Schneier on Security
A blog covering security and security technology.
« DHS Privacy Committee Recommends Against RFID Cards |
| Forge Your Own Boarding Pass »
November 1, 2006
Online ID Theft Hyped
Does this surprise anyone?
While keylogging software, phishing e-mails that impersonate official bank messages and hackers who break into customer databases may dominate headlines, more than 90% of identity fraud starts off conventionally, with stolen bank statements, misplaced passwords or other similar means, according to Javelin Strategy & Research.
"An insignificant portion of identity fraud actually starts with the Internet," said James Van Dyke, president of Javelin, who pointed out that many firms still rely on simple security questions such as one's mother's maiden name. "The Internet always grabs the headlines, but it is individuals who are close to the victims, such as family and friends, that are doing most of it," he said.
While fraudsters often use the Internet to access existing bank, phone or brokerage accounts or to create new ones using stolen details, in only one out of 10 of those incidents did the actual theft of the personal data take place through e-mail or the Web or somewhere else on the Internet, according to Javelin. "No matter how you slice the data, it's really hard to arrive at a scenario where the Internet could be the source of the majority of identity fraud," Van Dyke said.
All told, 4% of Americans were affected by identity fraud in 2005, a statistic that is slowly shrinking, though the value of each fraud incident is growing, Van Dyke said. The total losses attributed to identity fraud has held steady the past three years.
Posted on November 1, 2006 at 2:07 PM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Bruce - How does this article fit with the one you wrote back in December (December 12, 2005
Most Stolen Identities Never Used)?
a friend had her PIN stolen when she used her ATM card to pay for something at a store. they used the camera over the register to record her punching in her PIN and charged up over $1000 to her account within two days.
Once I found a $2 charge on a credit card bill that at first glance made no sense to me. The way the mind works when confronted with something like this is to imagine a scenario, like some kind of third party service fee for an online purchase, that might have generated the line item. I called the credit card company and tried to get more information beyond the 800 number that was listed next to the transaction and they told me that there is no more information beyond what they printed on the statement. They recommended that I call the vendor before denying payment. This was bad advice. In order for this company to tell me anything about the transaction, they wanted information about me to prove that they should divulge it. In this cat and mouse game the person at the other end eventually slipped up and tipped me off that the real scam was playing out on the very phone call I was on. I hung up and called the credit card company back; after recounting what had just transpired they stopped payment and issued a new card. Somewhere my credit card information was stolen, likely from some merchant that didn't safeguard the information sufficiently.
The original theft may have been from an online merchant. The explanation I originally invented for myself to explain the anomally was an Internet-related phenomenon; I've purchased items from small shops online where you are sometimes warned that you will see a small charge from a third party related to the sale.
> starts off conventionally, with stolen bank statements,
I've discovered a bank I opened an account at recently doesn't send monthly statements in months when the number of transactions is too low. You might be more likely to overlook a missing statement if they are irregular.
I received a credit card bill from Bank of America for the amount of $0.00. I took the bill to the local BofA where I was told I had applied for the card, given personal information to confirm my identity -- mother's maiden name, SSN, etc. -- and had activated the card over the phone, again confirming my identity. I explained that none of this ever happened. They had no explanation for how the card could have been issued without my knowledge, but they didn't seem too upset about it, since no money had been stolen. Apparently this is not a rare event.
What did surprise me was to see any report whatsoever correctly identifying this as "fraud", rather than "Identity Theft". If I ever see print media or TV using this (the correct name for the crime), I'll believe we're on the correct path to reducing it drastically.
Identity theft is a defined subset of fraud - it is a specific type of fraud that predicates on stealing a set of valid authentication credentials in order to successfully apply to a financial scheme, and furthermore where the authentication credentials used by the scheme are related to an applicant's identity.
Yes, it is a type of fraud, but fraud is a very broad term that also covers many very different types of crime, such as bribery and corruption, IP fraud, cheque fraud, insurance fraud, insolvency fraud and so on.
I'd say the more specific a term that can be used to define an attack, the closer we are to understanding it and combatting it.
I appreciate your post Bruce. But, lets put this in real numbers. US Population: 295,734,134 - 4% of americans: 11,829,365 and 10% of these affected by Internet "Identity Theft": 1,182,936 only in 2005. I would not call it hype!
ID theft is only fraud to the agency the thief contracts with 'disguised' as you.
Thus the ID Thief is not defrauding YOU, he is simply binding you into a contract for which you did not agree. Which makes it null and void between you and the defrauded agency.
I wonder why this is such a big thing in the US but very rare in Europe. Seems like the whole US banking/ID system is seriously flawed.
good question. From my experience (growing up in Europe, now living in the US), I can guess several contributing factors:
- very widespread credit card use
- terrible privacy laws enabling data brokers, more insider attacks etc.
- higher competition in the financial industry leading to a focus on ease-of-use (they want you to spend that cash), not security; for instance, in 2006, my Wells Fargo bank account is still only password protected, whereas my European bank (and this is only a regional bank) uses indexed TANs and also offers smartcard authentication
I'd love to hear what others can come up with. Ross A., are you reading this?
"Identity Theft" is a bad name, because it confuses people about who is victimising whom.
(1) A crook gets money from my bank by using false credentials to impersonate me. The bank is the victim of the crook.
(2) The bank tries to debit my account. I am a victim of the bank's attempt to pass its loss to me.
(3) The bank tells a credit reference agency I am a bad payer. I am a victim of the bank's libel.
"Identity Theft" is a name that makes it look as though I am the crook's victim, and leaves the bank and the credit reference agency out of it when they are the ones who actually injure me. The banks push this name, understandably. The rest of us shouldn't buy it.
"Impersonation" is the crook's crime against the banks, and that's what we should call it. Then we can hold the banks accountable for trying to pass the buck to their customers.
@Almost Burned: "I found a $2 charge on a credit card bill that at first glance made no sense to me."
Brian Krebs wrote in late Sept about fraudsters doing small-value payments to test card details they had bought. There's a significant black market in stolen credit card records (best write-up is still last year's New York Times article); doing small value payments - sometimes to a charity - can be a good way to test whether a card is active and can then be exploited for more serious fraud. Check out http://blog.washingtonpost.com/securityfix/2006/...
@T: "guess several contributing factors"
I'm in Aust and get the impression that fraud levels here are significantly less than in US. I strongly agree with your point about the correlation of weak privacy laws and fraud.
I'm not so sure about your third point. Banks here have a similar convenience focus to the US banks - it's starkly different from the European market. Some authentication tokens and SMS authentication approaches are starting to become available in the market, but it is still very rare for any bank to mandate it for their customer base - usually optional.
One interesting difference between Aust and US is that we don't have a defacto identity number like SSN. The Aust government set minimum identity requirements for banks ("100 point check") more than 20 years ago, and I think this diverse identity approach makes it slightly harder to impersonate someone and carry out some of the higher-value fraud (e.g. loan fraud).
Nick Bohm: You phrased the problems with the name "identity theft" very well. Thanks
Geoff : while I'll agree that more specific terms make it easier to discuss and thus fix specific issues, using the wrong name can be more damaging. In this case, hiding the fact that it is the banks and other companies that are the both the victims of the fraud and the ones making it so easy to accomplish. Why? Because as Nick said, they can easily pass the loss on to me or you. Once they must quit making us the victims, and shouldering the full cost of the crime, they will push to protect themselves from it.
The BBC news website has a artice about a site where it will tell if your vulnerable to ID fraud online.
My first thought was it asked for your name and address and if you entered them it would say 'Yes'.
I like the way their privacy statement says that they can change their policy any time they like and you should check their privacy page 'often'.
This problem is not an American problem,2005 saw 25% of the UK population fall victim to ID Theft and/or fraud
"I wonder why this is such a big thing in the US but very rare in Europe"
There is currently a epidemic of identiy theft is actualy in the UK which is technicaly part of europe ( although it sometimes feels like we are an "unincorporated, organized territory of the US ".
The main reason it is rare in Europe proper is the rigourious system of official id cards and registration procedures introduced by Napoleon.
Its very easy for finacial institutions to check who you are and very difficult to get a fake ID.
When someone went shopping with my credit card details, the company immediately jumped to the conclusion that this was due to the Internet. In fact this particular card had never been used for Internet purchases, or even for mail order because it was the card I used for business travel. So actually someone in a hotel or restaurant had simply noted all the details and used these to go shopping. Good old fashioned fraud: if you have the card in your hand, you can note down the number, expiry date, the CVV code off the back....
Somebody please tell me how adding three more digits to the BACK of the card, which is now required along with the card number and expiration date on ALL transactions, has made credit card fraud less likely? How is it different from making the CC number 3 digits longer?
@roy: Did they let you close the account, or did they refuse since you're not the one who opened the account? CapitalOne refuses to allow me to close a (otherwise legitimate) credit card account with them (yes, its paid off, and has been unused for 2 years now).
@supersnail: Thats ok, you've gotten even with us; we inherited your jusrisprudence system.
"2005 saw 25% of the UK population fall victim to ID Theft and/or fraud"
@Anonymous - Moi?
"2005 saw 25% of the UK population fall victim to ID Theft and/or fraud"
Perhaps fraudprotector was talking about our tax system :)
Then it should be called identity fraud.
Theft is when you misappropriate something, and in doing so deprive the former owner of it. By contrast, the person still has their identity, the RIAA still has its music, and the MPAA their movies.
Here's a story of someone who emailed tech support at Shaw and the tech support guy emailed back asking them to email him/her their Shaw password so they can inspect their account:
Luckily the person refused to send it through email due to security reasons. But you can see how broken the security infrastructure is at Shaw and why so many people fall for those "email us your password now or your eBay/Wells Fargo account will be terminated!" scams.
"Identity theft" is a dangerous term as it has been twisted and politicised. It has been a favourite of UK politicians to justify their ID card & population database (costing somewhere between £6-£20bn over 10 years).
E.g. this year Blair claimed in Parliament that annual UK "ID theft" losses were £3bn. This was pure spin - he conflated all types of fraud and then doubled it. All "fraud"* was last reckoned to be about £1.7bn p.a. of which true "ID theft" is approx 1/10th; figures which are all publically available from the banking, insurance, industries, etc. (and nowhere near 25%!!).
Certainly this level of fraud is not good, but the "cure" is worse than the disease in this case!
*excluding "carousel fraud" - which is entirely UK VAT/business-tax-related. Uk Treasury reckons that costs us £6bn alone and is a beast of its own making.
Almost every bank must come up with a solution, FFIEC mandates it. Time is still an issue with a solution in place as well as a fine being imposed large enough to warrant an action. The banks here are more worried about consumer defection than consumer protection, whereas the autocracy of Europe recognizes the problem and has acted. Unfortunately, I don't want multiple tokens, questions (that are all the same) or cookies. I suggest keystroke dynamics may be a more elegant solution that is grabbing validation every day.
If you ever get an email from a bank saying that there may be a third party accessing your account and that they are going to temporarily block it so please go to a specific link to reset it do not panic and look over it with a fine tooth comb. Thank God that is what I did. It looked very legit, it had the companies banners and all. However, three things came to me:
1.) Why if it was so serious did they email me and not call me.
2.) It was impersonal it said none in the To: area instead of our name or email address.
3.) There was a persons name then the banks url after it when I put the mouse over the link. Talk about messed up!
So I didn't click!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.