Identity Fraud and the Myth of "Secret" Personal Information
The problem of identity theft and other identity-related fraud has generated a need for people to be able to prove who they are, especially when they are online and there is no prior relationship between someone and the entity needing to verify that person's identity. Although a person may use different "identities" for different online activities, it becomes especially important to know a person's "true" identity in certain key situations such as applying for a new credit card, car loan, mortgage, or other credit accounts, or when seeking access to sensitive medical records. In the physical world, we rely on government-issued photo IDs because we trust that the government has issued the ID to the right person. Viable alternatives are needed for consumers in the online world that would serve a similar purpose in those situations where it's critical to know someone's true identity.
There's been a long history of using knowledge of personal information such as passwords, Social Security Numbers, or mother's maiden name to "prove" someone's identity. This practice is based on the flawed assumption that such information is somehow "secret", and cannot be discovered by an identity thief.
As a result of the introduction of data breach notification laws, it's well established that large amounts of sensitive personal information about people that are maintained by businesses, government agencies, and other organizations have been lost or stolen through poor information security practices.
Although better information security would help to reduce identity fraud and maintain our privacy, there's plenty of personal information about us "out there" in one form or another, and we cannot realistically expect to prevent identity fraud by hoping that all those data custodians will keep the information secure.
A more realistic approach to identity fraud prevention is to augment better information security with other means of ensuring that knowledge of personal information, by itself, is insufficient for committing identity fraud.
>"Secret" Personal Information That Isn't Really Secret
What's The Solution?
There are at least two ways to combat the identity fraud problem:
- One way is to better secure personal information so that it can’t fall into the wrong hands. This is certainly a laudable goal, and every effort should be made to secure this information by encrypting it for electronic storage and transmission, or making doubly sure that only authorized people can access it. But all too often, these steps are not taken. And even when they are, personal information may still be available in other places or formats that are less secure. There are just too many ways for sensitive personal information to fall into the wrong hands to completely rely on better information security for preventing identity-related fraud.
- Another approach is to change business practices so that stolen passwords, Social Security Numbers, and other personal information, by themselves, are insufficient for breaking into existing online accounts, for opening new accounts, or for committing other types of identity fraud.
We believe that although better information security is essential for protecting the privacy of individuals, relying solely on trying to keep personal information "secret" will not prevent identity theft or other types of identity-related fraud.
Better information security needs to be augmented with better ways to verify that those seeking to establish new accounts, or to access existing accounts, are truly authorized to do so.
The real problem is the widespread assumption that knowledge of personal information, by itself, "proves" the identity of the person who knows the information. We believe that the way to deal with this problem is through adoption of better forms of authentication.
>Authentication for Identity Fraud Prevention