Identity, Identifiers and Identity Fraud
Author: William H. Murray, CISSP
Contributed by: Cybertrust, Inc.
Recently the press and the public policy makers have begun to speak of “Identity Theft” as though it was a novel concept requiring severe new legislation. These laws are likely to put significant new burdens on business. While most identity theft problems originate via plain old “snail mail,” the discussion these days is all about the Internet. The sponsors of the legislation point to exponential growth in the problem as justification for these laws.
This paper suggests that the “growth” actually comes from redefining traditional fraud, not from the growth of the Internet. It begins with a discussion of the concept of identity and ends with recommendations for individuals, fiduciaries and merchants to safeguard themselves.
What do we mean when we speak of “identity?” One way to look at it is that we are talking about a combination of body, mind, and personality. These three things can each be independently demonstrated and verified but they are not separable. It seems clear that these cannot be “stolen” in the sense of being converted to someone else’s use.
An identity has a number of attributes including character, reputation, credit, and rights. The legal rights include civil rights, the right to own property, and the right to enter into contracts. The individual can work, travel, stand for office, and vote. He can pass his property to heirs of his choice. He may marry and adopt. In the “village,” the bond between the individual and these attributes was recorded in the collective memory. Nonetheless, to some degree or another, the attributes are separable from the identity. For example, as recently as a hundred years ago, when public records were limited, and credentials were not required for, or even available for, travel, it was possible for the individual to walk away from his or her village and start over with a new “identity.”
In the modern world, the bonds between identity and attributes are more tenuous than they were in the village. On the other hand, they are portable; one can enjoy them while traveling or take them when moving. These attributes can be recorded in official, permanent, and other records. They can be tokenized -- substituted for by a symbol. They can be collateralized -- converted into a document, credential, or other instrument. They can be vouched for, or even guaranteed by, a third party. They can be monetized; that is, in cooperation with another party, they can be converted into currency that can be used to buy goods and services.
We use labels, i.e., names and other identifiers, to refer to the individual or identity and to record the association between the identity and its attributes. We identify ourselves by our names and have a preference for them in most relationships. However, most names are ambiguous; a given name may refer to tens, hundreds, or even thousands of individuals. To reduce the ambiguity, we use the name in association with other information. For example, name and address may be more specific, as may name and date of birth (DoB). Of course, name and address may still not distinguish between members of different generations residing together, and there could be two or more people sharing both a name and a birthday. However, for all practical purposes, name, date, and place of birth (PoB) are enough to uniquely identify a single individual.
In the world of modern information systems, with cheap random-access storage, databases, directories, displays, and point-and-click data entry, name and address, Date of Birth, and Place of Birth should be adequate for most applications. However, for most of the twentieth century they were not. Both storage and recording were so expensive that for the sake of efficiency, institutions created alternate identifiers. The most obvious and universal of these is the social security number (SSN), created by the then-new Social Security Administration in the 1930s and assigned to all workers.
The military began to assign service numbers about the same time. These substitutes for names reduced ambiguity, keystrokes, storage requirements, and errors. In modern times, these numbers have been combined into a single number, extended to all citizens, and assigned shortly after birth. They are now used by credit bureaus, employers, credit card companies, banks, and others. In spite of all laws prohibiting their use for that purpose, SSNs are now the identifier of choice for many institutions and applications.
One Saturday morning at the barber’s, I listened to the tale of woe told by the man in the next chair. It seems that his mailbox was rifled. The perpetrators took only credit card statements. They tore the remittance advice from the statement. They turned it over and used the form on the back to submit a change of address from my neighbor’s address to an accommodation address in Northern New Jersey. When they began to receive statements at that address, they called the customer service number and asked the bank to send them some drafts. When the drafts arrived, they used them to draw down my neighbor’s line of credit.
The perpetrators did not change the phone number when they changed the address. We know that because when the account became delinquent, my neighbor began to get collection calls. At this time, the police were called in. They immediately recognized the accommodation address. The police had already placed it under surveillance but the perpetrators had also abandoned it.
For most of my professional career, I have been trying to get the banks to confirm changes of address to the old address. Brokerage houses have always done it. I can only conclude that the banks have done an economic analysis and have concluded that it would not pay.
Notice that it takes quite a bit of information to pull off one of these frauds. In this particular case, all of the information necessary and, incidentally, the necessary forms, were all included in a single mailing. This scam is a simple but common form of identity fraud.
A more sophisticated but less common form is that in which the perpetrators use public and independent sources to learn enough about a victim to be able to initiate transactions in his name or apply for accounts in the victim’s name but the perpetrator’s address. Most of the information required to be able to do this is a matter of public record; all of it is available from credit reporting agencies for a fee.
Abraham Abdallah duped the credit reporting agencies, including TRW, Equifax, and Experian, into providing detailed reports on his extremely rich victims (Fortune Magazine’s list of the 400 richest people). He then used this information to dupe the victims’ fiduciaries into transferring money to accounts that he controlled. He submitted the transactions by e-mail or fax. Knowing that the fiduciaries would want to verify the transactions, he would include telephone numbers where he could be reached. However, when the fiduciaries called those numbers, they reached a voice mailbox answered in the victim’s name. Often that was sufficient for them to complete the transaction.
In at least one instance, an officer for a fiduciary used a phone number from his own files, rather than the one in the order, to determine that the transaction was not authentic. The officer was alerted by the form of the request (an e-mail), the amount of the transaction ($10M), the destination (Australia), and the destination account (recently opened). AA was arrested when he showed up to take delivery on contraband equipment intended to help him counterfeit credit cards in the names of his victims.
While the popular press likes to describe these frauds as “identity theft,” they are really classic frauds. While it is true that they use personal information to make the transactions appear to be authentic, they really do not rise to the level of identity theft. The targets in these frauds did not suffer permanent damage to their name or credit. They did not even suffer any material financial loss. The term “identity theft” should be reserved for those cases that really deserve it.
The popular press also likes to associate these frauds with high technology in general and the Internet in particular. Here they have a slightly better case but one might also take note of how low tech these frauds really are. It is true that more business is being done electronically than ever before; less on paper. Therefore, more fraud is electronic than ever before. To the extent that electronic transactions are successful, they generate more business. More business generates more crime. However, one can make an equally good case that high technology also makes fraud more difficult. For example, in the paper system one could only reconcile one’s accounts monthly. Today, one may reconcile daily if one wishes. A wire room operator in a Chicago bank colluded with several outsiders to transfer $70M to banks in Vienna. The transfers were charged to the accounts of three large customers. Because those customers reconciled their accounts daily, the bank knew about the fraud within hours of close of business. Before dawn they had identified and arrested all of the perpetrators and had officers in Vienna to assert their claim to the funds.
While the press focuses on the hazards and vulnerabilities of the networked environment, most of the moves have been to improve control, not just service. Shortly after Reuters reported on Abraham Abdallah, I received a call from a colleague in Bermuda. He wanted to advise his client, a private bank, on accepting electronic payment orders from their big balance customers. Specifically he wanted to know about the control that requires that electronic payments be made only to pre-registered accounts. It seems that the bank was trying to accommodate customers that wanted to make large payments to arbitrary parties without the registration delay.
AA was able to do what he did in large part because fiduciaries are willing to take some risk in order to accommodate the wishes and intentions of their most affluent customers. It is important to recognize that while identity theft can be devastating to the target individual, in most cases it is the fiduciary that takes the financial loss; this is the reason that we use them. While most of the advice on how to avoid identity theft is aimed at the individual, it is the fiduciary that has most of the control. Most of the advice to the consumer is aimed at “protecting his privacy,” that is, on keeping confidential information likely to be abused.
Consider the recommendations of the Federal Trade Commission at http://www.consumer.gov/idtheft/risk.htm
They suggest that you catch identity theft early by annually checking your credit report. On average you will note a problem in six months. This seems late to me. On the other hand, it may be the only way to learn of accounts in your name opened by others.
Recommendations for the Individual
As a rule, one simply gets a notice that the statement is ready and must log on to retrieve the (PDF) statement. It really is harder for a perpetrator to do this than to rifle a
Stop or forward your mail when you are away. I recently returned from a trip to find a note from the local police informing me that a stranger had been observed rifling the mailboxes in our neighborhood. Fortunately for me, I had stopped delivery on my mail before leaving on my trip.
Empty your mailbox
Prefer a locked mailbox.
Consider the use of a post office box or an accommodation address. Federal law to the contrary notwithstanding, people do rifle mailboxes.
Limit the number of
sufficiently small number that you would miss a statement that did not
Consider giving your fiduciaries a secret code-word in lieu of such public information as your mother’s maiden name.
Put only the last five digits of your SSN on applications. Remember that the real purpose of the SSN on an application is to reduce any ambiguity in name and address when making an inquiry of the credit reporting agencies. (If a fiduciary does not want to do business with you on that basis, look seriously at the competition.)
credit card numbers (e.g., American Express Private Payments) or store-of-value cards (e.g., Visabuxx, extramoney GiftCard) on
Give permanent credit card numbers only to highly reputable merchants with whom you expect to do
Prefer major merchants on
While only 1 offer in 40,000 on eBay is fraudulent, that is higher than when dealing with major merchants.
Do not keep large balances in checking accounts.
Do not link accounts or use overdraft
Use escrow agents when making major purchases from strangers on the Internet.
Consider the use of PayPal, Yahoo! PayDirect, or BillPoint
Reconcile your statements promptly. Prefer on-line reconciliation so that you reconcile a few transactions frequently rather than a large number infrequently. This is the most important and effective control. Nothing above will compensate for it; it will compensate for a great deal.
Recommendations for Fiduciaries
Remember that it is the fiduciary that takes most of the losses in identity fraud. You are more likely to be defrauded by an employee than an outsider, by a manager or an officer than by non-management. You are more likely to be defrauded at application time than at transaction time, at exception time than at routine transaction time.
Recommendations for Merchants
There are two issues for the merchant. First is being sure that he is doing business with the person that he intends, that is, that he is not the victim of fraud. Second is that he protects all of the information that he uses for the first, that is, that he does not contribute to fraud by others against his customers.
The classic form of fraud against the merchant is the bad check. The customer pretends to be someone that he is not or to have funds that he does not. While there are a number of techniques that the merchant can use to resist bad checks, they all involve cost and none of them is foolproof. The modern equivalent of the bad check is the bad credit card number. The customer uses a good credit card number that does not belong to him.
On-line merchants frequently store customer names and addresses so that return customers do not have to re-enter them. For the same reason, they may store credit card numbers. They have a special obligation to protect this information from exploitation by others.