Identify This!
Creating a system that stops identity theft and increases privacy
Charles Baakel
5/13/2007
CS199r Final Paper
Identify This! – C. Baakel
The growth of the Internet and computer technology has led to a growth of new
opportunities, both good and bad. Identity theft, in particular, has become America’s fastest
growing crime.1 For example, Sean Hoar, the Assistant United States Attorney calls identity theft
“The crime of the new millennium.”2 While the methods of identity theft have grown rapidly, the
methods of prevention and recovery have not. Today, once one’s identity is stolen it is a very
long and public path to recovery. Every business and agency that one has had contact with has to
be notified that one’s identity has been stolen, so that no new fraudulent actions are made. This is
a very humiliating and public process. The question I plan to address in this paper is: Why are
the current identity theft recovery measures so slow and poor at maintaining one’s privacy, and
what new systems could be developed, where recovery is more rapid and private? I contend that
there is a solution that can fix the problem of identity theft recovery and privacy.
The Identity Theft Resource Center defines identity theft as “a crime in which an
imposter obtains key pieces of personal identifying information (PII) such as Social Security
numbers and driver’s license numbers and uses them for their own personal gain.3 The crime is
very difficult to manage under our current system because one’s PII can be obtained in a number
of different ways, and exploited for gain in more.
There are two main reasons why identity theft research data is difficult to obtain. First,
many victims of identity theft are not aware of the problem until months after their information
has been stolen and exploited. Second, during the process of recovery, it is not clearly known
whether or not one has completely recovered from identity theft until fraudulent accounts and
charges have stopped. Insurance agencies, banks and other organizations have completed studies
on identity theft, but the data is not the most reliable, and the sample groups are not always the
most representative.
Nationwide Mutual Insurance Co. conducted a survey on identity theft victims and found
some rather disheartening results. 28% of the victims could not reconstruct their identities within
one year. It took an average of 5.5 months for a victim to realize their identity has been
compromised. The average victim lost nearly $4,000 due to fraudulent charges, and 16% were
still forced to pay for them. Meanwhile, only 17% were notified by their financial institution or
creditor that suspicious activity was occurring on their accounts.4
Currently, the process of recovering requires a great deal of persistence by the victim.
The Nationwide study notes that victims spent an average of 81 hours attempting to recover,
though some never do. The Federal Trade Commission recommends these steps when one is
aware that his/her identity has been stolen:
1) Place a fraud alert on your credit reports and review your credit reports
2) Close the accounts that you know or believe, have been tampered with or opened
fraudulently
3) File a complaint with the Federal Trade Commission
4) File a report with your local police or the police in the community where the identity
theft took place5
1
“Identity Theft” http://www.usps.com/postalinspectors/idthft_ncpw.htm. Accessed 5/10/2007.
Hoar, S., “Identity Theft: The Crime of the New Millennium” United States Attorneys’ USA Bulletin
March 2001 Vol. 49, No.2.
3
“Identity Theft Resource Center: A Nonprofit Organization” http://www.idtheftcenter.org/ Accessed 5/9/2007.
4
TechWeb Technology News, “One in Four Identity Theft Victims Never Fully Recover”
http://www.techweb.com/wire/security/166402606. Created 7/26/2005. Accessed 5/1/2007
5
“DEFEND: Recover from Identity Theft” http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html.
Accessed 4/25/2007.
2
2
Identify This! – C. Baakel
Let’s evaluate these measures more closely. The four steps require the victim to contact
at least 6 entities: the 3 credit bureaus, the account that has fraudulent activity, the FTC, and the
police. The list does not include ChoicePoint, a private entity that is also used to obtain identity
information about individuals. Contacting the 3 credit bureaus includes placing an extended
fraud alert on one’s credit report, which will be visible to anyone who checks your report. It is
debatable as to whether or not this is a good thing. Maybe a person is careless if they had their
identity stolen. But very few, if any other victims of crimes have a visible record of the offense
on something like a credit report.
By contacting the FTC and the local police one obtains an FTC ID Theft Complaint and
an Identity Theft Report, respectively. These documents allow a victim to place a seven year
fraud alert on one’s credit report. This part of the process is not as easy as it may seem. The
Nationwide study finds that 40 percent of victims list “the police, their financial institution, or
their credit card issuer as the most difficult to work with when trying to solve the problem.” In
addition, a survey respondent is quoted as saying that “The institution we do all of our banking
with made us feel like we were the ones trying to pull something.”6 In extreme cases the Social
Security Administration will give a victim a new Social Security number, but this is usually only
after all options have been tried and fraudulent accounts have continued to be made for years.
It is clear that the process for recovering from identity theft is neither quick nor private,
but why is this so? A simple diagram can explain the current system of identification (Figure 1).
If a credit card issuer, an employer or any other entity wants to know if John Doe exists, and who
he is, they can contact the three credit bureaus, or ChoicePoint. These agencies create a profile of
Mr. Doe based on his interactions with other agencies, which then share this information. In the
end, there is You, a Social Security number and a date of birth. Those two numbers are the most
reliable because they are the only identifiers that do not change, as name, address, and even
gender can be modified. Date of birth is not a reliable identifier, since birthdays are celebrated
and often publicized. This leaves the Social Security number as the best identifier under our
current system.
The Social Security number was first distributed in 1936 for the purpose of giving out
government benefits. Over time, other federal and state governmental uses have been applied,
including the Internal Revenue Service in the 1960’s and for driver’s license registration in 1976.
In addition, the military also gained access to use the number, as well as employers who needed
the number for employee benefits. Currently, a variety of entities use the SSN as their “secure”
identifier, including hospitals, financial institutions, and universities.7 What can be seen from this
is that a number that was originally developed for one agency for the purpose of benefit
allocation has now developed into the universal citizen identifier of the United States.
Organizations had other options that could have been pursued, like creating a number for their
specific industry, or seeking out the government to provide an alternate solution, but now so
many systems use the identifier that it is not only a part of one’s existence, it is one’s existence.
There are approximately 250 million social security numbers active today. It is now
commonplace for an SSN to be assigned at birth, leading one to assume that every U.S. citizen’s
SSN the one identifier that is unique.8 This is not the case, as there are duplicate SSNs that have
6
TechWeb Technology News, 2005.
Kouri, J. “Social Security Cards: De Facto National Identification” American Chronicle, 11/29/2005
8
Hammond, W. E. “The Use of the Social Security Number as the Basis for a National Citizen Identifier” National
Information Infrastructure White Papers
7
3
Identify This! – C. Baakel
been distributed, as well as errors in the distribution of the number leading some to believe their
SSN was one listed in the promotional material.
Despite all these problems with the use and development of the SSN, the number still
could be used as a UCI, though clearly this is not the intention of the number. The number is
fixed, and not made to be something very anonymous, as there are predetermined values as a part
of the number. The first three digits of the SSN are based on location, and the next two are given
in alternative but known serial order. The variance occurs during the last four digits, but some
entities place only that part on documentation.9 A bad usage of the SSN is that many universities
use the SSN as the student ID number, leaving open the possibility that the student can be
handing over her SSN every time she logs into her campus portal. A possible good use of the
SSN is for medical records.
Solution
The system I propose will aid significantly in helping to: decrease identity theft, improve
identity theft recovery time, and increase the control of privacy on the behalf of the individual.
These changes will leverage existing infrastructure and work to expand capabilities in others.
The resulting system will require adjustments, but can satisfy the goals described much better
than the current system. For the purpose of this paper the system will be called WISE.
The primary tenets of WISE are:
1) The individual controls his/her data.
2) The individual is responsible for his/her data.
3) The individual cares about his/her data.
WISE functions as an organizational firewall to individual information. In the initial
model, entities in the “cloud”, the outermost region, went to other businesses in the second ring
to know about YOU. This required individuals to keep track of at least four different databases,
with little control over how the information is collected and used.
In WISE, there is one entity and the user always controls how the data is spread. In the
current system, access to one’s account information is similar to an opt-out process. Once a
credit card issuer receives an application, they check the credit report and proceed onward.
Under WISE, the credit card issuer will receive the application, but will not be able to check
records until there is a confirmation made.
It would be assumed that this process would be very cumbersome, expensive, and would
slow the process, but there is a solution for this: PreConfirm. PreConfirm would be the process
by which an individual can grant access to one’s financial data before the inquiry arrives. This
could be completed through a secure web page form or a telephone interview. The web form, in
particular, would be automatic and require less manpower. The phone system would require an
extensive list of answers to questions that WISE and the individual know, similar to the sign up
process for ChoicePoint. If a third party makes an inquiry, PreConfirm is not used, and the
individual wants her data released, there will be a very significant fee. Otherwise, the user
declines at no charge. This assumes that the individual will have up to date contact information
available. This responsibility is placed on the individual. When an individual changes her
address, by law one has to notify the Department of Motor Vehicles for their state. The same
policy would be used under WISE.
Because of the use of the WISE system, there will be little need for and individual to
provide their SSN to any entities. For example, the credit card issuer will only need a name and
9
“The SSN Numbering Scheme” http://www.ssa.gov/history/ssn/geocard.html. Accessed 5/5/2007
4
Identify This! – C. Baakel
address to send an inquiry to WISE, it is highly unlikely that anyone will have two of the same
name at a given address. WISE can track individuals internally by SSN or an internal code.
The concept of identity theft is different under WISE. While the ability to steal credit
card information is unchanged, the ability to create new accounts will be significantly hindered.
For an individual to have their identity stolen under WISE, one of two things have to happen: An
individual’s web login information and security questions (at lest 3 each login, should have about
8 on file) have to be compromised, or an individual’s phone PIN, and security questions have
been compromised. Phishing is still a legitimate threat, but this is an area where educating WISE
usage comes in.10 Web browsers and search engines like Google are helping in the fight against
phishing, and for the time being WISE will rely on their aid.11
Under this more secure system, when one’s identity is stolen there it is much more
severe, because a great deal of personal information must be known. The security questions will
be more diverse than “Mother’s Maiden Name”, and the individual should also create some of
the questions. Recovery would require two entities to be contacted: WISE and the police. The
FTC will play a role in WISE, and therefore will not need to be contacted by the individual. The
individual will be required to come into their local Social Security Administration office, and
then provide at least 6 point documentation similar to New Jersey’s driver’s license procedures.12
The individual’s contact information will be updated, and all new security questions will have to
be created. After this visit, the individual will again be able to take advantage of opportunities
where financial/credit information is required, much faster than the current system.
There are still areas of concern in the WISE system; for example, there is an assumption
that the major credit bureaus and other entities like ChoicePoint can be pushed out of the second
circle in the Identity Verification Model. This could be done by competitive pricing and/or
government intervention. The effect this will have on these international organizations will be
great, and will force a change in the industry. But this will not be the first time technology and
governmental influence has changed the shape of a market.13
The data on identity theft leads one to believe that technology is spawning a crime that is
unstoppable. Our current system allows for identity theft to occur too easily, and gives little
control to the individual over her information. In addition, the current method of recovery is too
passive. However, by changing our approach to data usage and distribution it is possible to stop a
significant amount of fraudulent activity. In addition, personally identifiable information control
becomes a primary focus, increasing individual privacy. In the end, the expansion of a WISE
system addresses our current needs, and is technically feasible.
10
I could not help adding the pun. It will strike again.
bbc.co.uk, “Google searches web’s dark side” http://news.bbc.co.uk/1/hi/technology/6645895.stm. 5/11/2007
12
“6 Point ID verification” http://www.state.nj.us/mvc/Licenses/6PointID.htm. Last Updated 3/22/2007, Accessed
5/1/2007.
13
Charny, B. “Net phone 911 may hit nomads the hardest”.
http://news.com.com/Net+phone+911+mandate+may+hit+nomads+hardest/2100-1034_35714421.html?part=dtx&tag=nhl&tag=nl.e433. Published 5/19/2005. Accessed 5/11/2007.
11
5
Identify This! – C. Baakel
Credit Cards
Etc.
Employers
YOU
Banks
Loan/Lenders
Government
Figure 1: The Current Identity Verification Model
6
Identify This! – C. Baakel
Credit Bureaus
Credit Cards
Employers
WISE
Etc.
YOU
Banks
Loan/Lenders
Government
ChoicePoint
Figure 2: The Wall between YOU and other entities created by WISE
7