Schneier on Security
A blog covering security and security technology.
« G. Gordon Liddy on Terrorism |
| A Pilot on Airline Security »
December 12, 2005
Most Stolen Identities Never Used
This is something I've been saying for a while, and it's nice to see some independent confirmation:
A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft.
The analysis, released on Wednesday, also found that even in the most dangerous data breaches--where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted--only about 1 in 1,000 victims had their identities stolen.
The reason is that thieves are stealing far more identities than they need. Two years ago, if someone asked me about protecting against identity theft, I would tell them to shred their trash and be careful giving information over the Internet. Today, that advice is obsolete. Criminals are not stealing identity information in ones and twos; they're stealing identity information in blocks of hundreds of thousands and even millions.
If a criminal ring wants a dozen identities for some fraud scam, and they steal a database with 500,000 identities, then -- as a percentage -- almost none of those identities will ever be the victims of fraud.
Some other findings from their press release:
A significant finding from the research is that different breaches pose different degrees of risk. In the research, ID Analytics distinguishes between "identity-level" breaches, where names and Social Security numbers were stolen and "account-level" breaches, where only account numbers -- sometimes associated with names -- were stolen. ID Analytics also discovered that the degree of risk varies based on the nature of the data breach, for example, whether the breach was the result of a deliberate hacking into a database or a seemingly unintentional loss of data, such as tapes or disks being lost in transit.
ID Analytics’ fraud experts believe the reason for the minimal use of stolen identities is based on the amount of time it takes to actually perpetrate identity theft against a consumer. As an example, it takes approximately five minutes to fill out a credit application. At this rate, it would take a fraudster working full-time averaging 6.5 hours day, five days a week, 50 weeks a year over 50 years to fully utilize a breached file consisting of one million consumer identities. If the criminal outsourced the work at a rate of $10 an hour in an effort to use a breached file of the same size in one year, it would cost that criminal about $830,000.
Another key finding indicates that in certain targeted data breaches, notices may have a deterrent effect. In one large-scale identity-level breach, thieves slowed their use of the data to commit identity theft after public notification. The research also showed how the criminals who stole the data in the breaches used identity data manipulation, or "tumbling" to avoid detection and to prolong the scam.
That last bit is interesting, and it makes this recommendation even more surprising:
The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.
I agree with them that all this notification is having a "boy who cried wolf" effect on people. I know people living in California who get disclosure notifications in the mail regularly, and who have stopped paying attention to them.
But remember, the main security value of notification requirements is the cost. By increasing the cost to companies of data thefts, the goal is for them to increase their security. (The main security value used to be the public shaming, but these breaches are now so common that the press no longer writes about them.) Direct fines would be a better way of dealing with the economic externality, but the notification law is all we've got right now. I don't support eliminating it until there's something else in its place.
Posted on December 12, 2005 at 9:50 AM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This almost sounds like the same kind of problem jewel thieves run into. The money you get from selling stolen jewels is very slim, even if you have a fence to go through. Even with eBay it's difficult to pawn off hot items. I think some almost intelligent guy thinks he's going to get rich after stealing, but realizes after he has the info there isn't an easy way to collect. I figured when there was a huge breach it was because Tony "no thumbs" hired Melvin "no dates" to get it.
if they are notified their info has been stolen then that can give them the heads up to check their credit report or they can change their ss number. That is what I would do if I got a notifiation letter. The notification letter needs to tell them steps they can take to secure themselves like that. if notification is all we have.
"the main security value of notification requirements is the cost"
Actually, another "finding" the report is that the notification laws have a deterrent effect:
"Another key finding indicates that in certain targeted data breaches, notices may have a deterrent effect. In one large-scale identity-level breach, thieves slowed their use of the data to commit identity theft after public notification."
And another finding is that, during that slow-down, cancelling the stolen CC numbers is an effective method to prevent damage. Loss of ID information such as a SSN, on the other hand...
Apparently the report is meant to say that if you buy ID Analytics services, you will be more effective in figuring out the real risk to consumers who have had their ID stolen from your company and how to minimize damage to your image by not alerting those who you decide are least likely to be harmed:
"It’s not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed."
Problem is, the companies that experience the breach are probably the last entity you would want deciding whether you should worry about your ID or not.
I suppose I should also mention that ID Analytics appears to suggest that risk assessments should use a "lost" versus "stolen" determination.
Your post the other day on "E-Hijacking" explains nicely why this can be dangerously attractive to companies who wish to avoid disclosing a breach:
"UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen."
Thank you for posting some calm thought on this as everyone else is running around like chickens with their heads cut off.
Although you may think that your old advice is obsoleate it is actually not.
There are a whole spectrum of people after not just your identity but any other item of information they can get.
Whilst information held by agencies is quite wide it is usually not comprehensive and is generall specific to a small area of peoples lives (finance), digging around in your trash can (Garbology/bin diving) is still a very usefull source of very up to date information with a much broader coverage.
The old Gum Shoe Private Eye might have evolved but there are many other lesser crocks and undesirables quite willing to snaffell your details, especially if you live in certain areas known to be populated by the "well healed"...
The fact that online/data source theft produces such a vast quantity of ID information does not change the basic premise that people may look through your garbage so you should remove and destroy confidential information not just financial but in all other aspects of your life...
Really, everyone's identity is probably already gone. The reason to nail companies for security breaches isn't the risk of identity theft (who can tell who lost your informationto the people who actually used it?), but loss of privacy.
The way to deal with identity theft is to make it unprofitable.
Could someone point me to some resource that explains what the report means by idenity data manipulation or "tumbling"?
"The way to deal with identity theft is to make it unprofitable."
Also, just because a database server is broken into doesn't mean the attacker even attempted to get the "exposed" information. Several times I have seen reports of database break-ins at schools and wonder if the student even knew that the server had a DB on it. Just because she had access to it, doesn't mean she even knew to look at it. Just something to keep in mind also...
"As an example, it takes approximately five minutes to fill out a credit application."
Maybe it can be automated (using a printer) ?
The N in this "study" is 4.
I'd be hesitant about any statistical inferences made, and I'd be reluctant to label this as either "independent" or as "confirmation". It is anecdotal evidence which supports a claim in which the reporting party has an interest. Davi's read on the nature of that interest seems spot-on to me.
That said, it nonetheless seems believable that
data which is targeted for theft, and which it's easier to steal an ID with (name + SSN) are more likely to be used than non-targeted and/or account # and name data.
It also seems sensible that if your name is in an urn with 1,000,000 others, it is less likely to be drawn than if it is in an urn with only 10,000 others.
I am disappointed that the play this report is getting has tended to focus on the "see? -- the actual risk is low!" angle (not including you in this, Bruce).
If I had a million mag-stripes worth of data, I'd raise funds by selling off some to fund the ID theft of the rest, so that business about $830K being hard to raise makes little sense to me.
One has to wonder if this "research" was funded by the lobbists backing the new federal legislation that will pull the rug out from under the existing state legislation requiring notification.
I think it is important to have full disclosure whenever private "identity" information is lost or stolen.
The problem is that any single entity that has data lost or stolen, can't correlate an individual's exposure.
Without full disclosure, Company A may decide that the account info in its custody for "Person 1" that was lost or stolen is not "critical" enough to warrant notification. Similarly, Company B that has some other private data for "Person 1" may also conclude that the data it had lost or stolen was not worthy of notification. However, if the same criminal group stole or gained access to both sets of data, they would now be able to correlate that data to start creating "intersection sets" of data for individuals that are in multiple stolen databases, allowing them to acquire quite valuable data for committing fraud and other sorts of crimes.
Only the individual, getting perhaps "minor" notifications from multiple entities reporting lost or stolen data would be able to understand the real exposure these multiple losses create for them.
notification laws are good! i bristle when biz or gov says it's not a good idea to notify me because i might become unduly alarmed, this tawdry old chestnut of a lie has been around since about 15 minutes after biz and gov were created. it treats me like i'm not smart enough to assess my level of risk for myself. it's patronizing and condescending. i am not a mushroom, to be kept in the dark and covered with shit.
Bruce, I beg your pardon to differ with your views here. Being a victim of identity fraud, I know first-hand how difficult it was for me emotionally to fix the mess (this was just a after a week after my daughter was born!).
Banking on the inefficiency of fraudsters and thinking that they may not strike you just because it is laborious for them go through their database is a weak argument. Why do they steal 500,000 customers data in the first place, because their mining field becomes more valuable with the size of the data.
Shoddy journalism by CNN--they don't indicate who paid for the ID Analytics report, or whether ID Analytics (who offers "fraud detection" services) happens to get most of its revenue from the credit industry.
"Bruce, I beg your pardon to differ with your views here."
I think you have misinterpreted my views.
"Banking on the inefficiency of fraudsters and thinking that they may not strike you just because it is laborious for them go through their database is a weak argument."
I don't think I'm using it as an argument for anything, except that the large-scale notifications are having a "boy who cried wolf" effect. Still, I think they're a good idea because they raise the costs of breaches to those entrusted with our data. Direct fines would be better, though.
"Why do they steal 500,000 customers data in the first place, because their mining field becomes more valuable with the size of the data."
Not really. They steal them in large blocks because they come in large blocks. I think everything else is ancillary to that.
Please don't misunderstand me. I think fraud due to impersonation is a huge problem, and one that we should not ignore. I have never said otherwise.
The report seems to say that fraudsters are not working hard enough, or that there are not enough of them to efficiently exploit all the data available to them out there. That's really too bad. Something must be done about it. Capitalism is such an efficient economic system. According to economy text books, the market will *always* make sure that any available resource is used as efficiently as possible. Inefficiency is usually a sign of not enough competition.
"'Why do they steal 500,000 customers data in the first place, because their mining field becomes more valuable with the size of the data.'
Not really. They steal them in large blocks because they come in large blocks. I think everything else is ancillary to that."
Um, the ID Analytics report attempts to say the exact opposite, that small blocks are stolen and lead to a higher probability of fraud. Note the quote in the Reuters article:
"'If you’re in a breach of 100, 200 or 250 names, there’s a pretty high probability that you’re identity is going to be used,' said Mike Cook, ID Analytics’ co-founder.
'The reason for that is if you look at how long it takes a fraudster to use an identity, they can roughly use 100 to 250 in a year. But as the size of the breach grows, it drops off pretty drastically.'"
ID Analytics is emphasizing that the percentage of victims (based on their analysis of four incidents from this year) is less than one percent in really big breaches. I understand their point, but I don't think the victims really care whether their information was stolen with 100 or 100,000 other identities.
I'm not a statistician, but as I mentioned elsewhere, it is not hard to imagine that if "fraudsters" today are believed to only process 100-250/yr then organized criminals are smart enough to find ways of hiring 100 people to process a total of 10,000 to 25,000/yr or more and the probabilities go up because of the residual value (e.g. companies have not notified the victims).
I wrote a little on my blog about who funds ID Analytics, but I also just found Written Testimony from them for the Subcommittee on Financial Institutions and Consumer Credit Hearing on H.R. 3997, the "Financial Data Protection Act of 2005". This is from Nov 9th, 2005:
This testimony is worth reading as it has some hidden gems such as:
"However, misuse rates could continue to increase drastically over time if the vibrant black market for “identities��? remains unimpeded. ... By selling any amount of the remaining identities (those not able to be used because of the 'feasible limit'), fraud rings could maximize the proceeds from their efforts and exact a far greater degree of harm to consumers, industry and government over time."
They also discuss the "tumbling" method that involves munging data in order to evade detection. See page six:
"The fraud ring in this example chose to manipulate the addresses submitted as part of the account applications over time, resulting in obscure, yet difficult-to-detect variations of the original address. The manipulations illustrated here amounted primarily to changes in apartment numbers or spellings of street names. Interestingly, scientists observed a dramatic increase in these manipulations in the latter days of the identity fraud scam."
Just a quickie. In the databases (especially credit card), are there any bogus entries? I figure if you salt the data with a few intentionally bad ones it might be easier to track someone if they happen to use it. You wouldn't have to wait until a customer suddenly realized these purchases weren't theirs and tried to stop it. The salted accounts would be marked bad from the beginning.
That hidden gem is the exact point I tried to make. Funny how in their press release they imply the exact opposite -- that the difficulty in funding the labor-intensive aspects of ID theft retards harm.
Well said! I'm all agree. Thanks everyone for their thoughts.
Just a little note from the UK
In the news this morning it was reported that something like upto 13000 Govenment employees have had their ID details stolen and used to claim "Tax Credits" by fraudsters.
Aparently the way the fraudsters did it was to enter the detasils on a UK Gov website, to claim the money and have it paid into somebody elses bank account.
Apparently the UK Gov has known about "this problem" for upto a year but has not so far done anything about it.
Most of the employees effected only found out through their union who let other members know. One or two employees have indicated that they have been threatened by their employeer with the Oficial Secrets act if they disclose any information. Also when trying to find out about which bank accounts have been used they again have been told they cannot have the information as it would contraveen the "Data Protection" act...
Once again an example of "Joined up government thinking" on behalf of the UK Government...
If you want more details look on the BBC website,
I'ld like to point out that the unused identities don't just fade away when a large block goes mostly unused. In the extreme example of all IDs being stolen, only a small percentage will actually be used in any given time period. But as some IDs get 'used up' others will be 'put in service'. Most security wonks today now say that the hacking motive (whether penetration, worm, virus, or spyware) has changed from fame to profit: how long before cleaver schemes to process large numbers of IDs evolve in this environment? An example I have thought of is matching stolen IDs against unclaimed property lists. Or using new e-money services to hit a large number of IDs with relatively small $ amounts. I don't think the story is written yet on this rapidly evolving crime. And a lost identity is like herpes, you are never really free from it, though it may appear to be in remission for some period of time, so notification is still critical.
I am not sure I understand your idea of making the financial company pay when they don't protect personal data and it gets stolen. Isn't that what happens today where I am only responsible for the first $50? The ultimate cost is still on the customer even though it is spread over all customers.
"I am not sure I understand your idea of making the financial company pay when they don't protect personal data and it gets stolen. Isn't that what happens today where I am only responsible for the first $50?"
Yes, that's exactly what happens today with credit cards: you are only responsible for the first $50. That mechanism has resulted in a pretty robust and secure credit-card system. We need that same sort of mechanism elsewhere.
" The ultimate cost is still on the customer even though it is spread over all customers."
That'll be true no matter what we do. We pay for increased security. We pay for increased theft. We pay regardless of how the system is designed. But if you make the data owner responsible for paying, he'll do his best to increase security. So the money you pay will actually make the system more secure -- instead of just lining the pockets of criminals.
On this topic, it is important to understand how people pay, do they pay a little and avoid big expense (like insurance) or do a few people pay a lot while most are relatively unaffected (uninsured). And of course, even in the 'robust' cc system, a truely lost ID can still cost quite a bit more in time and effort to clean up the mess, even if the consumer is only responsible for the first $50.
"understand how people pay, do they pay a little and avoid big expense (like insurance) or do a few people pay a lot while most are relatively unaffected (uninsured)."
At the moment in a large number of countries both.
As Bruce and others have pointed out for some types of fraud you are only liable for the first $XX and the financial institution the rest.
In other cases you are either liable for nothing or the whole amount (ie fraud where the signiture is easily proved as being false/not if proved nothing otherwise the whole amount and potentially other costs/losses as well).
However that is just the "single" financial cost of one fraud against your credit status. What is not known is if financial institutions are now running black lists where you effectivly get a black mark and therefore cannot get loans or other financial services simply because you have had a "fraud" (of any kind) registered against you.
As has been pointed out on earlier blogs atleast one organisation (who lost many peoples details) where apparently keeping records of peoples transactions and "charge backs" to identify potential fraud. Supposedly so they could flag it up at an early stage.
On the face of it it appears like a good idea, however how long before the cost of checking back with the individual means that they get put on a list where they do not get benifits that others not on the list do.
Basically it is not just financial loss you need to consider.
Your newsletter from 12/15/05 has a periodic end.
This is what comes by 100 or more times:
For a while I've been saying that most stolen identities are never
used. It's nice to see some independent confirmation:
I think it is a mail that was to long to display correct by firefox 1.0.7. What a funny and worth thing itself. So I cant read the topics under the news block in this mail.
I dont even know if others have this problem, but I wish (cause its chrismas) a new letter with the informations under the newsblock.
Catch my mail from optional part.
Thank you and
Interesting news about the Guidance Software breach, especially since they are the self-proclaimed "leader in computer forensics and incident response solutions".
Note that victims are already reporting large amounts of fraud. Apparently only about 4,000 identities were reported to be stolen and Guidance was not in compliance with the PCI data security standards at the time of the breach.
why would someone need to make up foney names and addresses that are all conected to the same ss#? what could they be trying to do? i have a family member who has been doing this for YEARS. he does not work and has $??? he is up to something and i can not figure out what! please shed some possible light on this! thanks
I opened a new account earlier this year but never had the time to use it. Today i received a request from someone wanting to join "my friends." Out of curiosity I went back through my emails and retrieved the original account information and password initially forwarded to me after opening the account. Lo and behold the password worked and there before my eyes was a page containing pornographic photos and videos and material i personally would never want to be associated with. It was still under my name with my current email address.
I have been a journalist and documentary filmmaker for over 20 years and have been the target of malicious personal attacks because of my political stance in questioning US foreign policy. Anyone who saw this MySpace page in my name would have associated it with my person and reputation which I find frightening. Again, access to this page was only possible by using the original password that was sent directly from MYSpace.com.
Needless to say, I immediately deleted the account after creating a .pdf of the contents to forward to my attorney.
The interesting thing was that the first friend on the account was a photo of a man named Tom. I have since learned he is Mr. MySpace himself.
Beware of MySpace, their role and intention is less than transparent and clear to me.
My social security card was stolen over 3 years ago, along with a check book and several credit cards. I was able to cancel the check book and credit cards, placed fraud alerts with all 3 credit agencies immediately and filed a police report. About 5 months after the theft, someone used one of those cancelled checks at a gas station for $20 and forged my name. There in involved a long process of disputing the charge AND the check, and providing proof that I was a victim of identity theft. However, my credit report has remained clean to this day (knock on wood!!!!) with no new opened accounts or false information. I am still perplexed and have always braced myself before checking my credit report every 3 months, but...am not complaining! I sincerely hope and pray that I was lucky enough to NOT be the 1 out of 1,000....but, knowing that my social security number is floating around out there does continue to make me nervous and anxious. This report made me feel a lot better though....
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.