Financial Cryptography pointed me to a Boston Globe article discussing some of what’s being done to combat the problem.

That’s not identity theft, according to computer security expert Bruce Schneier, author of ‘’Secrets and Lies.” It’s just plain theft — ‘’impersonation leading to fraud,” he said. ‘’I think when we call it identity theft, we lose the battle.”

In Schneier’s view, it’s impossible to eliminate impersonation, especially when somebody is stealing money online. On the Net, nobody knows you’re a thug. Any conceivable authentication method can be faked — even biometric data like fingerprint scans.

‘’I think this whole problem is being solved wrong,” Schneier said. ‘’People are focusing on authenticating the individual, and that’s hopeless.”

As someone IanG summarized Schneier, who pointed out recently, “the reason we have Identity Theft is because Identity Has Value.”* I don’t think this is being disputed by anyone at this point. I think that there is a much more fundamental problem at play here.

A hundred years ago, identity was reputation–the concept of a “man being as good as his word.” Today, identity is the aggregate representation of a person’s past, present, and future income, expenditures, liabilities and a qualified opinion on where the person’s cashflow priorities lie. It is usually represented as the Credit Score.

As it is, financial identity cannot be “stolen” like a car or a wallet. Identity can, however, be devalued and damaged. If I commit fraud by impersonating your Identity, you still have your identity, I have merely damaged or devalued it. If the now-badly-devalued Identity could actually be “lost” like a wallet, then in this scenario, a Loss of Identity would be a Good Thing. This implies a mechanism whereby the victim could obtain a new, undamaged Identity unencumbered by the old.

This might sound like bankruptcy to some, but bankruptcy is the opposite of what I’m envisioning. Bankruptcy is (or was, anyway) the credit equivilent of ritual Hari-Kari, setting the credit score to the lowest value possible in exchange for the discharge of past mistakes.

While this might not be as good as having the old Identity back (largely dependent on how valuable the old Identity was, of course), it would certainly be better than the current situation, which is that the victim must operate with a damaged identity. At best, they suffer significantly more friction in all future credit transactions. At worst, they suffer discrimination and are denied credit outright despite being the victims.

In the modern world, Financial Identity and Personal Identity are supposed to be separate. Look at the things that cannot be reported or considered as part of one’s Financial Identity under the Fair Credit Reporting Act such as race, gender, or sexual preference. Basically, all the things that comprise Personal Identity. So cut the cord once and for all. Split the two identities so the Financial Identity can finally be treated like what it really is–an aggregate risk summary of an entity.

The ability to determine the value of a new baseline Identity also implies that the value of one’s Identity could easily be compared to the baseline value, meaning that a Cost Per Incident could be computed and the risk of an incident calculated. Once you can do that, then Just Add Actuaries and suddenly, you can insure it.

There is another piece of this puzzle that I’m not going to get into today, and that’s Authentication. A large part of the current fraud-through-impersonation problem is the lack of strong, effective form of Identity which can work on a national or global scale. Right now, however, the Authentication piece is essentially nonexistent–my webmail account is better secured than my Financial Identity.

* The “Identity Has Value” statement was a quote, but I can’t find the link–if someone can remind me, I’d like to attribute it.Thanks, Ian!

“Identity Theft exists because Identity is Valuable” sounds like it … click on Iang

OK, darn, I should have read my own post. What that post referred to was Bruce Schneier saying … well, what I’d said earlier. Earlier, I’d written a long and complex rant called “Identity Theft: Why Hollywood has to take one for the team” wherein I’d said this:

“The current project to identify the humanity of the world will make identity theft the crime of the century. It’s really extraordinarily simple. The more everything rests on Identity, the more value will Identity have. And the more value it has, the more it will be worth to steal.”

Darn bother and blast! To which the URL is … click on Iang, this one, not the other ones! Yes, it’s late here.