Why High Assurance Authentication Is Necessary to Fight Identity Fraud
Identity Fraud and the Myth of "Secret" Personal Information
There is information about each of us that is "out there" in cyberspace in one form or another, and that serves to identify us. Our name, address, Social Security Number or other government identification number, birthdate, and place of birth are examples of "personally identifiable information" (PII).
These identifiers exist in various government and commercial databases, as well as in paper form, and are available for access by numerous authorized (and often, unauthorized) entities.
The value of PII is that it serves to identify us to the various entities we deal with. For instance, if we need to get a credit card, apply for a loan, seek medical treatment, or do any number of other things that require us to identify ourselves, our identities are defined in terms of some set of these identifiers. So although we can assert our own identities by providing PII when it is requested, the flip side is that others can impersonate us if they happen to know our PII. Because our PII is so widely distributed, it would be a mistake to assume that this information is truly "secret" in any real sense, or that individuals can control who has access to it. Yet there's a long history of relying on knowledge of personal information such as passwords, Social Security Numbers, mother's maiden name, or other commercially collected personal information to "prove" someone's identity. This practice is based on the flawed assumption that such information is somehow "secret" and cannot be discovered by an identity thief.
As a result of the introduction of data breach notification laws, it's well established that large amounts of sensitive personal information about people that are maintained by businesses, government agencies, and other organizations have been lost or stolen through poor information security practices. It seems clear that prevention of identity fraud needs to depend on factors other than a hope that custodians of our personal information can keep the information "secret."
Preventing Identity Fraud
There are at least two ways to combat the identity fraud problem:
- One way is to better secure personal information so that it can't fall into the wrong hands. This is certainly a laudable goal, and every effort should be made to secure this information by encrypting it for electronic storage and transmission, or making doubly sure that only authorized people can access it. But all too often, these steps are not taken. And even when they are, personal information may still be available in other places or formats that are less secure. There are just too many ways for sensitive personal information to fall into the wrong hands to rely completely on better information security for preventing identity-related fraud.
- Another approach is to change business practices so that stolen passwords, Social Security Numbers, and other personal information, by themselves, are insufficient for breaking into existing online accounts, for opening new accounts, or for committing other types of identity fraud.
We believe that although better information security is essential for protecting the privacy of individuals, relying solely on trying to keep personal information "secret" will not prevent identity theft or other types of identity-related fraud.
Better information security needs to be augmented with better ways to verify that those seeking to establish new accounts, or to access existing accounts, are truly authorized to do so. The real problem is the widespread assumption that knowledge of personal information, by itself, "proves" the identity of the person who knows the information. We believe that the way to deal with this problem is through adoption of high assurance authentication.