Why identity-theft rates are so high

* Banks' practices contribute to the problem

An issue that lies at the root of the rise in identity theft involving credit-card fraud is the system of fraud-recovery in the U.S. banking system. If banks bore a greater percentage of the costs of fraud, they would invest in better security.

Austrian journalist Erich Möchel asked me why there might be a higher rate of identity theft in the United States than in Austria. He published an article in German about identity theft in which he quoted extensively from my responses (in translation) but, never wanting to waste any writing, I am using an edited version of my original comments (with a few additions) here for readers of English.

* * *

One of the problems any society faces is the use of universal identifiers. In the U.S., in contravention of the original legal restrictions on its use, the Social Security number is increasingly being used throughout society as an identifier. In Europe and many other parts of the world, a government-issued identity number is commonplace.

These uniform identifiers, if inadequately controlled, allow data aggregation: the use of disparate collections of data (e.g., bank records + air travel records + library usage records + credit-card records + etc.) to create an increasingly detailed profile of everything a person does, whether viewed as private or not by the individual. The United States is still behind Europe in its privacy regulations.

Another issue that lies at the root of the rise in identity theft involving credit-card fraud is the system of fraud-recovery in the U.S. banking system.

Yes, a person who has been defrauded does have limits (typically $50 in total) on liability for someone else's fraudulent use of their account - but who bears the cost of the fraud? Is it the banks? No, it's card holders who don't pay their accounts on time.

Interest rates for credit cards are two to three times the rates for secured loans. The enormous difference pays for the fraud. But shifting the costs onto users deflects responsibility away from the card suppliers; instead of investing in better identification and authentication schemes for cards, they have shied away from anything that would reduce credit-card use. Some European banks (e.g., the Bank of Scotland) have pictures on the credit cards they issue; very few (e.g., Citibank) in the U.S. do the same. Smart cards would make forging much more difficult, but they are not in use.

Stopping the practice of sending unsolicited, pre-approved application forms to millions of residents would deprive thieves of the opportunity to steal the forms from mailboxes. The stolen forms are then filled in and sent in with a different address from the original but the same name and identifying data as the original recipient's. The victim gets the bills and the thief gets the goods.

If banks bore a greater percentage of the costs of fraud, they would invest in better security.

In addition, the lackadaisical manner in which store personnel apply their own rules about checking identity of credit-card holders facilitates fraud. I sometimes have to insist on having a clerk at least look at my signature on the credit card to compare it with the signature on the bill. I've sometimes signed a credit-card receipt "Mickey Mouse" to see what would happen; nothing happened.

The public at large is undereducated; many card holders are actually offended when someone checks their identity! Amazing!

We might be able to improve security over a couple of generations by introducing better security awareness in schools, but it will be a long haul.

In my next column, I’ll introduce some follow-up comments by colleague Don Holden, CISSP-ISSMP, about securing library records.

Learn more about this topic

 
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

IT Salary Survey: The results are in