Shostack + Friends Blog Archive


676,000 Victims

I first covered the improper disclosures by Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA employees last week. It’s now up to 676,000 accounts, all New Jersey residents. The Census Bureau estimates that in 2003, New Jersey had 8,638,396 residents. Thus, around 8% of the people of New Jersey are affected by Orazio Lembo, Jr and his associates. (So far; I see no reason to expect that more won’t come out. In fact, if this grows like Lexis-Nexis did, it would seem reasonable to assume that sufficient personal information to commit identity theft fraud-by-impersonation against most of the population of New Jersey is in the hands of a crime ring.)

Whether or not it grows like that, the trickle of breach announcements that started with Choicepoint has grown to a stream. Soon, it will be a deluge, and it will change many things.

First, it will change the way credit is granted. Today, with a name and social security number, I may be able to get credit. If I add to that an address, phone number, or date of birth, I’m set. Some enterprising lawyer is going to look at the number of news articles around the fraud, the number of people whose personal information has leaked, and find a court that will agree that using only data that’s been leaked like that is careless, and that the costs need to be shifted from the consumer onto the bank.

What will replace it will likely be a scoring-based system, based on the odds that you are you. Some people will suggest that a national ID card would help here, but they’re wrong. Any single factor that is used to loan money will be attacked, because that’s where the money is.

Secondly, such a change will put the banks between the liability rock and the money-laundering hard place. Banks are required by a raft of laws to “know” (that is, spy on) their customers and gossip about them to the feds with a set of reports that are already burdensome:

“Under the Bank Secrecy Act, banks fill out more than 13 million cash transaction reports annually,” said Rock. “In my area, many of these reports are filed for small businesses like delis, gas stations and flower shops, which have nothing to do with potentially criminal activity. The 35-year-old rules related to cash transaction reports have lost their usefulness due to several developments, including more extensive suspicious activity reporting.”

I would expect that the banks will push to not be liable. This would be a mistake. Far better would be to stop spying on customers.

I expect that Congress will step in, but choosing a set of actions will be hard. Adjusting the availability and cost of credit is bad. Having a set of complex rules like the Financial Services Modernization Act is bad. Letting identity theft run unchecked is worse than either.

The best course of action is probably imposing liability on anyone who holds government-authenticated data on their customers; shrinking the set of organizations who need to (ideally to none); and providing a safe harbor for any organization that provides “best of class” help to victims of a breach of data that they held.

Congress being who they are, we’ll get the identity theft mitigation act of 2005, holding banks and credit agencies immune for their “well intentioned” mistakes, a federal department of repairing your credit, and longer sentences for identity thefts committed within 500 yards of a school.

[Update: I was behind on Bruce Schneier’s blog. He covers this in “Massive Data Theft,” and points out the manual nature of the process. (I’ll add, how long it must have gone on.) But more interesting (to me) is a commenter’s question: “why is it that we never hear about this sort of problem in Europe?” The answer is California’s SB 1386, requiring disclosures of such breaches. After Choicepoint flubbed their announcement of a breach in February, a new standard for disclosure has emerged.]

7 comments on "676,000 Victims"

  • Justin Mason says:

    Hi Adam — it’s an interesting question, that Europe one. I blogged my thoughts at

  • David says:

    One is never going to get government identification information away from financial institutions and employers (eager as they may be to stop collecting it, or at least stop keeping it after performing initial identity checks) for one simple reason: taxes. Assuming one could get the government to give up its conscripted anti-money laundering police force, it’s still never giving up on its revenue. Ever.
    Great blog. Keep up the good work.

  • Adam says:

    Great point, and I fear you’re right. I do think that the longer ID theft goes on, the broader and more surprising the steps that we’re willing to discuss will become.

  • Jim Horning says:

    One other reason why there may be fewer reports of this kind in Europe is that Europe has much stronger data privacy laws than the US.
    There’s a good summary on Wikipedia, if you scroll down to “Europe.”

  • Iang says:

    I have been stating that this is a US problem for about a year now. Quite often I point this out … but until now, nobody has ever asked me to explain this.
    Which is part of the answer: Americans are not a questioning race, but are an accepting race. They accept what they are sold, primarily. And they’ve been sold a lot of things, one of which is a primarily insecure credit system.
    The insecure credit system is known about in the industry, but within America it is considered to be a risk model, no more. There is a perception that as long as the numbers work out, and the people pay for the fraud then it works out ok. In this case, the thing that has been sold, and accepted, is that it is working for now, so there is no problem.
    Systems theory won’t let that last of course. As the reward structure of credit crime is so profitable, such easy pickings are not to be left unpicked and more and more crooks move in. Now, we are in danger of seeing the easy fraud of the credit commons being overgrazed, but still there are few who point to the commons and to the big signs that say “phish me now” and ask whether we need to adjust the model some.
    It’s pretty much the case that the rest of the world won’t be sold such an insecure credit system, or accept it. If anything, they are too cautious – so this is the flip side of America’s entrepreneurial spirit. In America if it causes no pain today, it’s ok. Outside America, if it suggests pain tomorrow, then it’s not ok.

  • America asks “Why us?”

    Adam points to something I’ve been stating for a year or more now: why is the current security crisis happening in USA and not elsewhere, asks a nervous troll on Bruce Schneier’s blog: This isn’t intended as a troll, but…

  • Justin Mason says:

    Adam — very clueful article from MSN Money at: . Some interesting aspects that I hadn’t known, for example that credit bureaus are more of a closed club, and that the preference for debit cards has an effect on ID theft rates.
