Whenever I hear the phrase “identity theft,” I can only imagine what the late, great Rodney Dangerfield would have made of it: “Some guy in Moldova stole my identity. The FBI said, ‘…and you want it back?’ No respect!”
Despite what seems to be a public fascination with identity theft as the latest innovation in cybercrime, it isn't really new. Even before the Internet came along, criminals could steal and manipulate identity data by modifying the magnetic strip on the back of a credit card to access a different account than the one listed on the front of the card.
This would allow the thief to present a credit card and identification that matched and hope that the employee didn’t actually look at the name on the receipt.
But this level of con was strictly small time compared to what a computerised identity thief can accomplish today with thousands of names, their financial information, and the Internet as a global playing field for fraudulent transactions.
Not only does automation enable fantastic economies of scale—one thief can manipulate tens of thousands of identities and still have time for a leisurely lunch—but the probability of detection, arrest, and punishment is extremely low.
Mass media news value tells the tale. Large-scale identity breaches have become back-page news. The successful prosecution of a single cybercriminal makes the front page because it is so rare.
Technology is certainly an important part of solving the identity theft equation, but society will need to pursue a multi-pronged approach that includes policy changes, process improvements, and increased awareness across the value chain (from consumers to business service providers).
The first change is for society to recognise that cybercrime is crime, pure and simple. There is nothing outlandish, exotic or incomprehensible about it. Criminal justice authorities should stop treating it as a discipline apart from suppressing traditional physical and white collar crimes, and integrate it into the mainstream of law enforcement.
It’s true that the world is flat when it comes to cybercrime, and its perpetrators thrive in countries that cannot or will not control it. But a lot more could be done in indicting and demanding the extradition of cybercriminals from foreign shores, and in putting pressure on countries that tacitly condone them.
Here the situation is similar to the dirty money banking problem. Recently, the US Treasury Department and the EU have been quite effective in putting the screws to dubious offshore banks and the countries that host them.
Second, the law has a blind spot when it comes to assigning liability for technology-based products and services. If a car has a manufacturing flaw, it triggers recalls and lawsuits. If a software package is riddled with functional and security gaps, the law shrugs and end users do the heavy lifting every Patch Tuesday.
Likewise, if a restaurant poisons its patrons, health inspectors shut it down and aggrieved customers seek damages. But if a retailer exposes financial information on thousands of customers, a quick press release and a public apology usually smooth the round trip to business as usual.
To be fair to businesses, especially ones that sincerely do their best to protect sensitive data, there is no way to completely secure a system or to eradicate all breaches. The goal of security is to limit the possibility of a successful compromise and, when one does occur, to limit its impact on the organisation.