[Dave Birch] It was identity theft week, or something like that, and since I’m about to start the CSFI’s 2010/2011 Research Programme into “Identity in Financial Services”, with support from Visa Europe, I’ve been thinking about the key aspects of the problem. For example: how well are current know-your-customer procedures working? After all, they are pretty stringent. To the point where the typical customer finds dealing with financial services organisations an absolute nightmare.
The ID banks require is getting beyond a joke. I’ve just been locked out of one of my online accounts, through no fault of my own, and they’re demanding I send them a certified document plus a utility/bank bill, but they won’t accept one printed online. Yet like many people, both for the environment and ease, I opt for paperless billing wherever I can, so I simply don’t get any printed statements anymore, leaving me at an ID disadvantage when banks refuse to count those as ID.
Still, I’m sure we’d all agree that it’s worth the massive imposition on customers, and the massive costs to companies, in order to crack down on ne’er-do-wells who are trying to defraud our banking system (at least, the ones who don’t work for banks). But since identity fraud appears to be at record levels, either these stringent controls are counter-productive (because only criminals will bother jumping through the hoops) or a total waste of money.
Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data shows that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.
Given the amount of trouble I find in accessing my own accounts — I tried to log in to my John Lewis card account this week and it asked me a password that I’d forgotten and when I followed the “forgotten password” link it asked me for a secret word or something that I didn’t even know I’d set — I can only assume that the total amount of time, effort and money wasted on this sort of thing across the financial services sector as a whole is enormous.
I suppose, though, we’re only talking about money, and financial services organisations (and regulators) can make rational calculations about risk and reward. For more important applications, such as border control, law enforcement, homeland security, it’s a different story and the identity infrastructure is much more effective. Perhaps we can all learn something from them: how do they deal with identity theft?
Dubai assassins stole identities of six UK citizens
They didn’t really steal them, did they? I mean, those UK citizens still have their identities (and their passports). It’s a bit like when Big Content complains about teenagers stealing music, when they’re doing nothing of the sort. If I stole “Yesterday” by The Beatles then I’d have it and they wouldn’t. What happened in Dubai wasn’t identity theft but unauthorised copying. But I digress. When I saw this story unfolding on TV, the first thing I thought about was how come it was so easy to get into Dubai with fake passports. I’ve been to Dubai, and I’m pretty sure the border control chap looked at my passport and put it into some sort of machine to access the MRZ.
Dubai airport is not just a two bit arrival and departure lounge for a small Arab country. It is a veritable cross roads for global airline traffic – one of the 10 most important international hubs in the world. Yet its passport scanning machines failed to recognise that all 11 passports were not just fakes but quite awful fakes.
Presumably, Mossad, MI5 the CIA and the KGB will be be snookered when the Dubai border control can read e-passports and access the onboard biometrics via Extended Access Control (EAC). It won’t be more than another twenty or thirty years before all passports are e-passports and EAC is used everywhere. Meanwhile…
INTERPOL Secretary General Ronald K. Noble has warned that the use of fraudulent passports enabling criminals and terrorists to travel undetected is the biggest threat to global security. Speaking at the World Economic Forum in Davos, Switzerland, Noble told CNN that security services should put more emphasis on identifying people trying to use fake travel documents rather than relying on body scans at airports.
[From Security Document World]
Perhaps the whole border control thing is in more of a mess that it at first appears.
The Irish government says the passport numbers publicised by Dubai authorities also are counterfeits, because they have the wrong number of digits and contain no letters.
What? So to make a fake passport that’s good enough to provide a useful false identity, you don’t even have to get the basics of the target right? Well that might be true for Irish passports, but I’m sure it isn’t true for US passports. After all, they have Department of Homeland Security and multi-billion budgets, so making fake US passports would be much more difficult, wouldn’t it? Who knows — because any terrorist who wants a US passport can just apply for a real one, which I is quicker and cheaper than trying to create a fake one
The goal was to find out whether the State Department’s passport examiners would catch on to the tricks not of highly skilled expert forgers, but of clumsy amateurs. Using standard, off-the-shelf equipment, the GAO team fabricated a number of bogus documents, including birth certificates. With these in hand, the agents filed several passport applications, each of which contained deliberate errors that should have been spotted readily had anyone been paying attention. From seven bogus applications, five genuine passports were issued.
Uh oh. So it turns out that you don’t have to be a Russian spy under deep cover or a highly-trained Mossad operative, you just need Photoshop and an ink-jet printer. Just as the credit card counterfeiters discovered, something has gone wrong: the current identity infrastructure inconveniences the innocent more than the guilty. This isn’t a theoretical matter, it means an impact on real businesses.
Businesses already reeling from the recession say the new rules, which require Canadians to show a passport or other internationally recognized documentation when entering the U.S. by land or sea, have resulted in a sharp drop in free-spending tourists crossing the border. In June, the first month of the new policy, the 11 busiest U.S.-Canada bridges drew about 2.6 million vehicles — a nearly 23% drop from the same time last year, according to the Public Border Operators Association. July’s numbers were slightly better, but still off 17% from a year ago.
A drop in a business, yet any terrorist who wants to can knock up a birth certificate on their home computer and get a US passport anyway.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]