TELECOM Digest OnLine - Sorted: Is Your Identity Safe?


Is Your Identity Safe?


Dan Lanciani (ddl@danlan.com)
Wed, 2 Mar 2005 03:45:25 EST

> But ChoicePoint delivered thousands of electronic reports containing
> names, addresses, Social Security numbers and other personal financial
> information to criminals in the Los Angeles area who were posing as
> officials in legitimate debt collection, insurance and check-cashing
> businesses.

I've seen variations of this posted in many groups and lists, and of
course we have heard of similar (though perhaps smaller) incidents in
the past. Yet nobody ever seems to ask the obvious question: why does
ChoicePoint deliver sufficient information for identity theft even to
"legitimate" businesses? More abstractly, why is the information
required by an entity to verify the identity of a consumer also
sufficient for someone to obtain credit or cash in the name of that
consumer? There are many ways to set things up such that this is not
the case. They range from the highly technical (e.g., public key
crypto) to the procedural (credit inquiry locks).

IMHO, the current system is designed purely for the convenience of the
financial institutions. The consumer is expected to disclose whatever
personal information the bank requests and, if the bank likes what it
hears, the consumer may get his money, credit, etc. The system is not
only haphazard and insecure but unidirectional: there is barely any
notion of the bank's authenticating itself to the consumer. It is
because many consumers are conditioned to respond unquestioningly to
anything that appears to be acting on the bank's behalf that the many
phishing scams (online and otherwise) are practical.

Recently in my area we had a rash of ATM fraud. The scam involved
replacing the door entry card reader at enclosed ATMs with one which
recorded the customer's information, and installing minicams to watch
the PIN entry. I'll bet that these incidents will be used to push
SecureIDs or similar contrivances which force the consumer to jump
through additional hoops to prove herself to the bank while doing
little to address the underlying problem. N.B. I'm not opposed to
high-tech solutions, but we need to think in terms of mutual
authentication and zero knowledge proofs (concepts that have been
around for so long that most of the patents have expired :). Again,
more abstractly, we need to recognize that it is as important for the
bank to prove its identity to the consumer as it is for the consumer
to prove her identity to the bank.

Dan Lanciani
ddl@danlan.*com
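
The mutual-authentication point in the post above, as an added example that is not part of the original message or its author's code: Schnorr identification, a standard honest-verifier zero-knowledge proof of knowledge, run in both directions so that the verifier stores only a public key, which is not enough to impersonate the other side. The group parameters are constructed toy values, and the names `Party`, `prove_to`, `mutual_auth` and `replay` are hypothetical.

```python
import secrets

# Toy Schnorr group constructed for this example, far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

class Party:
    """Holds a private key x and publishes only y = G^x mod P."""
    def __init__(self, name):
        self.name = name
        self._x = secrets.randbelow(Q - 1) + 1
        self.public = pow(G, self._x, P)
        self._r = None

    def commit(self):
        # Fresh secret nonce r; only t = G^r mod P leaves the prover.
        self._r = secrets.randbelow(Q - 1) + 1
        return pow(G, self._r, P)

    def respond(self, challenge):
        # A nonce must never answer two challenges, so it is cleared after use.
        r, self._r = self._r, None
        return (r + challenge * self._x) % Q

def verify(public, commitment, challenge, response):
    """The verifier needs only the public key: G^s == t * y^c (mod P)."""
    return pow(G, response, P) == (commitment * pow(public, challenge, P)) % P

def prove_to(prover, enrolled_public):
    """One round: prover commits, verifier picks a fresh nonzero challenge."""
    t = prover.commit()
    c = secrets.randbelow(Q - 1) + 1
    s = prover.respond(c)
    return verify(enrolled_public, t, c, s), (t, c, s)

def mutual_auth(consumer, bank):
    """Bank proves itself first, then the consumer; both checks must pass."""
    bank_ok, _ = prove_to(bank, bank.public)
    consumer_ok, _ = prove_to(consumer, consumer.public)
    return bank_ok and consumer_ok

def replay(public, transcript, new_challenge):
    """Someone who recorded (t, c, s) replays it against another challenge."""
    t, _, s = transcript
    return verify(public, t, new_challenge, s)
```

A recorded transcript verifies only for the challenge it was produced for, so data disclosed during one verification cannot be reused to pass the next one.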
