Re: Is Your Identity Safe?

Dan Lanciani wrote:

>> More abstractly, why is the information required by an entity to >> verify the identity of a consumer also sufficient for someone to >> obtain credit or cash in the name of that consumer? There are many >> ways to set things up such that this is not the case. They range >> from the highly technical (e.g., public key crypto) to the >> procedural (credit inquiry locks). > Because it is a necessary condition to obtain credit to verify your > identity.

I think you've missed the point. In spite of what the banks may tell you, there is no reason for the information required by an entity to verify your identity to also be sufficient for that entity to impersonate you. The attitude of, 'we need to know all about you so we can be sure who you are' (and consumers' acceptance of that attitude) is exactly the problem.

If you have good credit and someone can impersonate you in > some way, they can take advantage of it. > The only way to prevent this is to make it more difficult to > impersonate someone. This could be a technological improvement, such > as accurate biometrics like fingerprints,

As I said, there are technical solutions. Biometrics (and fingerprints in particular) are probably not among them. Most such systems depend on giving the bank yet another set of information that is just as useful for impersonation as it is for authentication. I realize that biometric systems seem flashy (and banks would undoubtedly like to use them to defeat consumers' claims of fraud--at least until some scammer demonstrates how easy they are to defeat) but they are really just more hoops for the consumer and they lack provable nonrepudiation characteristics.

A system where neither the authentication information provided by the consumer in a transaction _nor_ the information held by the bank is sufficient to later impersonate the consumer would solve most of the problem without flashy fingerprint readers. Combined with mutual authentication it would solve almost all of the problem. (You still can't do much about simple duress.) The technology to achieve this solution has been around for decades.

or it could be a social improvement, such as the privacy laws > enacted in Europe which are sadly not in force here in the US.

As I said, there are procedural solutions. Laws to protect "privacy" are probably not among them. Keeping information "secret" while sharing it within an entire industry is a hard (and unnecessary) problem. The goal should be to make the information useless by itself. Credit inquiry locks are a simple procedural approach, but unfortunately credit agencies are opposed to them.

> IMHO, the current system is designed purely for the convenience of the >> financial institutions. The consumer is expected to disclose whatever >> personal information the bank requests and, if the bank likes what it >> hears, the consumer may get his money, credit, etc. The system is not >> only haphazard and insecure but unidirectional: there is barely any >> notion of the bank's authenticating itself to the consumer. It is >> because many consumers are conditioned to respond unquestioningly to >> anything that appears to be acting on the bank's behalf that the many >> phishing scams (online and otherwise) are practical. > Of course, because the banks are the ones with the money.

I can't tell whether you are being sarcastic or whether you really believe that banks deserve this privileged position in the authentication hierarchy. Either way, I would point out that (a) it isn't the banks' money and (b) in the long run the fraud is going to cost the banks more than any benefit from such privilege can be worth.

> Recently in my area we had a rash of ATM fraud. The scam involved >> replacing the door entry card reader at enclosed ATMs with one which >> recorded the customer's information, and installing minicams to watch >> the PIN entry. > This does nothing to prevent fraud. All it does it make it easier to > identify the perpetrator after the fraud has been committed. That is > not a bad thing, but it's not a solution.

Again, you have missed the point. (Or else you just aren't reading what I wrote at all.) The minicams were installed by the scammers. They had nothing to do with identifying the perpetrator. They were used *by* the perpetrators to commit the fraud!

Hmm. I think you've just provided a great example of the problem of unquestioningly assuming that any high-tech security gadget must be working on behalf of the bank ...

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani
Loading thread data ... Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.