As a result of the recent introduction of data breach notification laws, we've all been distressed to learn that large amounts of sensitive personal information about us maintained by businesses, government agencies, and other organizations seem to be routinely lost or stolen. There's plenty of personal information about us "out there" in one form or another, and we cannot realistically prevent identity theft by hoping that all those data custodians will keep the information secure. Much of that personal information is in paper form that can be stolen or copied (account statements, medical claims forms, etc.), and that makes it even harder to keep personal information secure.
The widespread availability and insecurity of personal information have made it clear that identity theft prevention cannot rely completely on attempting to keep personal information "secret." Although better information security would certainly help to keep our personal information private, a more realistic approach to identity theft prevention should focus on ensuring that personal information, by itself, is insufficient for committing identity theft.
Why Identity Theft Happens
Today, it’s not difficult for a fraudster who obtains personal information about someone to commit identity theft. A business that opens a new credit account for someone typically makes only a minimal, if any, attempt to verify the identities of new account applicants. Indeed, since the person applying for the account probably will not have a prior relationship with the business, in most cases the only way for the business to verify an applicant’s identity is to physically inspect identity documents when the application is made in person, or to resort to a knowledge-based authentication service from a trusted data source when the application is made online. But it's not difficult for an identity thief to obtain phony but realistic-looking government IDs such as driver's licenses. And because of the added cost, time, and inconvenience involved, knowledge-based authentication is not usually performed for accounts opened online. Instead, if the identity information provided by the applicant generally matches the information contained in a credit report, it’s assumed that the applicant’s identity has been verified.
We suggest two approaches for preventing identity theft that rely on better forms of identity authentication.
Two Proposals For Identity Theft Prevention
- "Call Me First": A security freeze provided by a credit bureau is one way to attack identity theft, or at least the types of financial identity theft associated with new account openings. Once a credit file is frozen, it must be "unfrozen" by the consumer before a would-be credit grantor can view a credit file/credit score and make a decision about whether someone is creditworthy or not. However, a "Call Me First" service that combines a security freeze with an improved fraud alert could help to prevent identity theft while at the same time allowing consumers more control over the dissemination of their credit information to credit grantors who should not have it. Further details here.
- "Trusted Identity Provider": Another approach would be to employ a trusted, third-party "Identity Provider" (IdP) that issues credentials to people whose identities can be verified using a variety of physical documents as well as possibly knowledge-based authentication. This Identity Provider could then be invoked to authenticate, using multifactor authentication, someone who claims the identity of anyone registered with a trusted IdP. Further details here.