October 19, 2007
Identity Theft Notes Oct. 19, 2007
Attendees:
Mari Frank, identitytheft.org
David Weitzel, MITRE
Eric Nelson, STS (Strategic Tech Solutions)
Kevin O’Neil, ISTPA
Bob Pinheiro, Robert Pinheiro Consulting
Gilles Lisimaque, IDTP
Michael Barrett, PayPal
Steve Bramson, Credentica
Britta Glade, Liberty
This call was a follow-up with Gilles Lisimaque, based on his international smart card expertise.
Q: Have you seen instances of smart cards being used to prevent identity theft?
A: Two things are called ID theft in the US: 1) account theft (someone logging in to another person’s account) and 2) someone obtaining credit in another person’s name (which he defines as real ID theft).
Look at identity “freezing”. This seems to be the thing that needs to be protected as thoroughly as possible. When you have a freeze on, it’s on until you lift it. It costs $10 to put on (unless you’re a victim), but it becomes costly quickly. A lot of the time fraudsters set up false phone numbers with the credit bureaus, so there is a question of whether a “call me first” approach would work. Conversation about a company called Debix, a commercial entity that verifies identity for people: it calls you every time there is an inquiry about you or your credit.
Q: Who would be the most likely entity to issue smart cards? Could consumers pay a credit bureau to issue a card?
A: Yes. It requires less infrastructure: add a smart card reader ($10/reader) and verify the identity of the purchaser, and it’s verified.
Q: What data is going to be on the smart card? Hackers could clone it and take the data.
A: Cards should act as a public notary. They are extremely difficult to clone. The card is an authenticator; it doesn’t have sensitive information embedded in it. You could also use an OTP.
Discussion about Finland’s government issuance of smart cards with a citizen certificate. Comment that governments have been reluctant to issue devices that are of use for anything beyond their own use at the government level. They didn’t want them reused and, if they were, didn’t want liability for their misuse.
Key issue: liability. Rules on who’s liable for what. This is one of the big “barriers” in this industry; there is no clear definition of liability. Look at bills currently before Congress: all seem to be precluding a private right of action. We’re not seeing a reduction of ID theft because there is no enforcement; laws aren’t enforceable (the FTC only pursues large cases). Law enforcement is overwhelmed and can’t enforce. Law enforcement isn’t really in a position to prevent it. Credit bureaus, etc. are making money off of this, so they don’t really have a motivation to curb it. Would credit bureaus, then, be interested in smart cards (they could make a profit here and add to their offerings)? Not sure; perhaps OTP generators instead. That seems better than a static PIN. But if stolen, it needs to be reported immediately.
A credit bureau could issue the card, somewhat like passport delivery? But there is concern about delivering it through the mail.
In Europe, many transactions require physical verification via the bank, checks deposited directly into bank accounts, etc. Not so much in the US. Look at the uproar over “RealID”: the DMV isn’t really a reliable source for verifying identity. The European system seems to be better at authentication because of face-to-face verification. Need to authenticate who people are at inception. In France, for example, they use a national ID card (question: at what age is the card issued?). In the US, there is child ID theft happening.
Seemingly, credit bureaus could/should have more of a role in preventing identity theft. The burden, it seems, should be on the creditor to prove identity and be diligent about who they are issuing credit to.
Lobbyists lobby against a private right of action, and they’ve been successful: it’s not in GLB, not in HIPAA, nowhere. The security breach notification law in CA has at least made companies more accountable for their databases, but hasn’t done enough about ID theft in authentication.
Discussion about government use of smart cards (HSPD-12, etc.). The cost of a smart card is 1/10th the cost of the system using the card, sometimes 1/20th. The real cost is creating digital certs, background checks, etc., everything around the card. DoD example: $100, of which about $8 is the card. So we’re really talking about a service here, not card costs. 10-15 million cards have been issued. Large contractors are also planning to use smart cards for the same thing: electronic access and electronic identification.
Concern among privacy advocates with RealID is how much info could get onto a smart card, going far beyond what’s really needed. Need to look more at what Europe is doing with a very streamlined authenticator. The government issues the card in Europe, and it’s just a part of the culture. Also, look at the example in Switzerland (given away at the branches).
Is it too expensive to do mutual authentication? It requires creation of infrastructure that’s not there yet. We need to deal with online issues (pharming concerns). Give the user the ability to verify who’s on the other side. Use a smart card with the browser to do it correctly: a hardware-based assurance level with the browser.