Dan Lanciani (ddl@danlan.com) Wed, 2 Mar 2005 03:45:25 EST

Review Index Sorted By: [ date ][ thread ][ subject ][ author ] Next message: Marcus Didius Falco: "Re: Arbitration Left ID Theft Victim With $27,000 Bill" Previous message: Telecom dailyLead from USTA: "MCI to Review Qwest Bid" Next in thread: hancock4@bbs.cpcn.com: "Re: Is Your Identity Safe?" May be reply: hancock4@bbs.cpcn.com: "Re: Is Your Identity Safe?" May be reply: Scott Dorsey: "Re: Is Your Identity Safe?" May be reply: Dan Lanciani: "Re: Is Your Identity Safe?" May be reply: Scott Dorsey: "Re: Is Your Identity Safe?" May be reply: Dan Lanciani: "Re: Is Your Identity Safe?" TELECOM Digest: Home Page

> But ChoicePoint delivered thousands of electronic reports containing > names, addresses, Social Security numbers and other personal financial > information to criminals in the Los Angeles area who were posing as > officials in legitimate debt collection, insurance and check-cashing > businesses. I've seen variations of this posted in many groups and lists, and of course we have heard of similar (though perhaps smaller) incidents in the past. Yet nobody ever seems to ask the obvious question: why does ChoicePoint deliver sufficient information for identity theft even to "legitimate" businesses? More abstractly, why is the information required by an entity to verify the identity of a consumer also sufficient for someone to obtain credit or cash in the name of that consumer? There are many ways to set things up such that this is not the case. They range from the highly technical (e.g., public key crypto) to the procedural (credit inquiry locks). IMHO, the current system is designed purely for the convenience of the financial institutions. The consumer is expected to disclose whatever personal information the bank requests and, if the bank likes what it hears, the consumer may get his money, credit, etc. The system is not only haphazard and insecure but unidirectional: there is barely any notion of the bank's authenticating itself to the consumer. It is because many consumers are conditioned to respond unquestioningly to anything that appears to be acting on the bank's behalf that the many phishing scams (online and otherwise) are practical. Recently in my area we had a rash of ATM fraud. The scam involved replacing the door entry card reader at enclosed ATMs with one which recorded the customer's information, and installing minicams to watch the PIN entry. I'll bet that these incidents will be used to push SecureIDs or similar contrivances which force the consumer to jump through additional hoops to prove herself to the bank while doing little to address the underlying problem. N.B. I'm not opposed to high-tech solutions, but we need to think in terms of mutual authentication and zero knowledge proofs (concepts that have been around for so long that most of the patents have expired :). Again, more abstractly, we need to recognize that it is as important for the bank to prove its identity to the consumer as it is for the consumer to prove her identity to the bank. Dan Lanciani ddl@danlan.*com

Post Followup Article	Use your browser's quoting feature to quote article into reply
Go to Next message: Marcus Didius Falco: "Re: Arbitration Left ID Theft Victim With $27,000 Bill"
Go to Previous message: Telecom dailyLead from USTA: "MCI to Review Qwest Bid"
Next in thread: hancock4@bbs.cpcn.com: "Re: Is Your Identity Safe?"
May be reply: hancock4@bbs.cpcn.com: "Re: Is Your Identity Safe?"
May be reply: Scott Dorsey: "Re: Is Your Identity Safe?"
May be reply: Dan Lanciani: "Re: Is Your Identity Safe?"
May be reply: Scott Dorsey: "Re: Is Your Identity Safe?"
May be reply: Dan Lanciani: "Re: Is Your Identity Safe?"
TELECOM Digest: Home Page