Schneier on Security
A blog covering security and security technology.
« Voting and IDs |
| Anonymity and the Internet »
March 25, 2005
Personal Information and Identity Theft
The chance to win theatre tickets is enough to make people give away their identity, reveals a survey.
Of those taking part 92% revealed details such as mother's maiden name, first school and birth date.
Fraud due to impersonation -- commonly called "identity theft" -- works for two reasons. One, identity information is easy to obtain. And two, identity information is easy to use to commit fraud.
Studies like this show why attacking the first reason is futile; there are just too many ways to get the information. If we want to reduce the risks associated with identity theft, we have to make identity information less valuable. Too much of our security is based on identity, and it's not working.
Posted on March 25, 2005 at 8:09 AM
• 14 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think this quote misses the point:
>> The chance to win theatre tickets is enough to make people give away their identity, reveals a survey.
People would have given away their details even without the prize. And not because they are too dumb, but because the questions were quite cleverly disguised.
They weren't just "What's your mother's maiden name?" questions but disguised under the "Actors often use their mother's maiden name for their characters, what would your name be?" guise. They are playing with people's ego and also the fun to participate in an interesting game. Social engineering at its best.
I think even a lot of security conscious people would have fallen for the trick (at least to an extent), because you only recognise what's behind it if you get a chance to take a step back and consider all the questions in combination.
I fully agree with the conclusion though.
I think this survey underestimates people's cleverness. I'd be one of those 90% of the people who give out information.
My mother's maiden name is Green, I was born on Christmas and the 4th of July and I went to Abe Lincoln elementary. Can I have my theatre tickets now?
I suspect some of the same happens with the password surveys. You want my password for a chocolate bar? Sure, my password is, ummm, auntibeeb. Big fan. Munch munch.
The problem isn't the identity information.
The problem is the presupposition that it's a secret,
available only to the person with the real identity.
Take US social-security number. As a software contractor,
I have to give it to anyone who pays me. Pretty useless as
a secret, eh?
If knowing my name, my address and how I call my cat (or something) allows some folks to get a credit card with my name, then more power to them.
Banks and the like should have proper procedures -- taking for granted that they can give a credit card based on pieces of information that every other of my neighbors could know indicates clearly that they lack common sense.
We are social creatures, and disclose information about ourselves happily, either to market researchers or to friends. This is not going to change.
Chris Simpson, head of Scotland Yard's computer crime unit, should be worried because of the sloppiness of banks regarding their procedures, not because humans continue to do now what they've always been doing.
If you were aware that your mother's maiden name was a secret, you might not give it out so freely.
The problem is that you don't think it's a secret, someone else does. That someone is the idiot
in charge of your credit report or your bank account.
Too much of our security is based on open secrets, or non-secrets.
Since the subject is identity theft, I feel obligated to forge Bruce's identity here, so sign me pseudo-Bruce.
No harm or offense intended, OK? :-)
"If we want to reduce the risks associated with identity theft, we have to make identity information less valuable."
This is exactly right. But how do you make identity information less valuable for committing fraud? The only way I can think of is to require stronger forms of authentication to verify the identity that someone claims. Identity verification must be based on something stronger than just stuff you know, which is single factor authentication. For instance, suppose someone knows your name, social security number, and birthdate, and goes online to open a new account in your name. The first step to preventing theft is to encourage creditors to do better identity verification when opening new accounts. I think you'd need a new law that would make creditors liable when they open fraudulent new accounts, unless the creditor can show that they took steps to verify the applicant's identity.
But for such a law to be meaningful, corporate America must come up with a way to make it reasonably efficient to verify identities, especially in online and telephone situations. Banks are in a unique position to play a role here, since most people have bank accounts, and have presumably established their identity to the bank when opening those accounts. Banks could therefore act on behalf of their customers by verifying whether someone who claims a customer's identity in various online situations is truly that person.
For instance, banks issue passwords to their customers for online banking. So if someone claiming to be John Doe seeks to open a new account somewhere, the creditor could request that John Doe's bank verify the person's identity by determining whether that person knows John Doe's password. The result would then be forwarded to the creditor.
But of course, using passwords to do this would be a bad idea, since passwords are only "something you know", which can easily be stolen via phishing, etc. So in my view this would make sense only if the bank could verify their customer's identity using stronger, two factor authentication. This then gets into the debate about whether banks should go to two-factor authentication for online banking. I believe they should, as long as measures are taken to deal with man-in-the-middle attacks and trojans. Possibly authenticating each individual banking transaction using two factor authentication is one approach.
"Too much of our security is based on identity, and it's not working"
Ok Bruce, I'll bite (not having read your books - yet). I'll pretend to be developing a Internet Banking web site.
How do I setup security for the individual that is not based on their identity? Oh, and I don't want to rely on a key-fob because it's just too complex for some of my users to reliably use (their 3 year old keeps hiding it for example).
" If we want to reduce the risks associated with identity theft, we have to make identity information less valuable. Too much of our security is based on identity, and it's not working."
The problem is not that too much security is based on identity, it's that the criteria we use to identify people is insecure and not biometric.
"The problem is...that the criteria we use to identify people is [sic] insecure and not biometric."
This is "silver bullet" thinking. The problems are not only with the criteria we use, and whether they are "biometric" or not, but also with how we handle those criteria. As we've seen in other blog postings here, credit card issuers, for example, will place far more trust than they ought to in certain types of information, and this causes them to avoid giving applications the level of review that they warrant. So dogs get credit cards.
One approach that might help is for companies to take responsibility for their own laxity in issuing credit (or whatever it is they sell). If they go and give credit to someone posing as me, I ought not have to bear any responsibility for that. And they ought not be able to cause me problems by spreading misinformation about me (such as, "he didn't pay his credit card bill.") Should they mistakenly spread misinformation , causing me damage by hurting my credit rating, they ought also be responsible for going out and fixing the situation.
Unfortunately, the victim of identity theft currently bears much of the cost of poor choices on the vendors' parts, so the vendors have little incentive to do a better job.
Financial Institutions do talk a great deal about identity protection, while in reality situtation is getting worse.
I used to be a customer of American Express. With electronic bill payment and on-line invoicing, I had little to do with a real life AE. Untill two weeks ago, when I actually had to call them.
Their representative asked for my SSN in addition to name, address, etc.,which I declined to release. He tried to tell me that it was a standard procedure. When asked where he was located, he said New Deli, India.
My question is, if someone working for an outsourced branch of of AE was to steal my personal information, is American Express even in position to work with our and Indidian government to investigate such crime? Latest research indicates that American Express is not the only one who outsources their call centers to foreign countries.
The point of the story is, if corporations are so negligent in protecting our privacy, why do we still care so much about some phoney free tickets awareness? "Do not operate while taking a bath" warnings should have been removed from toasters a long time ago.
until we have a "security conscious society" (read: paranoid) people will be viewed as leaving the most ridiculous things to chance.
"One approach that might help is for companies to take responsibility for their own laxity in issuing credit (or whatever it is they sell)."
I would absolutely agree with this. Right now, companies have more financial motivation to extend credit than they do to prevent identity thieves from getting credit. The recently passed bankruptcy law show that the credit industry is still unwilling to take responsibly for its own practices and expects the government to shore up the industries own sloppy business practices.
A couple of simple things would help. One is that any company that issues credit to an ID thief should have to pay all the costs of the victim to restore their credit fully. Right now, credit companies claim they are the victim, not the people who's ID is stolen. That has to change.
When ever I am asked for that type of information I give it, however I do not tell the truth! E.g. I make up a date of birth that is about right. It is quicker then trying to get past a web form that tries to make you fill I the fields. Likewise when most website ask me for my phone number, I just type in the number of the company that owns the web site, so they can get all of there own junk phone calls.
Yes I will tell anyone my password to get a free gift, however it will not be a password that I ever use for real!
Ian at ringrose dot name
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.