lots of things to me here which I do not in fact believe, but I’ll respond to just a few points. First, Websters’ is about the worst dictionary definition of Identity. American Heritage has a much better one: “The collection of attributes by which a person or thing is generally recognized or known”. This highlights the important problem, which is authentication. The credential exists because we need to recognize a person when we see her again, or when we see her for the first time after someone else who saw her previously has described her to us. The credential is a device to make it easier for me to recognize you if I know lots of people & might not remember you all that well – that is, it’s an authenticator of my identity. Now there are at least three kinds of bad things that might happen with a credential (authenticator): 1. I might steal your credential and use it. This is theft followed by fraud. To prevent this, we put things like pictures and descriptions on the credential (so I can tell if someone who looks different from you is trying to use the credential), and we give you a PIN number (so someone who isn’t you won’t know how to use the credential). 2. I might manufacture a credential which claims to be yours, but which has my picture and my PIN number. This is counterfeiting followed by fraud. To prevent this, we put things like watermarks and holograms on credentials, to make it hard to manufacture credentials which look authentic. 3. I might find out enough about you to open an account in your name, and have the institution which issues legitimate credentials make one with my picture on it and give me the PIN. This is IDENTITY THEFT followed by fraud. This is a harder problem to solve than the previous two, because the credential is just simply genuine. The problem this presents you with, WHICH YOU DO NOT HAVE IN THE OTHER TWO CASES, is that in order to stop me from charging against your credit rating and to avoid having to pay for my purchases, YOU HAVE TO PROVE THAT YOU’RE YOU AND I’M NOT, because BOTH OF US HAVE LEGITIMATE CREDENTIALS CLAIMING TO BE YOU. The problem with preventing Identity Theft (i.e. the third bad thing that could happen) is PRECISELY that there is no unique determinant of a person’s identity: there is nothing you can show the authorities which definitively proves that you are you and everyone else is not (even DNA doesn’t do this for a small but important percentage of the population – including, for example, identical twins). Bruce Schneier writes about a related, and also difficult, problem in a recent blog entry: http://www.schneier.com/blog/archives/2006/01/forged_credenti.html If you want a clear set of definitions of identity, authenticator, attribute, etc…, you could do worse than to look at the report of the National Academy of Sciences panel on “Authentication Technologies and Their Privacy Implications”. The definitions are in chapter 1: http://www7.nationalacademies.org/cstb/pub_authentication.html Regarding placing legal restrictions on the kinds of IDs people can use for significant transactions, I’ll note two things: first, both the ICAO attempt to add biometrics to passports and the US REAL ID act have to date been hugely expensive and not very effective (Bruce also comments on this in a recent blog entry), and second, you seem to have the theory that government is better at reducing identity risks than business. I think the opposite is true – businesses will very effectively control fraud when they are responsible for paying for it. It wasn’t the banks who decided to use Social Security Numbers for identification; it was the Federal government.