Identity theft (PGN, RISKS-21.04)

[Carl Ellison]

I used to try to keep my SSN private -- then I realized that that's blaming
the victim (me).  It's not the SSN holder's fault that stores and other
institutions use improper means for authenticating people.  It's the store's
fault.

Any information held by a credit bureau is public.  So is any information
held by any government agency, if I'm to believe the spam I get
occasionally.

So, that information is not acceptable for authentication -- even in person,
but especially online.  It's not merely unacceptable when dealing with the
credit bureau.  The credit bureau poisons the information for everyone.

Now -- how do we get consumer protection laws that make it clear that a
consumer is not liable for any debts incurred by someone claiming to be
him/her unless there is irrefutable authentication during registration
(e.g., videotape of the consumer signing up for the service).  This means
killing all issuing of credit online, by mail, by phone, etc.

Maybe I'd stop getting all those credit-card applications in the mail....

[This opens a technical challenge: how can we authenticate anyone, if we
rule
out information that an attacker can get?]

 - Carl

---
All inventions or works of authorship original to me,
herein and past, are placed irrevocably in the public
domain, and may be used or modified for any purpose,
without permission, attribution, or notification.