Part of me always cringes when I read stories or hear reports about identity theft. Sure I worked at a company whose goal was to try and help consumers protect their identity, but that’s not why I cringe. I cringe because I’ve always had a problem with the term “identity theft.” It seems like an impossibility. An Identity can’t be stolen, can it?
Before I go into my rant, let’s look at exactly what an identity is. Princeton defines identity as such:
the individual characteristics by which a thing or person is recognized or known.
That’s a pretty good definition so we’ll stick with that.
If I’m a “victim” of identity theft, does that mean somebody stole my characteristics? That doesn’t seem possible. In fact, it’s far more likely that somebody else just did a piss poor job of verifying my identity or defining those characteristics.
Techdirt points to a British comedy routine that explains it much better than I can. Please listen to the following audio – it’s quite funny in that special British way.
(Look, I just resisted linking to my British translator. Crap, no I didn’t.)
The comedy routine above hits the nail right on the head: the whole concept of identity theft is merely a piss poor attempt for companies to shift the blame from themselves onto their customers. It’s all so clear now.
The problem here isn’t that somebody actually had their identity stolen; it’s simply that the company did a terrible job of verifying the characteristics of that person’s identity.
Your identity online should consist of more than just a username and password. Requiring only a password is the offline equivalent of listing only hair color on a driver’s license. It’s just not sufficient anymore.
Think about those old TV shows (Get Smart comes to mind) where there are two people both pretending to be one. They look exactly alike and hilarity ensues, but what do they always do to solve the problem? They ask them questions that only the real person would know.
And, since we programmers love to reuse as much as possible, that’s why you’re seeing so many of those “security questions” show up on all your favorite websites. Sadly, most websites fail at security questions. They’ve got the right idea, but they just choose crappy questions that aren’t really “secret”. If the answer can be found on a Facebook page, it’s not a good security question.
There are other things that can be done too. Give users an option of 5 or 6 images on the login page and ask them to choose one. A picture is easy to remember for logging in (and instantly pops back into your mind when doing so). Not only that, but the user isn’t very likely to write it down either, and it’s not something likely to be shared with another website or found in the public domain.
Since most “identity thieves” simply brute force passwords, steal passwords with keyloggers, or try passwords from other accounts, any creative login requirements can easily stop them dead in their tracks. It doesn’t really matter what extra step you take, so long as you help the user define their identity with something non-public that consists of more than just their hair-color password.
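As an added example (not from the original post), here is a minimal version of the password-plus-image login described above: the password and the enrolled image are both checked on every attempt, the login page gets the image pool in a shuffled order, and a failed-attempt lock compensates for the fact that a one-of-six image pick only adds about 2.6 bits of secret. The image labels and the lock threshold are constructed assumptions, not values from the post.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed labels standing in for the 6 pictures shown on the login page.
IMAGE_POOL = ["anchor", "bicycle", "cactus", "kettle", "owl", "violin"]
MAX_FAILURES = 5  # assumed threshold: lock the account after this many failed logins


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored password and image choice are not kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, image: str):
        if image not in IMAGE_POOL:
            raise ValueError("enrolled image must come from the login image pool")
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.img_hash = _hash(image, self.salt)
        self.failures = 0
        self.locked = False

    def login(self, password: str, image_choice: str) -> bool:
        """Both factors are always evaluated so the reply never says which one was wrong."""
        if self.locked:
            return False
        pw_ok = hmac.compare_digest(self.pw_hash, _hash(password, self.salt))
        img_ok = hmac.compare_digest(self.img_hash, _hash(image_choice, self.salt))
        if pw_ok and img_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # a 1-in-6 guess is cheap, so the lock is what makes the image step useful
        return False


def image_bits() -> float:
    """Extra secret the image step contributes: log2(6), roughly 2.58 bits."""
    return math.log2(len(IMAGE_POOL))


def login_images() -> list:
    """The pool in a fresh random order, so the correct image is never in a fixed position."""
    pool = list(IMAGE_POOL)
    secrets.SystemRandom().shuffle(pool)
    return pool
```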
Stopping “identity theft” starts with re-defining a user’s online identity, and ends with shifting responsibility back onto the companies who don’t do an adequate job of verifying that you’re really you.
Great article HG, and Mitchell and Webb are excellent aren’t they? Makes me proud to be British all over again. Not that I’m ever NOT proud to be British because we’re great.
Comment by Alexander — August 26, 2009 @ 6:42 am
It took me a long time to appreciate the dryness of British humor (sorry, humour)
Comment by Ryan — August 26, 2009 @ 9:27 am