Authentication technology: identity theft and account takeover.In Miami, Florida “Miami” redirects here. For the Native American tribe, see Miami tribe. Miami is a major city in southeastern Florida, in the United States. It is the county seat of Miami-Dade County. Miami is a gamma world city with an estimated population of 404,048. , a woman wrote personal checks to pay her bills, then dropped them into a mailbox. Criminals stole her bills from the mailbox, and, within hours, a gang of identity thieves dipped her checks into chemicals and rewrote the checks to themselves for up to $450 each.(1) Such stories are common to law enforcement authorities, who, almost daily, receive calls and complaints pertaining to identity theft across the country. Recently, the International Association of Chiefs of Police
The International Association of Chiefs of Police (IACP) was founded in Chicago in 1893 as the National Chiefs of Police Union. (IACP IACP International Association of Chiefs of Police IACP International Academy of Collaborative Professionals IACP International Association of Culinary Professionals IACP Istituto Autonomo Case Popolari IACP International Academy of Compounding Pharmacists ) adopted a resolution to help curb identity theft. The IACP requested, for example, that law enforcement agencies A law enforcement agency (LEA) is a term used to describe any agency which enforces the law. This may be a local or state police, federal agencies such as the Federal Bureau of Investigation (FBI) or the Drug Enforcement Administration (DEA). take a more active role in reporting all incidents of identity theft. Additionally, the IACP requested that departments refer victims to the Federal Trade Commission (FTC FTC See Federal Trade Commission (FTC). ) or the Identity Theft Clearinghouse.(2) DEFINING IDENTITY THEFT Identity theft is the criminal act of assuming someone else's identity for some type of gain, normally financial, and it can happen in different ways. For example, a thief can use a victim's personal identifying information to gain access to current accounts and make fraudulent purchases against them, also known as account takeover, or to open new accounts. A recent survey indicated that 38 percent of individuals have been victims of account takeover.(3) FIGHTING THE INCREASE Identity theft, considered one of the fastest growing crimes in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. , affects an estimated 900,000 new victims every year.(4) The FTC is the lead agency in coordinating with other law enforcement organizations in the fight toward reducing identity theft. Recently, testifying before members of the U.S. Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, the FTC estimated that it will receive approximately 200,000 identity theft calls on its newly installed identity theft hotline. (5) A General Accounting Office (GAO) investigation revealed that inquiries by consumers to the TransUnion Credit Bureau's Fraud Victim Assistant Department increased from approximately 35,000 in 1992 to almost 523,000 in 1997. (6) Also, in 1999, the Social Security Administration, Office of the Inspector General's telephone hotline received approximately 39,000 reports of social security number misuses. (7) UNDERSTANDING ACCOUNT TAKEOVER METHODS Thieves easily can obtain and use an individual's personal checks and credit cards to initiate an account takeover. For example, criminals can steal original personal checks in transit at a mailbox or mail distribution center. They can copy information about an individual's financial accounts as it appears on checks and then request duplicate checks from a mail order or Internet company. Further, thieves can copy an individual's credit card number during or after a financial transaction or they can steal a credit card database. Also, thieves can record an individual's credit card number using a skimming device during or after a financial transaction. Some criminals resort to "dumpster diving dumpster diving - /dump'-ster di:'-ving/ 1. The practice of sifting refuse from an office or technical installation to extract confidential data, especially security-compromising information ("dumpster" is an Americanism for what is elsewhere called a "skip"). " to obtain an individual's financial information. These offenders retrieve material discarded by individuals or businesses to obtain account numbers, addresses, and other personal information. (8) Although thieves use a variety of methods to commit identity theft, authentication techniques are improving. IDENTIFYING LEVELS OF AUTHENTICATION Technology will continue to play a vital role in overcoming identity theft by improving ways that individuals and organizations conduct financial transactions and by increasing authentication methods. Authentication can help verify the identity of the individual processing the access device (credit or debit card debit card, card that allows the cost of goods or services that are purchased to be deducted directly from the purchaser's checking account. They can also be used at automated teller machines for withdrawing cash from the user's checking account. ) or personal check. Because account takeovers make up a large percentage of identity theft, several potential authentication techniques appear possible now or in the near future. Point-of-Sale Transactions When individuals use a debit card to complete point-of-sale transactions with a merchant, they authenticate their identity by entering a personal identification number (PIN) into the keypad terminal, also known as a payment terminal or automatic teller machine See ATM. (ATM) device. Although credit cards use the same keypad, a PIN currently is not required to authenticate the account holder during this type of transaction. However, many credit cards already have a PIN, allowing individuals to use them to obtain cash advances. Personal checks also could function in connection with keypads. When individuals present a personal check at the point-of-sale, companies could require the customer to provide a PIN prior to the completion of the financial transaction. Credit, debit, and ATM transactions are authenticated differently than personal checks. Financial organizations that provide ATM and credit or debit card transaction services are built upon the electronic funds transfer See EFT. (application, communications) electronic funds transfer - (EFT, EFTS, - system) Transfer of money initiated through electronic terminal, automated teller machine, computer, telephone, or magnetic tape. (EFT) network and processing platform. (9) The network platform involves the routing of financial transactions through the ATM computer network. The processing platform involves the authorization processing of financial accounts and terminal/ATM connections. (10) Financial organizations can perform these functions themselves, or they can belong to an electronic payment company that will conduct one or both of these services for them. Personal checks do not use the EFT platform. Merchants authenticate personal checks through check verification companies. (11) Check verification methods are constantly improving as technology moves toward combining a personal check terminal with the keypad. As terminals become more multifunctional, merchants will be able to use the same one to process checks and debit and credit cards. If this type of terminal integrates the check verification process with EFT platforms, the probability of authenticating true account holders significantly increases. Requiring customers to use a PIN adds to that possibility even further. Telephonic and Electronic Commerce Transactions Consumers want to know the credibility of merchants. Check verification companies and financial enterprises that provide EFT platforms might be able to move toward a PIN authentication system The combination of authentication server and authenticator, which may be separate devices or both reside in the same unit such as an access point or network access server. The authentication server contains a database of user names, passwords and policies, and the authenticator physically . If merchants and the PIN authentication system remain separate entities, conducting business will be more secure. Many individuals still consider on-line payments in an area of immaturity. (12) They have concerns about the privacy of both the data transmitted and the purchaser engaging in a valid on-line transaction. (13) Even though companies can secure the data transmitted, verifying the customer remains a problem. Today, many merchants accept the true credit card account holder on face value. When an electronic commerce transaction takes place, the purchaser provides the type of credit card, as well as the account number, name, and expiration date Expiration Date The day on which an options or futures contract is no longer valid and, therefore, ceases to exist. Notes: The expiration date for all listed stock options in the U.S. on the card. But, the individual placing the order may not be the true account holder. Financial organizations using the EFT platform have begun to provide secure debit card transactions over the Internet. These debit cards use the CD-ROM CD-ROM: see compact disc. CD-ROM in full compact disc read-only memory Type of computer storage medium that is read optically (e.g., by a laser). from an individual's personal computer to provide secure transactions using a PIN. (14) Also, companies are developing smart cards Example of widely used contactless smart cards are Hong Kong's Octopus card, Paris' Calypso/Navigo card and Lisbon' LisboaViva card, which predate the ISO/IEC 14443 standard. The following tables list smart cards used for public transportation and other electronic purse applications. with a PIN (cards with computer chips holding information about various financial accounts). (15) For example, the U.S. Postal Service's certified e-mail Certified e-mail is an e-mail whitelisting technique by which an internet service provider allows someone to bypass spam filters when sending e-mail messages to its subscribers, in return for paying a fee to the certifying service. system will use a smart card with a digital signature encoded into it. (16) Further, check verification companies have begun to provide business owners with secure payment methods. When someone places an order telephonically or over the Internet, these companies verify the validity of the check to the merchant. But, once again, the true account holder may not be the individual placing the order. Biometric Authentication See biometrics. The next generation of authentication most likely will occur in the area of biometrics; future infrastructure is moving toward it. (17) Biometrics accurately captures an individual's unique physical attributes, such as fingerprints, voices, eyes (iris and retina), faces, and written signatures, in electronic format. Biometric methods authenticate who has access to specific records and verify identities of both parties during the transaction. (18) Biometrics can authenticate all financial transactions and greatly reduce identity theft and account takeover. If an individual's physical attributes could be compared to that of the account holder possessing a user ID or smart card on a database of registered users, authentication will occur, known as a one-to-one search. (19) A one-to-many search occurs when an account holder is not required to have a user ID. (20) Various government entities have begun using biometric authentication techniques. For example, social service agencies in several states have installed fingerprinting devices, (21) and at least one state offers its residents the option of having their fingerprints scanned when they apply for their drivers' licenses. (22) Further, one federal agency uses hand geometry Hand geometry is a biometric that identifies users by the shape of their hands. Hand geometry readers measure a user's hand along many dimensions and compare those measurements to measurements stored in a file. at airports. (23) Biometrics research also is expanding. For example, Michigan State University's Pattern Recognition and Image Processing image processing Set of computational techniques for analyzing, enhancing, compressing, and reconstructing images. Its main components are importing, in which an image is captured through scanning or digital photography; analysis and manipulation of the image, accomplished Lab is studying this type of identification (24) and one research testing lab estimates that, by 2005, all personal computers will have at least one type of biometric technology. (25) Biometrics can serve as good authentication mechanisms when used properly. (26) This technique works if the biometric (an individual's physical attributes) came from the actual person being verified, and it matches the biometric master file. (27) As with any new technology, the infrastructure must support it. Whatever is developed to satisfy future needs, it must be the best solution for merchants, financial institutions, and the consumer. (28) Some states have tried to use biometrics; however, privacy advocate groups have persuaded some government officials to think twice about what they are doing. Opponents are concerned that personal information stored in databases will fall into the wrong hands. (29) CONCLUSION Identity theft remains a major problem. Various levels of technology can help prevent identity theft and account takeover. The more options that become available to authenticate financial transactions by verifying the account holder's identity, the less likely individuals will become victims of identity theft. The ability to use a PIN during credit card and check transactions can help stop account takeover. All levels of technology might not be able to exist within the current infrastructure; however, with ongoing research, it will be only a matter of time before they can. To fight identity theft, law enforcement personnel must commit to forming alliances with financial organizations, merchants, and developers of computer hardware and software. Stopping identity theft saves everyone from financial hardships, insecurity, grief, aggravation, and time. Victims of identify theft deserve nothing less. Endnotes (1.) Mark Soupiset, "13 ways to Protect Yourself From Financial Fraud," USAA USAA United Services Automobile Association USAA Urban Superintendents Association of America USAA United States Achievement Academy USAA United States Arbitration Act of 1925 USAA United States Axemen's Association USAA United States Air-Table-Hockey Association Magazine, January/February 1999, 10-14. (2.) The International Association of Chiefs of Police, "IACP Resolutions: 2000," http://www.theiacp.org/leg_policy/Resolutions/resolutions2000.htm; accessed September 7, 2001. (3.) Privacy Rights Clearinghouse Privacy Rights Clearinghouse (PRC) is a project of the Utility Consumers' Action Network (UCAN), an American 501(c)(3) non-profit consumer advocacy organization. The Privacy Rights Clearinghouse is devoted to upholding the right to privacy and protecting consumers against identity , "Nowhere to Tum: victims Speak Out on Identity Theft," http://www.privacyrights.org/ar/idtheft2000.htm; accessed October 9, 2001. (4.) Man J. Frank, Esq., "Identity Theft Prevention and Survival," http://www.identitytheft.org; accessed October 9, 2001. (5.) Federal Trade Commission, "FTC Testifies: Identity Theft on the Rise," http://www.ftc.gov/opa/2000/03/idtest.htm; accessed October 9, 2001. (6.) Ibid. (7.) Ibid. (8.) For more information, see Matthew L. Lease and Tod W. Burke, "Identity Theft: A Fast-Growing Crime," FBI Law Enforcement Bulletin The FBI Law Enforcement Bulletin is published monthly by the FBI Law Enforcement Communication Unit[1], with articles of interest to state and local law enforcement personnel. , August 2000, 8-13. (9.) Ralph Calvano, NYCE See New York Cotton Exchange. NYCE See New York Cotton Exchange (NYCE). Corporation, telephone interview by author on May 24, 2001. (10.) Ibid. (11.) U.S. Department of Justice, "Identity Theft and Fraud," http://www.usdoj.gov/criminal/fraud/idtheft.html; accessed October 9, 2001. (12.) "Reducing On-line Credit Card Fraud Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. ," Web Developers Journal, http://www.webdevelopersjournal.com/articles/card_fraud.html; accessed October 9, 2001. (13.) Ibid. (14.) Nessa Feddis, American Bankers Association The American Bankers Association (ABA) is comprised of banks and other financial institutions. It seeks to promote the strength and profitability of the banking industry by Lobbying federal and state governments, building industry consensus on key issues, and providing products and , telephone interview by author on May 26, 2001. (15.) Ibid. (16.) M. J. Zuckerman, "Agencies Test 'Certified' E-Mail," The Detroit News, May 28, 2001, sec. A., p. 10. (17.) Ibid, 14. For more information, see Stephen Coleman, "Biometrics: Solving Cases of Mistaken Identity mistaken identity n → erreur f d'identité mistaken identity mistake n → Verwechslung f mistaken identity n and More," FBI Law Enforcement Bulletin, June 2000, 9-16. (18.) Michael R. Amour, "Biometrics for the Financial Industry," Business Security Advisor, June 2001, 14 and 19. (19.) Sally Weiner Grotta, "Biometric Security-Bio-Keys," PC Magazine, June 12, 2001, 162-174. (20.) Ibid. (21.) Melissa Stewart, "Fingerprinting," American Heritage American Heritage can refer to:
(22.) Ibid. (23.) Supra A relational DBMS from Cincom Systems, Inc., Cincinnati, OH (www.cincom.com) that runs on IBM mainframes and VAXs. It includes a query language and a program that automates the database design process. note 19. (24.) Michigan State University Michigan State University, at East Lansing; land-grant and state supported; coeducational; chartered 1855. It opened in 1857 as Michigan Agricultural College, the first state agricultural college. Pattern Recognition and Image Processing Lab, "Abstracts of Current Projects," http://biometrics.cse.msu.edu/abstracts.html; accessed October 9, 2001. (25.) Ibid. (26.) Bruce Schneier, Secrets & Lies. Digital Security in a Networked World (New York New York, state, United States New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of , NY: John Wiley & Sons, Inc., 2000). (27.) Ibid. (28.) Ibid., 13. (29.) Ibid., 22. Special Agent Pollock serves with the Social Security Administration, Office of the Inspector General Office of the Inspector General (or OIG) is a common sub-agency within cabinet-level agencies of the United States federal government and serves as auditing and investigative arm of the agency's programs focused on identifying waste, fraud and abuse. , in Detroit, Michigan, and is a member of the FBI'S Joint Terrorism Task Force A Joint Terrorism Task Force (JTTF) is a partnership between the Federal Bureau of Investigation, other federal agencies (notably Department of Homeland Security components such as U.S. . Sergeant May serves with the Detroit, Michigan, Police Department's Major Crimes Division and currently is assigned to the Michigan Attorney General's High Tech Crime Unit. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion