Recently the press and the public policy makers have begun to speak of “Identity Theft” as though it was a novel concept requiring severe new legislation. These laws are likely to put significant new burdens on business. While most identity theft problems originate via plain old “snail mail,” the discussion these days is all about the Internet. The sponsors of the legislation point to exponential growth in the problem as justification for these laws.

This paper suggests that the “growth” actually comes from redefining traditional fraud, not from the growth of the Internet. It begins with a discussion of the concept of identity and ends with recommendations for individuals, fiduciaries and merchants to safeguard themselves.

What do we mean when we speak of “identity?” One way to look at it is that we are talking about a combination of body, mind, and personality. These three things can each be independently demonstrated and verified but they are not separable. It seems clear that these cannot be “stolen” in the sense of being converted to someone else’s use.

An identity has a number of attributes including character, reputation, credit, and rights. The legal rights include civil rights, the right to own property, and the right to enter into contracts. The individual can work, travel, stand for office, and vote. He can pass his property to heirs of his choice. He may marry and adopt. In the “village,” the bond between the individual and these attributes was recorded in the collective memory. Nonetheless, to some degree or another, the attributes are separable from the identity. For example, as recently as a hundred years ago, when public records were limited, and credentials were not required for, or even available for, travel, it was possible for the individual to walk away from his or her village and start over with a new “identity.”

In the modern world, the bonds between identity and attributes are more tenuous than they were in the village. On the other hand, they are portable; one can enjoy them while traveling or take them when moving. These attributes can be recorded in official, permanent, and other records. They can be tokenized -- substituted for by a symbol. They can be collateralized -- converted into a document, credential, or other instrument. They can be vouched for, or even guaranteed by, a third party. They can be monetized; that is, in cooperation with another party, they can be converted into currency that can be used to buy goods and services.

We use labels, i.e., names and other identifiers, to refer to the individual or identity and to record the association between the identity and its attributes. We identify ourselves by Our names and have a preference for them in most relationships. However, most names are ambiguous; a given name may refer to tens, hundreds, or even thousands of individuals. To reduce the ambiguity, we use the name in association with other information. For example, name and address may be more specific as may name and date of birth (Dub). Of course, name and address may still not distinguish between members of different generations residing together, and there could be two or more people sharing both a name and a birthday. However, for all practical purposes, name, date, and place of birth (PoB) are enough to uniquely identify a single individual.

In the world of modern information systems, with cheap random-access storage, databases, directories, displays, and point-and-click data entry, name and address, Date of Birth, and Place of Birth should be adequate for most applications. However, for most of the twentieth century they were not. Both storage and recording were so expensive that for the sake of efficiency, institutions created alternate identifiers. The most obvious and universal of these is the social security number (SSN), created by the then-new Social Security Administration in the 1930’s and assigned to all workers.

The military began to assign service numbers about the same time. These substitutes for names reduced ambiguity, keystrokes, storage requirements, and errors. In modern times, these numbers have been combined into a single number, extended to all citizens, and assigned shortly after birth. They are now used by credit bureaus, employers, credit card companies, banks, and others. In spite of all laws prohibiting their use for that purpose, Sans are now the identifier of choice for many institutions and applications.

The perpetrators did not change the phone number when they changed the address. We know that because when the account became delinquent, my neighbor began to get collection calls. At this time, the police were called in. They immediately recognized the accommodation address. The police had already placed it under surveillance but the perpetrators had also abandoned it.

Notice that it takes quite a bit of information to pull off one of these frauds. In this particular case, all of the information necessary and, incidentally, the necessary forms, were all included in a single mailing. This scam is a simple but common form of identity fraud.

A more sophisticated but less common form is that in which the perpetrators use public and independent sources to earn enough about a victim to be able to initiate transactions in his name or apply for accounts in the victim's name but the perpetrator’s address. Most of the information required to be able to do this is a matter of public record; all of it is available from credit reporting agencies for a fee.

Abraham Abdullah duped the credit reporting agencies including TRW, Equifax, and Experion, into providing detailed reports on his extremely rich victims (Fortune Magazine’s list of the 400 richest people). He then used this information to dupe the victims’ fiduciaries into transferring money to accounts that he controlled. He submitted the transactions by e-mail or fax. Knowing that the fiduciaries would want to verify the transactions, he would include telephone numbers where he could be reached. However, when the fiduciaries called those numbers, they reached a voice mailbox answered in the victim’s name. Often that was sufficient for them to complete the transaction.

In at least one instance, an officer for a fiduciary used a phone number from his own files, rather than the one in the order, to determine that the transaction was not authentic. The officer was alerted by the form of the request, an e-mail, the amount of the transaction, $10M, the destination, Australia, and the destination account, recently opened. AA was arrested when he showed up to take delivery on contraband equipment intended to help him counterfeit credit cards in the names of his victims. While the popular press likes to describe these frauds as “identity theft,” they are really classic frauds. While it is true that they use personal information to make the transactions appear to be authentic, they really do not rise to the level of identity theft. The targets in these frauds did not suffer permanent damage to their name or credit. They did not even suffer any material financial loss. The use of identity theft should be reserved for those cases that really deserve it.

The popular press also likes to associate these frauds with high technology in general and the Internet in particular. Here they have a slightly better case but one might also take note of how low tech these frauds really are. It is true that more business is being done electronically than ever before; less on paper. Therefore, more fraud is electronic than ever before. To the extent that electronic transactions are successful, they generate more business. More business generates more crime. However, one can make an equally good case that high technology also makes fraud more difficult. For example, in the paper system one could only reconcile one’s accounts monthly. Today, one may reconcile daily if one wishes. A wire room operator in a Chicago bank colluded with several outsiders to transfer $70M to banks in Vienna. The transfers were charged to the accounts of three large customers. Because those customers reconciled their accounts daily, the bank knew about the fraud within hours of close of business. Before dawn they had identified and arrested all of the perpetrators and had officers in Vienna to assert their claim to the funds.

While the press focuses on the hazards and vulnerabilities of the networked environment, most of the moves have been to improve control, not just service. Shortly after Reuters reported on Abraham Abdallah, I received a call from a colleague in Bermuda. He wanted to advise his client, a private bank, on accepting electronic payment orders from their big balance customers. Specifically he wanted to know about the control that requires that electronic payments be made only to pre-registered accounts. It seems that the bank was trying to accommodate customers that wanted to make large payments to arbitrary parties without the registration delay.

AA was able to do what he did in large part because fiduciaries are willing to take some risk in order to accommodate the wishes and intentions of their most affluent customers. It is important to recognize that while identity theft can be devastating to the target individual, in most cases it is the fiduciary that takes the financial loss; this is the reason that we use them. While most of the advice on how to avoid identity theft is aimed at the individual, it is the fiduciary that has most of the control. Most of the advice to the consumer is aimed at “protecting his privacy,” that is, on keeping confidential information likely to be abused.

Consider the recommendations of the Federal Trade Commission at http://www.consumer.gov/idtheft/risk.htm

They suggest that you catch identity theft early by annually checking your credit report. On average you will note a problem in six months. This seems late to me. On the other hand, it may be the only way to learn of accounts in your name opened by others.

• Train your people. There are very few identity frauds that do not involve some successful “social engineering.”
  

• Collect only that customer data that you must.
   

• Protect all customer data that you collect. Keep in mind that if it is compromised, it will most likely be used against you.
  

• Prefer the use of secret data to authenticate customers. Never authenticate a customer on the basis of a single piece of public data, e.g., social security number.
  

• Use digital signatures for large accounts.
   

• Consider the use of dynamic data elements such as recent transaction data to authenticate customers or other trading partners over the phone.
  

• Confirm all transactions out of band. Be sure that employees can neither cause nor prevent such confirmations.
  

• Confirm all changes of address to both the old and the new address before mailing a statement.
  

• Consider processing name changes as the closing of one account and the opening of another.
   

• Do not put the entire account number on the statement in the clear. Prefer partials (e.g., first four and last four digits), one-time tokens, vouchers, or reference numbers. Require that the entire account number be written in order to change address data.
  

• Collect e-mail addresses or fax numbers to be used as an alternative to paper for out-of-band confirmations of transactions or changes.
  

• Involve an officer, (selected at random) in the most sensitive activity. This activity should be selected by such measures as amount, the level of trust in the payer and payee, and how usual or unusual the activity is. The officer should be selected at random by the computer.
  

• Reconcile all variances promptly.