Authentication technology: identity theft and account takeover.
Such stories are common to law enforcement authorities, who, almost daily, receive calls and complaints pertaining to identity theft across the country. Recently, the International Association of Chiefs of Police (IACP) adopted a resolution to help curb identity theft. The IACP requested, for example, that law enforcement agencies take a more active role in reporting all incidents of identity theft. Additionally, the IACP requested that departments refer victims to the Federal Trade Commission (FTC) or the Identity Theft Clearinghouse.(2)
DEFINING IDENTITY THEFT
Identity theft is the criminal act of assuming someone else's identity for some type of gain, normally financial, and it can happen in different ways. For example, a thief can use a victim's personal identifying information to gain access to current accounts and make fraudulent purchases against them, also known as account takeover, or to open new accounts. A recent survey indicated that 38 percent of individuals have been victims of account takeover.(3)
FIGHTING THE INCREASE
Identity theft, considered one of the fastest growing crimes in the United States, affects an estimated 900,000 new victims every year.(4) The FTC is the lead agency in coordinating with other law enforcement organizations in the fight toward reducing identity theft. Recently, testifying before members of the U.S. Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, the FTC estimated that it will receive approximately 200,000 identity theft calls on its newly installed identity theft hotline. (5) A General Accounting Office (GAO) investigation revealed that inquiries by consumers to the TransUnion Credit Bureau's Fraud Victim Assistant Department increased from approximately 35,000 in 1992 to almost 523,000 in 1997. (6) Also, in 1999, the Social Security Administration, Office of the Inspector General's telephone hotline received approximately 39,000 reports of social security number misuses. (7)
UNDERSTANDING ACCOUNT TAKEOVER METHODS
Thieves easily can obtain and use an individual's personal checks and credit cards to initiate an account takeover. For example, criminals can steal original personal checks in transit at a mailbox or mail distribution center. They can copy information about an individual's financial accounts as it appears on checks and then request duplicate checks from a mail order or Internet company. Further, thieves can copy an individual's credit card number during or after a financial transaction or they can steal a credit card database. Also, thieves can record an individual's credit card number using a skimming device during or after a financial transaction. Some criminals resort to "dumpster diving" to obtain an individual's financial information. These offenders retrieve material discarded by individuals or businesses to obtain account numbers, addresses, and other personal information. (8) Although thieves use a variety of methods to commit identity theft, authentication techniques are improving.
IDENTIFYING LEVELS OF AUTHENTICATION
Technology will continue to play a vital role in overcoming identity theft by improving ways that individuals and organizations conduct financial transactions and by increasing authentication methods. Authentication can help verify the identity of the individual processing the access device (credit or debit card) or personal check. Because account takeovers make up a large percentage of identity theft, several potential authentication techniques appear possible now or in the near future.
When individuals use a debit card to complete point-of-sale transactions with a merchant, they authenticate their identity by entering a personal identification number (PIN) into the keypad terminal, also known as a payment terminal or automatic teller machine (ATM) device. Although credit cards use the same keypad, a PIN currently is not required to authenticate the account holder during this type of transaction. However, many credit cards already have a PIN, allowing individuals to use them to obtain cash advances.
Personal checks also could function in connection with keypads. When individuals present a personal check at the point-of-sale, companies could require the customer to provide a PIN prior to the completion of the financial transaction.
Credit, debit, and ATM transactions are authenticated differently than personal checks. Financial organizations that provide ATM and credit or debit card transaction services are built upon the electronic funds transfer (EFT) network and processing platform. (9) The network platform involves the routing of financial transactions through the ATM computer network. The processing platform involves the authorization processing of financial accounts and terminal/ATM connections. (10) Financial organizations can perform these functions themselves, or they can belong to an electronic payment company that will conduct one or both of these services for them.
Personal checks do not use the EFT platform. Merchants authenticate personal checks through check verification companies. (11) Check verification methods are constantly improving as technology moves toward combining a personal check terminal with the keypad. As terminals become more multifunctional, merchants will be able to use the same one to process checks and debit and credit cards. If this type of terminal integrates the check verification process with EFT platforms, the probability of authenticating true account holders significantly increases. Requiring customers to use a PIN adds to that possibility even further.
Telephonic and Electronic Commerce Transactions
Consumers want to know the credibility of merchants. Check verification companies and financial enterprises that provide EFT platforms might be able to move toward a PIN authentication system. If merchants and the PIN authentication system remain separate entities, conducting business will be more secure.
Many individuals still consider on-line payments in an area of immaturity. (12) They have concerns about the privacy of both the data transmitted and the purchaser engaging in a valid on-line transaction. (13) Even though companies can secure the data transmitted, verifying the customer remains a problem. Today, many merchants accept the true credit card account holder on face value. When an electronic commerce transaction takes place, the purchaser provides the type of credit card, as well as the account number, name, and expiration date on the card. But, the individual placing the order may not be the true account holder.
Financial organizations using the EFT platform have begun to provide secure debit card transactions over the Internet. These debit cards use the CD-ROM from an individual's personal computer to provide secure transactions using a PIN. (14) Also, companies are developing smart cards with a PIN (cards with computer chips holding information about various financial accounts). (15) For example, the U.S. Postal Service's certified e-mail system will use a smart card with a digital signature encoded into it. (16)
Further, check verification companies have begun to provide business owners with secure payment methods. When someone places an order telephonically or over the Internet, these companies verify the validity of the check to the merchant. But, once again, the true account holder may not be the individual placing the order.
The next generation of authentication most likely will occur in the area of biometrics; future infrastructure is moving toward it. (17) Biometrics accurately captures an individual's unique physical attributes, such as fingerprints, voices, eyes (iris and retina), faces, and written signatures, in electronic format. Biometric methods authenticate who has access to specific records and verify identities of both parties during the transaction. (18) Biometrics can authenticate all financial transactions and greatly reduce identity theft and account takeover. If an individual's physical attributes could be compared to that of the account holder possessing a user ID or smart card on a database of registered users, authentication will occur, known as a one-to-one search. (19) A one-to-many search occurs when an account holder is not required to have a user ID. (20)
Various government entities have begun using biometric authentication techniques. For example, social service agencies in several states have installed fingerprinting devices, (21) and at least one state offers its residents the option of having their fingerprints scanned when they apply for their drivers' licenses. (22) Further, one federal agency uses hand geometry at airports. (23)
Biometrics research also is expanding. For example, Michigan State University's Pattern Recognition and Image Processing Lab is studying this type of identification (24) and one research testing lab estimates that, by 2005, all personal computers will have at least one type of biometric technology. (25)
Biometrics can serve as good authentication mechanisms when used properly. (26) This technique works if the biometric (an individual's physical attributes) came from the actual person being verified, and it matches the biometric master file. (27) As with any new technology, the infrastructure must support it. Whatever is developed to satisfy future needs, it must be the best solution for merchants, financial institutions, and the consumer. (28) Some states have tried to use biometrics; however, privacy advocate groups have persuaded some government officials to think twice about what they are doing. Opponents are concerned that personal information stored in databases will fall into the wrong hands. (29)
Identity theft remains a major problem. Various levels of technology can help prevent identity theft and account takeover. The more options that become available to authenticate financial transactions by verifying the account holder's identity, the less likely individuals will become victims of identity theft. The ability to use a PIN during credit card and check transactions can help stop account takeover. All levels of technology might not be able to exist within the current infrastructure; however, with ongoing research, it will be only a matter of time before they can.
To fight identity theft, law enforcement personnel must commit to forming alliances with financial organizations, merchants, and developers of computer hardware and software. Stopping identity theft saves everyone from financial hardships, insecurity, grief, aggravation, and time. Victims of identify theft deserve nothing less.
(1.) Mark Soupiset, "13 ways to Protect Yourself From Financial Fraud," USAA Magazine, January/February 1999, 10-14.
(2.) The International Association of Chiefs of Police, "IACP Resolutions: 2000," http://www.theiacp.org/leg_policy/Resolutions/resolutions2000.htm; accessed September 7, 2001.
(3.) Privacy Rights Clearinghouse, "Nowhere to Tum: victims Speak Out on Identity Theft," http://www.privacyrights.org/ar/idtheft2000.htm; accessed October 9, 2001.
(4.) Man J. Frank, Esq., "Identity Theft Prevention and Survival," http://www.identitytheft.org; accessed October 9, 2001.
(5.) Federal Trade Commission, "FTC Testifies: Identity Theft on the Rise," http://www.ftc.gov/opa/2000/03/idtest.htm; accessed October 9, 2001.
(8.) For more information, see Matthew L. Lease and Tod W. Burke, "Identity Theft: A Fast-Growing Crime," FBI Law Enforcement Bulletin, August 2000, 8-13.
(9.) Ralph Calvano, NYCE Corporation, telephone interview by author on May 24, 2001.
(11.) U.S. Department of Justice, "Identity Theft and Fraud," http://www.usdoj.gov/criminal/fraud/idtheft.html; accessed October 9, 2001.
(12.) "Reducing On-line Credit Card Fraud," Web Developers Journal, http://www.webdevelopersjournal.com/articles/card_fraud.html; accessed October 9, 2001.
(14.) Nessa Feddis, American Bankers Association, telephone interview by author on May 26, 2001.
(16.) M. J. Zuckerman, "Agencies Test 'Certified' E-Mail," The Detroit News, May 28, 2001, sec. A., p. 10.
(17.) Ibid, 14. For more information, see Stephen Coleman, "Biometrics: Solving Cases of Mistaken Identity and More," FBI Law Enforcement Bulletin, June 2000, 9-16.
(18.) Michael R. Amour, "Biometrics for the Financial Industry," Business Security Advisor, June 2001, 14 and 19.
(19.) Sally Weiner Grotta, "Biometric Security-Bio-Keys," PC Magazine, June 12, 2001, 162-174.
(21.) Melissa Stewart, "Fingerprinting," American Heritage of Innovation and Technology, Summer 2001, 23-30.
(23.) Supra note 19.
(24.) Michigan State University Pattern Recognition and Image Processing Lab, "Abstracts of Current Projects," http://biometrics.cse.msu.edu/abstracts.html; accessed October 9, 2001.
(26.) Bruce Schneier, Secrets & Lies. Digital Security in a Networked World (New York, NY: John Wiley & Sons, Inc., 2000).
(28.) Ibid., 13.
(29.) Ibid., 22.
Special Agent Pollock serves with the Social Security Administration, Office of the Inspector General, in Detroit, Michigan, and is a member of the FBI'S Joint Terrorism Task Force.
Sergeant May serves with the Detroit, Michigan, Police Department's Major Crimes Division and currently is assigned to the Michigan Attorney General's High Tech Crime Unit.
|Printer friendly Cite/link Email Feedback|
|Publication:||The FBI Law Enforcement Bulletin|
|Date:||Jun 1, 2002|
|Previous Article:||Henry Duhaime. (The Bulletin Notes).|
|Next Article:||The Gift of Fear: Survival Signals that Protect Us from Violence. (Book Review).|