Identity Theft and the Emperor's New Clothes

If someone stole my identity, what do they actually take? Technically they have taken absolutely nothing. So what's all the big fuss about?

The UK Government's booboo last week drew more attention to the risks of Identity Theft. This data compromise contained names of individuals and their children, National Insurance numbers and bank account details. The loss of that data is not a concern in itself, but what can be done with that information is. The obvious theft opportunity would be to access the victim's accounts to withdraw cash, yet the more potent crime is loans and debts being taken out in the individual's name and, worst of all, crimes being committed in the individual's name.

Numerous definitions of identity theft have been published (see Bibliography below), including those in which the thief obtains enough information about the victim to be able to borrow money, perhaps as an unsecured loan or, more seriously, by taking out a mortgage on the victim's property. Fraudsters go to extraordinary lengths to set up these scams, yet the ability to do this relies on the victim having a good enough credit score that the lender is prepared to make the loan.

Suppose for a minute that credit scores did not exist. If a fraudster could get hold of your personal details, what would they be able to do? They would still be able to access your accounts and steal money, and they could still commit crimes in your name, but taking out a loan in your name would be made a lot more difficult - the lender would require direct validation, perhaps contacting your bank or other lenders for a reference. If we returned to an antiquated system such as this, convenience would decrease and costs would increase unacceptably. It appears that we may be stuck with centralized credit scoring and with it the possibility of identity-based loan fraud.

However, the web opens up new methods by which things can be done - distributed databases and the ability to aggregate data on-the-fly might allow for a decentralized credit scoring system. If a bank needed to assess the risk of a loan applicant and could not rely upon the centrally provided credit score, they would contact the other institutions that could vouch for the good standing of the applicant. They would first authenticate the individual with certainty via a biometric validation, then make a request to another institution, which would also need that validation code to ensure that the applicant was the same person as their account-holder. Upon confirmation, they would be able to confirm the reputation of the applicant. The lending bank would be able to make further enquiries with other institutions until they were able to fully assess the risk of the applicant - and now, all in near real-time.

This sounds a lot more complicated than the centralized scoring system that we have today, but because a fraudster would need to provide biometric validation at multiple points in the network (namely the lending bank and all institutions that provide a reference to that bank), the difficulty in perpetrating a fraud would increase. The distributed nature of the web and the availability of secure web-services will permit much of the complexity to be hidden from the user experience. Any organization wishing to participate in this scheme would have to be equipped with a biometric scanner; however, as recommended in the report on the UK National Identity Card and in US government recommendations on RealID, biometric authentication seems a likely part of governmental identification schemes.
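The reference flow sketched in the two paragraphs above can be simulated in a few lines. This is an added example, not code from any real scheme or from the author; the class and function names, the `needed` threshold and the sample data are all assumptions, and an exact digest of the scan stands in for real (fuzzy) biometric matching.

```python
import hashlib
import hmac

def validation_code(scan: bytes) -> bytes:
    # Assumption: a scan yields a stable code. Real biometric matching is
    # fuzzy; an exact digest stands in for "the scanner matched".
    return hashlib.sha256(scan).digest()

class Institution:
    """Holds its own enrolment record and standing for each account-holder."""
    def __init__(self, name):
        self.name = name
        self.holders = {}  # NI number -> (enrolled code, standing)

    def enrol(self, ni_number, scan, standing):
        self.holders[ni_number] = (validation_code(scan), standing)

    def reference(self, ni_number, code):
        """Vouch only if the code matches this institution's own record."""
        record = self.holders.get(ni_number)
        if record is None or not hmac.compare_digest(record[0], code):
            return None  # unknown person, or details without the matching body
        return record[1]

def assess(ni_number, live_scan, referees, needed=2):
    """Lender side: scan the applicant once, then ask each referee in turn."""
    code = validation_code(live_scan)
    vouched = {}
    for bank in referees:
        standing = bank.reference(ni_number, code)
        if standing is not None:
            vouched[bank.name] = standing
    good = [n for n, s in vouched.items() if s == "good"]
    return len(good) >= needed, vouched

# Constructed sample data: a dummy NI number and stand-in scan bytes.
NI = "QQ123456C"
VICTIM_SCAN, FRAUDSTER_SCAN = b"victim-fingerprint", b"fraudster-fingerprint"
REFEREES = [Institution("Bank A"), Institution("Bank B")]
for bank in REFEREES:
    bank.enrol(NI, VICTIM_SCAN, "good")

if __name__ == "__main__":
    print(assess(NI, VICTIM_SCAN, REFEREES))     # genuine account-holder
    print(assess(NI, FRAUDSTER_SCAN, REFEREES))  # stolen details, wrong scan
```

The stolen NI number alone earns no reference from any institution, and a single vouching bank is not enough to reach the lender's threshold.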

I have documented how a federated identity scheme might work, which would provide a model for a distributed identity management system - this thinking is also shared at least in part by the Liberty Alliance and Ping Identity Corporation.

Bibliography

  1. Coming next... an even bigger database by NO2ID
  2. Digital identity: remember when it was about more than just security? from Javelin Strategy and Research
  3. HMRC apologises for data loss on Direct.Gov.uk (Nov 20, 2007)
  4. I was a victim of identity theft on BBC.co.uk (Mar 3, 2005)
  5. Dealing with Stolen Identity on CNN.com (May 27, 1999)
  6. Protect Yourself Against the Fraudster, a whitepaper by Johann Grennepois of Euristix
  7. About Credit Scores by Fair Isaac at myFico.com
  8. Technology Solutions and Tools for Identity Theft Protection published by the Liberty Alliance
  9. Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Proposed Rule from the US Department of Homeland Security
  10. Paoga - an answer to the Privacy Problem by Ben King at the Register.com (June 8th, 2005)
  11. Everything you never wanted to know about the UK ID Card by John Lettice at the Register.com (May 5, 2004)
  12. Towards Federated Identity Management by Andre Durand (Dec 9, 2002)
  13. 25 million UK citizens exposed to ID fraud by HMRC on Graham Sadd's Weblog

Definitions of ID Theft

Note

I would like to be able to access some of the Meeting Details, Papers and Minutes from the (UK) EURIM Working Group on Personal Identity, Data Sharing, Retention and Protection - but this requires special access - if someone would be able to help, I'd be grateful.