Friday, April 15, 2005

Mitigating ID theft

Bruce Schneier writes about mitigating identity theft in the latest issue of Crypto-gram, which as usual, is full of common sense advice about security.

"Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can't involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions...

If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business; and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder...

That's an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it's two-factor authentication, ID cards, biometrics, or whatever, there's a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn't the way to proceed...

Right now, the economic incentives result in financial institutions that are so eager to allow transactions -- new credit cards, cash transfers, whatever -- that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions."

Identity theft solutions focus too much on authenticating the person? You can probably read this straight across to ID cards and translate the last three sentences thus, once we all have ID cards:

To mitigate that risk, we need to concentrate on detecting and preventing [fraudulent transactions] terrorism. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the [financial institutions] government liable for [fraudulent transactions] terrorism. Oops, I forgot. That's exactly what the UK government are afraid of. Hence the rush to manage the security theatre public relations battle, the ill-thought-out developments in law and the soundbite nonsense we hear trotted out on the subject in the current election campaign.
