How to stop identity theft
Jonathan Buhacoff

Introduction

If identity theft happens to you, it's not your fault.

You can take some precautions to minimize the risk, but when it happens to you anyway -- it's not your fault.

Victims of identity theft lose time and money, experience frustration and possibly anger. Maybe the worst part about being a victim of identity theft is the feeling of helplessness -- that people and organizations you trust have betrayed you and there's nothing you can do about it.

In this article, you will learn how the most common forms of identity theft can be prevented. There is an action guide at the end.

Cybersecurity functions

NIST published a nice overview of the five functions of a successful cybersecurity program. Let's see how these functions map to what's available today on the topic of identity theft:

Identify. Understanding the risks of identity theft. You're reading this article now, and there is plenty of other material published about identity theft. So let's say we know the risks.

Protect. It's an adage: "there are precautions you can take to minimize the risk, but identity theft cannot be prevented." This article describes a solution -- keep reading to learn more -- but it has to be used for people to benefit, so until we make it a reality let's leave this box unchecked.

Detect. Credit monitoring services offer an answer to the question: "did someone impersonate me and get credit in my name?" and there are companies that sell data analytics services to banks and credit unions to answer a related question, "is there suspicious activity on this account?". There is a list of warning signs that you might spot for yourself.

Respond. The FTC operates the website identitytheft.gov which answers the question "what to do when information is lost or exposed?", and additional information can be found with a quick Internet search.

Recover. You can buy insurance to recover lost money from identity theft incidents. There are also specific steps you can take based on what kind of damage was done, such as reporting it to various organizations or agencies.

As you can see from the checklist, as a society we have everything covered here except a way to actually prevent identity theft.

A quick Internet search will produce many results about how to avoid identity theft. While you can adopt many good habits to minimize your risk, it's not enough.

Mechanics of identity theft

To obtain personal and financial information about you that can be used to steal your identity, a criminal might:

  1. dive into your garbage to find account numbers, social security numbers, and other personal and financial information about you
  2. trick you into disclosing personal information with a phishing attack by email, phone, or website
  3. steal your wallet or purse while you are in public
  4. steal your personal information or account numbers directly from a merchant or other organization that might have information -- either by finding a weak or stolen password that you use, or hacking into their servers

Notice that the risk of #1, #2, and #3 can be reduced (but not eliminated) with certain habits like shredding your bills, learning to avoid phishing attacks, and keeping a bottle of pepper spray handy.

But #4 is out of your control. Whether you do anything about the first three or not, data breaches happen all the time, and your information has probably been exposed in some of them already, or will be exposed in the future.

With the ever-growing number of data breaches, the likelihood of your personal information falling into the wrong hands is also ever-growing.

Let's look at two illustrations showing how this could easily happen to you even if you practice all the good habits.

Illustration 1 - You live somewhere

Let's step through a sequence of events that can lead to identity theft regardless of a person's habits:

If you rent a house or apartment, your landlord probably required you to provide a lot of personal information in the application: your full name, current address, telephone number, date of birth, government identification number(s) such as social security number and driver license number in the United States, employer information, emergency contacts, details of any pets you might bring, details about your vehicle(s) such as make, model, year, and license plate number; and sometimes they even ask about your bank address and checking account number. They ask for similar information about your spouse or co-signer.

If you own a house or apartment, and if you needed a loan to buy it, your bank or credit union probably required you to provide a lot of personal information in the loan application. Probably a list similar to what you might need to rent a place, but without asking about pets.

You have to give it to them, right? Otherwise you're not getting into that property. You're not breaking any "good habit" by providing information when it's required. They might use some of the information to request a credit check and background check on you. Your name, birthdate, and government identifiers might be required by the companies that perform those checks to identify you so they report the correct information.

Thinking about this one transaction of renting or buying a property, you have to share a lot of information with your landlord, bank, or credit union. They get additional information about you from a credit bureau or background check agency.

Furthermore, the government also has much of this information.

Organizations with your info: landlord, bank or credit union, credit bureaus, government.

Continued in the problem...

Illustration 2 - You enroll your child in school

Let's step through a sequence of events that can lead to identity theft regardless of a person's habits:

If you enrolled your child in a school, the school probably required you to provide a lot of personal information about yourself and your child: your full name, current address, telephone number, and a copy of a utility bill or some other proof that you live in the school's district; your child's full name, date of birth, government identification number such as social security number in the United States, vaccination records, and emergency contacts.

You have to give it to them, right? Otherwise they're not getting into that school. You're not breaking any "good habit" by providing information when it's required.

Thinking about this one transaction of enrolling a child in school, you have to share a lot of information with the school district. They get additional information about your child from a doctor's office, which also has much of the same information.

Furthermore, the government also has much of this information.

Organizations with your info: school district, doctor's office, government.

Continued in the problem...

The problem

As illustrated in "You live somewhere" and in "You enroll your child in school", it is entirely possible for a lot of your personal information to be in the hands of some organization which is supposed to safeguard it. You're not breaking any of the "good habits" that people say you should do to prevent identity theft, yet identity theft is still possible.

Sometime later, a hacker could breach any of these computer systems and download their digital records, which might include some or all of that personal information.

The hacker might combine that with other personal information that they obtained from other data breaches.

Armed with your personal information, the criminal will then attempt to impersonate you in order to access money or services at your expense, or use your identity as a springboard to do something even more nefarious.

Criminals engaging in identity theft will try to impersonate you to:

  • banks and credit unions, to get your money or new loans
  • utilities, to open accounts in your name
  • government, to access services in your name such as receiving your social security
  • merchants, to buy goods and services
  • pharmacies, to get the drugs you've been prescribed
  • ... and more

The one thing that all these targets have in common is that they frequently rely on what is essentially publicly available information to "authenticate" the person they're interacting with.

Using public identifiers as authenticators is insecure and it is the reason identity theft is possible.

Let's learn about the difference between public identifiers and authenticators.

Public identifiers

A public identifier is a name, a birthdate, a government-issued number. It's public because you have to give it to family, friends, and an endless array of strangers in order for them to interact with you. It's public.

There was a time when a government identifier, like your social security number in the United States, might have been considered a secret. People should stop thinking this way, because it's not a secret at all. It's a public identifier.

As an extreme but unfortunately real example, refer to the Argentina data breach where the government id database for the entire population was stolen. That's about 45 million people.

An even bigger breach happened in the United States years before that: the Equifax data breach exposed records on about 143 million people.

If it wasn't public before, it's public now.

Your name, birthdate, government identifiers, email address, telephone number, and residence or mailing address are all public information.

Authenticators

An authenticator is something used to prove that you are really the person who is referenced by the public identifier.

You carry an authenticator with you wherever you go, like you would carry your wallet with your government id or credit cards. When you need to prove your identity, it does the work with strong cryptography.

The cashier, website, or whatever you're authenticating with is called the verifier; sometimes it outsources that function to a third-party verifier. The verifier only has your public identifier and a cryptographic object called a public key. The authenticator has a corresponding cryptographic object called a private key. This one is secret and never leaves your authenticator. The public key is used to verify digital signatures created by the corresponding private key.

LoginShield is one example of an authenticator that works as an app on your smartphone, laptop, or desktop. If you already use these devices regularly, you don't need to carry any additional equipment.

Yubico is one example of an authenticator that works as a USB stick that you connect to your laptop or desktop.

Either way, you need to carry something with you. There are risks associated with that also -- what if the device is lost, stolen, or damaged? But there are good technical mitigations available for these issues.

In contrast, other systems that use passwords or one-time passcodes (OTP) are vulnerable to data breaches where attackers can recover the secrets for a lot of people directly from the server.

An authenticator in the hand is better than two in the cloud.

Biometrics

Every person is unique, and there is some amazing technology that can identify you by analyzing aspects of your body:

  • fingerprint
  • retina
  • face
  • gait
  • voice
  • DNA
  • ...and more

Biometrics are sometimes treated as both identifier and authenticator: if you put your fingerprint on the scanner, the computer can match it to your profile and then (reasonably?) assume that it's you.

Hopefully it's not someone else with a finger they took from you, or replicated from an impression on a glass like in a spy movie.

How to stop identity theft

The principle that is the key to stopping identity theft is surprisingly simple:

Stop using public identifiers as authenticators.

However, implementing the principle is non-trivial because it requires a coordinated effort between the organizations that control access to resources: banks, credit unions, utilities, merchants, pharmacies, credit bureaus, government benefit programs, and so on.

When a person approaches a bank and asks to withdraw money or take a loan, or approaches a utility company and asks to open an account, or any other action that involves the organization providing some resource to the person, typically this involves a decision on the part of the organization on whether to provide the resource or not. When a decision to provide such a resource depends, at least in part, on the person's identity or on information that is linked to the person's identity, such as their credit score, the decision is called an identity-based authorization.

Whenever an identity-based authorization happens, there needs to be an obligation to use an authenticator to verify the person's identity.

Ideally, this obligation will be created by the government in the form of passing a law requiring such organizations to use authenticators to verify a person's identity in these situations.

The use of an authenticator then implies that some other organization already has a relationship with this person and can verify their identity using the authenticator.

To avoid confusion, let's summarize who could be involved in a transaction:

  • the subject: this is the person asking for the resource
  • the verifier: this is the organization that has a prior relationship with the subject and can verify the subject's identity
  • the relying party: this is the organization that will be providing the resource (or not) with an identity-based authorization

There is a sequence of events that should happen in an identity-based authorization:

  1. The subject approaches the relying party to ask for a resource.
  2. The relying party asks the subject to provide some public identifiers, such as name, email, telephone number, address, and government-issued identification.
  3. The relying party contacts a suitable verifier with a request to verify the subject's identity.
  4. The verifier interacts electronically with the subject's authenticator and responds to the relying party with a verification result: verified or not verified.
  5. The relying party completes the identity-based authorization: if the subject was verified, the relying party continues to make a decision whether to provide the resource; if the subject was not verified, the relying party must decline to provide the resource.

That was somewhat abstract, so let's try it with an example:

  1. You (the subject) walk into a bank or visit their website and ask for a loan (the resource).
  2. The bank (a relying party) asks you for your name, email, telephone number, address, and government-issued identification (your public identifiers).
  3. Based on your address, the bank contacts your state government (a verifier) to ask for an identity verification.
  4. A notification appears on your smartphone from your state government: "Identity-based authorization at XYZ Bank. Tap approve or deny". You tap approve. The state government sends a response to the bank that your identity is verified.
  5. The bank, having verified your identity, then proceeds to ask the credit bureau for your credit report, and complete their decision-making process. If your identity was not verified, the bank would skip the rest of the process and decline the loan immediately.

I used a state government in the example because when you renew your driver's license or state identification card every few years, you have to show up in person to get a new photo for that document. The state already has physical contact with you, has already verified your identity, and that is a good time for the state to ensure they have a public key on record that can verify digital signatures made with the private key in your authenticator.

But it doesn't have to be the state. It could be a credit bureau or a company that specializes in providing digital identification services where you already established a relationship using the same public identifiers, which they verified.
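The five steps above, sketched in Go with the verifier's check done as a signature over a fresh challenge. This is an added example, not code from the article or from any product it mentions. Ed25519, the type and function names, and the sample identifier are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator holds the private key, which never leaves the device.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

// PublicKey is handed to the verifier at enrollment; Approve is the "tap approve" step.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }
func (a *Authenticator) Approve(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// Verifier stores only public identifiers and public keys (hypothetical registry).
type Verifier struct{ enrolled map[string]ed25519.PublicKey }

func NewVerifier() *Verifier { return &Verifier{enrolled: map[string]ed25519.PublicKey{}} }
func (v *Verifier) Enroll(id string, pub ed25519.PublicKey) { v.enrolled[id] = pub }

// Verify covers steps 3-4: whoever is present must sign a fresh challenge naming the relying party.
func (v *Verifier) Verify(id, relyingParty string, present *Authenticator) bool {
	pub, ok := v.enrolled[id]
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || !ok || present == nil {
		return false
	}
	challenge := append([]byte(relyingParty+"|"+id+"|"), nonce...)
	return ed25519.Verify(pub, challenge, present.Approve(challenge))
}

// Authorize is step 5: without verification the relying party must decline.
func Authorize(v *Verifier, id, relyingParty string, present *Authenticator) string {
	if !v.Verify(id, relyingParty, present) {
		return "declined: identity not verified"
	}
	return "verified: continue to credit decision"
}

func main() {
	state, jane, thief := NewVerifier(), NewAuthenticator(), NewAuthenticator()
	id := "Jane Q. Sample|1990-01-01|000-00-0000" // constructed public identifiers
	state.Enroll(id, jane.PublicKey())
	fmt.Println(Authorize(state, id, "XYZ Bank", jane))  // the real subject
	fmt.Println(Authorize(state, id, "XYZ Bank", thief)) // knows the identifiers, lacks the key
}
```

The second call is declined even though it presents exactly the same public identifiers, and nothing stored by the verifier would let someone who breached it produce a valid signature.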

If we collectively implement this protocol for identity-based authorization, it would significantly decrease the incidence of identity theft.

Action guide

If you are an executive or director of a financial institution, you know that institutions like yours are required to detect and prevent identity theft. You probably already have a program in place to do what you can, but sometimes it still happens. Contact us about how we can help you eliminate identity theft for your customers.

If you're a customer of a bank, credit union, or insurance company: write to them and tell them that you want them to do their part to eliminate identity theft. You can refer them to Cryptium for more information.

If you are an executive or director of a government benefits program, a utility company, a property management company, a staffing company, a human resources department, or other organization that uses government identification, consumer credit reports, or background checks in decision-making: there's something you can do. Contact us about how we can help you eliminate identity theft for your customers.

If you receive government benefits, have a utility bill, rent a house or apartment, or work for the government or a corporation: write to them and tell them that you want them to do their part to eliminate identity theft. You can refer them to Cryptium for more information.

If you are an elected or appointed official in government, start a conversation about requiring financial institutions, government benefits programs, utilities, merchants, and human resources departments to do their part to prevent identity theft.

If you vote in elections, tell your elected representatives that you want to see them taking steps towards regulating minimum security standards for customer authentication as described in this article.

All of us could use some good personal habits to minimize the risk, but remember -- it's not enough. We need to push for systemic changes that will minimize the risk for everyone.

Next steps

Contact us so we can help you assess and reduce the risks in your life and business.

Cryptium

We are here to help you protect your privacy and security.