Schneier on Security
A blog covering security and security technology.
« Terrorism Defense: A Failure of Imagination |
| Security Risks of Street Photography »
July 12, 2005
New York Times on Identity Theft
I got some really good quotes in this New York Times article on identity theft:
Which is why I wish William Proxmire were still on the case. What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,'" said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."
Mr. Schneier, though, has a solution that is positively Proxmirian in its elegance and simplicity. Most of the bills that have been filed in Congress to deal with identity fraud are filled with specific requirements for banks and other institutions: encrypt this; safeguard that; strengthen this firewall.
Mr. Schneier says forget about all that. Instead, do what Congress did in the 1970's -- just put the burden on the financial industry. "If we're ever going to manage the risks and effects of electronic impersonation," he wrote recently on CNET (and also in his blog), "we must concentrate on preventing and detecting fraudulent transactions." And the only way to do that, he added, is by making the financial institutions liable for fraudulent transactions.
"I think business ingenuity is top notch," Mr. Schneier said in an interview. "And I think if you make it their problem, they will solve it."
Yes, he acknowledged, letting consumers off the hook might cause them to be less vigilant. But that is exactly what Senator Proxmire did and to great effect. Forcing the financial institutions to bear the entire burden will cause them to tighten up their procedures until the fraud is under control. Maybe they will invest in complex software. But maybe they'll take simpler measures as well, like making it a little less easy than it is today to obtain a credit card. Best of all, once people see these measures take effect -- and realize that someone else is responsible for fixing the problems -- their fear will abate.
As Senator Proxmire understood a long time ago, fear is the great enemy of commerce. Maybe this time, the banks will finally understand that as well.
Posted on July 12, 2005 at 5:14 PM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Make it their problem"
Yes, but I thought you were arguing against regulation, no? How do you make it their problem without regulation (e.g. "someone in power")?
Excellent recommendation! As we say in the military; KISS (Keep it Simple Stupid).
The measures financial institutions will take will eventually come around and hit the consumer.
Whenever you trigger one of the fancy AI that will keep tabs on you, your account will be locked out until you can settle matters on Monday when you will arive at the bank in person to give a blood sample and a fingerprint sample.
Financial institutions are very good at making their customer pay for the cost of their operations.
Not that this is not a good idea - it is - but it is no magic solution.
The rationale for putting the responsibility on the financial institution is that they are in the best position to safeguard against fraud. Often times the individual who suffers because of fraud isn't even aware that it happens - the banks are the player that decides whether any given transaction is valid, and it's a moral hazard problem that they aren't held accountable for the consequences of those decisions (assuming that they aren't if they comply with the regulations - I'm not up on the law).
And it's not necessarily the case that banks will all adopt these fancy and comprehensive systems. Certain banks may opt to just pay out for most instances of fraud that are small enough not to litigate - and pursue those that are. Others may choose strict policies like the ones you outlined - but will probably lose customers that are more concerned with convenience and not giving their bank all their biometric data.
In contrast to regulation systems, liability provides the opportunity for a rich competitive environment.
> Yes, but I thought you were arguing against
> regulation, no? How do you make it their problem
> without regulation (e.g. "someone in power")?
Just recognize that harrasment of innocent parties by banks and merhcants trying to collect on fradulent loans and charges made in the name of those innocent parties _because_ the banks and merchants lack adequate authentication technologies - is a crime. Just like any other kind of harrasment.
Make them pay damages and compensation to consumers which were harassed. It should be up to bank to prove that the charge is valid, not up to consumer to prove that it is fradulent.
The problem is not the poor protection of privacy - preventing information leaks is quite expensive and unrealistic anyway. The problem is lack of proper authentication prior to transactions - and not because there's no cheap and easy to deploy technological solution (such as smart cards and two-factor authentication).
"Identity theft" is a misleading name for the problem. The better name is "lazy bank syndrome".
"Yes, but I thought you were arguing against regulation, no? How do you make it their problem without regulation (e.g. "someone in power")?"
I see an economic problem here, and it requires an economic solution. The two basic ways to solve the problem are regulation and liabilities. I have, in the past, preferred liabilities to regulation as a solution. But I'm slowly being convinced that regulation -- good regulation -- is a better solution.
"The rationale for putting the responsibility on the financial institution is that they are in the best position to safeguard against fraud."
Exactly. In the end, the consumer pays thge cost regardless of how it flows. But if the financial institution is responsible, at least the money the consumer pays goes to solving the problem.
"The measures financial institutions will take will eventually come around and hit the consumer."
Of course. The consumer pays regardless of the solution. But given that, isn't it better to have a solution that actually involves improving security? If the consumer pays the cost of fraud directly, nothing will ever improve. If the consumer pays the cost as a pass-through from the banks, security will improve.
Regulation and legal liability are not mutually exclusive, of course. With regard to identity theft, without too much analysis it seems sensible for the balance to be toward regulation -- with millions of comparatively small damage claims, the only cause of action which makes sense is class-action, and that is an extremely blunt tool. Blunt like a Cat D5, but blunt.
By contrast, with something like defective software, where potentially huge injury can occur to a very powerful entity (like a financial institution or insurance company which standardizes on Brand X and gets devastated by a worm), it seems as if legal liability would fare better. In each situation, a mixture of methods probably provides the best results.
Properly-crafted regulations needn't be destructive of competition. This isn't a situation (I hope!) where regulators dictate what services can be offered and/or at what price. I presume that the kind of regulatory outcome Bruce is referring to is one which confers upon identity holders (that's us!) a property right in their identity-related personal data. Once that property right exists in law, regulations which require compensation can go into place. This will increase the costs of production, so in that sense competition will decrease (fewer firms will be choose to produce) but this (I would argue) is not nearly as bad as the negative externality which the ChoicePoints of the world impose on individuals whose PII they traffic in and mishandle.
Great plug for financial responsibility, Mr. Schneier.
The banks are selling trust, pure and simple. If they are falling down on the most important job of all, maintaining public trust in capitalism, then a smart government is obliged to push them back in the right direction.
Even so, I am baffled as to why a person would ever be liable for a transaction they can prove they never took part in. That is really the crux here. Even without regulation, existing legal structures ought to be able to transfer liability to the parties that consummated the transaction rather than the person defrauded.
One would think this is Capitalism 101...and yet, here we are placing blame on a non-participating party to the transaction.
I don't see why this is all that different from credit card use. Since the limit on the liability of credit card holders, the companies that issue them have gone ahead and figured out exactly what they needed to do and what they wanted to accomplish. As far as I can tell, the solution was excellent.
I am very comfortable using credit cards for shopping in stores and on line, even with all the opportunities other people have to take the number and try to defraud me. I've challenged charges before and never seen them again. My wife's wallet was stolen, and credit cards issued and used to a total of $2500 - and, after we wrote a letter of explanation, never heard anything about afterwards. For me, as a consumer, this seems like a very good outcome, and it certainly looks to me like companies that issue credit cards are sufficiently profitable.
If one part of the financial industry can accomplish this, why can't the rest?
"Yes, but I thought you were arguing against regulation, no? How do you make it their problem without regulation (e.g. "someone in power")?"
Regulate the liability, don't regulate the solution.
We already see Identity Theft Insurance policies around - I have one with my bank - so pretty soon it'll be another insurance industry that may also hit the bargaining table with trying to mitigate risk. I think if ID Theft insurance becomes as commonplace as homeowner's and auto insurance, we'll start to see things clean up in a hurry because then a financial institution's reputation becomes part of how much the policy holder pays. And if the policy is too expensive, the customer may go elsewhere. On top of that, though, some creditors may require ID theft insurance as part of issuing credit.
But regulation is necessary, considering we have people who fight creditors tooth and nail for years trying to clean up their name, spending thousands of dollars in the process. I've read too many horror stories of people who've ended up losing a lot more than their credit. The Federal Trade Commission has several good stories on their ID theft web site, a few of which I used as examples in a college article I wrote on ID theft.
By shifting the burden, it doesn't mean that consumers need to be less vigilant, as was stated above. You still need to keep an eye on your credit as that is what credit card companies and other creditors use to determine your credit worthiness. But it makes it easier for individuals to clean up the mess, so we don't have other people like retired US Army Capt. John Harrison, who spent years cleaning up his credit - and probably still is doing so - and was diagnosed with acute stress disorder in the process. You can read about his story on Bankrate.com: http://www.bankrate.com/msn/news/advice/IDTheft/...
A law that states that responsibility for authentication of transactions rests with the one in control of those transactions just makes so much sense that I have no hope that Congress will ever think of it. Nor could a court ever be expected to hold that someone should be held harmless for the actions of another completely unknown person.
Joking aside, though, I agree that this is what is needed, and isn't really regulation at all, just a plain legal framework so that every party knows what is expected of them. Sort of like what the notions of "rule of law" and "equal justice under the law" are for, in the context of freedom.
"I have, in the past, preferred liabilities to regulation as a solution. But I'm slowly being convinced that regulation -- good regulation -- is a better solution."
Whoa, Bruce, you were right the first time. It's all about responsibility. Under regulation, the companies can CYA merely by following the regulations, and the Government is responsible it it doesn't work. With liability, the companies are responsibie for making it work. With good practices they can reduce their liability insurance costs. Far more effective than getting bureaucrats in the act.
Identity Theft takes many forms. Financial violation is just one of these forms. People chastized a "cheezy" Sandra Bullock flick a while back for not being realistic ("The Net"), but the reality is just that the film took the idea of identity theft (of a programmer working for an important trusted firm, no less) and ran with it (the premise of the movie follows).
Your identity is, for better or worse, most closely tied to your bank account in the outside world--but it is much more than that. Somebody could steal your bank records, fake a request for your health records, local crime/government records (etc), and use the information to attempt to murder you.
Far fetched? Maybe it is--but it sounds sickly elegant in just the sort of way that would excite a true psychopath--or a government agent from a James Bond movie for that matter.
So, it may sound unrealistic, but once upon a time people here in the US of A didn't think that it was realistic to believe that the German government was engaging in the wholesale murder of entire peoples. It is better to fight to ensure liberty than to let things slip on by without comment.
Bruce's fundamental idea is one that really needs to take hold--that only financial institutions are in a position to prevent fraud.
When consumers are tricked into giving away their personal account info by someone posing as a bank its called "phishing" and we blame the consumer. When banks give away an account holders money to someone else, its called "identity theft" and we blame the consumer.
Bruce makes an excellent point in noting that this isn't identity theft, it is fraud which is aided by banks and credit agencies giving away money and billing someone else by presumption. Until this becomes the financial responsibility of financial institutions they will continue to view the wake of lives wrecked by by ID fraud to just be part of doing business.
I think this ultimatly hurts the creditors more than the public. These banks and financial instutions depend on at least reasonably accurate data so that they can seperate good credit risks from bad ones. If it gets to a point where a large portion of the credit bureau data is contanimated with fraudulant transactions, the banks will start to deny people who would have been good customers, and made them money. Or if it gets so bad that you could plausablu deny anything on your credit report, these creditors will have no way to reliably seperate good risks from bad.
Ultimatly this will hurt them, and force them to either find a different way to asses credit worthyness, or a better way to identify the customers in the first place.
"Even so, I am baffled as to why a person would ever be liable for a transaction they can prove they never took part in."
Take credit cards, you're actually not liable for anything unless you authorized the transaction with your signature. No signature, no liability.
Speaking of that ID theft issue, I'm somewhat confused here. Why'd you call it "theft" when it's actually legal to do it?
The only way to fix that "everyone including their dogs and cats selling your personal information problem" is good data protection laws.
My only worrey about owning your own data is that the need to be safegaurds to protect it.
The Health Insurance industry for instance, will not alow you access to their services unless you waive all rights to privacy...
The legislation needs to specifically outlaw that type of bypassing activity or the banks will just refuse your custom...
"Take credit cards, you're actually not liable for anything unless you authorized the transaction with your signature. No signature, no liability."
In practical terms this is not true. You only have 60 days to dispute your credit card transactions. Also, there is no such protection for your Checking Account. Fraudsters are free to drain your account. If they used the correct PIN (or even if they didn't), the bank can claim it was an "authorized" transaction.
My bank doesn't even have a way for me to put a stop on "electronic check" withdrawals.
I agree entirely, it forces institutions then require better authentication. It then bubbles through to institutions who want to do business which require identity. The complication is when in the consumer proving his innocence. How to solve this problem.
You echo a theory I often hear -- businesses might do a better job of regulating themselves than some group that actively represents consumer interests (e.g. elected officials and government).
Could you please provide examples and define how business self-regulation, which has virtually no broad-base consumer advocate, is "better" for the consumer? How many people need to have their lives totally and utterly ruined by identity theft before a radical consensus group forms to fight-back in extreme measures? And how many people will a business try to silently pay-off to prevent organized resistance from growing?
In sum, is it not the very purpose of government and laws to be a representation of a broad-base of interests? If the laws aren't working, they can be changed/modified just like AB1950 followed SB1386. And no matter what happens, you can be certain that insurance companies will try to get in on the act.
A couple of items perhaps of current and historical interest:
(1) Current - I participate in a western WA-based security professionals association which gets a couple hundred attendees/quarterly meeting. The last meeting delved substantively into the implications of the new round of security breach notification laws, and ended with a provocative presentation stating that the current system for dealing with identity theft is neither fair nor viable and needs to be replaced by a system shifting responsibilities and liabilities back to those best able to deal with them - i.e., the data holders. Many comments and a substantial majority show of hands indicated strong agreement. (The presentation was by somebody in law enforcement who takes this kind of thing very seriously indeed.)
(2) Historical - I was really pleased to see Bruce cite Proxmire. I recently completed a major study of the history of US information protection laws (approximately as depressing as you might think, though perhaps for some different reasons), and it is a remarkable fact to note that the US once led the world in this area. This is political/cultural memory we should recover; we've already learned a lot, if only we remembered.
Why can't a credit agency be sued for fraud right now? If they are using false information to make a profit while harming the individual, why aren't they liable for fraud? Do they have an exemption?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.