Shostack + Friends Blog Archive


ID Theft, meet IRS

One of the things that makes building secure products such a challenge is how hard people will work to steal. Clever criminals who come up with new attacks will spread them around. Today’s attacks often seem to center on identity.

“Identity” seems to be hard-wired into our brains (or at least our society) as a way to manage risk. It’s not insensible. After a counter-party makes increasing investment in a relationship, the odds they’ll cheat you drop. If you’ve lived next door to someone your whole life, you form certain expectations, born of experience, about their behavior. The identity system for managing risk doesn’t scale to today’s speed of communication or travel, but we keep using it, and as we do, fraudsters keep finding new ways to exploit that:

It doesn’t take much to file a tax return. What’s to stop an identity thief from filing one under your name to generate a refund? Nothing. To generate the maximum refund, you can bet all kinds of frivolous deductions will be claimed. After all, it will be you that has to attend the audit. (“Identity Theft, Impacting Your Taxes?”)

And here I’d forgotten that there are bureaucracies worse than the credit bureaus.

[Update: Fixed some grammar issues.]