The Internet has made identity theft trivially easy – a new report from Symantec says that for $14 you can obtain someone’s name, date of birth, mother’s maiden name, social security number, bank account (with password), and credit card information (with security code). At any given time, nearly 150,000 credit card numbers can be purchased online.
When we celebrate and encourage open data on the new web, this isn’t what we’re talking about. The FTC estimates that identity theft costs our economy about $50 billion per year. It takes people years to recover from a full-blown identity assault.
In the U.S., our government has done very little to protect us. Part of the problem is that credit bureaus, auto dealers and retailers spend millions lobbying the federal and state governments to keep the laws just as they are. If a company is in the business of selling credit information and/or opening new credit accounts, they’re probably on the wrong side of this issue, and working to keep the transfer of private information as easy as possible.
But at some point this is going to pop. It will probably happen when a few members of Congress have to go through the ordeal of identity theft themselves, or when the volume of citizen complaints becomes too serious to ignore. And at that point, Congress is likely to push legislation that not only cuts out the cancer, but lots of healthy tissue as well.
We saw this with Sarbanes Oxley, federal legislation hurriedly enacted following the Nasdaq implosion five years ago. While Sarbanes Oxley certainly improved the level of disclosure needed for public companies in the U.S., it also put a very heavy burden on reporting companies. Many feel that it was the most significant contributing factor in the huge reduction in U.S. initial public offerings since that time (many companies have gone public in London or other countries instead).
If Congress finally does act to protect us against identity theft, the legislation could similarly go overboard, and have an impact on all these great companies making a living on the free exchange of data over the Internet.
Gray market startups like Jigsaw that are in the business of brokering personal information don’t make it any easier for the rest of the industry to show that they take the management of personal information seriously. Other startups, like TrustedID, are trying to find a private sector way of protecting us (see if your personal data is on any of the well-known fraud forums with TrustedID’s StolenIDSearch).
Symantec and others sell products to companies that help them protect their servers (and the data on them) from attacks. That’s good, but the ultimate solution is to hold companies financially accountable if their users’ data is stolen from their servers. And the burden of proof that it did or didn’t occur should fall on the company holding the data, not the user.
Companies won’t want this liability, and they’ll start finding ways to get that data off of their servers. New startups will launch that are willing to take that risk. And ultimately, sensitive user data will be stored in far fewer places than it is today. That’s a good thing.

$14 I’ll give you my identity, good luck with it. It’ll be the worst purchase you ever make.
Scary stuff, there’s not much that can be done but lock down your computer, buy online only @ trusted places, and pray. In fact all of the above won’t stop someone who knows what they are doing.
if someone wants to get you, they’ll get you – there’s nothing you can do about that
every thing has its poison.
for the sake of the greater mass, online theft is still relatively small.
Amen – and as I read this I’m sure that thousands of people in the US are asked for – and give – their SSN freely.
Just to let it sit on some front-desk for passersby to see.
Jason Alba
CEO – JibberJobber.com
1. stop putting in your name into boxes
2. stop responding to stupid emails
3. stop browsing porn
Mike, there is a typo in the second to last paragraph, the word Symantec is spelled Semantec.
No offense, just thought I would point that out.
yeah, thanks for that. got it.
Sarbanes-Oxley (no matter how you say it) in my personal opinion has been largely a failure. As a former public auditor and having been responsible for the process changes at a Fortune 100 when it hit, it has not done the things it needed to.
But it did do one thing… help the large consultancy firms make billions of dollars.
I got into the credit arena about 6 yrs ago when I decided to take responsibility for my credit picture… it is really amazing what is out there.
And the truth is, if the gov’t did something about spam (including the illegal crap), a decent percentage of identity theft would be wiped out (at least for the time being). Counting all the fake bank emails I have today so far is over 100.
And even with the best security, I had someone pick up my card number in Amsterdam last year.
Until we realize that our government is not computer savvy, and until we start to take charge of this, we will continue to suffer. Just look at the Internet radio fiasco going around now.
Hey, I didn’t know you were a bean counter, Allen.
HAHAH! Yep, started out as an accountant and auditor in NYC. Then one day a friend of mine bet me on who could make a better web site. Let’s just say I won. Thankfully, otherwise who knows where I would be! I quit the accounting after the 1st full tax season wearing the full suit everyday and working 18 hrs a day for almost no money. The next day went to work for CKS (doubled salary, actually enjoyed the job, jeans, pool, beer fridge, women, etc.) and never turned back! I do think my accounting background, plus my technology experience and my marketing experience and education (MBA ha!) helps when I do consulting. I wouldn’t trade it in and when I do coaching of tech students, I have always tried to teach them the importance of getting the most biz education they can get. Helps with a startup
Anyway, let’s not mention this ok? I have a rep to maintain! (j/k)
I don’t know that storing more sensitive information in fewer places is going to be of great benefit or is even desirable. I wouldn’t underestimate the lengths that criminals will go to in order to get this information. If you have fewer providers storing more of the data, that just makes for bigger targets, and when you look at the financial upside potential for the theft of the data compared to the provider’s incentive (and resources) to keep it secure, the criminal has a really powerful motivator.
Allen – yeah it will be just between us.
I have not had my identity stolen, but my debit card number was by a tow truck driver. My truck had just been side swiped by someone trying to pass on a one lane, one way road. I got a ticket for having my truck on the side of the street broken down (in the college area you can’t park without a permit), and then I had to get towed. The guy towed my car, but also took my debit card with me and drained my whole bank account. Did I mention this was two days after Christmas? Ah, that was a great time…
Michael,
The problem with Congress taking action against identity theft isn’t necessarily that they will do too much. It’s that they will do too little.
Look at CAN-SPAM–that got passed with much fanfare and hullabaloo, but how much has it actually lessened spam proliferation? Not a whit. Many of the laws being proposed that claim to “prevent ID theft” do nothing of the kind–they actually preempt state laws for data breach notifications, set the minimum level for disclosures way too high (10,000 records?!), and so on.
You’re right in saying that the credit and financial industries have too much to lose from serious identity theft protection like nationwide credit freezes, so they’ve been fiercely lobbying Congress to ensure that any federal laws governing data breaches are as toothless as possible. The private sector needs to take the lead on this issue and demonstrate that not only is identity theft a serious problem that isn’t going away, but that you CAN reduce your risk and protect yourself with the right tools and knowledge.
Full disclosure: I work for another ID theft prevention company (MyPublicInfo) and cover ID theft regularly in my writing, so this is something I have a personal stake in.
Martin Bosworth
http://www.mypublicinfo.com (MyPublicInfo)
http://www.consumeraffairs.com (ConsumerAffairs.Com)
I work for a Fortune 200 Financial company (currently one of the top credit card companies in the US) and thought I would comment on the article.
Sarb-Ox:
This act was not originally designed to protect customer information on the net. It is primarily designed towards building better, more responsible oversight of companies. This act is of value as it helps to protect those that have oversight and requires a significantly increased amount of reviews with anything related to a P&L or reporting. No more of this since it is not directly related to credit fraud.
Online / System Security:
I do agree that financial institutions should continue to push themselves to ensure better security on their servers. However, if you do look at the security of financial institutions you will find they are pretty good, though not perfect. Many (all the national institutions) offer some level of fraud protection on their accounts and will assist with stolen identity issues.
Also, we don’t want financial information to be easily passable for anyone to anyone. While I work for an institution, I have many open lines of credit as well and don’t want anyone to have access to this info. The problem is how to draw the line for ease of use to the customer and protection of information. How many of you personally want to visit 5 banks and apply for an auto loan (that you may or may not use) prior to purchasing an auto? Or how many of you would like to have all internet access to your accounts removed?
Protection against Identity Theft:
In the end there is no better way to protect yourself than to not give out your information. In my opinion, the average American lacks the common sense / education to properly protect themselves. We need to increase the focus on education rather than technology products / legislation.
Here are a few simple tips to help:
1. Shred EVERYTHING! Every time you get something with your name or account number, dispose of it properly.
2. Don’t give out your SSN. If you have to, do it in person at the bank.
3. Don’t let anyone see your credit card! This is huge! If you don’t have a card on you then you must have the CVV number in order to make purchases online. In Jason’s (above) case I would bet the truck driver wrote down the CVV and CC#. Essentially, NEVER let anyone hold your card. If you are buying something then swipe it yourself (most CC readers are like that now, so the physical card never leaves your hand)!
4. Remember, identity theft IS NOT new or a result of the internet. It existed before the internet. Yes, it was made easier by the internet but that is because people are not taking the proper steps to protect themselves (goes back to the education thing).
At the end of the day, your identity is your responsibility. You must do what is necessary to protect it and that includes being careful when you CHOOSE to give out that information. Please don’t think that financial institutions don’t care about keeping your information safe. If everyone’s identity is stolen then who’s going to pay the bills? It is a lose – lose situation for consumers and companies. There is always room to improve and companies like Jigsaw are just wrong. But this is a shared responsibility between everyday people and the companies that service them.
Remember, you can always pay in cash.
I agree this is a potentially big problem. It’s interesting that you group companies like Jigsaw (www.jigsaw.com) in with the problem of identity theft. Identity theft is associated with someone’s personal information as you describe, “… for $14 you can obtain someone’s name, date of birth, mother’s maiden name, social security number, bank account (with password), and credit card information (with security code).” Companies like Jigsaw (that I am a big user of and think is a very disruptive idea for the stagnant b2b data industry and which you seem to like to pick on for some reason), Dun and Bradstreet, et al aren’t selling someone’s personal information, they are in the business of helping other business people do business with BUSINESS information with less friction. There is a big difference between date of birth, mother’s maiden name, social security number, bank account w/ password and credit card information w/ security code vs. someone’s name, title, work address, work email address and work phone number. If you want to make a comparison to what you are able to get on Jigsaw to something more realistic, you should compare it to something like the white pages, the yellow pages, 411, or one of your favorites Jingle Networks/1800FREE411. You obviously do not have an issue with those services as you write pretty positively about at least one of them fairly frequently.
One thing that I think will help is OpenID, as it gets adopted by more and more companies the amount of personal information stored on corporate servers will decline more and more, which is a good thing.
Mike, you make a great point with the Sarbanes Oxley reference. We can only hope that when the gov takes action against identity theft, it won’t be a knee-jerk political reaction ignoring a good deal of empirical evidence. Probably depends on the election cycle…
Isn’t this one of the main barriers to participating in networks like LinkedIn, Xing et al? For a relatively small price, crooks can look up potential, high value targets. Once identified, it only takes a little leg work to acquire more potentially damaging personal info.
lifelock.com is another identity theft company (I am an investor) that has had success in prevention.
guard ID systems (guardidsystems.com) has a great product called the ID Vault that stores and encrypts passwords on a smartcard (USB dongle) that then allows you to securely connect to financial institution sites. I call it two-factor authentication for the masses. The SW polls the financial service URLs daily to make sure that your transaction is actually happening at an official site vs. a spoofed or phished/pharmed site. It’s one of the most elegant and user friendly products/services I’ve seen to prevent online identity theft. Full disclosure: I’m an investor and on the board.
Identity theft and credit card fraud are two different things – I learned that filing a police report after having my credit card info stolen.
My experience: my debit card got a fraudulent charge a year ago. I’ve never used it – neither online, nor offline – just at the ATM. Nobody else has ever seen the card, but I got the charge anyway. Most probably it was one of the stolen accounts from Bank of America. Conclusion: sometimes things are completely out of your control and even the greatest precautions won’t help you eliminate headaches!
Anyway, credit card fraud is a small concern considering the protection most credit cards give you.
The responsibility for protecting consumers’ identity should be on the banks and, in my opinion, they are not doing enough to stay in front of the problem. The best solution for this is a technical, preventative solution similar to some of the startups listed above, but I believe there needs to be a more holistic solution. I wrote an article on the subject:
http://www.vent...identity-fraud/
I would get really worried if we need to depend on the government to regulate this. I’m a venture capitalist though, so I’m sure the entrepreneurs here have some clever approaches to combatting the problem.
There is no way to stop ID theft. It has been going on for years; it is just now that people realize how easy it is and how profitable it is. Even with more harsh laws in effect, there is still only 3-5% that are ever caught. Everyone, including consumers, needs to take responsibility for being more aware and cautious; however, it still will not stop it completely. I am an ID theft specialist through the Institute of Fraud and help to protect people against this crime. I see the impact in all 5 areas of ID theft. For the one who said they would sell their ID for $14, careful what you ask for. Credit is not all that is worth having, it gets much worse; I see it every day. You can’t rely on the government or anyone else to stop it because they can’t, just get educated and find the right protection.
I would suggest reading this blog, it talks about these privacy related matters and alerts people of recent identity theft trends:
http://blog.arz...privacy-20.html