Identity Theft and Solutions: Research for the Future

1
Identity Theft and SolutionsResearch for the
Future

• Dr. Milena Head
• Associate Professor
• Director, McMaster eBusiness Research Centre
  (MeRC)
• McMaster University

2
What is Identity Theft?
Any impersonation or misappropriation of an
individual's identity
3
Misusing personal information to
Lease an apartment
Open new credit cards
Fill out legal documents
Obtain passports
Open a telephone account
Take out loans
4
What are the implications for victims?

• Possible loss of money and more importantly
  reputation
• False credit reports that can be difficult to
  correct
• Average cost per victim is 740 US
• The average time spent by victims is about 600
  hours
• Lost opportunities
• False arrests
• Emotional impact of identity
  theft has been found to
  parallel that of victims of
  violent crime

5
How big is the problem?

• 7 million Americans (3.4 of consumers) were
  victims of IDT during the 12 months ending June
  2003
• 79 increase from previous year!
• FTC states IDT is Americas fasting growing crime
• Annual cost in the US is 53B (2003)
• In Canada, over 600,000 victims during 2003 (3
  of consumers)
• Annual cost in Canada is 21.5M (2003)

6
How are identities stolen?

• 34 obtained or forged credit card
• 12 obtained improperly a paper or computer
  record with personal information.
• 11 stole wallet or purse.
• 10 opened charge accounts in stores.
• 7 opened a bank account or forged cheques.
• 7 got to mail or mailbox.
• 5 lost wallet or purse.
• 4 went to a public record.
• 3 created false IDs.

7
How is this happening?

• Dumpster diving
• Shoulder surfing
• Bribing
• Spyware
• Hacking
• Online searching of publicly available data
• Phishing and spoofing
• Designed to fool recipients into divulging
  personal information
• Example password
  verification request sent
  by a victims bank
• Example fake listings
  on Monster.com

8
Who are the thieves? A true story

• Michelle Thibodeau of Worcester, Mass. took her
  16-year old son to get his learners permit
• He already had a drivers license!
• Photo on the license was his father in jail
• Teen started getting notices that he was
  delinquent in his child support
• DoR seized part of his grocery store bagger
  paycheques
• After a year of frustration, had to apply for a
  new SSN (implications for getting college loans)

9
Who are the thieves?

• Should we just be concerned about hackers?
• NO!
• Most identities stolen from trusted insiders who
  already have easy access to private information
  70!
• Acquaintances, friends even family 16!

10
Theory of Human Identification

• Knowledge-based identification
• In possession of information which only that
  person would be expected to know

• Token-based identification
• Recognized by possession of some item

• Biometric identification
• Variety of identification techniques which are
  based on some physical and difficult-to-alienate
  characteristics

11
Are we careless about our private information?
YES
In a word
Careless protection of private information
Careless disposal of private information
12
Careless protection of private
information

• Passwords are a very weak form of protection
• Lets have an HONEST show of hands
• 80 select a common password where possible
• 67 rarely or never change their passwords
• 49 of heavy computer users
  (more than 10 passwords)
  write them down
• Willing to compromise for a bribe!
• Not isolated to passwords

13
Careless disposal of private
information

• People increasingly are learning to destroy
  paper-based information that can lead to privacy
  and security breaches
• But still a major issue
• Often dont think to shred the data
  stored at various locations within the
  computer

14
Yes, we can be more careful.
Is it all our fault?
NO
In a word
Organizations are careless
Procedures and processes are careless
15
Careless business government practices

• Sloppy security practices
• Easy credit
• Greater access to personal information
• Widespread use of SIN as unique customer
  identifier
• Increasing commercial trade in personal consumer
  information

And a good policy is not enough!
16
Theory of Human Identification

• Knowledge-based identification
• In possession of information which only that
  person would be expected to know

• Token-based identification
• Recognized by possession of some item

• Biometric identification
• Variety of identification techniques which are
  based on some physical and difficult-to-alienate
  characteristics

17
The clever identity thief

• Knows personal information
• AND
• has physical items
• Tokens can be stolen and altered
• OR
• manufactured

18
Theory of Human Identification

• knowledge-based identification
• In possession of information which only that
  person would be expected to know
• Token-based identification
• Recognized by possession of some item

• Biometric identification
• Variety of identification techniques which are
  based on some physical and difficult-to-alienate
  characteristics

19
The promise
to unequivocally identify
individuals
The hurdles
technology, infrastructure,
privacy
20
Stakeholders
Identity Protector
Identity Issuer
Identity Checker
Identity Owner
Identity Thief
From Wang, Yuan and Archer (2004)
21
Stakeholders
Identity Protector

• Role
• Legally own and use ID
• Responsibilities
• Safeguard ID
• Fast victim recovery to reduce loss
• Legally use ID

Identity Issuer
Identity Checker
Identity Owner
Identity Thief
22
Stakeholders
Identity Protector

• Role
• Authenticate and issue ID
• Responsibilities
• Issue secured certificates
• Protect ID certificate information
• Protect ID owner and checker

Identity Issuer
Identity Checker
Identity Owner
Identity Thief
23
Stakeholders
Identity Protector

• Role
• Authenticate ID and provide services
• Responsibilities
• ID authentication
• Provide services to real ID owner
• Protect ID information
• Protect ID owner

Identity Issuer
Identity Checker
Identity Owner
Identity Thief
24
Stakeholders
Identity Protector

• Role
• Protect and prosecute
• Responsibilities
• Legislate
• Enforce laws
• Protect ID owners
• Educate and guide
• Provide technical solutions
• Record and track complaints and detect trends

Identity Issuer
Identity Checker
Identity Owner
Identity Thief
25
IDT Prevention Activities
Education
Identity Protector
Guidance
Guidance
Identity Issuer
Identity Checker
Prevention Policies Tech
Prevention Policies Tech.
IDT Alert
IDT Alert
Identity Owner
Identity Thief
Self Protection
26
(No Transcript)
27
(No Transcript)
28
What research is needed?
But first a bit about .
29
McMaster eBusiness Research Centre (MeRC)

• Established in 2000
• Part of the Ontario Research Network in
  e-Commerce (ORNEC)
• How we define eBusiness
• We believe that the e will disappear.
• We are focused on business innovation in the
  networked economy
• Our mission focus on research, education and
  outreach

30
Research

• Interdisciplinary research
• Research groups have developed expertise in areas
  of
• Identity Theft
• Privacy
• Security
• Trust
• Consumer Behaviour
• Mobile Commerce
• eHealth
• Portals

• Online Negotiation
• Supply Chain Management
• Interface Design
• eLearning
• Change Management
• Knowledge Management
• among others

31
Education

• Providing graduates with the managerial and
  technical knowledge demanded and necessary in the
  electronic marketplace
• Undergraduate eBusiness courses
• eBusiness MBA specialization
• PhD (currently 12 candidates engaged in eBusiness
  research)
• Co-op, internship, full time placements
• Opportunities for course projects

32
Outreach

• Providing an interface to facilitate dialogue
  between academics and business leaders
• Distributing research papers and reports
• eBusiness Seminar series
• Industry speakers in the classroom
• On-site executive training programs
• On-line courses for SMEs
• Supply Chain Symposium
• World Congress Conference
• eCase Competition

33
Ontario Research Network for Electronic Commerce
(ORNEC)
34
Initial Researchers
Cluster Number
Law 12
Business 56
Technology 12
Total 80
35
Ontario Research and Development Fund (ORDCF)

• 1/3 private sector, 1/3 institutions, 1/3 ORDCF

36
ID Theft as a Flagship Project
Funds assigned by the ORNEC Board of IDT .
1.9 Million!
3 Expressions of Interest developed
37
(No Transcript)
38
Project 1 Defining and Measuring IDT

• Scattered and incomplete Canadian data
• Research questions
• What types of stats should be gathered? How?
• How can businesses be encouraged to report IDT?
• How can technology help to gather stats?
• What are the various jurisdictions doing?
• What is the magnitude and nature of IDT?
• What are the real costs of IDT to consumers,
  businesses, governments, and the economy?

39
Project 2 Management Approaches to Combating IDT

• Research questions
• How does IDT affect trust?
• What are the direct and indirect costs?
• What are the risks?
• What is the business case for stakeholders?
• Are current policies practices effective?
• What are the leak-points?
• What are the costs/benefits of countermeasures?
• What is the effectiveness of various multi-party
  approaches?
• How can employee attitudes be improved?

40
Project 3 Technical Tools to Address IDT

• Some available technical solutions digital
  signatures, PKI, smartcards, biometrics
• Research questions
• How effective are alternative tech solutions?
• What is the impact on privacy and other social
  values?
• How can security systems be designed to give
  consumers informed choice in the level of
  security they are provided?
• Who will manage biometric information?
• How can reputation management systems build
  trustworthiness?
• How can user profiling effectively detect IDT?

41
Is there anything positive we can say about
identity theft?
Its a fruitful area for research!
42
And the last word by William Shakespeare
Who steals my purse steals trash But he that
fliches from me my good name .... makes me poor
indeed - from Othello
43
Thank you

• Milena Head
• headm_at_mcmaster.ca