[LINK] "Identity Theft" [was: Copyright Infringement as Stealing: Pfft!]
Stephen Wilson
swilson at lockstep.com.au
Tue Oct 28 10:51:25 AEDT 2008
Brendan Scott wrote:
> What "identity theft" involves is one person A convincing a second
> person B that A is a third person C. The fault (if any) is not with
> C, but with B for having a system of verification which fails to
> identify that A is not C. By calling it "identity theft" rather than
> "banking stupidity" or "lax lending standards" or somesuch, it
> appears as if there is something that person C might be able to do to
> stop it. But they can't.
I agree with Brendan that one of the important underlying issues is the
lax security that enables these types of fraud.
To lay the issue open, let's look at some nuance in the simple model of
"identity theft". I think the model is missing an important player.
Crucially, the "identity" in question is always a digital data item (or
set of items) of some sort, issued by a 'provider' (like a bank that
issues a credit card, or a site that issues a password). Let us call
that provider "P", and let us refer to the identity of person M issued
by P as "MvP" (i.e. M-subscript-P).
Then the scenario is more subtly that A convinces B that A 'is' third
person CvP in the context set by P.
For example, the context might be card-not-present purchases in a
payment system, where P can be thought of as the banks plus the card
scheme. In that case, for A to impersonate C, it is child's play for A
to obtain a parcel of data that replicates CvP -- C's credit card
number, billing address, CCV etc. all available on the black market.
Whose to blame? Well, arguably there actually are things that C can do
to protect themselves against A availing themselves of CvP; for
instance, C should take care not to expose their credit card details
unnecessarily. In the bricks and mortar world this used to be
straightforward; but now there are so many ways to steal or buy credit
card details that C's ability to protect themselves is almost zero.
The technology that instantiates CvP comes from P, and the advice that C
gets concerning how to protect their "identity" also comes from P. If
the technology is no longer resistant to attack, or the advice is no
longer relevant, then I think we have a basis for working out how to fix
the system.
Cheers,
Steve Wilson.
More information about the Link
mailing list