[LINK] "Identity Theft" [was: Copyright Infringement as Stealing: Pfft!]

Stephen Wilson swilson at lockstep.com.au
Tue Oct 28 10:51:25 EST 2008


Brendan Scott wrote:

 > What "identity theft" involves is one person A convincing a second
 > person B that A is a third person C.  The fault (if any) is not with
 > C, but with B for having a system of verification which fails to
 > identify that A is not C.  By calling it "identity theft" rather than
 > "banking stupidity" or "lax lending standards" or somesuch, it
 > appears as if there is something that person C might be able to do to
 > stop it.  But they can't.

I agree with Brendan that one of the important underlying issues is the 
lax security that enables these types of fraud.

To lay the issue open, let's look at some nuance in the simple model of 
"identity theft".  I think the model is missing an important player.

Crucially, the "identity" in question is always a digital data item (or 
set of items) of some sort, issued by a 'provider' (like a bank that 
issues a credit card, or a site that issues a password).  Let us call 
that provider "P", and let us refer to the identity of person M issued 
by P as "MvP" (i.e. M-subscript-P).

Then the scenario is more subtly that A convinces B that A 'is' third 
person CvP in the context set by P.

For example, the context might be card-not-present purchases in a 
payment system, where P can be thought of as the banks plus the card 
scheme.  In that case, for A to impersonate C, it is child's play for A 
to obtain a parcel of data that replicates CvP -- C's credit card 
number, billing address, CCV etc. all available on the black market.

Who's to blame?  Well, arguably there actually are things that C can do 
to protect themselves against A availing themselves of CvP; for 
instance, C should take care not to expose their credit card details 
unnecessarily.  In the bricks and mortar world this used to be 
straightforward; but now there are so many ways to steal or buy credit 
card details that C's ability to protect themselves is almost zero.

The technology that instantiates CvP comes from P, and the advice that C 
gets concerning how to protect their "identity" also comes from P.  If 
the technology is no longer resistant to attack, or the advice is no 
longer relevant, then I think we have a basis for working out how to fix 
the system.

Cheers,

Steve Wilson.



