Ass Backward

I’ve got this story due on new technologies to prevent financial identity theft. And I’m thinking, maybe we should be looking at identity theft from the front end instead of always from behind. The thought came to me as a friend and I were talking on the phone. He’s not from the industry and has a lot of time on his hands while he waits for a lung transplant, so he likes to hear my stories. When I told him about the story I just filed to Network World on the latest ways phishers are stealing our financial identities (running May 1), he asked why is it so easy to activate a new account under fictitious or someone else’s name in the first place? “Oh I see what you’re saying! It’s like we’ve got two ends of the same business working against each other,” I said as I grabbed a notepad and started writing things down. “On the back end, we’ve got all these information security experts working their tails off trying to close the vulnerabilities. But on the front end, we’ve got systems that are laying bare our financial identities.” For example, why, after all these years in not-present mediums, are the credit card issuers unable or unwilling to unequivocally vet new applicants to ensure they’re issuing the card to a real person with a legitimate identity? Why, at the very least, is the application not tied to a customer phone number for verification? So now I’m looking at the bigger financial identity framework and I’m seeing all kinds of gaps. Let’s start with the credit reporting agencies who are responsible for our credit ratings and yet they prevent us from getting the information we need to protect our ratings by not alerting us to new accounts opening under our identities. The reporting agencies have the system in place to do this. But they’ve made it so hard for consumers to order this service (and when they do, they can only get it for 90 days unless they can prove fraud). Why? Because they make much more money processing our financial identities in real-time than they would if they imposed wait times to get approvals. And another question: Why can you load stolen or fictitious financial data onto a mag strip of a credit card or a stored value card and turn it into cash? Easy to use hacking programs have been around for a couple years in which you can actually change the field data in the tracks on the tape itself. Yet mag strips continue to be vulnerable to this type of tampering. Then there’s the cyber problem. Today, we’ve got millions of remote-controlled computers spewing financial data over criminal ‘botnets’ run by hacker “mules” turned to the dark side by organized crime. We’ve had more than ten years to make browsers safe from Trojan horse installations, which a hacker named Modify demonstrated to me in 1996, and which is how keystroke loggers get onto machines today. And we’ve had more than six years to stop the proliferation of remote-control malware, which SANS researchers discovered in October 1999 when they found executable code on thousands of computers that that later set off the denial of service attacks that took down Amazon, eBay and other secure online businesses. What this means to me is that our financial identity system is wrought with fraud and about to implode. Marcus Sachs, who directs cyber security research for Homeland Defense, says I’m too drastic in my thinking. But nevertheless, he’s worried that what he calls today’s stage of “cyber lawlessness” could, indeed, wreak havoc on society, particularly since our defenses are so far behind the criminals capabilities. Just how did we get to this point when we’ve had so many early warnings? This is the subject of a book I’m working on. I blame the rapid rush to new technologies designed to make our lives more “convenient.” Although I couldn’t live without the Internet for speedy research and communication with editors and sources, I wonder if we haven’t shot ourselves in the foot for all this convenience. I’ve lived all this time without online banking. I only shop online at places I trust, and only using what I call a ‘disposable’ credit card – one with a small limit that can be replaced easily without any auto deductions that have to be rolled over to the new card. And banking from my phone? I’m even more reluctant to go that rout, particularly considering that European and Asian users are already getting Trojan horses on their cell phones to steal their financial identities. If you ask me, I’d say the hackers have had it right since the beginning. “Information is power,” they’d tell me back in the mid 90’s when I couldn’t find any other sources who could tell me what was going on in cyberspace. They told me it was just a matter of time before anarchy and chaos ensued. And I think that we’re now at the crux. Hang on. It’s going to be a wild ride.