Enabling Secure Business Operations

Identity Theft – A Customer’s View

As Tim recently pointed out, identity theft costs businesses billions of dollars each year.

I think the main burden at this point is from repercussions of an incident originating from the individual. Banks and credit card companies have to pay back the individuals when something does happen, then try to track down the thief. Mind you, most of this is outsourced, but it’s not cheap.

Here’s where businesses should take the lead, since customers are woefully ignorant of how to protect their assets. All of the following assumes that there is a legal framework to push companies to think about more than their pocketbooks and more about the people that finance them.

People don’t know how to, or don’t want to, educate themselves on how to protect their identities. That’s why the experts exist; if everyone knew why and how to encrypt their hard drives, shred credit card offers, or run penetration tests, the IS industry wouldn’t be what it is. There would be fewer car accidents if people actually learned how to drive, make evasive maneuvers, etc.

When the average Joe has all of their money stolen, they are, to put it bluntly, screwed. When a big company mismanages all of its money, engages in unethical practices, and goes belly up, the government bails them out.

Businesses have better resources to handle the costs of education, security, and mitigation. As Walt pointed out, customers are already paying for it – so why isn’t it paying off?

One Response to “Identity Theft – A Customer’s View”

  1. Scott Shorter Says:

    Identity theft has different impact in different contexts, of course. Broadly speaking, identity theft is just an attack on the authentication function of a system.

    In social networks where the currency is reputation, identity theft can be used to harm the reputation of others, whether it manifests as bullying or criminal enterprise (e.g. blackmail).

    In electronic voting, voters themselves should be anonymous during the voting session – this is a matter of proper security engineering of the voting equipment. Voter ID supporters consider identity theft enough of a problem that laws are being passed (and vetoed, as Sebelius did in Kansas) in various states.

    There is no evidence of a wave of fraudulent voters running around on election day, but voter ID supporters say that vote fraud is a crime that leaves no evidence, so you can’t say that it isn’t happening. I don’t know enough about pollbook procedures to be able to gauge the accuracy of that statement, but I have heard counterarguments that the identification stage of voting (i.e. confirming your name is on the voter list) is done in a way that would detect the same voter identifying themselves more than once. Whether an audit is performed to detect such events is another matter. Election auditing should be stepped up – it doesn’t have to be expensive, I believe there would be plenty of volunteers.

    Identity theft of the administration accounts is a threat on all systems that can be administered, and takes the form of hacking and privilege escalation, social engineering attacks, untrustworthy individuals in trusted roles, etc. Usually, this form of identity theft results in systematic compromise.

    Finally, the Debian/Ubuntu Crypto Key Generation, Origin: Open Source Embarrassment (DUCK-GOOSE) is a very serious flaw – if you haven’t patched your systems and rekeyed, start planning to do so. All sorts of identity theft could result from compromised systems, both by impersonating administrator accounts, and by obtaining access that permits attacks on stored data and access to other parts of the system.
