The Business Forum



Identity, Identifiers and Identity Fraud

Author: William H. Murray, CISSP
Contributed by:
Cybertrust, Inc.

Introduction

Recently the press and the public policy makers have begun to speak of “Identity Theft” as though it was a novel concept requiring severe new legislation. These laws are likely to put significant new burdens on business. While most identity theft problems originate via plain old “snail mail,” the discussion these days is all about the Internet. The sponsors of the legislation point to exponential growth in the problem as justification for these laws.

This paper suggests that the “growth” actually comes from redefining traditional fraud, not from the growth of the Internet. It begins with a discussion of the concept of identity and ends with recommendations for individuals, fiduciaries and merchants to safeguard themselves.

Identity

What do we mean when we speak of “identity?” One way to look at it is that we are talking about a combination of body, mind, and personality. These three things can each be independently demonstrated and verified but they are not separable. It seems clear that these cannot be “stolen” in the sense of being converted to someone else’s use.

An identity has a number of attributes including character, reputation, credit, and rights. The legal rights include civil rights, the right to own property, and the right to enter into contracts. The individual can work, travel, stand for office, and vote. He can pass his property to heirs of his choice. He may marry and adopt. In the “village,” the bond between the individual and these attributes was recorded in the collective memory. Nonetheless, to some degree or another, the attributes are separable from the identity. For example, as recently as a hundred years ago, when public records were limited, and credentials were not required for, or even available for, travel, it was possible for the individual to walk away from his or her village and start over with a new “identity.”

In the modern world, the bonds between identity and attributes are more tenuous than they were in the village. On the other hand, they are portable; one can enjoy them while traveling or take them when moving. These attributes can be recorded in official, permanent, and other records. They can be tokenized -- substituted for by a symbol. They can be collateralized -- converted into a document, credential, or other instrument. They can be vouched for, or even guaranteed by, a third party. They can be monetized; that is, in cooperation with another party, they can be converted into currency that can be used to buy goods and services.

Identifiers

We use labels, i.e., names and other identifiers, to refer to the individual or identity and to record the association between the identity and its attributes. We identify ourselves by our names and have a preference for them in most relationships. However, most names are ambiguous; a given name may refer to tens, hundreds, or even thousands of individuals. To reduce the ambiguity, we use the name in association with other information. For example, name and address may be more specific, as may name and date of birth (DoB). Of course, name and address may still not distinguish between members of different generations residing together, and there could be two or more people sharing both a name and a birthday. However, for all practical purposes, name, date of birth, and place of birth (PoB) are enough to uniquely identify a single individual.

In the world of modern information systems, with cheap random-access storage, databases, directories, displays, and point-and-click data entry, name and address, date of birth, and place of birth should be adequate for most applications. However, for most of the twentieth century they were not. Both storage and recording were so expensive that, for the sake of efficiency, institutions created alternate identifiers. The most obvious and universal of these is the social security number (SSN), created by the then-new Social Security Administration in the 1930s and assigned to all workers.

The military began to assign service numbers about the same time. These substitutes for names reduced ambiguity, keystrokes, storage requirements, and errors. In modern times, these numbers have been combined into a single number, extended to all citizens, and assigned shortly after birth. They are now used by credit bureaus, employers, credit card companies, banks, and others. In spite of all laws prohibiting their use for that purpose, SSNs are now the identifier of choice for many institutions and applications.

Identity Fraud

One Saturday morning at the barber’s, I listened to the tale of woe told by the man in the next chair. It seems that his mailbox was rifled. The perpetrators took only credit card statements. They tore the remittance advice from the statement. They turned it over and used the form on the back to submit a change of address from my neighbor’s address to an accommodation address in Northern New Jersey. [1] When they began to receive statements at that address, they called the customer service number and asked the bank to send them some drafts. When the drafts arrived, they used them to draw down my neighbor’s line of credit.

The perpetrators did not change the phone number when they changed the address. We know that because when the account became delinquent, my neighbor began to get collection calls. At this time, the police were called in. They immediately recognized the accommodation address. The police had already placed it under surveillance but the perpetrators had also abandoned it.

[1] For most of my professional career, I have been trying to get the banks to confirm changes of address to the old address. Brokerage houses have always done it. I can only conclude that the banks have done an economic analysis and have concluded that it would not pay.

Notice that it takes quite a bit of information to pull off one of these frauds. In this particular case, all of the information necessary and, incidentally, the necessary forms were included in a single mailing. This scam is a simple but common form of identity fraud.

A more sophisticated but less common form is that in which the perpetrators use public and independent sources to learn enough about a victim to be able to initiate transactions in his name, or to apply for accounts in the victim’s name but at the perpetrator’s address. Most of the information required to do this is a matter of public record; all of it is available from credit reporting agencies for a fee.

Abraham Abdallah duped the credit reporting agencies, including TRW, Equifax, and Experian, into providing detailed reports on his extremely rich victims (Fortune Magazine’s list of the 400 richest people). He then used this information to dupe the victims’ fiduciaries into transferring money to accounts that he controlled. He submitted the transactions by e-mail or fax. Knowing that the fiduciaries would want to verify the transactions, he would include telephone numbers where he could be reached. However, when the fiduciaries called those numbers, they reached a voice mailbox answered in the victim’s name. Often that was sufficient for them to complete the transaction.

In at least one instance, an officer for a fiduciary used a phone number from his own files, rather than the one in the order, to determine that the transaction was not authentic. The officer was alerted by the form of the request (an e-mail), the amount of the transaction ($10M), the destination (Australia), and the destination account (recently opened). Abdallah was arrested when he showed up to take delivery on contraband equipment intended to help him counterfeit credit cards in the names of his victims. While the popular press likes to describe these frauds as “identity theft,” they are really classic frauds. While it is true that they use personal information to make the transactions appear to be authentic, they really do not rise to the level of identity theft. The targets in these frauds did not suffer permanent damage to their name or credit. They did not even suffer any material financial loss. The term “identity theft” should be reserved for those cases that really deserve it.

The popular press also likes to associate these frauds with high technology in general and the Internet in particular. Here they have a slightly better case but one might also take note of how low tech these frauds really are. It is true that more business is being done electronically than ever before; less on paper. Therefore, more fraud is electronic than ever before. To the extent that electronic transactions are successful, they generate more business. More business generates more crime. However, one can make an equally good case that high technology also makes fraud more difficult. For example, in the paper system one could only reconcile one’s accounts monthly. Today, one may reconcile daily if one wishes. A wire room operator in a Chicago bank colluded with several outsiders to transfer $70M to banks in Vienna. The transfers were charged to the accounts of three large customers. Because those customers reconciled their accounts daily, the bank knew about the fraud within hours of close of business. Before dawn they had identified and arrested all of the perpetrators and had officers in Vienna to assert their claim to the funds.

While the press focuses on the hazards and vulnerabilities of the networked environment, most of the moves have been to improve control, not just service. Shortly after Reuters reported on Abraham Abdallah, I received a call from a colleague in Bermuda. He wanted to advise his client, a private bank, on accepting electronic payment orders from their big balance customers. Specifically he wanted to know about the control that requires that electronic payments be made only to pre-registered accounts. It seems that the bank was trying to accommodate customers that wanted to make large payments to arbitrary parties without the registration delay.

Abdallah was able to do what he did in large part because fiduciaries are willing to take some risk in order to accommodate the wishes and intentions of their most affluent customers. It is important to recognize that while identity theft can be devastating to the target individual, in most cases it is the fiduciary that takes the financial loss; this is the reason that we use them. While most of the advice on how to avoid identity theft is aimed at the individual, it is the fiduciary that has most of the control. Most of the advice to the consumer is aimed at “protecting his privacy,” that is, at keeping confidential the information likely to be abused.

Consider the recommendations of the Federal Trade Commission at http://www.consumer.gov/idtheft/risk.htm.

They suggest that you catch identity theft early by annually checking your credit report. On average you will note a problem in six months. This seems late to me. On the other hand, it may be the only way to learn of accounts in your name opened by others.

Recommendations for the Individual

  • Prefer electronic accounts. Despite myths to the contrary, electronic systems are more secure than paper.

  • Prefer “e-mail” statements. As a rule, one simply gets a notice that the statement is ready and must log on to retrieve the (PDF) statement. It really is harder for a perpetrator to do this than to rifle a mailbox.

  • Stop or forward your mail when you are away. I recently returned from a trip to find a note from the local police informing me that a stranger had been observed rifling the mailboxes in our neighborhood. Fortunately for me, I had stopped delivery on my mail before leaving on my trip.

  • Empty your mailbox every day.

  • Prefer a locked mailbox.

  • Consider the use of a post office box or an accommodation address. Federal law to the contrary notwithstanding, people do rifle mailboxes.

  • Limit the number of your accounts to a sufficiently small number that you would miss a statement that did not arrive.

  • Consider giving your fiduciaries a secret code-word in lieu of such public information as your mother’s maiden name.

  • Put only the last five digits of your SSN on applications. Remember that the real purpose of the SSN on an application is to reduce any ambiguity in name and address when making an inquiry of the credit reporting agencies. (If a fiduciary does not want to do business with you on that basis, look seriously at the competition.)

  • Prefer one-time credit card numbers (e.g., American Express Private Payments) or store-of-value cards (e.g., Visabuxx, extramoney GiftCard) on the Internet.

  • Give permanent credit card numbers only to highly reputable merchants with whom you expect to do business frequently.

  • Prefer major merchants on the Internet. While only 1 offer in 40,000 on eBay is fraudulent, that is higher than when dealing with major merchants.

  • Do not keep large balances in a checking account. Do not link accounts or use overdraft arrangements.

  • Use escrow agents when making major purchases from strangers on the Internet.

  • Consider the use of PayPal, Yahoo! PayDirect, or BillPoint.

  • Reconcile your statements promptly. Prefer on-line reconciliation, so that you reconcile a few transactions frequently rather than a large number infrequently. This is the most important and effective control. Nothing above will compensate for its absence; it will compensate for a great deal.

Recommendations for Fiduciaries

Remember that it is the fiduciary that takes most of the losses in identity fraud. You are more likely to be defrauded by an employee than an outsider, by a manager or an officer than by non-management. You are more likely to be defrauded at application time than at transaction time, at exception time than at routine transaction time.

  • Train your people. There are very few identity frauds that do not involve some successful “social engineering.”

  • Collect only that customer data that you must.

  • Protect all customer data that you collect. Keep in mind that if it is compromised, it will most likely be used against you.

  • Prefer the use of secret data to authenticate customers. Never authenticate a customer on the basis of a single piece of public data, e.g., social security number.

  • Use digital signatures for large accounts.

  • Consider the use of dynamic data elements such as recent transaction data to authenticate customers or other trading partners over the phone.

  • Confirm all transactions out of band. Be sure that employees can neither cause nor prevent such confirmations.

  • Confirm all changes of address to both the old and the new address before mailing a statement.

  • Consider processing name changes as the closing of one account and the opening of another.

  • Do not put the entire account number on the statement in the clear. Prefer partials (e.g., first four and last four digits), one-time tokens, vouchers, or reference numbers. Require that the entire account number be written in order to change address data.

  • Collect e-mail addresses or fax numbers to be used as an alternative to paper for out-of-band confirmations of transactions or changes.

  • Involve an officer, selected at random by the computer, in the most sensitive activity. That activity should be identified by such measures as amount, the level of trust in the payer and payee, and how usual or unusual the activity is.

  • Reconcile all variances promptly.
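The address-change, statement-masking and random-review controls from the list above, modelled in Python as an added example; this is not code from the paper or from Cybertrust, and the account numbers, addresses and review threshold are constructed sample values.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

def mask_account_number(number: str) -> str:
    """Statement partial: first four and last four digits, the rest masked."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= 8:
        raise ValueError("too short to mask meaningfully")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]

@dataclass
class Account:
    number: str                 # full number; never printed in the clear
    address: str
    pending_address: Optional[str] = None
    confirmations: set = field(default_factory=set)

def request_address_change(acct, number_given, new_address):
    """Accept a change only with the full account number, then hold it until
    both the old and the new address confirm. Returns addresses to notify."""
    if number_given != acct.number:
        raise PermissionError("full account number required to change address")
    acct.pending_address = new_address
    acct.confirmations = set()
    return [acct.address, new_address]

def confirm_address_change(acct, from_address):
    """Record one out-of-band confirmation; apply the change only once both
    the old and the new address have confirmed."""
    if acct.pending_address is None or from_address not in (acct.address, acct.pending_address):
        return False
    acct.confirmations.add(from_address)
    if acct.confirmations == {acct.address, acct.pending_address}:
        acct.address, acct.pending_address = acct.pending_address, None
        acct.confirmations = set()
        return True
    return False

def statement_destination(acct):
    """Statements are held, not mailed, while a change of address is pending."""
    return None if acct.pending_address else acct.address

def select_reviewing_officer(amount, threshold, officers, rng=random):
    """Above the threshold, a reviewing officer is chosen at random by the
    system (not by the requester); below it, no extra review."""
    return rng.choice(officers) if amount >= threshold else None

def barber_chair_scenario():
    """Replay the mailbox case: the perpetrator holds only the partial printed
    on the statement, so the change of address is refused."""
    acct = Account("4000123456789010", "12 Elm St, Anytown")  # constructed
    printed = mask_account_number(acct.number)
    try:
        request_address_change(acct, printed, "PO Box 99, Northern NJ")
        refused = False
    except PermissionError:
        refused = True
    return {"printed": printed, "refused": refused, "address": acct.address}
```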

Recommendations for Merchants

There are two issues for the merchant. The first is being sure that he is doing business with the person that he intends, that is, that he is not the victim of fraud. The second is that he protects all of the information that he uses for the first, that is, that he does not contribute to fraud by others against his customers.

The classic form of fraud against the merchant is the bad check. The customer pretends to be someone that he is not or to have funds that he does not. While there are a number of techniques that the merchant can use to resist bad checks, they all involve cost and none of them is foolproof. The modern equivalent of the bad check is the bad credit card number. The customer uses a good credit card number that does not belong to him.

On-line merchants frequently store customer names and addresses so that return customers do not have to re-enter them. For the same reason, they may store credit card numbers. They have a special obligation to protect this information from exploitation by others.

  • Require two credentials, including a valid in-state driver’s license, when cashing checks. Reconcile photo to the customer, signature to that on the check, and name and address. Record the license number on the check.

  • Use on-line check guarantee services to ensure that the driver’s license is valid, that there is no previous fraud associated with it, and to compensate you for the inevitable losses.

  • Use on-line services at the point of sale to verify that credit cards are valid, current, and within credit limits.

  • Protect any and all customer identifying information stored on systems from employees, other users, and rogue hackers. (Consider the recommendations of SANS, MasterCard or Visa for the operation and security of your web site.)

  • Where offered, use out-of-band authentication of customer ID (e.g., Verified by Visa, MasterCard SecureCode). These mechanisms resist fraudulent use of a credit card number, reduce charge-backs, and may offer a lower rate. Prefer banks that offer this service.


Author’s web site: http://www.cybertrust.com
Copyright The Business Forum Institute 1982 - 2010  All rights reserved.