Two things happened today that made me think about how naive current measures against identity theft are. The first is a US bank that I’m a customer of. I hardly ever log in on their website, and of course had forgotten the password. To prove that I am myself, I had to provide two answers about myself that I’m sure many (tens or hundreds of) people know, and many more can very easily find out (including my place of birth, which I had to put on page 5 of my PhD thesis, which is publicly downloadable). And since the web interface did not allow me to do what I wanted (to terminate the account), I had to call them. During this call I had to provide those same two answers, plus my home address (which is listed in the phonebook). The funny thing is that I had to provide these answers twice during the same phone call, which did not make me feel more secure at all …
This type of static knowledge-based authentication is simply NOT suitable for authenticating any transaction that requires more than a very minimal level of assurance, and it is very naive to use it for online banking (see also).
The second thing that happened today is a commercial I saw from the Dutch government, part of a campaign for a safer internet (“Veilig Internet. Heb je zelf in de hand”, roughly “Safe Internet. It’s in your own hands”). The campaign seems to focus on people’s own responsibility to prevent identity theft. The commercial, however, was very limited, stating that people should change their password once in a while, and make sure whom they email their personal data to. The first recommendation is very naive because 1) I’m convinced people don’t do this unless forced to and 2) it doesn’t help much against e.g. malware, phishing, or using the same password at many sites. The second recommendation assumes that personal data is used to authenticate yourself, which it simply shouldn’t be (see the first paragraph).
Although I welcome the attention that this campaign brings to the issue of identity theft, I wonder whether spending more energy and time on better authentication and identity solutions for the internet wouldn’t be more effective than this campaign.