Robin Wilton raises the question: Is “user-centricity” the answer to identity fraud?

It is, of course, an intriguing question, and he answers it with another: “can you envisage a case where the user has that degree of control, and yet businesses still shoulder 90% of the cost of identity theft?”, followed by his own answer and conclusion:

“I can’t. This suggests two factors which weigh heavily in favour of the status quo

- the lack of incentive for users to bear added responsibility, as long as someone else is picking up the cost of the current approach;

- the difficulty of raising the awareness and competence of every user and citizen, as data custodians, relative to achieving the equivalent rise in awareness and competence among existing data custodians. Not that I’m suggesting the latter is ‘easy’ either!”

Well, that is good news for the status quo, I suppose, if you believe the reasoning. I don’t. Before we get to users shouldering anything, let us step back and look at the problem, the real problem. First, when we talk of identity theft, are we really talking about identity theft, or are we referring to that old chestnut, fraud? I posit that stealing my identity is close to impossible, but impersonating me might be a whole lot easier. That is an important distinction, because the line of reasoning that starts with identity theft invariably ends with some kind of responsibility being placed on the person whose identity has, supposedly, been stolen. Replacing the term “identity theft” with the word “impersonation” makes that whole line of reasoning much harder to sustain. The reason is that impersonation is an interaction that takes place wholly between a fraudster and a victim, without any interaction with the person being impersonated - they are in fact an innocent bystander in the process. There is no theft but the fruits of the successful fraud.

And what of that fruit? The current reasoning du jour says that the “identity theft” victim’s account has been compromised and the “identity theft” victim’s money has been stolen. Again, this is simply smoke and mirrors. The account that was compromised is an administrative convenience of the financial entity, and the money that was stolen has clearly been stolen from that financial entity. With the current protections and identity solutions in place this is already the case. This may go some way to explaining the generosity of the businesses who “shoulder 90% of the cost of identity theft.”

It is not the consumer who designs the security procedures, so the consumer cannot be held liable for the failings of those procedures. It therefore really does not matter where identity information is stored: it is a problem for the enterprise alone to protect its own assets, and the responsibility of the enterprise alone to put in place adequate protections to ensure that those assets are not easily compromised. This is orthogonal to where identity data is stored. The fact is, security for financial transactions is currently lacking across the board because there is an inherent reliance on relatively easily obtainable data. That is, data easily obtainable at the point of transaction. Because the same static data is presented every time, any one transaction exposes everything needed to initiate another, and a replay attack is trivial!
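To make the replay point concrete, here is an added example (not code from the original post, and not describing any real bank’s system) contrasting two constructed toy authorisers. The first accepts static account data (a made-up card number and security code) as the whole proof of authority, so a message captured once can be resent, or altered, at will. The second issues a fresh single-use challenge for every transaction and requires an HMAC over (challenge, amount, merchant) computed with a key that never appears on the wire, so a captured message is useless for any further transaction. All account identifiers, keys and amounts are constructed test values.

```python
import hmac
import hashlib
import secrets

# Constructed test values; nothing here corresponds to a real account.
CARD_NUMBER = "4111111111111111"
CVV = "123"


def static_payment(amount, merchant):
    """The message a merchant sends when only static account data is required."""
    return {"card": CARD_NUMBER, "cvv": CVV, "amount": amount, "merchant": merchant}


class StaticBank:
    """Toy authoriser that trusts static data: whoever knows it can spend."""

    def __init__(self):
        self.known = {(CARD_NUMBER, CVV)}
        self.ledger = []

    def authorize(self, msg):
        ok = (msg["card"], msg["cvv"]) in self.known
        if ok:
            self.ledger.append((msg["merchant"], msg["amount"]))
        return ok


def sign(key, nonce, amount, merchant):
    """MAC binding a transaction to one challenge; the key never leaves the device."""
    data = f"{nonce}|{amount}|{merchant}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChallengeBank:
    """Toy authoriser that issues a single-use challenge per transaction."""

    def __init__(self, account, key):
        self.keys = {account: key}
        self.outstanding = {}   # nonce -> account it was issued to
        self.ledger = []

    def challenge(self, account):
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = account
        return nonce

    def authorize(self, msg):
        # pop() makes the nonce single-use: a replayed message finds it gone.
        account = self.outstanding.pop(msg["nonce"], None)
        if account is None or account != msg["account"]:
            return False
        expected = sign(self.keys[account], msg["nonce"], msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        self.ledger.append((msg["merchant"], msg["amount"]))
        return True


def customer_device_payment(bank, account, key, amount, merchant):
    """What the customer's device sends: the challenge plus a MAC over the details."""
    nonce = bank.challenge(account)
    return {"account": account, "nonce": nonce, "amount": amount,
            "merchant": merchant, "mac": sign(key, nonce, amount, merchant)}


def demo():
    """Run both schemes against an observer who captured one transaction."""
    static_bank = StaticBank()
    captured = static_payment(10, "shop")                    # the observed transaction
    first = static_bank.authorize(captured)
    replay = static_bank.authorize(dict(captured))            # resent unchanged
    forged = static_bank.authorize(dict(captured, amount=500, merchant="fraudster"))

    key = secrets.token_bytes(32)                            # lives only on the device
    cbank = ChallengeBank("alice", key)
    msg = customer_device_payment(cbank, "alice", key, 10, "shop")
    cfirst = cbank.authorize(msg)
    creplay = cbank.authorize(dict(msg))                      # nonce already consumed
    nonce = cbank.challenge("alice")                          # attacker obtains a fresh nonce
    cforged = cbank.authorize({"account": "alice", "nonce": nonce, "amount": 500,
                               "merchant": "fraudster", "mac": msg["mac"]})  # old MAC
    return {"static": (first, replay, forged), "challenge": (cfirst, creplay, cforged)}
```

Running `demo()` shows the static scheme authorising the original, the replay and the altered message alike, while the challenge scheme authorises only the original: the replay fails because its nonce was consumed, and the altered message fails because the captured MAC does not verify over a different nonce, amount and payee. The point is not the particular MAC but that the proof of authority is bound to one transaction and cannot be recovered by observing it.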

I’d say the current situation indicates that the status quo isn’t adequate, perhaps in both the financial and identity spaces.