Schneier on Security
A blog covering security and security technology.
August 29, 2005
Identity Thief Steals House
James Cook left on a business trip to Florida, and his wife Paula went to Oklahoma to care for her sick mother. When the two returned to Frisco, Texas, several days later, their keys didn't work. The locks on the house had been changed.
They spent their first night back sleeping in a walk-in closet, with a steel pipe ready to cold-cock any intruders. The next day, they met the man who thought he owned their house, because he had put a US$12,000 down payment to someone named Carlos Ramirez. The Cooks went to the Denton County Courthouse and checked their title. Someone had forged Paula Cook's maiden name, Paula Smart, and transferred the deed to Carlos Ramirez. Paula's identity was not only stolen, but the thief also stole her house. Even the police said they've never seen a case like this one, but suspect the criminal was able to steal the identity and the house with just Mrs. Cook's Social Security number, driver's license number and a copy of her signature.
This is a perfect example of the sort of fraud issue that a national ID card won't solve. The problem is not that identity credentials are too easy to forge. The problem is that the criminal needed nothing more than "Mrs. Cook's Social Security number, driver's license number and a copy of her signature." And the solution isn't a harder-to-forge card; the solution is to make the procedure for transferring real-estate ownership more onerous. If the Denton County Courthouse had better transaction authentication procedures, the particulars of identity authentication -- a national ID, a state driver's license, biometrics, or whatever -- wouldn't matter.
If we are ever going to solve identity theft, we need to think about it properly. The problem isn't misused identity information; the problem is fraudulent transactions.
Posted on August 29, 2005 at 7:42 AM
I had a similar problem a few years back.
I was about to sell my BMW M3. A guy showed up and said he had a buyer and wanted to show the car to him. After a few meetings and phone calls, I lent him the car. Then he apparently forged my name on the registration paper and sent it to the Swedish "DMV". I went to the police but I couldn't report my car stolen since I wasn't the owner. I reported the incident as a fraud and contacted a good lawyer.
Two days later, the guys were picked up by the police and the trial was held 2 weeks later. They got 2 years behind bars for fraud in 3 different cases.
Anyone could sign a document with someone else's name.
It's worth noting that some simple personal security measures can help reduce the threat from this:
1) Not giving anyone copies of your driving license.
2) Shredding any personal / financial mail before consigning it to the rubbish.
3) Only sign documents for "trusted" parties.
Of course this won't prevent this form of theft, but anything that makes the thief's job that much harder helps to deter the opportunist.
You're right that those countermeasures can help. But there are two halves to the problem: identity information is easy to obtain, and identity information is easy to use for fraudulent purposes. Personal security measures can deal with the first half, but the real problem is the second half.
I talk about that here:
It's also a problem of the US society that things like the driver's license and a signature are enough to be 'trusted'.
On the other hand, here in Germany every step takes much more time because of the red tape...
I remember years ago when we were going on Holidays my parents used to inform their Bank manager and the local police that they were going to be away for a set period of time.
Not practical for everyone but it may aid in resolving issues like this in the future.
"it's interesting how you differ - and how you concur - with the press release below indicating that identity theft legislation is a bad idea."
In general, I don't think any of the current legislation will help much. There are various lobbying groups that are making sure that any legislation that passes doesn't tackle the real problem. I think legislation is required to fix the problem, but not silly cosmetic legislation -- real legislation that adversely affects some interest groups.
I don't know about Texas, but a notary should authenticate both parties in a RE transaction. The title to a real estate is usually also insured in a bona fide transaction. This seems to be more a case of simple fraud against the buyer than a case of identity fraud. Since the audit trail of a real estate transaction is so detailed and eminently traceable, I think that the (arguably weak) authentication is sufficient.
"the solution is to make the procedure for transferring real-estate ownership more onerous."
I just bought a house -- could the process _be_ any more onerous?
I can go to a car dealer, and buy a $60000 Mercedes in a couple of hours. They'll take care of the paperwork for the loan, through the lender of my choice, and I get keys and a title pretty quick.
OTOH, If I buy a house for the same price, it takes lawyers, title searches, appraisals, title insurance, inspections. Much of that is multiple layers of "insurance" (PMI insures the lender; title insurance insures the lender; title search insures the title insurance policy holder; appraisal insures the lender; etc.)
If everything goes very well, we can complete the transaction 3-4 weeks after it starts.
Bill, you're comparing the entire process of purchasing a house (and doing it intelligently - you don't HAVE to do a title search, have ins, etc) and the simple transfer of the deed. It may well be that the described scheme worked so well in part because many people think of the process of transferring property as such a nightmare that they don't consider the lack of authentication that happens in any one stage - even if it is the most important one!
One problem is the reliance on a handwritten signature to convince people something is authorized. Since nearly nobody can verify a handwritten signature, why people rely on them is a mystery.
At the border, if I present a letter "signed by the parents" saying I can take the child to Canada, they will let me through, as if they can verify that the signed letter is valid. Go figure!
I don't understand why National ID wouldn't prevent this. If the property is registered to Jane Doe, ID number xxxxx and the Doe's ID is checked when the transaction is being accepted for processing, the impostor wouldn't be able to pose as Doe, without stealing and faking the ID.
Wow. I see an emerging advocacy group that says we should treat all of our authentication as weak but make authorization extremely rigorous. This log entry seems to follow that group's logic.
The obvious problem, however, is that at some point you still need "strong" authentication. In other words, even if you require oodles of weak authentication to be collected you can still only dissuade criminal activity when the cost of cheating the system is more than the reward. In simple economic terms it is cost/penalty that determines the likelihood of abuse, so if you do not increase the cost related to abusing identities...
Bill, you have a good point. When the process of authorization becomes too convoluted (especially when most controls are just slanted towards covering others' risk, and not the buyers') then buyers will be naturally attracted to circumvention. But you have to factor in the built-in authentication with regard to a "car dealer" versus an anonymous person on the street (e.g. in Daniel's example above).
"The problem isn't misused identity information; the problem is fraudulent transactions."
For some reason this reminds me of the old adage "guns don't kill people, people kill people".
An interesting observation:
My bank, to open a new account (even as an existing cardholder), requires me to demonstrate 2 forms of ID: Driver's license and (something else, for existing customers, swipe ATM and know PIN).
But the tons of credit card crap I receive in the mail requires NO verification of identity. No notarization. No check in person.
I think it's because the feds require that the account opening be verified (counter money laundering and a bunch of other things). Why aren't there legal mandates for these other transfers?
Much of the paperwork involved in buying a house these days isn't about making sure that the right person gets the deed. PMI, inspections, title searches, etc. are mostly about protecting the mortgage company so they don't issue a loan a) for someone to buy a house that isn't for sale, b) on collateral that isn't worth the lending price, c) that won't be repaid by the borrower, and d) where all previous lien holders are satisfied. And most of that occurs only in cases where a bank is involved.
If the buyer is paying cash and the "seller" is listing the property themselves (i.e. not using an agent), then the process can be as simple as signing a contract, transferring the title, and handing over the keys.
"someone to buy a house that isn't for sale"
And that was exactly what happened in this case, no?
Actually, guns don't kill people, it's husbands who come home early (thank goes to Larry the Cable Guy). There will always be fraud. Someone out there will have a "need" to cheat the system somewhere. What is needed is a way to recover from an attack or hack. A 30 day cooling off period or some sort of waiting delay would help. Basically someone holds the money for a certain amount of time, putting the money in a limbo state, to allow time to settle. If the real homeowner comes back in that 30 day period, the money goes back to the guy who made the down payment, the home owner gets the title to his home back, and the crook can't claim the money. The quick cash problem is made into slow cash, preventing a quick get away.
I thought jandzero had a good point in the Plastic site's comments section. After providing some interesting personal identity-loss information (Check fraud versus CCN) they concluded "we'll have potholes until there's more money to be made from building roads that last than building a cheap one and being paid to repair it".
"Wow. I see an emerging advocacy group that says we should treat all of our authentication as weak but make authorization extremely rigorous. This log entry seems to follow that group's logic.
The obvious problem, however, is that at some point you still need "strong" authentication."
I'm not sure what you are talking about. The problem of fraudulent transaction can very well be beat by stronger authentication, and I don't see anyone saying that this isn't a way to beat it. We simply need to be smarter about where we put the authentication, and how we authenticate. There are many situations where authentication is not really necessary, and actually reduces security when we add it (airplane screening comes to mind).
I think in this case, we do need better authentication as part of the transaction, but the real question is what would prevent this fraud from happening in the first place. Someone apparently sold a house he did not own. That's a fraud, how do we stop it?
I'd like to go a bit further and add to my previous post.
Assume you are a realtor, and have a way to authenticate with 100% accuracy whether or not the property belongs to the seller. Now, how would that help if the crook decided to sell the house without the realtor's involvement?
It's like having a house with a dead bolt on one door, and no lock whatsoever on the back door. Do you honestly expect the crooks to take the harder way?
"The problem of fraudulent transaction can very well be beat by stronger authentication"
Easy to say, but define "stronger".
"and I don't see anyone saying that this isn't a way to beat it."
Many people say that because SSNs are "out of the bag" we might as well give up trying to treat them as sensitive. Many states publicly posted SSNs (e.g. class lists at Universities) and used them as driver's license ID numbers until very recently. My point was just that you can shift the focus from one ID to another but the real discussion is how to arrive at controls that make the cost of fraud high enough to prevent it. So I think we're somewhat in agreement.
"Assume you are a realtor, and have a way to authenticate with 100% accuracy whether or not the property belongs to the seller."
Ok, now assume the realtor is the crook and you are the buyer...
I wonder how long before people will have to start forming corporations to help protect assets from these things.
Banks have to take more care in processing transactions from corporations as they have to know if the person before them is not only who they claim to be, but also if they have the proper authority within the corporation to make the transaction.
"Ok, now assume the realtor is the crook and you are the buyer..."
Haha, yeah -- that is along the track of what I was thinking. Everyone needs to be able to make sure that they are not being defrauded. Authentication might be part of the solution, though.
I see your point about SSN number abuse, and the possibility that National ID would be abused in precisely the same way.
However, I think the problem is not that we shouldn't use SSN, but that we rely too heavily on SSN to verify that someone is who they say they are. Anytime you have a central piece of information that can be used to tell someone that you are a certain person, crooks are going to try to find a good way to use it for their benefit.
Sorry, I have nothing of value to add, but:
This reminds me of The Simpsons episode where some ex-circus workers took The Simpsons' house and in order to get it back, Homer challenged the thieves to a contest, the winner being the one who would keep the house. The contest involved throwing a hula hoop on the top of the chimney and getting it to stay (IIRC) put.
"If the Denton County Courthouse had better transaction authentication procedures, the particulars of identity authentication -- a national ID, a state driver's license, biometrics, or whatever -- wouldn't matter"
I totally agree. This whole issue revolves around the ineptness of the Denton County Courthouse.
From the article there are 4 actors here. The Forger, an unnamed woman that forged the signature and purported to be the female owner (using the owner's maiden name, which was on the deed to the house). The Seller, Carlos, who had the Forger sign the deed over to him. The Buyer, who for reasons unknown paid a large sum of money to the Seller, apparently without the involvement of any bank (since the bank would have likely done more checking on the Seller). The Authenticator, who in this case is the Denton County Courthouse.
So apparently, the Denton County Courthouse was duped twice. Once when the Forger signed the deed over to the Seller (Carlos), and again when Carlos signed the deed over to the Buyer.
From Bruce's linked article on fraudulent transactions, the conclusion seems to be that financial liability will "fix" most fraudulent transactions that result from "identity theft" problems. So, in this case, would the Denton County Courthouse (likely the register of deeds office) need to be held financially liable for all documents of record that they process/hold? I don't know about Denton County, but given the number of property deeds a typical county registers (and value of each), it would seem that there could be a significant financial liability a county would be required to carry. Also, what about other "properties". Is the DMV to be held financially liable for all automobiles they register (and transfer title for)?
Perhaps making these "authenticators" (register of deeds, DMV, etc.) financially liable would be the "wake up call" needed to get proper authentication systems to prevent the types of fraudulent transactions (which result from "identity theft") discussed here.
"If the Denton County Courthouse had better transaction authentication procedures, the particulars of identity authentication -- a national ID, a state driver's license, biometrics, or whatever -- wouldn't matter"
I can hear the squeals of the real estate and title transfer industries from here.
Let me guess, that thief got the information he needed from their website?
@Steve: "I can hear the squeals of the real estate and title transfer industries from here."
The German reaction: "Na und" (So yes)
If some business makes stinking mistakes they should not be able to get away with it. Why should fraud victims have to bleed for institutional mistakes? If the institutions don't want to take the risk, they can get insurance (and be clubbed into good practices by their insurers.)
"I don't understand why National ID wouldn't prevent this. If the property is registered to Jane Doe, ID number xxxxx and the Doe's ID is checked when the transaction is being accepted for processing, the impostor wouldn't be able to pose as Doe, without stealing and faking the ID."
The same procedure works if you substitute "ID number xxxxx" with "drivers' license xxxxx" or "anything number xxxxx." The solution isn't a National ID. The solution involves someone verifying that the person selling the house is actually the person who owns the house.
@ Nicholas Weaver
"Why aren't there legal mandates for these other transfers?"
Because the credit card lobby is strong.
But honestly, that would be a great solution.
Just to add, I can't see any problem here. Just as with credit cards, I can't see why someone would be responsible for a bank giving someone else a loan in their name. Just like credit cards, a signature authorizes a loan. If someone didn't sign a loan he's not liable for it. Like credit cards, no signature, no liability (the bank would have to prove you were physically in the bank and also show that you were the one making the signature to make you liable for it).
Yes, it's exactly one thing that a National ID will prevent. Here in Spain we have had a National ID for longer than I can remember (I was born in 1977), and our DNI (Documento Nacional de Identidad) is made by the same entity that makes stamps, money and official documents. The DNI has similar security measures as a bank note (BTW a lot more than a dollar note), so it's very difficult to duplicate, and very easy to spot a false one.
These things make it very difficult to make a false DNI, and the DNI is needed for every transaction.
It's just wrong to ask for anonymity and say you do not want to have someone steal "your" identity. Here when there is a fraudulent transaction it usually does not involve a false DNI; it usually has to do with false companies or with a procedure that has not been correctly followed.
I don't know of any case of identity theft in Spain, I could be wrong, but I think that's exactly (identity theft) the thing a National ID is thought for.
"The solution involves someone verifying that the person selling the house is actually the person who owns the house."
Or to be more precise, the solution involves verifying that the person selling the house is actually the person who is *authorized* to sell the house.
You're right, thinking about it. ID theft itself is well documented & to some extent preventable.
The question should now be - what is the best way to prevent ID data from being used for fraudulent purposes? When put in this light a national ID card seems to be far from the best crime-prevention method.
Tighter control over who and what organisations hold personal data could help, but then that would be open to abuse by employees anyway.
A difficult one.... Maybe it would help if data transactions as important as who owns a house ought to be accompanied by a simple phone call: "Are you selling this house, can you prove your ID" etc. etc. Still, not an easy solution.
OK, I see where this is going, but as far as I can see, the 'victim' is the buyer of the house, not the previous owner. James and Paula Cook are clearly getting their house back, so in many ways, the system has worked. I would be more upset if they had really lost their house. They feel 'violated' according to the original article, but I doubt we'll be seeing a rash of house stealings over the next few months. It clearly doesn't work.
Frankly, the buyer seems to have been a bit of a dill.
The story reminds me of a house that was literally stolen in Brisbane back in the early 1980s. Many houses there are raised on stumps, and one family came back from holidays to find the whole house missing. IIRC it was never located.
"in many ways, the system has worked"
No, in many ways the system failed.
Homeowners should never really feel the need to break into their own home and wait in a closet with a steel pipe to regain their identity...seriously, though, they were lucky they weren't killed when they jumped out of the closet. Not only would this have been an ugly turn of events, but it may have made it impossible for the family to disprove the transfer of ownership.
It seems to me that Bruce's point - the type of authentication used doesn't matter as long as there is some authentication - is logically correct. At the same time, Jorge seems to be right too. The type of fraud called "identity theft" and widely discussed in the US simply doesn't occur in Spain (says Jorge), and neither in Germany or Switzerland (according to my personal experience). Correct me if you know otherwise. So what is it really that is done differently in those and other countries? And how could it be applied to the US?
"The problem is not that identity credentials are too easy to forge. The problem is that the criminal needed nothing more than 'Mrs. Cook's Social Security number, driver's license number and a copy of her signature.'"
C'mon guys. I can't believe you're letting him get away with statements like these. What is this, the Bruce Schneier fan club? The statements above are contradictory. The criminal in this case is using her Social Security Number and her driver's license number to forge her identity. If they were unable to convince authority that they were she, then the transfer would never have happened. That identity credentials are too easy to forge is precisely the problem.
Ownership is inextricably linked with identity. If you legally own something and you are who you are, then you enjoy the rights to what you please, within the boundary of the Law, including transferring your property to someone else. There is no other "transaction authentication procedures" other than verifying the owner's identity. And as there is no other sanctioned forms of identification on this land other than pieces of cardboard with your pension number and licenses issued by departments whose mission is motor safety, they are used for purposes that they were not designed for.
Can someone at least describe what this hypothetical more "onerous procedure for transferring real-estate" is?
In California, deeds transferring title to real estate must be notarized, and a few years back they added a requirement that the notary get the signer's thumbprint too for his/her official log. I don't see the situation in the article as the start of a trend, or anything to be concerned about. There's no way a fraudulent title transfer would stand up against the owners; as an earlier poster noted, the only victim was the guy who paid Carlos Ramirez 12 grand down for the house. Most savvy or well-advised buyers know enough to make their check out to the escrow (usually a title company) which will not release the funds to the seller until it's in position to convey clear, insured title to the buyer. Yes, a fool and his money are soon parted, but I doubt that any legislation can prevent this.
In Canada you can buy title insurance when you purchase a house, the insurance protects you from unlawful transfers and other error and omissions when transferring title. The insurance costs between $250 to $400 CDN. (One thing to note, you can't buy the insurance for an existing property.) It appears to be available in the U.S. but maybe in a different form.
@Bruce "The solution involves someone verifying that the person selling the house is actually the person who owns the house."
@David "Or to be more precise, the solution involves verifying that the person selling the house is actually the person who is *authorized* to sell the house."
And how can you do either of these without good ID? The only one today a person can check the ID of another person is to look at ID issued by someone trusted, and a driver's license or national id or passport will be the best bets.
What else could the person have checked to know the person they were talking to was authorized to sell?
"That identity credentials are too easy to forge is precisely the problem."
I think you're missing the point. The TXCN.com article says that the scammer used Paula Cook (nee Smart)'s driver's license *number*, not a stolen or forged license. A national ID card with standardized anti-forgery features would have some advantages -- such as making it much easier for people to authenticate out-of-state IDs -- but none of them apply to an ID that isn't actually checked in the first place.
"Can someone at least describe what this hypothetical more 'onerous procedure for transferring real-estate' is?"
As simple a procedure as "show me your driver's license and sign your name in front of me" would have prevented this particular attack. It sounds as if that authentication was falsely assumed to have happened at some earlier stage.
I'm actually fairly confident that no amount of forging skill would have enabled Carlos Ramirez to pass himself off as Paula Smart if there had been any live ID checking at all.
"And how can you do either of these without good ID? "
Yes, that was partly my point. Authorization is definitely impacted by authentication weaknesses, which is why multiple controls are better than just one (point of failure). Personal appearance with a photo ID and a live signature could have been required, as mud and flame mentions above. I was also trying to say I am not so sure we should all just abandon the security of SSNs.
For many Americans, there is a big legacy problem. I have a legal birth certificate, but there is no way to assure that document actually refers to me. Most of my other documents are directly or indirectly based on that one.
"I have a legal birth certificate, but there is no way to assure that document actually refers to me."
All the birth certificates I have seen have the person's footprint on them (albeit as a baby). I don't know if it is forensically possible (or has ever been attempted), but one may be able to verify the adult to the baby footprint on the document.
"I was also trying to say I am not so sure we should all just abandon the security of SSNs."
National IDs should include a hash of the person's identity info (name, address, DOB, ID#1, etc.) combined with an ID#2 that only the government has access to.
You can't recover ID2 from the hash and it isn't printed on the card. The ID1 printed on the card can be given out in situations where you need an ID# (check cashing, etc.).
For high value transactions, like house buying or loan applications, they would get the hash (a barcode or magnetic strip), check it through secure access to a government database, but not keep a record of it. The database would merely confirm the name, address, etc. that matches the hash.
The hash itself would be far less accessible to identity thieves. It would not be printed on any paperwork that you throw out with the trash. A store that cashes a check for you would not have a copy of it.
It would not be impossible to get a copy of the hash, but it would likely not be worth the trouble. It would be like spending $1,000 to break into a safe that contains only $100.
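A sketch of the card-hash scheme proposed in the comment above, added here as an example; it is not the commenter's code or any real ID system. It assumes HMAC-SHA256 keyed with ID2 as the "hash combined with ID#2"; `Identity`, `Registry`, `card_token` and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    address: str
    dob: str   # ISO date string
    id1: str   # the number printed on the card and given out freely


def canonical(identity: Identity) -> bytes:
    """Normalize and length-prefix each field so that field boundaries are
    unambiguous: ("ab", "c") and ("a", "bc") must never hash alike."""
    out = b""
    for field in (identity.name, identity.address, identity.dob, identity.id1):
        raw = " ".join(field.split()).casefold().encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def card_token(identity: Identity, id2: bytes) -> str:
    """Value stored in the barcode or magnetic strip. Assumption: HMAC-SHA256
    keyed with the secret ID2, which never leaves the registry."""
    return hmac.new(id2, canonical(identity), hashlib.sha256).hexdigest()


class Registry:
    """Hypothetical government-side service holding ID2 for each ID1."""

    def __init__(self) -> None:
        self._id2_by_id1: dict[str, bytes] = {}

    def enroll(self, identity: Identity) -> str:
        id2 = secrets.token_bytes(32)          # known only to the registry
        self._id2_by_id1[identity.id1] = id2
        return card_token(identity, id2)       # written to the card

    def confirm(self, token: str, claimed: Identity) -> bool:
        """Answer only yes/no: does this token match the claimed details?
        Nothing about the presented token is stored."""
        id2 = self._id2_by_id1.get(claimed.id1)
        if id2 is None:
            return False
        expected = card_token(claimed, id2)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode(), token.encode("utf-8"))


def demo() -> dict:
    registry = Registry()
    # Constructed sample record, not taken from the article.
    owner = Identity("Jane Doe", "1 Example St, Frisco TX", "1970-01-01", "ID1-0000000")
    token = registry.enroll(owner)

    # Someone holding only the printed details (name, address, DOB, ID1)
    # can hash them, but without ID2 the result is not the card token.
    guessed = hashlib.sha256(canonical(owner)).hexdigest()

    # The token is bound to every field: changing the name breaks the match.
    altered = Identity("John Roe", owner.address, owner.dob, owner.id1)

    return {
        "owner_with_card": registry.confirm(token, owner),
        "printed_details_only": registry.confirm(guessed, owner),
        "token_with_other_name": registry.confirm(token, altered),
        "unknown_id1": registry.confirm(token, Identity("Jane Doe", owner.address, owner.dob, "ID1-9999999")),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

The token is a static value, so anyone who copies the barcode can present it again; the scheme only stops someone who holds the printed details alone.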
> All the birth certificates I have seen have the person's footprint on them...
Mine doesn't. My sister's doesn't. Footprints on birth certs is a fashion that started in the 70s.
"All the birth certificates I have seen have the person's footprint on them (albeit as a baby)."
I'm not sure this is as universal as you think. I work in HR in the US and as a result I have seen a lot of birth certificates (filling out I-9 forms).
Birth certificates are state issued where I live, but I'm sure that in some places it's a county document. There aren't any national standards, so far as I know, but one expects to see some manner of fancy seal stamped into the paper and that's about it.
"I wonder how long before people will have to start forming corporations to help protect assets from these things.
Banks have to take more care in processing transactions from corporations as they have to know if the person before them is not only who they claim to be, but also if they have the proper authority within the corporation to make the transaction."
hmm.. Role-Based Mandatory Access Control comes to mind.
Remember, there is no win-win when it comes to security. The most secure computer is the one which is turned off, buried in unknown place deep in the woods, and the person who buried it killed before being able to say where it is.
"Mrs. Cook's Social Security number, driver's license number, ...."
I think it is all about the consequences of the problem instead of the initial one. SSNs ought to be *identification* information (i.e. allowing to distinguish between two "John/Jane Doe" folks), and therefore should be publicly available. Step 2 should involve some real *authentication*, either direct ("I know you, John") or through a chain of trust ("You know that guy, don't you", or usually a governmental controlled IDs proving "the government wrote you are John Doe 31782B11j").
So the problem is that SSN is much closer to authentication and not to identification info. I will be fine if everyone knows my public key, but will be deeply worried if my private key is loose.
And finally it is all about privacy. Aussies have no need for IDs inland (again AFAIK, I am not Australian). So you can change your names as much as you like if you do not feel bound by university diploma, ownership, etc.
If government has to protect you from fraud, it has to enforce a tight system and procedures, so activists will start to complain about a police state.
So everyone has to decide what he/she *really* wants!
O.K. guys, this is what's happening with me right now. What is the fix? They have my house, so now what do I do?
I am getting ready to re-finance with my original mortgage company and am going through all this transfer business. Could anything go wrong?