Friday, February 18, 2005

fyi 145,000 Americans' identity data stolen


Pointer to article:

Kobielus kommentary:
This just underlines how easy it is to fraudulently represent yourself as some “trusted” agency and use money to penetrate identity honeypot-for-profit sites.

One issue is when, whether, and how we’re going to mandate credentials and background checks on honeypot hounds who claim to work for legitimate debt-collection agencies, insurance agencies and other firms. Legislation and regulation seems to be called for here.

Another issue is providing prompt notification to people whose identity information is stolen or compromised. The notifications must be through all channels possible.

Yet another issue has to do with public education, and instilling in the culture habits of personal identity protection. We’ve all heard the guidelines about not disclosing more identity information than is absolutely necessary in various transactions. And in being careful who you’re giving it out to. And reporting/canceling lost/stolen credit cards and other credentials as soon as you’re sure they’re truly gone. And so forth.

But personal preventive habits don’t protect anybody against the incompetence of legitimate identity honeypots whose systems are breached, or who don’t do due diligence when selling our identities to the highest bidder.

I think personal identity surveillance is the most fundamental new habit we must all learn. A lot of it has to do with something quite simple we all should do like clockwork: check our statements. Know what statements (bank, broker, credit card, etc.) are due to you on what times of the month, quarter, or year. Check your statements item by item as soon as they arrive. Match up every single item against receipts and other records you’ve kept (you have kept them, haven’t you?) on every single transaction in which you’ve engaged over the preceding statement cycle. Question every anomalous item, and call the statement-issuing institution to discuss it with them. Flag possible identity theft right away so that the statement-issuing institution can implement appropriate damage/liability-control measures. And so forth.

These all seem like common sense habits, but it’s surprising how many people don’t pay close attention to what’s happening with their personal assets and liabilities. The point I’m getting to is that your identity isn’t valuable in and of itself. It’s only valuable as an instrument for unlocking and absconding with your assets.

Which brings me, and I’ll explain the relevance in just a moment, back to the subject of the “identity of things,” which I discussed in a recent blog posting. When I was thinking through that topic, my mind kept gravitating back to the time-honored characterization of nouns as referring to “people, places, and things.” Then I noticed a parallel with our concepts of identity. Most IdM systems focus on identities of people, and also on the identity of “places” (a term that I’m construing broadly as referring to any logical or physical grouping of people, and of “things”).

Then I rolled my mind over how we’re going to define the difference between “people” and “things,” from an IdM standpoint. And it hit me. The practical difference between these entities is simple:

• People have asses and assets that can be impounded.
• Things are just assets, associated with, owned by, and used by people.

Yeah, I know, that’s a crude cartoonish way to put it. But it occurred to me that all the risk of identity theft has to do with the fact that it’s your ass and your assets that are on the line. Your ass can be thrown into the slammer if somebody impersonates you doing something nasty. Your assets can all be taken away by the thief, or tied up in the most horrendous legal labyrinth.

Which is why you need to read your statements. Only you are keeping track of your assets. And should. They’re the real reason people want your identity. They covet your assets (hmmm...sounds quasi-biblical, doesn't it). Unless they somehow like your name more than their own, and enjoy introducing themselves with your euphonious moniker.

I suppose there are name fetishists out there, but that’s the least of it.