Real ID and Identity Theft

Reuters on the trade-offs of Real ID:

Nobody yet knows how much the Real ID Act will cost to implement or how much money Congress will provide for it. The state of Washington, which has done the most thorough cost analysis, put the bill in that state alone at $97 million in the first two years and believes it will have to raise the price of a driver's license to $58 from $25.

On the other hand, a secure ID system could save millions in Medicare and Medicaid fraud and combat identity theft.

Why does Reuters think that a better ID card will protect against identity theft? The problem with identity theft isn't that ID cards are forgeable, it's that financial institutions don't check them before authorizing transactions.

Posted on October 14, 2005 at 11:20 AM • 32 Comments

Comments

Zwack • October 14, 2005 11:50 AM

Identity Theft does not always occur in ways that could be easily verifiable. Financial institutions want to make it relatively easy for people to spend money remotely (Internet, phone,...) and there is no easy way for a website (for example) to verify your identity.

Real ID is not going to make any difference in those cases.

Z.

Anonymous • October 14, 2005 12:27 PM

"Real ID is not going to make any difference in those cases."

Is there any case where it -will- make a big difference? Besides the case of companies making ID-printers, that is.

Bruce Schneier • October 14, 2005 12:30 PM

Real ID will make a difference where credential forging is a problem, assuming that there are better verification procedures that go along with the better issuance procedures.

ac • October 14, 2005 12:44 PM

The ID theft and Medicare/Medicaid fraud lines both sound like talking points from proponents of the Act. It's a shame they don't cite the research that came up with those ideas, or we'd be free to evaluate their truthfulness. On one side we've got cited research and real numbers saying what the cost is. On the other side we have fuzzy uncited numbers about the benefits. I feel better already.

Does existing Medicare/Medicaid fraud actually amount to millions? What proportion of that fraud is entirely based on poor driver's license security? I'd imagine the real savings to be closer to, well, nothing.

Same for identity theft.

I do think this may partially address the urgent national security menace of underage drinking, however.

Anonymous • October 14, 2005 12:47 PM

"Real ID will make a difference where credential forging is a problem, assuming that there are better verification procedures that go along with the better issuance procedures."

Case in point:

http://www.schneier.com/blog/archives/2005/08/...

If all you need to transfer ownership of your house is your RealID number (not a scan of the actual card) and a copy of your signature, then it will be business as usual.

Rich • October 14, 2005 12:49 PM

Um, by 'scan of the actual card' I meant machine reading the machine readable 'non-forgeable' portion of the card, not a 'scan to tiff/pdf'.

jayh • October 14, 2005 12:52 PM

My driver license, SS, passport and virtually everything else to identify me are all based on a paper birth certificate from 1949 which has my name typed in. There is actually ZERO to connect me to that birth certificate.

Anonymous • October 14, 2005 12:58 PM

@Bruce
"Real ID will make a difference where credential forging is a problem,"

It won't help if someone is selling valid ones out the back door of the DMV office. You end up with a state issued ID containing whatever information you want on it.

Bryan • October 14, 2005 1:22 PM

@Bruce

"Real ID will make a difference where credential forging is a problem,"

As @Anon said, it won't matter if the DMV is selling legit ones.

The bottom line is that as long as the physical card is the sole token for identity verification, it can be forged. I don't care how well you craft the hologram, how many chips you place on it, what algorithm you use to encrypt the data on the magstripe, how many RFIDs you embed in it, what colors you use, etc. If something can be CREATED, it can be RECREATED, given enough time, money and talent. Period. End of discussion.

If RealID were "real" then it would be much more effective if it were a public key to one's identity record stored on a central server. Swipe the card through the terminal, it queries the server, and up pops your picture, fingerprint, DNA, whatever. The store clerk/title company/DHS interrogator/etc. would then verify the terminal information versus the ID and person.

Of course, such a system is a nightmare in itself: privacy is truly dead, single point of failure/compromise, hideously expensive, etc.

You cannot reliably identify people as long as the system you use can be circumvented. You can circumvent any system that you have physical control over.

Bryan • October 14, 2005 1:24 PM

Guys, guys. All this is true but you have to start somewhere, lay a foundation.

Everyone is complaining about /other/ parts of the system that are broke. OK, I understand that. But let's pick one and fix it, then build on that foundation by fixing a few more things, and, y'know, keep progressing toward the goal.

So banks don't verify transactions now. Perhaps it would be easier for them if they had a little more confidence in the quality and usability of the ID cards they have to validate against?

I don't understand people who complain out of one side of their mouths (identity theft is too easy!) then complain about any movement toward a solution with the other side of their mouths (RealID won't help anything anyway so let's not do it!).

I'd love to see a few criticisms that were followed with even a tiny effort to propose something better.

Bryan@adminfoo • October 14, 2005 1:27 PM

oops, different Bryans posting almost simultaneously! At least he tried to bring an alternative solution though ...

Henceforth I'll sign 'bryan@adminfoo'.

Pat Cahalan • October 14, 2005 1:59 PM

@ Bryan

> So banks don't verify transactions now. Perhaps it would be easier for them if
> they had a little more confidence in the quality and usability of the ID cards
> they have to validate against?

Not really. Banks base their verification/fraud risk analysis on the bottom line. If they get $50M of profit from legitimate uncontested business and lose $10M to fraud, they make $40M. Sound business says to keep doing business that way (especially if you can also stick the $10M loss on somebody). You're not going to spend $20M to eliminate that $10M fraud, and you're not going to stop doing business in the current way (why should you, you're making money!)

If RealID verifications cost more to implement than the money banks lose to fraud, they're not going to change anything.

Basically, banks only care about authentication/authorization in those terms -> they'll continue to evaluate their transaction processing in terms of profit/loss. If a new ID card is institutionalized by the government, they'll use it, but I can guarantee you they're not going to change the way they evaluate efficacy.

This is a hidden factor in most of the discussions about the costs of Real ID measures. In addition to spending all of this money to make/distribute a unified identification card (taxpayer cost), if the resulting product doesn't solve the problem efficiently, financial institutions aren't going to bother to change the way they do business to gain the benefits of the Real ID.

Put another way, even if Real ID reduces fraud by 50%, if it costs banks more than 50% of the fraud loss to adopt using it...

Bruce Schneier • October 14, 2005 1:59 PM

"'Real ID will make a difference where credential forging is a problem...' It won't help if someone is selling valid ones out the back door of the DMV office. You end up with a state issued ID containing whatever information you want on it."

Of course. But that's not a problem with credential forging. That's a problem with the credential issuing procedure.

Davi Ottenheimer • October 14, 2005 2:59 PM

"But that's not a problem with credential forging. That's a problem with the credential issuing procedure."

Righto!

Someone came up with the clever "Real ID" moniker perhaps to let you know its purpose to rise above all the "fake" IDs in circulation today. But the term "Real" doesn't necessarily have any value in terms of who is issuing the IDs.

Perhaps the issuing procedure gaps will be fixed with an "Authorized ID" project, leading us to a "Real Authorized ID"...but until that happens we can look forward to all the undesirables (criminals, terrorists, etc.) having IDs that are unquestionably Real.

Davi Ottenheimer • October 14, 2005 3:32 PM

As long as they're talking about the money related to Real ID, I thought it interesting that the Reuters report left off one of the more interesting points about why/when Real ID was passed into law:

http://www.theregister.co.uk/2005/05/11/...

"House and Senate Republicans have rammed through the so-called Real ID Act - a legislative Trojan horse that lets the Department of Homeland Security (DHS) dictate drivers' license standards to the states - by attaching it to a $76 billion military spending package for Iraq that no one in the Senate dared oppose. In addition to keeping the Iraq debacle alive, the bill increases the death benefit for US service members from a paltry $12,000 to a more reasonable $100,000, raises the maximum life insurance benefit to $400,000, and provides $100,000 for those who suffer a severe injury. So, naturally, the bill passed unanimously in the Senate Tuesday, on the strength of Republican support-the-troops blackmail."

Pat Cahalan • October 14, 2005 3:53 PM

following up the last post:

This is a tactic that has been widely employed by both political parties, and disgusts me when either side does it. My previous post was not meant to vilify only one political party :)

Davi Ottenheimer • October 14, 2005 4:31 PM

@ Pat

I agree, but it's hard to know which is worse, the shameless pork-barreling or the inability to stand up to it.

The thing that comes to mind when I review these atrocious laws is that they are put together by the same people who say we need less regulation. It stands to reason, in a sort of self-fulfilling prophecy way, that if someone repeatedly passes really dumb laws that reduce freedom unnecessarily as well as add an unreasonable financial burden on the government...no wonder they go around saying "regulations are bad".

I've had this argument with Howard Schmidt several times. He keeps saying "regulation is not the answer", but from the perspective of saying some nimwits pass bad regulation. Moreover, all his decorated years in the police were spent enforcing laws that he agreed with and never tried to repeal. Apparently he worked hard to improve the accuracy of the laws until he became a political pundit for the Bush Administration and was paid to wander around saying "less regulation is more" as though corporations will fix their own security without incentive. My point to him was from the centrist's perspective that "better regulation is better, less is just...less". Real ID is more, which is not better either.

Joey • October 15, 2005 5:35 AM

I think we are getting blinded by too much technology. As mentioned above, most anything that we CREATE can be duplicated. So what we need for strong identification is something that is unique to an individual and very difficult, if not impossible to duplicate. Two things come to mind:

1. DNA mapping
2. Your signature

DNA mapping is expensive, still early in its infancy and opens up all kinds of customer privacy and fear issues.

OTOH, handwritten signatures have been used from earliest history as a means of identification/agreement. A pure "wet-ink" signature on paper can be successfully forged. A TIFF, JPEG, etc. graphic of a signature is no different and is even easier to copy and propagate. However, a digital/electronic signature backed up with biometrics is nearly impossible to forge. This would seem to be a very workable solution. Of course, it doesn't have the "cachet" of double secret encryption, PKI, multiple keys, etc., etc.

How would electronic signatures work? A customer signs up for a new service by giving a number of samples of their signature, establishing a baseline measurement that represents their personal signature. This information profile gets stored on a dB. When the customer comes back to make a purchase or prove their identity, they sign on a tablet PC or signature pad. Their signature is validated against the original master stored on the dB. It should provide near 100% accuracy as a true biometric signature is next to impossible to forge. And people are comfortable giving a signature as signatures have been used for thousands of years. Plus, as a bonus, there are no privacy concerns to worry about.

There are a number of companies offering handwriting ID solutions like this. One I can point to is at http://www.cic.com.

MathFox • October 15, 2005 7:38 AM

How difficult would it be for an American to obtain a "second identity"? jayh noticed that all of the government issued documentation seems to be based on a single, forgeable birth certificate.

Anonymous • October 15, 2005 10:28 AM

@MathFox

"How difficult would it be for an American to obtain a "second identity"?"

Don't know about today, but I have a relative who did it in the early 70s. Started with buying a blank baptismal certificate from a Christian supply store, filling it in, and baking it to make it look old.

Bryan@adminfoo • October 15, 2005 6:47 PM

@Pat Cahalan (& Davi too):

"Put another way, even if Real ID reduces fraud by 50%, if it costs banks more than 50% of the fraud loss to adopt using it..."

Exactly. But your assumption seems to be that RealID won't help banks lower the cost of transaction verification by any noticeable amount.

And what if that assumption proves false? RealID works in two ways: one, it tightens the credential issuing procedure to improve the quality and retention of the documents one uses to procure a drivers license (and this must be the majority of the cost Washington State is projecting, since our DLs already have the other stuff), and two, it makes the document easier to validate at the point of use (because of the ability to read the card with some sort of scanner, removing need for a human to detect forgeries).

If banks can capitalize on these two properties of RealID to lower their transaction verification costs, we all win. No, I don't know exactly how they would go about doing this. I just wanted to point out that RealID does change the landscape, and that may change the assumptions you made.

Again - we need to be constructively suggesting ways out of this gridlock, rather than just resigning ourselves to it.

Davi Ottenheimer • October 15, 2005 8:22 PM

"we need to be constructively suggesting ways out of this gridlock, rather than just resigning ourselves to it"

The truly unconstructive part of Real ID comes in the form of a "bill passed unanimously in the Senate Tuesday, on the strength of Republican support-the-troops blackmail".

Where exactly do you think the "constructive" debate is to be held when the ruling party chilled discord or discussion on the topic?

"If banks can capitalize on these two properties of RealID to lower their transaction verification costs, we all win"

Well, that's a mighty big IF. The bottom line for banks is that they apparently do not think they can capitalize on it and that's why they haven't done anything about it for so long. American banks have their own set of rules for how to project liabilities outside their walls, but the British response to ID legislation is still probably worth reviewing:

http://www.theregister.co.uk/2005/10/12/...

"Two years ago 73 per cent of company directors were in favour of ID cards but that figure has now fallen sharply despite the London bombings. Only 45 per cent of company directors now believe the introduction of ID cards would make British cities safer from terrorist attack and just 26 per cent think they would benefit their business. The same number of directors believe the death sentence for terrorist killers would make us safer. "

So my guess is that if American bankers are anything like their British counterparts, and think that the death penalty will be a better solution to terrorism than national ID cards, then they probably aren't thinking very hard about identity management, or worrying about how to do a better job at authenticating and authorizing people to do transactions.

MathFox • October 16, 2005 5:28 AM

Thanks for the info Anonymous... It would be far more difficult to create an identity in the Netherlands; everyone is registered at birth in the governmental "population registry" (Bevolkingsregister).

I am trying to think of all of the possibilities of abuse of the US system; promotion from "illegal Mexican immigrant" to "US citizen" is one of the least security worries.

Bryan@adminfoo • October 16, 2005 4:49 PM

Davi:

I don't understand how that theregister.com link addresses identity theft and/or security of financial transactions? Conflating terrorism with the ability to securely transact business just muddies the water.

And I see people on all sides of the issue who seem to be trying to muddy the waters! Yes, the RealID people too.

Personally, I think RealID helps far more than it hurts. Therefore I think it not a bad thing - at a relatively small financial cost as well!

Davi Ottenheimer • October 16, 2005 5:29 PM

@ Bryan@adminfoo

A fair point. I was merely suggesting the business community is nowhere near ready to swallow strong authentication. The key is "just 26 per cent think [a national ID] would benefit their business".

It's a tough sell, but it can be done in terms that benefit not only the business but also the consumers and citizens. The problem with Real ID is that none of the Real Issues were properly vetted or even allowed to be discussed, and the less you deal with the uncertainties of this system the higher the risk of a predictable disaster.

Bruce Schneier • October 17, 2005 11:22 AM

"'How difficult would it be for an American to obtain a "second identity"?' Don't know about today, but I have a relative who did it in the early 70s. Started with buying a blank baptismal certificate from a Christian supply store, filling it in, and baking it to make it look old."

My guess is that you could still do this today, but you'd need a different skill set. You'd have to be able to hack into several databases and add an entry for the new identity. How hard could it be?

Pat Cahalan • October 17, 2005 12:56 PM

@ Bryan

I wasn't actually assuming that Real IDs would lower the cost of verification, I was just pointing out that if they don't lower it (relative to the fraud cost) significantly, we'll have adopted an identification method (through a political process) at a cost, with no gain realization.

I *do* accept the fact that often you pay the piper ahead of time, and you get the benefit much later down the road (and often from a different vector than you originally anticipated). I believe that it is possible, perhaps even likely, that in the long run a national ID card will have benefits that outweigh the costs of implementing them.

However, I have serious problems with Real ID (specifically) as the method for implementing a national ID. Rather than leaving driver's licenses as what they should be (a token providing authorization to drive), Real ID makes it into *the* national ID. This is bad for lots of reasons. The DMV should not be the distribution center for an identity token - distributing an authorization token is logistically difficult enough. If a police officer is empowered to confiscate my driver's license (which they are now allowed to do at least in CA in a variety of cases) not only does he remove my authorization to drive under Real ID, he removes my ability to identify myself using what Real ID has mandated as the required method of identification.

There are lots of other reasons why this particular method of establishing a national identity card is (IMO) a really bad idea.

Matt Eric • October 18, 2005 12:36 PM

@Bruce Schneier

You wouldn't even have to hack anything; just convince someone with access that the omission is erroneous.

Bryan@adminfoo • October 26, 2005 6:10 PM

Pat Cahalan

Interesting point re: cops confiscating your ID!

But let's think about the alternative to DMV IDs: a whole new agency for national ID! The cost of duplicating their function would make the costs Bruce already mentioned seem like chump change.

Perhaps with the increased capabilities of RealID, that cop wouldn't take your ID away. Instead he would simply have the database mark it: 'not licensed to drive' so it would still be a good ID ... just not proof of the privilege to drive.

Ability to easily prove one's identity is hugely important in today's mobile world. If DMV isn't the right agency to provide this ID ... then who is? Seriously, let's think of all the options. It's worth consideration that perhaps it would not be a governmental agency at all!
