copyright notice

link to the published version in Gaming and Leisure, Winter, 2012

accesses since September 6, 2011

The Art and Practice of Avoiding Identity Theft and Financial Fraud

Hal Berghel

In my last column, I discussed some of the current statistics on the extent of identity theft and financial fraud in the United States. You may recall that according to mainstream media reports, data security breaches account for the leaks of over four million individual, personal records, with cherished institutions like universities, local, state and federal governments and medical providers accounting for most of the leaks!

So it would appear that estimates of personal record compromises affecting tens of millions of individuals are likely to be reliable; hundreds of millions would not be surprising. This number is not easily extrapolated into expected dollar amounts because there is no one-to-one correspondence between a compromised record and a specific loss for a variety of obvious reasons.

One of the more alarming facts to emerge from Figure 1 is the percentage of contribution by healthcare providers, educational institutions, and governments. These three sources collectively account for one half of the total compromises. If we can’t trust our colleges, hospitals, and government agencies to protect our confidential information, who can we trust? Abreakout by breach instances follows the same pattern with the exception that there appear to be fewer breaches in the retail arena, but the breaches tend to involve a larger than normal number of personal records. This accords with our intuition because of the number of financial card transactions processed by merchants.


tab1

Figure 1: Distribution of Security Breaches of Confidential Personal Records by Organization Type (source: itffroc.org)


However, when we shift the focus away from the organization type and toward the nature of the breach, a different picture emerges - the majority of individual records compromised resulted from some form of online hacking. Well, what are we to do about this?

The fact of the matter is that we've all been drawn into the web of this conspiracy to make private records public. This happens subtly: a physician asks us for a social security number, a manufacturer asks us for our contact information for warranty purposes, a DMV wants to put your home address on your driver's license. And the most egregious and dangerous of conspiracies of all: car dealers who request personal information when you buy a car. None of this information is necessary for the purposes intended. Specifically, with the exception of medicare billing, there is absolutely no medical reason for a physican to know your social security number, your address, your phone number, your mother's maiden name, your email address, etc. ---- medical history, yes; social security number, definitely not. Physicans collect this information for billing and collection purposes, period. There is no law that I know of allows a manufacturer to disallow a warranty claim because the consumer refused to complete and return a warranty card. Manufacturer collect this information for purposes of marketing and revenue - they sell this information to third parties. While a state government is entitled to know where you live, they are usually not entitled to force you to have your home address on the driver's license (the importance of this issue will become clear below). And a car dealer, per se, is entitled to nothing. They must record information deemed sufficient by the state or municipality to transfer title. Anything beyond that is highly suspect.

So why do we give this information out? Largely because of herd mentality. Everyone else does it, so why not? Well, the reason is that these millions of records that are leaked each year producing billions of dollars of crime involve, for the most part, information that we voluntarily provided. We ought to know better. Toward that end, I offer the present column.

What's it all about, Alfie?

The business of blabbing personal information about us to everyone who asks dates back to the Social Security Act of 1935. Well, not actually to the Act itself, but rather other agencies, institutions, businesses, industries, etc. abuse of same. The SSA provides a mechanism by means of which every covered employee in the U.S. may be assigned a social security number for the internal use of the SSA. In less than ten years the idea of having a number for everyone was so appealing that the Internal Revenue Service wanted access to it. And then other government agencies. Finally, in 1943, Executive Order 9397 extended the use of the SSN to all federal agencies. (I think you can see where this is headed). By the Federal Privacy Act of 1974, this got twisted into including state and local agencies, and we're off to the races. By this time every industry that dealt with the public felt entitled to know the SSN, and the toothpaste was completely out of the tube. For the past ten years, governments and agencies are trying to undue this stupidity with "Breach Notification Laws," that have met with some success. As of March 2009, fourty four states and D.C. have passed such legislation. Alabama, Kentucky, Mississippi, Missouri (law is pending), New Mexico and South Dakota notwithstanding. To their credit, some of the more progressive states (e.g., Michigan and Massachusetts) require that businesses that collect SSNs have information security programs that specifically adress SSN protection. But most of the states with Breach Notification Laws limit their statutory prohibitions to such things as:

  1. publically posting, displaying or disclosing an individual's SSN;
  2. printing an individual's SSN on any card or tag required for the individual to access products or services;
  3. requiring an individual to transmit his or her SSN over the Internet without encryption or a secure connection;
  4. requiring an individual to use his or her SSN to access a website (unless a password is also required);
  5. printing an individual's SSN on any mailed materials; (vi) selling, leasing, trading or otherwise disclosing an SSN to a third party without consent of the individual; or
  6. encoding or embedding an SSN in a card or document in lieu of removing the SSN as required by law.

Of course the problem with such proscriptions, is that the criminals don't follow the law! As a consequence, some advocates of personal privacy have advocated just eliminating the SSN and starting all over. No wonder. It's amazing how this seemingly harmless number has caused so many financial problems for the citizenry. This information can't be leaked if it's never collected.

The Worst Abusers

Without question the industry with the worst record in terms of protecting your privacy are the automobile dealerships. Where some physicians, manufacturers and physicans might try to coerce you into giving out personal information that they have no right to have, some automobile dealerships actually turn this into a blood sport. I'll give a few examples to illustrate this point.

So What's a Person To Do?

Well, I've got a remedy for you to consider. But first a few caveats. First, if you follow my advice you may have to change doctors, insurance agencies, car dealerships, etc. (But if you've already dealt with them, the battle is already lost so if you follow my advice, there will be no harm, no foul. Second, I'm not an attorney, so these recommendations are offered from one technologist to another. My recommendations are no substitute for professional legal advice.

So, here we go. The following the generic advice harvested from FTC, FBI, BBB, etc websites:

So far, so good. However, this list has been "sanitized" to be merchant and vendor friendly. As such its really incomplete as it stands. To be really effective in the protection of personal privacy, one needs to be more aggressive. Toward that end, I offer the following advice for your consideration:

And finally, DO NOT look for any silver bullets when it comes to protecting your identity - there are none. The only defense is eternal vigilance.