I've seen variations of this posted in many groups and lists, and of
> course we have heard of similar (though perhaps smaller) incidents in
> the past. Yet nobody ever seems to ask the obvious question: why does
> ChoicePoint deliver sufficient information for identity theft even to
> "legitimate" businesses?
Because there is money in it, and there isn't anybody preventing it.
More abstractly, why is the information required by an entity to
> verify the identity of a consumer also sufficient for someone to
> obtain credit or cash in the name of that consumer? There are many
> ways to set things up such that this is not the case. They range
> from the highly technical (e.g., public key crypto) to the
> procedural (credit inquiry locks).
Because it is a necessary condition to obtain credit to verify your identity. If you have good credit and someone can impersonate you in some way, they can take advantage of it.
The only way to prevent this is to make it more difficult to impersonate someone. This could be a technological improvement, such as accurate biometrics like fingerprints, or it could be a social improvement, such as the privacy laws enacted in Europe which are sadly not in force here in the US.
IMHO, the current system is designed purely for the convenience of the
> financial institutions. The consumer is expected to disclose whatever
> personal information the bank requests and, if the bank likes what it
> hears, the consumer may get his money, credit, etc. The system is not
> only haphazard and insecure but unidirectional: there is barely any
> notion of the bank's authenticating itself to the consumer. It is
> because many consumers are conditioned to respond unquestioningly to
> anything that appears to be acting on the bank's behalf that the many
> phishing scams (online and otherwise) are practical.
Of course, because the banks are the ones with the money.
Recently in my area we had a rash of ATM fraud. The scam involved
> replacing the door entry card reader at enclosed ATMs with one which
> recorded the customer's information, and installing minicams to watch > the PIN entry.
This does nothing to prevent fraud. All it does it make it easier to identify the perpetrator after the fraud has been committed. That is not a bad thing, but it's not a solution.
--scott
"C'est un Nagra. C'est suisse, et tres, tres precis."