Why identity-theft rates are so high

Austrian journalist Erich Möchel asked me why there might be a higher rate of identity theft in the United States than in Austria. He published an article in German about identity theft in which he quoted extensively from my responses (in translation) but, never wanting to waste any writing, I am using an edited version of my original comments (with a few additions) here for readers of English.

* * *

One of the problems any society faces is the use of universal identifiers. In the U.S., in contravention of the original legal restrictions on its use, the Social Security number is increasingly being used throughout society as an identifier. In Europe and many other parts of the world, a government-issued identity number is commonplace.

These uniform identifiers, if inadequately controlled, allow data aggregation: the use of disparate collections of data (e.g., bank records + air travel records + library usage records + credit-card records + etc.) to create an increasingly detailed profile of everything a person does, whether viewed as private or not by the individual. The United States is still behind Europe in its privacy regulations.

Another issue that lies at the root of the rise in identity theft involving credit-card fraud is the system of fraud-recovery in the U.S. banking system.

Yes, a person who has been defrauded does have limits (typically $50 in total) on liability for someone else's fraudulent use of their account - but who bears the cost of the fraud? Is it the banks? No, it's card holders who don't pay their accounts on time.

Interest rates for credit cards are two to three times the rates for secured loans. The enormous difference pays for the fraud. But shifting the costs onto users deflects responsibility away from the card suppliers; instead of investing in better identification and authentication schemes for cards, they have shied away from anything that would reduce credit-card use. Some European banks (e.g., the Bank of Scotland) have pictures on the credit cards they issue; very few (e.g., Citibank) in the U.S. do the same. Smart cards would make forging much more difficult, but they are not in use.

Stopping the practice of sending unsolicited, pre-approved application forms to millions of residents would deprive thieves of the opportunity to steal the forms from mailboxes. The stolen forms are then filled in and sent in with a different address from the original but the same name and identifying data as the original recipient's. The victim gets the bills and the thief gets the goods.

If banks bore a greater percentage of the costs of fraud, they would invest in better security.

In addition, the lackadaisical manner in which store personnel apply their own rules about checking identity of credit-card holders facilitates fraud. I sometimes have to insist on having a clerk at least look at my signature on the credit card to compare it with the signature on the bill. I've sometimes signed a credit-card receipt "Mickey Mouse" to see what would happen; nothing happened.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.