[Dave Birch] There’s a fascinating, but slightly creepy, category of issue that makes for a good acid test of proposals for population-scale identity management. How does the “system” recover when an identity really is stolen? If there’s another you out there, if you have an evil doppelganger, if an ex-partner is taking revenge… if there’s someone out there who is pretending to be you (in fact, in virtual terms, is you) then who do you call? And when you call them, what are they going to do? This is a complicated issue. How do you establish that you really are you? And once you have established this, what do you do with the compromised virtual identity?

OK, so we all know that a virtual identity can be worth something. That also makes it worth stealing, and it’s much easier for people to steal your virtual identity than your physical identity. I know someone whose laptop was stolen. It wasn’t protected in any way, so when the thief opened it up, they started using it. The passwords to web sites were remembered by Firefox, just as they are on my machine (which is protected, I hasten to add), so the thief logged in to a few sites “masquerading” as the victim. One of the sites was Bebo, and the thief started posting all sorts of horrible messages. Compared to someone stealing a credit card, this is a much worse crime, isn’t it? While Bebo, MySpace and Facebook users are undoubtedly becoming better educated about identity, privacy, security and so forth, the lack of any real (ie, not password-based) security for these critical virtual identities makes them an obvious focus for criminals.

A useful barometer is the nature of internet fraud in vogue. Ever vigilant in the pursuit of new opportunities, the “419” crowd have made Facebook their new frontier. And they are catching people out, taking over Facebook identities and then using them to perpetrate inventive frauds.

A current favourite is the “friend in distress”. If you got a message, via Facebook, from a good friend telling you that they are in Paris and have been mugged and desperately need money quickly and could you wire them $500 immediately, what would you do? Plenty of people send the cash, not suspecting that their friend’s identity has been stolen. It’s easy to do this: you just need the password. And those are easy to obtain: just send out a spam “this is Facebook, we’re just checking our security systems, please log in” message. And when you do find out you’ve been scammed, where do you go?

Facebook was very slow to respond. The criminals switched the email address on his Facebook account, and the email provider was also slow to respond to the fraud reports. Unfortunately, some of his friends fell victim to the scam and sent money with the criminals receiving the funds posing as my friend, and there was not much recourse that could be taken with the money transfer service provider.

[From Mobile Financial Services: Who Provides the Customer Support? | Mobile-Financial.com]

Now this is real identity theft, and I think it has much more personal impact on the victims than the theft of the money. If someone takes over your Facebook page or your LinkedIn page they really have stolen your virtual identity. Not like “stealing” an MP3, where the source still has the MP3 and still has full use of it, or “stealing” your credit card that can be cancelled and reissued, but proper stealing: you are deprived of the use of that identity. It isn’t yours any more. And if you can persuade Facebook to issue you with a new password, how will your friends begin to trust that identity again? It’s a real headache.

If you can’t get control and regain trust, that means you have to abandon that identity and start all over again, building an entirely new online footprint. This is much more important, looking forward, than what we currently see as the “identity theft” problem, which as far as I can see from most reporting is about the tangible subset of identity theft concerned with payment cards.

identity theft is not actually an identity being stolen but is usually a bank/credit card company being robbed and passing off the blame for their own poor security on the victim.

[From Is It ID Theft Or Was The Bank Robbed? | Techdirt]

I wouldn’t go that far, but I would observe that for banks this is about a perfectly reasonable risk management balance, but for (eg) Facebook it isn’t. If you have to create a new online identity, then how do you “transfer” your reputation, painstakingly gained, over to that new identity?

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
