RE: Identity Theft (was: CRIME Computers vulnerable at Oregon department)

From: Baker (aka John B. Corey Jr) (bakerltd@private)
Date: Thu Sep 26 2002 - 19:38:03 PDT

  • Next message: Greg Jorgensen: "Re: Identity Theft (was: CRIME Computers vulnerable at Oregon department)"

    Focusing on a small part of the discussions...see below
    
    Baker
    
    -----Original Message-----
    
    > ID theft works because a very large number of organizations (banks,
    > credit bureaus, etc.) treat Social Security numbers as authenticators
    > instead of identifiers.
    
    > An obvious solution to ID theft is to implement national strong
    > authenticators. But that is rife with problems: civil liberties issues,
    > the fact that it is technically infeasible to do it right, etc.
    
    > What WILL work to prevent ID is legislation that prohibits banks &
    > credit bureaus from using pathetically weak authenticators. Dr. Crispy's
    > proposed law to largely eliminate ID theft:
    
    >    * No financial institution or government agency may use a social
    >      security number, any attribute that is a matter of public record,
    >      or any attribute that is easily obtainable about another person
    >      (such as DOB, address, or mother's maiden name) as an
    >      authenticator. Authenticators must be *secret*, known only to the
    >      person and to the issuing organization at the time of issue.
    
    > Sadly, I don't think the State has the jurisdiction to implement such a
    > law; it'll probably have to be Federal. It will also likely be a long
    > time coming, because while it will save the hapless victims of ID theft
    > vast fortunes, it will cost the financial institutions big $, and their
    > lobbiests will prevent any such thing from happening.
    
    > Crispin
    
    Having spent some time working for both retail and investment banks, I do
    not believe that banks have any vested interest resisting useful changes.
    There certainly would have to be changes but if the cost was less than the
    present costs of fraud issues (not all directly connected to identify
    theft), the banks will get on board. Bank customers value trust and security
    so banks are used to finding ways to offer solutions that customers value.
    
    There are certainly legal issues between state and federal regulations. Some
    of these issues are larger than the US as people  travel with their identity
    and credit instruments. Hence some of these solutions need to work even when
    someone is traveling outside the US or someone from outside comes to the US.
    
    One retail bank in the UK has 4 pieces of info for each customer. To access
    your account you have to supply all four. Ignoring the idea if this is
    perfect, it shows that changes happen in an effort to reduce the risk
    profile.
    
    Baker
    



    This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 20:26:44 PDT