Schneier on Security
A blog covering security and security technology.
« Australia's New Anti-Terrorism Legislation |
| Convicted Felons with Big Dogs »
October 28, 2005
Preventing Identity Theft: The Living and the Dead
A company called Metacharge has rolled out an e-commerce security service in the United Kingdom. For about $2 per name, website operators can verify their customers against the UK Electoral Roll, the British Telecom directory, and a mortality database.
That's not cheap, and the company is mainly targeting customers in high-risk industries, such as online gaming. But the economics behind this system are interesting to examine. They illustrate externalities associated with fraud and identity theft, and why leaving matters to the companies won't fix the problem.
The mortality database is interesting. According to Metacharge, "the fastest growing form of identity theft is not phishing; it is taking the identities of dead people and using them to get credit."
For a website, the economics are straightforward. It costs $2 to verify that a customer is alive. If the probability the customer is actually dead (and therefore fraudulent) times the average losses due to this dead customer is more than $2, this service makes sense. If it is less, then the service doesn't. For example, if dead customers are one in ten thousand, and they cost $15,000 each, then the service is not worth it. If they cost $25,000 each, or if they occur twice as often, then it is worth it.
Imagine now that there is a similar service that identifies identity fraud among living people. The same economic analysis would also hold. But in this case, there's an externality: there is an additional cost of fraud borne by the victim and not by the website. So if fraud using the identity of living customers occurs at a rate of one in ten thousand, and each one costs $15,000 to the website and another $10,000 to the victim, the website will conclude that the service is not worthwhile, even though paying for it is cheaper overall. This is why legislation is needed: to raise the cost of fraud to the websites.
There's another economic trade-off. Websites have two basic opportunities to verify customers using services such as these. The first is when they sign up the customer, and the second is after some kind of non-payment. Most of the damages to the customer occur after the non-payment is referred to a credit bureau, so it would make sense to perform some extra identification checks at that point. It would certainly be cheaper to the website, as far fewer checks would be paid for. But because this second opportunity comes after the website has suffered its losses, it has no real incentive to take advantage of it. Again, economics drives security.
Posted on October 28, 2005 at 8:08 AM
• 18 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
When you are calculating the cost of fraud using the identity of a dead person, don't forget there are still other victims: the dead person's survivors, and in some cases the dead person's estate. And, what is worse is that because the person is dead, s/he isn't there to prove innocence, and therefore in some cases the legal protections that apply to the living, may not apply to them.
In addition, stealing the identity of a dead person may allow for more insidious fraud: for example, electoral fraud (and we have anecdotal evidence of the "cemetery vote" deciding the outcome of certain elections, including the JFK/Nixon race in 1960.)
How would a living victim be responsible for any part of the fraud?
Legislation is needed, but there is a major obstacle: The dominant lobbies ordering our government around have made no secret of their ambition to limit or eliminate liability of corporations, shifting all burdens to victims or the innocent.
It's hard to get laws passed because there are two parties with mutually exclusive goals who wish to be represented. I try to look for ways of working within the existing system to address the current problems. Laws take years to pass and be implemented, so the only currently viable options are those laws we already have.
I have a fraud statement on my credit report to avoid accounts being opened without specifically contacting me first. Though, I wonder if that text can be anything I want it to be. Ie, a EULA of the form "By opening an account in this individual's name, you are agreeing to a liability of 10 times the amount reported." I've also considered having that assert that I do not exist for credit purposes.
I would also think it would be possible to sue in civil court for any losses. After all, the company claiming to be owed money is a party to the fraud affecting the victim. Once they are notified that the victim did not open the account in question, they are trying to collect on what they know to be a fraudulent debt.
Of course, the problem with both of these is that they cost money. You can't sue anyone unless you can afford it. You also can't ignore the current credit system unless you own everything outright and can afford to pay for everything you need in the future.
As with any legislation, the hard part would be finding a reasonable solution that could actually be implemented. A law that holds companies liable for their negligence is not likely to be passed or enforced. Anyone have any ideas for a law that could be agreed on and would help both sides, even if it doesn't go as far as either side might want?
It happens like this:
1) Fraud is committed in your name.
2) You get arrested for the crime.
3) You claim you didn't do it.
4) "They" show the evidence you did (e.g. a check with your name signed, or a credit application in your name.)
5) You claim that someone else did it.
6) You now have to provide evidence to refute "their claim" (e.g. handwriting analysis that shows it wasn't your signature)
7) If things go well, the case is dismissed/thrown out
8) Repeat these steps the next time it happens, and/or
9) Play "whack-a-mole" with bill collectors/credit reporting agencies as the information is passed on/the "debt" is sold to them.
A friend of mine went through this scenario (actually, it was his wife) almost 20 years ago, she has been arrested multiple times (finally, a note was put in her criminal file showing that judges accept the claim that she is the victim of ID theft: but prosecutors are not required to abide by that, so she may still be subject to arrest in the future), and her (and husband's) credit was ruined for years (the hot checks were written over a period of like 5 years.
Concerning the UK Electoral Role, each person can elect (annually on the registration form) to have their name left off the "Edited Register", which is the one available for commercial use.
Thus, for the whole of my family, Metacharge would be unable to confirm that we were on the Electoral Role.
If the website is checking its customers against those databases, this still doesn't prove that they are not impersonating a living person registered in the telephone directory. You may check as many databases as you like, this will never stop identity theft!
I would pay a resonable fee for such a company to maintian a solid identity verification for me. They would be a trusted third party in any transaction to establish that I was the person in question. Kind of like a Verisign for personal indentification.
That would shift the economics a bit. Then a note in my credit file to show were to check to see that it was me.
w/r/t the dead person: a dead person cannot enter into a contract, therefore proving that the person was dead before the contract was entered into would exonerate the person's estate.
w/r/t costs, it's economically irrelevant. If you pass legislation to put it onto the companies, the companies will in turn put it back onto the customers. The difference will be that the cost is diffused across the customer base instead of on each person. This is the exect same economic outcome as if the company just writes off the transaction.
If what you want to cure are the externalities, then perhaps legislation is needed w/r/t credit reporting, but shifting the loss is an economic shell game that does absolutely nothing.
I watched The Day Of The Jackal again last weekend -- pretty ahead of its time with identity theft from the dead, apparently.
Don't forget the cost of false positives possibly driving away business, due to the nuisance.
I am slightly sceptical about this 'mortality database'. The UK Passport Office has, impressively, failed to plug the Day of the Jackal hole in the system during the several decades since the film came out. This would have been relatively straightforward if the UK had a coherent and comprehensive mortality database, but otherwise rather tricky. If I were using this service I'd want to know how solid Metacharge's mortality sources are.
Careful or you'll disrupt Bruce's favourite mantra about movie plot security!
I might also add that Terminator 2 featured a scene in which the liquid metal robot stole the identities of John Connor's foster parents; admittedly this occurred immediately after it had killed them.
Wasn't there also an incident of identity theft in Romeo and Juliette? But then "Shakespearean tradgedy security" doesn't sound nearly as catchy as "movie-plot security". Bruce's mantra still has the higher brand-value. ;-)
as a retired lawyer, i can impose additional costs on a company claiming a false debt from me simply by filing something that will cost at least $50,000 in attorney fees to defend against. i have a track record of publicly accessible court files where i can point to other companies i have brought to grief. try as they might, corporate lobbies will never negate this ability; a new law might impose ten more hoops to jump through but that's what i used to do for a living, laws like this just expand the gulf between lawyers and the rest of you.
funny story involving dead people in commerce: the california bar tabloid arrives here every month with its discipline summaries, synopses of lawyers getting into trouble that we peruse with morbid fascination to see if there's anybody there we know. my all-time favorite discipline summary: a client had just dropped dead in his lawyer's office. the lawyer rifled through the corpse's pockets for his credit cards, which were presented the next day in payment for charges the lawyer had run up at one of those legal bordellos in nevada. you have to be a little stiff to patronize an establishment like that, but it's not the same kind of stiff, and credit cards have been around for a long time now, long enough for banks to get hip about people, usually bereaved relatives, trying for just two or three more dings on the dearly departed's visa, i was surprised there was a lawyer who didn't know that.
it is true that the solution is some kind of trusted verification for people like we have for websites. it will not be foolproof(phishing kindof attacks can be mounted) and the pki scalability problem will need to be solved(it is quite "solvable"). but after this things will definitely be a magnitude better than what we have now.
the bug in the current system is that the verification information consists of things like SSNs, mother's maiden name etc which are not secure. this is somewhat like using clear text passwords which anyone can replay.
Tim, a very common form of fraud is to arrive at the door of the recently deceased (maybe in a UPS uniform trying to collect COD charges) and claim that the dead person ordered this custom bible for outrageous sum of money. Almost always, the surviving spouse will pay for it. They have little idea of what the dead person actually contracted for.
i stole someones identity that i knew that died, now its time for my sister to sell the house will they find out what i did...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.