Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed though the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud rate (380 attempts out of 30,618 authorizations). This is well in-line with the 1.05% fraud rate for new bank accounts. Now as I’ve mention in the past, one of the cool things about Debix is that if you are a subscriber, then all credit requests have to be authorized by you. As a result all 380 fraud attempts were correctly identified as such and were blocked. Pretty damn cool eh? I highly encourage you to read the report as it has lots of other interesting data in it, including some interesting ways in which your identity can be stolen even if you have a fraud report set on your accounts (hint: interesting things can happen if you have have a spouse and they don’t have fraud reports set.)
[Image is Identity Theft!! by Else Madsen]
The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter.
The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put ahead of national security, an investigation by The Washington Times has found.
The Government Printing Office’s decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.
The GPO tells us we don’t need to worry, because the blanks are moved by armored car. I feel better already, but can’t stop giggling.
Last week, I talked about consumer credit in “The real problem in ID theft.”
Yesterday, the New York Times had a story, “States and Cities Start Rebelling on Bond Ratings:”
A complex system of credit ratings and insurance policies that Wall Street uses to set prices for municipal bonds makes borrowing needlessly expensive for many localities, some officials say. States and cities have begun to fight back, saying they can no longer afford the status quo given the slackening economy and recent market turmoil.
At every rating, municipal bonds default less often than similarly rated corporate bonds, according to Moody’s… Colleen Woodell, chief quality officer for public finance, acknowledged that municipal debt had defaulted at lower rates than corporate issues, but she noted that the data covered a relatively benign 20-year period…Ms. Woodell said the disparity was “within a tolerable band” and would diminish over time.
Tolerable to whom, Ms. Woodell?
The article goes on to explain that the financiers are taking enormous sums of money from taxpayers on what is really very safe debt.
Since most government bonds are repaid, there would be a very large chunk of identically rated bonds.
If you rate 95 percent of the issues the same, the ratings cease to be useful, and investors need and utilize these ratings to differentiate credits,” said John Miller, chief investment officer at Nuveen Asset Management in Chicago, which manages about $65 billion in mostly tax-exempt bonds.
Really? If the bonds are safe, and 95% of them would get a AAA rating, maybe we could save a lot of money by removing a low-value information source.
It makes sense to look at the organizations who control credit data, and ask the age-old question: who benefits? These organizations aren’t in it for their health.
In “Reckoning day for ChoicePoint, “Rich Stiennon writes:
The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and over extended borrowers.
He’s right. The players at the heart of identity theft in the U.S. are the credit bureaus. But, what they’ve done is more than just creating a system which is prone to identity theft. Let’s review how the credit bureaus work. They serve businesses by selling information about creditworthiness. Their customers (businesses extending credit) are happy to charge higher rates for people with poor credit, so there is little incentive for the business or the bureau to eliminate errors from the credit data. Worse, as the problem of identity theft becomes more widespread, the credit agencies can sell “credit monitoring” services to consumers and “enhanced authentication” to businesses and make even more money.
The credit agencies now run TV commercials touting credit monitoring, threatening people with identity theft. They don’t quite say “nice credit score you’ve got there. Shame if we were to do something to it,” but they come close.
Small wonder it’s hard to address the problem.
I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.
I think it would be simpler to remove their exemption from libel law. The credit agencies share default data just fine. They should have to share remedial data as well, or be accountable for the costs which they impose by their negligence.
OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become.
There you have it.
It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, “Welcome to <insert-name-here>, now go home.”
As a Mac user, someone often asks me if they should switch to a Mac because it’s more secure, my response to them is that the only reason a Mac is more secure than a PC is because it’s only people like me who use them. As soon as hordes of people start using them, then they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don’t think you should switch to a Mac because it’s more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It’s Open Source! (Cue sounds of angels singing.) People tell me it’s really nice. And I hate Leopard.
Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.
OpenID is similar in that it’s a safe neighborhood because people like me don’t go there. Once enough people like me start going there, it’s not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.
I am happy to help keep OpenID secure by not using it. I’ve already written about what I think is better.
What I find amusing about Cameron’s epiphany is his solution for the problem. He thinks that OpenID should become part of
InfoCardSpace, and thus shipped with Windows.
There’s a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I’ll not make it. I’ll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.
I am again using the photo “Trunk ‘n Branches” by slightly-less-random because it is the only image in Flickr that comes back from the search of “cardspace phishing” and one of two for “openid phishing“.
Dan Solove has an interesting article up, “Coming Back from the Dead.” It’s about people who are marked dead by the Social Security Administration and the living hell their lives become:
Dan starts with quotes from the WSMV News story, “Government Still Declares Living Woman Dead”
According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there’s no end to the complications the situation creates.
According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.
Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.
Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.
I’d propose a different solution: libel law. These organizations are making false and defamatory statements about people. They should be held accountable, under existing law.
I’ve been discussing libel and the credit agencies for years, in posts like “Because That’s Where The Money is: Ethan Leib’s ID Theft” or “ Government Issued Data and Privacy Law.” I’ve yet to hear why libel law isn’t a reasonable and easy approach to the problem. As Nick Szabo comments in “The Discovery of Law,” “common law is a painstaking way of discovering and making better law, case by case, dispute by dispute, piece of evidence by piece of evidence.”” I’m not calling for a broad overhaul. I think that a common law approach to libel law would likely address many of our issues with the way data flows between organizations.
On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.
First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a fortnight. That’s not bad. If you think about Deep Crack and what you’d expect from normal semiconductor advances.
The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you’re clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight’s of computing, you can generate any one-time password the real owner can.
Maddeningly, there are other systems based on AES or some other crypto that aren’t at all vulnerable to this attack — because they have better keys. People who are vulnerable to this attack need not be.
Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It’s also negligent, when it’s so easy to get shot.
Photo courtesy of Imagem Compartilhada.
Tomorrow at 2 Eastern, ANSI will be hosting a Identity Theft Prevention and Identity Management Standards Panel.
Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can help to minimize the scope and scale of identity theft and fraud.
The new report, which will be published on January 31, 2008, helps to arm businesses, government agencies, and other organizations with the tools needed to protect themselves and their customers against the theft and misuse of personal and financial information.
My colleagues Jeffrey Friedberg (Microsoft) and Julie Fergerson (Debix) co-chaired one of the working groups, and I’m pleased to see that they’ve focused on businesses and governments, not consumers. I thinkwe often spend too much time trying to blame the consumer. It’s important to understand the role that organizations play in using identifying information, and how that interacts with identity fraud, and I hope that this report will advance both that understanding, and the understanding of solutions.
To access the report or webinar, “Identity Theft Prevention and Identity Management Standards Panel: Report and Webinar.”
First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report:
TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”
The TSA official in charge of the project was a former employee of the contractor The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.
TSA did not detect the website’s security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.
TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”
House Oversight and Government Reform Committee
As for accountability,
Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.