Slide - Centre For Applied Cryptographic Research

Identity Theft and Solutions: Research for the Future
Dr. Milena Head
Associate Professor
Director, McMaster eBusiness Research Centre (MeRC)
McMaster University
What is Identity Theft?
Any impersonation or misappropriation of an individual's identity
Misusing personal information to …
 Lease an apartment
 Open new credit cards
 Obtain passports
 Take out loans
 Fill out legal documents
 Open a telephone account
What are the implications for victims?
 Possible loss of money … and, more importantly, reputation
 False credit reports that can be difficult to correct
 Average cost per victim is $740 US
 The average time spent by victims is about 600 hours
 Lost opportunities
 False arrests
 Emotional impact of identity theft has been found to parallel that of victims of violent crime
How big is the problem?
 7 million Americans (3.4% of consumers) were victims of IDT during the 12 months ending June 2003
 79% increase from previous year!
 FTC states IDT is America’s fastest growing crime
 Annual cost in the US is $53B (2003)
 In Canada, over 600,000 victims during 2003 (3% of consumers)
 Annual cost in Canada is $21.5M (2003)
How are identities stolen?
 34% : obtained or forged a credit card
 12% : improperly obtained a paper or computer record with personal information
 11% : stole a wallet or purse
 10% : opened charge accounts in stores
 7% : opened a bank account or forged cheques
 7% : got to mail or a mailbox
 5% : lost wallet or purse
 4% : went to a public record
 3% : created false IDs
How is this happening?
Dumpster diving
Shoulder surfing
Bribing
Spyware
Hacking
Online searching of publicly available data
Phishing and spoofing
 Designed to fool recipients into divulging personal information
 Example: password verification request sent by a victim’s “bank”
 Example: fake listings on Monster.com
Who are the thieves?
A true story …
 Michelle Thibodeau of Worcester, Mass. took her 16-year-old son to get his learner’s permit
 He already had a driver’s license!
 Photo on the license was his father … in jail
 Teen started getting notices that he was delinquent in his child support
 DoR seized part of his grocery store bagger paycheques
 After a year of frustration, had to apply for a new SSN (implications for getting college loans)
Who are the thieves?
Should we just be concerned about hackers?
NO!
Most identities are stolen by trusted insiders who already have easy access to private information … 70%!
Acquaintances, friends … even family … 16%!
Theory of Human Identification
“Knowledge-based” identification
 In possession of information which only that person would be expected to know
“Token-based” identification
 Recognized by possession of some item
“Biometric” identification
 Variety of identification techniques which are based on some physical and difficult-to-alienate characteristics
Are we careless about our private information?
In a word … YES
Careless protection of private information
Careless disposal of private information
Careless protection of private information
Passwords are a very weak form of protection
 Let’s have an HONEST show of hands
 80% select a common password where possible
 67% rarely or never change their passwords
 49% of heavy computer users (more than 10 passwords) write them down
 Willing to compromise for a “bribe”!
Not isolated to passwords
Careless disposal of private information
People increasingly are learning to destroy paper-based information that can lead to privacy and security breaches
 But still a major issue
Often don’t think to “shred” the data stored at various locations within the computer
Yes, we can be more careful.
Is it all our fault?
In a word … NO
Organizations are careless
Procedures and processes are careless
Careless business & government practices
Sloppy security practices
Easy credit
Greater access to personal information
Widespread use of SIN as unique customer identifier
Increasing commercial trade in personal consumer information
And a good policy is not enough!
The clever identity thief …
Knows personal information AND has physical items
Tokens can be stolen and altered OR manufactured
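To make the three identification classes concrete from the checker's side, here is an added example (constructed for this page, not code from the talk or from MeRC) of an Identity Checker that demands two of them at once: a knowledge-based factor (a salted password hash) and a token-based factor (an RFC 4226 HOTP code from a one-time-password device). The scenarios in demo() replay the slide: a thief holding only the knowledge, or only the token, is rejected, while the "clever identity thief" who has both is accepted, which is exactly why the remaining class, biometrics, is attractive. The owner name, password and token secret are constructed sample values; the token secret is the RFC 4226 test-vector secret.

```python
"""Added example: a minimal two-factor "Identity Checker" (knowledge + token).
Constructed for this page; not part of the original talk."""
import hashlib
import hmac
import os
import struct

LOOKAHEAD = 5            # counter steps a token may have drifted ahead of the checker
PBKDF2_ROUNDS = 100_000  # work factor for the knowledge factor


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): the code a hardware or app token shows for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def derive_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: salted PBKDF2, so the checker never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class IdentityChecker:
    """The 'Identity Checker' stakeholder: authenticates an ID before providing a service."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def enrol(self, owner: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self._records[owner] = {
            "salt": salt,
            "pw_hash": derive_password(password, salt),
            "token_secret": token_secret,
            "counter": 0,  # next HOTP counter value expected from the owner's token
        }

    def verify(self, owner: str, password: str, code: str) -> bool:
        rec = self._records.get(owner)
        if rec is None:
            return False
        # Knowledge-based factor: constant-time comparison of the derived hash.
        knowledge_ok = hmac.compare_digest(
            derive_password(password, rec["salt"]), rec["pw_hash"])
        # Token-based factor: accept the expected counter or a small window ahead of it
        # (the owner may have pressed the token's button without logging in).
        matched = None
        for c in range(rec["counter"], rec["counter"] + LOOKAHEAD):
            if hmac.compare_digest(hotp(rec["token_secret"], c), code):
                matched = c
                break
        if not (knowledge_ok and matched is not None):
            # Both factors are required. The counter is left untouched on failure so that
            # someone holding only the stolen token cannot burn through its codes.
            return False
        rec["counter"] = matched + 1  # a used code is never accepted again (no replay)
        return True


def demo() -> dict[str, bool]:
    """Scenarios against one enrolled owner; owner, password and secret are constructed."""
    token_secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed here
    checker = IdentityChecker()
    checker.enrol("alice", "correct horse battery", token_secret)
    results = {}
    # 1. The legitimate owner presents the knowledge and a fresh token code (counter 0).
    results["owner"] = checker.verify("alice", "correct horse battery", hotp(token_secret, 0))
    # 1b. Replaying the same code is refused even with the right password.
    results["owner_replay"] = checker.verify("alice", "correct horse battery", hotp(token_secret, 0))
    # 2. A thief who learned the password (knowledge only) has to guess the code.
    results["thief_knowledge_only"] = checker.verify("alice", "correct horse battery", "000000")
    # 3. A thief who stole the token (token only) presses it once and guesses the password.
    results["thief_token_only"] = checker.verify("alice", "password1", hotp(token_secret, 1))
    # 4. The 'clever identity thief' of the slide: knows the information AND holds the item.
    results["thief_both"] = checker.verify("alice", "correct horse battery", hotp(token_secret, 2))
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:22s} -> {'accepted' if accepted else 'rejected'}")
```

The design choice worth noting is in verify(): both factors are always evaluated and the HOTP counter is advanced only when the whole check passes, so a failed attempt reveals nothing about which factor was wrong and cannot exhaust the legitimate owner's codes. Scenario 4 is the page's point: neither knowledge nor possession resists a thief who has acquired both.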
The promise of biometric identification …
… to unequivocally identify individuals
The hurdles …
… technology, infrastructure, privacy
Stakeholders
Five stakeholders in identity theft (from Wang, Yuan and Archer, 2004):
 Identity Protector
 Identity Checker
 Identity Issuer
 Identity Thief
 Identity Owner
Stakeholders: Identity Owner
Role
 Legally own and use ID
Responsibilities
 Safeguard ID
 Fast victim recovery to reduce loss
 Legally use ID
Stakeholders: Identity Issuer
Role
 Authenticate and issue ID
Responsibilities
 Issue secured certificates
 Protect ID certificate & information
 Protect ID owner and checker
Stakeholders: Identity Checker
Role
 Authenticate ID and provide services
Responsibilities
 ID authentication
 Provide services to real ID owner
 Protect ID information
 Protect ID owner
Stakeholders: Identity Protector
Role
 Protect and prosecute
Responsibilities
 Legislate
 Enforce laws
 Protect ID owners
 Educate and guide
 Provide technical solutions
 Record and track complaints and detect trends
IDT Prevention Activities
Activities among the stakeholders (labels recovered from the slide diagram):
 Identity Protector: Education; Guidance
 Identity Checker and Identity Issuer: Prevention Policies & Tech.; IDT Alert
 Identity Owner: Self Protection
 Identity Thief
What research is needed?
But first a bit about ….
McMaster eBusiness Research Centre (MeRC)
Established in 2000
Part of the Ontario Research Network in eCommerce (ORNEC)
How we define eBusiness
 We believe that the “e” will disappear.
 We are focused on business innovation in the networked economy
Our mission: focus on research, education and outreach
Research
Interdisciplinary research
Research groups have developed expertise in
areas of:
 Identity Theft
 Privacy
 Security
 Trust
 Consumer Behaviour
 Mobile Commerce
 eHealth
 Portals
 Online Negotiation
 Supply Chain Management
 Interface Design
 eLearning
 Change Management
 Knowledge Management
 among others …
Education
Providing graduates with the managerial and technical knowledge demanded and necessary in the electronic marketplace
 Undergraduate eBusiness courses
 eBusiness MBA specialization
 PhD (currently 12 candidates engaged in eBusiness research)
Co-op, internship, full time placements
Opportunities for course projects
Outreach
Providing an interface to facilitate dialogue between academics and business leaders
Distributing research papers and reports
eBusiness Seminar series
Industry speakers in the classroom
On-site executive training programs
On-line courses for SMEs
Supply Chain Symposium
World Congress Conference
eCase Competition
Ontario Research Network for Electronic Commerce (ORNEC)
Initial Researchers
Cluster       Number
Law               12
Business          56
Technology        12
Total             80
Ontario Research and Development Fund (ORDCF)
1/3 private sector, 1/3 institutions, 1/3 ORDCF
ID Theft as a Flagship Project
Funds assigned by the ORNEC Board to IDT … $1.9 Million!
3 Expressions of Interest developed
Project 1: Defining and Measuring IDT
Scattered and incomplete Canadian data
Research questions:
 What types of stats should be gathered? How?
 How can businesses be encouraged to report IDT?
 How can technology help to gather stats?
 What are the various jurisdictions doing?
 What is the magnitude and nature of IDT?
 What are the real costs of IDT to consumers, businesses, governments, and the economy?
Project 2: Management Approaches to Combating IDT
Research questions:
 How does IDT affect trust?
 What are the direct and indirect costs?
 What are the risks?
 What is the “business case” for stakeholders?
 Are current policies & practices effective?
 What are the “leak-points”?
 What are the costs/benefits of countermeasures?
 What is the effectiveness of various multi-party approaches?
 How can employee attitudes be improved?
Project 3: Technical Tools to Address IDT
Some available technical solutions: digital signatures, PKI, smartcards, biometrics
Research questions:
 How effective are alternative tech solutions?
 What is the impact on privacy and other social values?
 How can security systems be designed to give consumers informed choice in the level of security they are provided?
 Who will manage biometric information?
 How can reputation management systems build trustworthiness?
 How can user profiling effectively detect IDT?
Is there anything positive we can say about identity theft?
It’s a fruitful area for research!
And the last word by William Shakespeare …
Who steals my purse steals trash…
But he that filches from me my good name
… makes me poor indeed
- from Othello
Thank you
Milena Head
headm@mcmaster.ca