The real problem in ID theft

In “Reckoning day for ChoicePoint,” Rich Stiennon writes:

The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution to the old-fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and over-extended borrowers.

He’s right. The players at the heart of identity theft in the U.S. are the credit bureaus. But what they’ve done is more than just create a system which is prone to identity theft. Let’s review how the credit bureaus work. They serve businesses by selling information about creditworthiness. Their customers (businesses extending credit) are happy to charge higher rates to people with poor credit, so there is little incentive for either the business or the bureau to eliminate errors from the credit data. Worse, as the problem of identity theft becomes more widespread, the credit agencies can sell “credit monitoring” services to consumers and “enhanced authentication” to businesses, and make even more money.

The credit agencies now run TV commercials touting credit monitoring, threatening people with identity theft. They don’t quite say “nice credit score you’ve got there. Shame if we were to do something to it,” but they come close.

Small wonder it’s hard to address the problem.

Rich closes:

I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.

I think it would be simpler to remove their exemption from libel law. The credit agencies share default data just fine. They should have to share remedial data as well, or be accountable for the costs which they impose by their negligence.

Damn You, Beaker!

Yesterday Hoff blogged about McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security” and added ten more of his own. I’m particularly annoyed at him for #4:
Awareness initiatives are good for sexual harassment and copier training, not security.
Why? Because, damn, that really sums it up. I wish that I had thought of this one myself. As I’ve said in the past, I think that awareness training is way underappreciated in security, and Chris just had to go and be far more eloquent in one sentence than I was in several paragraphs. Hey Chris, mind if I steal this?

US Banks Rated for Identity Theft

Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution.
Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed decisions about with whom to do business. In an earlier paper, he argued that banks should publicly disclose identity theft statistics.
From the current paper’s abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is an area fraught with methodological challenges, many of which are due to data that is sparse or proprietary (as I have intimated with regard to ID Analytics, for example). Chris’ paper simultaneously shows what can be done with what we have, and why we’d be better off if we had more.

Saying it loud — OpenID leads to phishing
Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly:

OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become.

There you have it.

It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, “Welcome to <insert-name-here>, now go home.”

As a Mac user, I am often asked whether someone should switch to a Mac because it’s more secure. My response is that the only reason a Mac is more secure than a PC is that it’s only people like me who use them. As soon as hordes of people start using them, they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don’t think you should switch to a Mac because it’s more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It’s Open Source! (Cue sounds of angels singing.) People tell me it’s really nice. And I hate Leopard.

Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.

OpenID is similar in that it’s a safe neighborhood because people like me don’t go there. Once enough people like me start going there, it’s not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.

I am happy to help keep OpenID secure by not using it. I’ve already written about what I think is better.

What I find amusing about Cameron’s epiphany is his solution for the problem. He thinks that OpenID should become part of CardSpace, and thus be shipped with Windows.

There’s a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I’ll not make it. I’ll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.

I am again using the photo “Trunk ‘n Branches” by slightly-less-random because it is the only image in Flickr that comes back from the search of “cardspace phishing” and one of two for “openid phishing“.

Not Dead Yet
Dan Solove has an interesting article up, “Coming Back from the Dead.” It’s about people who are marked dead by the Social Security Administration and the living hell their lives become.

Dan starts with quotes from the WSMV News story, “Government Still Declares Living Woman Dead”:

According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there’s no end to the complications the situation creates.

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.

I’d propose a different solution: libel law. These organizations are making false and defamatory statements about people. They should be held accountable, under existing law.

I’ve been discussing libel and the credit agencies for years, in posts like “Because That’s Where The Money is: Ethan Leib’s ID Theft” or “Government Issued Data and Privacy Law.” I’ve yet to hear why libel law isn’t a reasonable and easy approach to the problem. As Nick Szabo comments in “The Discovery of Law,” “common law is a painstaking way of discovering and making better law, case by case, dispute by dispute, piece of evidence by piece of evidence.” I’m not calling for a broad overhaul. I think that a common law approach to libel would likely address many of our issues with the way data flows between organizations.

More airport security toys

“Let’s play ‘airport security’,” says Foreign Policy. It’s like playing Doctor, only with latex gloves and inappropriate touching.

In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we’ve developed a new play and learning toy and resource web site to promote and educate security procedures.

It’s not really clear who “we” refers to here. The, also refers to “” That sounds like the sort of pliable marketing channel who’ll sell anything for a buck, so maybe it’s not them who’s really behind this thing. OperationCheckpoint has four different names on a single landing page. (OperationCheckpoint,, Wizard Industries and Product Exposure Services.) If only we had ID for the forces of evil. Maybe these guys could carry sample National ID cards, and kids’ tattoo guns, too.

Previously, “From the mouths of toymakers:”

Dubai banks hiring hackers (no word on if a drug test is needed)

Dubai, as Adam pointed out, is in something of a branding quandary. A hard line – some would say a retrograde and counterproductive line – on victimless crime doesn’t mix well with an image as a fun spot for the well-heeled.
Meanwhile, there’s this (from Emirates Business 24-7, retrieved 2/21/2008):

Dubai-based banks are recruiting former hackers to shore up their information security systems, said an information technology expert.
Addel Wahab Ahmed Mostafa, an IT consultant and chief of the technical committee at information company UAE Data Warehouse PM, said banks were hiring hackers in a bid to stay one step ahead of potential breaches.
Most of the big organisations are employing ex-hackers.
In Dubai banks are hiring hackers to protect themselves because how else do you protect yourself from hackers?
You must figure out the measures they use and use them yourself.
He said 60 per cent of hacking originated inside organisations or was carried out by former employees.

(emphasis mine)
I see a mixed message being sent here. And by the way, from the tone of the article it is clear that “ex-hacker” doesn’t mean “broke the law ten years ago,” so let’s not start that flame war.

Cat Le-Huy, Dubai and the moral high ground
Cat Le-Huy is a friend of friends who has been “detained” entering Dubai. I put detained in quotes, because he’s been thrown into prison, where he’s now spent a few weeks.

He claims he was carrying melatonin, which is legal in Dubai, and the authorities have charged that there was .001 gram (1 milligram) of hashish, which is basically a few specks of dust. The law firm representing him wants a £25,000 retainer.

It used to be that the United States, the United Kingdom (where Cat lives), and Germany had a certain moral high ground with regards to the arbitrary detention of their citizens. Unfortunately, the executives of our countries have tossed away that high ground with our own arbitrary detentions. In the US, we detain not only foreigners, but our own citizens.

So, what does this mean to you?

First, please donate to Cat’s legal defense fund.

Second, don’t go to Dubai. They’re competing to be the next “Disneyland with the Death Penalty,” and that should hurt their businesses and that should hurt their bizarre attempts to bring in tourists.

It might mean other things, but we’ll leave that for future blog posts.

[Updated: fixed donation link.]

Time To Rethink The Efficacy Of That Hard Drive Crypto

As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys. In it, they show that passwords and encryption keys can be recovered from DRAM even after a full shutdown. It turns out that DRAM doesn’t lose its contents immediately after losing power. As a result, they have been able to successfully extract keys for BitLocker (Vista), TrueCrypt (multiplatform open source) and FileVault (OS X). They can even take the DIMMs out of the target computer, move them to another machine, and then find the keys without interference from the original host OS. How cool is that? I imagine it won’t be long before this gets implemented in forensics software and/or hacking tools.
[Via Boing Boing]
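The interesting part is how you find a key in a few gigabytes of dumped RAM. The paper’s authors point out that an AES key doesn’t sit in memory as a bare 16 bytes: the cipher expands it into a 176-byte key schedule, and every round key is a deterministic function of the one before it. So a scanner can treat each 16-byte window as a candidate key, re-expand it, and see whether the next 160 bytes are what the expansion predicts. The following is an added example of mine, not code from the paper or its authors, that does exactly that over a constructed 2 KiB “dump” with one schedule embedded and two bytes deliberately corrupted to mimic decay. The sample image, its offsets and the crude byte-count tolerance are assumptions for illustration; the authors’ tool corrects bit errors using the schedule’s structure rather than a simple mismatch count.

```python
"""Locate AES-128 key schedules in a raw memory image.

Added example (not code from the cold-boot paper or its authors): an expanded
AES key lives in RAM as a highly redundant 176-byte key schedule, so a
candidate 16-byte key can be confirmed by re-expanding it and comparing the
result against the bytes that follow it. The sample image, its offsets and
the simple byte-count tolerance for decayed cells are assumptions made for
illustration.
"""
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _make_sbox():
    """Build the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s, r = inv, inv
        for _ in range(4):                      # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _make_sbox()
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])   # RotWord, then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]            # xor the round constant
            rcon = _gf_mul(rcon, 2)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_keys(image, max_bad_bytes=0):
    """Return (offset, key, mismatched_bytes) for every 176-byte window whose
    first 16 bytes expand to (almost) the window itself.

    max_bad_bytes tolerates decayed cells in the derived round keys only; the
    16 candidate key bytes themselves must be intact, a limitation the paper's
    error-correcting search does not have.
    """
    hits = []
    for off in range(len(image) - 175):
        k = image[off:off + 16]
        # Cheap filter: predict w[4] = w[0] ^ SubWord(RotWord(w[3])) ^ Rcon[1]
        # and compare it before paying for a full expansion.
        t = bytes(SBOX[b] for b in k[13:16] + k[12:13])
        w4 = bytes([k[0] ^ t[0] ^ 0x01, k[1] ^ t[1], k[2] ^ t[2], k[3] ^ t[3]])
        if sum(a != b for a, b in zip(w4, image[off + 16:off + 20])) > max_bad_bytes:
            continue
        bad = sum(a != b for a, b in zip(expand_key_128(k), image[off:off + 176]))
        if bad <= max_bad_bytes:
            hits.append((off, k, bad))
    return hits


def build_sample_image(seed=1234, key_offset=512):
    """Constructed 2 KiB 'dump': pseudo-random filler with one schedule embedded
    and two round-key bytes corrupted to mimic decay after power loss."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[key_offset:key_offset + 176] = expand_key_128(FIPS_KEY)
    image[key_offset + 40] ^= 0x01    # one bit flipped in round key 2
    image[key_offset + 133] ^= 0x80   # one bit flipped in round key 8
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("exact search:", find_aes128_keys(img))
    for off, key, bad in find_aes128_keys(img, max_bad_bytes=4):
        print(f"key schedule at {off:#x}: key {key.hex()}, {bad} decayed bytes")
```

Run it and the exact search finds nothing, because two bytes of the embedded schedule have decayed, while the tolerant search recovers the FIPS test key at offset 0x200 with two mismatches. The point for defenders is the one the paper makes: the redundancy that makes the schedule easy to confirm is inherent to AES, so the only real fix is to keep the key out of DRAM or wipe it before the machine can be cold-booted, not to hide it better.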

Back in the ring to take another swing

Via Kable’s Government Computing, comes news that the British House of Lords “Science and Technology Committee has announced a follow-up inquiry to its ‘Personal Internet Security’ report”.

Chair of the committee Lord Sutherland said: “The committee was disappointed with the government’s response to its report. We felt they had failed to address some of our key concerns about people’s security on the internet.
“The House of Lords is likely to be debating the report in the summer and to ensure that the debate is as well informed as possible we have decided to seek key stakeholders’ views on the government’s response.”

Kable’s Government Computing, 2008-02-21
I speak American English, so I may not be up on the nuances, but I think Lord Sutherland is saying that they’re going to line up a bunch of experts to say what absolute dolts the government were in ignoring the recommendations put forth by the Committee last year.

Here we go…

Experian sues Lifelock.
I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism.
I’d like to see some numbers showing the efficacy of these approaches. I am pretty sure Lifelock or Debix can produce them for the ‘automated fraud alert’ approach. I don’t know what ID Analytics has.

Sivacracy on Privacy and Surveillance

Last week, Siva Vaidhyanathan, of Sivacracy, released a new column in the Chronicle of Higher Education, “Naked in the ‘Nonopticon’,” which has some refreshing thoughts on privacy and surveillance that I wish more of us on the security side understood better. His main themes are (in his own words):

1) Anyone who claims “young people don’t care about privacy” doesn’t understand that privacy is about control, not about whether we choose to reveal our sexual or consumer details in public forums.
2) We have at least four “privacy interfaces” and try to govern our details and reputations differently in each one. For instance, we regulate information about ourselves one way among friends and family, and a different way with Amazon or Google.
3) The “Panopticon” model of surveillance is stale and inapplicable to the current situation. We don’t suffer from knowing we are being watched. We suffer more from the surveillance we are not supposed to see or understand — such as the illegal domestic wiretapping in the United States.

Additionally, his reviews of Daniel Solove’s and James Rule’s new books make me wish I had more time to read in the next few weeks.