The Persistent Myths of Identity Theft

Law Six of The Laws of Disruption deals with the myths and realities of Internet crime.  It’s a subject that’s bothered me for a long time.  Back in the Stone Age (1995), John Perry Barlow and I wrote a Position Paper for Computer Sciences Corporation titled, “Five Privacy and Security Imperatives for Electronic Trade.”   (It’s so old I can’t even provide a link!)

This was before there was any electronic trade, or what came to be known (when it arrived) as e-commerce.  This was in the era where people were saying things like, “No one will ever give their credit card number out over the Internet.”  (Never start a sentence with “no one will ever,” especially when it relates to technology.)

The problem was that most of the people saying “no one will ever” worked for banks and credit card companies.  Many of them were clients of our research program.  They were overwhelmed by the idea of e-commerce.  Technically, they didn’t know how they would integrate their private networks with the public Internet.  From a business standpoint, they didn’t know how they could make it cost-effective to process what were expected to be smaller-dollar transactions in high volume from a new kind of merchant population.  Not to be unkind, but much of the fear surrounding e-commerce was generated to hold back the flood while these companies looked for ways to build dams.

Eventually these problems were resolved, but the fear-mongering has had a lasting effect.  In 2001, according to the Pew Internet & American Life Project, 87% of Americans said they were concerned about credit card theft online; by 2008 it was down only marginally.  Yet by 2009 over 50% of all American adults had paid online with a credit card anyway.

In the interim, of course, an entire industry has emerged with a strong incentive to keep the fear numbers high.  Companies that make money selling anti-virus software, credit reports, identity theft insurance and alternative payment methods (e.g., PayPal) stoke the fears of users that only a fool would ever type his or her credit card number into a web browser.

Identity theft is real, but for those who have been victims of it, generally the loss of money is the least of its damage (banks and credit card companies are legally obliged to return money fraudulently obtained from a customer’s account).  Restoring credit history and credit scores is where the real crimes take place, and the perpetrators are often the consumer’s own financial services providers.

The recent indictment of three men in the theft of 130 million credit card numbers is a good example of the continued obfuscation employed by the industry and their counterparts at the Federal Trade Commission, confusion often left unchallenged by journalists.  The thieves, an American named Albert Gonzalez and his offshore co-conspirators, broke into corporate networks of payment processors as well as major retailers including 7-11 and TJ Maxx.  When Gonzalez pleaded guilty, the Associated Press described him as “masterminding one of the largest cases of identity theft in U.S. history.”  Reuters called it “one of the largest identity-theft crimes on record.”

Stealing credit card numbers from corporate computers is a serious crime, but it is not “identity theft.”

The problem is that “identity theft” has come to mean many different things, including what we may now think of as the quaint form where consumers give their credit card number online to a scam artist, often in response to a fake email message purporting to be from their bank or other payment processors.  The scammer uses or sells the number to open new accounts, make fraudulent withdrawals or charges, and otherwise pass himself off as if he were the victim.  (See my 2005 article, “If Feds Fail, What Can Stop Identity Theft?”)

But that’s small potatoes compared to the kind of crime Gonzalez and his colleagues commit, where millions of credit card numbers are stolen and then sold.  Most of these, however, don’t actually result in identity theft—the credit card numbers are used to get cash and merchandise and are quickly disabled by software that recognizes dubious transactions.  Again the financial losses here are borne by the banks and credit card processors, not the consumers or the merchants.  That’s why the software is good and getting better.  It’s their money at stake.

No one’s “identity” is being stolen, but the use of the term to describe every financial fraud involving a computer amps up the terror level of consumers who largely have nothing to fear.  The vast majority of “real” identity theft has nothing to do with computers at all, but rather begins with a stolen or lost wallet, stolen or simply discarded mail, or inside jobs pulled by clerks and others with legitimate access to the data.

The real problems are on the back-end, where credit card systems are left insufficiently secured, or where laptops with sensitive data are left in the back seats of cars where they are stolen not for the data but for the hardware.  We keep hearing horror stories of government employees, university officials, and private sector employees who can’t even be bothered to put password protection on their logins, let alone encrypt their data.  And the continued use of social security numbers by private enterprises both as a customer ID and an authentication field is probably the most dangerous practice of all.

Oddly enough, these were exactly the problems Barlow and I pointed out in 1995.  The solutions were obvious then, and they’re still obvious now.  But as long as consumers are being misdirected to think it’s their behavior that needs to be controlled, the financial services industry can avoid solving their largely self-made problems.

Meanwhile, electronic commerce doesn’t grow as quickly as it could.

If anyone wants a hardcopy of my 1995 position paper, I’m happy to send it along!