Essays in the Category “Identity Theft”
Impersonation isn't new. In 1556, a Frenchman was executed for impersonating Martin Guerre and this week hackers impersonated Barack Obama on Twitter. It's not even unique to humans: mockingbirds, Viceroy butterflies, and the brown octopus all use impersonation as a survival strategy. For people, detecting impersonation is a hard problem for three reasons: we need to verify the identity of people we don't know, we interact with people through "narrow" communications channels like the telephone and Internet, and we want computerized systems to do the verification for us.
This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.
THERE ARE THREE REASONS for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law -- "They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing" -- is just wrong.
Identity theft is the information age's new crime. A criminal collects enough personal data on the victim to impersonate him to banks, credit card companies and other financial institutions. Then he racks up debt in the victim's name, collects the cash and disappears. The victim is left holding the bag.
This essay appeared as the second half of a point-counterpoint with Marcus Ranum. Marcus's side can be found on his website.
Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don't have the capability to protect that information.
California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.
Except that it won't do the same thing: The federal bill has become so watered down that it won't be very effective.
The epidemic of personal data thefts and losses -- most recently 40 million individuals by Visa and MasterCard -- should concern us for two reasons: personal privacy and identity theft.
Real reform is required to solve these problems. We need to reduce the amount of personal information collected, limit how it can be used and resold, and require companies that mishandle our data to be liable for that mishandling. And, most importantly, we need to make financial institutions liable for fraudulent transactions.
Criminals follow money. Today, more and more money is on the Internet: millions of people manage their bank, PayPal, or other accounts -- and even their stock portfolios -- online. It's a tempting target -- if criminals can access one of these accounts, they can steal a lot of money.
And almost all these accounts are protected only by passwords.