Comment & Analysis

Identity theft: security threats get personal

It's happened for years offline, but now identity theft is becoming a real issue for the online world. Pia Heikkila explores the issues, and looks for solutions...

By Pia Heikkila

Published: 13 November 2000 13:00 GMT

Imagine trying to withdraw money from your bank account but the ATM doesn't recognise you because your iris scan was somehow used by someone else, five minutes ago. Or maybe you are buying groceries but another person, three thousand miles away, has already used the biometric information generated by your fingerprints.

This imaginary scenario could soon become reality if industry pundits in the US are to be believed. Experts have recently predicted an increase in digital identity theft and are warning it may well become a global phenomenon.

But pundits are not alone in worrying about personal data misuse. A recent study published by the Information Technology Association of America (ITAA) found that more than 80 per cent of Americans are concerned about potential fraudulent usage of personal information currently stored on computers.

Stealing someone's identity no longer requires forged birth certificates or smudged photographs in driver's licences, only a smattering of technical knowledge. So the warnings may be well justified.

Chris Cherrington, an analyst at Frost and Sullivan, notes that identity theft is not a new crime. "Traditionally, taking someone's identity or creating a new one meant using their passports or birth certificates and pretending to be this new person," he said.

Dr Neil Barrett, technical director at security consultancy IRM and an expert who has worked on projects with the police, HM Inland Revenue, Customs & Excise and DERA, explained the crime is moving to the online world in two different ways. "You can either create an online personality by masquerading as someone else," he said. "Or you can start to use someone else's existing details as your own."

The internet is an ideal channel for those who wish to create multiple personalities because users can interact without proof of real physical presence.

Adrian Wright, director of IT security at Reuters UK, told silicon.com that the lack of necessary physical presence can create a way in for the criminal. "The amount of identity verification information needed in an online transaction is very little: birth dates, mother's maiden names, addresses and a password, which can all be easily guessed," he said.

The problem of fake identities seems to be on the increase in countries that have relatively loose privacy policies, according to Winn Schwartau, a security expert and author. He said digital identity crimes are extensions of 'real life' frauds, but the methods used are more technically sophisticated.

"Card details are easily obtainable from hard copy print outs or by telephone or directly from a user's PC. Eastern Europe and other similar economies may become centres for organised cyber criminals who will target countries such as the UK," he said.

A former hacker, Jericho, said that current personal information protection methods used by banks simply act as an invite to criminals: "Most credit cards are protected by four digit PINs which are very easy to guess with the help of a basic PC. You can even find software programs designed to do this."

The question becomes, which party should take responsibility for any cyber crimes? Many users would like to see banks and other financial institutions beef up their authentication procedures or strongly encrypt transactions. At the same time, others argue users should be vigilant - and that includes looking after old credit card receipts and bank statements.

American news media have recently reported widely on the victims of identity crime and their ordeals. Some individuals have spent years trying to prove their creditworthiness and overall innocence.

IRM's Dr Barrett said institutions are notorious for trying to pass the blame. "Banks are not taking the issue seriously enough as they have never been particularly good at establishing identity and taking responsibility for technology-based transactions," he explained.

But there is no universal cure for identity theft, according to Reuters' Adrian Wright, who added: "The only way to keep personal information safe is to have an adequate technical defence installed on an organisational level, and to educate the end users to be extra vigilant."

Charrington at Frost and Sullivan said law enforcement agencies must catch up with the technology-savvy criminals. "In the UK it is not illegal to be someone else in the offline world unless you use the identity fraudulently. As that is now taking place in the online world it can cause problems. Definitions of what is legal need to be outlined."

Many, including Charrington, recognise the police are under-resourced in this respect, giving criminals the upper hand. And then there is the important issue of cracking illegal activity without violating the rights or harming the web usage of the innocent, something anyone following the inception of the UK's Regulation of Investigatory Powers Act or its international equivalents will know about.

Any society that increasingly relies on the use of digital information needs to ensure its citizens' private data is safe. The responsibility for personal information no longer belongs solely with the individual, but with all parties involved. If this message does not get through, and we aren't guaranteed our identities are safe, how likely are we to organise our lives or buy and sell online?
