Why American’s Identities Are Easily Stolen

Thursday, May 06, 2010

Robert Siciliano

37d5f81e2277051bc17116221040d51c

We can fix this thing, but we won’t because we don’t want to be inconvenienced. I’m introduced to amazing technologies every week that will stop this. All they need is government support and system wide adoption. Meanwhile, Chuck Schumer and Ed Markey and the rest of the grand standing politicians scream about privacy and security issues when they see an opportunity for publicity, but their follow through is less than satisfactory.

We use easily counterfeited identification, Social Security numbers that are written on the sides of buses and we rely on the anonymity of the phone, fax, internet and snail mail as a means of application.

In other countries they solve problems. They have priorities and don’t deal with the rhetoric.  They put security first, convenience second.

Cedric Pariente from B32Trust tells us that in Paris, France you need to open an account first before a loan is granted by a bank. In order to do so, you need to provide them with a printed copy of your ID card and proof that you still live where you claim to live (last electricity bill usually.) Then they can check your credit history and decide to grant you with a loan or not. Most of the time, they just check that your debt is not over 30% of your income. You have to be a bank client. Doesn’t seem they allow phone, fax, internet or snail mail transaction when granting credit.

In the UK, Keith Appleyard echoed something similar to France’s system: you have to present yourself in person with a Government-issued Photo ID such as Passport or Drivers License, plus a proof of address less than 3 months old, such as a bank statement or utility bill. Keith further explained the whole UK population had vetting their Identity Credentials and one of the last people to be vetted was the Queen of England, but she is not exempt. So she meets with her Bankers, but she doesn’t have a Passport or Birth Certificate or Drivers License. So she asks them to take a Sterling Currency note out of their wallet, points to her picture engraved on the note, and says “yes, that’s me”. So they officially recorded the Serial Number on the Currency note as being her Identity Document. I think that process may need looking into. J

In Australia, Stephen Wilson from the Lockstep Group discussed identification of customers opening bank accounts has been regulated since the 1980’s.  They have a roster of “evidence of identity” documents (passports, Australian driver licenses, government issued cards of various sorts, other bank accounts, utility bills, birth certificates, naturalization certificates …) each of which is equated to a set number of “points” reflecting broadly the quality of the document as proof of id.  You need to present 100 points total to open an account.  Usually passport + driver license suffices.

Gavin Matthews of SECCOM GLOBAL in Australia adds the system can only be compromised with forged items, which are not that easy to obtain. Like our money these days we have holographic licenses, chipped passports etc. However it does happen regularly and organized crime is the main culprit (Asian gangs, motorcycle clubs etc) and replication of stolen items probably makes up 70-80% of beating this system. There have been cases here of people working for drivers licensing authorities in various states being indicted for fraud etc and being linked back to organized crime.

In Finland, Kalle Keihanen from the Nordea Bank Finland Plc added the modern IDs are pretty tough to forge and forgeries easy to spot by professionals like bank tellers. If there is a suspected fake document the police are summoned and their database includes pictures and such of the real person.

When opening a bank account, the social security number on the ID is first mathematically verified (it has a simple algorithm built in), and then submitted electronically to a national registry, which then returns the name, address and credit info tied to that SSN. Utility bills or such are therefore not needed.

The low identity theft figures in Finland are mostly due to the SSN, where the system does real-time checks on the status of the identity, combined to a difficult-to-forge array of ID papers (passport, driver’s license, national id). Also, nearly 100% of Finns always carry a picture ID, since the law requires “every person of age 15 and up to be able to reliably prove their identity to the authorities.” Thus, there is a “chain of picture identity papers” starting from childhood in the national registry and any new ID application is verified against previous ones and the photos in the database, making applying for an ID with a stolen identity extremely difficult. You can only apply for an ID to replace one that is broken or expiring. Stolen or lost IDs are always submitted for criminal investigation before a replacing ID is issued.

While none of these systems are perfect, they are a step in the right direction and far better than the US’s honor based system. At least we have corporations that are providing what the government won’t. But that still doesn’t fix the problem.

Possibly Related Articles:
11659
Privacy
Identity Theft Privacy Regulation
Post Rating I Like this!
694eabca410cc15c81fab9dc514a629e
Bruno Pavlicek Robert,

Your statememt that other countries "put security first, & convenience second" is very true. Here in the states, private sector companies afford felxibility and convenience at the risk of security because no one wants to inconvenience a customer with added security.

At the same time, our government is afraid to offend the consumer with extra security. More government security is misinterpreted as excessive govt. control or that whole big brother concept. It is unfortunately our culture and the only time that we as Americans are acceptive of more security is only after horrible incidents such as 9/11.
1273286848
37d5f81e2277051bc17116221040d51c
Robert Siciliano Excellent comments Bruno. Thank you for contributing.
1273325038
Default-avatar
Kristin Ward Part of the problem is that the minute you start putting security first Americans start complaining about violations of privacy and start suing. I mean just look at how people reacted when they beefed up airport security. And don't get me started on how people complain when you try to run a background check. I had a person threaten to sue me because I ran a report on them at http://www.tenantverification.com/ and refuse to rent to them because their credit was bad. Apparently it violated their privacy, never mind it was clearly stated that it was part of my application process.
1325189887
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.