Sunday, July 31, 2005

A new way to authenticate your identity?

What is the root cause of the identity theft "crisis". That depends upon what you consider "identity theft". The term is often used to refer to simple credit card or debit card fraud, but the definition that I use involves impersonating another person to fraudulent obtain a benefit, such as credit facilities. The root cause of this sort of fraud is that it is very easy to impersonate someone, at least to the extent that banks and credit grantors would extend credit on the basis of the faked identity.

Though conventional identification methods, such as drivers licenses, can be faked or can be fraudulently obtained, credit grantors often do not even use such methods to confirm that the applicant is who s/he says s/he is. In most online applications, it seems the credit grantors assume your identity if the information you provide matches what's retrieved from your credit file.

MSNBC is today running an article on two responses to this challenge. The first would be mandatory "fraud alerts" on credit files, so that the credit bureaus are required to confirm that the owner of a credit file consented to its disclosure before handing it over to a lender. The second is a technological method to displace the social security number as the universal identifier.

A new way to authenticate your identity? - Consumer Security -

"...Several identity theft watchdogs say the bills would neglect the deeper reason why financial fraud is relatively easy: Speed, not identity assurance, is the main priority of U.S. financial institutions that issue credit.

To be sure, the fact that many companies use Social Security numbers essentially as a password — not only are they the key to getting credit, they can also unlock access to an account over the phone — magnifies the problem. That's why Congress hopes to hide the numbers better — by reducing the ways they can be sold, for example, or by prohibiting them from being printed on benefit checks.

Even so, keeping the numbers and other personal data out of the wrong hands likely will remain tricky.

"It's too easy to get to data no matter what the key is, from insiders or hackers or mistakes," said Jody Westby, head of the security and privacy practice at PricewaterhouseCoopers LLP. "What we have to do is make it harder to use the data."

Westby's solution would be quite simple: universal use of the fraud alert, which identity theft victims are allowed to put on their credit reports for seven years. Before any new credit is granted, a card issuer or loan provider is supposed to call them and doublecheck that they, rather than an impostor, really made the application.

Putting everyone on fraud alert status would be a simple way of bringing more personal control to the system, Westby argues, just as do-not-call lists let people decide for themselves whether to talk to telemarketers.

In contrast, the data bills pending in Congress would make a lot of changes at once. Consumer advocates like many of the provisions, such as allowing people to refuse to give businesses their Social Security numbers, requiring more encryption of financial records and demanding widespread disclosure of data breaches....

No comments: